infrabroker
infrabroker is an infrastructure access broker MCP server that lets AI agents securely execute SSH and Kubernetes operations using ephemeral, scope-limited credentials that never enter the model's context, with policy enforcement and audit logging.
SSH & Host Operations:
List accessible hosts (
ssh_list_servers): Discover all permitted hosts and their capabilities (sudo, PTY, file transfer, bastion info). Call this first before interacting with any host.Execute one-shot SSH commands (
ssh_execute): Run a single command with an ephemeral SSH certificate. Supports optional sudo elevation, PTY allocation, dry-run mode (previews policy without executing), and custom certificate TTL. Returns stdout, stderr, and exit code.Persistent SSH sessions (
ssh_session_open/ssh_session_exec/ssh_session_close): Open reusable connections for multi-step workflows in three modes —exec(stateless),shell(stateful:cdand env vars persist), orpty(interactive pseudo-terminal for editors,less, etc.). Policy is revalidated on each command.File transfer (
ssh_get_file/ssh_put_file): Read or write files over SSH with base64 support for binary data, size limits, SHA-256 integrity checks, and optionalchmod. Requiresallow_file_transfer=trueon the host.
Kubernetes Operations:
Supports
k8s_get,k8s_list,k8s_logs,k8s_apply,k8s_delete, andk8s_list_clustersusing short-lived bound ServiceAccount tokens.
Security & Governance:
Ephemeral credentials exist only in broker memory — never exposed to the AI model, preventing exfiltration even if the agent is compromised.
Every operation is validated against configurable allow/deny command policies, RBAC groups, and optional human-in-the-loop approval gates.
All actions are logged in an append-only, cryptographically chained audit trail with serial identifiers and SHA-256 digests for non-repudiation.
Sudo and PTY usage are gated by host-level policy flags. Session recording via ASCIIcast v2 is also supported.
Provides tools for managing Kubernetes clusters, including querying resources, applying manifests, and deleting resources, with per-operation bound ServiceAccount tokens and dry-run support.
infrabroker
Infrastructure access broker for AI agents — SSH & Kubernetes. The model
never touches a credential. (formerly ssh-broker)
The agent requests an action — run a command on a host, query or change a cluster. infrabroker checks it against policy, executes it with a credential minted for that single operation — an ephemeral, scope-limited SSH certificate from its own CA, or a short-lived bound ServiceAccount token — and returns only the output. Keys, certificates and tokens live in the broker's memory and are discarded after the call: nothing enters the model's context, so a prompt-injected agent has nothing to exfiltrate.
Three frontends share the same engine (internal/broker) and tool surface
(internal/mcpserver):
MCP stdio (local, recommended for personal use) —
cmd/mcp-broker. Tools:ssh_execute,ssh_session_open/ssh_session_exec/ssh_session_close,ssh_list_servers,ssh_put_file/ssh_get_file; with clusters configured, alsok8s_get/k8s_list/k8s_logs/k8s_apply/k8s_delete/k8s_list_clusters. No transport auth — isolation comes from the process being launched by the user (as the MCP spec recommends for stdio).MCP HTTP + OAuth2/OIDC (remote, multi-user) —
cmd/mcp-broker-http, Streamable HTTP. Same tools, but each client authenticates with an OIDC bearer token validated locally against the issuer's JWKS; the user identity (and groups, for per-user RBAC) is propagated to the signer.HTTP + mTLS —
cmd/broker,POST /v1/ssh_run(one-shot), for network agents authenticated with a client certificate.
Documentation
This README is a landing page. The detail lives in focused, single-source docs:
Document | Contents |
Diagram, request flow, design decisions, sudo elevation, sessions, multi-CA | |
Actors, trust boundaries, security controls, and explicit non-goals/gaps | |
Runbook: startup, adding hosts, hot-reload, | |
HTTP endpoint reference for all services | |
Guide to the MCP tools (SSH + Kubernetes), dry-run, and audit review (for the model / operator) | |
Vulnerability disclosure policy | |
Workflow, versioning, Go style |
Related MCP server: Agentic Vault
Why infrabroker
Anti-exfiltration (prompt injection): the ephemeral key/cert/token live only in the broker's memory; they never enter the model's context.
Kubernetes without kubeconfigs: the signer mints a short-lived bound ServiceAccount token (TokenRequest API) per operation; every cluster is default-deny with per-verb/resource/namespace policy and the same dry-run, approval and audit path as SSH.
Anti-reuse: each cert carries a TTL of minutes,
source-address(broker or bastion IP), and — for one-shot — aforce-command. Useless outside its host/time/IP.Controlled escalation:
allow_sudo/allowed_sudo_userslive in the signer; a compromised broker cannot escalate where policy forbids it.CA compromise bounded: one CA per host group (
ca_keys), each key optionally in Azure Key Vault — the private key never leaves the HSM.Audit / non-repudiation: append-only, Ed25519-chained log correlated by
serialacross signer, broker, andsshd.
The full threat model — including what the system deliberately does not defend — is in THREAT_MODEL.md.
How it works
AI model ──tool call──> broker ──mTLS──> [control-plane] ──mTLS──> signer
(no credential) (ephemeral key (approval + (CA key +
in RAM, never guardrails, policy + RBAC,
on disk) no CA key) signs the cert)
│
└── SSH with the ephemeral cert ──> bastion ──> target host
└─ stdout/stderr/exit_code ─> modelThe broker sends an intent ({host, role, purpose, command?, sudo?, pty?, pubkey, …}); the signer derives every certificate constraint from policy and
returns the signed cert. The ephemeral private key is generated in the broker
and never leaves it. See ARCHITECTURE.md for the request flow,
the design decisions, and the per-hop ProxyJump certificate diagrams.
Feature overview
Capability | One-liner | More |
Ephemeral certificates | Ed25519 pair in RAM per operation; minutes-long, scoped cert. No reusable secret. | |
External signer | A separate | |
Multi-CA + HSM | One CA key per host group via | |
AI-action firewall | Per-host or composable-by-group command policy (allow/deny/ | |
Human-in-the-loop approval | Optional control plane gates | |
Action budgets (behaviour guardrails) | Budget how much an agent can do: per-CN sign-rate cap plus per-subject rate limit and novelty escalation (a subsequent new host / novel command → approval); observe or enforce. Network tools budget what an agent can reach or spend; this budgets the actions themselves. | |
RBAC | Broker-CN groups (mTLS) + per-end-user OIDC groups; fail-closed. | |
sudo / PTY | Policy-gated elevation ( | |
Kubernetes broker |
| |
Session recording |
| |
Chained audit | Append-only, Ed25519-signed, SHA-256-chained; correlated by | |
Hot reload |
|
Comparison with existing solutions
Several tools address SSH access control or AI-agent credential security, but none cover the full combination that infrabroker targets in a lightweight, self-hosted package.
Feature | infrabroker | Teleport | Vault + SSH engine | StrongDM | ssh-mcp |
Ephemeral cert in memory (no disk) | ✅ | ✅ | ✅ | ❌ | ❌ |
Separate broker / signing service | ✅ | ✅ | Partial | ❌ | ❌ |
MCP-native (AI agents) | ✅ | ✅ (2025) | ✅ (2025) | ❌ | ✅ |
OAuth2/OIDC on MCP transport | ✅ | ✅ | ✅ | ❌ | ❌ |
Per-command policy + dry-run (AI-action firewall) | ✅ | ❌ | ❌ | ❌ | ❌ |
Human-in-the-loop approval for AI commands | ✅ | ❌ | ❌ | ❌ | ❌ |
Per-agent behavioral guardrails (anomaly/rate) | ✅ | ❌ | ❌ | ❌ | ❌ |
Session recording (ASCIIcast v2, stdin+stdout+stderr) | ✅ | ✅ | ❌ | Partial | ❌ |
Cryptographically chained audit log | ✅ | ❌ | ❌ | Partial | ❌ |
Single-binary / simple self-hosted | ✅ | ❌ | ❌ | ❌ | ✅ |
HSM/KMS for CA key | ✅ (AKV) | ✅ | ✅ | — | — |
Teleport is the closest commercial equivalent — short-lived SSH certs, RBAC, and since 2025 Secure MCP; its Jan-2026 Agentic Identity Framework targets the same threat model. The difference is operational weight: Teleport needs a dedicated control-plane cluster, recording proxy, and web UI — orders of magnitude heavier than a Go binary + signer.
HashiCorp Vault SSH secrets engine
is an SSH CA with full HSM/KMS support and (2025) its own MCP server, but it
provides only the signing piece — you still build the execution layer
(engine.go, session.go, the MCP tools) yourself.
StrongDM hides credentials but stores
long-lived secrets rather than generating ephemeral certs in memory, making it
weaker against exfiltration. Smallstep SSH CA is a
lightweight OIDC-integrated SSH CA (close to cmd/signer) with no execution
broker or MCP layer. ssh-mcp exposes
SSH to LLMs over MCP but uses a static SSH key — the exact vulnerability this
broker prevents. CyberArk PAM offers
comparable JIT cert access but is a closed enterprise platform for human
operators, not AI workloads.
Where it fits: MCP-native AI-agent access + in-memory ephemeral certs + separate signer + ASCIIcast recording + chained audit, as a small set of Go binaries without a cluster. Enterprise features (web UI, multi-region HA) are on the roadmap (see HANDOFF.md).
Install
Prebuilt binaries — each release ships
infrabroker_<ver>_{linux,darwin}_{amd64,arm64}.tar.gzwith all six binaries, plus the installer tarball (infrabroker-v<ver>.tar.gz) thatdeploy/install.shconsumes for the systemd production path.go install —
go install github.com/luisgf/infrabroker/cmd/mcp-broker@latest(pure Go, no CGO; same for the othercmd/binaries).Container —
ghcr.io/luisgf/infrabroker(docker or podman, multi-arch; entrypoint is the stdio MCP frontend). See CONTAINERS.md, including a compose demo that runs the full stack against a toy host:cd examples/compose && docker compose up --build -d(ormake demo).From source — the Quickstart below.
Register with Claude Code in one line — native binary or container:
claude mcp add infrabroker -- ~/bin/mcp-broker -config /secure/path/config.json
claude mcp add infrabroker -- docker run -i --rm -v /secure/path:/config \
ghcr.io/luisgf/infrabroker -config /config/config.jsonQuickstart
# 1. Build (make injects the version from the git tag into every binary)
make install # → ~/bin/{signer,broker,broker-ctl,mcp-broker,...}
# or a single binary: make signer
# (plain `go build ./cmd/...` also works; it reports a dev-<commit> version)
# 2. Start the signing service (must be running before the broker)
./signer.sh start
# 3. Add a host and reload
broker-ctl host add --name web01 --addr web01.example.com:22 --user deploy --scan \
--groups prod-web --sudo
broker-ctl reload
# (--config is a global flag, before the subcommand; every binary takes --version)
broker-ctl --config /secure/path/signer.json host list
broker-ctl --version # short; add --verbose for build detailsRegister the stdio MCP with your client:
// Claude Code — ~/.claude.json
"infrabroker": { "type": "stdio", "command": "/Users/<you>/bin/mcp-broker",
"args": ["-config", "/secure/path/config.json"] }
// OpenCode — ~/.config/opencode/opencode.json (note: type "local", command is an array)
"infrabroker": { "type": "local",
"command": ["/home/<you>/bin/mcp-broker", "-config", "/secure/path/config.json"],
"enabled": true }Full setup — local vs external signing mode, the remote OAuth frontend, host
fields, sudoers, PKI, and broker-ctl — is in OPERATIONS.md.
Tool usage for the model is in USAGE.md.
API
Full reference: API.md.
Service | Endpoint | Auth | Description |
Signer |
| mTLS | Request an ephemeral SSH certificate |
Signer |
| mTLS | List accessible hosts (filtered by caller groups) |
Signer |
| mTLS | Hot-reload |
Control plane |
| mTLS | Forwarding + human approval |
Broker HTTP |
| mTLS | Execute a one-shot SSH command |
MCP HTTP |
| None | OAuth2 discovery (RFC 9728) |
MCP HTTP | Streamable HTTP | OIDC Bearer | MCP tools |
Security
The security posture — trust boundaries, the layered controls (RBAC, command
policy, approval gate, guardrails, source-address/TTL pinning, chained audit),
and the explicit non-goals (mode=exec sessions are broker-preflighted but
not host-enforced, no KRL, secrets logged verbatim, audit fail-open, …) — is documented in
THREAT_MODEL.md.
To report a vulnerability, see SECURITY.md. CI enforces gofmt,
go vet, go test -race, and govulncheck on every push and PR.
Testing
make test # go test -race ./... (cert build, policy/RBAC/sudo/PTY, hops, …)
bash lab/run_signer_lab.sh # external signer: broker without ca_key + policy + denial
bash lab/run_mcp_lab.sh # bastion + target (ProxyJump) MCP scenario
bash lab/run_lab.sh # HTTP/mTLS frontendLicense
Copyright (C) 2026 Luis González Fernández.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License v3.0 as published by the Free Software Foundation. It is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY. See LICENSE for the full text.
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/luisgf/infrabroker'
If you have feedback or need assistance with the MCP directory API, please join our Discord server