MXE
MXE Command Center dashboard
v — Agent Integration

Agentic Command Center

Orchestrate remote servers with cryptographic authority. Ed25519-signed command execution, Rust edge workers, real-time telemetry, and AI-powered triage — from a single desktop pane.

Download Hub Install Guide Architecture
128
Tests
28
Blocked Patterns
8
Secret Scrub Rules
15s
Exec Timeout
Ed25519
Signing

Capabilities

Security-first remote orchestration for operators who don't compromise.

Ed25519 Signed Commands

Every Hub→Satellite command is cryptographically signed with NaCl crypto_sign. Verify before execute — no trust assumptions.

Rust Satellites

Memory-safe edge workers: 28-pattern blocklist, 15s timeout, 1GB memory limit, rate limiting, OOM-proof frame caps.

7-Tab Server Modal

Deep server inspection: Overview, Repos, Services, Processes, AI Tools, Health, and Agents — all in one tabbed interface.

CPU Sparklines

Real-time CPU history rendered as sparkline charts on every server card. Live stats updated every 30 seconds with color-coded warnings.

Ghost Caching

Staleness badges show data freshness at a glance. Background refresh keeps the UI instant while discovery data stays current.

Health Checklist

Automated health monitoring: disk usage, system load, memory pressure, and zombie process detection with pass/fail indicators.

Agent Integration

Spawn Claude Code agents directly into remote repositories from the dashboard. AI-assisted development with full portal security.

Commander Chat

Conversational LLM with markdown rendering, command history, and ReAct tool-calling loop. Chains up to 5 command iterations.

Safety Toggle

Triage fix suggestions require explicit confirmation before execution. Toggle between assisted and hands-free modes per server.

Portal CRUD

Full connection management: edit, remove, or copy host:port for saved portals. Encrypted credential storage with zero-config resumption.

Repo Pinning

Pin important repositories to the dashboard for quick access. Pinned repos surface above the fold with at-a-glance status.

Secret Vault

Encrypted Hub storage. In-memory Satellite vault. API keys never leave the main process. Never persisted to disk remotely.

MXE — Matrix Execution Engine

Meet the Agents

MXE's architecture is modeled after an adventuring party. Each component has a distinct role:

  • The Hub — Your command center. Holds the keys, makes the calls, sees everything.
  • The Satellite — Your edge warrior. Memory-safe Rust, deployed to the front lines.
  • The Commander — Your strategist. AI-powered, delegates tasks, chains operations.
  • The Portal — Your secure channel. Ed25519-signed, rate-limited, keepalive-monitored.
Get Started

Architecture

Three components cooperate through a cryptographically authenticated WebSocket protocol.

System Topology

graph TB subgraph Hub["Hub (Electron Desktop)"] Renderer["React Renderer
Dashboard · Logs · Triage · Commander"] Main["Main Process
Encrypted Store · API Keys · IPC"] Renderer -- "contextBridge IPC" --> Main end subgraph VPS1["VPS 1 (Production)"] Sat1["Satellite (Rust) :9077"] Commander["Commander (Claude CLI)"] end subgraph VPS2["VPS 2 (Staging)"] Sat2["Satellite (Rust) :9077"] end Main -- "WSS Portal / Ed25519 Signed" --> Sat1 Main -- "WSS Portal / Ed25519 Signed" --> Sat2 Commander -. "orchestrates via Hub" .-> Sat1 Sat1 -- "Stats + Logs (30s)" --> Main Sat2 -- "Stats + Logs (30s)" --> Main Sat1 -. "Mesh Route via Hub" .-> Sat2

Ed25519 Pairing Handshake

sequenceDiagram participant H as Hub participant S as Satellite Note over S: Generate keypair + 6-digit code H->>S: WebSocket connect H->>S: mxe.pair { code, hubPubKey } alt Invalid Code S-->>H: error else Valid Note over S: Store Hub key S-->>H: { satPubKey, token, signature } Note over H: Verify + store + PAIRED loop Every 30s S-->>H: mxe.stats { cpu, mem } end end

Signed Command Execution

sequenceDiagram participant H as Hub participant S as Satellite H->>H: Ed25519 sign command H->>S: { signed: { payload, pubKey } } S->>S: Verify sender key S->>S: crypto_sign_open S->>S: Blocklist check (28 patterns) alt Blocked S-->>H: error: security policy else Safe S->>S: Execute (15s timeout) S-->>H: { output, exit_code } end

AI Triage Pipeline

flowchart LR A["Critical Log"] --> B["Secret Scrubber
(8 patterns)"] B --> C["LLM API"] C --> D{"Human
Needed?"} D -->|Yes| E["Suggestion + Fix Button"] D -->|No| F["Auto-Resolve"] E --> G["Signed Command → Satellite"] G --> H["Blocklist → Execute"]
Satellite workshop — building and deploying

Built to Deploy

The Satellite is a single Rust binary. No runtime dependencies, no containers, no configuration files. Upload it, launch it, pair it.

  • One-click deploy from the GUI with real-time SSH log streaming
  • Auto-pairing captures the 6-digit code and connects automatically
  • systemd-ready with security hardening built into the service unit
  • OTA updates push new binaries over the Portal — no SSH needed
Deploy Guide

Security Model

Defense-in-depth across every layer.

Cryptographic Auth

  • Ed25519 keypair pairing with 6-digit OOB code
  • NaCl crypto_sign combined mode on every command
  • Reject unsigned commands and unknown public keys
  • TweetNaCl (JS) + ed25519-dalek (Rust)

Execution Sandbox

  • 28-pattern command blocklist (case-insensitive)
  • 15-second timeout with SIGKILL on expiry
  • 1 GB memory limit per child process
  • ulimit + timeout OS-level enforcement

Secret Isolation

  • API keys encrypted in main process, never in renderer
  • 8 regex patterns scrub secrets before LLM submission
  • In-memory vault — never persisted to disk
  • DEFCON 1 clears all vaults fleet-wide

Platform Hardening

  • nodeIntegration: false, contextIsolation: true
  • Strict CSP: script-src 'self'
  • systemd: NoNewPrivileges, ProtectSystem=strict
  • 20 msg/sec rate limit, 5MB/1MB size caps
LayerProtectionEnforcement
TransportWebSocket size limits5MB message, 1MB frame
Rate LimitToken bucket20 msg/sec, disconnect on exceed
AuthenticationEd25519 signatureEvery command verified
AuthorizationSingle Hub bindingOnly paired key accepted
Blocklist28 destructive patternsCase-insensitive, pre-execution
TimeoutExecution sandbox15s + SIGKILL + 1GB ulimit
IsolationElectron + systemdContext isolation, privilege drop
Memory SafetyRust (Satellite)Zero buffer overflows by design

Blocked Command Patterns

rm -rf /
mkfs
dd if=
chmod 777 -R /
wget | sh
curl | bash
DROP TABLE
:(){ :|:& };:
shutdown
reboot
/dev/sda
mv /

+ 16 additional patterns: TRUNCATE, init 0/6, halt, poweroff, chown -R nobody, format c:, and more

AI That Knows Its Limits

The triage system is powerful but constrained. Every recommendation passes through multiple safety layers before it can affect your servers.

  • Secret scrubbing — 8 regex patterns strip API keys, tokens, and private keys before any data reaches the LLM
  • Blocklist backstop — Even if the AI suggests rm -rf /, the Satellite's 28-pattern blocklist catches it
  • Human approval — Critical findings require a manual click to execute
  • Depth limiter — Autonomous command loops capped at 5 iterations
AI triage — the analytical eye

How It Works

From install to full orchestration in under five minutes.

1

Install the Hub

Download the Electron app. Hardened shell: nodeIntegration: false, strict CSP. API keys encrypted in main process.

2

Deploy a Satellite

Click Slide Satellite, enter SSH details. MXE compiles Rust binary, uploads via SCP, launches with nohup, captures pairing code.

3

Cryptographic Pairing

Exchange Ed25519 public keys over WebSocket. Satellite signs proof with NaCl. Hub verifies. Trust is mutual and mathematical.

4

Live Telemetry & Commands

CPU/MEM/Disk stats every 30s. Discover repos, services, and processes. Dispatch signed commands with blocklist-checked, timeout-enforced, real-time results.

5

AI Triage & Commander

Critical logs auto-intercepted, scrubbed, LLM-evaluated. Commander Chat delegates bash commands to Satellites with tool calling.

6

Resilient by Design

Exponential backoff (1s→30s cap). Keepalive heartbeat. Crash telemetry. systemd hardening. OTA updates. DEFCON 1 kill switch.

Full Install Tutorial
The architect — planning the future

What's Next?

MXE is just getting started. Here's where we're headed.

Roadmap

The path from MVP to General Availability.

v0.1.2

MVP Release

  • Ed25519 signed execution
  • Rust Satellites + blocklist
  • Real-time telemetry
  • AI triage + Commander Chat
  • One-click deploy
  • DEFCON 1 kill switch
v0.2.0

Server Intelligence

  • CPU/MEM/Disk telemetry
  • Git repo discovery & deep scan
  • Service & process management
  • AI tool detection
  • Log viewer with live tail
  • Markdown file browser
  • Toast notifications
v0.3.0 — Current

Agent Integration

  • 7-tab server detail modal
  • CPU sparkline history
  • Ghost caching + staleness badges
  • Health checklist (disk/load/mem/zombies)
  • Spawn AI agents into remote repos
  • Safety toggle for triage fixes
  • Portal CRUD (edit/remove/copy)
  • Repo pinning to dashboard
v0.4.0 — Next

Hardened Transport

  • TLS/WSS enforcement
  • Persistent audit log
  • Encryption key rotation
  • Multi-operator RBAC
  • Connection health graphs
v0.5.0

Advanced AI

  • Scheduled task dispatch
  • Reusable playbooks
  • Proactive anomaly detection
  • Persistent Commander memory
v1.0.0

General Availability

  • macOS + ARM builds
  • Security audit
  • Stable protocol
  • Webhooks + REST API
  • Plugin system
MXE characters — the full team

Built for Operators

MXE is built with security and reliability as first principles. Every feature is tested, every command is signed, every action is auditable.

  • 128 tests across JavaScript and Rust stacks
  • GitHub Actions CI runs on every push
  • Full docs — architecture, protocol spec, security whitepaper
  • Contact us at mxe@gamingworld.uk

Downloads

Beta builds. Auto-updater checks on every launch.

MXE Hub (Windows)

Electron desktop app

Download .exe
x64 · Windows 10+ · Unsigned (click through SmartScreen)

MXE Hub (Linux)

AppImage — no install needed

Download AppImage
x64 · glibc 2.31+

Satellite Binary

Rust edge worker for VPS

Download Binary
x64 · Linux · ~8 MB

All releases on GitHub

MXE Rainbow Logo

Matrix eXecution Engine — Orchestrate with authority.