Fair skepticism — giving an AI write access to a firewall does sound alarming on the surface.
A few clarifications:
The MCP server connects via a restricted API key scoped only to firmware and diagnostics endpoints. It cannot touch firewall rules, VPN, DHCP, or any other config.
Write tools require explicit confirmation — Claude asks before running any update, upgrade, or reboot. It's more like a structured CLI than an autopilot.
OPNSENSE_READ_ONLY=true disables all write tools entirely if you only want monitoring.
Every API call is logged under System > Log Files > Audit.
As for the upgrade problem — glad you haven't hit it. It typically surfaces during major version upgrades (branch changes), not minor updates. The pkg ABI mismatch after a base/kernel upgrade is a known issue, just not one everyone encounters.
The SSH script exists precisely for people who want zero AI involvement and full control — it's a standalone Python script with no external dependencies.
Thank you for your comments.
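An added sketch, not the project's code, of how the three controls described in the post above (endpoint scoping, confirmation before writes, `OPNSENSE_READ_ONLY`) could be enforced in the server's dispatch path rather than left to the model's behaviour. The tool names, the `authorize` function and the rule that non-GET calls count as writes are assumptions made for illustration.

```python
import os
import posixpath

# Hypothetical tool table: name -> (HTTP method, API path, changes state?).
TOOLS = {
    "firmware_status": ("GET", "/api/core/firmware/status", False),
    "firmware_update": ("POST", "/api/core/firmware/update", True),
    "firmware_upgrade": ("POST", "/api/core/firmware/upgrade", True),
    "firmware_reboot": ("POST", "/api/core/firmware/reboot", True),
}
# Mirrors the key's scope from the post: firmware and diagnostics only.
ALLOWED_PREFIXES = ("/api/core/firmware/", "/api/diagnostics/")


class Denied(Exception):
    """Raised when a tool call fails a policy check."""


def authorize(tool, confirmed=False, env=None, tools=TOOLS):
    """Return (method, path) if the call may proceed, else raise Denied."""
    env = os.environ if env is None else env
    if tool not in tools:
        raise Denied(f"unknown tool: {tool}")
    method, path, is_write = tools[tool]
    # Normalise first so "../" segments cannot escape the allowed prefixes.
    norm = posixpath.normpath(path)
    if not norm.startswith(ALLOWED_PREFIXES):
        raise Denied(f"{norm} is outside the firmware/diagnostics scope")
    # Assumption: non-GET methods count as writes even if the table says otherwise.
    if is_write or method != "GET":
        if env.get("OPNSENSE_READ_ONLY", "").strip().lower() == "true":
            raise Denied(f"{tool} blocked: OPNSENSE_READ_ONLY=true")
        if not confirmed:
            raise Denied(f"{tool} needs explicit operator confirmation")
    return method, norm


if __name__ == "__main__":
    for name, ok in [("firmware_status", False), ("firmware_upgrade", False),
                     ("firmware_upgrade", True)]:
        try:
            print(name, ok, "->", authorize(name, confirmed=ok, env={}))
        except Denied as exc:
            print(name, ok, "-> denied:", exc)
```

The scope check in the sketch is defence in depth; the restricted API key on the firewall remains the control that holds if the server process itself is compromised.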