MXE
Matrix eXecution Engine — orchestrate remote servers with cryptographic authority.
MXE pairs a desktop Hub (Electron + React) with edge Satellites (Rust binaries) deployed onto VPS instances. Every command is Ed25519-signed end-to-end, executes inside a sandboxed worker with timeouts and a 28-pattern blocklist, and streams CPU / memory / disk telemetry back to the Hub every 30 seconds. Claude triages logs and proposes commands; humans approve. One desktop pane, many remote machines, zero shared secrets.
- TypeScript
- React
- Electron
- Rust
- ed25519-dalek
- TweetNaCl (JS)
- WebSocket Secure (WSS)
- Claude API
- GitHub Actions
MXE — Matrix eXecution Engine is the desktop command center we built after losing patience with the "fifteen SSH terminals + a shared note for which fleet member I'm yelling at" school of remote-server management. The Hub runs locally as an Electron + React app; the Satellites are Rust binaries you push to each box; every command crossing the wire is Ed25519-signed, every output is signed back, and the audit log is the ground truth.
The Hub
- Single desktop pane for every server in your fleet — connection state, signed-command history, live telemetry, log tail, AI-suggested triage.
- Claude integration — when a Satellite reports anomalous logs or a stuck service, the Hub feeds the context to Claude and shows the suggested commands next to a human-approval gate. Nothing executes unless the operator clicks.
- One-click Satellite deployment over SSH — bootstrap a new edge worker on a fresh VPS without leaving the Hub. The Hub generates the keypair, ships the binary, registers it in the local fleet ledger.
- Real-time telemetry — CPU, memory, disk, running processes, discovered services and git repos, streamed via WSS every 30 seconds.
The Satellite
- Rust binary built for small footprint and predictable resource use — the last thing we want on a stressed VPS is a heavy agent.
- Sandboxed execution with memory limits, per-command timeouts, and a 28-pattern blocklist on the commands the operator can request.
- Signature verification on every inbound message — ed25519-dalek on the Rust side, TweetNaCl on the JS side. The two sides only trust signed traffic; an unsigned WSS frame is dropped at the protocol layer.
- Auto-discovery of git repositories, systemd services, and notable processes — the Hub gets a map of "what's actually on this box" without the operator having to type it.
Why "Matrix eXecution Engine"
The name is the architecture: a matrix of machines, executing signed instructions, viewed through one console. MXE is what we point our own fleet at — the same Galaxy ledger that powers the brag numbers on the home page is part of the same operations pattern this product exists to formalize.
Straight from the source
The project's own README.
Rendered in place — every link, image, and code block carried over from the repo. The page below is what a contributor would see opening the project for the first time.
MXE — Agentic Command Center
Orchestrate remote servers with cryptographic authority.
Ed25519-signed command execution • Rust edge workers • AI-powered triage • Real-time telemetry
Website • Install Guide • Documentation • Contact
MXE is a desktop command center for managing fleets of remote Linux servers through Ed25519-signed WebSocket channels, real-time telemetry, AI-powered log triage, and conversational command delegation.
Built with Electron + React + Tailwind (Hub) and Rust (Satellite edge workers).
Status: v0.1.0 MVP — Beta
Quick Start
# Install dependencies
just install
# Run the full Electron app with hot reload
just dev
# Or run the renderer only in a browser (fast iteration)
just dev-web
# Launch a local Satellite for testing
just run-sat
# Run all tests (JS + Rust)
just test
Architecture
┌──────────────────────────────────┐
│ Hub (Electron) │
│ ┌──────────┐ ┌──────────────┐ │ ┌────────────────────┐
│ │ Renderer │ │ Main Process │ │◄─ WS ──►│ Satellite (Rust) │
│ │ (React) │◄─┤ (Node.js) │ │ Portal │ Edge Worker │
│ └──────────┘ └──────────────┘ │ └────────────────────┘
│ ▲ contextBridge │ │
│ │ (IPC only) │ │
└──────────────────────────┼──────┘
│
┌──────┴──────┐
│ Commander │
│ (Claude CLI │
│ on VPS) │
└─────────────┘
Hub — Electron desktop app. Main process holds encrypted secrets and manages portal connections. The renderer is an untrusted React SPA communicating only via contextBridge IPC.
Satellite — Rust binary deployed to remote Linux servers. Exposes a WebSocket server for stats streaming and signed command execution. Ships with a 28-pattern command blocklist, 15-second execution timeout, and rate limiting.
Commander — A root-level Claude Code instance on a VPS that orchestrates Satellites via tool delegation through the Hub's chat interface.
See ARCHITECTURE.md for the full system design, and docs/ for detailed documentation.
Core Capabilities
| Capability | Description |
|---|---|
| Ed25519 Signed Commands | Every Hub→Satellite command is cryptographically signed. Satellites verify before execution. |
| Rust Edge Workers | Memory-safe Satellites with command blocklist, execution timeout, rate limiting, and OOM protection. |
| AI Log Triage | Critical logs are auto-intercepted, scrubbed of secrets, and evaluated by an LLM for remediation. |
| Real-Time Telemetry | Live CPU/MEM stats streamed every 5 seconds from all connected Satellites. |
| One-Click Deploy | SSH bootstrapper builds, uploads, launches, and auto-pairs Satellites from the GUI. |
| Commander Chat | Conversational LLM with tool delegation — ask questions, run diagnostics, delegate bash commands. |
| Global Kill Switch | DEFCON 1 button terminates all running processes and clears secrets across all Satellites. |
| Secret Vault | Encrypted in-memory secret injection. API keys never hit disk on remote servers. |
| Mesh Routing | Satellite-to-satellite message forwarding through the Hub. |
| OTA Updates | Push binary updates to remote Satellites over the authenticated Portal channel. |
| Portal Persistence | Encrypted local storage of connection credentials with auto-reconnect on app restart. |
| Repo Security Audit | Automated npm audit + git status analysis with LLM evaluation of findings. |
Security Model
MXE implements defense-in-depth across every layer:
- Cryptographic auth — Ed25519 keypair pairing with 6-digit out-of-band code, NaCl
crypto_signon every command - Command blocklist — 28 destructive patterns blocked at the Satellite (rm -rf /, mkfs, dd, DROP TABLE, etc.)
- Execution sandbox — 15-second timeout, 1GB memory limit, ulimit wrapping, child process kill on expiry
- Rate limiting — 20 messages/sec per WebSocket connection
- Secret isolation — API keys encrypted in Electron main process, never exposed to renderer; log sanitization strips 8+ secret patterns before LLM evaluation
- Electron hardening —
nodeIntegration: false,contextIsolation: true, strict CSP, nowebviewTag - Systemd hardening —
NoNewPrivileges,ProtectSystem=strict,MemoryMax=256M,CPUQuota=80%
See docs/SECURITY.md for the full security whitepaper.
Project Structure
src/
main/index.ts Electron main process (IPC, encrypted store, SSH deploy, AI APIs)
preload/index.ts contextBridge IPC exposure
renderer/src/
App.tsx Dashboard: server grid, logs, modals, Commander chat
components/ ServerCard, LogStream, CommanderChat, PairServerModal, DeployModal,
SettingsModal, RepoModal
lib/
crypto.ts Ed25519 (TweetNaCl): sign, verify, pairing codes
portal.ts WebSocket Portal: pair, reconnect, signed commands, keepalive
ai.ts Triage: API calls + mock fallback + response parsing
dispatch.ts Local script execution via IPC
sanitize.ts Secret redaction (8 patterns: API keys, tokens, private keys)
react-loop.ts ReAct depth limiter for Commander auto-reply
icons.ts Service/OS icon mapper
types.ts Shared TypeScript interfaces
packages/satellite/src/
main.rs WebSocket server, pairing, stats, kill switch, OTA upgrade
crypto.rs Ed25519: sign, verify, combined signatures
execution.rs Command blocklist (28 patterns), timeout, vault injection
scripts/
payloads/commander_init.sh Server scanner → Master Manifest JSON
prompts/triage_audit.md LLM triage prompt template
deploy_web.sh Deploy landing page to mxe.namek.top
publish_release.sh Build artifacts + upload to download server
apps/web/index.html Landing page (mxe.namek.top)
Testing
just test # All tests (JS + Rust)
just test-watch # Vitest watch mode
just test-sat # Rust satellite tests only
82 tests across two stacks:
| Suite | Tests | Coverage |
|---|---|---|
| Cryptography (JS + Rust) | 22 | Ed25519 sign/verify, payload signing, pairing codes, key uniqueness |
| Command Blocklist (Rust) | 11 | All 28 destructive patterns + safe command allowlist |
| Execution Engine (Rust) | 7 | Timeout, stderr capture, vault injection, resource limits |
| Secret Scrubbing (JS + Rust) | 12 | 8+ patterns: API keys, Bearer tokens, AWS keys, private keys |
| Portal Connection (JS) | 14 | Backoff, keepalive, state machine, signed messages, persistence |
| AI Triage (JS) | 10 | Mock evaluation, JSON parsing, markdown handling, field defaults |
| React Components (JS) | 18 | ServerCard, PairServerModal, RepoModal rendering + interactions |
| ReAct Loop Limiter (JS) | 6 | Depth enforcement, reset on user message, tool call detection |
| Integration (JS) | 4 | Cross-system Hub→Satellite signed command round-trip |
See docs/TESTING.md for detailed test documentation.
Deployment
# Deploy a Satellite to a remote server
just slide <host> [user] [key]
# Or from the GUI: click "Slide Satellite" and enter SSH details
# Tag a release — GitHub Actions builds .exe, AppImage, and Satellite
just tag-release
# Deploy the landing page
just deploy-web
See docs/DEPLOYMENT.md for the full deployment guide.
Development Commands
| Command | Description |
|---|---|
just dev |
Full Electron app with hot reload |
just dev-web |
Renderer only in browser (fast iteration, no Electron) |
just build |
Compile without packaging |
just build-sat |
Build Rust Satellite (release) |
just run-sat |
Launch local Satellite on port 9077 |
just test |
Run all tests (JS + Rust) |
just tag-release |
Tag + push to trigger GitHub Actions release build |
just audit |
npm audit + cargo audit |
just clean |
Remove build artifacts |
just status |
Show project stats |
just resurrect |
Restore dev environment after reboot |
Documentation
- ARCHITECTURE.md — System design, IPC boundaries, protocol spec
- CHANGELOG.md — Version history
- docs/SECURITY.md — Security whitepaper
- docs/PROTOCOL.md — Portal WebSocket protocol specification
- docs/DEPLOYMENT.md — Deployment and operations guide
- docs/TESTING.md — Test suite documentation
- docs/ROADMAP.md — Future feature roadmap
- docs/features/ — Individual feature documentation
Tech Stack
- Desktop Shell: Electron 33 + electron-vite
- Frontend: React 18 + TypeScript 5.7 + Tailwind CSS 3.4
- Cryptography: TweetNaCl (JS) + ed25519-dalek (Rust)
- Edge Workers: Rust + tokio + tungstenite + sysinfo
- AI: Anthropic Claude / OpenRouter (configurable)
- Testing: Vitest + React Testing Library + Cargo test
- CI/CD: GitHub Actions (parallel JS/Rust matrix)
- Storage: electron-store (encrypted)
License
MIT License — see LICENSE for details.
Matrix eXecution Engine — mxe.namek.top — [email protected]
Gallery
The full set.
Build something like this
Want a tool like this for your shop?
We've shipped this kind of thing before. Twenty-minute intro call, no slides.