A CLI wrapper that intercepts and rewrites AI agent commands to run read-only diagnostic operations on remote hosts, it also learns the more your agent uses it. Lily installs as a guard hook into coding agents (Claude Code, Cursor, Codex) and automatically rewrites SSH, cloud CLI, and kubectl exec commands to use validated read-only execution. Destructive operations (rm, sudo, bash, etc.) are hardcoded-blocked and cannot be overridden.
Requires Go 1.26.2+.
go install github.com/aspectrr/lily/cmd/lily@latestVerify:
lily versionThe guard hook automatically intercepts SSH, cloud CLI, and kubectl exec commands from your agent and rewrites them to use lily's validated read-only execution.
# See which agents are detected on your system
lily guard status
# Install into a specific agent
lily guard install claude-code
lily guard install cursor
lily guard install codex
# Or install into all detected agents
lily guard install allOnce installed, your agent's SSH commands are automatically rewritten:
Agent runs: ssh web1 "systemctl status nginx"
Lily rewrites: lily run web1 "systemctl status nginx"
Agent runs: kubectl exec my-pod -- ps aux
Lily rewrites: lily kubectl exec my-pod -- ps aux
# List hosts from your SSH config
lily hosts
# Check connectivity
lily check web1
# Run a diagnostic command
lily run web1 "systemctl status nginx"
# Wrap a command manually (no hook needed)
lily aws ssm start-session --target i-12345 --command "ps aux"
lily gcloud compute ssh my-instance --project P --zone Z --command "df -h"lily [flags]
lily <command> [arguments]
| Command | Description |
|---|---|
hosts |
List hosts from ~/.ssh/config |
run <host> <command> |
Execute a validated read-only command on a host |
validate <command> |
Check if a command is allowed without executing |
check <host> |
Test SSH connectivity to a host |
rewrite <command> |
Rewrite SSH commands to use lily run (for scripting) |
list-commands |
Show all allowed commands and subcommand restrictions |
config-path |
Print the config file path |
validate-config |
Validate the lily.yaml config file |
aws <args...> |
Run validated command on AWS instance via SSM |
gcloud <args...> |
Run validated command on GCP instance via gcloud |
az <args...> |
Run validated command on Azure VM via az |
kubectl <args...> |
Run validated command in Kubernetes pod via kubectl exec |
guard install <agent|all> |
Install guard hook into an agent's config |
guard uninstall <agent|all> |
Remove guard hook from an agent's config |
guard status |
Show guard hook installation status |
guard-hook <agent> |
Run as agent hook (reads JSON stdin) |
version |
Print version |
| Flag | Default | Description |
|---|---|---|
-config <path> |
~/.ssh/config |
Path to SSH config |
-config-file <path> |
~/.config/lily/lily.yaml |
Path to lily config |
-timeout <duration> |
30s |
SSH command timeout |
The guard hook is the recommended way to use lily. It installs as a PreToolUse hook that intercepts your agent's bash commands and automatically rewrites SSH/cloud/kubectl commands to use lily's validated execution.
lily guard status # Check which agents have the hook
lily guard install all # Install into all detected agents
lily guard install claude-code # Install into a specific agent
lily guard uninstall cursor # Remove from an agentSupported agents: Claude Code, Codex, Cursor
The guard rewrites commands in-place (the agent sees the rewritten command) or blocks them entirely if they would be destructive. All error paths are non-blocking β the original command always runs if the hook fails.
Lily enforces configurable limits to prevent agents from abusing remote hosts:
| Setting | Default | Config Key | Description |
|---|---|---|---|
| Rate limit | 1 command/sec | rate_limit |
Minimum interval between commands |
| Max output | 1 MB | max_output_bytes |
Output cap per command (stdout + stderr) |
| SSH timeout | 30s | -timeout flag |
Maximum execution time per command |
Rate limiting applies to run_command and check_host only. Read-only tools like list_hosts and validate_command are not rate-limited.
lily reads ~/.ssh/config to find available hosts. Only hosts explicitly defined in SSH config can be accessed β the agent cannot connect to arbitrary hosts.
Host web1
HostName 192.168.1.10
User deploy
Port 2222
IdentityFile ~/.ssh/web1_key
Host db1
HostName db.example.com
User postgres
lily uses the user's existing SSH credentials:
- SSH agent (
SSH_AUTH_SOCK) β loaded keys are tried first - IdentityFile β if specified in SSH config for the host
- Default keys β
~/.ssh/id_ed25519,~/.ssh/id_ecdsa,~/.ssh/id_rsa
No special setup or server-side installation is needed. If you can ssh web1 from your terminal, lily can too.
Lily uses Trust On First Use (TOFU) for SSH host key verification:
- First connection to a host β the host key is automatically recorded in
~/.ssh/known_hosts - Subsequent connections β the key is verified against the recorded value
- Key mismatch β the connection is rejected with a clear MITM warning
If ~/.ssh/known_hosts doesn't exist, Lily creates it automatically. No manual setup required.
Lily supports SSH ProxyJump for reaching hosts behind a bastion or jump server. This is the standard scenario where your local machine connects to a jump host, and from there tunnels to internal hosts that aren't directly reachable.
Configure it in ~/.ssh/config:
Host bastion
HostName 203.0.113.1
User admin
Host web1
HostName 10.0.0.5
User deploy
ProxyJump bastion
Host db1
HostName 10.0.0.6
ProxyJump bastion
Now lily run web1 "systemctl status nginx" automatically tunnels through bastion. The AI agent doesn't need to know about the proxy β it just targets web1 as usual.
- Lily reads
ProxyJumpfrom your SSH config - Dials the jump host directly
- Opens an SSH tunnel through the jump host to the target
- Runs the validated command on the target
- All intermediate connections are kept alive and cleaned up together
ProxyJump supports chaining through multiple hosts:
Host gateway
HostName 203.0.113.1
Host bastion
HostName 10.0.0.1
ProxyJump gateway
Host web1
HostName 192.168.1.5
ProxyJump bastion
This creates a chain: local β gateway β bastion β web1. Lily resolves the chain recursively and detects loops.
You can also use comma-separated proxies (no recursive resolution):
Host web1
HostName 10.0.0.5
ProxyJump jump1,jump2
Each hop in the chain uses its own SSH config (user, identity file, port). The SSH agent and default keys are tried for every hop, so if your agent has keys for both the bastion and the target, everything works automatically.
Lily only supports ProxyJump (SSH-native tunneling). ProxyCommand is not supported because it executes arbitrary local commands, which is a security risk. If your SSH config uses ProxyCommand, convert it to ProxyJump:
- ProxyCommand ssh -W %h:%p bastion
+ ProxyJump bastionIf a host has ProxyCommand but no ProxyJump, Lily prints a warning and attempts a direct connection (which will likely fail if the host truly requires a proxy).
The list_hosts tool and lily hosts command show which hosts use a proxy:
β list_hosts()
β Found 3 host(s) in SSH config:
bastion 203.0.113.1 (user: admin)
web1 10.0.0.5 (user: deploy) [via bastion]
db1 10.0.0.6 [via bastion]
check_host also indicates the proxy:
β check_host(host="web1")
β Host "web1" is reachable (via bastion).
The validated command is sent over SSH and executed by the remote host's default shell. No agent, daemon, or restricted shell is installed on the remote β all safety enforcement happens client-side in the compiled binary.
Lily extends its read-only command validation to cloud provider CLI commands and kubectl exec. Agents can run diagnostic commands on AWS, Google Cloud, Azure instances, and Kubernetes pods without needing SSH config entries.
# AWS SSM Session Manager
lily aws ssm start-session --target i-0123456789abcdef0 --command "systemctl status nginx"
# Google Cloud
lily gcloud compute ssh my-instance --project my-project --zone us-central1-a --command "ps aux"
# Azure
lily az ssh vm --resource-group MyResourceGroup --name MyVM --command "uptime"
# Kubernetes
lily kubectl exec my-pod -- ps aux
lily kubectl exec my-pod -c sidecar -n prod -- "cat /etc/config.yaml"Without --command, opens an interactive restricted shell (same as lily ssh):
lily aws ssm start-session --target i-12345
lily gcloud compute ssh my-instance --project P --zone Z
lily az ssh vm --resource-group RG --name VM
lily kubectl exec my-pod| Provider | Command mechanism | Requirements |
|---|---|---|
| AWS SSM | send-command + get-command-invocation polling |
SSM Agent on instance, aws CLI locally |
| GCloud | Native --command flag |
gcloud CLI locally |
| Azure | -- separator for SSH command |
az CLI + ssh extension |
| Kubectl | -- separator for exec command |
kubectl CLI locally |
AWS uses aws ssm send-command with the AWS-RunShellScript document under the hood. The command is sent, and lily polls get-command-invocation until the result is available. This provides synchronous, reliable command execution.
GCloud uses gcloud compute ssh --command which natively supports non-interactive command execution. IAP tunneling (--tunnel-through-iap) is supported.
Azure uses az ssh vm -- <command> to pass the validated command to the underlying SSH session. Azure Bastion (az network bastion ssh) is also supported.
Kubernetes uses kubectl exec POD -- <command> to run the validated command inside the container. The guard intercepts kubectl exec commands and validates the command portion through lily's read-only allowlist. Only exec subcommands are intercepted β kubectl get, kubectl logs, etc. pass through unchanged.
The guard automatically detects raw cloud CLI SSH commands and rewrites them to use lily:
| Agent runs | Guard rewrites to |
|---|---|
aws ssm start-session --target ID |
lily aws ssm start-session --target ID |
aws ec2-instance-connect ssh --instance-id |
lily aws ec2-instance-connect ssh --instance-id |
gcloud compute ssh INSTANCE ... |
lily gcloud compute ssh INSTANCE ... |
az ssh vm --resource-group RG --name VM |
lily az ssh vm --resource-group RG --name VM |
az network bastion ssh ... |
lily az network bastion ssh ... |
kubectl exec POD -- command |
lily kubectl exec POD -- command |
Commands already prefixed with lily are left unchanged (passthrough).
aws ec2-instance-connect ssh is detected by the guard and rewritten, but does not support non-interactive command execution. When a command is specified, lily returns an error suggesting SSM instead:
# This will fail with a helpful error:
lily aws ec2-instance-connect ssh --instance-id i-xxx --command "ps aux"
# β Use 'lily aws ssm start-session --target i-xxx --command "CMD"' insteadLocation: ~/.config/lily/lily.yaml (run lily config-path to find it)
The config file can only add to the base allowlist. The hardcoded blocklist (rm, sudo, bash, etc.) cannot be overridden β even if the YAML is edited to include them, they are silently ignored.
# ββ Execution Limits ββββββββββββββββββββββββββββββββββββββββββββββ
# Minimum interval between command executions.
# Prevents agents from flooding hosts with rapid-fire commands.
# Default: "1s"
rate_limit: "1s"
# Maximum output (stdout + stderr) captured per command, in bytes.
# Output beyond this limit is silently truncated.
# Default: 1048576 (1 MB). Minimum: 1024 (1 KB).
max_output_bytes: 1048576
# ββ Command Allowlist ββββββββββββββββββββββββββββββββββββββββββββ
# Add commands beyond the built-in allowlist.
# Still subject to metacharacter checks and subcommand restrictions.
extra_commands:
- docker
- kubectl
# Restrict which subcommands are allowed for extra commands.
extra_subcommand_restrictions:
docker:
- ps
- logs
- inspect
- stats
- top
- events
- images
- network ls
- volume ls
kubectl:
- get
- describe
- logs
- top
- explain
- api-resources
- api-versions
# Block specific flags for any command (built-in or extra).
extra_blocked_flags:
docker:
- exec
- run
- rm
- rmi
- build
- push
- pull
kubectl:
- delete
- apply
- create
- edit
- patch
- replacelily validate-config
# Config valid.
# Extra commands: 2
# Extra restrictions: 2
# Extra blocked flags: 2
# Rate limit: 1s
# Max output: 1048576 bytesThe config file was renamed from allowlist.yaml to lily.yaml in v0.2.0. Lily automatically falls back to ~/.config/lily/allowlist.yaml if lily.yaml doesn't exist, so existing setups continue to work without changes.
Lily can automatically learn from debugging sessions and surface relevant past investigations when similar issues arise. This feature is opt-in and requires no daemon β it works by checking a session lock file on each command invocation.
- Session tracking β Every time
lily runor a cloud command executes, Lily checks if there's an active investigation session. If no commands have run for the configured timeout (default 10 min), the previous session is flushed as a completed investigation. - Keyword extraction β Lily automatically extracts diagnostic keywords from command output (error patterns, HTTP status codes, service names, etc.).
- Similarity matching β When a new command is run, Lily compares the current context (host, command, keywords) against past investigations using a weighted heuristic.
- Hint surfacing β If a similar past investigation is found (similarity β₯ 30%), its details are appended to the command output.
Investigations that span multiple hosts are tracked together. If you debug web1 and then check db1 in the same session, both hosts are recorded in a single investigation. Future sessions on web1 will surface hints like "last time this happened, the problem was actually on db1."
β lily run web1 "systemctl status nginx"
β β nginx.service - A high performance web server
Active: failed (Result: exit-code)
ββ Past Investigation (May 10, 87% similar) ββ
Root cause: php-fpm pool exhaustion causing nginx 502
Hosts involved: web1
Investigation path:
web1: systemctl status nginx
web1: journalctl -u nginx --no-pager -n 20
web1: systemctl status php-fpm
Consider checking: systemctl status php-fpm
memory:
# Enable automatic investigation tracking (default: false)
enabled: true
# Time with no activity before an investigation is considered complete
session_timeout: "10m"
# Max past investigations to keep per host (older are auto-pruned)
max_investigations_per_host: 50# Check memory status
lily memory status
# List past investigations
lily memory list
# Clear all stored investigations
lily memory clearInvestigations are stored as flat YAML files in ~/.config/lily/memory/investigations/. No database, no daemon. Session state is tracked via a .session.lock file that is checked on every command invocation.
| Signal | Weight | What it measures |
|---|---|---|
| Host match | 40% | Is the same host involved? |
| Trigger overlap | 35% | Same diagnostic command used? |
| Keyword overlap | 25% | Jaccard similarity on extracted error keywords |
Run lily list-commands for the full list.
cat ls find head tail stat file wc du tree strings md5sum sha256sum readlink realpath basename dirname base64
ps top pgrep systemctl (read-only) journalctl dmesg
ss netstat ip ifconfig dig nslookup ping curl (GET only) openssl (read-only)
df lsblk blkid
dpkg (list/status) rpm (query) apt (list/show) pip (list/show)
uname hostname uptime free lscpu lsmod lspci lsusb arch nproc
whoami id groups who w last
date which type echo test
grep awk sed (no -i) sort uniq cut tr xargs
| Command | Allowed subcommands |
|---|---|
systemctl |
status, show, list-units, is-active, is-enabled |
dpkg |
-l, --list, -s, --status |
rpm |
-qa, -q |
apt |
list, show |
pip |
list, show |
openssl |
x509, verify, s_client, crl, version, ciphers, req (display only) |
curl |
GET requests only |
| Command | Blocked flags |
|---|---|
sed |
-i, --in-place |
curl |
-X, -d, --data, --data-raw, --data-binary, --data-urlencode, -F, --form, -T, --upload-file, -o, --output, -O, --remote-name, -K, --config, -x, --proxy |
These commands are hardcoded in the compiled binary and can never be allowed, even via user config:
| Category | Commands |
|---|---|
| Destructive | rm rmdir mv cp dd chmod chown chgrp chattr kill killall pkill shutdown reboot halt poweroff mkfs mount umount fdisk parted |
| Privilege escalation | sudo su pkexec |
| User management | useradd userdel usermod groupadd groupdel groupmod passwd chpasswd |
| Shells / interpreters | bash sh zsh dash csh tcsh fish python python3 python2 perl ruby node php lua |
| Editors | vi vim nano emacs pico |
| File transfer | scp rsync sftp ftp wget |
| Build tools | make gcc g++ cc |
| Firewalls | iptables ip6tables nft |
| Cron | crontab at batch |
- Command substitution:
$(...)and backticks - Variable expansion:
$var,${var} - Output redirection:
>and>> - Input redirection:
< - Process substitution:
<(...)and>(...) - Subshells:
(...)and(...) - Newlines and carriage returns
- Environment variable assignments:
FOO=bar cmd
Lily uses a 7-layer defense-in-depth pipeline:
- Metacharacter scanner β blocks
$(), backticks,${},$var,>,>>,<,<<,(), newlines - Redirection scanner β blocks unquoted
> - Environment scanner β blocks
VAR=valueassignments (preventsLD_PRELOADinjection) - Pipeline splitter β validates each segment independently
- Per-segment validation β allowlist, blocklist, subcommand restrictions, blocked flags, argument validators
- Command sanitizer β reconstructs the entire command with safe single-quoting
- SSH transport β output caps, timeouts, Trust On First Use (TOFU) host key verification
For the full security model, threat analysis, and bypass vectors, see SECURITY.md.
Lily is designed to run inside a sandboxed environment where the AI agent has no filesystem write access and no network access except via the Lily binary. Without sandboxing, an agent could bypass Lily and SSH directly, modify ~/.ssh/config, or edit lily.yaml.
Shuru provides lightweight Linux microVMs using Apple Virtualization.framework (macOS) and KVM (Linux ARM64). Sandboxes are offline by default.
# Install
brew tap superhq-ai/tap && brew install shuru # macOS
# or: curl -fsSL https://shuru.run/install.sh | sh
# Create project config
cat > shuru.json << 'EOF'
{
"cpus": 1,
"memory": 512,
"mounts": [
"~/.ssh:/home/agent/.ssh:ro",
"~/.config/lily:/home/agent/.config/lily:ro"
]
}
EOF
# Install Lily binary into sandbox
shuru run --mount ./bin/lily:/usr/local/bin/lily:ro -- lily hosts
# Run your agent inside the sandbox
shuru run --mount ./bin/lily:/usr/local/bin/lily:ro -- your-agent-command| Resource | Setting | Why |
|---|---|---|
| Network | Offline (default) | Agent can't SSH/curl directly |
~/.ssh/ |
Read-only mount | Agent can't modify SSH config |
lily.yaml |
Read-only mount | Agent can't edit allowlist |
/usr/local/bin/lily |
Read-only mount | Agent can't replace the binary |
| Memory/CPU | Minimal (512 MB, 1 CPU) | Contain resource usage |
vmsan provides Firecracker microVMs with per-VM network namespaces, seccomp-bpf filters, and cgroup resource limits.
# Install
curl -fsSL https://vmsan.dev/install | bash
vmsan doctor # verify KVM, disk space, binaries
# Create isolated VM with no network access
vmsan create \
--vcpus 1 \
--memory 256 \
--disk 5gb \
--network-policy deny-all \
--timeout 2h
# Get the VM ID
VM_ID=$(vmsan ls --json | jq -r '.[0].id')
# Upload Lily binary and config
vmsan upload "$VM_ID" ./bin/lily
vmsan exec "$VM_ID" -- mkdir -p /root/.config/lily
vmsan upload "$VM_ID" ./lily.yaml
vmsan exec "$VM_ID" -- mv /root/lily.yaml /root/.config/lily/lily.yaml
# Run the agent
vmsan exec "$VM_ID" -- your-agent-commandTo allow SSH to internal hosts while blocking everything else:
vmsan create \
--vcpus 1 \
--memory 256 \
--network-policy custom \
--allowed-cidr "10.0.0.0/8" \
--allowed-cidr "192.168.0.0/16" \
--denied-cidr "169.254.0.0/16" \
--denied-cidr "100.100.0.0/16" \
--timeout 2h| Resource | Flag | Effect |
|---|---|---|
| Network | --network-policy deny-all |
No outbound from VM |
| seccomp-bpf | Enabled by default | Restricts syscalls |
| PID namespace | Enabled by default | Process isolation |
| cgroups | Enabled by default | Memory/CPU limits |
| Timeout | --timeout 2h |
Auto-shutdown after idle period |
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Sandbox (shuru / vmsan) β
β β
β βββββββββββββββ ββββββββββββ ββββββββββββββββββββ β
β β AI Agent βββββΆβ Lily CLI βββββΆβ SSH to Remote β β
β β β β β β Hosts β β
β β No network β β Validatesβ β β β
β β No SSH dir β β Sanitizesβ β Read-only cmds β β
β β No curl β β Rate lim β β only β β
β βββββββββββββββ ββββββββββββ ββββββββββββββββββββ β
β β β β
β read-only read-only β
β lily.yaml ~/.ssh/ β
β β
β β No raw SSH, curl, wget, nc β
β β No write access to ~/.ssh/ or lily.yaml β
β β No outbound network (except via Lily SSH) β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
lily/
βββ cmd/lily/main.go # CLI entry point + all subcommands
βββ internal/
β βββ allowlist/ # YAML config parsing + execution limits
β β βββ allowlist.go # Config struct, loading, defaults
β β βββ allowlist_test.go
β βββ cloud/ # Cloud provider SSH (AWS, GCloud, Azure) + kubectl exec
β β βββ cloud.go # Provider execution, command parsing, shell
β β βββ cloud_test.go
β βββ guard/ # Guard hooks (SSH + cloud CLI rewrite)
β β βββ rewrite.go # Command rewrite logic
β β βββ hook.go # Agent-specific hook runner
β β βββ install.go # Hook install/uninstall
β β βββ *_test.go
β βββ memory/ # Investigation memory (session tracking, similarity)
β β βββ memory.go # Session lock, keyword extraction, investigation persistence
β β βββ memory_test.go
β βββ readonly/ # Command validation engine
β β βββ validate.go # 7-layer validation pipeline
β β βββ validate_test.go # 75+ attack vector regression tests
β βββ sshconfig/ # SSH config parser
β β βββ sshconfig.go # Host, ProxyJump, ProxyCommand parsing
β β βββ sshconfig_test.go
β βββ sshexec/ # SSH execution (direct + ProxyJump)
β βββ sshexec.go # Executor with output caps, proxy chains
β βββ sshexec_test.go
βββ lily.yaml # Example config
βββ SECURITY.md # Full security model & sandboxing guide
βββ SKILL.md # Agent skill reference
βββ AGENTS.md # Agent integration guide
βββ Makefile
βββ README.md
The compiled binary prevents the AI agent from inspecting or modifying the validation logic at runtime. A Python-based solution could be read by the agent, who could then edit the source to bypass restrictions. Go produces a single static binary with no runtime dependencies.
make build # Build to bin/lily
make test # Run all tests (267 tests across 12 packages)
make all # Test + build
make install # Build + copy to /usr/local/bin
make install-go # Install via go install
make fmt # Format code
make vet # Run go vet
make clean # Remove bin/