
AI INFRA ACCESS

Zero-trust command proxy for AI agents accessing production infrastructure.
Read everything. Write nothing... unless authorized.

Works with Claude Code, Codex, Cursor, Devin, Copilot — any agent that speaks kubectl.

Get Started

Install the desktop app or CLI proxy. Reads flow instantly. Writes require your approval.

# Install the CLI proxy via Homebrew
$ brew install leonardaustin/tap/iddio
# Install and start the background daemon
$ iddio install
# Route this shell through the proxy
$ eval "$(iddio shell-init bash)"
# Point agents at the proxy, then review and approve pending write requests
$ iddio approval list
$ iddio approval allow <id>
Set HTTPS_PROXY to the daemon address and any agent started from that environment connects through the proxy with no change to its kubeconfig. Read requests pass through immediately; write requests block until you approve them in the desktop app or with iddio approval allow. Because the routing relies on that environment variable, an agent process that clears HTTPS_PROXY or supplies its own kubeconfig would reach the API server directly, so restrict the agent's direct network path to the cluster as well.

Where Iddio Sits

Iddio is a transparent proxy between your AI agents and your infrastructure. Every command flows through it. Nothing reaches production without classification and policy evaluation.

AI Agents

Claude Code
OpenAI Codex
Cursor AI
Devin
GitHub Copilot
Custom Agents

Iddio Proxy

01 INTERCEPT Capture raw command
02 CLASSIFY Parse API path, assign tier
03 ENFORCE Evaluate against YAML policies
04 ESCALATE Prompt operator if needed
05 EXECUTE Forward to real cluster
06 AUDIT Record to JSON audit log

Infrastructure

Kubernetes Clusters
SSH Hosts (planned)
Terraform State (planned)
AWS / GCP / Azure (planned)

Tiered Access Architecture

Every command is classified in real-time. Read operations flow freely. Write operations require escalation through a structured privilege model based on blast radius and reversibility.

TIER 0 // OBSERVE

Read-only by default. GET, HEAD, and OPTIONS requests pass through without prompting, with one exception: reads of secrets are classified as Tier 2.

kubectl get, kubectl logs, kubectl describe

TIER 1 // MODIFY

Human-in-the-loop approval for standard write operations. POST, PUT, and PATCH requests are escalated to the operator.

kubectl apply, kubectl create, kubectl patch

TIER 2 // SENSITIVE

Irreversible or sensitive operations requiring operator confirmation: DELETE requests and secret reads.

kubectl delete pod, kubectl get secret

TIER 3 // BREAK-GLASS

Highest-risk operations: exec into pods, port-forward, attach, proxy, RBAC mutations, and deleting namespaces. Blocked by default.

kubectl exec, kubectl delete namespace

Policy Engine & Guardrails

Define fine-grained access policies using simple YAML rules. Iddio classifies every request through its tier engine before it reaches your cluster.

# ~/.iddio/policy.yaml
kubectl:
  inspect:
    - "*.eks.amazonaws.com"
    - "*.gke.goog"
  default: escalate

  groups:
    read:
      tiers: [observe]
    mutate:
      tiers: [modify]
    delete:
      tiers: [sensitive]
    admin:
      tiers: [break-glass]
    exec:
      commands: [exec, attach, port-forward]

  namespaces:
    - names: [prod-*, production]
      rules:
        allow:
          groups: [read]
        escalate:
          groups: [mutate, delete, admin]
        deny:
          groups: [exec]
    - names: ["*"]
      rules:
        allow:
          groups: [read]
        escalate:
          groups: [mutate, delete, admin]
        deny:
          groups: [exec]
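The following is an added example, written for this page and not Iddio's own code, that models the intercept, classify, enforce and audit steps of the pipeline against the policy above. It assumes the standard Kubernetes API path shapes (/api/v1/namespaces/{ns}/{resource}/{name}/{subresource} and /apis/{group}/{version}/...), maps the page's four tiers onto HTTP method plus resource, and evaluates the namespace rules with the assumption that the first matching entry wins and deny takes precedence over escalate, which takes precedence over allow. The policy is embedded as a Python dict mirroring the YAML so the example runs without a YAML library; all function names, the sample requests and the precedence rule are assumptions, and the escalate/execute steps (prompting the operator and forwarding to the cluster) are not modelled.

```python
"""Illustrative model of a tiered command proxy for Kubernetes API requests.
Not Iddio's implementation: tier names and policy keys follow the page, the
parsing and precedence rules are assumptions made for this example."""
import fnmatch
import json
from dataclasses import dataclass

OBSERVE, MODIFY, SENSITIVE, BREAK_GLASS = "observe", "modify", "sensitive", "break-glass"
READ_METHODS = {"GET", "HEAD", "OPTIONS"}
WRITE_METHODS = {"POST", "PUT", "PATCH"}
# pod subresources that hand an agent an interactive channel -> break-glass, any method
BREAK_GLASS_SUBRESOURCES = {"exec": "exec", "attach": "attach",
                            "portforward": "port-forward", "proxy": "proxy"}
RBAC_GROUP = "rbac.authorization.k8s.io"

# Mirrors ~/.iddio/policy.yaml from the page (the `kubectl:` section), as a dict.
POLICY = {
    "default": "escalate",
    "groups": {
        "read":   {"tiers": [OBSERVE]},
        "mutate": {"tiers": [MODIFY]},
        "delete": {"tiers": [SENSITIVE]},
        "admin":  {"tiers": [BREAK_GLASS]},
        "exec":   {"commands": ["exec", "attach", "port-forward"]},
    },
    "namespaces": [
        {"names": ["prod-*", "production"],
         "rules": {"allow": {"groups": ["read"]},
                   "escalate": {"groups": ["mutate", "delete", "admin"]},
                   "deny": {"groups": ["exec"]}}},
        {"names": ["*"],
         "rules": {"allow": {"groups": ["read"]},
                   "escalate": {"groups": ["mutate", "delete", "admin"]},
                   "deny": {"groups": ["exec"]}}},
    ],
}


@dataclass
class Request:
    method: str
    path: str
    group: str = ""        # API group ("" for the core /api/v1 group)
    namespace: str = ""    # "" for cluster-scoped resources
    resource: str = ""
    name: str = ""
    subresource: str = ""


def parse(method: str, path: str) -> Request:
    """Step 1: intercept. Split a Kubernetes API path into its addressing parts."""
    parts = [p for p in path.split("?")[0].split("/") if p]
    req = Request(method=method.upper(), path=path)
    if not parts or parts[0] not in ("api", "apis"):
        return req                              # not an API request; classify fails closed
    if parts[0] == "apis" and len(parts) >= 3:
        req.group, rest = parts[1], parts[3:]   # skip "apis", group, version
    else:
        rest = parts[2:]                        # skip "api", "v1"
    # /namespaces/{ns}/{resource}... is namespaced; /namespaces/{name} is the namespace object
    if rest and rest[0] == "namespaces" and len(rest) >= 3:
        req.namespace, rest = rest[1], rest[2:]
    req.resource = rest[0] if rest else ""
    req.name = rest[1] if len(rest) > 1 else ""
    req.subresource = rest[2] if len(rest) > 2 else ""
    return req


def classify(req: Request) -> str:
    """Step 2: assign one of the page's four tiers from method plus resource."""
    if req.subresource in BREAK_GLASS_SUBRESOURCES:
        return BREAK_GLASS                      # exec / attach / portforward / proxy
    if req.group == RBAC_GROUP and req.method not in READ_METHODS:
        return BREAK_GLASS                      # RBAC mutation
    if req.method in READ_METHODS:
        return SENSITIVE if req.resource == "secrets" else OBSERVE
    if req.method in WRITE_METHODS:
        return MODIFY
    if req.method == "DELETE":
        return BREAK_GLASS if req.resource == "namespaces" else SENSITIVE
    return BREAK_GLASS                          # unknown method or path: fail closed


def groups_for(policy: dict, req: Request, tier: str) -> set:
    """Policy groups a request belongs to, matched by tier or by command name."""
    command = BREAK_GLASS_SUBRESOURCES.get(req.subresource, "")
    return {name for name, spec in policy["groups"].items()
            if tier in spec.get("tiers", []) or command in spec.get("commands", [])}


def enforce(policy: dict, req: Request, tier: str) -> str:
    """Step 3: first namespace entry whose glob matches wins; deny > escalate > allow."""
    groups = groups_for(policy, req, tier)
    for entry in policy["namespaces"]:
        if any(fnmatch.fnmatchcase(req.namespace, g) for g in entry["names"]):
            for decision in ("deny", "escalate", "allow"):
                if groups & set(entry["rules"].get(decision, {}).get("groups", [])):
                    return decision
            break
    return policy.get("default", "escalate")


def audit_line(req: Request, tier: str, decision: str) -> str:
    """Step 6: one JSON record per intercepted request."""
    return json.dumps({"method": req.method, "path": req.path, "namespace": req.namespace,
                       "resource": req.resource, "subresource": req.subresource,
                       "tier": tier, "decision": decision}, sort_keys=True)


def decide(method: str, path: str, policy: dict = POLICY) -> tuple:
    """Run intercept -> classify -> enforce and return (tier, decision)."""
    req = parse(method, path)
    tier = classify(req)
    return tier, enforce(policy, req, tier)


# Constructed sample traffic, shaped like what kubectl sends for the page's examples.
SAMPLE_REQUESTS = [
    ("GET", "/api/v1/namespaces/prod-api/pods"),                       # kubectl get pods
    ("GET", "/api/v1/namespaces/prod-api/secrets/db-creds"),           # kubectl get secret
    ("PATCH", "/apis/apps/v1/namespaces/prod-api/deployments/web"),    # kubectl patch
    ("DELETE", "/api/v1/namespaces/prod-api/pods/web-1"),              # kubectl delete pod
    ("POST", "/api/v1/namespaces/prod-api/pods/web-1/exec?command=sh"),  # kubectl exec
    ("DELETE", "/api/v1/namespaces/staging"),                          # kubectl delete namespace
    ("POST", "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings"),  # RBAC mutation
]

if __name__ == "__main__":
    for method, path in SAMPLE_REQUESTS:
        req = parse(method, path)
        tier = classify(req)
        print(audit_line(req, tier, enforce(POLICY, req, tier)))
```

Two things the run makes visible that the YAML alone does not: the page's policy names the sensitive-tier group delete, so a secret read lands in that group and is escalated rather than allowed; and only the exec group is denied, so a namespace deletion or an RBAC change (both break-glass) is escalated under this policy rather than blocked, and a deployment that wants them refused outright needs admin added to the deny list.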
LET AI AGENTS IN. SAFELY.

Your AI agents need infrastructure access to be useful. Iddio makes that access auditable, revocable, and safe by default.

Open-source core. Self-hosted on your infrastructure. Deploy as a single binary in minutes.