---
title: Remote support
description: How ARGUS remote support works, the consent and activation model, and the guides for each operator task.
---

# Remote support



Remote support is a controlled, audited way for an ARGUS operator to reach a tenant's running streaming agent: tail logs, read allowlisted files, refresh capability data, view a camera frame, and apply signed hotfix patches. It exists so an install problem or an incident can be diagnosed remotely instead of on site.

## The model in plain terms

**Agents connect OUT only.** The streaming agent dials the ops API and holds a persistent idle WebSocket. The server has no inbound path to the host. If the agent is not already running, it is offline and the only remedy is out of band: there is no "start" or "wake" affordance anywhere, and activation against an offline agent fails. This is why cold-start reach-in is impossible by construction.

**The agent ships dormant.** Until the server flips activation for that specific agent, every command message the agent receives is rejected. Its only outbound traffic on the support channel is a heartbeat, an activation-state ack, and an advisory capability manifest.

**Tenant consent is a hard gate.** Every activation checks recorded tenant consent before any session token is minted. A database CHECK makes "enabled without signed consent" unrepresentable, and there is no operator override. A tenant that has not signed the remote-support clause hard-fails activation with `tenant_consent_required`.

**ARM is operator-asserted and time-boxed.** Arming a tenant (`argusctl tenant arm`) is the operator's assertion that signed consent exists, made with a dedicated PAT scope and a required reason. Sessions themselves auto-expire: default 30 minutes, hard cap 120 minutes in server code. There is no "stay activated forever" knob.

**Activation needs the 3-factor operator gate.** Opening a session requires, independently: a caller IP inside `REMOTE_SUPPORT_OPERATOR_CIDRS`, the `X-Argus-Ops-Token` second factor matching `ARGUS_OPS_TOKEN`, and an operator credential carrying the `remote_support` scope. Drop any one and the request gets a 403. `REMOTE_SUPPORT_ENABLED` must also be on.
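A sketch of how the three factors can be evaluated independently, added here as an illustration and not taken from the ARGUS server code. The function names, the `"true"` flag format, the sample values, and returning 403 when the feature flag is off are assumptions; only the setting names, the `remote_support` scope, and the 403 on a missing factor come from this page.

```python
import hmac
import ipaddress

# Constructed sample configuration; the values and the "true" flag format are assumptions.
SAMPLE_CONFIG = {
    "REMOTE_SUPPORT_ENABLED": "true",
    "REMOTE_SUPPORT_OPERATOR_CIDRS": "203.0.113.0/24, 2001:db8:10::/48",
    "ARGUS_OPS_TOKEN": "constructed-ops-token",
}

def ip_allowed(caller_ip, raw_cidrs):
    """Factor 1: caller IP must fall inside a configured CIDR. Empty or bad input fails closed."""
    try:
        ip = ipaddress.ip_address(caller_ip)
        nets = [ipaddress.ip_network(c.strip()) for c in raw_cidrs.split(",") if c.strip()]
    except ValueError:
        return False
    return any(ip in net for net in nets)

def token_matches(presented, expected):
    """Factor 2: constant-time compare; an unset server-side token never matches."""
    if not expected or presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())

def operator_gate(config, caller_ip, ops_token_header, credential_scopes):
    """Return (http_status, failed_checks). Hypothetical helper, not the ARGUS server code."""
    checks = {
        # Assumption: a disabled feature flag is reported as 403 like any failed factor.
        "enabled": config.get("REMOTE_SUPPORT_ENABLED") == "true",
        "operator_cidr": ip_allowed(caller_ip, config.get("REMOTE_SUPPORT_OPERATOR_CIDRS", "")),
        "ops_token": token_matches(ops_token_header, config.get("ARGUS_OPS_TOKEN", "")),
        "remote_support_scope": "remote_support" in credential_scopes,
    }
    # Every check runs on every request, so the audit row can name each failed factor.
    failed = [name for name, ok in checks.items() if not ok]
    return (403 if failed else 200), failed
```

Evaluating all checks instead of returning at the first failure keeps the response identical (a 403) while letting the audit record show exactly which factors were missing.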

**Every action is audited.** Every activation, command, and patch attempt writes two rows: one to the operational audit table and one to the append-only events store. A nightly job compares the two and emails on any mismatch. The tenant sees a live indicator whenever a session is active.

## Lifecycle

1. **Consent.** The tenant signs the remote-support clause; the consent record is stored with the signed-document ID.
2. **Arm.** An operator asserts that consent and arms the tenant.
3. **Activate.** The operator passes the 3-factor gate and opens a time-boxed session on one enrolled, online agent. The session token is shown once.
4. **Command.** The operator runs allowlisted commands only (`ping`, `agent_info`, `tail_log`, `read_file`, `get_capabilities`, signed `apply_patch`, camera view). Each command is validated against the session's bound tenant and agent.
5. **Disarm / expire.** The session ends by explicit deactivation, by expiry, by the agent-side kill switch, or by disarming the tenant (which ends any live sessions). The end is audited.

## Guides

* [Arm and disarm a tenant](/docs/remote-support/arm-disarm)
* [Activate a session and run commands](/docs/remote-support/remote-in)
* [View a camera frame](/docs/remote-support/camera-live-view)
* [Revoke a stale agent enrollment](/docs/remote-support/revoke)
* [Security model](/docs/remote-support/security-model)

Related references: [argusctl tenant commands](/docs/cli/tenant), [argusctl agent commands](/docs/cli/agent), [argusctl support commands](/docs/cli/support).

