Managed hosts are reached through OpenSSH and standard system tools. ShellOrchestra does not require installing a permanent agent daemon on servers.
Instead of long-lived authorized_keys entries, ShellOrchestra can configure an SSH CA and issue short-lived user certificates for connections.
Server-access material is tied to trusted client devices. New devices and sensitive key changes are approved through the trusted-device workflow.
Desktop apps are designed around narrow backend actions, payload validation, iframe sandboxes for untrusted rich content, and audit logging.