Features that keep every action secure, auditable, and agent-driven.
Platform.axinode.com is the single pane for triggering commands, managing servers, and observing telemetry. Agents execute everything with signed envelopes—no SSH keys, no passwords, no guesswork.
Phase 1
Plan workflows
Define server groups, managed service targets, and policy guardrails inside the control plane.
Phase 2
Trigger actions
Use the dashboard, CLI, or REST API to sign envelopes. Agents execute with outbound mTLS.
Phase 3
Observe & audit
Telemetry cards, JSON logs, and an append-only audit feed confirm every step with correlation IDs.
Control Plane UI
Trigger workflows from the dashboard
Click an action, confirm policy, and watch live output. Agents execute via outbound mTLS connections, so you never expose SSH or RDP.
Command Center
Restart IIS on win-iis-01
• Target group: iis-prod
• Policy: AllowRestart
• Agent output streams into the UI log in real time
[UI] 10:42:01 user@acme triggered restart
[Agent] win-iis-01 OK • win-iis-02 OK
auditId=cmd-01h9z... • zero credentials stored
Secure outbound agents
Lightweight binaries install in minutes, establish outbound mTLS, and authenticate via signed bootstrap tokens. No inbound firewall rules or stored root credentials.
- Zero inbound ports or VPN tunnels.
- Automatic certificate rotation and health checks.
- Agent capabilities advertise Windows roles, Linux services, or managed plugins.
● Agent Connected
ID: agt_x8293...
OS: Windows Server 2022
Uptime: 14d 2h • Mem: 45MB / 120MB
Last heartbeat: 15s ago
Signed commands & streaming output
Every command is enveloped, signed, and verified before execution. Output streams back to the UI, CLI, or API with immutable audit IDs.
- Command builder in UI mirrors CLI/REST payloads.
- ProblemDetails errors include correlation IDs for debugging.
- Parallel fan-out across hundreds of servers with backpressure controls.
$ axinode exec --group=iis-prod "Restart-WebAppPool DefaultAppPool"
[win-iis-02] Restart-WebAppPool DefaultAppPool — OK
auditId=cmd-01h8zq...
Envelope internals
Command envelope fields and validation
Signed envelopes carry policy, routing, and anti-replay controls. Agents verify signature, TTL, nonce, and intended target before execution.
{
  "commandId": "cmd-01h9p...",
  "tenantId": "tnt_acme",
  "target": {
    "serverGroup": "iis-prod",
    "agentIds": ["agt_win_01","agt_win_02"]
  },
  "payload": {
    "type": "RestartService",
    "serviceName": "W3SVC"
  },
  "timestamp": "2025-12-01T10:42:01Z",
  "ttlSeconds": 300,
  "nonce": "9f6c8d...",
  "signature": "base64(ed25519)",
  "policy": "AllowRestart"
}
Validation: signature → nonce/TTL → tenant/server/agent binding → policy allowlist.
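The validation order above, sketched as an added example (not AxiNode's own code). Assumptions: HMAC-SHA256 stands in for the Ed25519 signature because the Python standard library has no Ed25519 (with Ed25519 the agent would hold only the public key), the signed bytes are the canonical JSON of every field except "signature", and the names KEY, POLICY_ALLOWLIST, make_envelope and Agent are hypothetical.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

KEY = b"constructed-demo-key"  # HMAC stand-in for the Ed25519 signing key
POLICY_ALLOWLIST = {"AllowRestart": {"RestartService"}}  # assumed policy table

def sign(env):
    # Assumed signing input: canonical JSON of every field except "signature".
    body = {k: v for k, v in env.items() if k != "signature"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def make_envelope(**overrides):
    # Constructed sample modelled on the fields shown above.
    env = {"commandId": "cmd-demo-1", "tenantId": "tnt_acme",
           "target": {"serverGroup": "iis-prod", "agentIds": ["agt_win_01", "agt_win_02"]},
           "payload": {"type": "RestartService", "serviceName": "W3SVC"},
           "timestamp": "2025-12-01T10:42:01Z", "ttlSeconds": 300,
           "nonce": "n-0001", "policy": "AllowRestart"}
    env.update(overrides)
    env["signature"] = sign(env)
    return env

class Agent:
    def __init__(self, agent_id, tenant_id, groups):
        self.agent_id, self.tenant_id, self.groups = agent_id, tenant_id, set(groups)
        self.seen_nonces = set()  # a real agent would expire entries after the TTL

    def validate(self, env, now):
        # 1. Signature: no other field is trusted until this passes.
        if not hmac.compare_digest(sign(env).encode(), str(env.get("signature", "")).encode()):
            return "bad_signature"
        # 2. Freshness and replay: inside the TTL window, nonce not seen before.
        issued = datetime.fromisoformat(env["timestamp"].replace("Z", "+00:00"))
        if not issued <= now <= issued + timedelta(seconds=env["ttlSeconds"]):
            return "outside_ttl"
        if env["nonce"] in self.seen_nonces:
            return "replayed"
        # 3. Binding: tenant, server group and agent id must all name this agent.
        target = env["target"]
        if (env["tenantId"] != self.tenant_id or target["serverGroup"] not in self.groups
                or self.agent_id not in target["agentIds"]):
            return "wrong_target"
        # 4. Policy allowlist: the named policy must permit this payload type.
        if env["payload"]["type"] not in POLICY_ALLOWLIST.get(env["policy"], set()):
            return "policy_denied"
        self.seen_nonces.add(env["nonce"])
        return "ok"
```

The nonce is recorded only once an envelope is accepted, so a rejected envelope cannot fill the replay cache.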
Lifecycle
Agent lifecycle and heartbeat schema
Bootstrap tokens are minted once, agents generate keypairs, and heartbeats report posture, version, and certificate expiry.
{
  "agentId": "agt_win_01",
  "version": "0.9.3",
  "status": "healthy",
  "timestamp": "2025-12-01T10:42:05Z",
  "metrics": {
    "cpu": 0.32,
    "memoryMb": 5800,
    "latencyMs": 14
  },
  "lastCommandId": "cmd-01h9p...",
  "certExpiresAt": "2026-01-01T00:00:00Z"
}
Outbound-only mTLS; no stored credentials. Health drives UI status and policy gates.
API & CLI: deep dive
REST `/api/v1` + CLI share the same contracts, ProblemDetails errors, and correlation IDs. Automate without a second control plane.
GET /api/v1/servers
{ "items": [ { "id": "srv_01h8v...", "hostName": "win-iis-01" } ], "total": 6 }
Error sample:
{
  "type": "https://api.axinode.com/errors/command-policy",
  "title": "Policy validation failed",
  "status": 403,
  "correlationId": "cmd-01h9p...",
  "detail": "Policy AllowRestart denied for target group iis-prod",
  "errors": ["policy_denied"]
}
$ axinode servers list --env production --json
Audit & telemetry
Schema snippets for forensic trails
Audit entries link command → agent → tenant, while telemetry snapshots keep live posture visible.
Audit entry
{
  "id": "audit-01h9...",
  "actor": "user@acme",
  "tenantId": "tnt_acme",
  "action": "RunCommand",
  "entity": "srv_01h8v",
  "commandId": "cmd-01h9p",
  "correlationId": "cmd-01h9p",
  "timestamp": "2025-12-01T10:42:07Z"
}
Telemetry snapshot
{
  "serverId": "srv_01h8v",
  "agentId": "agt_win_01",
  "cpu": 0.32,
  "memoryMb": 5800,
  "diskPct": 0.41,
  "latencyMs": 14,
  "timestamp": "2025-12-01T10:42:05Z"
}
Playbooks
Common operations mapped to AxiNode workflows. Adapt or automate them in the UI, CLI, or REST API.
Playbook
Windows IIS Rollout
- CLI generates bootstrap tokens for new IIS nodes and registers agents.
- Dashboard command sends Restart-WebAppPool to iis-prod group with policy guardrails.
- Telemetry verifies CPU/memory spikes and audit log records who triggered the action.
Playbook
Linux Patch Orchestration
- Feature flags tag target Debian servers; CLI builds a signed command to run apt update.
- Agents execute in parallel, streaming logs back to UI and Slack webhook (future).
- ProblemDetails errors include correlation IDs for fast rollback if needed.
Playbook
Elastic/Redis Provisioning
- Operator selects Elastic template from command builder; agent runs Terraform/Ansible module.
- Redis cache nodes join automatically; telemetry monitors latency and memory usage.
- Audit trail anchors the provisioning run for compliance.
Operations snapshot
Signed command payloads, target groups, and audit IDs side by side with tenant context.
Data snapshot: command envelope
Every command envelope carries metadata for audit, policy, and routing. Here’s a typical payload for a production IIS restart.
POST /api/v1/commands
{
  "serverGroup": "iis-prod",
  "command": "Restart-WebAppPool",
  "parameters": {
    "name": "DefaultAppPool"
  },
  "policy": "AllowRestart",
  "signed": true
}
ProblemDetails errors include { "correlationId": "cmd-01h8zq..." } to align CLI, UI, and audit feeds.