Execution drift
Agents can change behavior without a normal redeploy.
Infrastructure for Autonomous Intelligence
Don’t give AI agents raw power. Give them scoped capabilities.
OpenScope turns raw privileged access into narrow, policy-bound actions. Keep keys in the broker, remove raw interfaces from the agent path, and audit every decision.
CLI v2.0.4
$ openscope init --force
Writing default config and policy...
✓ Broker configuration initialized
✓ Default policy file written
$ openscope status
@agent_call: openscope notes list_notes --agent openclaw --folder Work
App: notes | Action: list_notes | Folder: Work
BROKER: Request approved by policy
AI gateways help. High-risk workflows still need stronger containment.
AI gateways improve governance and visibility. OpenScope is for the stricter case: the agent should not receive the raw privileged path at all.
Adaptive routing
Prompt and config changes can alter access patterns fast.
Alternate paths
Adaptive agents search for alternate paths.
Coverage risk
Coverage-dependent filtering is weaker when the actor is goal-seeking.
The OpenScope Model
Contain keys. Remove raw powers. Expose only approved actions.
OpenScope inserts a broker between the agent and the sensitive system. The agent gets explicit actions, not raw tools.
Capability example
read_note(folder="Work") restart_service(service="api") refund_payment(charge_id="...")
The broker keeps the key material and privileged interface. The agent only sees a reviewable action surface.
Security Difference
The security difference is not filtering better. It is removing the raw path.
A gateway inspects a raw privileged path. A brokered-capability model removes that path from the agent entirely.
Execution containment
A gateway path is still a raw path.
OpenScope replaces the broad privileged surface with a constrained capability surface that is easier to reason about and harder to bypass.
- The agent does not receive the raw privileged tool.
- Policy applies to named actions and their parameters.
- The exposed surface is smaller and easier to review.
Key containment
The stronger requirement is that the agent never holds the key.
OpenScope keeps the key, token, or broad permission inside the broker instead of leaving it reachable through a raw tool path.
- Keys and broad permissions stay inside the broker.
- The agent sees approved capabilities, not credentials.
- The trust boundary is simpler to explain and enforce.
Use Cases
Where capability brokering becomes necessary
Best fit when the agent should never hold the raw primitive.
Production operations
SSH-based remediation
Sensitive databases
Internal admin APIs
Endpoint automation
Finance and support actions
OpenClaw on macOS
Sandboxed NemoClaw
Brokered Jira and SSH extensions
Architecture Overview
OpenScope sits between the intelligence layer and the execution layer.
A broker that translates high-level intents into safe, low-level calls.
Decision Lens
Use OpenScope when raw privileged access should disappear from the agent path.
The homepage gives the high-level model. The deeper comparison lives in Why OpenScope.
Use a gateway for governance.
Routing, visibility, review, and broad traffic-plane control still matter.
Use OpenScope for containment.
Brokered actions help when the agent should never receive the raw primitive.
Use both when needed.
Governance and execution containment solve different trust problems.
Quick Start
Try the broker model with real commands.
The banner handles the external calls to action. The homepage keeps one repo-backed command path handy.
openscope init --force openscope status openscope notes list_notes --agent openclaw --folder Work openscope notes read_note --agent openclaw --folder Work --note "My Note"