SakiAgentSSH — SASS Protocol v1.4

IETF Internet-Draft: draft-sakistudio-sass-05

SASS (Saki Agent Secure Stream) is an application-layer overlay protocol specifically engineered for authenticated remote command execution, streaming process I/O, and binary file transfer between autonomous AI Agents. Considering the threat model of a “Rogue Agent” executing tasks on remote nodes—where, unlike human operators using legacy SSH clients, an Agent might autonomously execute destructive commands, exfiltrate credentials, or perform lateral network movement—the SASS protocol defines a transport-agnostic Abstract Message Model (SAMM) utilizing a decoupled “Control-Transport” architecture.


Core Features

FeatureDescription
6-Response State MachineConverges all potential Agent actions into six deterministic responses (R1~R6), ensuring storage safety for each.
Multi-layered Active Threat Defense (MAS)13Policy heuristic boundary adjudicator + Cognitive Challenge mechanism + Dual-Standard execution.
Safety GradientA 7-layer loss boundary theory—each protocol layer constrains worst-case losses even if all layers above are breached.
Transparent BranchingAgent-transparent write isolation, redirecting all write operations to a disposable branch directory.
Vi SwapTrap authenticated but over-privileged Agents in a simulated interactive terminal state, forcing the LLM to halt generation.
TarpitStream high-entropy data to unauthenticated attackers at O(1) memory cost, exhausting their local compute resources.
PTY Ring BufferCircular buffer + offset transmission, enabling idempotent reconnections after link interruptions.
Control-Transport DecouplingSAMM abstract message model supporting gRPC-h2 / WebSocket / TCP-CBOR-RPC transport profiles.

Architecture

+----------------------------------------------------------+
| Layer 7: Transparent Branching (UVSF | Micro Branch)     |
+----------------------------------------------------------+
| Layer 6: Storage Sandbox (UVSF Core | KFS Kernel)        |
+----------------------------------------------------------+
| Layer 5: Forward-Secure Audit Trail (Hash Chain)          |
+----------------------------------------------------------+
| Layer 4: Capability & Session Management                  |
+----------------------------------------------------------+
| Layer 3: Active Threat Defense (13Policy, Tarpit, Vi)     |
+----------------------------------------------------------+
| Layer 2: Payload Encoding (Zstd Stream + Base64)          |
+----------------------------------------------------------+
| Layer 1: Abstract Transport Adapter (SAMM Interface)      |
+----------------------------------------------------------+
|  [Transport Profiles: gRPC-h2 | WS | TCP-CBOR-RPC]       |
+----------------------------------------------------------+

Orthogonal: 6-Response State Machine
+----------------------------------------------------------+
| R1: EXECUTE  | R2: CHALLENGE | R3: THROTTLE              |
| R4: VI_SWAP  | R5: TARPIT    | R6: DROP                  |
+----------------------------------------------------------+

7 RFC Standardized Plugins

SASS defines 7 composable security plugins, each with its own independent RFC anchor:

  1. ChaCha20-Poly1305 Cognitive Challenge — Requires the Agent to solve cryptographic challenges to prove cognitive capabilities.
  2. TLS Exporter Channel Binding — Binds the session to the TLS channel, preventing Man-in-the-Middle (MitM) attacks.
  3. Zero-Allocation Tarpit — Global 64 KiB static buffer, streaming infinite bytes with O(1) memory.
  4. ED25519 Audit Chain — Blockchain-like immutable audit logs.
  5. Vi Swap Terminal Trap — Simulates vi with ANSI escape sequences to stall LLM generation.
  6. Symlink Tree Transparent Branching — Redirects file writes to a disposable branch tree.
  7. Volatile Environment Redirection — Isolates cache and garbage I/O to a tempfs sandbox.

Download & Installation

v1.4.0 — Total Response Mapping Release

Package Managers

# Scoop (Windows)
scoop bucket add sakistudio https://github.com/Saki-tw/Scoop-SakiStudio
scoop install sakiagentssh-daemon
scoop install sakiagentssh-client

# Homebrew (macOS)
brew tap saki-tw/tools
brew install --cask sakiagentssh-daemon
brew install --cask sakiagentssh-client

# Winget (Windows)
winget install SakiStudio.SakiAgentSSH.Client
winget install SakiStudio.SakiAgentSSH.Daemon

Build from Source

# Daemon (Server Side)
cd saki-ssh-daemon && cargo build --release

# Client (Client Side)
cd saki-ssh-client && cargo build --release

# macOS GUI Application (SwiftUI)
cd SakiAgentSSH-Daemon && xcodegen generate && xcodebuild build -configuration Release
cd SakiAgentSSH-Client && xcodegen generate && xcodebuild build -configuration Release

Documentation

ResourceLink
IETF Datatrackerdraft-sakistudio-sass
GitHubSaki-tw/SakiSSH-Saki-Agent-Secure-Stream
Winget (Client)SakiStudio.SakiAgentSSH.Client
Winget (Daemon)SakiStudio.SakiAgentSSH.Daemon
Architecture SpecARCHITECTURE.md
0226 Incident WhitepaperOriginal (Traditional Chinese) · Official (English)

ProjectDescriptionLink
SakiMCPModel Context Protocol Server (Rust)App Store
SakiAgentSkillsAgent Skills Library (Swift/Python)App Store
VI-SakiWin64Vi editor for Windows x64Winget

Authors



In this cold and dark era where terminals are always pitch black, this hint of color feels like a pale blue butterfly rising from the depths of one’s chest.

Copyright © 2026 Saki Studio. All Rights Reserved.