ops-copilot 0.1.0__py3-none-any.whl

ops_copilot/__init__.py

@@ -0,0 +1,17 @@
+from .graph import InvestigationGraph
+from .secrets import redact_secrets
+from .ssh import SSHClient, SSHError
+from .tools.base import RemoteTool, ToolResult
+from .tools.registry import ToolRegistry
+from .tools.shell import ShellTool
+
+__all__ = [
+    "InvestigationGraph",
+    "RemoteTool",
+    "SSHClient",
+    "SSHError",
+    "ShellTool",
+    "ToolRegistry",
+    "ToolResult",
+    "redact_secrets",
+]

ops_copilot/graph.py

@@ -0,0 +1,191 @@
+from __future__ import annotations
+
+import logging
+import time
+from collections.abc import AsyncGenerator, Callable, Sequence
+from typing import Annotated, Any
+
+from langchain_core.language_models.chat_models import BaseChatModel
+from langchain_core.messages import AIMessage, BaseMessage, HumanMessage, SystemMessage, ToolMessage
+from langgraph.graph import END, StateGraph
+from langgraph.graph.message import add_messages
+from langgraph.prebuilt import ToolNode
+from lc_content_normalizer import (
+    build_human_message_content,
+    extract_text_content,
+    normalize_tool_output,
+)
+from typing_extensions import TypedDict
+
+from ops_copilot.sanitizers import sanitize_agent_output
+
+logger = logging.getLogger(__name__)
+
+
+class AgentState(TypedDict):
+    messages: Annotated[Sequence[BaseMessage], add_messages]
+    tools_used: list[str]
+    iteration: int
+
+
+class InvestigationGraph:
+    """Two-node LangGraph investigation loop: agent -> tools -> agent."""
+
+    def __init__(
+        self,
+        llm: BaseChatModel,
+        tools: list,
+        *,
+        system_prompt: str,
+        vision_format: str = "openai",
+        sanitize_output: Callable[[str], str] = sanitize_agent_output,
+    ) -> None:
+        if not system_prompt:
+            raise ValueError("system_prompt is required")
+        self._system_prompt = system_prompt
+        self._vision_format = vision_format
+        self._sanitize_output = sanitize_output
+        self._tool_node = ToolNode(tools, handle_tool_errors=True)
+        try:
+            self._llm_with_tools = llm.bind_tools(tools) if tools else llm
+        except NotImplementedError:
+            self._llm_with_tools = llm
+        self._graph = self._build_graph()
+
+    @property
+    def vision_format(self) -> str:
+        return self._vision_format
+
+    def _build_graph(self) -> Any:
+        graph = StateGraph(AgentState)
+        graph.add_node("agent", self._agent_node)
+        graph.add_node("tools", self._tool_node_wrapper)
+        graph.set_entry_point("agent")
+        graph.add_conditional_edges("agent", self._should_continue, {"tools": "tools", "end": END})
+        graph.add_edge("tools", "agent")
+        return graph.compile()
+
+    async def _agent_node(self, state: AgentState) -> dict[str, Any]:
+        iteration = state.get("iteration", 0) + 1
+        response = await self._llm_with_tools.ainvoke(list(state["messages"]))
+        logger.debug(
+            "agent_iteration iteration=%d tool_calls=%d",
+            iteration,
+            len(response.tool_calls),
+        )
+        return {"messages": [response], "iteration": iteration}
+
+    async def _tool_node_wrapper(self, state: AgentState) -> dict[str, Any]:
+        result = await self._tool_node.ainvoke(state)
+        tools_used = list(state.get("tools_used", []))
+        for message in result.get("messages", []):
+            if isinstance(message, ToolMessage):
+                if message.name and message.name not in tools_used:
+                    tools_used.append(message.name)
+                content = extract_text_content(message.content)
+                if content.startswith("[TOOL ERROR]"):
+                    logger.warning("tool_error name=%s output=%s", message.name, content[:300])
+                message.content = self._sanitize_output(content)
+        return {**result, "tools_used": tools_used}
+
+    def _should_continue(self, state: AgentState) -> str:
+        last = state["messages"][-1]
+        return "tools" if isinstance(last, AIMessage) and last.tool_calls else "end"
+
+    async def run(
+        self,
+        user_message: str,
+        *,
+        history: list[BaseMessage] | None = None,
+        images: list[dict[str, str]] | None = None,
+    ) -> dict[str, Any]:
+        messages = self._build_messages(user_message, history=history, images=images)
+        start = time.monotonic()
+        final_state = await self._graph.ainvoke(
+            {"messages": messages, "tools_used": [], "iteration": 0}
+        )
+        duration = time.monotonic() - start
+        new_messages = list(final_state["messages"])[len(messages) :]
+        for message in new_messages:
+            if isinstance(message, AIMessage) and message.content:
+                message.content = self._sanitize_output(extract_text_content(message.content))
+        return {
+            "messages": new_messages,
+            "tools_used": final_state.get("tools_used", []),
+            "duration": duration,
+        }
+
+    async def stream(
+        self,
+        user_message: str,
+        *,
+        history: list[BaseMessage] | None = None,
+        images: list[dict[str, str]] | None = None,
+    ) -> AsyncGenerator[dict[str, Any], None]:
+        messages = self._build_messages(user_message, history=history, images=images)
+        try:
+            async for event in self._graph.astream_events(
+                {"messages": messages, "tools_used": [], "iteration": 0},
+                version="v2",
+            ):
+                event_name = event["event"]
+                if event_name == "on_chat_model_stream":
+                    chunk = event["data"].get("chunk")
+                    text = extract_text_content(getattr(chunk, "content", None)) if chunk else ""
+                    if text:
+                        yield {"event": "token", "data": self._sanitize_output(text)}
+                elif event_name == "on_tool_start":
+                    tool_name = event.get("name", "unknown")
+                    call_id = event.get("run_id") or event.get("data", {}).get("id") or ""
+                    step_id = (
+                        f"{tool_name}:{call_id}"
+                        if call_id
+                        else f"{tool_name}:{time.monotonic_ns()}"
+                    )
+                    yield {
+                        "event": "tool_start",
+                        "data": {
+                            "tool": tool_name,
+                            "input": event.get("data", {}).get("input", {}),
+                            "call_id": str(call_id),
+                            "step_id": step_id,
+                        },
+                    }
+                elif event_name == "on_tool_end":
+                    tool_name = event.get("name", "unknown")
+                    call_id = event.get("run_id") or event.get("data", {}).get("id") or ""
+                    step_id = f"{tool_name}:{call_id}" if call_id else ""
+                    output = self._sanitize_output(
+                        normalize_tool_output(event.get("data", {}).get("output", ""))
+                    )
+                    yield {
+                        "event": "tool_end",
+                        "data": {
+                            "tool": tool_name,
+                            "output": output,
+                            "call_id": str(call_id),
+                            "step_id": step_id,
+                        },
+                    }
+        except Exception as exc:
+            logger.error("stream_investigation_failed", exc_info=True)
+            yield {"event": "error", "data": {"error": str(exc)}}
+            return
+        yield {"event": "done", "data": {}}
+
+    def _build_messages(
+        self,
+        user_message: str,
+        *,
+        history: list[BaseMessage] | None = None,
+        images: list[dict[str, str]] | None = None,
+    ) -> list[BaseMessage]:
+        messages: list[BaseMessage] = [SystemMessage(content=self._system_prompt)]
+        if history:
+            messages.extend(history)
+        messages.append(
+            HumanMessage(
+                content=build_human_message_content(user_message, images, self._vision_format)
+            )
+        )
+        return messages

ops_copilot/sanitizers.py

@@ -0,0 +1,46 @@
+from __future__ import annotations
+
+import re
+
+from ops_copilot.secrets import redact_secrets
+
+_IMAGE_PLACEHOLDER_RE = re.compile(r"\[Image\s+\d+\]", re.IGNORECASE)
+_CLIPBOARD_ERROR_RE = re.compile(
+    r"ERROR:\s*Cannot read \"clipboard\" "
+    r"\(this model does not support image input\)\.?(?:\s*Inform the user\.?)?",
+    re.IGNORECASE,
+)
+_SYSTEM_REMINDER_RE = re.compile(
+    r"<system-reminder>.*?</system-reminder>",
+    re.IGNORECASE | re.DOTALL,
+)
+
+
+def sanitize_user_message(message: str) -> str:
+    cleaned = _SYSTEM_REMINDER_RE.sub(" ", message)
+    cleaned = _CLIPBOARD_ERROR_RE.sub(" ", cleaned)
+    cleaned = _IMAGE_PLACEHOLDER_RE.sub(" ", cleaned)
+    cleaned = re.sub(r"\n{2,}", "\n", cleaned)
+    cleaned = re.sub(r"[ \t]{2,}", " ", cleaned)
+    cleaned = re.sub(r" ?\n ?", "\n", cleaned)
+    lines = [line.strip() for line in cleaned.splitlines() if line.strip()]
+    return "\n".join(lines)
+
+
+def sanitize_agent_output(text: str) -> str:
+    text = redact_secrets(text)
+    text = _SYSTEM_REMINDER_RE.sub("", text)
+    if _CLIPBOARD_ERROR_RE.search(text):
+        return (
+            "The configured model rejected image input. Use a vision-capable model "
+            "or paste the alert text instead."
+        )
+    return text
+
+
+def build_user_display_message(message: str, image_count: int = 0) -> str:
+    cleaned = sanitize_user_message(message)
+    if image_count <= 0:
+        return cleaned
+    prefix = f"[Attached images: {image_count}]"
+    return f"{prefix}\n{cleaned}" if cleaned else prefix

ops_copilot/secrets.py

@@ -0,0 +1,62 @@
+from __future__ import annotations
+
+import re
+from collections.abc import Iterable
+
+__all__ = ["DEFAULT_SECRET_KEY_PATTERNS", "build_secret_key_regex", "redact_secrets"]
+
+DEFAULT_SECRET_KEY_PATTERNS: tuple[str, ...] = (
+    "password",
+    "secret",
+    "token",
+    "api_key",
+    "apikey",
+    "access_key",
+    "private_key",
+    "credential",
+)
+
+_ENV_LINE_RE = re.compile(r"^(\s*[A-Z_][A-Z0-9_]*\s*[=:]\s*)(.+)$", re.MULTILINE)
+_BEARER_RE = re.compile(r"(Bearer\s+)[^\s\"']+", re.IGNORECASE)
+_OPENAI_KEY_RE = re.compile(r"(sk-[A-Za-z0-9]{3})[A-Za-z0-9]{10,}")
+_JWT_RE = re.compile(r"eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}")
+_HEX_RUN_RE = re.compile(r"\b[0-9a-fA-F]{32,}\b")
+_DATA_URL_RE = re.compile(r"data:image/([a-zA-Z0-9.+-]+);base64,([A-Za-z0-9+/=]+)")
+
+
+def build_secret_key_regex(patterns: Iterable[str] | None = None) -> re.Pattern[str]:
+    items = list(patterns) if patterns is not None else list(DEFAULT_SECRET_KEY_PATTERNS)
+    items = [item.strip() for item in items if item and item.strip()]
+    if not items:
+        return re.compile(r"(?!x)x")
+    return re.compile("|".join(re.escape(item) for item in items), re.IGNORECASE)
+
+
+def _redact_image_data_urls(text: str) -> str:
+    return _DATA_URL_RE.sub(
+        lambda match: (
+            f"[REDACTED_IMAGE mime=image/{match.group(1)} bytes={len(match.group(2))}]"
+        ),
+        text,
+    )
+
+
+_DEFAULT_REGEX = build_secret_key_regex(DEFAULT_SECRET_KEY_PATTERNS)
+
+
+def redact_secrets(text: str) -> str:
+    if not text:
+        return text
+
+    def _mask_env_line(match: re.Match[str]) -> str:
+        prefix = match.group(1)
+        if _DEFAULT_REGEX.search(prefix):
+            return f"{prefix}[REDACTED]"
+        return match.group(0)
+
+    text = _ENV_LINE_RE.sub(_mask_env_line, text)
+    text = _BEARER_RE.sub(r"\1[REDACTED]", text)
+    text = _OPENAI_KEY_RE.sub(r"\1...[REDACTED]", text)
+    text = _JWT_RE.sub("[REDACTED_JWT]", text)
+    text = _HEX_RUN_RE.sub("[REDACTED_HEX]", text)
+    return _redact_image_data_urls(text)

ops_copilot/server.py

@@ -0,0 +1,62 @@
+from __future__ import annotations
+
+import json
+import os
+from collections.abc import AsyncGenerator, Callable
+from typing import Any
+
+from fastapi import Depends, FastAPI, Header, HTTPException
+from pydantic import BaseModel, Field
+from sse_starlette.sse import EventSourceResponse
+
+from ops_copilot.graph import InvestigationGraph
+
+
+class ImageInput(BaseModel):
+    data_url: str
+    mime_type: str
+    name: str | None = None
+
+
+class InvestigateRequest(BaseModel):
+    message: str = Field(min_length=1)
+    images: list[ImageInput] = Field(default_factory=list)
+
+
+def verify_api_key(x_api_key: str | None = Header(default=None)) -> None:
+    expected = os.getenv("OPS_COPILOT_API_KEY")
+    if expected and x_api_key != expected:
+        raise HTTPException(status_code=401, detail="Invalid API key")
+
+
+def create_app(graph_factory: Callable[[], InvestigationGraph]) -> FastAPI:
+    app = FastAPI(title="ops-copilot", version="0.1.0")
+
+    @app.post("/investigate", dependencies=[Depends(verify_api_key)])
+    async def investigate(request: InvestigateRequest) -> dict[str, Any]:
+        graph = graph_factory()
+        images = [image.model_dump() for image in request.images]
+        result = await graph.run(request.message, images=images)
+        return {
+            "messages": [
+                getattr(message, "content", str(message)) for message in result["messages"]
+            ],
+            "tools_used": result["tools_used"],
+            "duration": result["duration"],
+        }
+
+    @app.post("/investigate/stream", dependencies=[Depends(verify_api_key)])
+    async def investigate_stream(request: InvestigateRequest) -> EventSourceResponse:
+        graph = graph_factory()
+        images = [image.model_dump() for image in request.images]
+
+        async def event_generator() -> AsyncGenerator[dict[str, str], None]:
+            async for event in graph.stream(request.message, images=images):
+                data = (
+                    event["data"] if isinstance(event["data"], str) else json.dumps(event["data"])
+                )
+                yield {"event": event["event"], "data": data}
+
+        return EventSourceResponse(event_generator())
+
+    return app

ops_copilot/ssh.py

@@ -0,0 +1,90 @@
+from __future__ import annotations
+
+import asyncio
+import os
+
+import asyncssh
+
+
+class SSHError(Exception):
+    def __init__(self, message: str, exit_code: int | None = None, stderr: str = "") -> None:
+        super().__init__(message)
+        self.exit_code = exit_code
+        self.stderr = stderr
+
+
+class SSHClient:
+    def __init__(
+        self,
+        host: str,
+        user: str,
+        *,
+        port: int = 22,
+        key_path: str | None = None,
+        password: str | None = None,
+        known_hosts: str | None = None,
+        connect_timeout: int = 10,
+        command_timeout: int = 30,
+    ) -> None:
+        self.host = host
+        self.user = user
+        self.port = port
+        self.key_path = key_path
+        self.password = password
+        self.known_hosts = known_hosts
+        self.connect_timeout = connect_timeout
+        self.command_timeout = command_timeout
+        self._conn: asyncssh.SSHClientConnection | None = None
+        self._lock = asyncio.Lock()
+
+    async def _get_connection(self) -> asyncssh.SSHClientConnection:
+        async with self._lock:
+            if self._conn is not None:
+                return self._conn
+            connect_kwargs: dict = {}
+            if self.key_path and os.path.exists(self.key_path):
+                connect_kwargs["client_keys"] = [self.key_path]
+            elif self.password:
+                connect_kwargs = {"password": self.password, "client_keys": []}
+            else:
+                raise SSHError("No SSH credentials configured: provide key_path or password")
+
+            known_hosts = (
+                self.known_hosts
+                if self.known_hosts and os.path.exists(self.known_hosts)
+                else None
+            )
+            self._conn = await asyncssh.connect(
+                host=self.host,
+                port=self.port,
+                username=self.user,
+                known_hosts=known_hosts,
+                connect_timeout=self.connect_timeout,
+                **connect_kwargs,
+            )
+            return self._conn
+
+    async def run(self, command: str, timeout: int | None = None) -> str:
+        effective_timeout = timeout or self.command_timeout
+        for attempt in range(2):
+            conn = await self._get_connection()
+            try:
+                result = await asyncio.wait_for(
+                    conn.run(command, check=False), timeout=effective_timeout
+                )
+                if result.exit_status != 0:
+                    raise SSHError("Command failed", result.exit_status, str(result.stderr or ""))
+                return str(result.stdout or "")
+            except TimeoutError as exc:
+                raise SSHError(f"Command timeout after {effective_timeout}s", -1) from exc
+            except asyncssh.Error as exc:
+                async with self._lock:
+                    self._conn = None
+                if attempt == 1:
+                    raise SSHError(f"SSH connection failed: {exc}") from exc
+        raise SSHError("SSH connection failed after retry")
+
+    async def close(self) -> None:
+        if self._conn is not None:
+            self._conn.close()
+            self._conn = None

ops_copilot/tools/__init__.py

@@ -0,0 +1,6 @@
+from .base import RemoteTool, ToolResult
+from .executor import LangChainToolWrapper
+from .registry import ToolRegistry
+from .shell import ShellTool
+
+__all__ = ["LangChainToolWrapper", "RemoteTool", "ShellTool", "ToolRegistry", "ToolResult"]

ops_copilot/tools/base.py

@@ -0,0 +1,34 @@
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+from typing import Any
+
+from pydantic import BaseModel
+
+from ops_copilot.secrets import redact_secrets
+from ops_copilot.ssh import SSHClient, SSHError
+
+
+class ToolResult(BaseModel):
+    success: bool = True
+    output: str = ""
+    error: str | None = None
+
+
+class RemoteTool(ABC):
+    name: str
+    description: str
+
+    def __init__(self, ssh_client: SSHClient, *, meta: dict[str, Any] | None = None) -> None:
+        self.ssh = ssh_client
+        self.meta = meta or {}
+
+    @abstractmethod
+    async def execute(self, **kwargs: Any) -> ToolResult:
+        ...
+
+    async def _run_cmd(self, command: str, timeout: int | None = None) -> str:
+        try:
+            return redact_secrets(await self.ssh.run(command, timeout=timeout))
+        except SSHError as exc:
+            return redact_secrets(f"[ERROR] {exc} | stderr: {exc.stderr}")

ops_copilot/tools/executor.py

@@ -0,0 +1,67 @@
+from __future__ import annotations
+
+import logging
+from typing import Any
+
+from langchain_core.tools import BaseTool
+from pydantic import BaseModel, Field, PrivateAttr, create_model
+
+from ops_copilot.tools.base import RemoteTool
+
+logger = logging.getLogger(__name__)
+
+_TYPE_MAP: dict[str, type] = {
+    "string": str,
+    "integer": int,
+    "number": float,
+    "boolean": bool,
+}
+
+
+def _build_schema(tool: RemoteTool, tool_meta: dict[str, Any]) -> type[BaseModel]:
+    fields: dict[str, Any] = {}
+    for name, definition in tool_meta.get("parameters", {}).items():
+        ptype = _TYPE_MAP.get(definition.get("type", "string"), str)
+        default = definition.get("default", ...)
+        description = definition.get("description")
+        if default is ... and not definition.get("required", True):
+            fields[name] = (ptype | None, Field(default=None, description=description))
+        elif default is ...:
+            fields[name] = (ptype, Field(description=description))
+        else:
+            fields[name] = (ptype, Field(default=default, description=description))
+    if not fields:
+        fields["no_input"] = (str | None, Field(default=None))
+    return create_model(f"{tool.name}_Input", **fields)
+
+
+class LangChainToolWrapper(BaseTool):
+    name: str = ""
+    description: str = ""
+    args_schema: Any = None
+    _remote_tool: RemoteTool = PrivateAttr()
+
+    model_config = {"arbitrary_types_allowed": True}
+
+    def __init__(self, remote_tool: RemoteTool, tool_meta: dict[str, Any]):
+        super().__init__(
+            name=remote_tool.name,
+            description=remote_tool.description,
+            args_schema=_build_schema(remote_tool, tool_meta),
+        )
+        self._remote_tool = remote_tool
+
+    def _run(self, **kwargs: Any) -> str:
+        raise NotImplementedError
+
+    async def _arun(self, **kwargs: Any) -> str:
+        kwargs.pop("no_input", None)
+        try:
+            result = await self._remote_tool.execute(**kwargs)
+        except Exception as exc:
+            logger.error("tool_execute_exception name=%s", self.name, exc_info=True)
+            return f"[TOOL ERROR] {type(exc).__name__}: {exc}"
+        if not result.success:
+            logger.warning("tool_failed name=%s error=%s", self.name, result.error)
+            return f"[TOOL ERROR] {result.error}"
+        return result.output

ops_copilot/tools/registry.py

@@ -0,0 +1,71 @@
+from __future__ import annotations
+
+import logging
+from pathlib import Path
+from typing import Any
+
+import yaml
+
+from ops_copilot.ssh import SSHClient
+from ops_copilot.tools.base import RemoteTool
+from ops_copilot.tools.executor import LangChainToolWrapper
+from ops_copilot.tools.shell import ShellTool
+
+logger = logging.getLogger(__name__)
+
+
+class ToolRegistry:
+    def __init__(
+        self,
+        ssh_client: SSHClient,
+        tool_classes: dict[str, type[RemoteTool]] | None = None,
+        config_path: str | Path = "tools.yaml",
+    ) -> None:
+        self._ssh = ssh_client
+        self._tool_classes = tool_classes or {}
+        self._config_path = Path(config_path)
+        self._tools: dict[str, LangChainToolWrapper] = {}
+        self._meta: dict[str, dict[str, Any]] = {}
+
+    def load(self) -> list[LangChainToolWrapper]:
+        with self._config_path.open(encoding="utf-8") as fh:
+            config = yaml.safe_load(fh) or {}
+
+        loaded: list[LangChainToolWrapper] = []
+        for definition in self._iter_tool_definitions(config):
+            name = definition["name"]
+            tool_cls = self._resolve_tool_class(definition)
+            if tool_cls is None:
+                logger.warning("tool_unknown name=%s", name)
+                continue
+            instance = tool_cls(ssh_client=self._ssh, meta=definition)
+            instance.name = name
+            instance.description = definition.get("description", instance.description)
+            wrapper = LangChainToolWrapper(remote_tool=instance, tool_meta=definition)
+            self._tools[name] = wrapper
+            self._meta[name] = definition
+            loaded.append(wrapper)
+        return loaded
+
+    def get_tool(self, name: str) -> LangChainToolWrapper | None:
+        return self._tools.get(name)
+
+    def get_all_meta(self) -> dict[str, dict[str, Any]]:
+        return dict(self._meta)
+
+    def list_names(self) -> list[str]:
+        return list(self._tools.keys())
+
+    def _resolve_tool_class(self, definition: dict[str, Any]) -> type[RemoteTool] | None:
+        if definition.get("type") == "shell" or "command" in definition:
+            return ShellTool
+        return self._tool_classes.get(definition["name"])
+
+    @staticmethod
+    def _iter_tool_definitions(config: dict[str, Any]) -> list[dict[str, Any]]:
+        if "tools" in config:
+            return list(config.get("tools") or [])
+        definitions: list[dict[str, Any]] = []
+        for category in (config.get("categories") or {}).values():
+            definitions.extend(category.get("tools") or [])
+        return definitions

ops_copilot/tools/shell.py

@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+import string
+from typing import Any
+
+from ops_copilot.tools.base import RemoteTool, ToolResult
+
+
+class ShellTool(RemoteTool):
+    name = "shell"
+    description = "Run a configured shell command over SSH."
+
+    def __init__(self, ssh_client, *, meta: dict[str, Any] | None = None) -> None:
+        super().__init__(ssh_client, meta=meta)
+        self.name = self.meta.get("name", self.name)
+        self.description = self.meta.get("description", self.description)
+        self.command = self.meta.get("command", "")
+        self.timeout = self.meta.get("timeout")
+        if not self.command:
+            raise ValueError("ShellTool requires a command in tool metadata")
+
+    async def execute(self, **kwargs: Any) -> ToolResult:
+        try:
+            command = self._render_command(kwargs)
+            output = await self._run_cmd(command, timeout=self.timeout)
+            if output.startswith("[ERROR]"):
+                return ToolResult(success=False, error=output)
+            return ToolResult(output=output)
+        except KeyError as exc:
+            return ToolResult(success=False, error=f"Missing command parameter: {exc.args[0]}")
+
+    def _render_command(self, values: dict[str, Any]) -> str:
+        formatter = string.Formatter()
+        names = [field_name for _, field_name, _, _ in formatter.parse(self.command) if field_name]
+        missing = [name for name in names if name not in values or values[name] is None]
+        if missing:
+            raise KeyError(missing[0])
+        return self.command.format(**values)

ops_copilot-0.1.0.dist-info/METADATA

@@ -0,0 +1,192 @@
+Metadata-Version: 2.4
+Name: ops-copilot
+Version: 0.1.0
+Summary: Self-hosted SRE investigation copilot with YAML tools, SSH execution, SSE streaming, and secret redaction.
+Project-URL: Homepage, https://github.com/benjaminjornet/ops-copilot
+Project-URL: Issues, https://github.com/benjaminjornet/ops-copilot/issues
+Author-email: Benjamin Jornet <benjamin.jornet@gmail.com>
+License: MIT License
+        
+        Copyright (c) 2026 Benjamin Jornet
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+License-File: LICENSE
+Keywords: incident-response,langgraph,llm,ops,sre,ssh
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Python: >=3.11
+Requires-Dist: asyncssh>=2.14
+Requires-Dist: langchain-content-normalizer>=0.1.0
+Requires-Dist: langchain-core>=0.3
+Requires-Dist: langgraph>=0.2
+Requires-Dist: pydantic>=2
+Requires-Dist: pyyaml>=6
+Provides-Extra: ollama
+Requires-Dist: langchain-community>=0.3; extra == 'ollama'
+Provides-Extra: openai
+Requires-Dist: langchain-openai>=0.2; extra == 'openai'
+Provides-Extra: server
+Requires-Dist: fastapi>=0.115; extra == 'server'
+Requires-Dist: sse-starlette>=2; extra == 'server'
+Requires-Dist: uvicorn>=0.32; extra == 'server'
+Description-Content-Type: text/markdown
+
+# ops-copilot
+
+[![CI](https://github.com/BenjaminJornet/ops-copilot/actions/workflows/ci.yml/badge.svg)](https://github.com/BenjaminJornet/ops-copilot/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![Python](https://img.shields.io/badge/python-3.11%2B-blue.svg)](pyproject.toml)
+
+Self-hosted SRE investigation copilot for production systems.
+
+`ops-copilot` lets an LLM call tools defined in YAML, execute safe remote commands over SSH, redact secrets from outputs, and stream investigation events through LangGraph or an optional FastAPI SSE server.
+
+## Architecture
+
+```text
+User question -> InvestigationGraph -> LLM -> YAML tools -> SSH host
+                                      <- redacted tool output <- command result
+```
+
+The package is intentionally generic. You can start with shell tools from YAML, then inject custom Python `RemoteTool` classes for richer workflows.
+
+## Install
+
+```bash
+uv add ops-copilot
+```
+
+Optional extras:
+
+```bash
+uv add 'ops-copilot[server]'
+uv add 'ops-copilot[openai]'
+uv add 'ops-copilot[ollama]'
+```
+
+## YAML tools
+
+```yaml
+tools:
+  - name: disk_usage
+    type: shell
+    description: Show filesystem usage.
+    command: df -h
+
+  - name: journalctl_service
+    type: shell
+    description: Show recent logs for a systemd service.
+    command: journalctl -u {service} --since '{since}' --no-pager
+    parameters:
+      service:
+        type: string
+      since:
+        type: string
+        required: false
+        default: "30 minutes ago"
+```
+
+## Minimal usage
+
+```python
+from ops_copilot import InvestigationGraph, SSHClient, ToolRegistry
+
+ssh = SSHClient(host="server.example.com", user="deploy", key_path="~/.ssh/id_ed25519")
+tools = ToolRegistry(ssh, config_path="tools.yaml").load()
+
+graph = InvestigationGraph(
+    llm=your_langchain_chat_model,
+    tools=tools,
+    system_prompt="You are an SRE copilot. Investigate safely and report evidence.",
+)
+
+async for event in graph.stream("The API is slow. What should I check?"):
+    print(event)
+```
+
+## Streaming events
+
+`InvestigationGraph.stream()` yields dictionaries with these event names:
+
+| Event | Meaning |
+| --- | --- |
+| `token` | streamed model text |
+| `tool_start` | tool call started with input and step id |
+| `tool_end` | tool call finished with redacted output |
+| `error` | graph or stream error |
+| `done` | investigation complete |
+
+## Optional FastAPI server
+
+The `ops_copilot.server.create_app()` helper exposes:
+
+- `POST /investigate`
+- `POST /investigate/stream`
+
+If `OPS_COPILOT_API_KEY` is set, clients must send `X-API-Key`.
+
+## Security notes
+
+This project executes commands on servers you control. Treat `tools.yaml` as privileged code.
+
+Recommendations:
+
+- Use SSH key auth with least-privilege users.
+- Review every command template before exposing it to an LLM.
+- Avoid destructive commands in YAML.
+- Keep parameterized commands narrow.
+- Store no secrets in YAML or prompts.
+- Rely on built-in redaction as a safety net, not as your only control.
+
+Built-in redaction covers env-style secret lines, Bearer tokens, OpenAI-style keys, JWTs, long hex runs, and inline image data URLs.
+
+## Documentation and examples
+
+- `docs/security-model.md` documents threat boundaries and deployment controls.
+- `docs/writing-tools.md` explains YAML and custom Python tools.
+- `docs/server.md` covers the optional FastAPI/SSE integration.
+- `docs/maintenance-workflows.md` describes maintainer workflows and review checklists.
+- `examples/local_demo.py` runs without a real SSH host using fake outputs.
+- `examples/custom_tool.py` shows how to inject a custom `RemoteTool` class.
+
+## Roadmap
+
+- Command allowlist validation for shell tools.
+- Built-in Docker and systemd tool packs.
+- Persistent investigation sessions.
+- Audit log export.
+- More fake incident fixtures for regression tests.
+
+## Development
+
+```bash
+uv sync --dev
+uv run ruff check .
+uv run pytest
+uv run python scripts/smoke.py
+```
+
+## License
+
+MIT

ops_copilot-0.1.0.dist-info/RECORD

@@ -0,0 +1,15 @@
+ops_copilot/__init__.py,sha256=Qr4TVrJt8pmbpPVfNv2J6qoYOk-Dfvk_JIPVWf3b6Fo,403
+ops_copilot/graph.py,sha256=ruDxwePfYOZpdS95GPf1TEqRuhhfWIG_RzJ-RLn0c3s,7661
+ops_copilot/sanitizers.py,sha256=6qNH6QwpAouIMLbZi2RiHwy-LbtDgMrglE8CmQcm7Io,1529
+ops_copilot/secrets.py,sha256=1cPbh9FOq0HOE1wfUpjgGmYXPm70VHZq59LSrNnRRCQ,2033
+ops_copilot/server.py,sha256=N7X7LQQ2WDSRz5hfuDh0a1xfu4cdVVH1eyWiYXbufmQ,2190
+ops_copilot/ssh.py,sha256=hNtNi8ejk2STxIwNHCRz83fVkKpZ_DPkSglcR8XD-S8,3177
+ops_copilot/tools/__init__.py,sha256=QmJZxov-R_jNqFpcDLkTIjC1OwpM24b5GK8H02MovOw,241
+ops_copilot/tools/base.py,sha256=pqtcdf8VNJJ68eOx8nqyzOl36WkLNCN4-aYSY29VxOw,916
+ops_copilot/tools/executor.py,sha256=212NtgpTIryvtxlL5zkYQP9IhekdRxn9D_P6N4aWwZ0,2353
+ops_copilot/tools/registry.py,sha256=Fp48mFi7X7hLfsUM9ipoqb_xOqYmhcotqKW-CKJJM_s,2598
+ops_copilot/tools/shell.py,sha256=hAdjIY8_mT4QUFUMQQbFwoYUWbFwKz9HbmfGzL6nWx8,1580
+ops_copilot-0.1.0.dist-info/METADATA,sha256=t-4pD3fjbI8zn2uwckvZGhxq5u_7WvhT9N57bn7mVPQ,6614
+ops_copilot-0.1.0.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+ops_copilot-0.1.0.dist-info/licenses/LICENSE,sha256=WdZfrCBxqj0eY04I5UNmeuqGPeyWa4YGULcHq6cWXS8,1072
+ops_copilot-0.1.0.dist-info/RECORD,,

ops_copilot-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.29.0
+Root-Is-Purelib: true
+Tag: py3-none-any

ops_copilot-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Benjamin Jornet
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.