tryaudex 0.1.5

CLI for issuing short-lived, scoped cloud credentials to AI coding agents

# tryaudex

Stop giving your AI agent full cloud access.

**Audex** wraps any command with temporary cloud credentials scoped to only the permissions needed. When the command exits, credentials are automatically revoked.

```bash
# AWS — S3 read-only for 5 minutes
tryaudex run --ttl 5m --allow "s3:GetObject,s3:ListBucket" -- aws s3 ls

# GCP — Storage read-only
tryaudex run --provider gcp --allow "storage.objects.list" -- gcloud storage ls

# Azure — Storage account list
tryaudex run --provider azure --allow "Microsoft.Storage/storageAccounts/read" -- az storage account list
```

One command. Scoped access. Auto-revoked. Full audit trail.

## Install

```bash
cargo install tryaudex
```

## Quick start

```bash
# 1. Set your IAM role (placeholder ARN; substitute your own 12-digit account ID)
export AUDEX_ROLE_ARN="arn:aws:iam::123456789012:role/AgentRole"

# 2. Run with scoped credentials
tryaudex run --allow "s3:GetObject" -- aws s3 cp s3://bucket/file .

# 3. Use built-in profiles
tryaudex run --profile lambda-deploy -- ./deploy.sh

# 4. View audit trail
tryaudex audit recent
```

## Features

- **Multi-cloud** — AWS, GCP, and Azure with unified policy syntax
- **Policy engine** — Action parsing, wildcard matching, deny lists, 20+ built-in profiles
- **Smart TTL** — Estimates session duration from the command (`aws s3 ls` → 2m, `terraform apply` → 30m)
- **Auto-suggest** — On AccessDenied, suggests the missing permission
- **MCP server** — Native Claude Code / Cursor / Windsurf integration via `tryaudex mcp`
- **TUI dashboard** — Interactive terminal UI with session overview, audit trail
- **Audit logging** — Append-only JSONL with HMAC integrity chain
- **Credential security** — Encrypted at rest, leak detection, automatic rotation
- **Team features** — SSO, approval workflows, role mapping, rate limiting
- **Observability** — OpenTelemetry traces, Prometheus metrics, Grafana dashboards

## CLI reference

```
tryaudex run [OPTIONS] -- <COMMAND>...
  --provider <PROVIDER>     aws, gcp, or azure [default: aws]
  --allow <ACTIONS>         Comma-separated IAM actions
  --profile <NAME>          Named policy profile (e.g. s3-readonly)
  --ttl <DURATION>          Session time-to-live [default: 15m]
  --budget <USD>            Advisory budget limit
  --account <NAME>          Multi-account alias
  --role-arn <ARN>          AWS role [env: AUDEX_ROLE_ARN]
  --service-account <EMAIL> GCP SA [env: AUDEX_GCP_SERVICE_ACCOUNT]

tryaudex sessions list         List all sessions
tryaudex sessions kill <ID>    Revoke a session
tryaudex audit recent          Recent audit entries
tryaudex audit verify          Check audit log integrity
tryaudex mcp                   Start MCP server
tryaudex health                Check provider connectivity
tryaudex                       Launch TUI dashboard
```
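The sketch below shows how an HMAC integrity chain over an append-only JSONL log, the kind of log `tryaudex audit verify` is described as checking, exposes edited or deleted entries. It is an added illustration, not tryaudex's own code: the field names (`event`, `prev`, `mac`), the genesis value, the key, and the sample events are assumptions, since this page does not document the on-disk format.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed "prev" value for the first entry


def _mac(key, prev, event):
    # The MAC covers the previous entry's MAC plus a canonical encoding of the
    # event, so every entry commits to the entire history before it.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append(lines, key, event):
    """Append one JSONL entry chained to the current last entry."""
    prev = json.loads(lines[-1])["mac"] if lines else GENESIS
    lines.append(json.dumps({"event": event, "prev": prev, "mac": _mac(key, prev, event)}))


def verify(lines, key):
    """Return the index of the first entry that breaks the chain, or None if intact."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
            event, mac, claimed_prev = entry["event"], entry["mac"], entry["prev"]
        except (ValueError, KeyError, TypeError):
            return i  # unparsable or incomplete entry
        expected = _mac(key, prev, event)
        if (claimed_prev != prev or not isinstance(mac, str)
                or not hmac.compare_digest(mac.encode(), expected.encode())):
            return i
        prev = mac
    return None


def build_sample(key):
    # Constructed sample events, not real tryaudex output.
    log = []
    append(log, key, {"session": "s-1", "action": "s3:GetObject", "result": "allowed"})
    append(log, key, {"session": "s-1", "action": "s3:DeleteObject", "result": "denied"})
    append(log, key, {"session": "s-1", "action": "session.revoke", "result": "ok"})
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"
    log = build_sample(key)
    print("intact:", verify(log, key))
    print("entry 1 removed:", verify(log[:1] + log[2:], key))
```

A chain like this catches edits and mid-log deletions but not removal of the newest entries. Detecting that needs the latest MAC or an entry count kept somewhere the log writer cannot modify.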

## Documentation

Full docs at [tryaudex.adityaps.work/docs](https://tryaudex.adityaps.work/docs). Source at [github.com/Aditya-PS-05/tryaudex](https://github.com/Aditya-PS-05/tryaudex).

## License

MIT