Agent Skills
› NeverSight/learn-skills.dev
› alma-linux-remote-plugin
alma-linux-remote-plugin
GitHubAlma Linux远程管理插件,支持SSH/SFTP连接、持久会话及WebSocket终端桥接。提供危险命令审批、RBAC权限控制、严格策略校验及SIEM兼容审计日志,确保Linux主机操作的安全性与可追溯性。
Trigger Scenarios
需要远程执行Linux命令或批量操作
通过SFTP上传或下载文件
建立持久化SSH会话进行交互式调试
检查远程服务状态或查看系统日志
涉及高危命令需人工审批或权限校验
Install
npx skills add NeverSight/learn-skills.dev --skill alma-linux-remote-plugin -g -y
SKILL.md
Frontmatter
{
"name": "alma-linux-remote-plugin",
"description": "Remote Linux management for Alma via SSH\/SFTP with persistent stateful SSH sessions, thread-session binding, NL-to-command bridge, xterm.js websocket terminal bridge, dangerous-command approval flow, strict command policy option, host-key verification modes, RBAC allowlist, and SIEM-friendly redacted audit fields.",
"allowed-tools": [
"Bash",
"Read",
"Write"
]
}
Alma Linux Remote Plugin
Use this project to manage remote Linux hosts from Alma with safety controls.
Capabilities
- SSH connection test
- Single/batch command execution
- Primary tools:
run_command,run_batch - Compatibility aliases:
execute_command,execute_batch
- Primary tools:
- Upload/download files via SFTP
- Service status and journal logs
- Dangerous command protection:
- Manual approval workflow (
approval_id) - Operator RBAC allowlist (
approval.allowed_operators) - Optional one-time confirmation token mode
- Manual approval workflow (
- Command policy hardening:
policy.strict_policy=false(compatible mode)policy.strict_policy=true(normalized/token-level matching)
- Host key verification policy (
ssh.host_key_policy):known_hosts(RejectPolicy + optionalknown_hosts_required)reject(strict reject unknown hosts)auto_add(compatibility mode)
- Server profile docs:
- First remote access auto-creates
server_profiles/<IP>.md - Subsequent remote calls read this profile before connect
- First remote access auto-creates
- Audit logging (
JSONL) with SIEM-friendly fields and safety:request_id/trace_id/operator_ip- Sensitive fields redacted (
password/token/secret/key/passphrase) stdout/stderrtruncated for log safety
- Persistent SSH sessions (stateful shell):
open_session,list_sessions,close_sessionrun_command_in_session,write_session,read_session,resize_session- Session metadata persistence (
session.storage_file)
- Real terminal bridge (xterm.js + WebSocket):
start_terminal_wsreturnsws://.../terminal/<session_id>stop_terminal_wsunregisters a session or stops the WS server
- Session key injection:
send_keys_to_sessionsupportsESC/UP/DOWN/LEFT/RIGHT/TAB/ENTER
- Thread-session binding layer:
bind_thread_session,get_thread_session,unbind_thread_sessionensure_thread_session(auto-open and bind when missing)
- NL -> command bridge:
plan_command_from_text(plan only)execute_text_in_session(plan + run in persistent session)
Install
git clone https://github.com/adfoke/alma-linux-remote-plugin.git
cd alma-linux-remote-plugin
uv sync --all-extras
Quick Start
uv run python demo_cli.py --config ./examples/hosts.example.yaml handle health
uv run python demo_cli.py --config ./examples/hosts.example.yaml tools
uv run python demo_cli.py --config ./examples/hosts.example.yaml handle execute_command '{"host_name":"prod-web-1","command":"uptime"}'
uv run python demo_cli.py --config ./examples/hosts.example.yaml handle open_session '{"host_name":"prod-web-1"}'
uv run python demo_cli.py --config ./examples/hosts.example.yaml handle list_sessions '{"status":"all"}'
uv run python demo_cli.py --config ./examples/hosts.example.yaml plan-text thread-a prod-web-1 "帮我看下磁盘和内存"
uv run python demo_cli.py --config ./examples/hosts.example.yaml exec-text thread-a prod-web-1 "查看 nginx 状态和最近日志"
uv run python demo_cli.py --config ./examples/hosts.example.yaml handle send_keys_to_session '{"session_id":"<SESSION_ID>","keys":["ESC",":wq","ENTER"]}'
English doc: README.en.md
Safety Workflow (dangerous command)
- Run dangerous command → receive
approval_requiredandapproval_id - Approver calls
approve_requestwith allowedoperator - Re-run command with
approval_id
Code Audit Notes
plugin.pynow uses_with_connected_client(...)to consolidate repeated connect/close patterns.- Added focused tests for
ssh_client.pyandterminal_ws.pyto keep critical path coverage high.
Quality Gate
uv run ruff check src tests demo_cli.py
uv run pytest --cov=src/alma_linux_remote_plugin --cov-report=term-missing --cov-fail-under=65
Main Entrypoint
- Runtime adapter:
src/alma_linux_remote_plugin/runtime_adapter.py - Plugin metadata:
plugin.yaml
Version History
- e0220ca Current 2026-07-05 23:20


