Production deletion
An agent told to clean up or reset state can hit the wrong database if you hand it raw DB or shell access.
Replace Raw Agent Access with a Scoped Broker
Your AI agent should not be one bad step away from dropping production or leaking your source code.
Teams want AI agents to help with releases, operations, and internal workflows. The danger is simple: if the agent has the raw shell, raw database access, or the raw publishing path, one mistake can become a catastrophic action. OpenScope prevents that by replacing raw power with narrow, approved actions.
CLI v2.0.4
$ agent: deploy the new release
raw path: ssh prod && run release script
risk: skipped checklist, uploaded source bundle
$ agent: fix the production incident
@agent_call: openscope release publish_build --agent claude --build 2026.04.02
Checks: signed artifact | checklist complete | source bundle forbidden
BROKER: Approved only after required release checks passed
The problem is not that agents are evil. It is that they are fast, literal, and one bad action can be irreversible.
A helpful agent can still delete the wrong database, restart the wrong service, or skip a publishing checklist and expose private source code. If the raw privileged path is available, the blast radius is available too.
Release checklist failure
An agent can publish the wrong artifact or leak source if release safety steps live only in prompts or docs.
Literal execution
Agents often do exactly what seems locally useful, not what your broader operational intent required.
Fast blast radius
When an agent has raw power, mistakes happen at machine speed across sensitive systems.
The OpenScope Model
OpenScope turns dangerous raw access into safe, reviewable actions.
Instead of giving the agent shell, database credentials, or a direct publishing path, you give it a brokered action like restart_service, publish_build, or refund_payment.
Capability example
restart_service(service="api") publish_build(build="2026.04.02") refund_payment(charge_id="...")
The broker keeps the key material, enforces the checklist, and exposes only the smaller action surface you meant the agent to use.
Security Difference
The key idea: do not ask the agent to be careful with raw power.
Use OpenScope when prompts, checklists, and monitoring are not enough because one wrong action would be too costly.
Execution containment
A monitored raw path is still a raw path.
If the agent can still reach the shell, production database, or release pipeline directly, catastrophic mistakes remain possible. OpenScope replaces that with a narrower action surface.
- The agent does not receive the raw privileged primitive.
- Policy applies to named actions and their parameters.
- The exposed surface is smaller, checklistable, and easier to review.
Key containment
The stronger requirement is that the agent never holds the dangerous path.
OpenScope keeps the key, token, database credential, or publishing control inside the broker instead of leaving it reachable through a raw tool path.
- Keys and broad permissions stay inside the broker.
- The agent sees approved capabilities, not credentials or unsafe shortcuts.
- The trust boundary is simpler to explain to engineering and security teams.
Use Cases
Where capability brokering becomes necessary
Best fit when a single wrong step could create a production, security, or customer-impacting incident.
Production operations
SSH-based remediation
Sensitive databases
Internal admin APIs
Endpoint automation
Finance and support actions
OpenClaw on macOS
Sandboxed NemoClaw
Brokered Jira and SSH extensions
Architecture Overview
OpenScope sits between the intelligence layer and the execution layer.
A broker that translates high-level intents into safe, low-level calls.
Decision Lens
Use OpenScope when “just be careful” is not a sufficient control.
If a mistaken delete, publish, refund, or restart would hurt, move that workflow behind brokered actions.
Use a gateway for governance.
Routing, visibility, review, and broad traffic-plane control still matter.
Use OpenScope for containment.
Brokered actions help when the agent should never receive the raw primitive.
Use both when needed.
Governance and execution containment solve different trust problems.
Quick Start
Try the broker model with real commands.
The banner handles the external calls to action. The homepage keeps one repo-backed command path handy.
openscope init --force openscope status openscope notes list_notes --agent openclaw --folder Work openscope notes read_note --agent openclaw --folder Work --note "My Note"