asfops 0.1.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. asfops-0.1.0/.github/workflows/ci.yml +60 -0
  2. asfops-0.1.0/.github/workflows/release.yml +40 -0
  3. asfops-0.1.0/.gitignore +218 -0
  4. asfops-0.1.0/.python-version +1 -0
  5. asfops-0.1.0/CONTRIBUTING.md +56 -0
  6. asfops-0.1.0/LICENSE +21 -0
  7. asfops-0.1.0/PKG-INFO +118 -0
  8. asfops-0.1.0/README.md +91 -0
  9. asfops-0.1.0/pyproject.toml +91 -0
  10. asfops-0.1.0/src/asfops/__init__.py +83 -0
  11. asfops-0.1.0/src/asfops/_version.py +1 -0
  12. asfops-0.1.0/src/asfops/api.py +128 -0
  13. asfops-0.1.0/src/asfops/cli/__init__.py +5 -0
  14. asfops-0.1.0/src/asfops/cli/app.py +282 -0
  15. asfops-0.1.0/src/asfops/cli/render.py +76 -0
  16. asfops-0.1.0/src/asfops/config.py +56 -0
  17. asfops-0.1.0/src/asfops/exceptions.py +33 -0
  18. asfops-0.1.0/src/asfops/fleet/__init__.py +31 -0
  19. asfops-0.1.0/src/asfops/fleet/member.py +20 -0
  20. asfops-0.1.0/src/asfops/fleet/roles.py +57 -0
  21. asfops-0.1.0/src/asfops/fleet/roster.py +285 -0
  22. asfops-0.1.0/src/asfops/fleet/schemas.py +90 -0
  23. asfops-0.1.0/src/asfops/models/__init__.py +18 -0
  24. asfops-0.1.0/src/asfops/models/bridge.py +136 -0
  25. asfops-0.1.0/src/asfops/models/client.py +58 -0
  26. asfops-0.1.0/src/asfops/models/copilot.py +382 -0
  27. asfops-0.1.0/src/asfops/models/resolve.py +23 -0
  28. asfops-0.1.0/src/asfops/orchestrator.py +268 -0
  29. asfops-0.1.0/src/asfops/py.typed +0 -0
  30. asfops-0.1.0/src/asfops/results.py +330 -0
  31. asfops-0.1.0/tests/__init__.py +0 -0
  32. asfops-0.1.0/tests/conftest.py +105 -0
  33. asfops-0.1.0/tests/fakes/__init__.py +0 -0
  34. asfops-0.1.0/tests/fakes/copilot_fakes.py +104 -0
  35. asfops-0.1.0/tests/test_api.py +85 -0
  36. asfops-0.1.0/tests/test_bridge.py +72 -0
  37. asfops-0.1.0/tests/test_cli.py +166 -0
  38. asfops-0.1.0/tests/test_client.py +60 -0
  39. asfops-0.1.0/tests/test_copilot_model.py +189 -0
  40. asfops-0.1.0/tests/test_orchestrator.py +145 -0
  41. asfops-0.1.0/tests/test_render.py +100 -0
  42. asfops-0.1.0/tests/test_results_usage.py +190 -0
  43. asfops-0.1.0/tests/test_roster.py +67 -0
  44. asfops-0.1.0/tests/test_schemas.py +30 -0
  45. asfops-0.1.0/tests/test_version.py +6 -0
  46. asfops-0.1.0/uv.lock +2167 -0
@@ -0,0 +1,60 @@
1
+ name: CI
2
+
3
+ on:
4
+ push:
5
+ branches: [main]
6
+ pull_request:
7
+
8
+ concurrency:
9
+ group: ${{ github.workflow }}-${{ github.ref }}
10
+ cancel-in-progress: true
11
+
12
+ jobs:
13
+ lint:
14
+ name: Lint & typecheck
15
+ runs-on: ubuntu-latest
16
+ steps:
17
+ - uses: actions/checkout@v4
18
+ - uses: astral-sh/setup-uv@v5
19
+ with:
20
+ python-version: "3.13"
21
+ - name: Install dependencies
22
+ run: uv sync --group dev
23
+ - name: Ruff format
24
+ run: uv run ruff format --check .
25
+ - name: Ruff lint
26
+ run: uv run ruff check .
27
+ - name: Mypy
28
+ run: uv run mypy src tests
29
+
30
+ test:
31
+ name: Test (py${{ matrix.python-version }})
32
+ runs-on: ubuntu-latest
33
+ strategy:
34
+ fail-fast: false
35
+ matrix:
36
+ python-version: ["3.13", "3.14"]
37
+ steps:
38
+ - uses: actions/checkout@v4
39
+ - uses: astral-sh/setup-uv@v5
40
+ with:
41
+ python-version: ${{ matrix.python-version }}
42
+ - name: Install dependencies
43
+ run: uv sync --group dev
44
+ - name: Pytest with coverage
45
+ run: uv run pytest --cov=asfops --cov-report=term --cov-report=xml
46
+
47
+ build:
48
+ name: Build distribution
49
+ runs-on: ubuntu-latest
50
+ steps:
51
+ - uses: actions/checkout@v4
52
+ - uses: astral-sh/setup-uv@v5
53
+ with:
54
+ python-version: "3.13"
55
+ - name: Build sdist and wheel
56
+ run: uv build
57
+ - name: Check metadata
58
+ run: uvx twine check dist/*
59
+ - name: Import smoke test
60
+ run: uv run --isolated --no-project --with dist/*.whl python -c "import asfops; print(asfops.__version__)"
@@ -0,0 +1,40 @@
1
+ name: Release
2
+
3
+ on:
4
+ push:
5
+ tags: ["v*"]
6
+
7
+ jobs:
8
+ build:
9
+ name: Build distribution
10
+ runs-on: ubuntu-latest
11
+ steps:
12
+ - uses: actions/checkout@v4
13
+ - uses: astral-sh/setup-uv@v5
14
+ with:
15
+ python-version: "3.13"
16
+ - name: Build sdist and wheel
17
+ run: uv build
18
+ - name: Check metadata
19
+ run: uvx twine check dist/*
20
+ - uses: actions/upload-artifact@v4
21
+ with:
22
+ name: dist
23
+ path: dist/
24
+
25
+ publish:
26
+ name: Publish to PyPI
27
+ needs: build
28
+ runs-on: ubuntu-latest
29
+ environment:
30
+ name: pypi
31
+ url: https://pypi.org/p/asfops
32
+ permissions:
33
+ id-token: write
34
+ steps:
35
+ - uses: actions/download-artifact@v4
36
+ with:
37
+ name: dist
38
+ path: dist/
39
+ - name: Publish (trusted publishing)
40
+ uses: pypa/gh-action-pypi-publish@release/v1
@@ -0,0 +1,218 @@
1
+ # Byte-compiled / optimized / DLL files
2
+ __pycache__/
3
+ *.py[codz]
4
+ *$py.class
5
+
6
+ # C extensions
7
+ *.so
8
+
9
+ # Distribution / packaging
10
+ .Python
11
+ build/
12
+ develop-eggs/
13
+ dist/
14
+ downloads/
15
+ eggs/
16
+ .eggs/
17
+ lib/
18
+ lib64/
19
+ parts/
20
+ sdist/
21
+ var/
22
+ wheels/
23
+ share/python-wheels/
24
+ *.egg-info/
25
+ .installed.cfg
26
+ *.egg
27
+ MANIFEST
28
+
29
+ # PyInstaller
30
+ # Usually these files are written by a python script from a template
31
+ # before PyInstaller builds the exe, so as to inject date/other infos into it.
32
+ *.manifest
33
+ *.spec
34
+
35
+ # Installer logs
36
+ pip-log.txt
37
+ pip-delete-this-directory.txt
38
+
39
+ # Unit test / coverage reports
40
+ htmlcov/
41
+ .tox/
42
+ .nox/
43
+ .coverage
44
+ .coverage.*
45
+ .cache
46
+ nosetests.xml
47
+ coverage.xml
48
+ *.cover
49
+ *.py.cover
50
+ .hypothesis/
51
+ .pytest_cache/
52
+ cover/
53
+
54
+ # Translations
55
+ *.mo
56
+ *.pot
57
+
58
+ # Django stuff:
59
+ *.log
60
+ local_settings.py
61
+ db.sqlite3
62
+ db.sqlite3-journal
63
+
64
+ # Flask stuff:
65
+ instance/
66
+ .webassets-cache
67
+
68
+ # Scrapy stuff:
69
+ .scrapy
70
+
71
+ # Sphinx documentation
72
+ docs/_build/
73
+
74
+ # PyBuilder
75
+ .pybuilder/
76
+ target/
77
+
78
+ # Jupyter Notebook
79
+ .ipynb_checkpoints
80
+
81
+ # IPython
82
+ profile_default/
83
+ ipython_config.py
84
+
85
+ # pyenv
86
+ # For a library or package, you might want to ignore these files since the code is
87
+ # intended to run in multiple environments; otherwise, check them in:
88
+ # .python-version
89
+
90
+ # pipenv
91
+ # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
92
+ # However, in case of collaboration, if having platform-specific dependencies or dependencies
93
+ # having no cross-platform support, pipenv may install dependencies that don't work, or not
94
+ # install all needed dependencies.
95
+ # Pipfile.lock
96
+
97
+ # UV
98
+ # Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
99
+ # This is especially recommended for binary packages to ensure reproducibility, and is more
100
+ # commonly ignored for libraries.
101
+ # uv.lock
102
+
103
+ # poetry
104
+ # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
105
+ # This is especially recommended for binary packages to ensure reproducibility, and is more
106
+ # commonly ignored for libraries.
107
+ # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
108
+ # poetry.lock
109
+ # poetry.toml
110
+
111
+ # pdm
112
+ # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
113
+ # pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
114
+ # https://pdm-project.org/en/latest/usage/project/#working-with-version-control
115
+ # pdm.lock
116
+ # pdm.toml
117
+ .pdm-python
118
+ .pdm-build/
119
+
120
+ # pixi
121
+ # Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
122
+ # pixi.lock
123
+ # Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
124
+ # in the .venv directory. It is recommended not to include this directory in version control.
125
+ .pixi
126
+
127
+ # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
128
+ __pypackages__/
129
+
130
+ # Celery stuff
131
+ celerybeat-schedule
132
+ celerybeat.pid
133
+
134
+ # Redis
135
+ *.rdb
136
+ *.aof
137
+ *.pid
138
+
139
+ # RabbitMQ
140
+ mnesia/
141
+ rabbitmq/
142
+ rabbitmq-data/
143
+
144
+ # ActiveMQ
145
+ activemq-data/
146
+
147
+ # SageMath parsed files
148
+ *.sage.py
149
+
150
+ # Environments
151
+ .env
152
+ .envrc
153
+ .venv
154
+ env/
155
+ venv/
156
+ ENV/
157
+ env.bak/
158
+ venv.bak/
159
+
160
+ # Spyder project settings
161
+ .spyderproject
162
+ .spyproject
163
+
164
+ # Rope project settings
165
+ .ropeproject
166
+
167
+ # mkdocs documentation
168
+ /site
169
+
170
+ # mypy
171
+ .mypy_cache/
172
+ .dmypy.json
173
+ dmypy.json
174
+
175
+ # Pyre type checker
176
+ .pyre/
177
+
178
+ # pytype static type analyzer
179
+ .pytype/
180
+
181
+ # Cython debug symbols
182
+ cython_debug/
183
+
184
+ # PyCharm
185
+ # JetBrains specific template is maintained in a separate JetBrains.gitignore that can
186
+ # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
187
+ # and can be added to the global gitignore or merged into this file. For a more nuclear
188
+ # option (not recommended) you can uncomment the following to ignore the entire idea folder.
189
+ # .idea/
190
+
191
+ # Abstra
192
+ # Abstra is an AI-powered process automation framework.
193
+ # Ignore directories containing user credentials, local state, and settings.
194
+ # Learn more at https://abstra.io/docs
195
+ .abstra/
196
+
197
+ # Visual Studio Code
198
+ # Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore
199
+ # that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
200
+ # and can be added to the global gitignore or merged into this file. However, if you prefer,
201
+ # you could uncomment the following to ignore the entire vscode folder
202
+ # .vscode/
203
+ # Temporary file for partial code execution
204
+ tempCodeRunnerFile.py
205
+
206
+ # Ruff stuff:
207
+ .ruff_cache/
208
+
209
+ # PyPI configuration file
210
+ .pypirc
211
+
212
+ # Marimo
213
+ marimo/_static/
214
+ marimo/_lsp/
215
+ __marimo__/
216
+
217
+ # Streamlit
218
+ .streamlit/secrets.toml
@@ -0,0 +1 @@
1
+ 3.13
@@ -0,0 +1,56 @@
1
+ # Contributing to asfops
2
+
3
+ ## Development setup
4
+
5
+ ```bash
6
+ uv sync --group dev
7
+ ```
8
+
9
+ ## Checks (what CI runs)
10
+
11
+ ```bash
12
+ uv run ruff format --check .
13
+ uv run ruff check .
14
+ uv run mypy src tests
15
+ uv run pytest --cov=asfops --cov-report=term
16
+ ```
17
+
18
+ All of the above must pass. Coverage is gated at 85%. Tests never require a
19
+ GitHub Copilot subscription — the Copilot SDK is faked and pydantic-ai's
20
+ `TestModel`/`FunctionModel` stand in for live models. Live tests are marked
21
+ `@pytest.mark.copilot` and are deselected by default; run them with
22
+ `uv run pytest -m copilot` once you're authenticated.
23
+
24
+ ## Architecture
25
+
26
+ - `models/` — the `CopilotModel` pydantic-ai provider (Copilot SDK bridge),
27
+ the shared client lifecycle, the fallback `CopilotBridge`, and model-ref
28
+ resolution. All Copilot-SDK touchpoints live here.
29
+ - `fleet/` — role schemas, the role registry, the 17-role roster, and the
30
+ per-member agent builder.
31
+ - `orchestrator.py` — triage → fan-out → synthesis.
32
+ - `results.py` — result models, usage aggregation, markdown report assembly.
33
+ - `api.py` — the public `Fleet` and module-level helpers.
34
+ - `cli/` — the typer + rich command-line interface.
35
+
36
+ ## Releasing to PyPI (trusted publishing)
37
+
38
+ Publishing is automated via GitHub Actions using PyPI
39
+ [trusted publishing](https://docs.pypi.org/trusted-publishers/) (OIDC — no API
40
+ tokens stored).
41
+
42
+ **One-time setup (maintainer):**
43
+
44
+ 1. On <https://pypi.org>, add a **pending publisher** for the project `asfops`:
45
+ - Owner: `brettbergin`
46
+ - Repository: `agentic-security-fleet-ops`
47
+ - Workflow: `release.yml`
48
+ - Environment: `pypi`
49
+ 2. In the GitHub repo settings, create an **Environment** named `pypi`
50
+ (optionally add required reviewers as a release gate).
51
+
52
+ **Each release:**
53
+
54
+ 1. Bump the version in `src/asfops/_version.py`.
55
+ 2. Commit, then tag: `git tag vX.Y.Z && git push origin vX.Y.Z`.
56
+ 3. The `Release` workflow builds the sdist/wheel and publishes to PyPI.
asfops-0.1.0/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Brett Bergin
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
asfops-0.1.0/PKG-INFO ADDED
@@ -0,0 +1,118 @@
1
+ Metadata-Version: 2.4
2
+ Name: asfops
3
+ Version: 0.1.0
4
+ Summary: Agentic Security Fleet Ops — an LLM-agent security department with a Security Orchestrator, built on pydantic-ai with a GitHub Copilot SDK provider.
5
+ Project-URL: Homepage, https://github.com/brettbergin/agentic-security-fleet-ops
6
+ Project-URL: Repository, https://github.com/brettbergin/agentic-security-fleet-ops
7
+ Project-URL: Issues, https://github.com/brettbergin/agentic-security-fleet-ops/issues
8
+ Author-email: Brett Bergin <brettberginbc@yahoo.com>
9
+ License-Expression: MIT
10
+ License-File: LICENSE
11
+ Keywords: agents,copilot,llm,orchestration,pydantic-ai,security
12
+ Classifier: Development Status :: 4 - Beta
13
+ Classifier: Intended Audience :: Developers
14
+ Classifier: Intended Audience :: Information Technology
15
+ Classifier: Operating System :: OS Independent
16
+ Classifier: Programming Language :: Python :: 3.13
17
+ Classifier: Programming Language :: Python :: 3.14
18
+ Classifier: Topic :: Security
19
+ Classifier: Typing :: Typed
20
+ Requires-Python: >=3.13
21
+ Requires-Dist: github-copilot-sdk<2,>=1.0.2
22
+ Requires-Dist: pydantic-ai>=1.0
23
+ Requires-Dist: pydantic>=2.10
24
+ Requires-Dist: rich>=13.9
25
+ Requires-Dist: typer>=0.15
26
+ Description-Content-Type: text/markdown
27
+
28
+ # asfops — Agentic Security Fleet Ops
29
+
30
+ [![CI](https://github.com/brettbergin/agentic-security-fleet-ops/actions/workflows/ci.yml/badge.svg)](https://github.com/brettbergin/agentic-security-fleet-ops/actions/workflows/ci.yml)
31
+ [![PyPI](https://img.shields.io/pypi/v/asfops.svg)](https://pypi.org/project/asfops/)
32
+ [![Python](https://img.shields.io/pypi/pyversions/asfops.svg)](https://pypi.org/project/asfops/)
33
+ [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
34
+
35
+ An entire security department as a fleet of LLM agents. Give `asfops` any security-relevant input — a code change, a design doc, an incident description, a compliance question — and the **Security Orchestrator** decides which security specialists should weigh in, runs them in parallel, and composes their findings into a single comprehensive markdown report.
36
+
37
+ Built on [pydantic-ai](https://ai.pydantic.dev/), with the [GitHub Copilot SDK](https://github.com/github/copilot-sdk) exposed as a first-class pydantic-ai provider (`CopilotModel`) — so the fleet runs on your GitHub Copilot subscription by default, or on any pydantic-ai model (OpenAI, Anthropic, …) you choose.
38
+
39
+ ## Install
40
+
41
+ ```bash
42
+ pip install asfops
43
+ # or
44
+ uv add asfops
45
+ ```
46
+
47
+ ## Quickstart
48
+
49
+ ```python
50
+ import asfops
51
+
52
+ result = asfops.assess_sync(
53
+ "Review this design: a public REST API that accepts file uploads "
54
+ "to S3 using presigned URLs, authenticated with long-lived API keys."
55
+ )
56
+
57
+ print(result.report_md) # the composed security report
58
+ print(result.triage.selected) # which specialists were engaged, and why
59
+ print(result.metadata) # per-agent model + token usage, per-model totals
60
+ ```
61
+
62
+ Async, with configuration:
63
+
64
+ ```python
65
+ from asfops import Fleet, FleetConfig
66
+
67
+ fleet = Fleet(FleetConfig(
68
+ default_model="copilot:claude-sonnet-4.5", # any pydantic-ai model ref works too
69
+ model_overrides={"threat-model": "anthropic:claude-sonnet-4-5"},
70
+ force_roles=("grc",),
71
+ max_concurrency=5,
72
+ ))
73
+ result = await fleet.assess("...")
74
+ ```
75
+
76
+ ## CLI
77
+
78
+ ```bash
79
+ asfops assess "We're adding a webhook receiver that executes user-supplied templates"
80
+ asfops roster # meet the department
81
+ asfops run threat-model "..." # engage a single specialist
82
+ asfops models # check Copilot availability / list models
83
+ ```
84
+
85
+ ## The fleet
86
+
87
+ 17 specialists covering the modern security department: Product Security, Security Architecture, Threat Modeling, AppSec, Cloud Security, IAM, Pen Testing, Red Team, Bug Bounty, Vulnerability Management, Supply Chain Security, Threat Detection, SOC, Incident Response/DFIR, GRC & Compliance, Privacy, and CISO-level leadership framing. `asfops roster` shows each role's charter.
88
+
89
+ ## Authentication
90
+
91
+ By default the fleet runs on the GitHub Copilot runtime (bundled CLI, auto-downloaded). You need a GitHub Copilot subscription and one of:
92
+
93
+ - being logged in via `gh auth login` / Copilot CLI, or
94
+ - `COPILOT_GITHUB_TOKEN` / `GH_TOKEN` / `GITHUB_TOKEN` set.
95
+
96
+ No Copilot? Point the fleet at any pydantic-ai provider: `FleetConfig(default_model="openai:gpt-5.2")` or `anthropic:claude-sonnet-4-5` with the corresponding API key.
97
+
98
+ ## Result metadata
99
+
100
+ Every `FleetResult` optionally includes (`include_metadata=True`, default):
101
+
102
+ - per-agent: role, resolved model id, input/output/cache token counts, duration
103
+ - totals per model, plus a grand total across the whole assessment
104
+
105
+ ## Development
106
+
107
+ ```bash
108
+ uv sync --group dev
109
+ uv run pytest --cov=asfops
110
+ uv run ruff format --check . && uv run ruff check .
111
+ uv run mypy src tests
112
+ ```
113
+
114
+ Releases: bump `src/asfops/_version.py`, tag `vX.Y.Z`, push the tag — GitHub Actions publishes to PyPI via [trusted publishing](https://docs.pypi.org/trusted-publishers/).
115
+
116
+ ## License
117
+
118
+ MIT
asfops-0.1.0/README.md ADDED
@@ -0,0 +1,91 @@
1
+ # asfops — Agentic Security Fleet Ops
2
+
3
+ [![CI](https://github.com/brettbergin/agentic-security-fleet-ops/actions/workflows/ci.yml/badge.svg)](https://github.com/brettbergin/agentic-security-fleet-ops/actions/workflows/ci.yml)
4
+ [![PyPI](https://img.shields.io/pypi/v/asfops.svg)](https://pypi.org/project/asfops/)
5
+ [![Python](https://img.shields.io/pypi/pyversions/asfops.svg)](https://pypi.org/project/asfops/)
6
+ [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
7
+
8
+ An entire security department as a fleet of LLM agents. Give `asfops` any security-relevant input — a code change, a design doc, an incident description, a compliance question — and the **Security Orchestrator** decides which security specialists should weigh in, runs them in parallel, and composes their findings into a single comprehensive markdown report.
9
+
10
+ Built on [pydantic-ai](https://ai.pydantic.dev/), with the [GitHub Copilot SDK](https://github.com/github/copilot-sdk) exposed as a first-class pydantic-ai provider (`CopilotModel`) — so the fleet runs on your GitHub Copilot subscription by default, or on any pydantic-ai model (OpenAI, Anthropic, …) you choose.
11
+
12
+ ## Install
13
+
14
+ ```bash
15
+ pip install asfops
16
+ # or
17
+ uv add asfops
18
+ ```
19
+
20
+ ## Quickstart
21
+
22
+ ```python
23
+ import asfops
24
+
25
+ result = asfops.assess_sync(
26
+ "Review this design: a public REST API that accepts file uploads "
27
+ "to S3 using presigned URLs, authenticated with long-lived API keys."
28
+ )
29
+
30
+ print(result.report_md) # the composed security report
31
+ print(result.triage.selected) # which specialists were engaged, and why
32
+ print(result.metadata) # per-agent model + token usage, per-model totals
33
+ ```
34
+
35
+ Async, with configuration:
36
+
37
+ ```python
38
+ from asfops import Fleet, FleetConfig
39
+
40
+ fleet = Fleet(FleetConfig(
41
+ default_model="copilot:claude-sonnet-4.5", # any pydantic-ai model ref works too
42
+ model_overrides={"threat-model": "anthropic:claude-sonnet-4-5"},
43
+ force_roles=("grc",),
44
+ max_concurrency=5,
45
+ ))
46
+ result = await fleet.assess("...")
47
+ ```
48
+
49
+ ## CLI
50
+
51
+ ```bash
52
+ asfops assess "We're adding a webhook receiver that executes user-supplied templates"
53
+ asfops roster # meet the department
54
+ asfops run threat-model "..." # engage a single specialist
55
+ asfops models # check Copilot availability / list models
56
+ ```
57
+
58
+ ## The fleet
59
+
60
+ 17 specialists covering the modern security department: Product Security, Security Architecture, Threat Modeling, AppSec, Cloud Security, IAM, Pen Testing, Red Team, Bug Bounty, Vulnerability Management, Supply Chain Security, Threat Detection, SOC, Incident Response/DFIR, GRC & Compliance, Privacy, and CISO-level leadership framing. `asfops roster` shows each role's charter.
61
+
62
+ ## Authentication
63
+
64
+ By default the fleet runs on the GitHub Copilot runtime (bundled CLI, auto-downloaded). You need a GitHub Copilot subscription and one of:
65
+
66
+ - being logged in via `gh auth login` / Copilot CLI, or
67
+ - `COPILOT_GITHUB_TOKEN` / `GH_TOKEN` / `GITHUB_TOKEN` set.
68
+
69
+ No Copilot? Point the fleet at any pydantic-ai provider: `FleetConfig(default_model="openai:gpt-5.2")` or `anthropic:claude-sonnet-4-5` with the corresponding API key.
70
+
71
+ ## Result metadata
72
+
73
+ Every `FleetResult` optionally includes (`include_metadata=True`, default):
74
+
75
+ - per-agent: role, resolved model id, input/output/cache token counts, duration
76
+ - totals per model, plus a grand total across the whole assessment
77
+
78
+ ## Development
79
+
80
+ ```bash
81
+ uv sync --group dev
82
+ uv run pytest --cov=asfops
83
+ uv run ruff format --check . && uv run ruff check .
84
+ uv run mypy src tests
85
+ ```
86
+
87
+ Releases: bump `src/asfops/_version.py`, tag `vX.Y.Z`, push the tag — GitHub Actions publishes to PyPI via [trusted publishing](https://docs.pypi.org/trusted-publishers/).
88
+
89
+ ## License
90
+
91
+ MIT
@@ -0,0 +1,91 @@
1
+ [build-system]
2
+ requires = ["hatchling"]
3
+ build-backend = "hatchling.build"
4
+
5
+ [project]
6
+ name = "asfops"
7
+ description = "Agentic Security Fleet Ops — an LLM-agent security department with a Security Orchestrator, built on pydantic-ai with a GitHub Copilot SDK provider."
8
+ readme = "README.md"
9
+ license = "MIT"
10
+ license-files = ["LICENSE"]
11
+ authors = [{ name = "Brett Bergin", email = "brettberginbc@yahoo.com" }]
12
+ requires-python = ">=3.13"
13
+ dynamic = ["version"]
14
+ keywords = ["security", "agents", "llm", "pydantic-ai", "copilot", "orchestration"]
15
+ classifiers = [
16
+ "Development Status :: 4 - Beta",
17
+ "Intended Audience :: Developers",
18
+ "Intended Audience :: Information Technology",
19
+ "Operating System :: OS Independent",
20
+ "Programming Language :: Python :: 3.13",
21
+ "Programming Language :: Python :: 3.14",
22
+ "Topic :: Security",
23
+ "Typing :: Typed",
24
+ ]
25
+ dependencies = [
26
+ "pydantic>=2.10",
27
+ "pydantic-ai>=1.0",
28
+ "github-copilot-sdk>=1.0.2,<2",
29
+ "typer>=0.15",
30
+ "rich>=13.9",
31
+ ]
32
+
33
+ [project.urls]
34
+ Homepage = "https://github.com/brettbergin/agentic-security-fleet-ops"
35
+ Repository = "https://github.com/brettbergin/agentic-security-fleet-ops"
36
+ Issues = "https://github.com/brettbergin/agentic-security-fleet-ops/issues"
37
+
38
+ [project.scripts]
39
+ asfops = "asfops.cli.app:main"
40
+
41
+ [dependency-groups]
42
+ dev = [
43
+ "pytest>=8.3",
44
+ "pytest-asyncio>=0.25",
45
+ "pytest-cov>=6.0",
46
+ "mypy>=1.14",
47
+ "ruff>=0.9",
48
+ ]
49
+
50
+ [tool.hatch.version]
51
+ path = "src/asfops/_version.py"
52
+
53
+ [tool.hatch.build.targets.wheel]
54
+ packages = ["src/asfops"]
55
+
56
+ [tool.ruff]
57
+ line-length = 100
58
+ target-version = "py313"
59
+
60
+ [tool.ruff.lint]
61
+ select = ["E", "F", "I", "UP", "B", "ASYNC", "RUF"]
62
+
63
+ [tool.mypy]
64
+ python_version = "3.13"
65
+ strict = true
66
+ warn_unreachable = true
67
+
68
+ [[tool.mypy.overrides]]
69
+ module = "copilot.*"
70
+ ignore_missing_imports = true
71
+ follow_untyped_imports = true
72
+
73
+ [tool.pytest.ini_options]
74
+ asyncio_mode = "auto"
75
+ testpaths = ["tests"]
76
+ addopts = "-m 'not copilot'"
77
+ markers = [
78
+ "copilot: live tests requiring GitHub Copilot auth (deselected by default)",
79
+ ]
80
+
81
+ [tool.coverage.run]
82
+ source = ["asfops"]
83
+
84
+ [tool.coverage.report]
85
+ fail_under = 85
86
+ show_missing = true
87
+ exclude_also = [
88
+ "if TYPE_CHECKING:",
89
+ "raise NotImplementedError",
90
+ "@overload",
91
+ ]