MechaMental
Admin Guide

Bridges Setup

Install the WireGuard bridge agent, register it with MechaMental, and configure private endpoints.

Bridges provide secure, encrypted connectivity between MechaMental and your private infrastructure using WireGuard tunnels. This guide walks you through the complete setup process: creating a bridge, installing the agent, registering endpoints, and using them in your tool configurations.

Prerequisites

  • A server in your private network that can make outbound HTTPS connections
  • Admin access to your MechaMental organization
  • Internal services you want to connect (databases, APIs, file shares, etc.)

No inbound ports required

The bridge agent initiates all connections outbound to MechaMental. You do not need to open any inbound ports or modify firewall rules in your network.

Setup Workflow

Create a Bridge in the Admin Panel

  1. Go to Admin -> Bridges in the sidebar
  2. Click New Bridge
  3. Enter a name for the bridge (e.g., datacenter-east, office-vpn, aws-vpc-prod)
  4. Optionally add a description
  5. Click Create
  6. Copy the connection token that is displayed -- you will need it to configure the agent

Save the token

The connection token is shown only once, at creation time. Copy it immediately. If you lose it, you will need to generate a new token from the bridge settings.

Install the Bridge Agent

The bridge agent is a lightweight WireGuard-based binary that runs on a server inside your private network. Download and install it for your platform.

Linux (amd64):

# Download the agent (-f makes curl fail on an HTTP error instead of saving the error page)
curl -fL https://releases.mechamental.com/bridge/latest/linux-amd64 -o mm-bridge

# Make executable
chmod +x mm-bridge

# Move to a standard location
sudo mv mm-bridge /usr/local/bin/

Linux (arm64):

# Download the agent (-f makes curl fail on an HTTP error instead of saving the error page)
curl -fL https://releases.mechamental.com/bridge/latest/linux-arm64 -o mm-bridge

# Make executable
chmod +x mm-bridge

# Move to a standard location
sudo mv mm-bridge /usr/local/bin/

macOS (amd64):

# Download the agent (-f makes curl fail on an HTTP error instead of saving the error page)
curl -fL https://releases.mechamental.com/bridge/latest/darwin-amd64 -o mm-bridge

# Make executable
chmod +x mm-bridge

# Move to a standard location
sudo mv mm-bridge /usr/local/bin/

Configure and Start the Agent

Set the connection token and bridge name as environment variables, then start the agent.

# Set environment variables
export MM_BRIDGE_TOKEN="brg_tok_..."
export MM_BRIDGE_NAME="datacenter-east"

# Start the agent
mm-bridge start

For production deployments, run the agent as a systemd service:

# /etc/systemd/system/mm-bridge.service
[Unit]
Description=MechaMental Bridge Agent
After=network.target

[Service]
Type=simple
Environment=MM_BRIDGE_TOKEN=brg_tok_...
Environment=MM_BRIDGE_NAME=datacenter-east
ExecStart=/usr/local/bin/mm-bridge start
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Then enable and start the service:

sudo systemctl enable mm-bridge
sudo systemctl start mm-bridge

Once the agent starts, it establishes a WireGuard tunnel to MechaMental. The bridge status in the admin panel will change from Disconnected to Connected.
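
The unit above carries the connection token in an Environment= line. systemd exposes variables set that way to unprivileged users through systemctl show, and unit files are normally world-readable. The following added example (not from MechaMental's documentation) moves the token into a root-only EnvironmentFile and checks a unit for an inline token; the path /etc/mm-bridge/agent.env and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not MechaMental's own tooling): keep the bridge token in a
# root-only file instead of an inline Environment= line in the unit.
# Assumed path: /etc/mm-bridge/agent.env. Function names are hypothetical.

# write_env_file FILE TOKEN NAME: create FILE with mode 0600 holding both variables.
write_env_file() {
    (
        umask 077                  # never group/world readable, even briefly
        mkdir -p "$(dirname "$1")"
        printf 'MM_BRIDGE_TOKEN=%s\nMM_BRIDGE_NAME=%s\n' "$2" "$3" > "$1"
    )
    chmod 600 "$1"                 # also tightens a pre-existing file
}

# write_unit UNITFILE ENVFILE: the guide's unit, with the secret moved out.
write_unit() {
    cat > "$1" <<EOF
[Unit]
Description=MechaMental Bridge Agent
After=network.target

[Service]
Type=simple
EnvironmentFile=$2
ExecStart=/usr/local/bin/mm-bridge start
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# unit_has_inline_token UNITFILE: succeeds if the token is still embedded in the unit.
unit_has_inline_token() {
    grep -Eq '^[[:space:]]*Environment=.*MM_BRIDGE_TOKEN=' "$1"
}

# file_mode FILE: print octal permissions (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Typical use, as root (the token is the value shown once in the admin panel):
#   write_env_file /etc/mm-bridge/agent.env "$MM_BRIDGE_TOKEN" datacenter-east
#   write_unit /etc/systemd/system/mm-bridge.service /etc/mm-bridge/agent.env
#   systemctl daemon-reload && systemctl restart mm-bridge
```

Running unit_has_inline_token against deployed unit files is a quick audit for hosts that were set up with the inline form.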

Register Internal Endpoints

After the agent connects, define which internal services should be accessible through the bridge.

  1. In Admin -> Bridges, click on your bridge to open its detail view
  2. Click Add Endpoint
  3. For each internal service, configure:

| Field | Description | Example |
|---|---|---|
| Name | A human-readable identifier for the endpoint | internal-api |
| URL | The internal network address of the service | http://internal-api.corp:8080 |
| Type | The kind of resource | HTTP API, Database, File Path |
| Description | Optional context for what this endpoint connects to | Customer data REST API |

Verify Connectivity

After registering endpoints, verify they are reachable:

  1. In the bridge detail view, find the endpoint you added
  2. Click Test Connection
  3. MechaMental routes a health check through the bridge tunnel to the internal endpoint
  4. A successful test confirms end-to-end connectivity

Using Bridged Endpoints in Tools

Once a bridge and its endpoints are configured, workspace users can reference them in tool configurations.

  1. When configuring a tool instance, select the Bridge for connectivity
  2. Choose the registered endpoint from the dropdown
  3. The tool routes its requests through the bridge tunnel to the internal service

This means your AI pipelines can securely query internal databases, call private APIs, and access file shares -- all without exposing those services to the public internet.

Monitoring Bridge Health

Monitor your bridges from the admin panel. Each bridge shows:

| Metric | Description |
|---|---|
| Connection Status | Connected, Disconnected, or Reconnecting |
| Latency | Round-trip time between MechaMental and the bridge agent |
| Traffic | Request count and bandwidth usage |
| Errors | Failed connection attempts and routing errors |
| Uptime | Time since the agent last connected |

The agent automatically reconnects if the connection drops. During reconnection, requests to endpoints on that bridge queue briefly and retry once the tunnel is re-established.

Security

All traffic through a bridge is encrypted with WireGuard. Key security properties:

  • Outbound only -- the agent initiates the connection; no inbound ports needed
  • Unique keypair -- each bridge agent authenticates with a unique WireGuard keypair
  • Workspace isolation -- one workspace's bridge cannot access another workspace's private resources
  • Audit logged -- all bridge connections and endpoint access are recorded in the audit log
