
devops-mcp — Safe AI DevOps & Linux Server Automation over SSH

@MHasnainJafri

devops-mcp lets AI assistants (Claude Desktop, Cursor, Windsurf) connect, scan, plan, and deploy on real Linux servers over SSH — without handing the model the keys to the kingdom. Reading is always allowed; anything that changes state on a production-like server is refused unless the user supplies a secret elevation token the model never sees. Three access modes (SAFE / PROVISION / FULL), of which the two elevated ones are time-limited and auto-expire back to SAFE; a production write-gate that demands backup confirmation for irrecoverable ops; shell-quoted arguments; prompt-injection-tagged output; and a full JSON-lines audit log. Self-hosted: clone and build the project locally — an online/hosted MCP is not safe for this security tooling. 32 tools, TypeScript, MIT.
Overview

devops-mcp

Let AI assistants operate your Linux servers — behind a human consent gate the model can't self-approve.

devops-mcp is a mode-based MCP (Model Context Protocol) server that lets AI assistants such as Claude Desktop, Cursor, and Windsurf actually operate Linux servers over SSH — without handing them the keys to the kingdom. The model can connect, scan, plan, and deploy, but every step that changes state on a production-like server passes through a consent gate the AI cannot self-approve. Discovery is read-only by design.

Self-hosted by design: clone and build the project locally. An online/hosted instance is NOT safe for this security tooling, because the elevation token must stay out-of-band and invisible to the model.

Why this exists

Generic "run-any-command" MCP servers are dangerous on production boxes. A model with full shell on a live server can restart the wrong service, deploy onto an in-use port, prune a database volume, or escalate itself to root because nothing told it not to. devops-mcp draws a hard line between reading and changing: reading is always allowed within a read-only SAFE allowlist, while changing on a production-like server requires the human's token, passed out-of-band and invisible to the model.

Key features

  • Three-tier access modes: SAFE (read-only allowlist, no expiry), PROVISION (system installs, 1h), FULL (root, 30min). Sessions auto-expire back to SAFE.
  • Out-of-band consent token: elevation and approvals require a string only the user has. The model literally cannot read it.
  • Production write-gate: any non-SAFE command on a production server needs the consent token plus explicit acknowledgement; irrecoverable/catastrophic ops additionally require backup confirmation.
  • Safety hardening: shell-quoted arguments, quote-aware chain splitting, a ~250-verb read-only allowlist, recursive command-substitution validation, and write-redirect detection.
  • Prompt-injection defense: content scraped from servers is returned tagged as untrusted DATA, not instructions.
  • Full audit trail: every command, mode change, approval, and scan is written to a JSON-lines audit log.

Tech

  • TypeScript, stdio transport, 32 tools, MIT license.
  • Repository: https://github.com/MHasnainJafri/devops-mcp
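The mechanisms listed under Key features (quote-aware chain splitting, the read-only verb allowlist, recursive command-substitution checks, write-redirect detection, mode auto-expiry, the out-of-band token and the production write-gate) fit together as one small gate. The module below is an added example written for this page, not devops-mcp's own code: the allowlist contents, the TTL constants, the `Session` class, the `GateRequest` fields and every other name are assumptions made for illustration, and it models only the read/write split plus a "root escalation needs FULL" rule rather than the project's full PROVISION-versus-FULL policy.

```typescript
// Added example for this page, not devops-mcp's code. Allowlist contents, TTLs
// and all names are assumptions; the real project ships ~250 allowlisted verbs.
import { createHash, timingSafeEqual } from "node:crypto";

export type Mode = "SAFE" | "PROVISION" | "FULL";

// Hypothetical read-only allowlist (stand-in for the project's ~250 verbs).
export const READ_ONLY_VERBS = new Set(["ls", "cat", "head", "tail", "grep", "df", "du", "ps", "ss", "uname", "journalctl", "wc"]);
const ROOT_VERBS = new Set(["sudo", "su", "doas"]);
// Mode lifetimes in ms: SAFE never expires, PROVISION 1h, FULL 30min, as the README lists.
const MODE_TTL_MS: Record<Mode, number | null> = { SAFE: null, PROVISION: 3_600_000, FULL: 1_800_000 };

interface Scan { segments: string[]; writes: boolean; substitutions: string[]; unterminated: boolean }

// One pass over a shell line, tracking quotes, escapes and $( )/backtick nesting:
// splits the top-level chain on ; | || & &&, flags unquoted file redirects, and
// collects every command-substitution body so it can be validated recursively.
function scan(line: string): Scan {
  const segments: string[] = [], substitutions: string[] = [];
  let writes = false, cur = "", quote: "'" | '"' | null = null, depth = 0, subStart = -1, tick = -1;
  for (let i = 0; i < line.length; i++) {
    const c = line[i], next = line[i + 1];
    if (c === "\\" && quote !== "'") { cur += c + (next ?? ""); i++; continue; }   // escaped character
    if (quote === "'") { if (c === "'") quote = null; cur += c; continue; }         // single quotes: all literal
    if (c === "'" && !quote) { quote = "'"; cur += c; continue; }
    if (c === '"') { quote = quote ? null : '"'; cur += c; continue; }
    // Unquoted or inside double quotes, where $( ) and backticks still expand.
    if (c === "$" && next === "(") { if (depth++ === 0) subStart = i + 2; cur += "$("; i++; continue; }
    if (c === ")" && depth > 0) { if (--depth === 0) substitutions.push(line.slice(subStart, i)); cur += c; continue; }
    if (c === "`") { if (tick < 0) tick = i + 1; else { substitutions.push(line.slice(tick, i)); tick = -1; } cur += c; continue; }
    if (quote || depth > 0 || tick >= 0) { cur += c; continue; }                     // not top level: no splitting here
    if (c === ">" && next === "&") { cur += ">&"; i++; continue; }                  // 2>&1 duplicates an fd; no file is written
    if (c === ">") { writes = true; cur += c; continue; }
    if (c === ";" || c === "|" || c === "&") { if (cur.trim()) segments.push(cur.trim()); cur = ""; if (next === c) i++; continue; }
    cur += c;
  }
  if (cur.trim()) segments.push(cur.trim());
  return { segments, writes, substitutions, unterminated: quote !== null || depth > 0 || tick >= 0 };
}

// First token that is not a VAR=value prefix.
function verb(segment: string): string {
  return segment.split(/\s+/).find((t) => t && !/^[A-Za-z_]\w*=/.test(t)) ?? "";
}

// Read-only means: every chain segment starts with an allowlisted verb, nothing
// redirects to a file, quoting is balanced, and every $( )/backtick body is itself read-only.
export function isReadOnly(line: string): boolean {
  const s = scan(line);
  if (s.unterminated || s.writes || s.segments.length === 0) return false;
  if (!s.segments.every((seg) => READ_ONLY_VERBS.has(verb(seg)))) return false;
  return s.substitutions.every(isReadOnly);
}

const digest = (s: string): Buffer => createHash("sha256").update(s).digest();

export class Session {
  private mode: Mode = "SAFE";
  private expiresAt: number | null = null;
  readonly audit: string[] = [];                        // JSON-lines audit log, one JSON document per entry
  constructor(private readonly tokenDigest: Buffer) {}
  static fromToken(token: string): Session { return new Session(digest(token)); }

  // Constant-time comparison of digests; the caller only ever learns true/false.
  checkToken(token: string | undefined): boolean {
    return token !== undefined && timingSafeEqual(digest(token), this.tokenDigest);
  }
  currentMode(now = Date.now()): Mode {
    if (this.expiresAt !== null && now >= this.expiresAt) this.setMode("SAFE", now);   // auto-expire back to SAFE
    return this.mode;
  }
  elevate(mode: Mode, token: string | undefined, now = Date.now()): boolean {
    if (!this.checkToken(token)) { this.log({ event: "elevate", mode, ok: false }, now); return false; }
    this.setMode(mode, now);
    return true;
  }
  private setMode(mode: Mode, now: number): void {
    const ttl = MODE_TTL_MS[mode];
    this.mode = mode; this.expiresAt = ttl === null ? null : now + ttl;
    this.log({ event: "mode", mode, expiresAt: this.expiresAt }, now);
  }
  log(entry: Record<string, unknown>, now = Date.now()): void {
    this.audit.push(JSON.stringify({ ts: new Date(now).toISOString(), ...entry }));
  }
}

export interface GateRequest {
  command: string; production: boolean; token?: string;
  ackProduction?: boolean; irrecoverable?: boolean; backupConfirmed?: boolean;
}

// The gate: reads always pass; writes need an unexpired elevated mode, FULL for root
// escalation, and on production the token plus acknowledgement (plus backup
// confirmation for irrecoverable operations). Every decision is audited.
export function gate(session: Session, req: GateRequest, now = Date.now()): { allowed: boolean; reason: string } {
  const mode = session.currentMode(now);
  const decide = (allowed: boolean, reason: string) => {
    session.log({ event: "command", command: req.command, mode, allowed, reason }, now);
    return { allowed, reason };
  };
  if (isReadOnly(req.command)) return decide(true, "read-only allowlist");
  if (mode === "SAFE") return decide(false, "SAFE mode refuses state changes; elevate first");
  if (scan(req.command).segments.some((s) => ROOT_VERBS.has(verb(s))) && mode !== "FULL") return decide(false, "root escalation needs FULL");
  if (req.production) {
    if (!session.checkToken(req.token)) return decide(false, "production write-gate: consent token missing or wrong");
    if (!req.ackProduction) return decide(false, "production write-gate: explicit acknowledgement required");
    if (req.irrecoverable && !req.backupConfirmed) return decide(false, "irrecoverable op: backup confirmation required");
  }
  return decide(true, `${mode} mode`);
}
```

`gate()` returns an allowed/reason pair and appends one JSON line per decision to `session.audit`; because the token is compared as a SHA-256 digest in constant time and only a boolean leaves `checkToken`, the caller never learns the token itself. Note that `'$(rm -rf x)'` in single quotes is accepted as literal text while `"$(...)"` in double quotes is still expanded by the shell, which is why the scanner keeps tracking substitutions inside double quotes. In a real deployment the token is read from the server process environment, as `DEVOPS_MCP_ELEVATION_TOKEN` is in the config below, so the file holding that config must be protected like any other credential.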

Server Config

{
  "mcpServers": {
    "devops-mcp": {
      "command": "node",
      "args": [
        "/absolute/path/to/devops-mcp/dist/index.js"
      ],
      "env": {
        "DEVOPS_MCP_ELEVATION_TOKEN": "<your-generated-token>",
        "LOG_LEVEL": "info"
      }
    }
  }
}
© 2025 MCP.so. All rights reserved.
