OpenScope is an action broker: it replaces an agent's raw access (shell, databases, production) with a short list of narrow, approved actions, and can stop the whole fleet on demand.
So your agents can do real work on auto — install build deps with sudo, SSH into prod, ship a signed macOS build, even bring in remote help — without you babysitting every command.
Open source · runs on your own infrastructure.
$ agent: clear user data for inactive accounts
@agent_call: delete_user_data(account_scope="all", confirmed=false)
Requested scope exceeds allowed action policy
OPENSCOPE: Request denied
Action: delete_user_data | Scope: all accounts | Confirmation: missing
Suggested safe action: view_eligible_accounts or delete_user_data(account_scope="single")
A helpful agent can still delete the wrong database, restart the wrong service, or skip a publishing checklist and leak source code. If the raw privileged path is available, the blast radius is available too.
Told to clean up or reset state, an agent can hit the wrong database if it holds raw DB or shell access.
An agent can publish the wrong artifact or leak source if release safety steps live only in prompts or docs.
Agents do what seems locally useful, not what your broader operational intent required.
With raw power, mistakes happen at machine speed across sensitive systems.
OpenScope acts as a broker, a checkpoint your agents call instead of touching systems directly. It holds the real keys and exposes only a short list of named, approved actions, each one scoped, policy-checked, and logged.
It runs a scoped command through the CLI, e.g. openscope ssh restart_service, never raw ssh, sudo, or a database credential.
Default-deny: an allow rule plus exact parameter scope decides whether the call runs. The keys never reach the agent.
The narrow action executes against the real system, SSH, shell, Notes, or HTTP, with credentials held inside the broker.
Every allow and deny is appended to an audit log, and an out-of-band kill switch can halt the fleet on demand.
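A default-deny check with exact parameter scope, an append-only audit record, and a kill switch, as an added sketch that is not OpenScope's own code. The policy table, the decide function, and the agent name are hypothetical; the action names and parameters are taken from the denied request shown above.

```python
import json
import time

# Hypothetical policy table (constructed for illustration; not OpenScope's format).
# Each named action maps to the exact parameter values it may be called with.
POLICY = {
    "view_eligible_accounts": {},
    "delete_user_data": {"account_scope": {"single"}, "confirmed": {True}},
}

AUDIT_LOG = []                    # append-only list standing in for the audit log
KILL_SWITCH = {"engaged": False}  # flag flipped out of band to halt every agent


def _in_scope(value, allowed):
    # Type-strict match so that 1 is not accepted where True is required.
    return any(type(value) is type(v) and value == v for v in allowed)


def decide(agent, action, params):
    """Return (allowed, reason). Anything not matched by an allow rule is refused."""
    if KILL_SWITCH["engaged"]:
        verdict = (False, "kill switch engaged")
    elif action not in POLICY:
        verdict = (False, "no allow rule for action")
    else:
        scope = POLICY[action]
        extra = sorted(set(params) - set(scope))
        missing = sorted(set(scope) - set(params))
        bad = sorted(k for k in scope
                     if k in params and not _in_scope(params[k], scope[k]))
        if extra:
            verdict = (False, "unexpected parameter: " + extra[0])
        elif missing:
            verdict = (False, "missing parameter: " + missing[0])
        elif bad:
            verdict = (False, "parameter out of scope: " + bad[0])
        else:
            verdict = (True, "allowed")
    # Every decision, allow or deny, is recorded before the caller sees it.
    AUDIT_LOG.append(json.dumps(
        {"ts": time.time(), "agent": agent, "action": action, "params": params,
         "allowed": verdict[0], "reason": verdict[1]},
        sort_keys=True, default=repr))
    return verdict
```

The check only protects anything if the policy and the log live outside the agent's trust domain, which is why the page places them in a root-owned broker rather than in the agent process.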
They solve different parts of the problem, and OpenScope composes with all of them. A monitored or routed raw path is still a raw path; the broker replaces the dangerous power instead of watching it. And where an agent's own auto mode only decides whether to pause and ask, the broker is the enforced bound that makes leaving it on safe.
Isolates the agent's process, files, and network. Valuable, but an agent inside a sandbox still needs a safe way to act on real systems, so it calls the broker. Complementary, not the same job.
Filters prompts and routes models, but the raw privileged tool still sits behind it, so security depends on perfect coverage. The broker removes the raw path rather than watching it. Use both: gateway for traffic, broker for actions.
Decides which MCP servers and tools an agent may reach, but still hands over the tool itself. The broker hands over a narrow, named action instead of the tool.
A friction dial inside the agent's own trust domain, and the allow-list is in-process, editable by the agent itself. Turning it up removes the human, not the danger. The broker is the bound that lives outside the agent, so leaving auto mode on stays safe.
No raw primitive: named, scoped actions, with the keys held inside the broker and a fleet-wide kill switch. Every privileged call is bounded by a root-owned policy the agent can't edit, so the safe actions run without a human tap and only the operations that should ask you still do. This is the layer the others don't cover, and it sits behind any of them.
The same broker either way: one agent on your laptop, or a fleet of coding agents in production.
Runs fully local, no server. Broker sudo and shell, SSH, and Apple Notes & Mail for Claude Code, Codex, and other agents. One install, nothing leaves your machine.
Run the broker in your own VPC: scoped capabilities and a fleet-wide kill switch, plus prompt-side controls (data-loss prevention, per-model metering) when you need them.
openscope init --force
openscope status
openscope notes list_notes --agent openclaw --folder Work
openscope notes read_note --agent openclaw --folder Work --note "My Note"