infrabroker
Infrastructure access broker for AI agents — SSH & Kubernetes. The model
never receives a credential: it requests an action, and the broker executes
it with a credential minted for that single operation — an ephemeral,
scope-limited SSH certificate from its own CA, or a short-lived bound
ServiceAccount token — and returns only the output. (formerly ssh-broker)
This site is the published reference. The Markdown lives in the
repository under docs/ and is the single source of
truth — it is reviewed in the same pull request as the code, and the
generated reference is rebuilt from the code on every build so it
cannot drift.
Start here
| If you want to… | Read |
|---|---|
| Understand the design and request flow | Architecture |
| Know what is and isn't defended | Threat model |
| Run it — startup, hosts, hot-reload, PKI | Operations |
| Call the HTTP services | API reference |
| Use the MCP tools (as the model/operator) | Tool usage |
| Report a vulnerability | Security |
| Contribute | Contributing · Coding style |
Generated reference (from code)
These pages are produced by tools/docgen from the actual routes, tool schemas, and config
structs, and are diff-checked in CI:
- HTTP endpoints — every route across the services
- MCP tools — tool names and input/output schemas
- Config reference — every config field and policy vocabulary
- broker-ctl CLI — command and flag reference
The three frontends
- MCP stdio (cmd/mcp-broker) — local, recommended for personal use; isolation from the process being launched by the user.
- MCP HTTP + OAuth2/OIDC (cmd/mcp-broker-http) — remote, multi-user; each client authenticates with an OIDC bearer token; the user identity (and groups) propagate to the signer.
- HTTP + mTLS (cmd/broker, POST /v1/ssh_run) — one-shot, for network agents with a client certificate.