Feature: ml.ink Skill — Agent-Native Production Deployment via MCP (Freysa AI)

[teknium1]

Overview

ml.ink is an MCP-native deployment platform built by Freysa AI that allows AI agents to autonomously deploy, scale, and manage production applications via the Model Context Protocol. It exposes 20+ MCP tools covering full-stack deployment, managed databases (SQLite/Turso), DNS/domain management, git hosting, and observability — all on bare metal infrastructure with gVisor sandboxing.

Source: ml.ink, docs, MCP tools reference, Freysa sovereign agents blueprint

This skill would give Hermes Agent the ability to deploy applications to production — writing code and shipping it live in a single conversation. Unlike #378 (here.now) which covers static file hosting only, ml.ink provides full-stack deployment with backends, databases, custom domains, and real-time observability. The two are complementary: here.now for quick static publishes, ml.ink for production applications.

Upcoming features on ml.ink's roadmap: x402 stablecoin payments (Coinbase's HTTP-native payment protocol on Base) and delegated identities from humans — positioning ml.ink as infrastructure for fully autonomous "sovereign agents" that can manage their own compute and finances.

---

Research Findings

How ml.ink Works

Architecture: Bare metal servers (currently eu-central-1, Germany) running gVisor-sandboxed containers. No cloud VMs — dedicated hardware managed end-to-end by Ink. NVMe storage, CDN-fronted serving.

MCP Endpoint: https://mcp.ml.ink/mcp

Authentication: Two methods:

• OAuth 2.1 PKCE — Browser-based flow for interactive clients (Claude Code, Cursor). Discovery at https://mcp.ml.ink/.well-known/oauth-authorization-server.
• API Key — Authorization: Bearer dk_live_... header. Generated at ml.ink/account/api-keys. Designed for programmatic/headless agents.

20 MCP Tools across 5 categories:

Category	Tools	What They Do
Services	create_service, list_services, get_service, update_service, delete_service	Deploy, monitor, scale, redeploy applications
Resources	create_resource, list_resources, get_resource, delete_resource	Provision managed SQLite databases (Turso with edge replication)
Git	create_repo, get_git_token	Create Ink-hosted or GitHub repos, get push credentials
Domains	add_custom_domain, remove_custom_domain, list_delegations, list_dns_records, add_dns_record, delete_dns_record	Full DNS management, custom domains with auto TLS
Identity	whoami, list_projects, list_workspaces	Auth verification, project/workspace enumeration

Deployment flow:

Agent writes code → create_repo() → git push → create_service(name, repo) → auto-detect framework → build → deploy → live at name.ml.ink

Supported stacks: 30+ frameworks auto-detected — React, Next.js, Vue, Svelte, Angular, Node.js, Python (FastAPI/Flask/Django), Go, Rust, Ruby, Java, PHP, .NET, Elixir, Bun, Deno, Zig, Haskell, Streamlit, Gradio, static HTML. Also supports custom Dockerfiles.

Default resources: 0.5 vCPU, 256 MB RAM (configurable up to 4 vCPU / 4 GB per service).

Key Design Decisions

1. MCP-first, not MCP-added — The platform was built around MCP from day one. The web dashboard is secondary; the MCP interface is the primary API.
2. Convention over configuration — Auto-detects frameworks, picks build strategies, allocates resources. Zero config for common cases.
3. Observable by default — CPU, memory, network metrics + build/runtime logs all accessible via MCP tools. Agents can self-diagnose and fix issues.
4. Cost-transparent — Agents can call check_credits to reason about costs before deploying. Per-minute billing with no hidden fees.
5. Workspace collaboration — Multiple agents can share a workspace, enabling specialized agent economies (one builds, one monitors, one manages billing).

Pricing

Plan	Monthly	Credits	Limits
Free Trial	$0	$2 one-time	1 project, 3 services, 2 vCPU / 4 GB
Hobby	$5/mo	$5/mo	5 projects, 25 services, 10 vCPU / 20 GB
Pro	$20/mo	$20/mo	Unlimited projects/services, 40 vCPU / 80 GB

Usage costs: $0.000393/vCPU/min + $0.000161/GB/min. Free ingress. 100 GB egress/mo included.

x402 Payment Protocol (Upcoming)

ml.ink plans to integrate x402 — Coinbase's open standard for HTTP-native payments using stablecoins. x402 revives the HTTP 402 "Payment Required" status code:

1. Agent sends HTTP request → server returns 402 Payment Required
2. Agent pays instantly with stablecoins (USDC on Base, Solana, Stellar, etc.)
3. API access granted — no accounts, no API keys, no subscriptions

This would allow agents to pay for compute with crypto wallets instead of credit cards — a key primitive for fully autonomous agents.

Freysa AI Context

ml.ink is built by Freysa AI, which is building toward "sovereign agents" — AI systems with provable autonomous execution, decentralized governance, and cryptographic guarantees. ml.ink is positioned as the infrastructure layer enabling agents to independently operate businesses, manage resources, and interact with each other at scale.

---

Current State in Hermes Agent

What we have:

• Native MCP client (tools/mcp_tool.py, ~1050 lines) — supports both stdio and HTTP/StreamableHTTP transport with auto-reconnection, credential security, and configurable timeouts
• HTTP transport with Bearer auth — config.yaml supports url + headers for MCP servers, which is exactly what ml.ink's API key auth needs
• here.now skill (Feature: here.now Skill — Instant Static Web Publishing for Agent-Created Content #378, proposed) — static file publishing (complementary, not overlapping)
• Pinggy skill (Feature: Pinggy Skill — Zero-Install Localhost Tunnels via SSH #361, proposed) — localhost tunneling (complementary — for dev servers, not production deployment)
• FastMCP skill (Feature: FastMCP Skill — Build, Test, and Deploy MCP Servers #343, proposed) — building MCP servers (could deploy TO ml.ink)

What we lack:

• No production deployment capability — agent can build apps but can't ship them
• No MCP OAuth 2.1 PKCE support — only static Bearer tokens (API keys work, but OAuth flow is unsupported)
• No deployment skill of any kind — this is a fundamental gap

Integration path (works TODAY):

# ~/.hermes/config.yaml
mcp_servers:
  ink:
    url: "https://mcp.ml.ink/mcp"
    headers:
      Authorization: "Bearer dk_live_YOUR_API_KEY"

This is all that's needed. Our MCP client will auto-discover all 20 ml.ink tools and register them for agent use. The skill provides the setup guide, usage patterns, and best practices.

---

Implementation Plan

Skill vs. Tool Classification

This should be a skill because:

• Our existing MCP client already handles the entire protocol — HTTP transport, tool discovery, tool calling
• The capability is expressed as configuration + instructions for using the auto-discovered MCP tools
• No custom Python integration needed — ml.ink tools appear as native tools once configured
• API key management is user-side (stored in config.yaml headers), not harness-managed
• Per CONTRIBUTING.md: "Make it a Skill when the capability can be expressed as instructions + shell commands + existing tools"

Should it be bundled? This is borderline. Deploying applications is broadly useful, but ml.ink is a specific commercial service (not a universal tool like git or curl). Recommendation: Skills Hub initially, promote to bundled if it becomes widely adopted or if ml.ink establishes itself as the standard agent deployment platform.

What We'd Need

1. SKILL.md — Setup guide (account creation, API key generation, config.yaml entry), usage patterns for all 20 tools, cost awareness guidance, troubleshooting
2. references/tool-reference.md — Detailed tool parameter reference (from docs.ml.ink)
3. templates/config-snippet.yaml — Ready-to-paste config.yaml MCP server entry

Phased Rollout

Phase 1: Core deployment skill

• SKILL.md with setup instructions for API key auth
• Tool usage patterns: deploy a service, provision a database, add a custom domain
• Cost awareness: always check credits before deploying, explain pricing to users
• Relationship guide: ml.ink vs here.now (Feature: here.now Skill — Instant Static Web Publishing for Agent-Created Content #378) vs Pinggy (Feature: Pinggy Skill — Zero-Install Localhost Tunnels via SSH #361)
• Error handling: common failures and how to debug via get_service logs

Phase 2: Advanced patterns + MCP OAuth

• Multi-service deployments (frontend + backend + database)
• Workspace collaboration patterns (multiple agents sharing infrastructure)
• MCP tool server deployment (deploy MCP servers TO ml.ink that extend Hermes's own capabilities)
• Enhancement to tools/mcp_tool.py: add OAuth 2.1 PKCE support for MCP servers that require it (currently we only support static headers). This would enable the interactive OAuth flow as an alternative to API keys.

Phase 3: Autonomous operations

• Cronjob-based monitoring: scheduled health checks via get_service metrics
• Auto-scaling patterns: agent monitors CPU/memory and calls update_service to adjust resources
• x402 integration (when ml.ink ships it): enable agents to pay for compute with crypto wallets
• Integration with Feature: FastMCP Skill — Build, Test, and Deploy MCP Servers #343 (FastMCP): build MCP servers → deploy to ml.ink → connect back to Hermes

---

Pros & Cons

Pros

• Zero-friction integration — Works TODAY with our existing MCP client. Just add 4 lines to config.yaml and all 20 tools appear.
• Full-stack deployment — Goes far beyond static hosting: backends, databases, DNS, observability, custom domains, Docker support.
• Agent-native design — Built around MCP from day one. Transparent pricing (agents can reason about costs), observable infrastructure (agents read their own logs).
• Bare metal performance — Dedicated hardware, gVisor isolation, NVMe storage. No noisy neighbors.
• Complements existing proposals — here.now for quick static publishes, Pinggy for dev tunnels, ml.ink for production apps. All three serve different needs.
• Future-forward — x402 payments and delegated identities align with the vision of autonomous agents managing their own infrastructure and finances.
• Low maintenance — The skill is primarily documentation/instructions. ml.ink handles all infrastructure. Auto-discovered MCP tools mean no schema maintenance on our side.
• MCP ecosystem alignment — Hermes already has a robust MCP client. This validates and exercises that investment.

Cons / Risks

• Vendor dependency — ml.ink is new (launched March 2026) with no track record. Built by Freysa AI, a crypto-adjacent project — sustainability depends on FAI token economics and Freysa's trajectory.
• Single region — Currently only eu-central-1 (Germany). No US or Asia regions yet. Latency for US users could be an issue.
• Cost accumulation — Per-minute billing can add up. Agent must be trained to always check credits and communicate costs to users before deploying. Risk of unexpected charges if services are left running.
• Commercial service — Unlike here.now (free/anonymous) or Pinggy (free tier), ml.ink requires signup and payment beyond the $2 trial. Not suitable for the bundled skills directory.
• No OAuth PKCE in our MCP client — API key auth works, but OAuth flow doesn't. This is a minor gap (API keys are fine for headless agents) but limits parity with Claude Code's smoother setup experience.
• Crypto association — Freysa AI has a token (FAI), x402 uses stablecoins. Some users may be wary of crypto-adjacent infrastructure.
• Terms restrictions — No crypto mining, no VPNs, no automation bots, strict content policies. Agent must be aware of prohibited use cases.

---

Open Questions

1. Skills Hub vs. Bundled? — ml.ink solves a real gap (production deployment), but it's a specific commercial service. Should we wait for broader adoption before bundling?
2. OAuth PKCE support — Should we add MCP OAuth support to tools/mcp_tool.py as part of this work, or track it as a separate enhancement? It would benefit all OAuth-requiring MCP servers, not just ml.ink.
3. Cost guardrails — Should the skill include hard instructions like "ALWAYS check credits before deploying" and "ALWAYS warn the user about per-minute costs"? Or leave it to agent judgment?
4. x402 integration — When ml.ink ships x402 payments, should Hermes Agent support crypto wallet integration for autonomous compute purchasing? This opens significant ethical/security questions.
5. Multi-agent workspace patterns — ml.ink supports multiple agents sharing a workspace. Should we explore this with Hermes's delegation/sub-agent features (Feature: Cross-CLI Agent Orchestration — Mixed Workflows with External Agent CLIs (inspired by AgentWorkforce/relay) #413)?
6. Competition/alternatives — Should we also evaluate Railway, Render, Fly.io, or Vercel's MCP integrations as alternatives/complements to ml.ink?

---

References

• ml.ink homepage
• ml.ink documentation
• MCP tools reference — all 20 tools documented
• Quick start guide
• Bare metal infrastructure — gVisor, NVMe, security details
• Platform philosophy — agent-first design principles
• Pricing — pay-per-minute usage model
• Freysa AI sovereign agents blueprint
• x402 protocol — HTTP-native payments standard by Coinbase
• x402 GitHub — Apache-2.0, Python/TS/Go/Java SDKs
• MCP Market listing
• OAuth discovery endpoint — confirmed working
• Related Hermes issues: Feature: here.now Skill — Instant Static Web Publishing for Agent-Created Content #378 (here.now static hosting), Feature: Pinggy Skill — Zero-Install Localhost Tunnels via SSH #361 (Pinggy tunnels), Feature: FastMCP Skill — Build, Test, and Deploy MCP Servers #343 (FastMCP), Feature: Hermes Agent as MCP Server — Expose Tools to the MCP Ecosystem #342 (Hermes as MCP server), Feature: Cross-CLI Agent Orchestration — Mixed Workflows with External Agent CLIs (inspired by AgentWorkforce/relay) #413 (cross-CLI agent orchestration)

[teknium1]

Related: #497 — MCP OAuth 2.1 PKCE support, which would enable smoother OAuth-based authentication with ml.ink as an alternative to API keys.

[teknium1]

Skills Hub → optional-skills/ placement note: This issue recommends a Skills Hub (non-bundled) skill. Per the optional skills system (commit f2e24fa), official-but-not-bundled skills should be placed in the optional-skills/ directory in the repo. These ship with hermes-agent but are not activated by default — users discover them via hermes skills search and install via hermes skills install.

Suggested path: optional-skills/<category>/<skill-name>/SKILL.md

[teknium1]

Updated direction: Rather than a pure skill with redundant MCP tool descriptions, ml.ink should be an official optional skill in optional-skills/mcp/ink/ that leverages #688 (Skill Requirements Declaration). The skill would declare requires.env: INK_API_KEY and requires.mcp: ink, and the install flow would handle API key prompting and MCP config injection automatically. The SKILL.md itself would be thin — just deployment best practices and cost awareness guidance, since the 20 MCP tools are self-describing.

[teknium1]

Architecture update: ml.ink integration now depends on #690 (MCP Server Management) for tool discovery/selection and #688 (env var prompting) for API key setup. The skill itself becomes thin guidance — deployment best practices, cost awareness. The MCP tools and config are managed through hermes mcp add ink.

[teknium1]

Closing — not planning to bundle an ml.ink-specific skill. Users who want it can add it themselves with our existing MCP client by pasting four lines into ~/.hermes/config.yaml:

mcp_servers:
  ink:
    url: "https://mcp.ml.ink/"
    headers:
      Authorization: "Bearer ${INK_API_KEY}"

Drop INK_API_KEY in ~/.hermes/.env and all 30+ Ink tools auto-register on next start. No skill needed.