Open-source action broker for AI agents

Your AI agent shouldn't be one step away from sending PII to a public model.

OpenScope is an action broker: it replaces an agent's raw access (shell, databases, production) with a short list of narrow, approved actions, and can stop the whole fleet on demand.

So your agents can do real work on auto — install build deps with sudo, SSH into prod, ship a signed macOS build, even bring in remote help — without you babysitting every command.

Open source · runs on your own infrastructure.

Open source
Runs fully local, no server
Narrow, named actions
Stop the fleet on demand
openscope

$ agent: clear user data for inactive accounts

@agent_call: delete_user_data(account_scope="all", confirmed=false)

Requested scope exceeds allowed action policy

OPENSCOPE: Request denied

Action: delete_user_data | Scope: all accounts | Confirmation: missing

Suggested safe action: view_eligible_accounts or delete_user_data(account_scope="single")

Why you need it

The problem isn't that agents are evil. It's that they're fast, literal, and one bad action can be irreversible.

A helpful agent can still delete the wrong database, restart the wrong service, or skip a publishing checklist and leak source code. If the raw privileged path is available, the blast radius is available too.

Production deletion

Told to clean up or reset state, an agent can hit the wrong database if it holds raw DB or shell access.

Release checklist failure

An agent can publish the wrong artifact or leak source if release safety steps live only in prompts or docs.

Literal execution

Agents do what seems locally useful, not what your broader operational intent required.

Fast blast radius

With raw power, mistakes happen at machine speed across sensitive systems.

How it works

Every privileged action runs through the broker.

OpenScope acts as a broker, a checkpoint your agents call instead of touching systems directly. It holds the real keys and exposes only a short list of named, approved actions, each one scoped, policy-checked, and logged.

Architecture diagram (labels recovered from the figure): on the data path, developer tools and AI agents (Codex, Claude Code, OpenCode) send prompts through the customer-owned OpenScope Secure AI Router (DLP + policy + audit), which forwards only approved prompt/response traffic to approved models (Claude, AWS Bedrock, OpenAI, Azure OpenAI, other approved models). The customer-owned OpenScope Action Broker (scoped capabilities, circuit breaker) carries approved action/response calls and issues the privileged action/response against privileged resources (production server, databases, cloud, CI/CD). On the control path, Human Approval (change owner, SRE, manager) returns approve/deny, and physical out-of-band control (circuit breaker/kill switch, HSM/YubiKey, PAM) sets the broker armed/paused. The OpenScope-owned AI Router/Executor control plane (updates, policies, usage, billing) receives usage metadata only, no prompts or responses. Legend: data path, control path; customer-owned, model-provider-owned, OpenScope-owned.
Step 1

The agent calls a named action

It runs a scoped command through the CLI, e.g. openscope ssh restart_service, never raw ssh, sudo, or a database credential.

Step 2

The broker checks policy

Default-deny: an allow rule plus exact parameter scope decides whether the call runs. The keys never reach the agent.

Step 3

A scoped executor runs it

The narrow action executes against the real system over SSH, shell, Notes, or HTTP, with credentials held inside the broker.

Step 4

Logged, and stoppable

Every allow and deny is appended to an audit log, and an out-of-band kill switch can halt the fleet on demand.
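An added, constructed model of the four steps above, using the delete_user_data request from the terminal demo earlier on the page. It is not OpenScope's own code; the rule format, the executor signature and the credential placeholder are assumptions made for the illustration.

```python
# Constructed illustration of the four steps (not OpenScope's code): default-deny
# policy with exact parameter scope, executors holding the keys, audit log, kill switch.
from dataclasses import dataclass, field


@dataclass
class Broker:
    rules: dict         # action name -> list of exactly-scoped parameter dicts it may run with
    executors: dict     # action name -> callable(creds, params); the real keys live here
    creds: dict = field(default_factory=dict)
    armed: bool = True  # out-of-band kill switch: False pauses every agent
    audit: list = field(default_factory=list)

    def _log(self, agent, action, params, verdict, reason, result=None):
        entry = dict(agent=agent, action=action, params=params,
                     verdict=verdict, reason=reason, result=result)
        self.audit.append(entry)    # step 4: every allow and deny is appended
        return entry

    def request(self, agent, action, **params):
        # Step 1: the agent names an action; it never receives a shell or a credential.
        if not self.armed:
            return self._log(agent, action, params, "deny", "fleet paused by kill switch")
        # Step 2: default-deny; only an allow rule with exactly this scope lets it run.
        allowed = self.rules.get(action, [])
        if params not in allowed:
            return self._log(agent, action, params, "deny",
                             f"requested scope exceeds allowed action policy; allowed: {allowed}")
        # Step 3: the scoped executor runs with credentials the agent never sees.
        result = self.executors[action](self.creds, params)
        return self._log(agent, action, params, "allow", "matched allow rule", result)


def delete_user_data(creds, params):
    # Constructed executor standing in for a DB cleanup; it would connect with creds["db"].
    return f"cleared data for {params['account_scope']} account using {creds['db']}"


def demo_broker():
    broker = Broker(
        rules={"delete_user_data": [{"account_scope": "single", "confirmed": True}]},
        executors={"delete_user_data": delete_user_data},
        creds={"db": "placeholder-db-credential"},
    )
    denied = broker.request("agent", "delete_user_data", account_scope="all", confirmed=False)
    allowed = broker.request("agent", "delete_user_data", account_scope="single", confirmed=True)
    broker.armed = False        # the kill switch is pulled out of band
    paused = broker.request("agent", "delete_user_data", account_scope="single", confirmed=True)
    return denied, allowed, paused, broker.audit
```

The denial carries the allowed scopes so the agent can fall back to a narrower call, and the paused-fleet denial is logged like any other verdict.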

What's the difference?

An action broker is not a sandbox, an API gateway, or an MCP gateway, and it is what lets an agent's auto mode stay on safely.

They solve different parts of the problem, and OpenScope composes with all of them. A monitored or routed raw path is still a raw path; the broker replaces the dangerous power instead of watching it. And where an agent's own auto mode only decides whether to pause and ask, the broker is the enforced bound that makes leaving it on safe.

Sandboxing · e.g. OpenShell

Contains where the agent runs

Isolates the agent's process, files, and network. Valuable, but an agent inside a sandbox still needs a safe way to act on real systems, so it calls the broker. Complementary, not the same job.

API / LLM gateway · LiteLLM, Bifrost

Inspects and routes the traffic

Filters prompts and routes models, but the raw privileged tool still sits behind it, so security depends on perfect coverage. The broker removes the raw path rather than watching it. Use both: gateway for traffic, broker for actions.

MCP gateway · e.g. MintMCP

Curates which tools are exposed

Decides which MCP servers and tools an agent may reach, but still hands over the tool itself. The broker hands over a narrow, named action instead of the tool.

Agent auto mode · Claude Code, Cursor, Codex

Only decides whether to ask you

A friction dial inside the agent's own trust domain, and the allow-list is in-process, editable by the agent itself. Turning it up removes the human, not the danger. The broker is the bound that lives outside the agent, so leaving auto mode on stays safe.

Action broker · OpenScope

Contains what the agent can do, so auto mode can stay on

No raw primitive: named, scoped actions, with the keys held inside the broker and a fleet-wide kill switch. Every privileged call is bounded by a root-owned policy the agent can't edit, so the safe actions run without a human tap and only the operations that should ask you still do. This is the layer the others don't cover, and it sits behind any of them.

How to try it

Run it on your machine, or govern a fleet.

The same broker either way: one agent on your laptop, or a fleet of coding agents in production.

Personal · open source

Scope the agent on your machine

Runs fully local, no server. Broker sudo and shell, SSH, and Apple Notes & Mail for Claude Code, Codex, and other agents. One install, nothing leaves your machine.

Enterprise · in-VPC

Govern a fleet of coding agents

Run the broker in your own VPC: scoped capabilities and a fleet-wide kill switch, plus prompt-side controls (data-loss prevention, per-model metering) when you need them.

Quick start: install and broker your first action
openscope init --force
openscope status
openscope notes list_notes --agent openclaw --folder Work
openscope notes read_note --agent openclaw --folder Work --note "My Note"

Production operations

SSH-based remediation

Sensitive databases

Internal admin APIs

Endpoint automation

Finance and support actions

Desktop automation on macOS

Sandboxed agents

Brokered Jira and SSH extensions

Remote ops without a VPN

See it govern a real agent, then talk to us.

The live demo governs a real coding agent end to end, in a customer-owned perimeter you can inspect. We are pre-first-customer and working closely with a small number of design partners running AI agents in production. If that is you, we want to hear what you are trying to address.

Would this workflow still be safe if the agent took one wrong step?