ssh_session_exec
Execute a command in an open SSH session, returning stdout, stderr, and exit code.
Instructions
Execute a command in a session opened with ssh_session_open. Returns stdout, stderr and exit_code. exit_code != 0 means remote command failure, NOT a tool error. The command is preflighted against the current signer policy before execution; target and bastion access, end-user groups, sudo, sudo_user, PTY, and the host's physical route are revalidated, and audit-mode policy warnings are returned in warnings. If a policy is enabled after a shell/pty session was opened, later commands in that session are rejected. Session state (current directory, environment variables) persists across calls when mode=shell or mode=pty.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| command | Yes | command to execute in the session | |
| session_id | Yes | id returned by ssh_session_open |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| serial | Yes | audit identifier; ignore when reasoning about the result | |
| stderr | Yes | error output of the remote command (empty when pty=true, since stdout and stderr are merged) | |
| stdout | Yes | standard output of the remote command | |
| warnings | No | advisory warnings; command_policy audit-mode warnings mean the command was allowed but would have been blocked or approval-gated in enforce mode | |
| exit_code | Yes | exit code of the remote command: 0=success, non-zero=command failure (NOT a tool error) |