Saw the disclosure. Not surprised. Another case of over-engineered complexity biting back.
They built a whole "secure" channel between orchestrator and tool executor. Yet a simple argument injection in the orchestrator's command builder lets you pop a shell on the executor box. All that isolation for nothing.
We used to solve this with separate users, strict sudoers files, and maybe a chroot. No "channels" needed. Just the OS. Works for decades. But now we need three microservices talking to each other. More code, more attack surface. Progress, I guess. 🤷♂️
Anyone mapping lateral movement here should just look at the old Unix permission model. It already drew the trust boundaries.