OpenScope Docs
Architecture, setup, integrations, packaging, and deployment guidance.
Get started
Understand the model, then put the broker between your coding agent and your privileged operations.
Overview →
Start here, core architecture, CLI model, quick start, commands, policy model, and configuration layout.
Coding agents →
Govern Claude Code, Codex CLI, OpenCode, Gemini CLI, Cursor, and more: brokered SSH to production, sudo-free system actions, per-agent policy and audit.
Set up by asking your agent →
Hand setup to your coding agent: it drafts a typed, lintable proposal with a root-owned bounds envelope; you review it with plan and apply it, instead of an AI-authored setup script.
AI Router and the live demo
The prompt-side perimeter, content-aware DLP, per-model metering, and signed receipts, plus a hosted demo you can drive end to end.
AI Router & DLP →
The full picture: layered DLP, real-time audit, per-model metering and receipts, and why it is structurally blind to your content.
Live demo ↗
A hosted, role-scoped console, trigger a block, watch the SOC feed, inspect a signed receipt. No setup.
Bring your own agent →
Point Cursor, Claude Code, opencode, or Codex at the router, base URL and key, that is it.
Architecture
The full picture: coding agents reach models through the in-VPC AI Router, DLP, metering, receipts, and agents reach privileged resources through the broker and executor, scoped actions, human approval. Both halves are customer-owned.
Architecture →
The Router + broker/executor model, control vs data paths, and where credentials live.
Implementation spec →
The full technical spec, broker, executor, policy model, and audit.
OpenScope diagrams ↗
The architecture, bypass-risk, execution-containment, and key-containment diagrams.
Integration guides
OpenScope can broker both local app actions and external system actions through the same trust model.
Jira over HTTP →
Keep the Jira token in a broker-owned HTTP profile while exposing narrow actions like get issue and search issues.
SSH target validation ↗
Named targets, scoped services, and explicit policy for SSH-backed operations (in the README).
Custom app manifests ↗
Define new app actions in YAML with action-level parameters and outputs (in the README).
OpenClaw user guide →
How OpenScope fits the local OpenClaw workflow, and why brokered actions are safer than raw local automation.
NemoClaw install →
The client-only sandbox model, the broker stays on the host while the sandbox uses a narrow client surface.
Packaging and operations
OpenScope has a few deployment concerns that matter in practice: signed runtime packaging, broker startup, validation, and pilot readiness.
Suggested reading order
A simple sequence for new visitors.
- Start with the README.
- Read the architecture overview.
- Understand why OpenScope differs from a gateway.
- Wire up your coding agent, Claude Code, Codex CLI, OpenCode, or Gemini CLI.
- Use the validation runbook to test the setup.