a2a cloud
a2a ssh

SSH into any agent.
One command.

a2a ssh <agent> opens a throwaway cloud box with Node, Python, a2a-pack, and the agent repo already loaded. No VM to provision, nothing to install, nothing to clone. It scales to zero when you leave.

terminalshell
$ a2a ssh revenue-agent
  waking revenue-agent dev box … ready in 6s

dev@revenue-agent:~$ ls
revenue-agent/
dev@revenue-agent:~$ cd revenue-agent && node --version && python3 --version
v20.20.2
Python 3.11.2
dev@revenue-agent:~/revenue-agent$ a2a --help
Build, package, and deploy A2A agents.
what's in the box

A real environment, not a stub.

Every dev box comes up whole — the agent's toolchain and its code, ready the second you connect.

node + python

Node 20 and Python 3.11 on the PATH

a2a-pack

The SDK + CLI pre-installed — iterate on tools, test locally

your repo

The agent's git repo already cloned into ~/<agent>

real shell

bash, sudo, a TTY — a full environment, not a sandbox stub

prod parity

Same runtime image family your agent deploys on

scale to zero

Wakes on connect, drains to zero when you leave

connect from anywhere

Your editor, on the agent's runtime.

a2a ssh writes a ~/.ssh/config entry, so every OpenSSH tool reaches the box by its host alias — including remote IDEs.

VS Code / Cursor

Remote-SSH → Connect to Host → the agent's alias. Full remote editing.

JetBrains Gateway

Connect over SSH to the same host alias, zero extra setup.

scp / rsync

Copy files in and out with the tools you already use.

bare ssh

ssh <agent>.a2a for a plain terminal on the box.

how it works

SSH over your existing ingress. No open port.

The cluster has no exposed SSH port. The box runs sshd on localhost and tunnels SSH over a WebSocket through the same HTTPS ingress your agents use — the CLI ships the ProxyCommand that speaks it. No bastion, no firewall rule, no new attack surface. (The same pattern Cloudflare Access uses for SSH-over-HTTPS.)

ssh client->
a2a ssh-proxy->
wss:// ingress->
bridge->
sshd->
your shell
scoped by design

Disposable, signed, and least-privilege.

Two independent checks gate every session — the transport grant and your SSH key. Neither alone gets you in.

ephemeral key

A throwaway SSH keypair per agent under ~/.a2a/ssh — only that key logs in.

signed transport

Each connection carries a short-lived Ed25519 grant scoped to that box, verified before SSH begins.

scoped repo access

The box clones with a fresh read-scoped Gitea token — never a platform admin credential.

no idle surface

Disconnect and the box scales to zero. Nothing left running to attack.

one command

Deploy the agent. Then live in it.