From 21723a6860cafff580077c55fe8661e247f0884b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 9 Apr 2026 18:44:42 +0000
Subject: [PATCH 1/2] Initial plan


From b331c49b618d4cd2c7b412912caf83391707c0d6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 9 Apr 2026 18:46:13 +0000
Subject: [PATCH 2/2] Add scoped sudo rules to tech-support.nix for
 sovran-support user

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/e108b70d-de49-4d19-87a7-f093df3b05d3

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
 modules/core/tech-support.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/modules/core/tech-support.nix b/modules/core/tech-support.nix
index 2a0fd5d..6dd84d8 100644
--- a/modules/core/tech-support.nix
+++ b/modules/core/tech-support.nix
@@ -11,6 +11,8 @@
 #     (u:sovran-support:---) by the Hub API as soon as a session is started.
 #   • The Hub web UI lets the user grant time-limited access to wallet files
 #     and view a full audit log of every session event.
+#   • Scoped sudo rules allow support staff to edit custom.nix, trigger rebuilds,
+#     restart services, and read logs — without full root or wallet access.
 #
 # The `acl` package provides the `setfacl` / `getfacl` utilities required by
 # the Hub's _apply_wallet_acls() and _revoke_wallet_acls() helpers.
@@ -39,4 +41,20 @@
     "d /var/lib/sovran-support      0700 sovran-support sovran-support -"
     "d /var/lib/sovran-support/.ssh 0700 sovran-support sovran-support -"
   ];
+
+  # ── Scoped sudo rules for support staff ───────────────────────────────────
+  # Grants only the minimum privileges needed for a support session.
+  # Support staff cannot stop/disable/mask services or access wallet files.
+  security.sudo.extraRules = [
+    {
+      users = [ "sovran-support" ];
+      commands = [
+        { command = "/run/current-system/sw/bin/nano /etc/nixos/custom.nix";        options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/nano /etc/nixos/configuration.nix"; options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/nixos-rebuild switch --flake /etc/nixos"; options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/systemctl restart *";               options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/journalctl *";                      options = [ "NOPASSWD" ]; }
+      ];
+    }
+  ];
 }