aiops-mcp
Integrates with Ansible for configuration management and automation of host state, enabling playbook execution and drift convergence.
Integrates with OpenTofu for infrastructure provisioning and state management, supporting drift detection and convergence.
Integrates with Talos Linux API for managing Kubernetes nodes and cluster operations.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@aiops-mcp check drift for production webserver fleet"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
AIOps-MCP
praxis, the unified AI-operations MCP.
Documentation site (rendered from docs/): https://rmednitzer.github.io/aiops-mcp/
Status: v0, stdio default with an opt-in HTTP transport, single-operator, in iterative security hardening.
make ci-success is green (ruff + mypy strict + pytest + the schema-drift guard + the dispatch eval gate) and each of the nine invariants has a passing test. The deep review (ADR-0015) found that several load-bearing controls were specified but not yet wired into the running server; the ADR-0016 enforcement wave and the waves through ADR-0042 closed those findings. The implemented backlog is resolved; the two open items are both forward-looking: BL-111 (first-class kubectl/helm actuation, gated on the ADR-0043 credential contract; nothing built yet) and BL-113 (re-confirm the EU AI Act high-risk dates against the Official Journal once the Digital Omnibus publishes, ADR-0044). Read "Maturity and honest limitations" below and LIMITATIONS.md for the known remaining boundaries before relying on it. The design reference is docs/architecture.md.
What it is
praxis is a self-contained, security-first, single-operator-operable,
EU-sovereign unified AI-operations MCP server. It fuses three things into one
control plane:
A live bitemporal model of the fleet. Hosts, services, packages, storage, networks, identities, and alerts as typed vertices and edges, with every fact carrying four timestamps and never being deleted (corrections supersede). The source of truth.
A drift engine. Observed host state vs desired state (IaC plan, config baseline, or an operator-blessed known-good snapshot), with structured drift findings and human-gated convergence.
A tiered, audited actuator. A single execution path that classifies every action T0-T3, gates state-changing actions behind human confirmation, and wraps the right tool per host type (ssh/ansible/opentofu/runbooks/talosctl/redfish/cloud) instead of reinventing it.
It is self-contained: no imports from, or runtime coupling to, any sibling fleet repository. Third-party libraries are kept minimal and license-vetted (pydantic for input validation; psycopg for the optional Postgres backend), and the execution core stays dependency-free (ADR-0001, ADR-0014).
Why
It is the engineered successor to a hand-run fleet gateway: graduated autonomy being made load-bearing in code (not just a design note), drift detection formalized out of manual markdown baselines into a queryable bitemporal store, scattered state unified, and flat skills given a real registry and router. Security-first by design and intended for real production deployments, with the gaps still on the way to that bar tracked openly (see below).
Maturity and honest limitations
v0 is real and tested, but it is a hardening-in-progress security project, not a finished product. The deep review in ADR-0015 (2026-06-08) verified the spine is sound (storage-layer append-only state, parameterised SQL, inert untrusted skill bundles, an option-injection-guarded SSH target, an RFC 6962 Merkle implementation, a robust SSRF filter) and that all nine invariants have a proving test; the ADR-0016 enforcement wave (2026-06-10) closed its P1 and wiring findings. The honest current state:
HTTP transport is implemented and opt-in (ADR-0041): a stdlib http.server with an Mcp-Session-Id session lifecycle, per-session isolation (each session has its own trifecta taint latch, approval nonces, budget, and consent ceiling), constant-time bearer-token auth, a request-body cap, and a per-client consent ceiling. It stays default-closed (token + non-loopback opt-in + SSRF egress, ADR-0006); stdio is still the default. Serving is concurrent (ADR-0042, BL-110): a ThreadingHTTPServer over a store that serialises on a per-instance lock, so a slow actuation does not block other clients while the bitemporal/append-only invariants hold.
The human-approval gate is human-binding (ADR-0016, BL-072): a gated dry run mints a server-generated, single-use, TTL-bound token surfaced on the operator console, out-of-band from the MCP channel. The token never appears in a tool response, so an automated caller cannot reproduce or replay it. Free-form shell actuation floors at T2 (BL-073).
Every registered tool, including the read tools and ingest_observation, runs through the single audited path (BL-017, BL-062, BL-085); reads that return observed facts arm the trifecta latch, enforced inside the path (BL-083).
Scoped credentials (opt-in via the first grant), per-session budgets, and an audited emergency_stop actuator with a durable kill-switch sentinel are wired (BL-049, BL-074, BL-075). With PRAXIS_AUDIT_PATH set, the server also produces runtime Merkle checkpoints over the trail (every N records and at shutdown) and an optional anchored high-water mark (PRAXIS_ANCHOR_PATH) that detects truncation of log plus evidence together (ADR-0019; BL-076, BL-050). The default checkpoint stamper is the keyless LocalStamper; a non-forgeable RFC 3161 TSA stamper is available opt-in (PRAXIS_TSA_URL plus PRAXIS_TSA_CERT, the TSA signing certificate in PEM, plus the tsa extra; BL-095, ADR-0030). With the default stamper, OS-level append-only storage remains the required control against an attacker who can rewrite the files. Audit records can also be forwarded best-effort to syslog for SIEM/journald visibility (PRAXIS_AUDIT_SYSLOG_ADDRESS, opt-in); the append-only file stays the authoritative, tamper-evident sink (BL-100, ADR-0037). Each record carries optional request_id/client_id correlation fields, set per request by the transport, so concurrent calls can be tied to their audit entries (BL-101, ADR-0038).
These and the rest are tracked as BL-NNN in docs/backlog.md with severities in
ADR-0015. LIMITATIONS.md is the running list of what is specified but not yet
delivered.
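The human-approval gate described above (server-generated, single-use, TTL-bound token shown only out-of-band) can be sketched as follows. This is an added example, not praxis's implementation: the class, its method names, the console callback and the choice to burn the token on any failed attempt are all assumptions.

```python
import hmac
import secrets
import time


class ApprovalGate:
    """Hypothetical gate: one token per dry-run plan, single use, TTL-bound."""

    def __init__(self, ttl_seconds=120.0, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # plan_id -> (token, expiry)

    def mint(self, plan_id, console):
        """Mint a token and surface it only through the console callback."""
        token = secrets.token_urlsafe(16)  # server-generated, unguessable
        self._pending[plan_id] = (token, self._clock() + self._ttl)
        console(f"approve {plan_id}: {token}")  # out-of-band channel
        # The tool response carries the plan id only, never the token.
        return {"plan_id": plan_id, "status": "awaiting_approval"}

    def redeem(self, plan_id, presented):
        """True exactly once for the right token before expiry."""
        # pop() makes the token single-use; a wrong guess also burns it,
        # so the operator must rerun the dry run (assumed policy).
        entry = self._pending.pop(plan_id, None)
        if entry is None:
            return False
        token, expiry = entry
        if self._clock() > expiry:
            return False
        # Constant-time comparison avoids a timing oracle on the token.
        return hmac.compare_digest(token.encode(), presented.encode())
```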
Quickstart
For a complete, task-oriented walkthrough of running the server and using every tool, see the how-to guide (also on the docs site).
praxis is self-contained: the default path is the SQLite store over stdio with no
external services.
uv sync --extra dev # add --extra postgres for the production store backend
make check # ruff + mypy strict + pytest
make ci-success # the above plus the schema-drift guard and eval gate
python -m praxis # serve over stdio (JSON-RPC 2.0); refuses unsafe HTTP binds
Configuration is PRAXIS_-prefixed and bound once at import (src/praxis/config.py).
For the architecture and layout see docs/architecture.md; the nine non-negotiable
invariants are in CLAUDE.md.
Layout
See docs/architecture.md for the full tree. The spine: src/praxis/execution/
(the single audited executor), src/praxis/store/ (the pluggable bitemporal
store), src/praxis/drift/ (the drift engine), src/praxis/actuation/ (tool
adapters), src/praxis/tools/ (the MCP surface), and docs/{adr,stpa}/ plus
docs/backlog.md (governance-as-code).
Governance
Decisions: docs/adr/ (Architecture Decision Records).
Safety and security requirements: docs/stpa/ (System-Theoretic Process Analysis, including STPA-Sec).
Work tracking: docs/backlog.md (stable BL-NNN ids).
Compliance mapping: docs/governance/ (EU AI Act, NIS2/NISG, CRA, GDPR, ISO 27001).
License
Apache-2.0 (see LICENSE) and NOTICE.