# I gave Claude SSH access to my server — here's the consent gate that makes it safe

> Source: <https://dev.to/mhasnainjafri/i-gave-claude-ssh-access-to-my-server-heres-the-consent-gate-that-makes-it-safe-3am3>
> Published: 2026-06-27 05:07:39+00:00

Letting an AI assistant run commands on a real server is genuinely useful — and genuinely terrifying. A model with full shell on a live box can restart the wrong service, deploy onto an in-use port, or `docker volume prune` a database volume because nothing told it not to.

So I built **devops-mcp**: a mode-based MCP server that lets AI assistants (Claude Desktop, Cursor, Windsurf) operate Linux servers without handing them the keys to the kingdom.

The AI can connect, scan, plan, and run read-only diagnostics freely. But every command that *changes state* on a production-like server passes through a consent gate the AI **cannot self-approve** — it requires a secret token that's passed out-of-band and that the model literally never sees.

| Mode | Allows | Expiry |
|---|---|---|
| 🟢 SAFE (default) | Read-only allowlist (~250 verbs) | none |
| 🟡 PROVISION | Package installs, Docker/Nginx setup | 1 hour |
| 🔴 FULL | Root, anything | 30 min |

On a server marked `production`, any write is refused without the token plus an explicit acknowledgement. And for *irrecoverable* operations (`rm -rf /`, `dd`, `mkfs`, SQL `DROP TABLE`, `docker volume rm`) it *additionally* makes you confirm a backup exists.

`$(...)` substitutions are validated by their contents, not blanket-escalated: the inner command is classified against the same rules as a top-level one, so `cat $(ls /etc)` stays read-only while `echo $(rm -rf /)` is treated as the destructive command it contains.

It's TypeScript, MIT-licensed, and works with any MCP client. Setup is four steps (the key one: generate your elevation token and save it).

⭐ **Repo:** [https://github.com/MHasnainJafri/devops-mcp](https://github.com/MHasnainJafri/devops-mcp)

I'd love feedback — especially on the threat model and whether the mode boundaries feel right for how you run infra.
