AgentOpsSec/stack

AgentOpsSec

Run the AgentOpsSec stack from one CLI.

AgentOpsSec is the stack/kit command for the AgentOpsSec toolchain. Each project in the suite can still run on its own, but this CLI gives teams one entry point for setup, scanning, monitoring, and wrapped agent runs.

agentopssec init
agentopssec check
agentopssec start -- codex "work on this repo"

What It Does

AgentOpsSec detects and coordinates the standalone tools:

  • MCP Doctor: scans MCP configuration risk.
  • MCP Firewall: registers MCP configs and logs policy decisions.
  • Agent Flight Recorder: records agent runs.
  • Agent Review: reviews diffs, run logs, sandbox runs, and firewall logs.
  • MCP Radar: scores MCP servers from registry data.
  • Agent Sandbox: runs agents in an isolated workspace.
  • Agent Cost Lens: tracks local agent cost records.

The stack CLI does not import code from those projects. It discovers installed CLIs, runs them as commands, and connects them through JSON reports and local log files.

Install

npm install -g agentopssec

Each individual tool ships under the @agentopssec/ scope on npm. During agentopssec init, the CLI checks for each standalone command and asks whether you want to install missing tools globally:

npm install -g @agentopssec/mcp-doctor
npm install -g @agentopssec/mcp-firewall
npm install -g @agentopssec/agent-flight-recorder
npm install -g @agentopssec/agent-review
npm install -g @agentopssec/mcp-radar
npm install -g @agentopssec/agent-sandbox
npm install -g @agentopssec/agent-cost-lens

Update

agentopssec update checks the registry for the orchestrator and every sub-tool, lists each tool's current vs. latest version, and offers to install all available updates in one batch:

agentopssec update          # interactive: prompts before installing
agentopssec update --yes    # apply every available update without prompting

Each tool also has its own update command if you want to update just one:

mcp-doctor update
agent-flight update --yes

Init

Run this from the repo you want to protect:

agentopssec init

Init will:

  1. Choose a stack profile.
  2. Check whether each selected standalone AgentOpsSec CLI is installed.
  3. Ask before installing missing tools globally.
  4. Create .agentopssec/config.json.
  5. Configure the selected tools that are available.
  6. Run an initial MCP scan when MCP Doctor is enabled.
  7. Feed the scan into MCP Firewall and MCP Radar when those tools are enabled.

Profiles:

agentopssec init --profile minimal
agentopssec init --profile security
agentopssec init --profile observe
agentopssec init --profile full
agentopssec init --profile custom

  • minimal: MCP Doctor
  • security: MCP Doctor, MCP Firewall, Agent Review
  • observe: Agent Flight Recorder, Agent Cost Lens
  • full: all tools
  • custom: prompt for each tool

Useful init options:

agentopssec init --yes
agentopssec init --no-install
agentopssec init --dry-run
agentopssec init --cwd /path/to/repo
agentopssec init --package-manager npm

--yes installs missing tools globally without prompting. --no-install skips prompts and configures only what is already installed. Package manager detection uses the current npm user agent when available and supports global installs via npm, pnpm, bun, or yarn.

Commands

agentopssec status
agentopssec tools
agentopssec scan
agentopssec check
agentopssec ci
agentopssec monitor
agentopssec start -- codex "fix the failing tests"
agentopssec start --sandbox -- claude "make this change safely"
agentopssec init-shell
agentopssec repair
agentopssec contract
agentopssec review latest
agentopssec review firewall
agentopssec review sandbox
agentopssec cost month
agentopssec update [--yes]

agentopssec --help prints a one-line description for every command and flag. Run it any time you want a refresher.

Output

Reports use plain-language status words instead of raw exit codes:

  • ok — the step ran successfully (green).
  • ok (exit 0) — same, but on commands that wrap an external agent so you can still see the real exit code.
  • failed (exit N) — the step exited non-zero (red). The original code is preserved for debugging.
  • skipped (reason) — the step was not applicable (dim).

Severity colors follow the AgentOpsSec palette: green for safe, amber for warning, red for high risk. The palette honors NO_COLOR and FORCE_COLOR, and JSON / CSV output stays plain.

Stack Workflows

Scan

agentopssec scan

When available, this runs:

mcp-doctor scan --json --output .agentopssec/mcp-doctor-scan.json
mcp-firewall import-doctor .agentopssec/mcp-doctor-scan.json
mcp-radar score-doctor .agentopssec/mcp-doctor-scan.json

Start

agentopssec start -- codex "work on this repo"

The stack chooses the strongest available wrapper chain:

Agent Cost Lens -> Agent Flight Recorder -> MCP Firewall -> agent command

With --sandbox, the chain becomes:

Agent Cost Lens -> Agent Sandbox -> MCP Firewall -> agent command

After the run, AgentOpsSec runs available review and cost summaries.

By default, start uses compact output: AgentOpsSec shows one summary and captures child tool output. Use --verbose when you want the underlying tools to stream directly:

agentopssec start --verbose -- codex "work on this repo"

Shell Integration

eval "$(agentopssec init-shell)"
codex "fix tests"
claude "review this repo"
gemini "summarize the diff"
opencode "refactor this file"

The shell functions route normal agent commands through agentopssec start. Use agentopssec init-shell --sandbox to make the wrappers use Agent Sandbox by default.

Check and CI

agentopssec check
agentopssec ci

check is a local audit snapshot. ci runs the same style of stack checks as a gate and exits nonzero when a configured risk threshold or budget check fails.

When available, CI runs:

MCP Doctor CI
MCP Firewall import
MCP Radar score
Agent Review over git diff
Agent Review over firewall logs
Agent Cost Lens budget check

Monitor

agentopssec monitor

Monitor runs a passive snapshot of stack signals that are available in the repo. It is not a live watch process.

  • MCP Doctor scan
  • MCP Firewall import
  • MCP Radar scoring
  • Agent Review over firewall logs
  • Agent Cost Lens daily summary

Repair

agentopssec repair

Repair re-checks installed tools, recreates missing stack folders, refreshes the stack config, validates known JSON and JSONL contract files, and suggests exact global install commands for enabled tools that are missing.

Data Contract

agentopssec contract

The stack connects tools through local files:

.agentopssec/config.json
.agentopssec/mcp-doctor-scan.json
.agentopssec/mcp-radar-doctor.json
.mcp-firewall/logs.jsonl
.agent-flight/runs/*.json
.agent-sandbox/runs/*.json
.agent-cost/records.jsonl

Those files are the integration boundary. The stack CLI does not import code from the standalone tools.
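
Because these files are the only interface between the tools, a malformed or truncated file silently breaks every downstream step. The following Node.js sketch is an added example, not AgentOpsSec's own code: it walks the paths listed above and reports each file as ok, missing, or invalid, with the line number for JSONL. The function names and the sample file contents are assumptions, and it checks only that the files parse, since this README does not document their schemas.

```javascript
const fs = require("node:fs"), os = require("node:os"), path = require("node:path");

// Contract paths as listed in the README; "*" matches file names in one directory.
const CONTRACT = [
  ".agentopssec/config.json", ".agentopssec/mcp-doctor-scan.json",
  ".agentopssec/mcp-radar-doctor.json", ".mcp-firewall/logs.jsonl",
  ".agent-flight/runs/*.json", ".agent-sandbox/runs/*.json", ".agent-cost/records.jsonl",
];

// Expand a "dir/*.json" pattern without a glob dependency; a missing dir yields no files.
function expand(root, pattern) {
  if (!pattern.includes("*")) return [pattern];
  const dir = path.dirname(pattern);
  let names = [];
  try { names = fs.readdirSync(path.join(root, dir)); } catch { return []; }
  return names.filter((n) => n.endsWith(".json")).sort().map((n) => `${dir}/${n}`);
}

// One finding per file: "ok", "missing", or "invalid" (with the 1-based line for JSONL).
function validateContract(root) {
  return CONTRACT.flatMap((p) => expand(root, p)).map((file) => {
    let text;
    try { text = fs.readFileSync(path.join(root, file), "utf8"); }
    catch { return { file, status: "missing" }; }
    const jsonl = file.endsWith(".jsonl");
    // JSONL: every non-empty line must parse on its own, so a truncated append is caught.
    const chunks = jsonl ? text.split(/\r?\n/) : [text];
    const bad = chunks.findIndex((c) => {
      if (jsonl && c.trim() === "") return false;
      try { JSON.parse(c); return false; } catch { return true; }
    });
    if (bad === -1) return { file, status: "ok" };
    return jsonl ? { file, status: "invalid", line: bad + 1 } : { file, status: "invalid" };
  });
}

// Constructed sample repo (field names are made up): line 2 of the firewall log is truncated.
function buildSampleRepo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "contract-"));
  const put = (rel, body) => {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), body);
  };
  put(".agentopssec/config.json", '{"constructed":true}');
  put(".mcp-firewall/logs.jsonl", '{"n":1}\n{"n":2\n');
  put(".agent-flight/runs/run-1.json", "{}");
  return root;
}
console.table(validateContract(buildSampleRepo()));
```

To check a real checkout, call validateContract with the repo root instead of the constructed sample.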

Pass-Through Commands

You can call the standalone tools through the stack CLI:

agentopssec doctor scan --json
agentopssec firewall logs
agentopssec radar score github/server
agentopssec flight list
agentopssec sandbox diff latest
agentopssec cost export --csv

This is a convenience layer. The underlying standalone commands remain the source of truth for each tool.

Development

AgentOpsSec is a dependency-free Node.js CLI.

npm test
node ./bin/agentopssec.js status
node ./bin/agentopssec.js tools --use-local
node ./bin/agentopssec.js init --use-local --no-install

--use-local makes the orchestrator resolve sibling tool folders directly, without needing global installs. This is useful when you have all the tool repos checked out side by side under one workspace.

Author

Created and developed by Aunt Gladys Nephew.
