Concept

The Whole Thing, in Plain English

type conceptstatus activeoverview · layman · security · oauth

What these two projects are

You have two personal systems running in the cloud:

  1. The MCP Broker — a secure switchboard that lets AI assistants (Claude, Grok) safely use your online accounts (GitHub, Notion, Cloudflare, Tailscale, GitLab, job listings) without ever seeing your passwords.
  2. Bob's Lifebot — a private health dashboard with an AI coach that gathers your workout and Apple Health data into one place and gives you advice.

This page explains both in everyday language — no jargon left unexplained. If a word sounds technical (OAuth, Tailscale, Cloudflare), there's a plain analogy for it below.


Part 1 — The MCP Broker

The problem it solves

AI assistants are useful when they can do things for you — read your GitHub, update your Notion, check your servers. But to do that, they normally need your passwords or access keys. Handing your passwords to every app and every AI is dangerous: if one leaks, an attacker has everything.

The broker fixes this by being a trusted middleman. It holds all the keys in one guarded place. The AI asks the broker "please update this Notion page," and the broker does it on the AI's behalf. The AI never sees the actual key.

flowchart LR
    You([You]) --> AI[Claude / Grok]
    AI -->|"please do X"| Broker[The Broker<br/>holds all the keys]
    Broker -->|uses the real key| GitHub[GitHub]
    Broker --> Notion[Notion]
    Broker --> More[...your other accounts]
    AI -. never sees keys .-x Notion

OAuth — the "valet key" idea

OAuth is the technology that lets you grant limited access to an account without sharing your password. Think of a valet key for a car: it starts the engine and opens the doors, but not the glovebox or the boot, and you can cancel it any time. When you "connect" GitHub to the broker, GitHub gives the broker a valet key (a token) — not your password. You choose how much that key can do (read only, or read-and-write), and you can revoke it whenever you like.

flowchart LR
    subgraph Once["One-time setup (you click 'Allow')"]
        Broker1[Broker] -->|"asks GitHub politely"| GH[GitHub login]
        GH -->|"here's a limited valet key"| Broker1
    end
    subgraph Later["Every day after"]
        AIc[Claude] --> Broker2[Broker]
        Broker2 -->|"uses the valet key"| GH2[GitHub]
    end

How it's reachable from the internet — with no open doors

Normally, to reach a server from the internet, you have to open a "door" (a network port) on it — and every open door is something attackers probe. This server has zero open doors to the public internet.

Instead it uses a Cloudflare Tunnel. Picture the server phoning out to a trusted receptionist (Cloudflare) and saying "send my visitors through you." All public traffic goes to Cloudflare first, which forwards it down the tunnel the server opened. Because the connection was made outward, there's nothing on the server for an outsider to knock on.

flowchart LR
    Visitor([Anyone on the internet]) -->|https| CF[Cloudflare]
    Server[Your server] ==>|"dials OUT, opens a tunnel"| CF
    CF -->|forwards visitors down the tunnel| Server
    Visitor -. no way to reach directly .-x Server

How you manage it — privately, over Tailscale

You still need to log in to the server to maintain it. For that it uses Tailscale, which builds a private, encrypted network between your own devices — your Mac, your phone, the server — as if they were all plugged into the same private router, no matter where they physically are. Outsiders can't see or join it. So the "admin door" (SSH) exists only inside this private members-only network, never on the public internet.

flowchart LR
    subgraph Tailnet["Your private Tailscale network (invisible to outsiders)"]
        Mac[Your Mac] --- Srv[The server]
        Phone[Your phone] --- Srv
    end
    Stranger([A stranger]) -. cannot see or join .-x Tailnet

Where the keys and passwords actually live

Every real secret — the valet keys, client passwords, tokens — is kept in Google Secret Manager, which is a digital safe. Nothing sensitive is written into the code or the project files. The server is allowed to open the safe to fetch what it needs, but the secrets never sit around in plain sight, and they're never committed to GitHub.

There's an even stronger trick called keyless identity: for some things (like managing the Google Cloud project itself) the server doesn't use a password at all — it proves who it is simply by being that server, the way your face is your ID. There's no key to steal because there is no key.

The security posture, in one picture

flowchart TB
    subgraph VM["One small cloud server — no public doors (firewall blocks all)"]
        B[Broker: holds valet keys, runs in a container]
        D[Status dashboard]
        Bot[Telegram bot]
    end
    Public([Public internet]) -->|only via| CF[Cloudflare Tunnel]
    CF --> B
    Admin([You, admin]) -->|only via| TS[Tailscale private net]
    TS --> VM
    Vault[(Secret Manager<br/>the safe)] -->|server fetches secrets| VM
    Public -. blocked at the door .-x VM

Key safety ideas, plainly:

  • No open doors — a firewall blocks all direct inbound internet traffic. The only ways in are the outbound Cloudflare tunnel (for the public bits) and your private Tailscale network (for admin).
  • Least privilege — every key is given the minimum it needs. The AI that can read your GitHub can't delete it; the dashboard that reads your costs can't change anything.
  • Secrets in the safe — passwords live in Secret Manager, never in the code.
  • Separate keys per user — Claude and Grok each get their own key with their own allow-list, so one can't use the other's access. Grok, for example, is limited to a few connectors and gets read-only GitHub.
  • Survives a rebuild — the server backs up its valet keys to secure storage every hour, so if it's ever wiped and rebuilt, everything comes back on its own.

Two AI "clients," different keys

Both Claude (the apps) and Grok (a coding tool on your Mac) connect to the same broker, but each has a separate key and a different allow-list of what it may touch. This is deliberate: if one tool's key ever leaked, it couldn't reach the other's accounts. Grok is kept especially narrow — a short list of connectors and read-only GitHub.


Part 2 — Bob's Lifebot

What it does

Lifebot is a personal health and fitness hub. It automatically collects:

  • your workouts (from the Hevy app),
  • your Apple Health data (steps, heart rate, etc., via an iPhone export app),
  • study and nutrition notes,

pools them into one tidy store, and layers an AI coach on top (powered by a small, cheap Claude model) that writes you a daily digest and answers questions about your own data. You read and chat with it through a private website only you can log into.

flowchart LR
    Hevy[Hevy workouts] --> API[Lifebot]
    Apple[Apple Health] --> API
    Notes[Study / nutrition] --> API
    API --> Store[(Your data,<br/>stored tidily)]
    Store --> Coach[AI coach<br/>daily advice + chat]
    Coach --> Web[Your private website]
    You([You]) --> Web

Two doors, two kinds of key

Lifebot has two separate entrances, each with its own kind of lock:

  1. A machine key (a secret header) for the automated feeds that push data in — your phone's health export, the Hevy sync. This is for devices, not people.
  2. A personal login (email + password via a proper login system called Cognito) for you to open the website. This uses the same "valet key" OAuth idea, with a modern secure variant (PKCE) so your login can't be intercepted.

Keeping these separate means the automated feeds can only drop data off — they can't read your dashboard — and the website login can't be used by a script.

Where it runs — and why it's cheap

Lifebot is serverless: there's no server sitting switched on 24/7. Instead, small pieces of code (functions) wake up only when something happens — new data arrives, or you open the site — run for a second, and go back to sleep. You pay only for those seconds. The whole thing costs roughly a pound or two a month. The AI coaching uses Amazon Bedrock with a small Claude model, chosen to keep costs tiny.

Its security, plainly

  • You're the only user — the website has no public sign-up; only your account exists, created by hand.
  • Least privilege again — each function can touch only the one thing it needs.
  • Secrets in a safe — like the broker, no passwords in the code (Lifebot uses AWS's equivalent of the safe).
  • Private by design — it deliberately holds only your own personal data.

Part 3 — The shared ideas, defined once

These words show up across both projects. Here's each in one plain sentence:

  • OAuth — a way to give an app limited, revocable access to your account using a "valet key," so you never hand over your actual password.
  • Token — the valet key itself: a long random string the app uses instead of your password. It can be limited and cancelled.
  • Tailscale — a private, encrypted network that links your own devices together as if on one private router; outsiders can't see or join it. Used for admin access with no public door.
  • Cloudflare Tunnel — the server dials out to Cloudflare, which then forwards public visitors back through that tunnel — so the server needs no open inbound doors.
  • Cloudflare Access — a bouncer in front of a web page that checks your identity (your email) before letting anyone see it. It guards the status dashboard.
  • Secret Manager / the safe — a guarded, versioned store for passwords and keys, so nothing sensitive lives in the code.
  • Least privilege — give every key the smallest set of powers it needs and nothing more, so a leak causes the least possible damage.
  • Keyless identity — the server proves who it is by being itself (like a face ID) instead of holding a password an attacker could steal.
  • Firewall (deny-all) — the rule that blocks all direct inbound internet traffic to the server; the only ways in are the tunnel and Tailscale.
  • Connector — a plug-adapter that teaches the broker how to talk to one service (GitHub, Notion, etc.). Add a connector, and every AI you use gains that ability.
  • Least-privilege, per-user keys — each AI tool (Claude, Grok) gets its own key and its own allow-list, isolated from the others.

The big picture

flowchart TB
    You([You])
    You -->|chat| Claude[Claude apps]
    You -->|code on Mac| Grok[Grok]
    You -->|open dashboard| Dash[Status page]
    You -->|health app| Life[Lifebot site]

    Claude --> Broker[MCP Broker]
    Grok --> Broker
    Broker --> Accounts[Your accounts:<br/>GitHub · Notion · Cloudflare ·<br/>Tailscale · GitLab · jobs]

    Dash --> CFA[Cloudflare Access<br/>checks it's you]
    CFA --> Broker

    Life --> Health[Health data + AI coach]

    Vault[(Secrets in a safe)] --- Broker
    Vault2[(Secrets in a safe)] --- Health

Where to go deeper

Sources

Compiled from wiki/layman.md · git is the source of truth