feat(actions): SSH forced-command service-restart channel + host wrapper

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

deploy/void-act

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# Forced command for the Void's restricted key. Maps a whitelisted action id to a
+# concrete systemctl restart. The id arrives via SSH_ORIGINAL_COMMAND; nothing else
+# is honoured. Edit the case list per host. Keep in sync with config/actions.json.
+#
+# Install on each target host:
+#   install -m 755 void-act /usr/local/bin/void-act
+#   # in voidact's ~/.ssh/authorized_keys, prefix the Void's pubkey with:
+#   command="/usr/local/bin/void-act",no-port-forwarding,no-pty,no-X11-forwarding <pubkey>
+set -euo pipefail
+id="${SSH_ORIGINAL_COMMAND:-}"
+case "$id" in
+  restart-caddy-ct100) exec systemctl restart caddy ;;
+  *) echo "void-act: refused '$id'" >&2; exit 13 ;;
+esac

lib/actions/channels/ssh.js

@@ -0,0 +1,26 @@
+import { spawn as nodeSpawn } from 'node:child_process';
+
+const ID_RE = /^[a-z0-9-]+$/;
+
+// Runs `ssh voidact@<ip> <action-id>`. The host's authorized_keys pins a forced
+// wrapper (deploy/void-act) that maps the id → systemctl restart <service> from
+// its OWN whitelist. We pass ONLY the id as a single argv element — no shell.
+export function restartService({ ip, actionId }, {
+  keyPath = process.env.ACTIONS_SSH_KEY,
+  user = 'voidact',
+  spawnImpl = nodeSpawn
+} = {}) {
+  if (!ID_RE.test(actionId || '')) return Promise.reject(new Error(`invalid action id: ${actionId}`));
+  const args = ['-i', keyPath, '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new',
+    `${user}@${ip}`, actionId];
+  return new Promise((resolve, reject) => {
+    const child = spawnImpl('ssh', args);
+    let out = '', err = '';
+    child.stdout.on('data', (d) => { out += d; });
+    child.stderr.on('data', (d) => { err += d; });
+    child.on('close', (code) => code === 0
+      ? resolve({ ok: true, output: out.trim() })
+      : reject(new Error(`ssh ${actionId} → exit ${code}: ${err.trim()}`)));
+    child.on('error', reject);
+  });
+}

tests/actions/ssh.test.js

@@ -0,0 +1,24 @@
+import { describe, it, expect } from 'vitest';
+import { restartService } from '../../lib/actions/channels/ssh.js';
+
+describe('ssh channel', () => {
+  it('spawns ssh with argv (no shell string) sending only the action id', async () => {
+    const calls = [];
+    const spawnMock = (cmd, args) => {
+      calls.push({ cmd, args });
+      return { stdout: { on(ev, cb) { if (ev === 'data') cb('ok\n'); } }, stderr: { on() {} },
+        on(ev, cb) { if (ev === 'close') cb(0); } };
+    };
+    const out = await restartService({ ip: '192.168.1.230', actionId: 'restart-caddy-ct100' },
+      { keyPath: '/k', user: 'voidact', spawnImpl: spawnMock });
+    expect(out.ok).toBe(true);
+    const { cmd, args } = calls[0];
+    expect(cmd).toBe('ssh');
+    expect(args).toEqual(['-i', '/k', '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new',
+      'voidact@192.168.1.230', 'restart-caddy-ct100']);
+  });
+  it('rejects an action id with shell metacharacters', async () => {
+    await expect(restartService({ ip: '1.2.3.4', actionId: 'x; rm -rf /' }, { spawnImpl: () => {} }))
+      .rejects.toThrow(/invalid action id/i);
+  });
+});