Zero-Trust mTLS Agents
Secure your remote discovery and terminal access with short-lived, rotated certificates.
The Security Problem
Managing engineering context across local, remote, and production servers usually requires complex VPNs or risky static SSH keys. TraceFlow solves this by using a **Zero-Trust Agent** architecture. We don't trust your network - we trust your certificates.
How mTLS Works in TraceFlow
TraceFlow uses Mutual TLS (mTLS) for all agent-to-hub communication. Unlike standard HTTPS, where only the server is verified, mTLS requires both the Hub and the Agent to present valid certificates to each other.
- Dynamic Signing: When you run the install script, the agent generates a private key locally and sends only a CSR (Certificate Signing Request) to the Hub, which signs it. The private key never leaves the machine.
- Short-Lived Certs: Certificates are rotated automatically, so a leaked or stolen key is only usable until its certificate expires.
- Outbound-Only: Agents connect *out* to the Hub via WebSockets. You never need to open inbound ports on your firewalls.
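The enrolment and verification flow described above, as an added Go example that is not TraceFlow's own code: a hypothetical in-memory `Hub` acts as the signing CA, `NewAgentCSR` models the agent generating its key locally and sending only a CSR, `Sign` issues a client-auth certificate with a short TTL, and `Verify` rejects certificates that are expired or revoked. Every name (`Hub`, `NewAgentCSR`, `Sign`, `Verify`, `Revoke`, the `example-hub-ca` subject) is an assumption for illustration; it uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hub is a hypothetical in-memory model of the signing side: CA key pair, agent cert lifetime, revoked serials.
type Hub struct {
	caKey   *ecdsa.PrivateKey
	caCert  *x509.Certificate
	ttl     time.Duration
	revoked map[string]bool
}

// NewHub creates a self-signed CA whose only job is signing agent CSRs.
func NewHub(ttl time.Duration) (*Hub, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-hub-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Hub{caKey: key, caCert: caCert, ttl: ttl, revoked: map[string]bool{}}, nil
}

// NewAgentCSR runs on the agent: the key is generated locally and never leaves; only the CSR is sent.
func NewAgentCSR(name string) (key *ecdsa.PrivateKey, csr []byte, err error) {
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, err
	}
	csr, err = x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	return key, csr, err
}

// Sign runs on the hub: check the CSR's proof of possession, then issue a client-auth cert valid for ttl.
func (h *Hub) Sign(csrDER []byte, now time.Time) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		Subject: csr.Subject, SerialNumber: big.NewInt(now.UnixNano()), // demo only; real CAs use large random serials
		NotBefore:   now.Add(-time.Minute), // small clock-skew allowance
		NotAfter:    now.Add(h.ttl),        // short-lived: this is the rotation interval
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, h.caCert, csr.PublicKey, h.caKey)
}

// Verify is the hub's check on a presented agent cert: not revoked, chains to the hub CA, valid at now, client-auth EKU.
func (h *Hub) Verify(certDER []byte, now time.Time) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if h.revoked[cert.SerialNumber.String()] {
		return nil, fmt.Errorf("certificate %s revoked", cert.SerialNumber)
	}
	roots := x509.NewCertPool()
	roots.AddCert(h.caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err
	}
	return cert, nil
}

// Revoke is instant offboarding: from the next connection on, this serial is refused even before it expires.
func (h *Hub) Revoke(serial *big.Int) { h.revoked[serial.String()] = true }

func main() {
	hub, _ := NewHub(10 * time.Minute)
	_, csr, _ := NewAgentCSR("agent-1")
	cert, _ := hub.Sign(csr, time.Now())
	fmt.Println(hub.Verify(cert, time.Now()))
}
```

The point of the TTL passed to `NewHub` is that rotation and expiry are the same mechanism: an agent that stops renewing is cut off when its certificate lapses, and `Revoke` covers the case where you cannot wait that long. In a real deployment the same `Verify` logic sits behind `tls.Config.ClientAuth = tls.RequireAndVerifyClientCert` on the Hub's WebSocket listener, with the agent presenting its freshly issued certificate on each outbound connection.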
Terminal Access Security
TraceFlow's embedded terminal features (xterm.js) are tunneled through this mTLS connection. This allows developers to access remote tmux sessions securely without traditional SSH, with full session history preserved for context recovery.
Key Benefits
No Static Keys
Stop worrying about ~/.ssh/authorized_keys bloat or leaked PEM files.
Instant Offboarding
Revoke a machine's certificate in the Hub dashboard to immediately kill all access.