Skip to main content

Your AI agent needs production access — not your SSH key.

emisar is one governed MCP server that connects Claude, Cursor, ChatGPT — any AI agent — to your infrastructure. One server covers production access, debugging, alerting, runbooks, and internal ops — so a new capability is another pack, not another MCP server to roll out to every client. Your agent reads real production state to debug what it shipped and help work incidents. Safe reads run on their own. A risky change waits for a human to approve it. No SSH key, no always-on access, every call on the record.

Free for 3 runners · No credit card · Apache-2.0 open-source runner

claude · emisar MCP
nomad.alloc_logs checkout allowed
prom.query rate(http_5xx) allowed
nomad.job_history checkout allowed
nomad.job_revert checkout approval
then claude opens a PR with the durable fix — the corrected Nomad job spec, in its own coding tools. emisar gave it the facts; the agent writes the fix.
Safe reads run on their own · risky changes wait for one human · every call audited
1,270
audited actions · 80 packs
Zero-Trust for AI
built to Anthropic's control set
Hash-chained journal
every action, tamper-evident on the host
Open code
Apache-2.0 runner · read the whole control plane

With eyes on production

Your AI is brilliant. And blind.

Claude, Cursor, and ChatGPT reason about your stack all day — but they can't see it running. emisar gives your agent eyes on production. It reads live logs, metrics, hosts, datastores, and the network, so its plan matches what's actually running. It catches its own mistakes. It works incidents beside you. And it stops for you only when a change is actually risky.

Browse the full catalog it can reach

Starts from real state

Before it writes a line, the agent reads live logs, metrics, configs, and process state. Its plan is based on what's actually running — not a stale guess from training data.

Debugs what it shipped

Deployed something that misbehaves? The agent inspects the running result, finds its own mistake, and proposes the fix. You don't have to gather the context for it.

Works the incident

When the page fires, it triages across the fleet, lines up logs against metrics, and narrows the cause. Then it hands you a fix it can run the moment you approve.

The change waits for you

When the fix actually changes something, that's the one moment you step in — one approval, scoped and logged. Everything safe runs without you.

How it's done today

Today, your AI agent is either:

Three common setups for letting an agent act — and each fails the same way: no gate before the action, no trustworthy record after.

Given a raw SSH key

Full shell on prod. The model is "creative." A malformed request can become rm -rf /var/lib/postgresql with no policy gate and no durable record of why it happened.

Wired to a custom tool server

Two engineers built a custom MCP server in a weekend. It hardcodes one cluster, swallows stderr, has no approval flow, and lives in a repo nobody dares touch.

Asked to "/runbook" in Slack

Twenty-three slash commands, three owners, two of whom left in 2024. Write-only output, lost in channel scrollback, and the audit trail is whatever you remember from the postmortem.

Three pillars

A catalog, a gate, and a ledger.

Every request is handled the same way. Each action declares what it can do and carries a risk tier — low, medium, high, or critical. The policy you set decides which tiers need a human to approve. The runner re-checks the request before it runs. Then every call is recorded twice — to the searchable audit in the portal, and to a hash-chained journal on the runner host.

Versioned action catalog

Packs live in git, and each one is fingerprinted by its contents. The AI sees only the actions you declared — it can't ask for anything else. Change a pack and emisar stops running it until an admin trusts the new version. A new surface — another datastore, your alerting stack, an internal API — is one more trusted pack on the same gate, not another MCP server to roll out to every client.

linux-core/actions/systemctl_status.yaml
schema_version: 1
id: linux.systemctl_status
title: "Systemd unit status"
kind: exec
risk: low
args:
  - name: unit
    type: string
    required: true
    validation:
      pattern: "^[a-zA-Z0-9@._-]{1,128}$"
execution:
  command:
    binary: /usr/bin/systemctl
    argv: ["status", "{{ args.unit }}"]

Policy & approval

Set allow, ask-for-approval, or deny for each risk tier, then override specific actions. Risky calls wait for a human. Or hand out a limited, revocable pass so routine ones don't ask every time.

Risk-tier defaults
lowallow
mediumallow
highrequire approval
criticaldeny
Overrides first match wins
*.delete_* deny
nomad.job_* require approval
Or scope a stricter ruleset to a single runner or a group.

Audit + runner journal

Every input, output, exit code, and redaction is recorded. On the host it's a hash-chained log — change one line and emisar audit verify catches it. It's mirrored to the searchable audit in the portal, and it can stream to your SIEM.

emisar.dev / audit
14:02
Run succeeded
action_run.success nomad.alloc_logs
api_key: claude-prod
14:01
Awaiting approval
action_run.pending_approval nomad.job_revert
api_key: claude-prod
13:58
Approval granted
approval.approved caddy.reload_config
user: ops@acme.co
13:52
Denied by policy
action_run.denied linux.reboot_host
api_key: claude-prod

Watch it work

A real incident, start to finish.

A CSI driver reformatted a live LUN and wiped 33 hours of metrics. Watch the agent investigate through declared actions, stop the writes behind one approval, and hand back the durable fix as a Terraform PR — over MCP, no SSH, every step on the record.

# nomad-hvn03 · Dell R640 · Pure FlashArray over iSCSI multipath · democratic-csi v1.9.5
curl -sSL https://emisar.dev/install.sh | sudo bash
downloading emisar-v0.2.0-linux-amd64.tar.gz
checksum verified sha256:9f2c1e7b4a0d… · installed v0.2.0
emisar connecting to wss://emisar.dev/runner/socket/websocket (group=storage packs=multipath,iscsi,pure,nomad,debugging,docker)
runner online · nomad-hvn03 · advertising 84 actions, every one policy-gated
level=INFO msg="run dispatched" action=nomad.alloc_stop run=run_5d36c9 via=approval
level=INFO msg="run complete" action=nomad.alloc_stop exit=0 dur=0.38s

Real catalog actions. Reads run on policy; risky steps always stop for approval.

Any MCP client
OAuth for cloud clients, stdio bridge for local tools — access scoped to selected runners or groups.
Pack trust
New or changed packs stop running until an admin trusts the contents.
Approvals & grants
Approve one call, or hand out a revocable pass — limited by time, arguments, runner, and number of uses.
Searchable audit
See who ran what, and on whose behalf, in the portal — or stream it to your SIEM.

Read the full post-mortem — the multipath race, the dmesg window, and the Terraform fix

Why not just…

The alternatives, honestly.

emisar Raw SSH key Custom MCP server
Typed action contract Yes No Partial
Pack drift blocks dispatch Yes No No
Risk-tier policy + overrides Yes No Partial
Approvals + standing grants Yes No No
Per-user runner scopes Yes No Partial
Streaming stdout/stderr Yes Yes Partial
Audit + SIEM export Yes No Partial
Setup time 5 min instant + nightmares 1-2 weeks

Case studies

Two incidents, in full.

The storage wipe from the demo, written up end to end — and a completely different failure on the network. Both real, both logged with the command output to prove it.

storage

A CSI driver wiped 33 hours of metrics

The incident from the demo, in full — including the twist. The obvious one-line fix was a no-op, so the durable fix the agent shipped is a guard that refuses to trust the driver.

Read the post-mortem
ingress

A fleet-wide 502 no backend was causing

Every app behind one edge threw intermittent 502s — yet every backend was green. The agent traced it across five layers to an OOM loop and a wedged node still advertising a dead ingress, then stopped the bleed behind gated approvals.

Read the post-mortem

See every use case — the daily wins and the war stories

Zero Trust for AI Agents

The framework a frontier lab published — enforced by emisar.

Anthropic's Zero Trust for AI Agents guide says an agent with access to real systems needs four things: least agency, deny-by-default tools, human approval for high-risk actions, and an audit trail no one can edit. emisar enforces exactly that. And the controls the framework reserves for its top tiers ship on emisar's Free plan.

Least agency

The agent only sees the actions you declared

Human in the loop

High-risk actions stop for a one-click approval

Full audit trail

Searchable portal audit, a tamper-evident hash-chained host journal, and SIEM export

Assume breach

Even a jailbroken agent can't get past the catalog

See emisar mapped to the framework, control by control

Not affiliated with or endorsed by Anthropic. We cite the framework because emisar is built to the control set it describes.

Pricing

Pay per runner. Not per seat.

Free for 3 runners and 1 user. Team is $20/runner/month with unlimited users.

Free

For homelab and tinkering.

$0 / forever
Start free
  • 3 runners
  • 1 user
  • 7-day audit retention
  • Community support
Most popular

Team

For teams running real production.

$20 / runner / month
Start free trial
  • Up to 100 runners
  • Unlimited users
  • 90-day audit retention
  • Automated invoices, email support

Enterprise

For regulated environments & fleets.

Custom
Talk to sales
  • Unlimited runners & users
  • 365-day audit retention
  • Security and procurement review
  • Design-partner deployment planning

FAQ

The skeptical questions, answered.

Can the LLM run anything it wants?

No. The runner only exposes actions declared in a content-addressed pack. Anything else is rejected at the runner before it touches your shell. The model literally cannot see undeclared commands.

What can it actually do?

Read and tail logs, query metrics, inspect processes, memory, disk, and containers, check your databases, and trace DNS, TLS, and connectivity — across your whole fleet. And, behind approval, act: restart a unit, stop a runaway job, fail over, scale. It's a finite catalog of declared actions, never a raw shell.

Where do approvals happen?

In the web UI today. The approver sees the actor, the arguments, the target host, and the policy rule that triggered the gate. One click to allow, one to deny.

Do I have to approve every action?

No — you decide per action. Reads run automatically; you reserve approvals for the risky, mutating ones. Policy sets allow / require-approval / deny by risk tier, with per-action overrides, and the destructive verbs are deny-by-default.

What if my runner dies mid-run?

Child processes are reaped with PR_SET_PDEATHSIG on Linux — no zombies, no orphans. If the runner stays offline, the cloud's dispatch-timeout sweep marks its in-flight runs as errored with the reason within minutes, so nothing reads as running forever.

Is this MCP-compatible?

Yes. Claude.ai and ChatGPT connect to emisar's remote JSON-RPC MCP server through OAuth. Claude Code, Claude Desktop, Cursor, Gemini CLI, and Codex CLI can use the emisar-mcp stdio bridge.

Can I self-host the control plane?

The current product uses the hosted emisar control plane. The repository includes deployable control-plane code for evaluation, but supported self-hosted and air-gapped deployments are not generally available today. Contact us if that boundary is a requirement.

What about secrets?

The runner runs a redaction pipeline on every stdout/stderr stream before forwarding. Patterns are declared per-action; sane defaults catch AWS keys, JWTs, and bearer tokens. The cloud receives only the redacted output stream — never the raw bytes.

Give your AI production access. You keep the last word.

Three runners. Seven-day audit. No credit card. Read the quickstart and run your first gated action.

Prefer a walkthrough first? Book a 30-minute demo.

No credit card. Cancel anytime. Your audit log is yours to export.