Security & Tenancy

Built-in safety controls for the AI-native control plane.

Authentication

OpsOrch supports industry-standard authentication protocols to ensure only authorized operators can access the control plane.

  • API Tokens

    Scoped tokens for CI/CD pipelines and external automation.

Safe Control Plane

A core design principle of OpsOrch is that the control plane itself must be safe by default.

Read-Only Defaults

Global "Observer" mode can be enforced to prevent any write actions (restarts, rollbacks) from the Console.

Audit Logs

Every action - whether by a human click or AI Copilot execution - is logged with identity, timestamp, and inputs.

AI Safety & Sandboxing

When using OpsOrch Copilot, you are granting an AI agent access to your infrastructure. We take this seriously.

1. Human-in-the-Loop for Write Actions

The Copilot can plan destructive actions (e.g., "Rollback service X"), but it cannot execute them without explicit user confirmation in the UI. The "Execute" step is a separate, protected control, distinct from the planning view, so a plan is never carried out as a side effect of being generated.

2. Tool Sandboxing (MCP)

The AI does not have direct SSH access or database credentials. It can only call specific, typed tools exposed by the MCP (Model Context Protocol) server (e.g., `list_incidents`, `restart_service`). You define exactly which tools are available, so a tool that is not registered cannot be called at all.
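The following is an added example, not OpsOrch code, showing how the controls above (Read-Only Defaults, Audit Logs, Human-in-the-Loop for Write Actions, and Tool Sandboxing) fit together when they are enforced in the tool server rather than only in the UI. The tool names, the `ToolGateway` class, the confirmation-token format and the sample incident data are all hypothetical; the point is the gate: write tools are refused in observer mode, run only with a single-use confirmation bound to the exact tool and arguments a human approved, and every attempt, allowed or refused, lands in the audit log with identity, timestamp and inputs.

```python
# Added example (hypothetical, not OpsOrch's implementation): a server-side
# gateway in front of the tools an AI agent may call.
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Constructed sample data standing in for a real incident store.
INCIDENTS = [{"id": "INC-1", "service": "checkout", "status": "open"}]


@dataclass(frozen=True)
class Tool:
    name: str
    write: bool                 # True for actions that change infrastructure
    fn: Callable[..., Any]


class ToolGateway:
    """Gate every agent tool call: registry check, observer mode,
    human confirmation for writes, and an audit entry for each attempt."""

    def __init__(self, tools: List[Tool], observer_mode: bool = False) -> None:
        self.tools = {t.name: t for t in tools}
        self.observer_mode = observer_mode
        self._confirm_key = secrets.token_bytes(32)   # server secret, never exposed to the agent
        self._spent: set = set()                      # nonces of confirmations already used
        self.audit: List[Dict[str, Any]] = []

    @staticmethod
    def plan_id(tool: str, args: Dict[str, Any]) -> str:
        # Canonical JSON so a confirmation is bound to these exact inputs.
        blob = json.dumps({"tool": tool, "args": args}, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def confirm(self, human: str, tool: str, args: Dict[str, Any]) -> Dict[str, str]:
        """Issued when a human approves a planned action (the UI's Execute step).
        Returns a single-use token tied to the plan and the approver."""
        nonce = secrets.token_hex(16)
        pid = self.plan_id(tool, args)
        tag = hmac.new(self._confirm_key, f"{pid}:{nonce}:{human}".encode(), "sha256").hexdigest()
        return {"plan_id": pid, "nonce": nonce, "by": human, "tag": tag}

    def call(self, actor: str, tool: str, args: Dict[str, Any],
             confirmation: Optional[Dict[str, str]] = None) -> Any:
        entry: Dict[str, Any] = {"ts": time.time(), "actor": actor, "tool": tool, "args": args}
        try:
            t = self.tools.get(tool)
            if t is None:
                raise PermissionError("tool not exposed")
            if t.write:
                if self.observer_mode:
                    raise PermissionError("observer mode: writes disabled")
                if confirmation is None:
                    raise PermissionError("write requires human confirmation")
                c = confirmation
                expected = hmac.new(self._confirm_key,
                                    f"{c['plan_id']}:{c['nonce']}:{c['by']}".encode(),
                                    "sha256").hexdigest()
                if (c["plan_id"] != self.plan_id(tool, args)
                        or not hmac.compare_digest(expected, c["tag"])):
                    raise PermissionError("confirmation does not match this call")
                if c["nonce"] in self._spent:
                    raise PermissionError("confirmation already used")
                self._spent.add(c["nonce"])
                entry["confirmed_by"] = c["by"]
            result = t.fn(**args)
            entry["outcome"] = "ok"
            return result
        except PermissionError as exc:
            entry["outcome"] = f"refused: {exc}"
            raise
        finally:
            self.audit.append(entry)      # logged whether allowed or refused


def list_incidents() -> List[Dict[str, str]]:
    return list(INCIDENTS)


def restart_service(service: str) -> str:
    return f"restarted {service}"        # stand-in for the real action


def build_gateway(observer_mode: bool = False) -> ToolGateway:
    return ToolGateway([Tool("list_incidents", False, list_incidents),
                        Tool("restart_service", True, restart_service)],
                       observer_mode=observer_mode)


def refused(gw: ToolGateway, *call_args: Any) -> Optional[str]:
    """Run a call and return the refusal reason, or None if it succeeded."""
    try:
        gw.call(*call_args)
        return None
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.call("copilot", "list_incidents", {}))
    print(refused(gw, "copilot", "restart_service", {"service": "checkout"}))
    ok = gw.confirm("alice", "restart_service", {"service": "checkout"})
    print(gw.call("copilot", "restart_service", {"service": "checkout"}, ok))
    print(refused(gw, "copilot", "restart_service", {"service": "checkout"}, ok))
    for e in gw.audit:
        print(e)
```

Two design choices worth noting: the confirmation is bound to a hash of the canonical tool name and arguments, so an agent cannot reuse an approval for "restart checkout" to restart a different service, and the nonce makes it single-use, so one click authorizes exactly one execution.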

3. Zero Data Retention

OpsOrch Core does not train on your data. Context retrieved for RAG (Retrieval Augmented Generation) is transient and exists only for the duration of the request; it is not persisted once the request completes. This is separate from the audit log described above, which does retain the identity, timestamp, and inputs of each action.

Security is not an afterthought. It is baked into the contract-first architecture.