Protocol // ZERO_TRUST  PROXY_ACTIVE

AI INFRA ACCESS

Zero-trust command proxy for AI agents accessing production infrastructure.
Read everything. Write nothing... unless authorized.

Works with Claude Code, Codex, Cursor, Devin, Copilot — any agent that speaks kubectl.

Get Started

Install the desktop app or CLI proxy. Reads flow instantly. Writes require your approval.

terminal
# Install the CLI proxy via Homebrew
$ brew install leonardaustin/tap/iddio
# Initialize iddio in ~/.iddio/
$ iddio init --kubeconfig ~/.kube/config
# Create an agent identity with a scoped kubeconfig
$ iddio agent add claude-code
# Start the proxy — approve writes in this terminal
$ iddio start
Point your agent's KUBECONFIG at ~/.iddio/agents/claude-code/kubeconfig and it connects through the proxy. The agent sees a normal cluster. Iddio classifies every request.

Where Iddio Sits

Iddio is a transparent proxy between your AI agents and your infrastructure. Every command flows through it. Nothing reaches production without classification and policy evaluation.

AI Agents: Claude Code, OpenAI Codex, Cursor AI, Devin, GitHub Copilot, Custom Agents

Iddio Proxy:
01 INTERCEPT  capture the raw command
02 CLASSIFY   parse the API path, assign a tier
03 ENFORCE    evaluate against YAML policies
04 ESCALATE   prompt the operator if needed
05 EXECUTE    forward to the real cluster
06 AUDIT      record to the JSON audit log

Infrastructure: Kubernetes Clusters; SSH Hosts (planned); Terraform State (planned); AWS / GCP / Azure (planned)

Tiered Access Architecture

Every command is classified in real time. Read operations flow freely. Write operations require escalation through a structured privilege model based on blast radius and reversibility.

ACCESS // 0x000

TIER 0 // OBSERVE

Read-only by default. All GET, HEAD, and OPTIONS requests pass straight through with no approval stop.

kubectl get, kubectl logs, kubectl describe

ACCESS // 0x001

TIER 1 // OPERATE

Pre-approved runbooks for common operations. Scale deployments, restart pods via sanctioned playbooks.

kubectl scale, kubectl rollout restart (with runbooks)

ACCESS // 0x010

TIER 2 // MODIFY

Human-in-the-loop approval for standard write operations. POST, PUT, and PATCH requests are escalated.

kubectl apply, kubectl create, kubectl patch

ACCESS // 0x011

TIER 3 // SENSITIVE

Irreversible or sensitive operations requiring quick operator confirmation. All DELETE requests and secret reads.

kubectl delete pod, kubectl get secret

ACCESS // 0x100

TIER 4 // BREAK-GLASS

Highest-risk operations: exec into pods, port-forward, attach, proxy, and RBAC mutations. Blocked by default.

kubectl exec, kubectl delete namespace

Policy Engine & Guardrails

Define fine-grained access policies using simple YAML rules. Iddio classifies every request through its tier engine before it reaches your cluster.

// IDDIO_POLICY.YAML
# ~/.iddio/policy.yaml
runbooks:
  restart-deploy:
    operations:
      - methods: [PATCH]
        resources: [deployments]

agents:
  claude-code:
    rules:
      - namespaces: ["payments", "api-gateway"]
        runbooks: [restart-deploy]
        tiers:
          0: allow           # OBSERVE
          1: allow           # OPERATE
          2: escalate        # MODIFY
          3: escalate        # SENSITIVE
          4: deny            # BREAK-GLASS
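
As an added example (not Iddio's own code, and not shown on the page), the following Python stand-in demonstrates stages 02, 03 and 06 of the pipeline and the tier table above: it parses a Kubernetes API path, assigns the tier the table describes, evaluates the request against the policy.yaml above (transcribed as a dict), and emits one JSON audit line. Assumptions that go beyond the page: a rule covers cluster-scoped requests only if it lists "*" under namespaces; writes to secrets are treated as Tier 3 like secret reads; a missing agent, an unlisted tier, an unparseable path or an uncovered namespace is denied. The request paths and the agent name are constructed for the example.

```python
# Added example, not Iddio's own code: a stand-in classifier and policy evaluator
# modelled on the page's five tiers and its policy.yaml. Paths below are constructed.
import json
from dataclasses import dataclass, asdict
from typing import Optional, Tuple

READ_METHODS = {"GET", "HEAD", "OPTIONS"}
WRITE_METHODS = {"POST", "PUT", "PATCH"}
BREAK_GLASS_SUBRESOURCES = {"exec", "attach", "portforward", "proxy"}
RBAC_GROUP = "rbac.authorization.k8s.io"

# The page's policy.yaml transcribed as a dict (assumption: this is what the YAML parses to).
POLICY = {
    "runbooks": {"restart-deploy": {"operations": [{"methods": ["PATCH"], "resources": ["deployments"]}]}},
    "agents": {"claude-code": {"rules": [{
        "namespaces": ["payments", "api-gateway"],
        "runbooks": ["restart-deploy"],
        "tiers": {0: "allow", 1: "allow", 2: "escalate", 3: "escalate", 4: "deny"},
    }]}},
}

@dataclass
class Request:
    method: str
    group: str
    namespace: Optional[str]
    resource: Optional[str]
    name: Optional[str]
    subresource: Optional[str]

@dataclass
class Decision:
    action: str  # allow | escalate | deny
    tier: int
    reason: str

def parse_request(method: str, path: str) -> Request:
    """Stage 02, first half: split a Kubernetes API path into group/namespace/resource."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if len(parts) >= 2 and parts[0] == "api":      # core group: /api/v1/...
        group, rest = "", parts[2:]
    elif len(parts) >= 3 and parts[0] == "apis":   # named group: /apis/<group>/<version>/...
        group, rest = parts[1], parts[3:]
    else:
        raise ValueError(f"not a Kubernetes resource path: {path}")
    namespace = None
    if len(rest) >= 3 and rest[0] == "namespaces":  # namespaced; a bare /namespaces/<ns> is
        namespace, rest = rest[1], rest[2:]         # the namespace object itself (cluster-scoped)
    resource, name, sub = (rest + [None, None, None])[:3]
    return Request(method.upper(), group, namespace, resource, name, sub)

def classify(req: Request, runbooks: dict) -> Tuple[int, Optional[str]]:
    """Stage 02, second half: assign the page's tier; also report a matching runbook name."""
    if req.subresource in BREAK_GLASS_SUBRESOURCES:                 # exec/attach/port-forward/proxy
        return 4, None
    if req.group == RBAC_GROUP and req.method not in READ_METHODS:  # RBAC mutation
        return 4, None
    if req.method == "DELETE" and req.resource == "namespaces":     # the page's "delete namespace" example
        return 4, None
    if req.resource == "secrets":  # page: secret reads are Tier 3; assumption: secret writes at least Tier 3
        return 3, None
    if req.method in READ_METHODS:
        return 0, None
    if req.method == "DELETE":
        return 3, None
    if req.method in WRITE_METHODS:
        for rb_name, rb in runbooks.items():  # base Tier 2; the agent's rule may lift it to Tier 1
            for op in rb.get("operations", []):
                if req.method in op.get("methods", []) and req.resource in op.get("resources", []):
                    return 2, rb_name
        return 2, None
    return 4, None                                                  # unknown verb: fail closed

def evaluate(policy: dict, agent: str, method: str, path: str) -> Decision:
    """Stage 03: apply the agent's rules to the classified request; the default is deny."""
    try:
        req = parse_request(method, path)
    except ValueError as exc:
        return Decision("deny", 4, str(exc))
    agent_cfg = policy.get("agents", {}).get(agent)
    if agent_cfg is None:
        return Decision("deny", 4, f"no policy for agent {agent!r}")
    tier, runbook = classify(req, policy.get("runbooks", {}))
    for rule in agent_cfg.get("rules", []):
        scopes = rule.get("namespaces", [])
        if "*" not in scopes and req.namespace not in scopes:  # assumption: "*" also covers cluster scope
            continue
        if runbook and runbook in rule.get("runbooks", []):
            tier = 1                                          # sanctioned runbook: OPERATE
        action = rule.get("tiers", {}).get(tier, "deny")      # tier missing from the rule: deny
        return Decision(action, tier, f"namespaces={scopes} tier={tier} -> {action}")
    return Decision("deny", tier, "no rule covers this namespace; default deny")

def audit_record(agent: str, method: str, path: str, decision: Decision) -> str:
    """Stage 06: one JSON line per request for the audit log."""
    return json.dumps({"agent": agent, "method": method, "path": path, **asdict(decision)}, sort_keys=True)

if __name__ == "__main__":
    for method, path in [("GET", "/api/v1/namespaces/payments/pods/web-0/log"),
                         ("POST", "/api/v1/namespaces/payments/pods/web-0/exec")]:
        print(audit_record("claude-code", method, path, evaluate(POLICY, "claude-code", method, path)))
```

The ordering inside classify is the security-relevant part: the break-glass checks run before the method checks, so a POST to the exec subresource lands in Tier 4 rather than Tier 2, and a runbook can only lift a request from Tier 2 to Tier 1 when the agent's rule grants that runbook. Every unmatched case (unknown agent, unparseable path, namespace outside the rule, tier missing from the rule) resolves to deny, which is what "safe by default" has to mean for a proxy that sits in front of production.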

SECURE

LET AI AGENTS IN. SAFELY.

Your AI agents need infrastructure access to be useful. Iddio makes that access auditable, revocable, and safe by default.

Open-source core. Self-hosted on your infrastructure. Deploy as a single binary in minutes.