{"slug": "i-gave-claude-ssh-access-to-my-server-here-s-the-consent-gate-that-makes-it-safe", "title": "I gave Claude SSH access to my server — here's the consent gate that makes it safe", "summary": "A developer built devops-mcp, a mode-based MCP server that lets AI assistants like Claude Desktop, Cursor, and Windsurf operate Linux servers with restricted permissions. The tool enforces a consent gate for state-changing commands, requiring an out-of-band secret token that the AI never sees, and adds extra confirmation for irreversible operations. It is open-source under MIT license and available on GitHub.", "body_md": "Letting an AI assistant run commands on a real server is genuinely useful — and genuinely terrifying. A model with full shell on a live box can restart the wrong service, deploy onto an in-use port, or `docker prune` a database volume because nothing told it not to.\n\nSo I built **devops-mcp**: a mode-based MCP server that lets AI assistants (Claude Desktop, Cursor, Windsurf) operate Linux servers — without handing them the keys to the kingdom.\n\nThe AI can connect, scan, plan, and run read-only diagnostics freely. But every command that *changes state* on a production-like server passes through a consent gate the AI **cannot self-approve** — it requires a secret token that's passed out-of-band and that the model literally never sees.\n\n| Mode | Allows | Expiry |\n|---|---|---|\n| 🟢 SAFE (default) | Read-only allowlist (~250 verbs) | none |\n| 🟡 PROVISION | Package installs, Docker/Nginx setup | 1 hour |\n| 🔴 FULL | Root, anything | 30 min |\n\nOn a server marked `production`, any write is refused without the token + explicit acknowledgement. 
And for *irrecoverable* operations — `rm -rf /`, `dd`, `mkfs`, SQL `DROP TABLE`, `docker volume rm` — it *additionally* makes you confirm a backup exists.\n\n`$(...)` substitutions are validated by their contents, not blanket-escalated.\n\nIt's TypeScript, MIT-licensed, and works with any MCP client. Setup is four steps (the key one: generate your elevation token and save it).\n\n⭐ **Repo:** [https://github.com/MHasnainJafri/devops-mcp](https://github.com/MHasnainJafri/devops-mcp)\n\nI'd love feedback — especially on the threat model and whether the mode boundaries feel right for how you run infra.", "url": "https://wpnews.pro/news/i-gave-claude-ssh-access-to-my-server-here-s-the-consent-gate-that-makes-it-safe", "canonical_source": "https://dev.to/mhasnainjafri/i-gave-claude-ssh-access-to-my-server-heres-the-consent-gate-that-makes-it-safe-3am3", "published_at": "2026-06-27 05:07:39+00:00", "updated_at": "2026-06-27 06:03:57.941325+00:00", "lang": "en", "topics": ["ai-agents", "developer-tools", "ai-safety", "ai-infrastructure"], "entities": ["devops-mcp", "Claude Desktop", "Cursor", "Windsurf", "MCP", "Linux", "GitHub", "MHasnainJafri"], "alternates": {"html": "https://wpnews.pro/news/i-gave-claude-ssh-access-to-my-server-here-s-the-consent-gate-that-makes-it-safe", "markdown": "https://wpnews.pro/news/i-gave-claude-ssh-access-to-my-server-here-s-the-consent-gate-that-makes-it-safe.md", "text": "https://wpnews.pro/news/i-gave-claude-ssh-access-to-my-server-here-s-the-consent-gate-that-makes-it-safe.txt", "jsonld": "https://wpnews.pro/news/i-gave-claude-ssh-access-to-my-server-here-s-the-consent-gate-that-makes-it-safe.jsonld"}}