SSH & Kubernetes access broker for AI agents; the model never touches a credential.
Config is the same across clients — only the file and path differ.

```json
{
  "mcpServers": {
    "io-github-luisgf-infrabroker": {
      "command": "<see-readme>",
      "args": []
    }
  }
}
```
Infrastructure access broker for AI agents — SSH & Kubernetes. The model never touches a credential. (formerly ssh-broker)
The agent requests an action — run a command on a host, query or change a cluster. infrabroker checks it against policy, executes it with a credential minted for that single operation — an ephemeral, scope-limited SSH certificate from its own CA, or a short-lived bound ServiceAccount token — and returns only the output. Keys, certificates and tokens live in the broker's memory and are discarded after the call: nothing enters the model's context, so a prompt-injected agent has nothing to exfiltrate.
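As an added example (not infrabroker's own code), the per-operation credential this paragraph describes can be reproduced with OpenSSH alone: a demo CA signs an ephemeral key into a user certificate bound to one principal, one source address, one forced command and a few minutes of validity, and ssh-keygen -L shows those bindings. It assumes ssh-keygen is on PATH; the CA, key names, the "deploy" user and the 10.0.0.5 address are constructed for the demo.

```shell
#!/bin/sh
# Added example, not infrabroker's own code. Mints a per-operation SSH user
# certificate from a demo CA with the constraints the README describes
# (one principal, one source address, one forced command, short validity)
# and shows them with ssh-keygen -L. Assumes OpenSSH's ssh-keygen on PATH.
set -eu

WORK=$(mktemp -d)                 # stands in for the broker's memory
cleanup() { rm -rf "$WORK"; }     # discard CA, key and cert after the call
trap cleanup EXIT

# Constructed demo CA (the real broker keeps its CA key in the signer).
ssh-keygen -q -t ed25519 -N '' -C 'demo-broker-ca' -f "$WORK/ca"

# Ephemeral key pair for this single operation.
ssh-keygen -q -t ed25519 -N '' -C 'one-op' -f "$WORK/op"

# mint_cert PRINCIPAL SOURCE_ADDR FORCE_COMMAND TTL
# Signs op.pub into op-cert.pub. -O clear drops the default extensions
# (pty, port forwarding, agent forwarding), so the certificate can do
# nothing but run FORCE_COMMAND as PRINCIPAL from SOURCE_ADDR until TTL.
mint_cert() {
  ssh-keygen -q -s "$WORK/ca" \
    -I "agent-op-$(date +%s)" \
    -n "$1" \
    -V "+$4" \
    -O clear \
    -O "source-address=$2" \
    -O "force-command=$3" \
    "$WORK/op.pub"
  printf '%s\n' "$WORK/op-cert.pub"
}

# cert_has CERT TEXT: succeeds if the decoded certificate contains TEXT.
cert_has() {
  ssh-keygen -L -f "$1" | grep -Fq -- "$2"
}

# Constructed values: login user "deploy", a single /32 bastion address,
# the command the agent asked for, and a five-minute window.
CERT=$(mint_cert deploy 10.0.0.5/32 uptime 5m)
ssh-keygen -L -f "$CERT"
```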
Three frontends share the same engine (internal/broker) and tool surface (internal/mcpserver):

- cmd/mcp-broker. Tools: ssh_execute, ssh_session_open / ssh_session_exec / ssh_session_close, ssh_list_servers, ssh_put_file / ssh_get_file; with clusters configured, also k8s_get / k8s_list / k8s_logs / k8s_apply / k8s_delete / k8s_list_clusters. No transport auth — isolation comes from the process being launched by the user (as the MCP spec recommends for stdio).
- cmd/mcp-broker-http, Streamable HTTP. Same tools, but each client authenticates with an OIDC bearer token validated locally against the issuer's JWKS; the user identity (and groups, for per-user RBAC) is propagated to the signer.
- cmd/broker, POST /v1/ssh_run (one-shot), for network agents authenticated with a client certificate.

This README is a landing page. The detail lives in focused, single-source docs:
| Document | Contents |
|---|---|
| ARCHITECTURE.md | Diagram, request flow, design decisions, sudo elevation, sessions, multi-CA |
| THREAT_MODEL.md | Actors, trust boundaries, security controls, and explicit non-goals/gaps |
| OPERATIONS.md | Runbook: startup, adding hosts, hot-reload, broker-ctl, PKI rotation, configs |
| API.md | HTTP endpoint reference for all services |
| USAGE.md | Guide to the MCP tools (SSH + Kubernetes), dry-run, and audit review (for the model / operator) |
| SECURITY.md | Vulnerability disclosure policy |
| CONTRIBUTING.md · CODING_STYLE.md | Workflow, versioning, Go style |
source-address (broker or bastion IP), and — for one-shot — a force-command. Useless outside its host/time/IP.

allow_sudo / allowed_sudo_users live in the signer; a compromised broker cannot escalate where policy forbids it.

ca_keys), each key optionally