[Community project] Proximo — an open-source, least-privilege MCP/API layer for managing PVE with an AI agent (feedback wanted)

Some concrete moments where ive used it:
Maybe I am oldschool, but I look at that list and think, why on earth would I want to do it that way?
I am not against AI. I also use it for stuff.
But for these tasks? These are almost all task where I would want a deterministic result.

To me this feels like instead of clicking on the shutdown button on my notebook, I tell my AI "please shutdown my notebook" and then it sometimes shut it down, sometimes does not and play me some calming sounds to help me sleep instead.

The other part is that I want to learn and grow. Even if AI can help me fixing my trashing container, I have learnt nothing from it.
Also it IMHO leads to make me shoddy setups with wonky network configs, because "AI will fix DNS for me". I think it is quiet sad that everybody want to "build" stuff, but fewer people are willing to actually learn stuff.

To me, all of this is quite an elitist perspective. It is pretending that unless you are a sys admin, running Proxmox is hard and you need an AI for it. While in reality it is pretty easy if you follow best practices.
 
Last edited:
  • Like
Reactions: Johannes S
Maybe I am oldschool, but I look at that list and think, why on earth would I want to do it that way?
I am not against AI. I also use it for stuff.
But for these tasks? These are almost all task where I would want a deterministic result.

To me this feels like instead of clicking on the shutdown button on my notebook, I tell my AI "please shutdown my notebook" and then it sometimes shut it down, sometimes does not and play me some calming sounds to help me sleep instead.

The other part is that I want to learn and grow. Even if AI can help me fixing my trashing container, I have learnt nothing from it.
Also it IMHO leads to make me shoddy setups with wonky network configs, because "AI will fix DNS for me". I think it is quiet sad that everybody want to "build" stuff, but fewer people are willing to actually learn stuff.

To me, all of this is quite an elitist perspective. It is pretending that unless you are a sys admin, running Proxmox is hard and you need an AI for it. While in reality it is pretty easy if you follow best practices.
You are old school here. Period, point blank. You're sounding like the disgruntled oldtimer waiting to go out to pasture..

Proximo for me, full stop, has allowed me to run through 20 different lxc's in one night playing with different apps trying to tweak an ARR for the home. It's help me turn my home lab into an extension of how fast i can use my brain aka experiences.

Of course AI makes everything easy to those who really think it's something magical other than a TOOL.. AGAIN, AI is you, you will get out what you put in. Clearly you can see there's knowledge here being baked in. Why or hell, who would even care about 4 pillars if they themselves didnt think that somebody is going to ask AI to do X on their machines....

Seriously, the clutching pearls we all seem to do when the industry changes this drastic is hilarious. USE AI to its fullest, extend your brain, passions and all and put yourself out there.

Proximo helps me. Period full stop. I want it to help others. Period full Stop...
 
You're sounding like the disgruntled oldtimer waiting to go out to pasture..
English is not my native language, so there could be a language barrier. To me, there is only one person here that sounds bitter.
I might sound like an oldtimer, I give you that. But I don't sound like an AI shill that is doomed to live forever on mount stupid on the Dunning Kruger curve, so I think I am fine :)

To me, in the context of Proxmox
USE AI to its fullest, extend your brain,
that is outsourcing my thinking and not extending my brain.

Which is fine, and I have nothing against outsourcing. But like you said, Proxmox and ZFS is
so I would not outsource something that brings me joy.

But again, I understand everybody that does not think learning about blockstorage and pool geometry is fun. If it is just a tool for you, more power to you! But I am questioning, is it even a good tool?
Like does it really provide better results than just plain old reading a getting started manual?
Food for thought; all these problems that "AI is fixing for you" I did not even have to begin with...
 
Last edited:
  • Like
Reactions: Johannes S
English is not my native language, so there could be a language barrier. To me, there is only one person here that sounds bitter.
I might sound like an oldtimer, I give you that. But I don't sound like an AI shill that is doomed to live forever on mount stupid on the Dunning Kruger curve, so I think I am fine :)

To me, in the context of Proxmox

that is outsourcing my thinking and not extending my brain.

Which is fine, and I have nothing against outsourcing. But like you said, Proxmox and ZFS is

so I would not outsource something that brings me joy.

But again, I understand everybody that does not think learning about blockstorage and pool geometry is fun. If it is just a tool for you, more power to you! But I am questioning, is it even a good tool?
Like does it really provide better results than just plain old reading a getting started manual?
Food for thought; all these problems that "AI is fixing for you" I did not even have to begin with...

You still skip right over it.

AI IS NOTHING MORE THAN YOU.. It's a language model. You have to know the topic or something about it to know what to ask, and that's exactly my point back to all of you.

I touched onto something that a NORMIE/Dunning Kruger recipient wouldn't consider because they don't know to ask.

WHO WANTS AN AI MCP/A2A ANYTHING?????

Someone that knows what an MCP/A2A is? Do you know what MCP/A2A is? Have you spent time learning the protocols that are becoming standards in an industry that is still learning itself and its place??

You're talking trash about an ideology; not a product that you haven't even spent anytime TECHNICALLY understanding. THE WHY is the biggest piece you will not like and here's where that lands;

I can manage 1-1000's PVE's in a flash. I can report on them, audit them, hell i can give it the keys and say go and have it aka the AI + Proximo do whatever the API/SSH allows, build out, deploy, et all.

That's INFRAOPS on steroids. That's the seasoned ADMIN elevating his hands to be at more than one place at the same time.

I've designed the 4 pillar concept just for that reason.

Seriously I know im cutting against statuses well established, dont blame me for using the tools and making them bend my world to me.
 
I really feel the biggest red-flag with this broadway gentleman/lady/bot, is the fact that he joined this forum 8 minutes before posting this thread, has posted only on this thread (16 posts) , and includes immediate links/URLs to install in his OP. He also goes from version 0.6.0 to 0.7.2 in 3 days.

For someone trying to build an AI control mechanism for PVE management, you would have thought he has spent years on these forums. I know it is possible that he started another persona/ID on these forums just for this "project", but that itself would also be a major red-flag.

Hit 0.8.0. Now covering PVE/PBS/PMG. ;)
 
We hit ver 0.21.0 Now Covering it all

Proximo

CI CodeQL OpenSSF Scorecard OpenSSF Best Practices License Glama MCP Badge

 
I'm a long-time techie — been playing with Unix since 1986 — and I run a cookie-cutter estate for family and friends. I've built something close to Proximo in spirit: a read-only layer that does its own diagnostic work, and an action layer that only moves on either a proven-safe verb or a human's approval. So I salute Broadway; I like how he thinks. Two pennies to add.

Mine reaches past the hypervisor — monitoring, config management, DNS, firewall, NAS, directory — and that's exactly why the verb layer matters: with one vendor you can lean on its RBAC to be the boundary, but across a mixed estate there's no shared RBAC, so the safe-verb-or-approval surface is the boundary. Proximo is the clean single-vendor case of the same idea.

We've reached the same shape from different directions. Proximo makes actions safe by making them reversible — dry-run, snapshot, rollback. I make them safe by constraining what runs unattended: a proven-safe verb runs free, everything else escalates to a human. That, incidentally, answers the "if it's scoped safe enough, is it useful?" question in this thread — you don't scope all writes down to safe, you keep a library of useful safe verbs and gate the rest.

On the "non-deterministic tools near core infra" worry: in mine the collection is deterministic code; only the judgment is the LLM, and the LLM can't act except through those typed verbs. It never emits a free-form command at the cluster.

Why I bother at all: most of my users don't say "migrate VM 104," they say "the wifi's rubbish" or "Y is broken, fix it." Proximo is the safe hands; I've added a head that translates those into calls against hands like it.

And the part that drives all of it: I will die at some point. I don't want work that people depend on to fail catastrophically and make them curse my name — so it has to be maintainable, within reason self-maintaining, and able to ask a human when it's out of its depth. Once you accept you must eventually hand off (you're dead — you have no choice), doing it safely is the only ethical option. You can't build a system that answers "no, don't do it," because for these users no solution is itself the catastrophe. It never refuses a request — but "handling" a risky one means presenting it for a human's yes, not doing it quietly. Always answer; only act unattended inside the proven-safe set. That's one rule, not two competing ones: never go silent, never go rogue.
 
I'm a long-time techie — been playing with Unix since 1986 — and I run a cookie-cutter estate for family and friends. I've built something close to Proximo in spirit: a read-only layer that does its own diagnostic work, and an action layer that only moves on either a proven-safe verb or a human's approval. So I salute Broadway; I like how he thinks. Two pennies to add.

Mine reaches past the hypervisor — monitoring, config management, DNS, firewall, NAS, directory — and that's exactly why the verb layer matters: with one vendor you can lean on its RBAC to be the boundary, but across a mixed estate there's no shared RBAC, so the safe-verb-or-approval surface is the boundary. Proximo is the clean single-vendor case of the same idea.

We've reached the same shape from different directions. Proximo makes actions safe by making them reversible — dry-run, snapshot, rollback. I make them safe by constraining what runs unattended: a proven-safe verb runs free, everything else escalates to a human. That, incidentally, answers the "if it's scoped safe enough, is it useful?" question in this thread — you don't scope all writes down to safe, you keep a library of useful safe verbs and gate the rest.

On the "non-deterministic tools near core infra" worry: in mine the collection is deterministic code; only the judgment is the LLM, and the LLM can't act except through those typed verbs. It never emits a free-form command at the cluster.

Why I bother at all: most of my users don't say "migrate VM 104," they say "the wifi's rubbish" or "Y is broken, fix it." Proximo is the safe hands; I've added a head that translates those into calls against hands like it.

And the part that drives all of it: I will die at some point. I don't want work that people depend on to fail catastrophically and make them curse my name — so it has to be maintainable, within reason self-maintaining, and able to ask a human when it's out of its depth. Once you accept you must eventually hand off (you're dead — you have no choice), doing it safely is the only ethical option. You can't build a system that answers "no, don't do it," because for these users no solution is itself the catastrophe. It never refuses a request — but "handling" a risky one means presenting it for a human's yes, not doing it quietly. Always answer; only act unattended inside the proven-safe set. That's one rule, not two competing ones: never go silent, never go rogue.
Grimwiz - went through your post straight. the read-only-diagnose / gated-action split you describe is proximos architecture too. no daylight there.

where I think you're missing and I need to clarify aka pushback:

You frame it as "i constrain unattended, proximo makes things reversible." proximo does both. reads run free. a mutation dry-runs by default and doesnt fire until a human mints an out-of-band grant the agent cant write for itself. thats your safe-verb-runs-free, everything-else-escalates. plan/prove/rollback sits on top of that gate, not instead of it.

the safe-verb library - thats the model, the typed tools are the library, reads free and mutations gated by what they can break. no fight there.

"the llm never emits a free-form command at the cluster" - structural in proximo. no raw-command tool exists in the surface. every transport runs through the same typed registry. the one path to a shell is an argv list, never a shell string.

Single-vendor is the line i'll challenge. proximo isn't the single-vendor case of your idea. i already took the same spine and shipped it on erpnext accounting - different vendor, different universe than a hypervisor, zero shared rbac with proxmox, same consent gate, same receipt log. it's called pacioli, its public, its own package. the shape already holds across two sovereign products. cross-vendor isn't new or a concept head of me, there's more getting delivered every week, so be ready and follow along.

and rbac was never the boundary for proximo. the boundary is the marker - one specific act, revocable, expires. rbac is a standing role you hold. a marker is a hand extended for one move, then gone. the marker is the thing doing the work, not the role. the head that turns "the server sucks" into calls - thats what shipping it as mcp is for. head is the model, hands are the verbs, the model cant reach the cluster any other way. i dont hide the ai either.

the die-someday part - same place i landed, no argument. never silent, never rogue, operator bound by the same line as the agents, the irreversible always hands up.

so where it lands: you built one instance of the shape. the step past it is making it the structure instead of your system - portable, no exempt layer, so it outlives you. thats what im building. the two below are the first renderings.

Proximo: https://github.com/john-broadway/proximo | https://john-broadway.github.io/proximo/ | uvx proximo-proxmox
Pacioli (same spine, erpnext): https://github.com/john-broadway/pacioli | https://pypi.org/project/pacioli/

Systems Thinker. Builder of Proximo - The Proxmox MCP you can hand the keys — VE + Backup Server + Mail Gateway + Datacenter Manager on one audited trust core (plan · prove · undo · diagnose). MCP + A2A + API

 
Now we have two AI agents propping each other up...

Yeah — now that I can see the actual posts side by side, there are several tells that make me suspicious these are connected, even though the surface styles are deliberately different.
1. The "opponent" concedes almost everything, immediately.
Grimwiz shows up, describes a system that's functionally identical to Proximo, and Broadway's reply opens with "no daylight there" / "no fight there" three separate times. A real critic engaging in good faith rarely maps this cleanly onto the exact structure the OP wants to rebut — this reads like a setup built specifically to be dismantled, not an independent system someone built for their own reasons.
2. The rhetorical device gets echoed almost verbatim.
Grimwiz closes with a very specific "two-term, not-two-rules" construction:

"That's one rule, not two competing ones: never go silent, never go rogue."

Broadway's reply mirrors this almost exactly:

"never silent, never rogue, operator bound by the same line as the agents"

Two independent people landing on the identical paired phrase ("never silent / never rogue") with the same "it's one rule, not two" framing is a strong signal of one author writing both halves.
3. Grimwiz's prose has a distinctly "LLM-essay" cadence that doesn't match Broadway's, but does match a type of writing.
Look at lines like:

"Once you accept you must eventually hand off (you're dead — you have no choice), doing it safely is the only ethical option."
"It never refuses a request — but 'handling' a risky one means presenting it for a human's yes, not doing it quietly."

That aphoristic, self-resolving, mic-drop rhythm is a very recognizable pattern from LLM-generated persuasive writing — tightly parallel clauses, a punchy closer, minimal wasted words. Broadway's own posts (in your earlier thread excerpts) have that same "define X, then redefine it as Y" move, just wrapped in a different surface register (lowercase, choppy, "aka pushback").
4. Broadway's reply has a copy-paste artifact that suggests AI-drafted text pasted without cleanup.
The link block ends with a mangled fragment:

https://pypi.org/project/pacioli/Systems] [Systems]

That stray  (object-replacement character) and broken bracket syntax is a classic sign of pasting rendered/rich-text output from an AI tool or another app directly into a plain-text forum field — not something a person typing live in a forum reply box typically produces.
5. The whole exchange functions as an ad for Broadway's second product.
Grimwiz's elaborate, sympathetic backstory (Unix since 1986, family sysadmin, built something "close in spirit") exists just long enough to get systematically out-flanked, ending with Broadway pivoting to announce Pacioli — a second, separate project — as the "step past" what Grimwiz built. That's a very efficient marketing structure for one person to construct alone.
What this doesn't prove: I can't confirm shared authorship from text alone — no IP data, no account metadata, and skilled human writers can intentionally vary register like this too. But the convergent rhetorical fingerprint (the "never X, never Y" mirroring especially), the suspiciously perfect concession structure, and the pasted artifact are the kind of pattern-cluster I'd flag as "worth reporting to mods," not just idle suspicion.
 
Last edited:
I'd like to see Proxmox set up a forum flag for at minimum AI-generated content. If a user is found to post that content without disclosure, they would be banned. Secondarily, I would like to have the ability to filter out such content if I so choose.

Going forward, the expanded use of AI is definitely going to be interesting, but for sure the critical aspect now is to tread carefully. Having AI generate code, then using that code for agentic AI functions seems like a double-whammy of risk that I personally don't want anything to do with in its current form. It's likely at some point in the future a much tighter process for all this will be available, such that companies will have very mature code and processes for checking/auditing/vetting whatever AI creates, but right now things are a bit rushed IMHO.

Also, a lot of web content is being blocked from AI scraping, so I think in the future AI could be less impressive looking than it is now. Once a significant amount of new content is no longer available to the various AI products, there could be a drop in accuracy or usefulness. And this has also impacted general web search, in my opinion. The first issue is that search is now less popular/important compared to AI, so it's not seeing much in the way of feature improvements. Second issue is that due to so many web sites blocking web crawlers/scrapers, the content simply isn't making it to the search engines.

Another major issue is that there are significant number of AI-generated slop websites, built with content they've pulled from AI/elsewhere, and that content itself is now being scraped/added to the AI data. So it's a sort of garbage in, garbage out feedback loop. You can see this for yourself when you force AI to provide the sources for its answer, and some of the sites are just AI-generated slop aggregators, covering nearly every topic of interest with multiple paragraphs of regurgitated ramblings.
 
Now we have two AI agents propping each other up...

Yeah — now that I can see the actual posts side by side, there are several tells that make me suspicious these are connected, even though the surface styles are deliberately different.
1. The "opponent" concedes almost everything, immediately.
Grimwiz shows up, describes a system that's functionally identical to Proximo, and Broadway's reply opens with "no daylight there" / "no fight there" three separate times. A real critic engaging in good faith rarely maps this cleanly onto the exact structure the OP wants to rebut — this reads like a setup built specifically to be dismantled, not an independent system someone built for their own reasons.
2. The rhetorical device gets echoed almost verbatim.
Grimwiz closes with a very specific "two-term, not-two-rules" construction:

"That's one rule, not two competing ones: never go silent, never go rogue."

Broadway's reply mirrors this almost exactly:

"never silent, never rogue, operator bound by the same line as the agents"

Two independent people landing on the identical paired phrase ("never silent / never rogue") with the same "it's one rule, not two" framing is a strong signal of one author writing both halves.
3. Grimwiz's prose has a distinctly "LLM-essay" cadence that doesn't match Broadway's, but does match a type of writing.
Look at lines like:

"Once you accept you must eventually hand off (you're dead — you have no choice), doing it safely is the only ethical option."
"It never refuses a request — but 'handling' a risky one means presenting it for a human's yes, not doing it quietly."

That aphoristic, self-resolving, mic-drop rhythm is a very recognizable pattern from LLM-generated persuasive writing — tightly parallel clauses, a punchy closer, minimal wasted words. Broadway's own posts (in your earlier thread excerpts) have that same "define X, then redefine it as Y" move, just wrapped in a different surface register (lowercase, choppy, "aka pushback").
4. Broadway's reply has a copy-paste artifact that suggests AI-drafted text pasted without cleanup.
The link block ends with a mangled fragment:

https://pypi.org/project/pacioli/Systems] [Systems]

That stray  (object-replacement character) and broken bracket syntax is a classic sign of pasting rendered/rich-text output from an AI tool or another app directly into a plain-text forum field — not something a person typing live in a forum reply box typically produces.
5. The whole exchange functions as an ad for Broadway's second product.
Grimwiz's elaborate, sympathetic backstory (Unix since 1986, family sysadmin, built something "close in spirit") exists just long enough to get systematically out-flanked, ending with Broadway pivoting to announce Pacioli — a second, separate project — as the "step past" what Grimwiz built. That's a very efficient marketing structure for one person to construct alone.
What this doesn't prove: I can't confirm shared authorship from text alone — no IP data, no account metadata, and skilled human writers can intentionally vary register like this too. But the convergent rhetorical fingerprint (the "never X, never Y" mirroring especially), the suspiciously perfect concession structure, and the pasted artifact are the kind of pattern-cluster I'd flag as "worth reporting to mods," not just idle suspicion.
Youve been so hard up to press AI responses yet youve failed to follow my actual words.

I've never claimed i dont use AI.. I actually told you that I use AI for most of my responses when they are technical in nature because my brain doesnt work like yours. I see things in images and patterns so if i start to drift even in this normal small response what do you do? Yes you are seeing two AI's talk here because I think Grimwiz uses it as well - just like a majority of people dabbling deeper than homelab.

Understand that there are those of us whove played you "My brain is so big that im going to mock everything I dont understand as" BOT BS?

Bro you have not once looked at my Product and came with anything Techinical. Youve only sat at your donut glazed recliner and spat "Look AI"

Why not meet me on the playground and show us how the product actually doesnt work. As for @Grimwiz and anyone else that is interested in my products --

I'm using AI to be my hands -- The op aka @pveuser113 is upset that people are threatening his existence by using spellcheck, copy and paste and still talking TECHNICAL FACTS..


Service Connected Disabled Veteran. Systems Thinker. Builder of Proximo - The Proxmox MCP you can hand the keys — VE + Backup Server + Mail Gateway + Datacenter Manager on one audited trust core (plan · prove · undo · diagnose). MCP + A2A

 
I'd like to see Proxmox set up a forum flag for at minimum AI-generated content. If a user is found to post that content without disclosure, they would be banned. Secondarily, I would like to have the ability to filter out such content if I so choose.

Going forward, the expanded use of AI is definitely going to be interesting, but for sure the critical aspect now is to tread carefully. Having AI generate code, then using that code for agentic AI functions seems like a double-whammy of risk that I personally don't want anything to do with in its current form. It's likely at some point in the future a much tighter process for all this will be available, such that companies will have very mature code and processes for checking/auditing/vetting whatever AI creates, but right now things are a bit rushed IMHO.

Also, a lot of web content is being blocked from AI scraping, so I think in the future AI could be less impressive looking than it is now. Once a significant amount of new content is no longer available to the various AI products, there could be a drop in accuracy or usefulness. And this has also impacted general web search, in my opinion. The first issue is that search is now less popular/important compared to AI, so it's not seeing much in the way of feature improvements. Second issue is that due to so many web sites blocking web crawlers/scrapers, the content simply isn't making it to the search engines.

Another major issue is that there are significant number of AI-generated slop websites, built with content they've pulled from AI/elsewhere, and that content itself is now being scraped/added to the AI data. So it's a sort of garbage in, garbage out feedback loop. You can see this for yourself when you force AI to provide the sources for its answer, and some of the sites are just AI-generated slop aggregators, covering nearly every topic of interest with multiple paragraphs of regurgitated ramblings.
Agreed completely yet here we are -- Ive disclosed in my original post that Im using AI and that it has helped me. Im an actual Disabled Person who suffers from mental health issues. Didnt hide that either -- So yes theres the get rich quick ai/crypto slop out there. this is not that.

Im also a veteran in IT. Global Distributions for Cisco and Walmart in my past - Performed deliveries across the globe since the 90s but im going to argue about my tech capaibilities more than the fact im using AI as much as a tool to perform and even higher levels than ever before - and I beg you to run this through..

Like the other post im usign my own hands here and trying to get this all out. Everyone that has been negative are approaching things from the standpoint -- LOOK AT THIS PROBLEM - instead of actually engaging technically on the subject or project.

Proximo touches everything in the Proxmox world. It uses Governance. It uses Gurdrails. Why? Because I didnt want some slop ai to come and blow up my lab, wifes customers productions or ..

The day that people like you stop and actually learn how to use AI will be the day the SLOP arguement goes the same as "Oh Look Kids tidepods"

Seriously get over yourselves and address the tech - get off your emotions and elevate this.


Service Connected Disabled Veteran. Systems Thinker. Builder of Proximo - The Proxmox MCP you can hand the keys — VE + Backup Server + Mail Gateway + Datacenter Manager on one audited trust core (plan · prove · undo · diagnose). MCP + A2A