Noureddine RAMDI / OpsKat: AI-first secure infrastructure management with policy-enforced AI agents

Created Sat, 23 May 2026 20:41:14 +0000 Modified Sat, 23 May 2026 20:41:27 +0000
974 Words
github-stars typescript go ai infrastructure ssh databases security

opskat/opskat

OpsKat tackles a problem that most infrastructure operators quietly dread: how to safely give AI coding assistants and automated agents direct, auditable access to production systems. By combining a policy-driven security model with an AI-first interface, OpsKat lets you unify SSH servers, databases, and message brokers under a single desktop app where natural language commands are actually executed against your remote infrastructure. This isn’t just a fancy dashboard; it’s a grounded attempt to securely bridge AI-driven automation and production ops.

What OpsKat does and how it’s built

At its core, OpsKat is an open-source desktop application designed to manage a variety of remote infrastructure assets including SSH-accessible servers, MySQL and PostgreSQL databases, Redis, MongoDB, and Kafka clusters. It uses Wails v2 to combine a Go backend with a modern React 19 + TypeScript frontend, providing a native desktop experience without sacrificing web stack flexibility.

The standout feature is the AI agent that interprets operations described in natural language and executes them with strict policy enforcement. Under the hood, OpsKat unifies multiple infrastructure types into a consistent interface, allowing users to query databases, manage Kafka topics, browse Redis keys, and open SSH terminals all from one place.

Security is baked into the architecture. Operations pass through customizable allow and deny lists, and a SQL parser actively blocks dangerous queries like unqualified DELETE operations. These policies can be grouped into templates and pre-approved permission sets, enabling granular control over what AI agents or users can do.

Audit logging is comprehensive, capturing not just executed commands but also the decision trail of policy enforcement, which is critical for compliance and incident analysis.

Besides the GUI, OpsKat includes a standalone CLI called opsctl, designed to integrate with AI coding assistants such as Claude Code, Codex, and Gemini CLI. This CLI shares the same policy and audit enforcement, enabling programmatic AI-driven management workflows that remain secure and traceable.

Technical strengths and design tradeoffs

The technical centerpiece of OpsKat is its policy-enforced AI agent execution model. Allowing AI agents to run commands directly on production infrastructure is risky, and OpsKat mitigates this by implementing strict operation policies that act as gatekeepers. This approach balances flexibility with safety, but it also introduces complexity in policy management. Administrators must carefully define and maintain allow/deny lists, which could become cumbersome in highly dynamic environments.

The SQL parser that blocks unsafe queries is a practical safeguard. It prevents common destructive mistakes, such as accidental full-table deletes, which are a notorious pain point in database operations. This parser, however, adds overhead and complexity to query execution, and edge cases in SQL dialects might require fine-tuning.

The audit logging is a strong point. By capturing the full decision trail, OpsKat provides transparency into what happened and why. This is invaluable for troubleshooting and regulatory compliance. The tradeoff here is the additional storage and processing overhead, which may become significant in large-scale environments.

The choice of Wails v2 to build a desktop app with a Go backend and React frontend is sensible. It provides native experience with the robustness and performance of Go, while React ensures a responsive and modern UI. However, this stack introduces the complexity of maintaining two languages and their integration.

The opsctl CLI integration with AI coding assistants is an unusual and interesting feature. It opens the door for AI-driven infrastructure automation workflows, but it also demands rigorous security auditing and policy enforcement to avoid accidental or malicious misuse.

Quick start

Prerequisites: Go 1.25+, Node.js 22+ with pnpm, Wails v2 CLI

make install        # Install frontend dependencies
make dev            # Development mode (hot reload)
make build          # Production build
make build-embed    # Production build with embedded opsctl
make build-cli      # Build opsctl CLI only

This straightforward set of commands covers setting up dependencies, running the app in development with hot reload, and producing production builds for both the desktop app and the CLI. It reflects a typical modern Go + React build pipeline with some Wails-specific tooling.

Verdict

OpsKat is a nuanced attempt to bring AI agents directly into the infrastructure management workflow without compromising on security and auditability. Its strong policy enforcement and comprehensive logging make it suitable for teams willing to invest in crafting and maintaining operation policies.

It’s especially relevant for organizations exploring AI-assisted operations but wary of the risks of giving AI too much freedom. The integration with AI coding assistants via the opsctl CLI is a glimpse into where AI-driven devops might head next.

That said, the complexity of policy management and potential edge cases in multi-asset support mean OpsKat is not a plug-and-play solution. Teams need to be comfortable with both the underlying technologies and the operational discipline required.

For developers and operators curious about the intersection of AI, infrastructure management, and security, OpsKat offers a valuable, hands-on toolkit to experiment with these ideas in a real production-grade environment.

→ GitHub Repo: opskat/opskat ⭐ 380 · TypeScript