💡 Inspiration
In April 2026, a startup called PocketOS made headlines when an autonomous AI coding agent encountered a credential error and autonomously wiped their entire production database and backups in exactly nine seconds. The root cause was not malicious AI but a Supervision Gap.
Right now, developers are giving agentic AI the equivalent of the CEO's corporate credit card and root server passwords, relying entirely on system prompts like "NEVER run destructive commands" for safety. We realized that as AI moves from chatbots to autonomous agents, we can't rely on the models to police themselves. Agentic AI needs a Zero Trust architecture.
⚙️ What it does
Doberman is a scoped access broker that acts as an un-bypassable authorization layer between AI agents and the third-party services they interact with.
Instead of hardcoding a raw Amazon password or a GitHub Admin token into an agent's context window, the agent uses our MCP (Model Context Protocol) server to request access for a specific task.
- Request: The agent submits a task (e.g., "Compare prices on 3 laptops").
- Policy Engine: Doberman translates that natural language task into a strict permission matrix, granting `[search, read]` but explicitly blocking `[purchase, delete]`.
- Approval: A human admin sees the live request pop up on the Doberman dashboard and clicks "Approve."
- Execution: The agent receives a short-lived, Ed25519-signed JWT. If the agent attempts to execute an action outside of its cryptographically signed scope, the request is instantly blocked.
- Audit: Every request, grant, and scope denial is permanently recorded in a SQLite-backed, immutable audit log.
🛠️ How we built it
We built Doberman as a highly modular, secure, full-stack application:
- Backend: Python and Flask, utilizing `FastMCP` to seamlessly expose our access tools natively to Claude and other MCP-compliant agents.
- Cryptography: We went deep into modern crypto primitives. We used Argon2id for key derivation, AES-256-GCM to securely encrypt the underlying credential "hints," and EdDSA (Ed25519) to sign the short-lived JWTs.
- Frontend: A Vite/React dashboard featuring a "bento-box" style dark-mode UI. We used `SocketIO` to stream real-time events between the backend queue and the frontend, meaning approval cards glide onto the screen instantly.
- Integrations: We integrated `Authlib` for enterprise OAuth flows and `Playwright` to manage headless session cookies for services that don't support traditional API tokens.
🚧 Challenges we ran into
The biggest technical hurdle was bridging the asynchronous gap between an AI agent requesting access and a human approving it. AI agents generally expect synchronous tool calls. To solve this, we designed a robust state-machine RequestQueue that holds the agent's connection open via a polling mechanism, while simultaneously firing SocketIO broadcasts to the React frontend.
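The sync-to-async bridge described above, as an added example that is not Doberman's own RequestQueue: a tool-call thread submits a request and blocks until the dashboard decides, a request can move out of PENDING only once and only to APPROVED or DENIED, and a request nobody decides on before the deadline fails closed as EXPIRED. It uses only the standard library; the hypothetical `notify` callback stands in for the SocketIO broadcast, and a condition variable stands in for the project's polling loop.

```python
"""A pending-approval queue bridging a synchronous MCP tool call to an asynchronous human decision.

Added illustration, not Doberman's own RequestQueue. Standard library only. The `notify`
callback is a hypothetical stand-in for the SocketIO broadcast to the React dashboard, and a
condition variable replaces the project's polling loop.
"""
import threading
import time
import uuid

PENDING, APPROVED, DENIED, EXPIRED = "pending", "approved", "denied", "expired"


class RequestQueue:
    def __init__(self, notify=lambda event, request: None):
        self._cond = threading.Condition()
        self._requests = {}
        self._notify = notify

    def submit(self, agent: str, task: str) -> str:
        """Called from the agent's tool-call thread; creates a PENDING request and tells the dashboard."""
        req_id = uuid.uuid4().hex
        with self._cond:
            self._requests[req_id] = {"id": req_id, "agent": agent, "task": task, "state": PENDING}
            self._notify("request", dict(self._requests[req_id]))
        return req_id

    def decide(self, req_id: str, state: str) -> dict:
        """Called from the dashboard; only a PENDING request can move, and only to APPROVED or DENIED."""
        if state not in (APPROVED, DENIED):
            raise ValueError("decision must be approved or denied")
        with self._cond:
            req = self._requests[req_id]
            if req["state"] != PENDING:
                raise RuntimeError(f"request {req_id} is already {req['state']}")
            req["state"] = state
            self._notify("decision", dict(req))
            self._cond.notify_all()
            return dict(req)

    def wait(self, req_id: str, timeout: float) -> str:
        """Blocks the tool call until a decision arrives; with no decision by the deadline it fails closed."""
        deadline = time.monotonic() + timeout
        with self._cond:
            req = self._requests[req_id]
            while req["state"] == PENDING:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    req["state"] = EXPIRED
                    self._notify("decision", dict(req))
                    break
                self._cond.wait(remaining)
            return req["state"]

    def state(self, req_id: str) -> str:
        with self._cond:
            return self._requests[req_id]["state"]


def decide_later(queue: RequestQueue, req_id: str, state: str, delay: float) -> threading.Timer:
    """Simulates the admin clicking Approve/Deny after `delay` seconds on another thread."""
    timer = threading.Timer(delay, queue.decide, args=(req_id, state))
    timer.start()
    return timer
```

The important property is the one in `wait`: silence from the dashboard never turns into access. A timed-out request is marked EXPIRED under the same lock the dashboard uses, so a late click on an already-expired card is rejected rather than silently granting a scope the agent stopped waiting for.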
Another challenge was securing the credentials themselves. We didn't want Doberman to become a massive target for hackers. We engineered a system where the actual third-party credentials (the "hints") are encrypted via AES-GCM and stored inside the agent's JWT itself—meaning Doberman is essentially stateless and doesn't store raw passwords at rest.
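The Request, Policy Engine, Execution and Audit steps from the "What it does" section together with the encrypted-hint design just described, as one added example that is not Doberman's own code: a task is mapped to an allow/deny scope, the scope and the AES-256-GCM encrypted hint are placed in claims signed with Ed25519, and the enforcement point verifies the signature and expiry before checking the requested action, writing every outcome to an append-only log. It assumes the `cryptography` package; the keyword `POLICY` table is a hypothetical stand-in for the natural-language policy engine, and a random 32-byte key stands in for the Argon2id-derived key the project uses.

```python
"""Scope-bound, short-lived EdDSA (Ed25519) JWT carrying an AES-256-GCM encrypted credential hint.

Added illustration, not Doberman's own code. Assumes the `cryptography` package is installed.
The keyword->scope POLICY table is a hypothetical stand-in for the natural-language policy
engine, and the random 32-byte key stands in for the Argon2id-derived key the project uses.
"""
import base64
import json
import os
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Hypothetical policy table (constructed): task keyword -> allowed/denied actions.
POLICY = {
    "compare": {"allow": ["search", "read"], "deny": ["purchase", "delete"]},
    "buy": {"allow": ["search", "read", "purchase"], "deny": ["delete"]},
}
ALL_ACTIONS = ["search", "read", "purchase", "delete"]
AUDIT_LOG = []  # append-only in memory here; the project persists it to SQLite


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_scope(task: str) -> dict:
    """Stand-in for the policy engine: fail closed when no keyword matches."""
    for keyword, scope in POLICY.items():
        if keyword in task.lower():
            return scope
    return {"allow": [], "deny": ALL_ACTIONS}


def new_broker_keys():
    """Signing key pair plus the symmetric key that protects credential hints."""
    priv = Ed25519PrivateKey.generate()
    return priv, priv.public_key(), os.urandom(32)


def issue_token(priv, enc_key: bytes, agent: str, task: str, hint: str, ttl: int = 300) -> str:
    now = int(time.time())
    claims = {"sub": agent, "task": task, "iat": now, "exp": now + ttl, **derive_scope(task)}
    # The hint travels inside the token; agent and task are bound in as associated data,
    # so the ciphertext cannot be transplanted into a token for another agent or task.
    nonce = os.urandom(12)
    aad = f"{agent}|{task}".encode()
    claims["hint"] = b64url(nonce + AESGCM(enc_key).encrypt(nonce, hint.encode(), aad))
    header = b64url(json.dumps({"alg": "EdDSA", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}." + b64url(priv.sign(f"{header}.{body}".encode()))


def verify_token(pub, token: str) -> dict:
    """Check algorithm, signature and expiry; raises on any failure."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "EdDSA":
        raise ValueError("unexpected alg")
    pub.verify(b64url_decode(sig), f"{header}.{body}".encode())  # InvalidSignature if altered
    claims = json.loads(b64url_decode(body))
    if time.time() >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def decrypt_hint(enc_key: bytes, claims: dict) -> str:
    """Only the broker-side adapter holding enc_key can recover the hint from a verified token."""
    raw = b64url_decode(claims["hint"])
    aad = f"{claims['sub']}|{claims['task']}".encode()
    return AESGCM(enc_key).decrypt(raw[:12], raw[12:], aad).decode()


def authorize(pub, token: str, action: str) -> bool:
    """Enforcement point: every outcome, including rejected tokens, is written to the audit log."""
    try:
        claims = verify_token(pub, token)
    except (InvalidSignature, ValueError) as exc:
        AUDIT_LOG.append({"action": action, "result": "rejected", "reason": type(exc).__name__})
        return False
    allowed = action in claims["allow"] and action not in claims["deny"]
    AUDIT_LOG.append({"agent": claims["sub"], "action": action, "result": "granted" if allowed else "denied"})
    return allowed


def with_extra_allow(token: str, action: str) -> str:
    """Re-encode the body with one more allowed action but the original signature (demo of integrity check)."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims["allow"] = claims["allow"] + [action]
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"
```

Two design points are worth noting. The enforcement point needs only the public key, so an adapter can refuse an out-of-scope action without ever holding the signing key; and because the agent and task are associated data on the AES-GCM ciphertext, a hint lifted from one verified token fails to decrypt under another token's claims even if the symmetric key were reused.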
🏆 Accomplishments that we're proud of
- Implementing native Model Context Protocol (MCP) support. You can plug Doberman directly into Claude Desktop or Claude CLI with a single line of JSON configuration.
- Building a beautiful, responsive, real-time React dashboard that makes managing AI permissions feel like a superpower rather than a chore.
- Successfully implementing production-grade cryptography from scratch without relying on bloated, enterprise IDaaS providers.
🧠 What we learned
We learned that the future of AI safety isn't just about training "safer" foundation models; it's about building secure infrastructure around them. We also learned the intricacies of the new Model Context Protocol (MCP) and how it is fundamentally changing the way AI agents interact with local tools and APIs.
🚀 What's next for Doberman
Currently, Doberman relies on human-in-the-loop approvals. The next step is integrating with OPA (Open Policy Agent) to allow for automatic, rules-based approvals for low-risk tasks (e.g., "Auto-approve any read request to the staging database, but block all write requests"). We also plan to expand our adapter ecosystem to support out-of-the-box headless integrations for hundreds of legacy SaaS platforms.