Proximo brings plan-before-execute trust to Proxmox AI management
John Broadway built Proximo, an open-source Apache-2.0 Proxmox MCP + A2A server designed around a mandatory dry-run, hash-chained audit ledger, and auto-snapshot rollback so an AI agent can never mutate a cluster without prior human review.
Score breakdown
Proximo's mandatory pre-mutation dry-run and blast-radius computation mean an AI agent structurally cannot modify a Proxmox cluster without first producing a human-reviewable plan — directly addressing the "Lack of Audit and Telemetry" and "irrecoverable data loss" risks named in the OWASP MCP Top 10 and official MCP security guidance.
- 01Proximo is an open-source (Apache-2.0) Proxmox MCP + A2A server at v0.6.0, described as days old with zero adoption at time of writing.
- 02Every mutation is gated by a mandatory PLAN dry-run that computes a blast radius, naming specific guests that would be affected before any change is permitted.
- 03PROVE records all plans and confirmations in a hash-chained, tamper-evident audit ledger stored locally, not on a SaaS dashboard.
John Broadway built Proximo after identifying a gap in the existing Proxmox MCP server landscape: tools were either read-mostly "safe inspectors" or full-featured mutators that required blind trust. Proximo aims to be a third option — full cluster management with trust built into the architecture rather than added as an afterthought. Every mutation in the system is governed by three non-optional primitives: PLAN forces a dry-run that returns the exact proposed change, the guest's live state, and a computed blast radius (for example, deleting a storage pool names every VM that would lose its boot disk); PROVE records plans and confirmations into a hash-chained, tamper-evident audit ledger stored on the user's own machine; and UNDO takes an auto-snapshot before any risky change and provides one-call rollback, failing closed if the storage cannot snapshot. A fourth primitive, DIAGNOSE, provides a read-only evidence battery where an empty findings list is never treated as a clean bill of health.\n\nProximo is API-only by default, communicating with Proxmox exclusively over its REST API using a scoped token that is never read or logged. The one structural exception is container exec: because the Proxmox REST API has no container-exec endpoint, Proximo optionally routes that capability over SSH, gated behind an opt-in flag (`PROXIMO_ENABLE_EXEC=1`) and a fail-closed CTID allowlist. At v0.6.0, the project has 145 tools and 2,394 tests, though Broadway notes most of that surface still runs against mocks. Live-proven capabilities include the trust spine end-to-end, the governance and dangerous plane (roles, groups, users, ACLs, storage, SDN/network, realms), offline guest migration, and HA config. Broadway explicitly acknowledges comparable projects — proxxx and RekklesNA's ProxmoxMCP-Plus — and notes that Proximo's specific bet is trust by construction across the whole control plane plus auto-UNDO and governance-plane exposure. He also discloses that Claude (Anthropic's model) did much of the actual implementation, with every commit carrying a co-author trailer.
Key facts
- 01Proximo is an open-source (Apache-2.0) Proxmox MCP + A2A server at v0.6.0, described as days old with zero adoption at time of writing.
- 02Every mutation is gated by a mandatory PLAN dry-run that computes a blast radius, naming specific guests that would be affected before any change is permitted.
- 03PROVE records all plans and confirmations in a hash-chained, tamper-evident audit ledger stored locally, not on a SaaS dashboard.
- 04UNDO takes an auto-snapshot before risky changes and provides one-call rollback, failing closed if the storage cannot snapshot.
- 05The project ships 145 tools and 2,394 tests, but Broadway notes most of the surface still runs against mocks; live-proven against a real PVE 9.2 API.
- 06Container exec is opt-in via `PROXIMO_ENABLE_EXEC=1`, routed over SSH with a fail-closed CTID allowlist, because the Proxmox REST API has no container-exec endpoint.
- 07Claude (Anthropic's model) did much of the actual implementation; every commit carries a co-author trailer disclosing the human+AI partnership.
Topics
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 20, 2026 · 08:55 UTC. How this works →