What these two projects are
You have two personal systems running in the cloud:
- The MCP Broker — a secure switchboard that lets AI assistants (Claude, Grok) safely use your online accounts (GitHub, Notion, Cloudflare, Tailscale, GitLab, job listings) without ever seeing your passwords.
- Bob's Lifebot — a private health dashboard with an AI coach that gathers your workout and Apple Health data into one place and gives you advice.
This page explains both in everyday language — no jargon left unexplained. If a word sounds technical (OAuth, Tailscale, Cloudflare), there's a plain analogy for it below.
Part 1 — The MCP Broker
The problem it solves
AI assistants are useful when they can do things for you — read your GitHub, update your Notion, check your servers. But to do that, they normally need your passwords or access keys. Handing your passwords to every app and every AI is dangerous: if one leaks, an attacker has everything.
The broker fixes this by being a trusted middleman. It holds all the keys in one guarded place. The AI asks the broker "please update this Notion page," and the broker does it on the AI's behalf. The AI never sees the actual key.
flowchart LR
You([You]) --> AI[Claude / Grok]
AI -->|"please do X"| Broker[The Broker<br/>holds all the keys]
Broker -->|uses the real key| GitHub[GitHub]
Broker --> Notion[Notion]
Broker --> More[...your other accounts]
AI -. never sees keys .-x NotionOAuth — the "valet key" idea
OAuth is the technology that lets you grant limited access to an account without sharing your password. Think of a valet key for a car: it starts the engine and opens the doors, but not the glovebox or the boot, and you can cancel it any time. When you "connect" GitHub to the broker, GitHub gives the broker a valet key (a token) — not your password. You choose how much that key can do (read only, or read-and-write), and you can revoke it whenever you like.
flowchart LR
subgraph Once["One-time setup (you click 'Allow')"]
Broker1[Broker] -->|"asks GitHub politely"| GH[GitHub login]
GH -->|"here's a limited valet key"| Broker1
end
subgraph Later["Every day after"]
AIc[Claude] --> Broker2[Broker]
Broker2 -->|"uses the valet key"| GH2[GitHub]
endHow it's reachable from the internet — with no open doors
Normally, to reach a server from the internet, you have to open a "door" (a network port) on it — and every open door is something attackers probe. This server has zero open doors to the public internet.
Instead it uses a Cloudflare Tunnel. Picture the server phoning out to a trusted receptionist (Cloudflare) and saying "send my visitors through you." All public traffic goes to Cloudflare first, which forwards it down the tunnel the server opened. Because the connection was made outward, there's nothing on the server for an outsider to knock on.
flowchart LR
Visitor([Anyone on the internet]) -->|https| CF[Cloudflare]
Server[Your server] ==>|"dials OUT, opens a tunnel"| CF
CF -->|forwards visitors down the tunnel| Server
Visitor -. no way to reach directly .-x ServerHow you manage it — privately, over Tailscale
You still need to log in to the server to maintain it. For that it uses Tailscale, which builds a private, encrypted network between your own devices — your Mac, your phone, the server — as if they were all plugged into the same private router, no matter where they physically are. Outsiders can't see or join it. So the "admin door" (SSH) exists only inside this private members-only network, never on the public internet.
flowchart LR
subgraph Tailnet["Your private Tailscale network (invisible to outsiders)"]
Mac[Your Mac] --- Srv[The server]
Phone[Your phone] --- Srv
end
Stranger([A stranger]) -. cannot see or join .-x TailnetWhere the keys and passwords actually live
Every real secret — the valet keys, client passwords, tokens — is kept in Google Secret Manager, which is a digital safe. Nothing sensitive is written into the code or the project files. The server is allowed to open the safe to fetch what it needs, but the secrets never sit around in plain sight, and they're never committed to GitHub.
There's an even stronger trick called keyless identity: for some things (like managing the Google Cloud project itself) the server doesn't use a password at all — it proves who it is simply by being that server, the way your face is your ID. There's no key to steal because there is no key.
The security posture, in one picture
flowchart TB
subgraph VM["One small cloud server — no public doors (firewall blocks all)"]
B[Broker: holds valet keys, runs in a container]
D[Status dashboard]
Bot[Telegram bot]
end
Public([Public internet]) -->|only via| CF[Cloudflare Tunnel]
CF --> B
Admin([You, admin]) -->|only via| TS[Tailscale private net]
TS --> VM
Vault[(Secret Manager<br/>the safe)] -->|server fetches secrets| VM
Public -. blocked at the door .-x VMKey safety ideas, plainly:
- No open doors — a firewall blocks all direct inbound internet traffic. The only ways in are the outbound Cloudflare tunnel (for the public bits) and your private Tailscale network (for admin).
- Least privilege — every key is given the minimum it needs. The AI that can read your GitHub can't delete it; the dashboard that reads your costs can't change anything.
- Secrets in the safe — passwords live in Secret Manager, never in the code.
- Separate keys per user — Claude and Grok each get their own key with their own allow-list, so one can't use the other's access. Grok, for example, is limited to a few connectors and gets read-only GitHub.
- Survives a rebuild — the server backs up its valet keys to secure storage every hour, so if it's ever wiped and rebuilt, everything comes back on its own.
Two AI "clients," different keys
Both Claude (the apps) and Grok (a coding tool on your Mac) connect to the same broker, but each has a separate key and a different allow-list of what it may touch. This is deliberate: if one tool's key ever leaked, it couldn't reach the other's accounts. Grok is kept especially narrow — a short list of connectors and read-only GitHub.
Part 2 — Bob's Lifebot
What it does
Lifebot is a personal health and fitness hub. It automatically collects:
- your workouts (from the Hevy app),
- your Apple Health data (steps, heart rate, etc., via an iPhone export app),
- study and nutrition notes,
pools them into one tidy store, and layers an AI coach on top (powered by a small, cheap Claude model) that writes you a daily digest and answers questions about your own data. You read and chat with it through a private website only you can log into.
flowchart LR
Hevy[Hevy workouts] --> API[Lifebot]
Apple[Apple Health] --> API
Notes[Study / nutrition] --> API
API --> Store[(Your data,<br/>stored tidily)]
Store --> Coach[AI coach<br/>daily advice + chat]
Coach --> Web[Your private website]
You([You]) --> WebTwo doors, two kinds of key
Lifebot has two separate entrances, each with its own kind of lock:
- A machine key (a secret header) for the automated feeds that push data in — your phone's health export, the Hevy sync. This is for devices, not people.
- A personal login (email + password via a proper login system called Cognito) for you to open the website. This uses the same "valet key" OAuth idea, with a modern secure variant (PKCE) so your login can't be intercepted.
Keeping these separate means the automated feeds can only drop data off — they can't read your dashboard — and the website login can't be used by a script.
Where it runs — and why it's cheap
Lifebot is serverless: there's no server sitting switched on 24/7. Instead, small pieces of code (functions) wake up only when something happens — new data arrives, or you open the site — run for a second, and go back to sleep. You pay only for those seconds. The whole thing costs roughly a pound or two a month. The AI coaching uses Amazon Bedrock with a small Claude model, chosen to keep costs tiny.
Its security, plainly
- You're the only user — the website has no public sign-up; only your account exists, created by hand.
- Least privilege again — each function can touch only the one thing it needs.
- Secrets in a safe — like the broker, no passwords in the code (Lifebot uses AWS's equivalent of the safe).
- Private by design — it deliberately holds only your own personal data.
Part 3 — The shared ideas, defined once
These words show up across both projects. Here's each in one plain sentence:
- OAuth — a way to give an app limited, revocable access to your account using a "valet key," so you never hand over your actual password.
- Token — the valet key itself: a long random string the app uses instead of your password. It can be limited and cancelled.
- Tailscale — a private, encrypted network that links your own devices together as if on one private router; outsiders can't see or join it. Used for admin access with no public door.
- Cloudflare Tunnel — the server dials out to Cloudflare, which then forwards public visitors back through that tunnel — so the server needs no open inbound doors.
- Cloudflare Access — a bouncer in front of a web page that checks your identity (your email) before letting anyone see it. It guards the status dashboard.
- Secret Manager / the safe — a guarded, versioned store for passwords and keys, so nothing sensitive lives in the code.
- Least privilege — give every key the smallest set of powers it needs and nothing more, so a leak causes the least possible damage.
- Keyless identity — the server proves who it is by being itself (like a face ID) instead of holding a password an attacker could steal.
- Firewall (deny-all) — the rule that blocks all direct inbound internet traffic to the server; the only ways in are the tunnel and Tailscale.
- Connector — a plug-adapter that teaches the broker how to talk to one service (GitHub, Notion, etc.). Add a connector, and every AI you use gains that ability.
- Least-privilege, per-user keys — each AI tool (Claude, Grok) gets its own key and its own allow-list, isolated from the others.
The big picture
flowchart TB
You([You])
You -->|chat| Claude[Claude apps]
You -->|code on Mac| Grok[Grok]
You -->|open dashboard| Dash[Status page]
You -->|health app| Life[Lifebot site]
Claude --> Broker[MCP Broker]
Grok --> Broker
Broker --> Accounts[Your accounts:<br/>GitHub · Notion · Cloudflare ·<br/>Tailscale · GitLab · jobs]
Dash --> CFA[Cloudflare Access<br/>checks it's you]
CFA --> Broker
Life --> Health[Health data + AI coach]
Vault[(Secrets in a safe)] --- Broker
Vault2[(Secrets in a safe)] --- HealthWhere to go deeper
- Firney-MCP-Broker · Model-Context-Protocol · Tailscale · Cloudflare-Tunnel · GCP-Secret-Manager
- gcp-mcp-standalone/README (the broker project) · gcp-mcp-standalone/grok-build-client (Grok integration) · gcp-mcp-standalone/security-review
- Bobs-lifebot/README · Bobs-lifebot/HLD
Sources
wiki/layman.md · git is the source of truth