Skip to main content

pronounced "eh‑feer"

Ephyr

Cryptographically bounded agent authority with centralized audit.

The first open-source implementation of the Delegation Capability Token architecture from Google DeepMind's "Intelligent AI Delegation" framework.

Get Started View Source

See It In Action

SSH execution, macaroon delegation, cascade revocation, and real-time monitoring - all through one MCP endpoint.

Ephyr Demo

Deep Dive Podcast (generated with NotebookLM)

System Architecture
Broker internals, MCP server, policy engine, dashboard
v0.3 · March 2026
Architecture

Ephyr Architecture Whitepaper

Three-process design, MCP server implementation, HTTP proxy engine, federation, policy engine, task identity, dashboard, metrics, and deployment topology.

Read →
Security Model
Security

Security Whitepaper

Trust model, authentication layers, cryptographic choices, network isolation, hardening guide. 14 enumerated threats with mitigations.

Read →
Task Identity
Identity

Task-Scoped Portable Identity

Why task runs - not service accounts - should be the unit of agent identity. CTT-E tokens, capability envelopes, epoch watermarks.

Read →

The Problem

MCP gives agents tools. It doesn't govern what happens when agents delegate to sub-agents, when permissions need to attenuate, or when actions need to trace back to the task that initiated them.

Static credentials are a liability

SSH keys don't expire. API tokens can't be scoped per-task. When an agent session ends, the access remains. Rotation is manual and error-prone.

No delegation model

When agent A delegates to B, and B delegates to C - who authorized C to do what? MCP has no policy layer for permission propagation across delegation chains.

Authority can't be proven

Can you prove the authority only narrowed? Without cryptographic caveat accumulation and deterministic reduction, the answer is no.

What Ephyr Does

Three isolated processes between AI agents and infrastructure. One MCP endpoint replaces scattered credentials with policy-governed, ephemeral, SIEM-ready access.

Ephyr Architecture

ephyr signer

Holds the Ed25519 CA private key in a systemd sandbox. ProtectSystem=strict, MemoryDenyWriteExecute, zero capabilities. Unix socket IPC only. The CA key never leaves this process, never touches the network.

ephyr broker

HMAC chain verification, caveat reduction, policy evaluation, SSH certificate requests, HTTP proxy with credential injection, MCP federation, task tree management, structured audit, admin dashboard.

How It Works

HMAC-Chained Macaroons

Task tokens use HMAC-SHA256 caveat chains. Restriction removal is cryptographically impossible. The effective envelope reducer derives the most-restrictive authority using set intersection, minimums, and boolean AND.

Ephemeral SSH Certificates

Ed25519 certificates with 5-minute default TTL. Per-request issuance by the isolated signer. Persistent sessions reduce latency from ~850ms to ~14ms - 60x faster for sequential commands.

Task-Scoped Identity

Every action correlates to a task run with a ULID. Capability envelopes bound what a token can do. Epoch watermark revocation invalidates entire task trees instantly - O(depth), no blocklists.

Broker-Mediated Delegation

Parent tasks delegate to children with attenuated scope. Cross-agent delegation supported. The child gets the intersection of parent ceiling and child policy. Max depth 5. No offline delegation.

Policy & RBAC

Declarative YAML, hot-reload via SIGHUP. Eight-step evaluation pipeline. Per-agent RBAC across SSH, HTTP, and MCP federation with template inheritance and wildcard support. Every denial includes a reason.

Three Proxy Paths

SSH certificates, HTTP APIs with credential injection (bearer, basic, header, query param), and federated MCP servers with automatic discovery. Agents connect once; the broker handles everything.

15 MCP Tools · 7 Resource URIs

JSON-RPC 2.0 over Streamable HTTP, implementing MCP 2025-03-26. Works with Claude Code, Claude Desktop, Cursor, Cline, and any MCP client.

Infrastructure

  • exec - Run commands via ephemeral SSH cert
  • session_create / session_close - Persistent sessions
  • list_targets / list_sessions / list_certs

HTTP Proxy

  • http_request - Authenticated proxy (credentials auto-injected)
  • list_services

Task Identity & Delegation

  • task_create / task_delegate - Scoped tasks with attenuation
  • task_bind - Holder binding with proof-of-possession
  • task_info / task_list / task_revoke

Resources (Self-Discovery)

  • ephyr://overview - System summary + permissions
  • ephyr://targets / ephyr://services / ephyr://roles
  • ephyr://status / ephyr://tools / ephyr://remotes

Capability Tiers

Each tier is a strict superset of the previous.

Ephyr Core

Brokered access, ephemeral credentials, task-scoped identity with ULID correlation, declarative policy with hot-reload, RBAC, epoch watermark revocation, structured audit trail.

Ephyr Delegation

Pure-stdlib macaroon engine (HMAC-SHA256). Fuzz-tested reducer (220k executions). Broker-mediated delegation with cryptographic caveat accumulation. Cross-agent delegation. ephyr inspect CLI.

Ephyr Bind

DPoP-style proof-of-possession enforced in the auth hot path. Ephemeral Ed25519 keypair per task. Leaked macaroons are useless without the corresponding private key. No mTLS infrastructure required. ~132us full PoP pipeline.

By the Numbers

<1ms Warm auth (187x over cold)
~34µs Macaroon mint
~32µs Macaroon verify
~132µs PoP pipeline (full)
~6µs Envelope reducer
14ms SSH exec (persistent session)
60x Session speedup
541k+ Fuzz executions (0 failures)
377+ Tests (unit + integration)
3 Dependencies
0 External databases

Benchmarked on Debian 12 LXC, 1 vCPU, 512MB RAM. Macaroon implementation is pure stdlib (HMAC-SHA256 from crypto/hmac).

Security Model

Defense in Depth

Five authentication layers: SO_PEERCRED (kernel-verified UID), 256-bit session tokens, constant-time dashboard auth, bcrypt API keys, and Ed25519 SSH certificates.

CA Key Isolation

The CA private key exists only in the signer process. Systemd sandbox with ProtectSystem=strict, MemoryDenyWriteExecute, and zero capabilities. Never on the network.

Network Isolation

nftables UID-based rules block direct agent-to-backend traffic. All access routes through the broker. CIDR allow/deny policy for HTTP proxy destinations.

14 Enumerated Threats

Documented threat model covering broker compromise, agent takeover, token leakage, network attacks, and more. Each threat has explicit mitigations and residual risk assessment. T6 (SSH MITM) mitigated via host key pinning. T7 (TLS MITM) mitigated via per-service TLS config.

Command/Request Filtering

Opt-in deny/allow patterns on SSH commands, HTTP proxy requests, and MCP federation calls. Auto-revoke on violation suspends agent access. Defense-in-depth layer with zero overhead when disabled (~3.9ns).

Proxy Hardening

Hop-by-hop header stripping, httpoxy mitigation (CVE-2016-5385), and redirect blocking. Prevents credential exfiltration via open redirect chains. Always active, zero configuration.

Designed for environments that demand verifiable control over autonomous agents.

Self-hosted, single-tenant, zero external dependencies. Your infrastructure, your policy, your audit trail.

Get Started Read the Whitepapers GitHub

Apache 2.0 · Go 1.24+ · Linux · 3 dependencies · Zero external databases