Early beta · CommercialMCP-native

One control plane
for tools, sandboxes, and host operations.

infrastrActure is the open-source DevOps control plane for AI agents. Run an MCP marketplace of tools, spin up isolated sandboxes per user, and operate your fleet over SSH — all from a single signed surface that any LLM client can talk to.

Self-host on GitHub →Join the early beta
Aeromech IndustriesShips with Gaia, the operator agentShips with Gaia, the operator agent
GET /api/integrations/client?instanceId=acme-prod&client=claude
Authorization: Bearer mcp_sk_live_…

{
  "mcpServers": {
    "github":      { "type": "streamable", "url": "https://mcp.acme.io/u/42/github"  },
    "browser-use": { "type": "streamable", "url": "https://mcp.acme.io/u/42/browser" },
    "infra-ssh":   { "type": "streamable", "url": "https://mcp.acme.io/shared/ssh"   }
  }
}
Primitives

Three things, well-shaped, instead of a hundred half-shaped ones.

Tools. Sandboxes. Host operations. Each is a clean control-plane primitive with the same lifecycle, identity, and audit semantics.

An MCP marketplace your agents can subscribe to.

Containerised tools, served over MCP, behind one signed URL per user. A marketplace UI lets users add what they need; the control plane handles install, lifecycle, OAuth callbacks, and rotation.

  • GitHub, Google Workspace, Tavily, Notion, browser-use, code-runner, …
  • One install per user — config persisted, container reused, OAuth bound to identity.
  • Tier-gated at the catalog: API keys see only the tools their tier permits.
  • Webhook deltas: installation_created / _updated / _deleted, signed.
Live config

Config that pushes, instead of config you redeploy.

Tool installations, sandbox lifecycle, host changes — all surface as signed webhook deltas. Your client app subscribes once and stays in sync.

Without infrastrActure
  • · Hand-roll a Docker image per integration.
  • · Provision OAuth credentials per user, by hand.
  • · Track which tool is which user’s in your own DB.
  • · Redeploy your client every time the catalog changes.
  • · Page yourself when a sandbox container leaks memory.
With infrastrActure
  • · One API: GET /api/integrations/client returns every tool a user has, signed.
  • · Marketplace handles install, OAuth, container lifecycle, rotation.
  • · Webhook deltas push config changes to your client in real time.
  • · Tier model gates the catalog at the API key — DB-level, not app-side.
  • · Gaia tends sandbox lifecycle, host audits, and incident triage.
your-client/server/webhooks.ts
// Listen for config deltas — your client picks them up live.
app.post("/webhooks/infrastracture", verifySig, (req, res) => {
  const { event, data } = req.body;
  switch (event) {
    case "installation_created":
    case "installation_updated":
      mcpClient.addServer(data.user_id, data.tool, data.url);
      break;
    case "installation_deleted":
      mcpClient.removeServer(data.user_id, data.tool);
      break;
  }
  res.sendStatus(200);
});
Onboarding

Find. Configure. Run. Connect.

The path from ‘I want this tool’ to ‘my agent is using it’ should not require a Helm chart.

01
Find

Browse the marketplace — GitHub, Google, Tavily, browser-use, code-runner, your own image.

02
Configure

Set env, OAuth, scopes. Per-user. Persisted. Rotatable.

03
Run

Container starts on demand. The control plane manages lifecycle, logs, health.

04
Connect

One signed MCP URL is delivered to your client. Webhook deltas keep it live.

Tiers

One key. Two surfaces. Same call.

The tier of your API key decides what the catalog returns. Filtering happens at the database, not in your app — there is no ‘forgot to check the role’ failure mode.

standard tierend-user / app-bound key
[
  { "name": "github" },
  { "name": "browser-use" },
  { "name": "tavily" }
]
admin tieroperator / Gaia / DevOps key
[
  { "name": "github" },
  { "name": "browser-use" },
  { "name": "tavily" },
  { "name": "infra-ssh" },
  { "name": "infra-terminal" },
  { "name": "infra-logs" }
]

Implementation: toolRegistryService.listTools(filter, keyTier) — SQL WHERE tier = $1.

Ships with the plane.

Meet Gaia. The system that tends the system.

Gaia is the operator agent that ships with infrastrActure. She knows every primitive — installations, sandboxes, hosts — and uses them to keep your fleet healthy. She is not a chat toy. She is a steward.

Operate

Diagnose container, sandbox, and host issues using the same MCP tools your users have. Trace, decide, act.

Onboard

Walk a new tool installation through the marketplace. Configure scopes, mint keys, hand a working URL back.

Tend

Watch lifecycle events. Reap stale sandboxes. Roll OAuth tokens. Surface incidents before they page anyone.

Sample exchange
userWe've got two browser-use sandboxes pinned at 100% CPU on host-3.
gaiaConfirmed via infra-logs.tail. Both belong to user_88's automation runs. Pausing the runs and snapshotting one for diff. I'll spawn a replacement on host-1 (lower load) once cleared.
userApprove.
gaiaApproval leased. infra-ssh.exec ran the snapshot. Replacement sandbox is up. Webhook sandbox_started fired to your client. Audit row written. Anything else to tend?

“This prompt can go stale. The tools can’t.”

Gaia’s system prompt is versioned. Her capabilities aren’t — they come from the same MCP catalog your users see. Swap her brain. The hands stay calibrated.

MCP surface · 35 tools

One MCP server. Nine families. Every primitive, addressable.

Whatever your agent client is, it speaks to infrastrActure the same way: as an MCP server. Operators get the full set; standard keys get a curated subset.

containers3
  • containers.list
  • containers.start
  • containers.stop
infra-logs2
  • infra-logs.tail
  • infra-logs.search
infra-ssh14
  • ssh.hosts.list
  • ssh.actions.list
  • ssh.exec
  • ssh.session.open
  • ssh.session.close
  • ssh.session.list
  • + 8 more
infra-terminal5
  • terminal.open
  • terminal.exec
  • terminal.read
  • terminal.close
  • terminal.list
installations3
  • installations.list
  • installations.create
  • installations.delete
marketplace2
  • marketplace.list
  • marketplace.tool.detail
sandboxes4
  • sandboxes.list
  • sandboxes.start
  • sandboxes.stop
  • sandboxes.destroy
service1
  • service.health
shared1
  • shared.tools.list
When to use it

Where infrastrActure sits in the stack.

Honest about what we are — and aren't.

Raw Docker / Compose
You wire identity, OAuth, lifecycle, and audit yourself.
infrastrActure does that — and exposes the result as MCP.
Helm / k8s operators
Powerful, but optimised for cluster ops, not per-user agent tooling.
infrastrActure is built around the per-user agent surface from day one.
Smithery / hosted MCP
Hosted catalogs, multi-tenant, no host-side ops.
Self-host, per-tenant identity, full host operations included.
E2B / hosted sandboxes
Sandbox runtime as a service.
Sandboxes are one of three primitives — colocated with tools and hosts.
Teleport / bastion hosts
Human-first SSH; LLM clients aren't first-class.
SSH-as-MCP — every action is an addressable, audited tool.
Trust & isolation

Built so a single rogue agent can’t become an incident.

The control plane is opinionated about identity, lifecycle, and audit. These are not features you opt into.

Instance binding

Each deployment carries a unique instance ID. API keys are minted against that instance — keys from one deployment do not authenticate against another.

Container provenance

Every container started by the control plane is labelled with the user, tool, and tier that requested it. Reaping is identity-aware; nothing is reaped by name alone.

Approval leases

High-impact host actions (SSH exec, destroy, role-change) require a leased approval. Leases expire. Audit rows record requester, approver, and lease window.

Signed webhooks

All deltas are HMAC-signed with WEBHOOK_CLIENT_SECRET (falls back to your admin tier API key secret if unset). Replay window is enforced.

Tier-gated catalog

Tier filtering is wire-level: SQL WHERE clause in toolRegistryService.listTools. There is no app-side ‘forgot to check role’ bug to write.

Audit by default

Sessions, sandbox lifecycle, host actions and approvals all write append-only rows. Gaia (and you) read them through MCP — same surface, same identity model.

Stack

A boring, durable foundation under a new shape.

No magic. TypeScript, Node, Postgres, Docker. The interesting work happens at the control-plane layer.

TYTypeScriptNONode 20EXExpress 5POPostgres 16DODockerAnthropicMCP SDKZOZod 4MIMinIOPIPinoSWSwaggerGIWebhooksTYTypeScriptNONode 20EXExpress 5POPostgres 16DODockerAnthropicMCP SDKZOZod 4MIMinIOPIPinoSWSwaggerGIWebhooks

Run it yourself.
Or have us run it with you.

Self-hosting is a one-line Docker pull and a Postgres URL. Want a sharper path — bring a use case, and we’ll plumb the first tool, sandbox, and host wired up for you.

Self-host on GitHub →Request early access
Early beta · Waitlist

Have us run it with you.

Self-hosting from GitHub is always free. If you’d rather not, we onboard early-beta teams hands-on — bring a use case and we’ll plumb the first tool, sandbox, and host wired up for you.

We only use this to invite you to the beta.