Zero-credential • Agent-first • TLS 1.3

Zero-credential control plane for hybrid infrastructure. No passwords. Just signed commands.

Built for platform, infrastructure, SRE, and MSP teams that need deterministic control without shared SSH/RDP secrets. Credential theft → lateral movement → domain takeover ends when agents authenticate outbound, commands arrive in signed envelopes, and every action lands in a unified audit log.

Prefer automation? The same actions are available via CLI and REST API with signed envelopes.

Zero credentials stored
Outbound-only agents
Unified audit chain

Command Envelope

restart-service

Signed

tenant: acme-prod

targets: web-01, web-02, web-03

signature: SHA256 9c1b...a4

Policy checks

  • ✔ Agent identity validated
  • ✔ Command approved (Operator role)
  • ✔ Audit stream armed

Live Telemetry

CPU 32% (+2%) · Memory 58% (-5%) · Latency 14 ms (-1 ms)

Problem Space

Why credential-based operations fail

Modern platforms mix on-prem, cloud, and MSP workloads. Credential theft → lateral movement → domain takeover remains the most common breach chain.

01 Credential Sprawl

Shared SSH keys, RDP accounts, and leaked CI secrets give attackers lateral movement across every Windows or Linux node.

Typical estates juggle 40+ shared accounts and dozens of forgotten secrets.

02 Inbound Exposure

Open ports, VPN tunnels, and bastion hosts stay visible to the internet, inviting brute-force and token replay attacks.

Zero-change firewall posture is now a hard requirement for hybrid platforms.

03 Untracked Scripts

Ad-hoc PowerShell or Bash automations run outside policy, with no unified audit trail or command provenance.

Runner compromise still maps directly to domain takeover in legacy workflows.

04 Missing Audit Chain

Most teams cannot answer who restarted IIS at 03:21 because logs are missing or scattered across tools.

Compliance teams now expect append-only evidence with correlation IDs.

Zero-Credential Model

Outbound-only agents, signed envelopes, unified audit

Control plane identities replace credentials. Commands are signed, verified by the intended agent, executed with least privilege, and logged end-to-end.

Zero Credentials Stored

No SSH keys, RDP passwords, or vault secrets live inside the control plane. Every server trusts its own agent identity.

Signed Command Envelopes

Commands leave the control plane in cryptographically signed envelopes with nonce, TTL, and role authorization metadata.

Outbound-Only Agents

Agents open outbound TLS 1.3 sessions only. No inbound firewall rules, bastions, or VPN tunnels are needed.

Multi-Factor Authentication

TOTP-based MFA for user accounts adds an extra layer of security. Set up, verify, and manage it directly from the dashboard.

How we differ

Zero-credential by design, not by configuration

Traditional tools rely on stored credentials or inbound reachability. AxiNode removes both by binding trust to outbound agents and signed commands.

CI/CD Runners

Runners carry secrets and can SSH/RDP anywhere; a runner compromise means full lateral movement.

AxiNode runners hold no credentials. They request signed envelopes; agents verify and execute with tenant-bound identity.

Config Management Tools

Require long-lived SSH/WinRM access and assume inbound reachability; audit is fragmented.

AxiNode is outbound-only with no inbound ports, and every command is signed and audit-linked per tenant and server.

Cloud-Native Agent Managers

Often tied to a single provider and mix credentials with control channels.

AxiNode is vendor-neutral with per-agent identities, signed command envelopes, and unified audit across on-prem + multi-cloud.

Lifecycle

Agent-based operations in five steps

From bootstrap token to verified execution, every hop is authenticated, authorized, and recorded.

Step 1

Bootstrap

Tenant operators mint a single-use bootstrap token via the dashboard or CLI.

Step 2

Enroll Agent

Agent generates its own keypair, registers over mTLS, and binds to a server record.

Step 3

Authenticate

Engineers sign in with SSO or API tokens; CLI and UI share the same API surface.

Step 4

Sign & Dispatch

Commands are signed, policy-checked, and queued for the intended agents.

Step 5

Verify & Execute

Agents verify signatures, run locally with least privilege, and stream telemetry + audit logs.
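As an added illustration of steps 4 and 5 and of the Signed Command Envelopes section above, this Go code (not AxiNode's own) shows the control plane signing an envelope and an agent verifying the signature, tenant binding, TTL, nonce replay, target membership and role before it executes anything. The envelope field names, the use of Ed25519 over the JSON encoding, and the in-memory nonce set are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)
// Envelope: the signed-command metadata the page lists (tenant, targets, role, nonce, TTL); field names are assumptions.
type Envelope struct {
	Tenant    string   `json:"tenant"`
	Command   string   `json:"command"`
	Targets   []string `json:"targets"`
	Role      string   `json:"role"`      // role that authorized the dispatch
	Nonce     string   `json:"nonce"`     // unique per envelope; blocks replay
	ExpiresAt int64    `json:"expiresAt"` // Unix seconds; the TTL boundary
}
// Agent: one trusted control-plane key, one tenant/server binding, and the nonces already executed (Seen must be non-nil).
type Agent struct {
	Tenant, ServerID string
	ControlPlaneKey  ed25519.PublicKey
	Seen             map[string]bool
}
// Sign (control-plane side): Ed25519 over the JSON bytes; json.Marshal of a struct is deterministic, so both sides agree.
func Sign(priv ed25519.PrivateKey, e Envelope) []byte {
	msg, _ := json.Marshal(e)
	return ed25519.Sign(priv, msg)
}
// Verify (agent side) fails closed: the signature is checked before any field
// is trusted, and the nonce is recorded only after every check passes.
func (a *Agent) Verify(e Envelope, sig []byte, nowUnix int64) error {
	msg, _ := json.Marshal(e)
	targeted := false
	for _, t := range e.Targets {
		targeted = targeted || t == a.ServerID
	}
	for _, c := range []struct{ bad bool; msg string }{
		{!ed25519.Verify(a.ControlPlaneKey, msg, sig), "signature invalid or envelope tampered"},
		{e.Tenant != a.Tenant, "envelope is bound to another tenant"},
		{nowUnix >= e.ExpiresAt, "envelope TTL expired"},
		{a.Seen[e.Nonce], "nonce already executed (replay)"},
		{!targeted, "this server is not a target"},
		{e.Role != "Owner" && e.Role != "Admin" && e.Role != "Member", "role below Member may not run commands"},
	} {
		if c.bad {
			return errors.New(c.msg)
		}
	}
	a.Seen[e.Nonce] = true
	return nil
}
```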

UI Trigger

Restart IIS from the dashboard

Signed command

• Button click: "Restart IIS" (Group: iis-prod)

• Role authorization: Member or higher

• Agent output streams back into the UI log

[UI] 10:42:01 user@acme triggered restart

[Agent] win-iis-01 OK • win-iis-02 OK

auditId=cmd-01h9... • zero credentials stored

Bootstrap Snippet

Issue token → register agent → confirm heartbeat

$ axn agents bootstrap-token --server win-iis-01
TOKEN=agt_01H8ZPXND...
$ axn-agent register --token $TOKEN --api https://api.axinode.com

agent[win-iis-01] ▸ online

lastHeartbeat=2025-11-28T18:04:11Z

policy=prod-windows, zero stored credentials

UI Overview

One dashboard for command, telemetry, and audit workflows

platform.axinode.com is the single pane: list servers, assemble signed commands, and watch agent output stream back in real time.

Inventory Windows and Linux nodes, filter by environment, and view heartbeat + agent posture in one grid.

Build signed command envelopes with policy preview, target groups, and deterministic fan-out.

Watch live telemetry widgets (CPU, memory, latency) without opening SSH or RDP sessions.

Audit feed shows who triggered what with ProblemDetails IDs and agent confirmations.


Command Center

Restart IIS on win-iis-01

Signed envelope

Target group

iis-prod

Authorization

Member role verified

Live Output

[win-iis-01] 10:42:01 Restart-WebAppPool DefaultAppPool

[win-iis-02] 10:42:01 Restart-WebAppPool DefaultAppPool

auditId=cmd-01h8zq... • agent=agt_win_02

Core Modules

Servers, agents, commands, telemetry, and audit

The modular monolith keeps each responsibility isolated while sharing a single secure control plane.

Servers

Logical nodes with environment, OS, and tags. No credentials stored—only metadata required for grouping and audit scope.

Agents

Identity-per-agent lifecycle with bootstrap tokens, heartbeat tracking, and capability reporting.

Commands

Signed envelopes with execution logs, deterministic fan-out, and policy enforcement per tenant role.

Telemetry

CPU, memory, and latency samples streamed over gRPC, aggregated for dashboards and alerts.

Audit

Append-only records linking every command, actor, and server for compliance-grade traceability.

Infrastructure Coverage

One agent covers OS roles and managed services

Install the agent once, then orchestrate Windows Server roles, Linux workloads, and managed services like Elastic, Redis, or CDN edges from the same zero-credential surface.

Windows Server Roles

Manage IIS sites, Windows Services, Event Viewer logs, and PowerShell scripts through the same signed command pipeline.

Linux & Containers

Control systemd units, package updates, and container runtime tasks while streaming journal metrics over gRPC.

Managed Services

Drive search clusters, caching tiers, or CDN edges through agent-run playbooks without leaving the control plane.

Hybrid Topology

Mix on-prem racks and multi-cloud VMs in one tenant. Agents authenticate outbound, so topology doesn’t change your workflow.

MVP Scope

What ships in the first release

Initial focus: Windows Server 2016+ fleets and Linux estates that need zero-credential operations with full auditability.

OS Support

Windows Server 2016+

  • Service start/stop/restart
  • IIS website & pool control
  • Sandboxed PowerShell execution

Linux (systemd)

  • systemd unit orchestration
  • Shell script execution with sandboxing
  • CPU/RAM/Disk telemetry streaming

Core Capabilities

Agent Identity & Bootstrap

Bootstrap tokens mint once, agents generate their own keys, and mTLS binds identity to each server.

Signed Command Execution

Restart services or run scripts via envelopes signed by the control plane, verified locally before execution.

Secure File Transfer

Upload and download files to agents over the existing outbound connection—no additional ports or protocols required.

Unified UI / CLI / API

Server list, health view, command center, audit explorer, and CLI share the same control model.

Telemetry & Heartbeats

Agents stream CPU, memory, disk, and heartbeat signals for every node to keep posture visible.

CLI & API Parity

Automate every workflow without leaving the zero-credential surface

UI, CLI, REST, and gRPC share one contract. Operators can bootstrap agents, run commands, or pull telemetry programmatically and still inherit the same policies and audit trail.

CLI shares the same REST/gRPC surface as the UI — no extra permissions or secrets.

Log in with short-lived API tokens; credentials stay in the OS keychain and auto-refresh.

Switch between human-readable and `--json` output for pipelines and runbooks.

Parallel dispatch uses signed envelopes, returning ProblemDetails errors with audit IDs.

$ axn auth login --token $AXN_TOKEN
$ axn servers list --status online --json
$ axn agents bootstrap-token --server web-01 --expires 24

GET /api/v1/servers

[
  {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "name": "win-iis-01",
    "hostname": "win-iis-01.prod.local",
    "status": "Online",
    "environment": "Production",
    "hasAgent": true,
    "lastSeenAtUtc": "2025-11-28T18:02:11Z"
  },
  {
    "id": "8b2e4f9a-1234-5678-90ab-cdef12345678",
    "name": "web-02",
    "hostname": "web-02.prod.local",
    "status": "Online",
    "environment": "Production",
    "hasAgent": true,
    "lastSeenAtUtc": "2025-11-28T18:01:45Z"
  }
]

Errors follow RFC 7807 ProblemDetails with correlation IDs shared with the audit module. Agents connect via gRPC package axinode.agent.v1 using mTLS.

Multi-Tenant Control

Tenant isolation, roles, and API tokens by design

Every resource is scoped with TenantId and backed by append-only audit logs. Role tiers keep operators focused while API tokens inherit the same policies.

Tenant metadata, servers, agents, commands, telemetry and audit logs all carry a TenantId. Global filters enforce isolation inside the modular monolith, while audit entries use ProblemDetails correlation IDs.

  • Roles: Owner → Admin → Member → Viewer with least privilege defaults.
  • API tokens are minted per user & tenant; hashed server-side and revocable anytime.
  • No server credentials stored, so a compromised tenant still can’t expose SSH/RDP secrets.

Tenant: Acme Prod

Role Matrix

Audit ID: LOG-6f32

Owner

Full tenant control, billing, bootstrap tokens

Admin

Manage servers, agents, roles

Member

Run commands, view telemetry

Viewer

Read-only dashboards and audit trails

POST /api/v1/api-tokens
{
  "name": "CI Deploy",
  "expiresAt": "2025-12-31T00:00:00Z"
}

The response includes only a hashed token reference; the raw token is shown once and scoped to the tenant.

Telemetry & Audit

Observability and auditability built in

Command output, agent heartbeats, and audit logs ride the same data path, giving you a complete forensic view.

Telemetry Snapshot (live)

CPU 32% (+2%) · Memory 58% (-5%) · Latency 14 ms (-1 ms)

agent[web-01] ▸ streaming logs…

cpu=0.32 mem=0.58 disk=0.41 latency=14ms

heartbeat=ok certificate=v3 rotation=2025-11-20

Audit Trail

Append-only records answer who executed what, where, and when in seconds.

10:42:05 ops@tenant.io: Executed run-script on web-west group

10:39:11 system: Agent agt_x8293 rotated certificate

10:33:55 cli-token: Created bootstrap token for db shard

Advanced forensics: Merkle tree verification, chain integrity checks, and compliance archive export, all built in.
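An added example (not AxiNode's code) of the append-only audit chain and integrity check described in this section, in Go: each record carries the SHA-256 of its predecessor, verification recomputes every link, and a published head hash stands in for the page's Merkle checkpoint to expose silent truncation. The record fields, the JSON-based hashing and the head-hash checkpoint are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// AuditRecord: the fields the page's audit trail shows (time, actor, action,
// target, correlation id) plus the hash link; field names are assumptions.
type AuditRecord struct {
	At, Actor, Action, Target, AuditID string
	PrevHash                           string // hex SHA-256 of the previous record; "" for the first
	Hash                               string `json:"-"` // hex SHA-256 over every other field
}

// hashRecord hashes the JSON encoding of every field except Hash (json:"-"), so any holder of the log can recompute it.
func hashRecord(r AuditRecord) string {
	b, _ := json.Marshal(r)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append is the only write path: it links the record to the current head.
func Append(chain []AuditRecord, r AuditRecord) []AuditRecord {
	r.PrevHash = Head(chain)
	r.Hash = hashRecord(r)
	return append(chain, r)
}
// Head is the checkpoint to publish or export; a chain that verifies but whose
// Head differs from the published value has been truncated or replaced.
func Head(chain []AuditRecord) string {
	if len(chain) == 0 {
		return ""
	}
	return chain[len(chain)-1].Hash
}

// VerifyChain recomputes every hash and back-link and returns the index of the
// first record that fails, or -1 when the chain is intact.
func VerifyChain(chain []AuditRecord) int {
	prev := ""
	for i, r := range chain {
		if r.PrevHash != prev || hashRecord(r) != r.Hash {
			return i
		}
		prev = r.Hash
	}
	return -1
}
```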