Personal · open source

Scoped capabilities for the agents on your machine.

OpenScope is the layer between your AI agents and your real systems — here, the ones on your machine. It runs fully local (no server) and replaces raw shell and Apple-automation access with narrow, named actions for Claude Code, Codex, and other agents. Install it and go.

Get started · runs fully local

Let your agent set it up — you review and apply.

Install the broker, then ask your coding agent to draft a proposal of what it needs. You review it with one command and apply it. The agent proposes; it never grants itself access.

Ask → review → apply
# 1. install + register (no sudo)
openscope doctor && openscope agent register claude-code

# 2. give your agent the openscope skill (SKILL.md), then ask
#    it to draft setup.proposal.yaml — it runs the review for you:
openscope plan --file setup.proposal.yaml

# 3. you apply it — the only sudo step
sudo openscope apply --file setup.proposal.yaml

Give your agent the openscope skill (SKILL.md) so it drafts a proposal instead of editing config, then ask it to set OpenScope up. It runs plan (read-only) — it can't run apply or edit broker config. Risky grants are flagged and blocked before anything is written.

Signed macOS packaging and a LaunchAgent keep the broker running headless on the host — your keys and approvals stay on your own machine. Best for individual developers and small teams who want scoped actions without standing up any server.

Don't ask the agent to be careful with raw power.

Agents are fast, literal, and search for alternate paths. One wrong action — rm on the wrong host, a destructive automation, a leaked secret — can be irreversible. The fix is to remove the raw primitive, not to monitor every possible use of it.

Raw automation

No blanket Apple automation or shell

Keep host-level power out of the agent's hands; expose only the actions you meant it to use.

Key containment

Credentials stay in the broker

Tokens and profiles live in the broker on your host, not reachable through a raw tool path.

Auditable

Every call is logged

Allow and deny outcomes are recorded, so you can see exactly what the agent did and asked for.

The OpenScope model

Narrow, named actions instead of raw tools.

Instead of shell, database credentials, or a direct publishing path, the agent calls a brokered action. The broker keeps the key material, enforces the checklist, and exposes only the smaller action surface you meant the agent to use.

Capability examples
read_note(folder="Work", note="Spec")
send_mail(to="…", subject="…")
ssh_status(target="build-01", service="nginx")

Parameter-level policy applies to each action. The agent sees approved capabilities — not credentials, and not an unsafe shortcut.

  • The agent does not receive the raw privileged primitive.
  • Policy applies to named actions and their parameters.
  • The exposed surface is smaller, checklistable, and easy to review.

How it works

From your prompt to a logged, scoped action — in four steps.

The agent calls the broker instead of the raw tool. Everything below runs on your own machine.

Step 1

The agent calls a named action

It runs a scoped command through the CLI — e.g. openscope ssh restart_service — never raw ssh, sudo, or a database credential.

Step 2

The broker checks policy

Default-deny: an allow rule plus exact parameter scope decides whether the call runs. The keys never reach the agent.

Step 3

A scoped executor runs it

The narrow action executes against the real system — SSH, shell, Notes, or HTTP — with credentials held inside the broker.

Step 4

Logged, and stoppable

Every allow and deny is appended to an audit log, and an out-of-band kill switch can halt the fleet on demand.
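
The default-deny check and the allow/deny logging from the four steps above, as an added example (not OpenScope's own code). The policy layout, the decide and call functions, and the "prod-db" target are assumptions; the action names and the build-01 / nginx values are taken from the capability examples on this page.

```python
import json
import time

# Hypothetical policy layout (an assumption, not OpenScope's config format):
# action name -> parameter name -> set of exact allowed values.
POLICY = {
    "ssh_status": {"target": {"build-01"}, "service": {"nginx"}},
    "read_note": {"folder": {"Work"}, "note": {"Spec"}},
}

AUDIT_LOG = []  # stands in for an append-only audit file


def decide(action, params):
    """Return (allowed, reason). Default-deny: anything not matched is refused."""
    rule = POLICY.get(action)
    if rule is None:
        return False, "no allow rule for action"
    # Exact scope: the call must supply exactly the parameters the rule names,
    # so an extra parameter cannot carry unreviewed behaviour past the check.
    if set(params) != set(rule):
        return False, "parameter set does not match rule"
    for name, value in params.items():
        # Only plain strings are compared; lists or dicts are refused outright.
        if not isinstance(value, str) or value not in rule[name]:
            return False, f"parameter {name!r} out of scope"
    return True, "matched allow rule"


def call(agent, action, **params):
    """Check policy and record the outcome; an executor would run only on True."""
    allowed, reason = decide(action, params)
    AUDIT_LOG.append(json.dumps({
        "ts": time.time(), "agent": agent, "action": action,
        "params": params, "outcome": "allow" if allowed else "deny",
        "reason": reason,
    }, sort_keys=True, default=repr))
    return allowed


if __name__ == "__main__":
    # Constructed sample calls: one in scope, one wrong target, one raw primitive.
    call("claude-code", "ssh_status", target="build-01", service="nginx")
    call("claude-code", "ssh_status", target="prod-db", service="nginx")
    call("claude-code", "shell", cmd="uname -a")
    print("\n".join(AUDIT_LOG))
```

Denied calls are written to the log before the function returns, so a refused request leaves the same kind of record as an allowed one.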

Local workflows it fits

Coding agents like Claude Code and Codex are the primary targets; the same broker also fits OpenClaw, sandboxed NemoClaw, and scoped Notes / Mail / SSH.

Claude Code

A primary target. Broker its shell, SSH, and macOS automation — Claude Code calls named actions through the broker instead of raw ssh / sudo.

Codex CLI

A primary target. Point Codex at the broker (it allowlists the broker's unix socket) so privileged steps run as scoped actions, not raw commands.

OpenClaw on macOS

Brokered Notes and Mail actions instead of handing the agent raw Apple automation access.

Sandboxed NemoClaw

Keep the broker on the host while a sandboxed client calls through a socket or HTTP bridge.

Notes & Mail, scoped

Constrain folders, mailboxes, and action surfaces so the agent gets a narrower, safer interface.

Scoped SSH operations

Name specific targets and allowed services so the agent can request status without broad shell access.

Replace raw power with scoped capabilities.

Harness AI agents for real work on your machine without leaving them one prompt away from a destructive mistake.

Would this workflow still be safe if the agent took one wrong step?