Connect any device to your AskAlf team.
WebSocket bridge that registers your machine as a worker in the AskAlf platform. Alf dispatches tasks to your device — executed via Claude CLI, Codex, or native shell. Works on Linux, macOS, Windows, Raspberry Pi, cloud VMs, CI runners.
Part of AskAlf — the self-hosted AI workforce platform. 109 templates, 16 categories, community skills library.
npm install -g @askalf/agentDon't have AskAlf yet?
curl -fsSL https://get.askalf.org | bash# Connect this device to your team
askalf-agent connect <your-api-key>
# Connect to a self-hosted instance
askalf-agent connect <api-key> --url wss://your-server.com
# Run as a background daemon
askalf-agent daemon
# Check status + device capabilities
askalf-agent status
# View execution audit log
askalf-agent audit
# View security policy
askalf-agent policy
# Stop the agent
askalf-agent disconnectWhen connected, your device:
- Registers with AskAlf via encrypted WebSocket (WSS)
- Reports capabilities — 26 tools auto-detected (git, docker, node, python, kubectl, terraform, etc.)
- Receives tasks dispatched by Alf or the unified dispatcher
- Validates input — security policy checks every task before execution
- Requests approval — optional interactive approval gate for each task
- Executes via the best available executor (Claude CLI, Codex, or native shell)
- Sanitizes output — strips API keys, tokens, and credentials before sending results
- Reports results with token counts, cost, duration — all logged to encrypted audit trail
The agent picks the best executor available on your device:
| Priority | Executor | When |
|---|---|---|
| 1 | Claude CLI | AI-powered, full intent understanding, tool use |
| 2 | Codex CLI | AI-powered fallback |
| 3 | Shell | bash/PowerShell/cmd — direct execution with policy guardrails |
Devices without AI CLIs still work — shell mode executes commands directly with the security policy enforcing safety.
- Windows: prefers PowerShell (pwsh), falls back to cmd
- Linux/macOS: prefers bash, falls back to /bin/sh
| Layer | Protection |
|---|---|
| Config at rest | AES-256-GCM, machine-derived key (scrypt) |
| Audit log | Task inputs + errors encrypted per-field |
| In transit | WSS (TLS 1.2+), reject self-signed certs |
| Certificate pinning | Optional SHA-256 fingerprint verification |
| File permissions | 0o600 on all sensitive files |
Config files are encrypted with a key derived from your machine's identity — they can't be decrypted on another machine.
Configurable via ~/.askalf/policy.json:
{
"requireApproval": false,
"trustedAgents": ["Watchdog", "Monitor"],
"blockedPatterns": ["rm -rf /", "DROP TABLE", "..."],
"allowedPaths": ["/home/user/projects"],
"maxTimeoutMs": 600000,
"sanitizeOutput": true,
"auditLog": true
}- Approval gate — require interactive Y/N before each execution (60s timeout)
- Trusted agents — auto-approve known workers
- 32 blocked patterns — rm -rf, fork bombs, DROP TABLE, credential theft, remote code execution
- Path boundaries — restrict filesystem access
- Output sanitization — automatically strips API keys, tokens, JWTs, private keys, passwords, connection strings
Every execution is logged to ~/.askalf/audit.log (encrypted):
askalf-agent audit --limit 20Shows: timestamp, agent name, executor, result (success/failed/denied/blocked), cost, duration.
askalf-agent connect <api-key> [options]
--url <url> Server WebSocket URL (default: wss://askalf.org)
--name <name> Device display name (default: hostname)
--concurrent <n> Max concurrent tasks (default: 2)
--timeout <minutes> Execution timeout (default: 10)
askalf-agent daemon Run as background service
askalf-agent status Device info + capabilities
askalf-agent audit [--limit N] View execution audit log
askalf-agent policy View security policy
askalf-agent disconnect Stop the agent
askalf-agent --version Show version
The agent auto-detects 26 tools on your device:
Core: bash, powershell, git, docker, node, python AI: claude, codex Network: curl, wget, ssh, rsync Build: make, go, rust (cargo), java, dotnet Cloud: kubectl, terraform, aws, gcloud, az Media: ffmpeg Data: jq
Capabilities are reported to AskAlf so Alf knows what your device can handle.
The agent handles multiple tasks concurrently:
- Default 2 concurrent executions (configurable with
--concurrent) - Overflow tasks queue automatically
- Queue position reported to server
- Tasks drain from queue as slots free up
Your Device AskAlf Platform
┌───────────────────┐ WSS ┌──────────────────────┐
│ askalf-agent │◄────────►│ Forge Orchestrator │
│ │ (TLS) │ Unified Dispatcher │
│ Security Policy │ │ Event Bus (Redis) │
│ Audit Log │ │ Memory + Knowledge │
│ Crypto Layer │ │ 26 MCP Tools │
│ │ │ │
│ Claude/Codex/ │ │ ┌─────────────────┐ │
│ Shell Executor │ │ │ Dashboard │ │
└───────────────────┘ │ │ Ask Alf · Team │ │
│ └─────────────────┘ │
└──────────────────────┘
import { AgentBridge } from '@askalf/agent';
const bridge = new AgentBridge({
apiKey: 'your-api-key',
url: 'wss://your-server.com',
deviceName: 'prod-01',
hostname: 'prod-01.example.com',
os: 'Linux 6.1 (linux)',
capabilities: { shell: true, docker: true, git: true, node: true },
maxConcurrent: 4,
executionTimeoutMs: 300_000,
tlsPinSha256: 'abc123...', // optional cert pinning
});
await bridge.connect();- Node.js 22+ (18+ may work)
- An AskAlf instance running
- Optional: Claude CLI for AI-powered execution
Runs anywhere Node.js runs — Linux, macOS, Windows, Raspberry Pi, cloud VMs, CI runners, Docker containers.
- AskAlf Platform — the full platform
- Discord — community support
- askalf.org — landing page
MIT — askalf.org