---
title: "Wrangler SSH Hard Gate: Prevent Remote Shell Exposure"
slug: "wrangler-ssh-hard-gate"
date: "2026-03-20"
category: "security"
tags: ["codex-skill", "security", "wrangler", "predeploy"]
---

## What this skill does

This skill runs `predeploy_no_wrangler_ssh_gate.py`, which fails the deployment if any Wrangler config sets `wrangler_ssh.enabled = true`.

## Why it is useful

In a multi-domain constellation, a centrally managed SSH capability can create an unacceptable blast radius. This gate enforces a no-SSH policy before deploy.

## Core command

```bash
cd "<domain-management-root>"
python3 predeploy_no_wrangler_ssh_gate.py \
  --scan-root "<codex-root>" \
  --report-json reports/wrangler_ssh_gate_latest.json
```

## Inputs and outputs

- Input: Wrangler config files under scan root
- Output: `reports/wrangler_ssh_gate_latest.json`
- Exit behavior: non-zero when gate fails

## Compatibility

- Surface: `codex-cli`
- Requires network: no
- Requires escalated permissions: no
- Required tools: `python3`

## Safety notes

- Read-only scan of config files.
- No mutation of deployment artifacts.
- Works as a CI/predeploy block step.

## Sources

- [Cloudflare Wrangler docs](https://developers.cloudflare.com/workers/wrangler/)
- [Cloudflare Containers overview](https://developers.cloudflare.com/containers/)
