A dangerous vibe-coded remote execution system over WebSockets. Run UNIX commands on remote workers through a central broker.

A human Vibe-coded this project using ChatGPT5 and Claude Code. Consider not using it if you are allergic to vibe-coded software engineering.

This was done to explore the capabilities of Vibe coding in Rust and to create a proof-of-concept for a remote execution system. Something somewhat scary.

We observed that AI agents do not really care about security, unless you ask, repeatedly. This project has not received an independent human-made security audit.

IMPORTANT: Tokens must be stored in separate files with secure permissions before running the system:

# Create token directories
mkdir -p tokens

# Generate client token
CLIENT_TOKEN=$(openssl rand -base64 32)
echo "$CLIENT_TOKEN" > tokens/broker-clients
echo "$CLIENT_TOKEN" > tokens/client

# Generate worker token
WORKER_TOKEN=$(openssl rand -base64 32)
echo "$WORKER_TOKEN" > tokens/broker-workers
echo "$WORKER_TOKEN" > tokens/worker

# Set secure permissions (owner read/write only)
chmod 0600 tokens/*

Edit the generated config.toml to reference these files:

[security]
# Broker validation tokens (one per line in each file)
client_tokens_file = "tokens/broker-clients"
worker_tokens_file = "tokens/broker-workers"

[client]
# Client authentication token
token_file = "tokens/client"

[worker]
# Worker authentication token
token_file = "tokens/worker"

# Optional: Restrict commands workers can run
[exec]
[[exec.command_configs]]
command = "/usr/bin/echo"
allow_args = true

[[exec.command_configs]]
command = "/usr/bin/cat"
allow_args = false

[[exec.command_configs]]
command = "/bin/sh"
allow_args = true
allowed_args = ["-c"]
max_args = 2

Security Notes:

• Token files must have 0600 permissions (owner read/write only)
• Tokens must be at least 32 characters long
• Client and worker tokens are separate from broker validation tokens
• Workers deny all commands by default (secure by default)
• Commands must be explicitly configured to be allowed

Prerequisites: Rust/Cargo installed + Security Setup completed

1. Build and configure:

   cargo build --release
   ./target/release/rendez-vous-exec gen-config --output config.toml
   # Complete Security Setup above before proceeding

2. Run (3 terminals):

   # Terminal 1: Broker
   ./target/release/rendez-vous-exec --config config.toml broker
   
   # Terminal 2: Worker
   ./target/release/rendez-vous-exec --config config.toml worker --job-category test
   
   # Terminal 3: Client
   echo "Hello World" | ./target/release/rendez-vous-exec --config config.toml client \
       --job-category test --stdin -- cat

Output: Hello World

Client                  Broker                  Worker
  |                       |                       |
  |---> WebSocket ------->|                       |
  |     (WSS/HTTPS)       |<----- WebSocket -----|
  |                       |       (WSS/HTTPS)    |
  |                       |                       |
  |-- Job Request ------->|-- Relay Job -------->|
  |-- stdin line -------->|-- Relay stdin ------>|-- flush stdin -->
  |                       |<-- stdout line ------|<-- line buffered -
  |<-- stdout line -------|                       |
  |                       |<-- stderr line ------|<-- line buffered -
  |<-- stderr line -------|                       |
  |<-- Exit Status -------|<-- Exit Status ------|

Real-time Line Streaming: stdin/stdout/stderr are processed line-by-line for immediate feedback.

• stdin: Sent and flushed immediately on each line/write
• stdout/stderr: Buffered line reading with immediate transmission

• Real-time I/O streaming over WebSockets
• Job categories for different worker types
• Token-based authentication
• Binary data support

For quick testing with containers:

• Docker and Docker Compose installed

# 1. Create token directory and generate secure tokens
mkdir -p docker-tokens

# Generate client token (used for both broker validation and client auth)
CLIENT_TOKEN=$(openssl rand -base64 32)
echo "$CLIENT_TOKEN" > docker-tokens/broker-clients
echo "$CLIENT_TOKEN" > docker-tokens/client

# Generate worker token (used for both broker validation and worker auth)
WORKER_TOKEN=$(openssl rand -base64 32)
echo "$WORKER_TOKEN" > docker-tokens/broker-workers
echo "$WORKER_TOKEN" > docker-tokens/worker

# Set secure permissions
chmod 0600 docker-tokens/*

# 2. Build and run services
docker-compose up --build

# 3. Run with demo client (in another terminal)
docker-compose --profile demo up client-example

# Build image
docker build -t rendez-vous-exec .

# Run broker
docker run -p 8080:8080 \
  -v $(pwd)/config.docker.toml:/app/config.toml:ro \
  -v $(pwd)/docker-tokens:/app/tokens:ro \
  rendez-vous-exec --config /app/config.toml broker

# Run worker (different terminal)
docker run \
  -v $(pwd)/config.docker.toml:/app/config.toml:ro \
  -v $(pwd)/docker-tokens:/app/tokens:ro \
  rendez-vous-exec --config /app/config.toml worker --job-category demo

# Run client (different terminal)
echo "Hello Docker!" | docker run -i \
  -v $(pwd)/config.docker.toml:/app/config.toml:ro \
  -v $(pwd)/docker-tokens:/app/tokens:ro \
  rendez-vous-exec --config /app/config.toml client --job-category demo --stdin -- cat

Output: Hello Docker!

cargo test

• Do Not use in production: this is a prototype to test vibe coding in Rust. Use at your own risk.
• This is not a tty proxy: running tty will return not a tty. Consider using SSH or similar instead.
• This has not been security audited by humans: again, use at your own risk.

MIT License - see LICENSE file for details. The MIT standard last paragraph in uppercase letters is important.