Skip to content
John Broadway edited this page Jul 4, 2026 · 1 revision

FAQ

Isn't handing the keys to an AI agent a bad idea?

Yes. That's the assumption Proximo is built on. It doesn't ask you to trust the agent — it assumes the agent is careless, hijacked, or wrong, and puts the floor somewhere the agent can't reach: your Proxmox RBAC token, enforced by Proxmox server-side, not by Proximo's own code. Point it at a read-only token and it physically cannot mutate a thing, no matter how the model behaves or who's driving. Above that floor, every change is planned, recorded, and reversible where Proxmox allows. Not because the AI earned trust — because it never gets any. See The Trust Spine.

Is Proximo a sandbox?

No, and it says so everywhere. It's defense in depth for AI-driven infra ops. Risk ratings are advisory heuristics — LOW means "no state change," not "safe." The real containment is the token's ACL plus a deployment shape that puts the opt-in gates' state outside the agent's reach. See Security Model.

How is it different from other Proxmox MCP servers?

Most give you an API wrapper and lean on token scoping plus client-side prompts. Proximo's bet is trust by construction — every mutation carries a plan, a tamper-evident record, and an auto-snapshot (where Proxmox supports one), in-band and fail-closed by default — across the governance plane (firewall, SDN, ACLs, roles, realms, PBS) that most servers keep off the agent surface. It's honest about what it isn't: not first, not the most tools, not the only one with a trust story.

Do I have to give it write access?

No. Start read-only — that's the recommended path, and proximo doctor verifies exactly what a token can and can't do before any AI sees it. Grant scoped write only when you're ready, and only to the surface you mean to hand over. See Quickstart.

My Proxmox uses a self-signed certificate. Do I disable TLS?

Never. Proximo refuses to send a token over an unverified channel anyway. Either point at the cluster CA (PROXIMO_CA_BUNDLE) or pin the certificate directly (PROXIMO_FINGERPRINT) — see Certificate Pinning.

Does it run on a server? Open a port?

No. It runs on your machine, on demand, over stdio — wherever your MCP client lives. No daemon, no listening port. (An optional A2A face exists for agent-to-agent use; it refuses a non-localhost bind without a bearer token.)

Is it production-ready?

It's pre-1.0 and honest about it. The trust spine and core mutate cycle are live-proven against real hardware; breadth is wide but some of the tool surface still runs against mocks for shape. Check the CHANGELOG against the version you installed, start read-only, and — genuinely — try to break it. That's the review the project wants.

How do I report a security issue?

See SECURITY.md. Finding a way past a boundary the docs describe is exactly the kind of feedback that's wanted.

Clone this wiki locally