Start deploying
·3 min read·Robert Seares

SSH into any agent, in one command

a2a ssh <agent> drops you into a throwaway cloud box with Node, Python, a2a-pack, and your agent's repo already loaded — over your existing ingress, VS Code-ready, and scaled to zero when idle.

productdeveloper-experienceagents

Deploying an agent on a2a cloud gives you a URL. But the moment something looks off — a skill misbehaving, a dependency to check, a quick fix to try — you don't want a URL. You want to be *inside* the thing.

Now you are:

Shell
a2a ssh my-agent

One command drops you into a shell on a throwaway cloud box with Node, Python, a2a-pack, and your agent's repo already there. No VM to spin up, nothing to install, no repo to clone. You land in ~/my-agent, on the same runtime your agent deploys on.

What you skip

Getting a real environment for an agent used to mean the usual dance: clone the repo, install the right Node and Python, pip install the SDK, replicate the runtime, hope it matches production. Every time, on every machine.

a2a ssh deletes that dance. The box comes up whole:

  • Node 20 and Python 3.11
  • a2a-pack pre-installed — run a2a, iterate on skills, test locally
  • git and your agent's source, already cloned
  • a real shell with sudo and a TTY

And when you disconnect, it scales to zero. It costs nothing sitting idle, and wakes on your next connect.

Bring your own editor

a2a ssh writes an entry to your ~/.ssh/config, so the box is reachable from anything that speaks SSH — including remote IDEs:

  • VS Code / Cursor — Remote-SSH → Connect to Host → your agent
  • JetBrains Gateway — same host alias, zero extra setup
  • scp / rsync — move files in and out
  • bare sshssh my-agent.a2a

You get a full remote editing session against the agent's repo, running on the agent's own toolchain.

The part we're quietly proud of

Here's the wrinkle: SSH is raw TCP, and our cluster's ingress is HTTP-only. There's no SSH port open to the world — and we didn't want to open one. Every exposed port is attack surface.

So we don't. The box runs sshd bound to localhost, and a small bridge tunnels SSH over a WebSocket through the same HTTPS ingress your agents already use. The a2a CLI ships the ProxyCommand that speaks that tunnel. No bastion, no firewall rule, no new port. (It's the same trick Cloudflare Access uses for SSH-over-HTTPS — and it's why VS Code Remote-SSH just works.)

Locked down by default

A dev box is scoped and disposable on purpose. Two independent checks gate every session:

  • Your keya2a ssh generates a throwaway SSH keypair per agent; only it

can log in.

  • A signed grant — each connection carries a short-lived, Ed25519-signed

grant scoped to that one box, verified at the tunnel before SSH even begins. Nothing shared, nothing stored, nothing to leak.

The box clones your repo with a fresh, read-scoped token — never a platform admin credential — and scales to zero when you leave, so there's no idle surface to attack.

Deploy the agent. Then live in it.

That's the whole idea. You ship an agent as a product — database, tools, API, frontend — and now, when you need to get your hands on it, you're one command away from a full environment on the exact runtime it runs on.

Shell
pip install -U a2a-pack
a2a ssh my-agent

Live in it.

discussion

0 comments

No comments yet.
Checking session