How It Works

How OpenScope Works

A thin client sends scoped requests to a broker daemon that enforces policy, performs the approved action, and records the result.

One perimeter, both halves

OpenScope governs the full agent trust perimeter. The AI Router governs what an agent sends to a model, DLP, metering, receipts, and the broker governs what an agent does, scoped actions through a protected executor, with human approval. Both run inside the customer's perimeter; the data and control paths stay yours.

Approve/Deny
Approve/Deny
Developer tools /AI Agents
Codex
Claude Code
OpenCode
Developer tools /AI Agent...
OpenScope Secure AI Router
Customer-owned
DLP + policy + audit
OpenScope Secure AI Router...
OpenScope Action Broker
Scoped capabilities · circuit breaker
Customer-owned
OpenScope Action Broker
OpenScope AI Router/Executor control plane
updates, policies, usage, billing
OpenScope AI Router/Executor co...
Human Approval
Change Owner/ SRE/ Manager
Human Approval...
Physical
Out of Band Control
Circuit Breaker/Kill Switch
HSM YubiKey
PAM
Physical...
Claude
AWS Bedrock
Claude...
OpenAI
Azure OpenAI
OpenAI...
Other approved models
Other approved models
Privileged Resources
Production Server
Databases
Cloud
CI/CD
Privileged Resources...
Data Path
Data Path
Control Path
Control Path
Customer Owned
Customer Owned
Model Provider Owned
Model Provider Owned
OpenScope Owned
OpenScope Owned
Approved Prompt/Response
Approved Prompt/Response
Usage metadata only
NO prompts or responses
Usage metadata only...
Approved Action/Response
Approved Action/Response
Approve/Deny
Approve/Deny
Armed/Paused
Armed/Paused
Privileged Action/Response
Privileged Action/Respo...
Prompt/Response
Prompt/Response
Two deployment targets

Run it on a laptop, or as an enterprise perimeter.

Same philosophy, scoped, allowlisted, validatable, at two very different scales.

Personal · local

OpenScope on your machine

Open source, runs fully local, no server. The action broker governs Notes, Mail, SSH, and YAML-defined apps for Claude Code, OpenClaw, and Codex on your own host. Install it and go.

  • Local broker daemon; keys and approvals stay on your own machine.
  • Best for individual developers and small teams.
Enterprise · in-VPC

A trust perimeter for a fleet

OpenScope runs as endpoints in your VPC, the AI Router (what agents see) and the Action Broker (what agents do), behind a customer-owned control plane, with a real-time SOC view your security team holds.

  • The device holds only a scoped token, no model keys, DB creds, or admin secrets.
  • Credentials and execution stay central in your VPC; the CLI is a thin client.
Two halves of the perimeter

The other half: what the agent sees.

The flow above is the action side, what the agent does. The OpenScope AI Router governs the prompt side, what the agent sends to a model, before it leaves your VPC. One trust boundary, both halves.

DLP at the edge

Inspect every prompt

Content-aware detection blocks proprietary source (HDL / SPICE / netlists), classification and export markers, secrets and PII, before a prompt ever reaches a model.

Metered & receipted

Per-model spend, signed

Every call is metered by model and Ed25519-signed, so spend reconciles without anyone reading prompt content.

In your VPC

Validatable, not promised

It runs in your perimeter and is structurally blind to your content, the database refuses the query, and you can check it yourself in the demo.

Request lifecycle

Every OpenScope request follows the same predictable flow.

1. The agent asks for a scoped action

The agent requests a predefined operation rather than a raw tool surface.

2. The broker validates and authorizes

OpenScope checks agent identity, app, action, and parameter-specific allow rules.

3. The privileged operation stays inside the broker

Automation approvals, credentials, profiles, or targets stay in the broker boundary.

4. The broker records the decision

Allow and deny outcomes are auditable after the fact.

Scoped capabilities, not raw tools

A capability is narrower than a raw tool surface. Instead of generic shell or automation access, the broker exposes named actions whose parameters can participate in policy.

Action examples

openscope notes list_notes --agent openclaw --folder Work
openscope notes read_note --agent openclaw --folder Work --note "Sprint Plan"
openscope mail list_messages --agent openclaw --mailbox Inbox --limit 20 --unread true

Policy examples

sudo openscope policy allow --agent my-agent --app notes --action list_notes --folder Work
sudo openscope policy allow --agent my-agent --app notes --action read_note --folder Work
sudo openscope policy deny  --agent my-agent --app notes --action list_notes --folder Private

Protected integrations

OpenScope starts with Notes and Mail and extends the same broker model to external systems through HTTP profiles, SSH targets, and YAML-defined custom apps.

Notes and Mail

Scoped actions for protected local apps instead of raw automation power.

HTTP profiles

Broker-owned base URLs and auth headers for integrations such as Jira.

SSH targets

Named targets and approved services rather than broad shell access.

Custom apps

YAML-defined actions that preserve the same trust boundary and policy model.

Jira example

A Jira integration can be split into a broker-owned HTTP profile and a user-defined app manifest. The broker keeps the base URL and authorization header while the manifest defines narrow actions.

Packaging and runtime shape

On macOS, OpenScope packages a signed runtime so stable Automation approval attaches to the broker, not to the agent. The CLI stays lightweight while the privileged daemon remains the narrow execution boundary.

  • Signed app bundle for stable identity
  • LaunchAgent-managed daemon
  • CLI wrapper installed on PATH
  • Protected resources bundled with the broker runtime

Build around a broker, not around raw power

OpenScope keeps the request path simple: agent request, broker enforcement, protected executor, auditable result.