TransIT AI

Vendor coverage

Generic Linux / Unix

Generic Linux / Unix server — any device whose CLI is the open UNIX command space.

Mode: unrestricted (the only vendor in v1 without a per-command permit list).

Why “unrestricted”?

A Linux server has no realistically bounded set of “safe” commands. The operational CLI is the entire UNIX command space — ls, cat, ps, top, df, journalctl, systemctl status, ad infinitum. An honest “allow these read verbs, block these destructive ones” list would be both infinite and false confidence:

  • We’d miss the next thousand destructive verbs.
  • You’d trust the list anyway.

Two properties preserve the spirit of Transit AI’s permit-list-AND-click rule even without a per-command list:

1. The approval dialog is mandatory

Every command the AI proposes on a Linux device opens an approval dialog with an amber warning banner at the top. There is no silent-execution path.

2. The always-allow shortcut is refused

On other vendors, you can mark “always allow this pattern in this chat” to skip the approval dialog for matching commands (the permit list still runs). On Linux, this shortcut is unavailable — every command needs an explicit click, no exceptions.

What you’ll see

When the AI proposes any command on a Linux device, the approval dialog renders with this warning above the command box:

Generic Linux/Unix server — Transit AI cannot enforce a read-only command list. Verify every command before approving. The “always allow” shortcut is disabled for this device class.

Approve runs the command. Deny doesn’t. There is no shortcut.

The risk and the mitigation

Risk: the AI proposes a destructive command and you reflex-approve. Mitigation: the warning banner, the mandatory dialog, and the fact that the always-allow shortcut is unavailable. You retain full agency over what runs — Transit AI just won’t pretend a permit list is protecting you when it can’t.

When to use this vendor profile

  • Your inventory record is a generic Linux server (jumpbox, monitoring host, etc.).
  • The vendor isn’t on the supported list yet and you’d rather not wait for vendor-specific coverage.

For a vendor with a documented safe-command surface that we don’t yet support, open a request. We ship new vendor profiles regularly.