Letting an AI assistant run commands on a real server is genuinely useful — and genuinely terrifying. A model with full shell on a live box can restart the wrong service, deploy onto an in-use port, or `docker prune` a database volume because nothing told it not to.
So I built **devops-mcp**: a mode-based MCP server that lets AI assistants (Claude Desktop, Cursor, Windsurf) operate Linux servers — without handing them the keys to the kingdom.
The AI can connect, scan, plan, and run read-only diagnostics freely. But every command that changes state on a production-like server passes through a consent gate the AI cannot self-approve — it requires a secret token that's passed out-of-band and that the model literally never sees.
| Mode | Allows | Expiry |
|---|---|---|
| 🟢 SAFE (default) | Read-only allowlist (~250 verbs) | none |
| 🟡 PROVISION | Package installs, Docker/Nginx setup | 1 hour |
| 🔴 FULL | Root, anything | 30 min |
On a server marked `production`, any write is refused without the token + explicit acknowledgement. And for irrecoverable operations — `rm -rf /`, `dd`, `mkfs`, SQL `DROP TABLE`, `docker volume rm` — it additionally makes you confirm a backup exists.
`$(...)` substitutions are validated by their contents, not blanket-escalated.

It's TypeScript, MIT-licensed, and works with any MCP client. Setup is four steps (the key one: generate your elevation token and save it).
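As an added example (not code from the devops-mcp repository), here is a TypeScript sketch of the gate described above: classify a command by the worst thing found anywhere inside it, including `$(...)` contents, then apply the mode, production-token and backup rules. The allowlist, the irrecoverable-operation patterns and the names below are assumptions chosen for illustration.

```typescript
// Added illustration of the consent-gate idea; names, allowlist and rules are hypothetical, NOT devops-mcp's API.
import { timingSafeEqual } from "node:crypto";
export type Mode = "SAFE" | "PROVISION" | "FULL";
export type Severity = "read_only" | "write" | "irrecoverable";
// Token is held by the operator and passed out-of-band; the model never receives it.
export interface GateContext { mode: Mode; production: boolean; elevationToken: string }
export interface GateRequest {
  command: string;
  token?: string;            // supplied by the operator, not by the model
  acknowledged?: boolean;    // explicit acknowledgement required for production writes
  backupConfirmed?: boolean; // extra confirmation for irrecoverable operations
}
// Constructed read-only allowlist (the real one is ~250 verbs) and irrecoverable patterns.
const READ_ONLY_VERBS = new Set(["ls", "cat", "df", "free", "ps", "uptime", "journalctl", "grep"]);
const IRRECOVERABLE = [/\brm\s+(-\S+\s+)*\/(\s|$)/, /\bdd\b/, /\bmkfs(\.\w+)?\b/,
  /\bDROP\s+TABLE\b/i, /\bdocker\s+volume\s+rm\b/];
const RANK: Record<Severity, number> = { read_only: 0, write: 1, irrecoverable: 2 };

// $(...) contents are classified on their own merits (not blanket-escalated), every pipeline
// or chain segment is checked against the allowlist, and the worst finding wins.
export function classify(command: string): Severity {
  let worst: Severity = "read_only";
  const bump = (s: Severity) => { if (RANK[s] > RANK[worst]) worst = s; };
  const sub = /\$\(([^()]*)\)/g;
  for (let m = sub.exec(command); m; m = sub.exec(command)) bump(classify(m[1]));
  const outer = command.replace(/\$\([^()]*\)/g, "");
  if (IRRECOVERABLE.some((re) => re.test(outer))) bump("irrecoverable");
  for (const seg of outer.split(/\|\||&&|[|;]/)) {
    const verb = seg.trim().split(/\s+/)[0];
    if (verb && !READ_ONLY_VERBS.has(verb)) bump("write");
  }
  return worst;
}
// Constant-time token comparison; a length mismatch is simply a mismatch.
function tokenMatches(supplied: string | undefined, expected: string): boolean {
  const a = new TextEncoder().encode(supplied ?? ""), b = new TextEncoder().encode(expected);
  return a.length === b.length && timingSafeEqual(a, b);
}
// Assumed mode rules: writes need PROVISION or FULL, irrecoverable operations need FULL.
export function gate(ctx: GateContext, req: GateRequest): { allowed: boolean; reason: string } {
  const sev = classify(req.command);
  if (sev === "read_only") return { allowed: true, reason: "read-only allowlist" };
  if (ctx.mode === "SAFE") return { allowed: false, reason: "SAFE mode refuses state changes" };
  if (sev === "irrecoverable" && ctx.mode !== "FULL") return { allowed: false, reason: "needs FULL mode" };
  if (ctx.production && (!tokenMatches(req.token, ctx.elevationToken) || !req.acknowledged))
    return { allowed: false, reason: "production: valid elevation token and acknowledgement required" };
  if (sev === "irrecoverable" && !req.backupConfirmed) return { allowed: false, reason: "confirm a backup exists" };
  return { allowed: true, reason: `${sev} permitted in ${ctx.mode} mode` };
}
```

Note that `echo $(rm -rf /)` is classified as irrecoverable while `cat $(ls /etc)` stays read-only, which is the "validated by their contents" behaviour the post describes.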
⭐ Repo: https://github.com/MHasnainJafri/devops-mcp I'd love feedback — especially on the threat model and whether the mode boundaries feel right for how you run infra.