Config is the same across clients — only the file and path differ.
{
  "mcpServers": {
    "brokre": {
      "args": [
        "-y",
        "brokre@latest"
      ],
      "command": "npx"
    }
  }
}
brokre is a local credential broker for AI agents and humans. Use it with Cursor, Claude Code, Kimi Code, Trae, OpenClaw, Hermes Agent, ChatClaw, and other MCP-capable clients to run ssh, mysql, psql, and more — passwords never enter AI context, environment variables, or ps output. It wraps any CLI on your PATH — not only SSH or MySQL — and injects saved passwords at the prompt without exposing plaintext to the AI process, shell history, or process environment.
Run this in your terminal to verify the server starts. The success message is printed whenever head exits cleanly, whether or not npx succeeded, so check the first line of output itself.
npx -y 'brokre' 2>&1 | head -1 && echo "✓ Server started successfully"
No known CVEs.
Checked brokre against OSV.dev.
Developed by Techinone (成都同创合一科技有限公司).
0.2.17 is the current release: SessionRelay routed SSH by default, multi-hop bastion routes, local-only list by default, and the existing one-command npm install / auto MCP registration / auto binary upgrade flow.
npm install -g brokre # or: npx -y brokre@latest
| Capability | What happens |
|---|---|
| Auto MCP registration | postinstall runs brokre-setup-mcp — detects installed IDEs only and merges npx -y brokre@latest into each global MCP config. Re-run: brokre mcp setup or npx brokre-setup-mcp. Skip: BROKRE_MCP_SKIP_SETUP=1. |
| Auto binary upgrade | On each MCP start, compares npm package version with PATH / ~/.brokre/bin/brokre; downloads matching GitHub Release when missing or older. |
| CLI without npm | brokre version / brokre upgrade for install.sh users; brokre mcp setup to register MCP after installing IDEs. |
| Supported IDEs | Cursor, VS Code, VS Code Insiders, Claude Code, Claude Desktop, Trae, Kimi Code, Windsurf, OpenClaw — see packages/brokre-mcp/README.md. |
Recommended MCP config (also applied by auto-setup):
{ "command": "npx", "args": ["-y", "brokre@latest"] }
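One way to review what auto-setup merged into a client's MCP config, as an added example (not brokre's own code): it lists npx-launched servers and flags package specs that are not an exact version, since @latest is a floating tag resolved at launch and -y skips the install prompt. The sample config, the brokre-pinned and local-tool entries, and all function names are constructed for illustration.

```javascript
// Split an npm package spec ("name@1.2.3", "@scope/name@tag") into parts.
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  return at > 0
    ? { name: spec.slice(0, at), version: spec.slice(at + 1) }
    : { name: spec, version: null }; // no suffix: npm resolves "latest"
}

// Only an exact semver (optionally with a prerelease) counts as pinned.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Package npx will fetch: the -p/--package value, else the first non-flag arg.
function npxPackage(args) {
  for (let i = 0; i < args.length; i++) {
    const a = args[i];
    if (a === '-p' || a === '--package') return args[i + 1] ?? null;
    if (a.startsWith('--package=')) return a.slice('--package='.length);
    if (!a.startsWith('-')) return a;
  }
  return null;
}

// One finding per npx-launched server in an MCP config object.
function auditMcpConfig(config) {
  const findings = [];
  for (const [id, srv] of Object.entries(config.mcpServers ?? {})) {
    if (srv.command !== 'npx') continue; // only npx entries fetch from npm
    const args = srv.args ?? [];
    const spec = npxPackage(args);
    if (!spec) continue;
    const { name, version } = splitSpec(spec);
    findings.push({
      id, name, version,
      pinned: version !== null && EXACT.test(version),
      autoInstall: args.includes('-y') || args.includes('--yes'),
    });
  }
  return findings;
}

// Constructed sample: the page's entry plus two hypothetical ones.
const SAMPLE = { mcpServers: {
  'brokre': { command: 'npx', args: ['-y', 'brokre@latest'] },
  'brokre-pinned': { command: 'npx', args: ['-y', 'brokre@0.2.17'] },
  'local-tool': { command: '/usr/local/bin/tool', args: [] },
} };

for (const f of auditMcpConfig(SAMPLE)) console.log(JSON.stringify(f));
```

To audit a real client, pass the parsed contents of its global MCP config file to auditMcpConfig in place of SAMPLE.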
The bastion layer lets AI agents operate many hosts behind one jump box without copying vault passwords into context or scattering secrets on the laptop.
| Advantage | What it means in practice |
|---|---|
| Single control plane | Register a bastion SSH alias (b150), sync inner aliases from remote brokre, and drive the whole cluster from brokre list / MCP brokre_list |
| Smart routing | b150::db, b150::app-01, multi-hop b1::b2::inner — route separator ::; routed SSH uses SessionRelay by default |
| Secrets stay on the bastion | Routed exec runs ~/.brokre/bin/brokre on the jump host; laptop holds metadata and session gate, not inner-host passwords |
| Human gate, agent-friendly | Bastion outbound requires unlock (TTY, /bastion-auth, or MCP URL elicitation); gate auth survives manage UI idle expiry so long MCP runs keep working |
| Cluster-safe defaults | Local-only list by default; explicit bastion discovery; reachability probes with ms timeouts and concurrency caps; loop detection and audit route/bastion fields |
| Privileged ops over routes | brokre_exec_elevated and sudo/sudo -i paths work through bastions with session reuse and PTY hardening |
Typical flow for a K8s / DB / batch cluster behind one entry host:
brokre bastion enable b150
brokre bastion sync b150 --json # pull inner alias catalog
brokre bastion unlock
brokre list --include-bastions --json # b150::db, b150::worker-01, …
brokre ssh b150::db systemctl status # MCP: brokre_exec with routed alias
MCP equivalent:
{ "binary": "ssh", "args": ["b150::db", "uname", "-a"] }
Gate policy (default vs strict) — see Bastion gate policy below. Gate is inactive until brokre bastion set-key; then default unlocks only bastion outbound p