praxis¶
The unified AI-operations MCP. A self-contained, security-first, single-operator-operable, EU-sovereign control plane that fuses three things into one audited surface.
Maturity
v0: real and tested, in iterative security hardening, not a finished product.
make ci-success is green and each of the nine invariants has a passing test, but
read Limitations
and the security model
before relying on it.
What it is¶
- A live bitemporal model of the fleet. Hosts, services, packages, storage, networks, identities, and alerts as typed vertices and edges, every fact carrying four timestamps and never deleted (corrections supersede). The source of truth.
- A drift engine. Observed host state against desired state (an IaC plan, a config baseline, or an operator-blessed known-good snapshot), with structured findings and human-gated convergence.
- A tiered, audited actuator. One execution path that classifies every action T0 to T3, gates state-changing actions behind human confirmation, and wraps the right tool per host type (ssh, ansible, opentofu, runbooks, talosctl, redfish, cloud) instead of reinventing it.
It is self-contained: no imports from, or runtime coupling to, any sibling fleet repository. Third-party libraries are minimal and license-vetted (pydantic for input validation, psycopg for the optional Postgres backend), and the execution core stays dependency-free.
The nine invariants¶
The load-bearing controls, each with a proving test:
- Single audited execution path; no tool bypasses it.
- Tiered authority T0 to T3; conservative classification; modes gate tiers; deny is global.
- Audit stores
output_sha256andoutput_len, never bodies; an append-only hash chain; redacted parameters; the logger never raises. - Bitemporal, append-only state; deletion blocked at the store; supersession carries an actor and a reason.
- host_type gates actuation; never SSH a Talos host.
- DRY_RUN, then human approval, then execute; T3 needs a typed token and one target at a time.
- stdio by default; HTTP needs a token, a non-loopback opt-in, and an SSRF egress filter; no token passthrough.
- Lethal-trifecta containment; read tools separable from act tools; a human gate between observation and actuation.
- Least privilege; scoped, revocable credentials; a kill switch; no
NOPASSWD: ALL.
Where to start¶
- Architecture: the design reference and the layered structure.
- Decisions (ADRs): the immutable record of every design decision.
- Safety and security (STPA): the hazard analysis and the security constraints each control traces to.
- Governance: the EU AI Act, NIS2, CRA, GDPR, and ISO 27001 mapping.
- Runbooks: the day-to-day operator loop.
- Roadmap: documented possible future expansion.
- Backlog: the stable
BL-NNNwork items.
The quickstart, the security model, and the running limitations live in the repository: README, SECURITY, LIMITATIONS.
License¶
Apache-2.0 (see LICENSE and NOTICE in the repository).