infrabroker

Infrastructure access broker for AI agents — SSH & Kubernetes. The model never receives a credential: it requests an action, and the broker executes it with a credential minted for that single operation — an ephemeral, scope-limited SSH certificate from its own CA, or a short-lived bound ServiceAccount token — and returns only the output. (formerly ssh-broker)

This site is the published reference. The Markdown lives in the repository under docs/ and is the single source of truth — it is reviewed in the same pull request as the code, and the generated reference is rebuilt from the code on every build so it cannot drift.

Start here

| If you want to… | Read |
| --- | --- |
| Understand the design and request flow | Architecture |
| Know what is and isn't defended | Threat model |
| Run it — startup, hosts, hot-reload, PKI | Operations |
| Call the HTTP services | API reference |
| Use the MCP tools (as the model/operator) | Tool usage |
| Report a vulnerability | Security |
| Contribute | Contributing · Coding style |

Generated reference (from code)

These pages are produced by tools/docgen from the actual routes, tool schemas, and config structs, and are diff-checked in CI:

The three frontends

  • MCP stdio (cmd/mcp-broker) — local, recommended for personal use; isolation comes from the process being launched by the user.
  • MCP HTTP + OAuth2/OIDC (cmd/mcp-broker-http) — remote, multi-user; each client authenticates with an OIDC bearer token; the user identity (and groups) propagate to the signer.
  • HTTP + mTLS (cmd/broker, POST /v1/ssh_run) — one-shot, for network agents with a client certificate.