by graceful6800 28 days ago
Genuine question, how is everyone else dealing with giving agents elevated permissions? Obviously the answer is "don't", but some things are pretty harmless, like journalctl and dmesg, and are pretty useful for debugging the system.

I guess you could make a new user to run the harness under and give it no-password sudo rights for select commands? That doesn't feel like a great solution but it's the only thing I can come up with.
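
The restricted-sudo idea from the post above, as an added example that is not part of the original thread: rather than granting `journalctl` and `dmesg` directly, sudoers permits one root-owned wrapper that passes through only an allowlist of read-only options. The user name `agent`, the path `/usr/local/sbin/agent-logs` and the option allowlist are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical wrapper, root-owned, mode 0755, at
# /usr/local/sbin/agent-logs. Assumed sudoers drop-in (user "agent" is
# an assumption), edited with `visudo -f /etc/sudoers.d/agent-logs`:
#   agent ALL=(root) NOPASSWD: /usr/local/sbin/agent-logs
# Granting journalctl directly with wildcard arguments would also permit
# --vacuum-*, --rotate, --file=... and the interactive pager, all as root.
PATH=/usr/bin:/bin
export PATH

# Return 0 only for "journalctl" or "dmesg" followed by allowlisted,
# read-only options. Anything unrecognised is refused, never passed on.
args_ok() {
    [ "$#" -ge 1 ] || return 1
    tool=$1
    shift
    case "$tool" in journalctl|dmesg) ;; *) return 1 ;; esac
    for a in "$@"; do
        case "$tool:$a" in
            journalctl:-b|journalctl:-k|journalctl:--no-hostname) ;;
            journalctl:--unit=*|journalctl:--since=*|journalctl:--lines=*|journalctl:--priority=*)
                # Option values: non-empty, conservative character set.
                case "${a#*=}" in ''|*[!A-Za-z0-9@._:-]*) return 1 ;; esac ;;
            dmesg:--ctime|dmesg:--kernel) ;;
            dmesg:--level=*)
                case "${a#*=}" in ''|*[!a-z,]*) return 1 ;; esac ;;
            *) return 1 ;;
        esac
    done
    return 0
}

main() {
    if ! args_ok "$@"; then
        echo "agent-logs: refused: $*" >&2
        return 1
    fi
    tool=$1
    shift
    # Never start an interactive pager as root.
    if [ "$tool" = journalctl ]; then set -- --no-pager "$@"; fi
    exec "$tool" "$@"
}

# Run only when installed under its real name, so the functions can be
# sourced or tested without executing anything.
case "${0##*/}" in agent-logs) main "$@" ;; esac
```

The agent would then call `sudo /usr/local/sbin/agent-logs journalctl -b --unit=ssh.service --since=-1h`; any option outside the allowlist is refused before a root process starts.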

2 comments

I give it passwordless sudo but don't give it permissions to automatically run commands. I just review what it's running before accepting. If it looks questionable, I interrupt and ask it to explain what/why it wants to run the thing.

I use sudo -A with some openssh ui for sudo. I tell the agent to use sudo -A for anything that it needs and then it pops up with a sudo password prompt.