I do NOT recommend that you use Claude Code to execute arbitrary commands on a production application server. But it is a very addictive, time-saving thing to do - particularly to investigate the logs. If you ever want to do it, here is my suggestion for a skill that provides a harness. Please feel free to comment with your suggested improvements.
---
name: prod-vm
description: Rules and protocol for Claude Code when connecting to and operating on production VMs.
---
When the user asks Claude Code to connect to a production VM and perform actions, the following rules apply.
## Connection
Connections are typically made using `plink` with named saved sessions (e.g., `plink "ERP Kerberos Server" <command>`).
## Command Authorization
- **Diagnostic / read-only commands** (viewing logs, checking processes, disk usage, service status, etc.) are permitted without explicit authorization. `sudo` with a read-only payload is also permitted.
- **Any command that alters machine configuration or files** requires explicit user authorization before execution. Authorization may be granted for a single command, a batch of commands, or a class of commands (e.g., "you may restart services if needed").
- **Every command must be printed before execution**, along with the reason it is being run.
## Logging
Maintain a session log at `~/.claude/logs/prod-vm/<machine-name>.cc.log` on the dev machine (never on the prod VM). Log each command executed, the reason it was run, and a summary of its output.
## Data / File Downloads
Any files or data downloaded from the session must be listed at the end of the session for proper handling and securing.
## Sub-commands
If the user specifies `clean-logs`, delete all log files under `~/.claude/logs/prod-vm/`.
If the user specifies `help`, display the available sub-commands and a summary of the rules above.
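
The authorization and logging rules above depend on the model following them; a deterministic gate on the dev machine can enforce the same read-only/altering split before anything is sent over `plink`. The following is an added example, not part of the original skill: `classify`, `gate`, the allowlists and the sample commands are assumptions, and pipes and redirection are deliberately treated as needing authorization to keep the check conservative.

```python
import shlex
from datetime import datetime, timezone
from pathlib import Path

# Assumption: programs treated as diagnostic on this host; anything else is denied by default.
READ_ONLY = {"cat", "tail", "head", "grep", "ls", "df", "du", "ps", "uptime", "free"}
# Programs that can also change state: only these subcommands count as read-only.
READ_ONLY_SUBCMDS = {"systemctl": {"status", "is-active", "list-units"}}
# Chaining, redirection and substitution can hide a write behind a read-only program.
META = (";", "&", "|", ">", "<", "`", "$(", "\n")

def classify(command: str) -> str:
    """Return 'read-only' or 'needs-authorization' for one remote command line."""
    if any(m in command for m in META):
        return "needs-authorization"
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse to guess
        return "needs-authorization"
    if argv and argv[0] == "sudo":
        argv = argv[1:]
        if argv and argv[0].startswith("-"):  # sudo options are not parsed here
            return "needs-authorization"
    if not argv:
        return "needs-authorization"
    prog, rest = argv[0], argv[1:]
    if prog in READ_ONLY:
        return "read-only"
    if rest and rest[0] in READ_ONLY_SUBCMDS.get(prog, ()):
        return "read-only"
    return "needs-authorization"

def gate(machine: str, command: str, reason: str, authorized: bool = False,
         log_dir: Path = Path.home() / ".claude/logs/prod-vm") -> bool:
    """Print and log the command with its reason; return True only if it may run."""
    kind = classify(command)
    allowed = authorized or kind == "read-only"
    verdict = "RUN" if allowed else "BLOCKED"
    print(f"[{machine}] {verdict} ({kind}): {command}\n  reason: {reason}")
    log_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).isoformat()
    with open(log_dir / f"{machine}.cc.log", "a", encoding="utf-8") as fh:
        fh.write(f"{stamp}\t{verdict}\t{kind}\t{command}\t{reason}\n")
    return allowed

if __name__ == "__main__":
    # Constructed sample commands; the session name is the one used on this page.
    for cmd in ("tail -n 100 /var/log/syslog", "systemctl restart nginx"):
        gate("ERP Kerberos Server", cmd, "constructed example")
```

Blocked commands are still written to the log, so the session record shows what was attempted as well as what ran.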