I've been using Claude Code for infrastructure work for months. And every session followed the same pattern:
- Ask Claude what command to run
- Read Claude's answer
- Open terminal
- Copy-paste the command
- Read output
- Paste output back to Claude
- Repeat
It felt like I'd hired a senior engineer who wasn't allowed to touch the keyboard. So I built Conduit — and gave Claude the keyboard.
What is Conduit?
Conduit is a cross-platform remote connection manager (SSH, RDP, VNC, web) with a built-in MCP server. Think Termius or Royal TS, but the whole thing is wired up as an MCP server so Claude Code can drive it directly.
Apache 2.0 open source: https://github.com/advenimus/conduit-desktop
The MCP integration
When you add Conduit as an MCP server in Claude Code:
claude mcp add conduit -- node "/Applications/Conduit.app/Contents/Resources/mcp/dist/index.js" \
--env CONDUIT_SOCKET_PATH="$HOME/Library/Application Support/conduit/conduit.sock" \
--env CONDUIT_ENV="production"
Claude gets access to 60+ tools across five categories.
Terminal (SSH)
-
terminal_execute— run a command in an SSH session and get the output back -
terminal_read_pane— read the current terminal buffer -
terminal_send_keys— send raw keystrokes (including Ctrl+C, arrow keys, etc.)
Now instead of "run df -h on each server," Claude just does it. Across all of them.
RDP / VNC
-
rdp_screenshot— capture a screenshot of a remote desktop -
rdp_click— click at coordinates -
rdp_type— type text -
rdp_send_key— send keyboard shortcuts (Win+R, Ctrl+Alt+Del, etc.) - Same set for VNC sessions
This unlocks something surprisingly powerful: Claude can look at a Windows server, read error dialogs, and click through them. Not just SSH into the host — actually drive the graphical interface.
Web sessions
-
website_click_element— click by CSS selector (more reliable than coordinates) -
website_fill_input— fill inputs with React/Vue/Angular event dispatch -
website_execute_js— run JavaScript in the page -
website_get_elements— discover all interactive elements on a page
Web sessions are driven by Electron's WebContentsView — a full browser engine. Claude can navigate admin dashboards, fill forms, and execute JavaScript in sessions that are already logged in.
Credential vault
-
credential_list— list stored credentials (metadata only) -
credential_read— retrieve a secret (requires explicit user approval prompt)
AES-256, local-first. Secrets never leave your machine. When the agent wants a credential, you get an approval prompt — you see exactly what's being requested and why.
How it actually works under the hood
Claude Code ──(MCP protocol)──> Conduit MCP binary (Node.js)
│
(Unix socket)
│
Conduit desktop app
│
┌────────────────────┼─────────────────────┐
│ │ │
SSH session RDP session Web session
(node-pty) (FreeRDP C helper) (Electron WebContentsView)
The MCP binary is a separate Node.js process that connects to the desktop app over a Unix domain socket. Every tool call goes through the main process where it's rate-limited, audited, quota-checked, and approval-prompted.
The MCP binary holds no session state — it's a thin proxy. If it crashes or restarts, it reconnects automatically.
Safety model
"AI agent with SSH access to all your servers" is a large trust surface. Here's how Conduit handles it:
Approval prompts are color-coded by risk:
- 🔵 Read operations (list connections, read terminal buffer)
- 🟡 Execute operations (run commands, navigate web)
- 🟠 Write operations (fill forms, click UI elements)
- 🔴 Credential operations (read secrets from vault)
Every prompt has a 120-second auto-deny timeout — walk away from your machine and nothing sensitive happens.
Audit log records every tool call: timestamp, tool name, arguments (secrets masked), result status.
Rate limiting: 30 calls/minute per connection by default, token bucket algorithm.
Bring-your-own-subscription: Claude Code authenticates directly with Anthropic. Conduit never proxies API calls or sees your API keys.
A real example
Here's a real workflow:
"Check disk usage on all prod servers, find the one with least headroom, and tell me what's in its largest directories"
Claude:
-
connection_list→ gets my SSH connections -
terminal_executeon each → runsdf -h - Parses output, identifies the problem server
-
terminal_execute→ runsdu -sh /* 2>/dev/null | sort -rh | head -20 - Reports back with findings
What used to be 10 minutes of tabbing between terminals is a 30-second conversation.
Tech stack
For the curious:
- App: Electron 34 + React 18 + TypeScript
- SSH: ssh2 + node-pty + xterm.js
- RDP: FreeRDP 3.x (custom C helper binary with binary protocol to the main process)
- VNC: rfb2
- MCP: @modelcontextprotocol/sdk
- Vault: AES-256-GCM, local storage, optional Supabase cloud sync
- Auth: Supabase
The FreeRDP integration was the hardest part — building the C helper, the binary protocol, and getting screenshots flowing at acceptable latency took weeks. Happy to write a separate post on that if there's interest.
Try it
- GitHub (Apache 2.0): https://github.com/advenimus/conduit-desktop
- Download (macOS/Windows/Linux): https://conduitdesktop.com/download
- Free for personal use
Happy to answer questions in the comments — especially about the MCP tool design, the FreeRDP C helper, or the approval/safety system.
Top comments (2)
The approval prompt color-coding by risk level is a smart design choice. I run a production MCP server over a 130k-node Neo4j graph and the permission boundary question is the hardest part of the whole architecture. We ended up with scoped bearer tokens where different agents see different data slices, but your visual risk-level approach for interactive use is cleaner than anything I considered.
One question: how does the rate limiting interact with multi-step chains? When Claude is doing something like your disk usage example (list connections, df -h across each, then du on the worst one), does the 30 calls/minute bucket ever become a bottleneck for larger fleets? Seems like it could get tight with 20+ servers.
The Unix domain socket as the transport layer between the MCP binary and the desktop app is a nice touch too. Keeps the Anthropic API key completely out of the MCP server's process space.
This is a game changer for AI-assisted infra work! Going from "here's the command" to actually executing it with proper safety guardrails is the natural evolution of Claude Code.