
Bolt

Bolt is a plugin-based MCP server that provides security tools through a Docker container running Ubuntu. Each tool is a direct plugin — no meta-tools, no dynamic loading, just call the tool you need.

[Screenshot: Bolt running nmap scan through Cyberstrike]

Why Bolt?

Bolt solves the problem of running security tools that require a Linux environment. Instead of installing tools locally, Bolt runs them in an isolated Docker container with a plugin architecture.

| Feature | Without Bolt | With Bolt |
|---|---|---|
| Tool Installation | Manual for each tool | Pre-installed via plugins |
| Platform Support | Linux only for most tools | Any platform with Docker |
| Isolation | Tools run on your system | Sandboxed in container |
| Setup Time | Hours | Minutes |
| Updates | Manual | docker pull |
| Tool Calls | N/A | Direct — 1 LLM turn per tool |

Architecture

flowchart TB
subgraph Client["Cyberstrike CLI"]
Agent[AI Agent]
MCPClient[MCP Client]
Auth[Ed25519 Auth]
end
subgraph Network["Network Layer"]
HTTP[HTTP/MCP Transport]
end
subgraph Bolt["Bolt Container (Ubuntu)"]
Server[HTTP Server]
Loader[Plugin Loader]
Executor[Bun.spawn Executor]
end
subgraph Plugins["Plugins"]
subfinder[subfinder]
nmap[nmap]
nuclei[nuclei]
httpx[httpx]
ffuf[ffuf]
run_command[run_command]
end
Agent --> MCPClient
MCPClient --> Auth
Auth --> HTTP
HTTP --> Server
Server --> Loader
Loader --> Executor
Executor --> subfinder
Executor --> nmap
Executor --> nuclei
Executor --> httpx
Executor --> ffuf
Executor --> run_command
style Client fill:#3b82f6,color:#fff
style Network fill:#8b5cf6,color:#fff
style Bolt fill:#10b981,color:#fff
style Plugins fill:#f59e0b,color:#fff

Component Details

| Component | Description |
|---|---|
| MCP Client | Handles JSON-RPC communication with Bolt |
| Ed25519 Auth | Asymmetric key authentication for secure access |
| Plugin Loader | Discovers and registers plugins from config |
| Executor | Spawns tool processes via Bun.spawn |

Quick Start

1. Start Bolt Server

# One-liner install
curl -sSL https://bolt.cyberstrike.io/install.sh | bash

Or manually with Docker:

docker run -d \
  --name bolt \
  -p 3001:3001 \
  -e MCP_ADMIN_TOKEN=$(openssl rand -hex 32) \
  --cap-add NET_RAW \
  --cap-add NET_ADMIN \
  ghcr.io/cyberstrikeus/bolt:latest

2. Get the Admin Token

docker logs bolt | grep "Admin token"

3. Add to Cyberstrike

Use the /bolt command in the TUI:

  1. Press / and type bolt
  2. Press a to add a new server
  3. Enter URL: http://localhost:3001
  4. Enter the admin token
  5. Give it a name (e.g., “local”)

Or add manually to config:

~/.config/cyberstrike/cyberstrike.json
{
  "mcp": {
    "bolt": {
      "type": "remote",
      "url": "http://localhost:3001/mcp",
      "bolt": true,
      "headers": {
        "Authorization": "Bearer YOUR_ADMIN_TOKEN"
      }
    }
  }
}

4. Use Bolt Tools

All tools are directly available — no searching or loading required:

> Run nmap against 192.168.1.1 with service detection
> Use subfinder to enumerate subdomains of example.com

The agent calls the tool directly in a single turn.


Available Plugins

Bolt ships with 6 plugins, each providing a directly callable tool:

| Plugin | Tool | Description |
|---|---|---|
| subfinder | subfinder | Fast passive subdomain enumeration |
| nmap | nmap | Network scanner and service detection |
| nuclei | nuclei | Template-based vulnerability scanner |
| httpx | httpx | HTTP probing and technology detection |
| ffuf | ffuf | Web fuzzer for directories, vhosts, parameters |
| run_command | run_command | Execute any shell command (escape hatch) |

Plugin Architecture

Each plugin is a self-contained module that defines:

  • Tool name, description, and input schema
  • Execute function (Bun.spawn wrapper)
  • Optional check() to verify binary is installed
  • Optional install() for auto-installation

Plugins are configured in bolt.config.json:

bolt.config.json
{
  "port": 3001,
  "plugins": [
    "@cyberstrike-io/bolt-subfinder",
    "@cyberstrike-io/bolt-nmap",
    "@cyberstrike-io/bolt-nuclei",
    "@cyberstrike-io/bolt-httpx",
    "@cyberstrike-io/bolt-ffuf",
    "@cyberstrike-io/bolt-run-command"
  ]
}
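
A sketch of a plugin with the parts listed above, as an added example and not Bolt's own code: the object shape (`name`, `inputSchema`, `check`, `execute`), the `buildArgv` helper and the validation rules are assumptions. Because tool arguments are produced by an LLM, the plugin rejects values that nmap would parse as options and hands `Bun.spawn` an argv array, so no shell interprets them.

```javascript
// Hypothetical plugin shape (an assumption); Bolt's real interface may differ.
// Tool arguments come from an LLM, so validate them before they reach nmap.

// Hostname, IPv4 address or IPv4 CIDR (no IPv6 in this sketch). The first
// character must be alphanumeric, so "-oN" or "--script=x" is never accepted
// and nmap cannot read the target as an option.
const TARGET_RE = /^[A-Za-z0-9][A-Za-z0-9.-]{0,252}(\/(3[0-2]|[12]?\d))?$/;
// Port list such as "22", "80,443" or "1-1024".
const PORTS_RE = /^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$/;

function buildArgv(input) {
  const { target, ports, serviceDetection = false } = input ?? {};
  if (typeof target !== "string" || !TARGET_RE.test(target)) {
    throw new Error("invalid target");
  }
  const argv = ["nmap"];
  if (serviceDetection === true) argv.push("-sV");
  if (ports !== undefined) {
    if (typeof ports !== "string" || !PORTS_RE.test(ports)) {
      throw new Error("invalid ports");
    }
    argv.push("-p", ports);
  }
  argv.push(target); // one argv element, never spliced into a shell string
  return argv;
}

const nmapPlugin = {
  name: "nmap",
  description: "Network scanner and service detection",
  inputSchema: {
    type: "object",
    properties: {
      target: { type: "string" },
      ports: { type: "string" },
      serviceDetection: { type: "boolean" },
    },
    required: ["target"],
    additionalProperties: false,
  },
  // Optional check(): is the binary on PATH? Bun.which returns null if not.
  check: () => Bun.which("nmap") !== null,
  // Bun.spawn takes an argv array and does not invoke a shell.
  async execute(input) {
    const proc = Bun.spawn(buildArgv(input), { stdout: "pipe" });
    const stdout = await new Response(proc.stdout).text();
    return { exitCode: await proc.exited, stdout };
  },
};
```

`run_command` accepts any shell command by design, so checks like these constrain only the dedicated tools; a deployment that does not need the escape hatch can leave `@cyberstrike-io/bolt-run-command` out of the plugin list, assuming Bolt loads only the plugins named in bolt.config.json.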

Installation Methods

The official Docker image (Ubuntu 24.04) includes all plugins pre-installed:

# Using docker run
docker run -d \
  --name bolt \
  --restart unless-stopped \
  -p 3001:3001 \
  -v bolt-data:/data \
  -e MCP_ADMIN_TOKEN=$(openssl rand -hex 32) \
  --cap-add NET_RAW \
  --cap-add NET_ADMIN \
  ghcr.io/cyberstrikeus/bolt:latest

# View the admin token
docker logs bolt

Docker Compose

docker-compose.yml
services:
  bolt:
    image: ghcr.io/cyberstrikeus/bolt:latest
    ports:
      - "3001:3001"
    environment:
      - MCP_ADMIN_TOKEN=${MCP_ADMIN_TOKEN}
    cap_add:
      - NET_RAW
      - NET_ADMIN
    volumes:
      - bolt-data:/data
    restart: unless-stopped

volumes:
  bolt-data:

export MCP_ADMIN_TOKEN=$(openssl rand -hex 32)
docker compose up -d

Bare Metal Installation

Install directly on an Ubuntu/Debian server:

curl -sSL https://bolt.cyberstrike.io/install.sh | sudo bash

This installs Bun, clones the Bolt repo, installs Go tools (subfinder, nuclei, httpx, ffuf), and sets up a systemd service.


TUI Management

The /bolt command is the unified interface for managing all MCP servers — both Bolt and custom local/remote MCP servers.

The /bolt Command

Access MCP server management with /bolt in the TUI:

| Key | Action |
|---|---|
| a | Add new MCP server (local or remote) |
| space | Toggle connection |
| ctrl+d | Delete server |
| esc | Close dialog |

Server Type Indicators

| Icon | Type |
|---|---|
| | Bolt container |
| | Local MCP server (stdio) |
| | Remote MCP server (HTTP) |

Connection States

| Color | Status |
|---|---|
| Green | Connected and ready |
| Gray | Disabled |
| Red | Failed (with error message) |
| Yellow | Needs authentication |

Usage Examples

Network Reconnaissance

> Use bolt to scan 192.168.1.0/24 for open ports and services

The agent calls nmap directly — no loading step needed.

Subdomain Enumeration

> Find all subdomains of example.com using bolt

Calls subfinder directly.

Vulnerability Scanning

> Scan https://target.com with nuclei using all templates

Calls nuclei directly.

Web Fuzzing

> Fuzz directories on https://target.com using bolt

Calls ffuf directly.

Custom Commands

> Run "dig +short example.com" on bolt

Uses the run_command escape hatch for any command not covered by plugins.


Security Features

Authentication Methods

flowchart LR
subgraph Simple["Admin Token (Simple)"]
Token[Bearer Token]
Header[Authorization Header]
Token --> Header
end
subgraph Advanced["Ed25519 (Advanced)"]
KeyPair[Key Pair]
Sign[Sign Request]
Verify[Server Verify]
KeyPair --> Sign
Sign --> Verify
end
style Simple fill:#3b82f6,color:#fff
style Advanced fill:#10b981,color:#fff

Admin Token (Simple)

Use a bearer token for authentication:

{
  "headers": {
    "Authorization": "Bearer YOUR_ADMIN_TOKEN"
  }
}

Ed25519 Keys (Advanced)

For production deployments, use asymmetric key authentication:

  1. Generate client keys
  2. Pair with the server via /pair endpoint
  3. Sign requests with your private key

Configuration

Environment Variables

| Variable | Default | Description |
|---|---|---|
| PORT | 3001 | HTTP server port |
| HOST | 0.0.0.0 | Bind address |
| MCP_ADMIN_TOKEN | - | Admin bearer token |
| DATA_DIR | /data | Persistent data directory |

Docker Capabilities

For full functionality, Bolt needs:

| Capability | Purpose |
|---|---|
| NET_RAW | Raw socket access for nmap SYN scans |
| NET_ADMIN | Network configuration for tools requiring elevated access |

Volumes

| Path | Purpose |
|---|---|
| /data | Persistent keys, scan results |

Troubleshooting

Connection Refused

Error: Connection refused
  1. Check Docker is running: docker ps
  2. Verify port mapping: docker port bolt
  3. Test health endpoint: curl http://localhost:3001/health

Tools Not Available

> Agent says "tool not found"
  1. Verify MCP is connected: /bolt in TUI
  2. Check model supports MCP (not subprocess models like claude-cli)
  3. Restart Cyberstrike after adding Bolt

Subprocess Models

Caution

Models running as subprocesses (like claude-cli/opus) cannot access Cyberstrike’s MCP servers.

Use direct API models:

  • anthropic/claude-sonnet-4
  • anthropic/claude-opus-4
  • openai/gpt-4o

API Reference

Health Check

curl http://localhost:3001/health

Response:

{
  "status": "ok",
  "tools": 6,
  "plugins": 6
}

MCP Endpoint

POST /mcp

Standard MCP JSON-RPC endpoint for tool calls.

Pairing (Ed25519)

POST /pair # Start pairing with code
POST /pair/exchange # Exchange public keys
GET /pair/clients # List paired clients (admin only)

Uninstalling

curl -sSL https://bolt.cyberstrike.io/uninstall.sh | sudo bash

This removes the Bolt installation, systemd service, and data directory.


Danger

Only use Bolt tools against authorized targets. Unauthorized penetration testing is illegal.