Security feedback: SSH hardening and policy validation

[pimlock]

Context

Security hardening work is required to improve SSH and policy enforcement safeguards.

Requested work

• Further harden ssh security
• Fine-tune seccomp policies.
• Enforce mTLS certificate validation.
• Add checks to verify setgid and setuid calls succeed.
• Add policy validation to ensure corrupted or maliciously modified policies do not cause unsafe behavior.

Definition of done

• Security hardening changes are implemented and validated.
• Failure modes are explicit, with safe defaults when validation fails.
• Tests or checks cover the new validation and enforcement paths.

---

Originally by @drew on 2026-02-12T17:58:51.059-08:00

[pimlock]

Additional security review here, https://docs.google.com/document/d/1BpszyWkTepMN5DRaraA9AWQKgfdBqINUBpVRbLmlSeU/edit?tab=t.0.

This document should be broken up into tickets.

---

Originally by @drew on 2026-02-19T08:23:28.602-08:00

[drew]

This ticket is duplicated by other more specific tickets. Closing this in favor of the others.