Roadmap
What's built, what's next, and where we need help
Status:
โ
Live ยท ๐จ In Progress ยท ๐ Planned ยท โ ๏ธ Deprecated
Broker Endpoints
| Endpoint | Status | Purpose |
|---|---|---|
POST /secrets/get | โ | Fetch a secret value |
POST /secrets/list | โ | List available secret names |
POST /proxy/request | โ | Generic proxied HTTP with credential injection |
POST /api/s3/presign | ๐จ | Generate presigned S3 URLs (no keys on disk) |
ALL /api/openai/* | โ | Passthrough proxy to OpenAI |
ALL /api/anthropic/* | โ | Passthrough proxy to Anthropic |
ALL /api/github/* | โ | Passthrough proxy to GitHub |
ALL /api/notion/* | โ | Passthrough proxy to Notion |
ALL /api/gemini/* | โ | Passthrough proxy to Gemini |
ALL /api/cloudflare/* | โ | Passthrough proxy to Cloudflare |
ALL /api/brave/* | โ | Passthrough proxy to Brave |
ALL /api/aws/s3/* | โ | S3 passthrough with SigV4 signing |
Agent Tools
| Command | Status | Purpose |
|---|---|---|
botster-http | โ | HTTP requests with secret injection |
botster-git | โ | Git operations with token injection |
listsecrets | โ | List available secrets |
getsek (seksh legacy) | โ ๏ธ | Raw secret fetch (security risk) โ seksh era, do not use |
Escape Hatches
Tools where agents currently use getsek or bare keys โ each is a candidate for a proper wrapped command.
| Tool | Current Method | What We Need |
|---|---|---|
flyctl | getsek to env var | botster-fly or /api/fly/* |
aws CLI | not yet used | botster-aws wrapped command |
gh CLI | getsek or local PAT | botster-gh wrapper |
Gmail OAuth | tokens in broker | OAuth token refresh flow |
wrangler | local auth | botster-wrangler or passthrough |
Planned Work
P0
- Tests for S3 presign endpoint โ SigV4 is fiddly, needs test coverage
- Merge s3-presign branch โ Deploy once tests pass
- Scoped secret stores โ Global + per-agent, eliminates AEONBYTE_ prefix hack
P1
- botster-fly โ Wrapped command for flyctl operations
- botster-aws โ AWS CLI with credential injection
- /api/fly/* passthrough โ Fly Machines API proxy in broker
P2
- botster-gh โ GitHub CLI wrapper
- botster-wrangler โ Cloudflare Wrangler CLI wrapper
- OAuth token refresh โ Broker-managed OAuth flows
- Secret rotation API โ Rotate keys without touching agent configs
P3
- Audit dashboard โ View broker logs โ which agent used which secret
- Rate limiting โ Per-agent, per-secret rate limits
- Secret expiry โ Auto-rotate or alert on aging credentials
Design Principle
If an agent needs a credential, it should go through the broker.
Every getsek call is technical debt. Every bare key on disk is a security gap. The goal is zero escape hatches โ every tool we use has either a wrapped command or a broker passthrough.
Want to request a feature or integration? Send us feedback or click any ๐ก Suggest button above.