Letting an AI assistant run commands on a real server is genuinely useful — and genuinely terrifying. A model with full shell on a live box can restart the wrong service, deploy onto an in-use port, or docker prune a database volume because nothing told it not to.
So I built devops-mcp: a mode-based MCP server that lets AI assistants (Claude Desktop, Cursor, Windsurf) operate Linux servers — without handing them the keys to the kingdom.
The one rule: reading is free, changing needs a human
The AI can connect, scan, plan, and run read-only diagnostics freely. But every command that changes state on a production-like server passes through a consent gate the AI cannot self-approve — it requires a secret token that's passed out-of-band and that the model literally never sees.
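One way to build a gate like this, as an added example that is not devops-mcp's own code: the allowlist, the `ConsentGate` class and the demo token are assumptions made for illustration. It assumes the operator's token reaches `authorize` through a human-side channel rather than a tool argument the model fills in, and that the server stores only the token's SHA-256 digest.

```python
import hashlib
import hmac
import shlex
from typing import Optional

# Hypothetical allowlist: program -> permitted subcommands (None = any arguments).
READ_ONLY = {
    "ls": None, "cat": None, "df": None, "uptime": None, "ss": None,
    "systemctl": {"status", "is-active", "list-units"},
    "docker": {"ps", "logs", "inspect", "images"},
}
SHELL_META = set(";|&`$><\n")  # chaining or redirection could smuggle in a write
DEMO_DIGEST = hashlib.sha256(b"constructed-demo-token").hexdigest()  # constructed sample


def is_read_only(command: str) -> bool:
    """Default-deny: only commands fully matched by the allowlist count as reads."""
    if SHELL_META & set(command):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes and similar parse failures
        return False
    if not argv or argv[0] not in READ_ONLY:
        return False
    subs = READ_ONLY[argv[0]]
    return subs is None or (len(argv) > 1 and argv[1] in subs)


class ConsentGate:
    def __init__(self, token_sha256_hex: str):
        # Only the digest lives in the server process; the operator keeps the token.
        self._digest = bytes.fromhex(token_sha256_hex)

    def authorize(self, command: str, operator_token: Optional[str] = None) -> dict:
        # The returned dict is what the model sees, so it never echoes the token.
        if is_read_only(command):
            return {"allowed": True, "reason": "read-only"}
        if operator_token is None:
            return {"allowed": False, "reason": "consent required from operator"}
        supplied = hashlib.sha256(operator_token.encode()).digest()
        if hmac.compare_digest(supplied, self._digest):  # constant-time comparison
            return {"allowed": True, "reason": "operator consent"}
        return {"allowed": False, "reason": "invalid consent token"}
```

Anything the allowlist does not recognise is treated as state-changing, so a new or misspelled command fails closed and waits for a human.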
Three trust levels, not one god-mode






