Model Context Protocol from Anthropic solves the problem of AI integration with DevOps tools. The Ophis library allows you to turn any Cobra CLI (kubectl, helm, terraform) into an AI agent without a single line of new code. Incident diagnosis time reduced from 25 to 3 minutes.
Alexander Mayorsky
Imagine a typical DevOps engineer's workflow with an AI assistant:
# Human copies to Cursor:
$ kubectl get pods -n production
NAME READY STATUS RESTARTS AGE
api-service-7d4b5c6-x2kl9 1/1 Running 0 5h
api-service-7d4b5c6-m3nq2 0/1 Pending 0 2m
worker-5f6d7c8-p4rs5 1/1 Running 3 12h
# Cursor: "I see an issue with pod api-service-7d4b5c6-m3nq2..."
# Human: copies describe
# Cursor: "Check events..."
# Human: copies events
# And so on for 10 iterations...
The pain is obvious: manual copying, context loss, impossible automation. Up to 40% of time can be spent on such "manual debugging" with AI.
MCP (Model Context Protocol) is an open protocol from Anthropic for connecting LLMs to external tools. Think of it as LSP (Language Server Protocol) but for AI.
Key MCP Concepts:
This article shows what happens under the hood. Ophis elegantly solves the task of turning a Cobra CLI into an MCP server:
package main
import (
"github.com/spf13/cobra"
"github.com/spf13/pflag"
)
// MCPParameter represents an MCP tool parameter
type MCPParameter struct {
Name string `json:"name"`
Type string `json:"type"`
Description string `json:"description"`
Required bool `json:"required"`
}
// MCPTool represents an MCP tool
type MCPTool struct {
Name string `json:"name"`
Description string `json:"description"`
Parameters []MCPParameter `json:"parameters"`
Handler func(args []string) error
}
// OphisServer simplified architecture
type OphisServer struct {
cobraRoot *cobra.Command
tools []MCPTool
}
func (s *OphisServer) TransformCobraToMCP(cmd *cobra.Command) MCPTool {
return MCPTool{
Name: cmd.CommandPath(),
Description: cmd.Short,
Parameters: s.extractFlags(cmd),
Handler: cmd.RunE,
}
}
// Magic happens here: Cobra flags → MCP parameters
func (s *OphisServer) extractFlags(cmd *cobra.Command) []MCPParameter {
var params []MCPParameter
cmd.Flags().VisitAll(func(flag *pflag.Flag) {
params = append(params, MCPParameter{
Name: flag.Name,
Type: s.inferType(flag),
Description: flag.Usage,
Required: !flag.Changed && flag.DefValue == "",
})
})
return params
}
func (s *OphisServer) inferType(flag *pflag.Flag) string {
switch flag.Value.Type() {
case "bool":
return "boolean"
case "int", "int64":
return "number"
default:
return "string"
}
}
Key Components:
// cmd/root.go
package cmd
import (
"github.com/spf13/cobra"
)
var rootCmd = &cobra.Command{
Use: "devops-cli",
Short: "DevOps automation toolkit",
}
// cmd/deploy.go
var deployCmd = &cobra.Command{
Use: "deploy [service]",
Short: "Deploy service to Kubernetes",
Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {
service := args[0]
env, _ := cmd.Flags().GetString("env")
version, _ := cmd.Flags().GetString("version")
dryRun, _ := cmd.Flags().GetBool("dry-run")
return deployService(service, env, version, dryRun)
},
}
func init() {
deployCmd.Flags().StringP("env", "e", "staging", "Environment")
deployCmd.Flags().StringP("version", "v", "latest", "Version to deploy")
deployCmd.Flags().BoolP("dry-run", "d", false, "Dry run mode")
rootCmd.AddCommand(deployCmd)
}
// mcp/server.go
package main
import (
"context"
"fmt"
"log"
"time"
"golang.org/x/time/rate"
"github.com/your-org/devops-cli/cmd"
"github.com/abhishekjawali/ophis"
)
// Request represents an MCP request
type Request struct {
Tool string `json:"tool"`
Parameters map[string]interface{} `json:"parameters"`
}
// Response represents an MCP response
type Response struct {
Content string `json:"content"`
IsError bool `json:"is_error"`
}
// Handler represents an MCP request handler
type Handler func(ctx context.Context, req *Request) (*Response, error)
func main() {
// Initialize Ophis with our CLI
server := NewServer(cmd.RootCmd())
// Add middleware for auditing
server.Use(auditMiddleware)
// Add rate limiting for security
server.Use(rateLimitMiddleware)
// Custom handling for sensitive commands
server.RegisterHook("deploy", validateDeployPermissions)
// Start MCP server
if err := server.Start(":8080"); err != nil {
log.Fatal(err)
}
}
func auditMiddleware(next Handler) Handler {
return func(ctx context.Context, req *Request) (*Response, error) {
start := time.Now()
// Log request
log.Printf("MCP Request: %s %v", req.Tool, req.Parameters)
resp, err := next(ctx, req)
// Log result
log.Printf("MCP Response: %dms, error=%v",
time.Since(start).Milliseconds(), err)
return resp, err
}
}
func rateLimitMiddleware(next Handler) Handler {
limiter := rate.NewLimiter(rate.Every(time.Second), 10)
return func(ctx context.Context, req *Request) (*Response, error) {
if !limiter.Allow() {
return nil, fmt.Errorf("rate limit exceeded")
}
return next(ctx, req)
}
}
// Cursor Settings → Features → Model Context Protocol
{
"mcpServers": {
"devops-cli": {
"command": "/usr/local/bin/devops-mcp",
"args": ["--port", "8080"],
"env": {
"KUBECONFIG": "/Users/alex/.kube/config",
"VAULT_ADDR": "https://vault.vk.internal"
},
"capabilities": {
"tools": true,
"resources": true
}
}
}
}
// Alternatively: via Cursor Composer
// 1. Open Cursor Composer (Cmd+I)
// 2. Configure MCP server in workspace settings
// 3. Use @devops-cli to invoke commands
// Event represents a deployment progress event
type Event struct {
Type string `json:"type"`
Message string `json:"message"`
}
// DeployRequest represents a deployment request
type DeployRequest struct {
Service string `json:"service"`
Version string `json:"version"`
Env string `json:"env"`
}
// Streaming for long-running operations
func (s *OphisServer) StreamingDeploy(ctx context.Context, req *DeployRequest) (<-chan Event, error) {
events := make(chan Event, 100)
go func() {
defer close(events)
// Phase 1: Validation
events <- Event{Type: "validation", Message: "Validating manifests..."}
if err := s.validateManifests(req); err != nil {
events <- Event{Type: "error", Message: err.Error()}
return
}
// Phase 2: Build
events <- Event{Type: "build", Message: "Building images..."}
imageID, err := s.buildImage(ctx, req)
if err != nil {
events <- Event{Type: "error", Message: err.Error()}
return
}
// Phase 3: Deploy
events <- Event{Type: "deploy", Message: fmt.Sprintf("Deploying %s...", imageID)}
if err := s.deploy(ctx, imageID, req); err != nil {
events <- Event{Type: "error", Message: err.Error()}
return
}
events <- Event{Type: "success", Message: "Deployment completed"}
}()
return events, nil
}
// Graceful shutdown with cleanup
func (s *OphisServer) Shutdown(ctx context.Context) error {
log.Println("Starting graceful shutdown...")
// Stop accepting new requests
s.mu.Lock()
s.shuttingDown = true
s.mu.Unlock()
// Wait for active operations to complete
done := make(chan struct{})
go func() {
s.activeOps.Wait()
close(done)
}()
select {
case <-done:
log.Println("All operations completed")
case <-ctx.Done():
log.Println("Forced shutdown after timeout")
}
return nil
}
Before Ophis: SRE copied logs between 5-7 tools, losing 20-30 minutes per incident.
After Ophis:
// Cursor can execute full runbook automatically
"Check api-service status in production and find the cause of 500 errors"
// MCP automatically executes:
// 1. kubectl get pods -n production -l app=api-service
// 2. kubectl logs -n production api-service-xxx --tail=100
// 3. kubectl describe pod api-service-xxx
// 4. prometheus-cli query 'rate(http_requests_total{status="500"}[5m])'
// 5. Analysis and data correlation
Result: Average diagnosis time reduced from 25 to 3 minutes.
// ValidateDeployPermissions checks deployment access rights
func ValidateDeployPermissions(ctx context.Context, tool string, params map[string]any) error {
// Get user from context
user, ok := ctx.Value("user").(User)
if !ok {
return fmt.Errorf("user context not found")
}
env, ok := params["env"].(string)
if !ok {
return fmt.Errorf("env parameter required")
}
service, ok := params["service"].(string)
if !ok {
return fmt.Errorf("service parameter required")
}
// Juniors can only deploy to staging
if user.Level == "junior" && env == "production" {
return fmt.Errorf("insufficient permissions: junior developers cannot deploy to production")
}
// Check critical services
if isCriticalService(service) {
if !hasApproval(ctx, service) {
return fmt.Errorf("deployment of critical service '%s' requires approval from team lead", service)
}
}
// Check time restrictions for production
if env == "production" && !isDeploymentWindow() {
return fmt.Errorf("production deployments are only allowed during business hours (10:00-18:00 UTC)")
}
// Check team membership
if !hasTeamAccess(user, service) {
return fmt.Errorf("user %s does not have access to service %s", user.ID, service)
}
return nil
}
func isCriticalService(service string) bool {
criticalServices := []string{
"payment-service", "auth-service", "user-service", "billing-service",
}
for _, critical := range criticalServices {
if service == critical {
return true
}
}
return false
}
func hasApproval(ctx context.Context, service string) bool {
// In a real system, this would query an approval API
return false
}
func isDeploymentWindow() bool {
now := time.Now().UTC()
hour := now.Hour()
return hour >= 10 && hour < 18 // 10:00-18:00 UTC
}
func hasTeamAccess(user User, service string) bool {
serviceTeams := map[string][]string{
"api-service": {"backend", "platform"},
"payment-service": {"payment", "platform"},
"auth-service": {"security", "platform"},
}
allowedTeams, exists := serviceTeams[service]
if !exists {
return true // If service not in mapping, allow all
}
for _, userTeam := range user.Teams {
for _, allowedTeam := range allowedTeams {
if userTeam == allowedTeam {
return true
}
}
}
return false
}
// benchmark_test.go
func BenchmarkOphisOverhead(b *testing.B) {
testCmd := &cobra.Command{
Use: "test",
Short: "Test command",
RunE: func(cmd *cobra.Command, args []string) error { return nil },
}
server := NewServer(testCmd)
b.Run("DirectCLI", func(b *testing.B) {
for i := 0; i < b.N; i++ {
_ = exec.Command("echo", "test").Run()
}
})
b.Run("ThroughOphis", func(b *testing.B) {
for i := 0; i < b.N; i++ {
ctx := context.Background()
req := &Request{Tool: "test", Parameters: map[string]interface{}{}}
server.executeCommand(ctx, req)
}
})
}
// 🔍 HONEST BENCHMARK RESULTS (MacBook Pro M4, 14 cores):
// Important: Both approaches execute REAL commands
// 📊 SINGLE COMMANDS:
// Direct binary: 5.05ms average
// Ophis MCP: 2.39ms average
// Result: Ophis is 52.6% faster
// 🤖 BATCH OPERATIONS (15 diagnostic commands):
// Direct approach: 165.26ms total (11.02ms per command)
// Ophis approach: 34.66ms total (2.31ms per command)
// Result: Ophis is 79.0% faster (saves 130.60ms)
// 🔬 COMPONENT ANALYSIS:
// Process startup overhead: 16.56ms (eliminated in Ophis)
// MCP processing overhead: 1.72μs (added in Ophis)
// Net benefit: 9,631x reduction in overhead
// 💡 WHY OPHIS IS FASTER:
// • Avoids repeated application startup (16ms → 0ms each time)
// • MCP overhead is minimal (1.72μs vs 16.56ms startup)
// • Connection reuse: already loaded Go runtime
// • Batch optimization: effect accumulates with multiple commands
// • Caching potential: command discovery and results can be cached
// 🌍 REAL AI WORKFLOWS:
// Human incident response: 7-10 minutes (command → analysis → command)
// Cursor via Ophis: 35ms technical execution
// Time-to-resolution: MINUTES → SECONDS
import (
"fmt"
"strings"
"sync"
"os/exec"
"github.com/coocood/freecache"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/clientcmd"
)
// 1. Command output caching
type CommandCache struct {
cache *freecache.Cache
}
func (c *CommandCache) Execute(cmd string, args []string) ([]byte, error) {
key := fmt.Sprintf("%s:%s", cmd, strings.Join(args, ":"))
// Check cache for read-only commands
if isReadOnly(cmd) {
if cached, err := c.cache.Get([]byte(key)); err == nil {
return cached, nil
}
}
// Execute command
output, err := executeCommand(cmd, args)
if err != nil {
return nil, err
}
// Cache for 5 seconds for read-only
if isReadOnly(cmd) {
c.cache.Set([]byte(key), output, 5)
}
return output, nil
}
func executeCommand(cmd string, args []string) ([]byte, error) {
return exec.Command(cmd, args...).Output()
}
func isReadOnly(cmd string) bool {
readOnlyCommands := []string{"kubectl get", "kubectl describe", "helm list"}
for _, readCmd := range readOnlyCommands {
if strings.HasPrefix(cmd, readCmd) {
return true
}
}
return false
}
// 2. Connection pooling for frequent commands
type ConnectionPool struct {
kubeClients sync.Pool
}
func (p *ConnectionPool) GetClient() *kubernetes.Clientset {
if client := p.kubeClients.Get(); client != nil {
return client.(*kubernetes.Clientset)
}
// Create new client if pool is empty
kubeconfig := "/home/user/.kube/config"
config, _ := clientcmd.BuildConfigFromFlags("", kubeconfig)
client, _ := kubernetes.NewForConfig(config)
return client
}
type MCPVersion struct {
Major int `json:"major"`
Minor int `json:"minor"`
Patch int `json:"patch"`
Tools []ToolVersion `json:"tools"`
}
type ToolVersion struct {
Name string `json:"name"`
Version string `json:"version"`
Hash string `json:"hash"` // Hash for compatibility checking
}
// GetVersion returns current MCP interface version
func (s *Server) GetVersion() MCPVersion {
tools := s.DiscoverTools()
toolVersions := make([]ToolVersion, len(tools))
for i, tool := range tools {
toolVersions[i] = ToolVersion{
Name: tool.Name,
Version: "1.0.0",
Hash: s.calculateToolHash(tool),
}
}
return MCPVersion{
Major: 1,
Minor: 0,
Patch: 0,
Tools: toolVersions,
}
}
// IsCompatible checks version compatibility
func (v MCPVersion) IsCompatible(other MCPVersion) bool {
return v.Major == other.Major // Compatible if major versions match
}
Log all operations for audit
Use circuit breaker for external services
// Circuit breaker protects from cascading failures
type CircuitBreaker struct {
mu sync.RWMutex
state CircuitState
failures int
threshold int // Number of errors to open
timeout time.Duration // Time until half-open transition
}
func (cb *CircuitBreaker) Execute(fn func() error) error {
if !cb.canExecute() {
return fmt.Errorf("circuit breaker is %s", cb.state)
}
err := fn()
cb.recordResult(err == nil)
return err
}
// Middleware with circuit breaker
func CircuitBreakerMiddleware(cb *CircuitBreaker) Middleware {
return func(next Handler) Handler {
return func(ctx context.Context, req *Request) (*Response, error) {
var resp *Response
var err error
cbErr := cb.Execute(func() error {
resp, err = next(ctx, req)
return err
})
if cbErr != nil {
return &Response{
Content: fmt.Sprintf("Service temporarily unavailable: %v", cbErr),
IsError: true,
}, cbErr
}
return resp, err
}
}
}
If work can continue without result from some command, log a warning and continue execution.
// BAD
cmd := exec.Command("sh", "-c", userInput)
// GOOD
cmd := exec.Command(allowedCommands[cmdName], sanitizedArgs...)
Don't cache write operations
Don't ignore timeouts
Don't forget about rate limiting
1. Context propagation
// AI doesn't pass context between calls
// Solution: full session management
type Session struct {
ID string `json:"id"`
UserID string `json:"user_id"`
Context map[string]interface{} `json:"context"`
CreatedAt time.Time `json:"created_at"`
LastAccess time.Time `json:"last_access"`
mu sync.RWMutex
}
type SessionManager struct {
sessions map[string]*Session
mu sync.RWMutex
timeout time.Duration
}
func (sm *SessionManager) GetOrCreate(sessionID, userID string) *Session {
sm.mu.Lock()
defer sm.mu.Unlock()
session, exists := sm.sessions[sessionID]
if exists {
session.updateLastAccess()
return session
}
// Create new session
session = &Session{
ID: sessionID,
UserID: userID,
Context: make(map[string]interface{}),
CreatedAt: time.Now(),
LastAccess: time.Now(),
}
sm.sessions[sessionID] = session
return session
}
// Middleware for automatic session recovery
func SessionMiddleware(sm *SessionManager) Middleware {
return func(next Handler) Handler {
return func(ctx context.Context, req *Request) (*Response, error) {
sessionID := getSessionID(req)
userID := getUserID(req)
session := sm.GetOrCreate(sessionID, userID)
ctx = context.WithValue(ctx, "session", session)
return next(ctx, req)
}
}
}
2. Streaming vs Batch
// For large outputs, use streaming
if expectedOutputSize > 1*MB {
return streamResponse(output)
}
return batchResponse(output)
Ophis opens a new paradigm: instead of writing AI-specific APIs, we turn existing CLIs into AI-ready tools in minutes.
go get github.com/abhishekjawali/ophisWorkspace setup for DevOps:
// .cursor/settings.json
{
"mcpServers": {
"devops": {
"command": "./devops-mcp-server",
"autoStart": true
}
},
"composer.defaultInstructions": [
"Use @devops for all infrastructure commands",
"Always check deployment status after changes",
"Use dry-run for production deployments"
]
}
Cursor Rules examples:
# .cursorrules
When user mentions deployment:
1. Use @devops status first to check current state
2. Suggest dry-run for production changes
3. Validate environment and version parameters
4. Show deployment steps before execution
For incident response:
1. Start with @devops status --verbose
2. Check logs with @devops logs --tail=100
3. Analyze metrics with @devops metrics
4. Suggest rollback steps if needed
P.S. If any readers have already tried MCP — share your experience in the comments. Especially interested in security and compliance cases.
Building MCP servers and AI-powered automation is what we do. If you need help integrating AI with your infrastructure — we can help.
What we build:
Custom AI solutions from $60. Go, Python, Node.js.
Related services:
Share with colleagues and friends