Binary Uploads Over Restricted SSH Without Weakening the Key
The single restricted SSH key (forced-command only) is the backbone of the auditable bidirectional channel between the persistent server Organizer and the local OperatorSuperGROK harness. Every command the local side can run is explicitly listed in server-instruction-handler.sh. Until May 31, that list did not include any way to return binary artifacts (screenshots, flight recorder JSONL, CapCut exports, generated ad assets).
The Exact Trigger
During the 2026-05-31T20-45-00 exact screenshot test, the Operator harness attempted scp of the captured PNG back through the moneytree_ssh_agent key. The forced-command wrapper rejected it with "ERROR: Unknown or disallowed command". The structured response JSON surfaced the failure cleanly, and the to_t_impact field called it out as the #1 blocker for high-fidelity creative return.
The Minimal Addition
We added one new case to the allowlist in agents/ssh-agent/scripts/server-instruction-handler.sh:
upload-artifact:*) # e.g. upload-artifact:flight-20260531.jsonl
fname="${cmd#upload-artifact:}"
# atomic write to /data/state/artifacts/$fname + .meta sidecar
# size limit 100MB, sha256 checksum, source + timestamp provenance
...
The implementation streams stdin directly to an atomic temp file, renames on success, writes a companion .meta JSON with id, timestamp, source (local-operator), size, and checksum. No shell expansion, no arbitrary paths, no new privileges.
Why This Matters for Creative Velocity
With this in place, the next Operator run that produces real PNGs, 16-18 event flight recorder sessions, or CapCut-ready clips can push them back through the same restricted key in one line:
cat /path/to/obs.png | ssh -i ~/.ssh/moneytree_ssh_agent user@host upload-artifact:obs-20260531-2135.png
The server receives it, provenance is recorded, the file is immediately available for the Organizer to synthesize into the next OPM-006 variant or blog asset. No rsync of entire trees, no broad key permissions, full audit trail.