Roadmap
What's built, what's next, and where we need help
Status: ✅ Live · 🔨 In Progress · 📋 Planned · ⚠️ Deprecated
Broker Endpoints
| Endpoint | Status | Purpose |
|---|---|---|
| POST /secrets/get | ✅ | Fetch a secret value |
| POST /secrets/list | ✅ | List available secret names |
| POST /proxy/request | ✅ | Generic proxied HTTP with credential injection |
| POST /api/s3/presign | 🔨 | Generate presigned S3 URLs (no keys on disk) |
| ALL /api/openai/* | ✅ | Passthrough proxy to OpenAI |
| ALL /api/anthropic/* | ✅ | Passthrough proxy to Anthropic |
| ALL /api/github/* | ✅ | Passthrough proxy to GitHub |
| ALL /api/notion/* | ✅ | Passthrough proxy to Notion |
| ALL /api/gemini/* | ✅ | Passthrough proxy to Gemini |
| ALL /api/cloudflare/* | ✅ | Passthrough proxy to Cloudflare |
| ALL /api/brave/* | ✅ | Passthrough proxy to Brave |
| ALL /api/aws/s3/* | ✅ | S3 passthrough with SigV4 signing |
seksh Commands
| Command | Status | Purpose |
|---|---|---|
| seksh-http | ✅ | HTTP requests with secret injection |
| seksh-git | ✅ | Git operations with token injection |
| listseks | ✅ | List available secrets |
| getseks | ⚠️ | Raw secret fetch (security risk) |
Escape Hatches
Tools where agents currently use getseks or bare keys; each is a candidate for a proper wrapped command.
| Tool | Current Method | What We Need |
|---|---|---|
| flyctl | getseks → env var | seksh-fly or /api/fly/* |
| aws CLI | Not yet used | seksh-aws wrapped command |
| gh CLI | getseks or local PAT | seksh-gh wrapper |
| Gmail OAuth | Tokens in broker | OAuth token refresh flow |
| wrangler | Local auth | seksh-wrangler or passthrough |
Planned Work
P0
- Tests for S3 presign endpoint: SigV4 is fiddly, needs test coverage
- Merge s3-presign branch: Deploy once tests pass
- Scoped secret stores: Global + per-agent (eliminates AEONBYTE_ prefix hack)
P1
- seksh-fly: Wrapped command for flyctl operations
- seksh-aws: AWS CLI with credential injection
- /api/fly/* passthrough: Fly Machines API proxy in broker
P2
- seksh-gh: GitHub CLI wrapper
- seksh-wrangler: Cloudflare Wrangler CLI wrapper
- OAuth token refresh: Broker-managed OAuth flows
- Secret rotation API: Rotate keys without touching agent configs
P3
- Audit dashboard: View broker logs (which agent used which secret)
- Rate limiting: Per-agent, per-secret rate limits
- Secret expiry: Auto-rotate or alert on aging credentials
Design Principle
If an agent needs a credential, it should go through the broker.
Every getseks call is technical debt. Every bare key on disk is a security gap. The goal is zero escape hatches: every tool we use has either a wrapped command or a broker passthrough.