Medium Risk

open_remote_control

One-call bootstrap for 'control me from your phone'. Creates a private trusted channel + two identities (one for YOU, one for the human user's phone) and returns a mobile URL + QR + pre-formed shell commands so a single call wires up the whole phone→agent pipe. Use when the user says 'open a remo...

Part of the RogerRat server.

open_remote_control can modify RogerRat data, with no limits today. PolicyLayer puts allow, deny, and rate-limit rules on every call. Live in minutes.


Free to start. No card required.

AI agents use open_remote_control to create or modify resources in RogerRat. Write operations carry medium risk because an autonomous agent could trigger bulk unintended modifications. Rate limits prevent a single agent session from making hundreds of changes in rapid succession. Argument validation ensures the agent passes expected values.

Without a policy, an AI agent could call open_remote_control repeatedly, creating or modifying resources faster than any human could review. PolicyLayer's rate limiting ensures write operations happen at a controlled pace, and argument validation catches malformed or unexpected inputs before they reach RogerRat.

Write tools can modify data. A rate limit prevents runaway bulk operations from AI agents.

policy.json
{
  "version": "1",
  "default": "deny",
  "tools": {
    "open_remote_control": {
      "limits": [
        {
          "counter": "open_remote_control_rate",
          "window": "minute",
          "max": 30,
          "scope": "grant"
        }
      ]
    }
  }
}
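To show what the rule above does on a stream of calls, here is a small Python evaluator added for this page (not PolicyLayer's own code). It assumes a sliding window per counter, that "scope": "grant" keys the counter by the calling identity, and that a tool absent from "tools" falls under "default".

```python
import json
from collections import defaultdict, deque

# The policy.json from the page, embedded so the example runs offline.
POLICY = json.loads("""
{
  "version": "1",
  "default": "deny",
  "tools": {
    "open_remote_control": {
      "limits": [
        {"counter": "open_remote_control_rate", "window": "minute",
         "max": 30, "scope": "grant"}
      ]
    }
  }
}
""")

# Assumed mapping of window names to seconds (the page does not document it).
WINDOW_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class PolicyEvaluator:
    """Decides allow/deny for one tool call, keeping a sliding window per counter."""

    def __init__(self, policy):
        self.policy = policy
        # (counter name, scope key) -> timestamps of calls already allowed
        self.calls = defaultdict(deque)

    def evaluate(self, tool, grant, now):
        rule = self.policy["tools"].get(tool)
        if rule is None:
            return self.policy.get("default", "deny")  # unlisted tool: default applies
        passed = []
        for limit in rule.get("limits", []):
            # "scope": "grant" keys the counter by the calling identity (assumed)
            key = (limit["counter"], grant if limit["scope"] == "grant" else "*")
            window = WINDOW_SECONDS[limit["window"]]
            q = self.calls[key]
            while q and now - q[0] >= window:   # drop calls that aged out of the window
                q.popleft()
            if len(q) >= limit["max"]:
                return "deny"                  # this call would exceed max in the window
            passed.append(q)
        for q in passed:                       # every limit passed: record the call
            q.append(now)
        return "allow"
```

Timestamps are plain seconds so the same evaluator can be driven by a clock or by a replayed audit log.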

See the full RogerRat policy for all 16 tools.

Get this rule live on your own RogerRat server in minutes. PolicyLayer enforces it on every call, before it runs.



These attack patterns abuse exactly the kind of access open_remote_control gives an agent. Each links to the full case and the policy that stops it:


Every attack above starts with a tool call. PolicyLayer checks each one against your policy first, so open_remote_control only ever does what you allow.


Other write tools across the catalogue. The same approach applies to each: rate-limit and validate the arguments.

What does the open_remote_control tool do?

One-call bootstrap for 'control me from your phone'. Creates a private trusted channel + two identities (one for YOU, one for the human user's phone) and returns a mobile URL + QR + pre-formed shell commands so a single call wires up the whole phone→agent pipe. Use when the user says 'open a remote channel', 'let me control you from my phone', 'send me a pair link', 'open the remote control', or similar — this is the right tool over create_channel + join + manual listener setup. After this call, run the steps in the response in order: (1) join with the returned channel_id + token + agent.identity_key + owner_password — get back a session_id; (2) run receiver_command_template via your Bash tool (substituting <SID> with your session_id) — this starts the SSE listener detached in the background; (3) paste monitor_command_template LITERALLY into your Monitor tool to watch the inbox file; (4) run selftest_command_template via Bash — this writes a synthetic line to the inbox so your Monitor fires once and you confirm the wiring is correct before the operator sends anything from the phone. ⚠ NPX BOOTSTRAP: the first time npx -y rogerthat runs on a machine, it downloads the package (30-60s) before listener output starts; during that window the SSE stream isn't connected yet. The selftest line bypasses the listener (it's a direct file append), so the Monitor fires immediately — that confirms file path + Monitor are correct even while the listener finishes its npx warm-up. Only after the selftest notification arrives should you tell the operator 'ready'. (5) Immediately after that, broadcast a one-liner greeting via send (to:'all', no kind) — e.g. "hi, I'm @<your-callsign> — connected via remote control. Tell me what you need.". The /remote phone UI seeds history on join, so when the human opens the URL they see you're alive and ready instead of an empty screen.
(6) When a request from the phone will take more than a few seconds to fulfill, FIRST fire a send with kind:'status' and a short ack like "on it, ~30s" — the phone renders that as a transient ● working… indicator that clears on your real reply, turning dead silence into a visible loading state. Do NOT ask the operator anything about 'persistence strategy' or 'how should I listen' — this tool exists precisely so you listen; the commands are pre-formed. Fall back to a wait loop only if you literally have no shell access. It is categorised as a Write tool in the RogerRat MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.

How do I enforce a policy on open_remote_control?

Register the RogerRat MCP server in PolicyLayer and add a rule for open_remote_control: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches RogerRat. Nothing to install.

What risk level is open_remote_control?

open_remote_control is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.

Can I rate-limit open_remote_control?

Yes. Add a rate_limit block to the open_remote_control rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block open_remote_control completely?

Set action: deny in the PolicyLayer policy for open_remote_control. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides open_remote_control?

open_remote_control is provided by the RogerRat MCP server (rogerrat). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.

Enforce policy on every RogerRat tool call.

Deterministic rules across all 16 RogerRat tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.


4,600+ MCP servers and 31,000+ tools scanned and risk-classified.
