A few days ago, I shared why I walked away from heavy web panels like aaPanel and Plesk to build Vessel—a local-first desktop control plane that manages your servers over standard SSH with zero server overhead.
The response from this community was incredible (shoutout to Nazar Boyko @nazar_boyko for the suggestion to aggregate multi-container logs—I'm currently mapping out the Rust backend for that!).
Since that post, I've spent the last 72 hours straight overhauling the frontend and hardening the security model. Here is exactly how it works under the hood, how I avoided common security pitfalls in agentless tools, and what the new UI looks like.
The project is 100% open-source (MIT): Vessel
The Tech Stack: Why Tauri + SolidJS?
Electron apps are notorious for eating 500MB of RAM just to idle. For a tool meant to save server resources, that felt hypocritical.
I paired Tauri v2 (Rust) with SolidJS for the frontend.
- Rust Backend: Handles multi-threaded SSH connections, SFTP streams, and native OS API calls.
- SolidJS Frontend: Provides fine-grained reactivity. When server metrics stream back over the Tauri IPC bridge, only the exact DOM nodes for the CPU/RAM graphs update.
- The Result: A premium, glassmorphic UI that compiles into a featherweight native binary (~15MB) and uses almost zero idle desktop memory.
Hardening an Agentless System (The Security Details)
Because Vessel installs absolutely nothing on your VPS, it has to execute commands remotely via SSH channels. If you don't handle user input flawlessly, you invite nightmare vulnerabilities.
Here is how the security architecture is set up to prevent that:
- Zero Configuration Files for Secrets: Your SSH private keys and passwords never touch a plain text file or an unencrypted app database. Vessel interfaces directly with your operating system's native secure storage:
  - macOS: Keychain Services
  - Windows: Credential Manager
  - Linux: Secret Service API via libsecret
- Shell Injection Defenses: When you restart a systemd service or toggle a Docker container in the UI, Vessel doesn't just pass strings into a raw remote shell (sh -c). We structure commands as explicit argument arrays directly via the SSH subsystem. This completely eliminates standard shell injection vectors.
- Path Traversal & File Protection: The built-in SFTP file manager applies strict null-byte filtering and alphanumeric sanitization on the Rust layer before sending file system requests. This prevents malicious or accidental path traversal exploits (../../etc/passwd).
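A path check of the kind described above, written as an added Rust example and not taken from Vessel's code. The function name, the error type, the `/srv/app` root and the allowed-character set are assumptions; the check is purely lexical, so a symlink on the server can still point outside the root and needs a server-side check.

```rust
// Added example with hypothetical names; not Vessel's implementation.
#[derive(Debug, PartialEq)]
pub enum PathError { Empty, NulByte, DisallowedChar(char), Absolute, Traversal }

// Assumed policy: ASCII alphanumerics plus these characters.
const EXTRA_ALLOWED: [char; 4] = ['.', '_', '-', '/'];

/// Validate an untrusted, relative remote (POSIX) path and join it under `root`.
pub fn resolve_under_root(root: &str, requested: &str) -> Result<String, PathError> {
    // NUL first: C-based servers truncate at it, so "a\0.png" would become "a".
    if requested.contains('\0') { return Err(PathError::NulByte); }
    // Allowlist instead of denylist: anything not explicitly permitted is rejected.
    if let Some(c) = requested.chars()
        .find(|c| !c.is_ascii_alphanumeric() && !EXTRA_ALLOWED.contains(c)) {
        return Err(PathError::DisallowedChar(c));
    }
    if requested.starts_with('/') { return Err(PathError::Absolute); }
    let mut parts: Vec<&str> = Vec::new();
    for seg in requested.split('/') {
        match seg {
            "" | "." => {}                                // collapse "//" and "./"
            ".." => return Err(PathError::Traversal),     // refuse, do not "resolve"
            s => parts.push(s),
        }
    }
    if parts.is_empty() { return Err(PathError::Empty); }
    Ok(format!("{}/{}", root.trim_end_matches('/'), parts.join("/")))
}

fn main() {
    // Constructed sample inputs.
    for p in ["conf/nginx.conf", "../../etc/passwd", "logs/../../etc/passwd", "/etc/passwd", "a\0b"] {
        println!("{:?} -> {:?}", p, resolve_under_root("/srv/app", p));
    }
}
```

Rejecting `..` outright, rather than normalizing it away, keeps the result independent of how the server would resolve the path.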
What's Inside the New Build
- Docker Engine Dashboard: Instantly view container states, toggle lifecycles, and stream live container logs.
- Secure File Manager: Inline code editor, file permission management, and binary file protection over SFTP.
- Reverse Proxy & SSL: Clean configuration generation for Nginx and Caddy without altering the rest of your server layout.
- Real-time Monitoring: WebGL-accelerated graphs tracking CPU, RAM, disk, and uptime via low-overhead Linux metrics parsing.
Source Code & Pre-built Binaries
Vessel is free, open-source, and ready to use. I’ve compiled binaries for Windows (.exe/.msi), Linux (.deb), and macOS (.dmg).
If you want to look at the security implementation, build it from source, or try it out:
GitHub Repo: Vessel
If you like the local-first approach to dev tools, dropping a star on the repository helps immensely with visibility and keeps the project moving forward!
Let me know what you think of the security model or what feature you'd want to see added next in the comments.