Thanks for your feedback, Daniel. I think if you try it, you will be
pleasantly surprised.

On the issue of "manually approving agent requests" -- you don't have to.
The local agent gets to see and approve each request, but the user can
"allow forever" and doesn't need to approve each request manually.

Re: "additional network and firewall considerations," Guardian Agent just
runs over autossh. If you can SSH to the intermediary, you can run Guardian
Agent.

On the "other attacks with similar prerequisites" -- if I understand you,
Guardian Agent already prevents these attacks. The "legit auth challenge"
is bound to the triple of { intermediary machine, command, server }, so
it's not possible to "replace" a legit auth challenge and use the user's
credentials to execute a different command (or on a different server, or
from a different intermediary) than what was requested. (The way that
Guardian Agent works is that the local agent actually issues the command to
the remote server before handing over the session to the intermediary.) So
while a compromised intermediary machine can *ask* to execute an evil
command, the agent will know about it and it won't match some prior "allow"
rule in the local configuration.

(To be clear, this works best for commands like 'git fetch-pack' to a
particular repository or something like that, where the command is not
going to allow arbitrary follow-on commands to be executed. If the user
wants to execute a shell or some other interactive session, then yes, this
doesn't prevent a malicious intermediary from later inserting arbitrary
input into the session. Probably the best thing in that case, if you really
don't trust the intermediary, would be to just to use the intermediary to
ferry ciphertext bytes and not to let it see the plaintext at all. But even
in that case, at least Guardian Agent still lets you lock down which
intermediaries can connect to which remote servers.)

-Keith