-
Notifications
You must be signed in to change notification settings - Fork 1
FAQ
Yes. That's the assumption Proximo is built on. It doesn't ask you to trust the agent — it assumes the agent is careless, hijacked, or wrong, and puts the floor somewhere the agent can't reach: your Proxmox RBAC token, enforced by Proxmox server-side, not by Proximo's own code. Point it at a read-only token and it physically cannot mutate a thing, no matter how the model behaves or who's driving. Above that floor, every change is planned, recorded, and reversible where Proxmox allows. Not because the AI earned trust — because it never gets any. See The Trust Spine.
No, and it says so everywhere. It's defense in depth for AI-driven infra ops. Risk ratings
are advisory heuristics — LOW means "no state change," not "safe." The real containment is
the token's ACL plus a deployment shape that puts the opt-in gates' state outside the agent's
reach. See Security Model.
Most give you an API wrapper and lean on token scoping plus client-side prompts. Proximo's bet is trust by construction — every mutation carries a plan, a tamper-evident record, and an auto-snapshot (where Proxmox supports one), in-band and fail-closed by default — across the governance plane (firewall, SDN, ACLs, roles, realms, PBS) that most servers keep off the agent surface. It's honest about what it isn't: not first, not the most tools, not the only one with a trust story.
No. Start read-only — that's the recommended path, and proximo doctor verifies exactly what
a token can and can't do before any AI sees it. Grant scoped write only when you're ready, and
only to the surface you mean to hand over. See Quickstart.
Never. Proximo refuses to send a token over an unverified channel anyway. Either point at the
cluster CA (PROXIMO_CA_BUNDLE) or pin the certificate directly
(PROXIMO_FINGERPRINT) — see Certificate Pinning.
No. It runs on your machine, on demand, over stdio — wherever your MCP client lives. No daemon, no listening port. (An optional A2A face exists for agent-to-agent use; it refuses a non-localhost bind without a bearer token.)
It's pre-1.0 and honest about it. The trust spine and core mutate cycle are live-proven against real hardware; breadth is wide but some of the tool surface still runs against mocks for shape. Check the CHANGELOG against the version you installed, start read-only, and — genuinely — try to break it. That's the review the project wants.
See SECURITY.md. Finding a
way past a boundary the docs describe is exactly the kind of feedback that's wanted.
Getting started
How it works
More