Skip to main content

CLI for Google Gemini Enterprise

Project description

getop

Gemini Enterprise PyPI uv Python

getop is a command-line tool for Google Gemini Enterprise administrators.

getop allows you to:

  • Inventory everything deployed — engines, data stores, connectors, agents, and license seats in one overview
  • Monitor connector health — sync state, freshness, and errors across every collection
  • Investigate prompts and replies (if logging is enabled) — per user or fleet-wide, live-tailable
  • See what Model Armor caught — jailbreak, RAI, and malicious-URI hits, plus the active policy
  • Stay ahead of quota — usage vs limits with one-click links to the Cloud console
  • Run a health check — a parallel PASS/WARN/FAIL sweep with CI-friendly exit codes

Read-only by design — every command runs with viewer roles alone.

$ getop info
             Gemini Enterprise — acme-search-prod (global)

╭──── Engines ─────╮  ╭── Data stores ───╮  ╭──── Connectors ────╮
│        2         │  │        9         │  │     2/3 ACTIVE     │
╰──────────────────╯  ╰──────────────────╯  ╰────────────────────╯
╭───── Agents ─────╮  ╭───── Licenses ─────╮
│        41        │  │   418/500 (84%)    │
╰──────────────────╯  ╰────────────────────╯

╭────────────── Support Search ──────────────╮  ╭───────────────── Sandbox ──────────────────╮
│ SEARCH · GENERIC · intranet · 2026-04-08   │  │ SEARCH · GENERIC · intranet · 2026-03-26   │
│ Data stores (4)                            │  │ Data stores (3)                            │
│   • sharepoint_1774_file  ← sharepoint     │  │   • sharepoint_1774_file  ← sharepoint     │
│   • sharepoint_1774_page  ← sharepoint     │  │   • onedrive_1775_file    ← onedrive       │
│   • onedrive_1775_file    ← onedrive       │  │   • gdrive_1778_file      ← google_drive   │
│   • jira_1778_issue  ← jira  PAUSED        │  │ Agents (4 — 4 enabled, 0 defaults)         │
│ Agents (41 — 4 enabled, 37 defaults)       │  │   • Security Reviewer   ENABLED            │
│   • Deep Research      ENABLED             │  │   • Deep Research       ENABLED            │
│   • Contract Analyst   ENABLED             │  │   • Idea Generation     ENABLED            │
│   • My Agent ×37 (user defaults)           │  │ Features (14 on · 7 off)                   │
│ Features (16 on · 5 off)                   │  │   ✓ agent-gallery model-selector           │
│   ✓ agent-gallery model-selector           │  │   ✗ session-sharing onedrive-upload        │
│   ✗ agent-sharing-without-approval         │  ╰──────────── sandbox_1774543712 ────────────╯
╰──────── support-search_1775663018 ─────────╯

Two environments side by side. At a glance: prod's Jira connector is PAUSED (the 2/3 tile), licenses are at 84%, and sandbox has session-sharing and onedrive-upload disabled where prod allows them.

By design, the current release is strictly read-only — every command works with viewer roles alone, so it can be handed to anyone on the team without change-risk. It may grow administrative verbs (e.g. triggering connector syncs, managing agents) in a future release.

Contributing with an AI coding agent? Read AGENTS.md — it maps the project subagents, skills and hard constraints.

Install

pipx install getop

Also works with uv tool install getop or pip install getop. See Authentication for the one-time credential setup.

Commands

getop info — project overview

A whole-project dashboard: summary tiles (engines, data stores, connector health, agents, and license seats / activation / unmet demand) plus a card per engine showing its data stores with their connector sources, its agents ("My Agent" user defaults collapsed into a single ×N line), and its feature toggles. Diffing two environments' cards is the fastest way to spot config drift. Output is shown at the top of this page.

getop ls — inventory

getop ls engines|datastores|connectors|agents|licenses

Lists resources across the collection hierarchy: engines and data stores under default_collection, data connectors across all collections (each connector-backed source lives in its own), agents per engine, and user licenses.

$ getop ls connectors
                               Data Connectors
┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┓
┃ Collection           ┃ Data Source ┃ State  ┃ Refresh Interval ┃ Entities ┃
┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━┩
│ acme-sharepoint_1774 │ sharepoint  │ ACTIVE │ 86400s           │ 5        │
│ acme-onedrive_1775   │ onedrive    │ ACTIVE │ 86400s           │ 1        │
└──────────────────────┴─────────────┴────────┴──────────────────┴──────────┘

$ getop ls licenses
                                 User Licenses
┏━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓
┃ User              ┃ State    ┃ Config      ┃ Last Login          ┃
┡━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩
│ alice@example.com │ ASSIGNED │ enterprise  │ 2026-07-03T12:47:25 │
│ bob@example.com   │ ASSIGNED │ enterprise  │ 2026-07-03T11:25:22 │
└───────────────────┴──────────┴─────────────┴─────────────────────┘

getop logs — view and tail logs

getop logs connector [--datastore ID] [--severity ERROR] [--since 1h]
getop logs user [email] [--since 24h] [--follow]
getop logs ai [--since 24h] [--follow]

connector shows sync activity. user shows end-user activity — prompts, replies, searches, and Model Armor events — for one user or all. ai streams the raw gen_ai content logs (no identity field; use user to scope by principal). --follow/-f tails any stream; an empty result says whether logging is off or just unmatched.

$ getop logs user --since 24h
╭──────────────────────────────── SENSITIVE ─────────────────────────────────╮
│ ⚠  Output may include end-user prompt/response content if prompt/response   │
│ logging is enabled on this project.                                         │
╰─────────────────────────────────────────────────────────────────────────────╯
                          User activity: all users (24h)
┏━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓
┃ Time     ┃ Severity ┃ User            ┃ Message               ┃ Reply (truncated)   ┃
┡━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩
│ 16:57:06 │ INFO     │ alice@example.… │ StreamAssist: What's  │ Your travel policy  │
│          │          │                 │ our travel policy?    │ allows economy fa…  │
│ 12:49:04 │ WARNING  │ bob@example.com │ ModelArmorAudit:      │                     │
│          │          │                 │ Ignore all previous…  │                     │
└──────────┴──────────┴─────────────────┴───────────────────────┴─────────────────────┘

The WARNING row is Model Armor flagging a prompt-injection attempt. Tail it live with getop logs user -f, or pull full transcripts with --json.

getop armor — Model Armor violations

getop armor [--since 24h] [--all]

Surfaces prompts and responses that Model Armor flagged, with the filters that tripped and their confidence (jailbreak, RAI categories, CSAM, malicious URIs). Violations only by default; --all includes clean screenings. Carries no user identity — pair with getop logs user.

Add --summary for a per-filter rollup — hit counts, last seen, and an example input per category — instead of the event-by-event list:

$ getop armor --summary --since 7d
              Model Armor hits by filter (7d)
┏━━━━━━━━━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓
┃ Filter           ┃ Hits ┃ Last seen           ┃ Example input       ┃
┡━━━━━━━━━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩
│ pi_and_jailbreak │ 3    │ 2026-07-03T12:49:03 │ Ignore all previou… │
│ malicious_uris   │ 2    │ 2026-07-03T09:14:00 │ http://testsafebro… │
└──────────────────┴──────┴─────────────────────┴─────────────────────┘

Add --policy to print the configured Model Armor template(s) instead — the filters that are enabled and at what confidence:

$ getop armor --policy
            Model Armor policy — ge-default-amer (us)
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Filter                            ┃ Enforcement ┃ Confidence       ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
│ Prompt injection & jailbreak      │ ENABLED     │ HIGH             │
│ Responsible AI: DANGEROUS         │ ENABLED     │ MEDIUM_AND_ABOVE │
│ Malicious URIs                    │ ENABLED     │                  │
└───────────────────────────────────┴─────────────┴──────────────────┘
$ getop armor --since 7d
                          Model Armor violations (7d)
┏━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ Time     ┃ Direction ┃ Match       ┃ Filters                   ┃ Content        ┃
┡━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ 12:49:03 │ prompt    │ MATCH_FOUND │ pi_and_jailbreak(HIGH),   │ Ignore all     │
│          │           │             │ rai:dangerous(HIGH)       │ previous inst… │
└──────────┴───────────┴─────────────┴───────────────────────────┴────────────────┘

getop stats — metrics

getop stats [--engine ID] [--since 24h]

Discovers the project's discoveryengine.googleapis.com metrics at runtime and summarises query volume, latency and connector sync freshness over the window.

$ getop stats --since 24h
                 Discovery Engine metrics — acme-search-prod (global)
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓
┃ Metric type                       ┃ Category  ┃ Points ┃ Aggregate           ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩
│ …/serving/search_request_count    │ volume    │ 288    │ 1,204 (sum)         │
│ …/serving/search_latencies        │ latency   │ 288    │ 342 (p95)           │
│ …/dataconnector/synced_doc_count  │ connector │ 24     │ 48,102 (sum)        │
└───────────────────────────────────┴───────────┴────────┴─────────────────────┘

getop quota — quota usage

getop quota [--since 24h]

Pairs each Discovery Engine quota's latest usage with its limit per location: percent used (highlighted at ≥75% / ≥90%), byte quotas in human units, and counts of quota-exceeded events over the window — the quickest way to spot the next capacity ceiling before ingestion hits it. On terminals that support hyperlinks, each quota name links to the project's Cloud console quotas page.

$ getop quota
                Discovery Engine quotas — acme-search-prod (global)
┏━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
┃ Quota                  ┃ Location ┃ Usage     ┃ Limit      ┃ Used ┃ Exceeded ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
│ document_size_tier_st… │ global   │ 85.6 MiB  │ 1.0 GiB    │ 8.4% │          │
│ data_stores_regional   │ global   │ 8         │ 100        │ 8.0% │          │
│ documents_regional     │ global   │ 76        │ 10,000,000 │ 0.0% │          │
└────────────────────────┴──────────┴───────────┴────────────┴──────┴──────────┘

getop doctor — health check

getop doctor [--since 24h]

Runs the whole suite concurrently and renders a live PASS/WARN/FAIL table across inventory reachability, connector states and sync freshness, connector/API error logs, and metric availability. Exits non-zero if any check fails, so it drops straight into CI or cron.

$ getop doctor
                     getop doctor — acme-search-prod (global)
┏━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Check                  ┃ Status ┃ Detail                                    ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ engines                │ OK     │ 1 engine(s): support-search               │
│ datastores             │ OK     │ 6 data store(s)                           │
│ data connectors        │ OK     │ 2 connector(s), all ACTIVE, synced <24h   │
│ agents                 │ OK     │ 37 agent(s) across 1 engine(s)            │
│ connector errors (24h) │ OK     │ no connector ERROR logs since 24h         │
│ API errors (24h)       │ OK     │ no discoveryengine API ERROR logs         │
│ monitoring metrics     │ OK     │ 369 metric type(s) discovered             │
└────────────────────────┴────────┴───────────────────────────────────────────┘

getop version

$ getop version
getop 0.2.2 (v0.2.2, commit a1854e8)

Prints the release, tag and the git commit the package was built from.

getop update

$ getop update
Update available: 0.2.2 → 0.3.0
$ pipx upgrade getop

Checks PyPI for a newer release and upgrades in place, detecting whether you installed via pipx, uv or pip. Use --check to only report.

Global options

Available on every command:

Switch Meaning
--project / -p Target GCP project. Defaults to the ADC project; also reads GOOGLE_CLOUD_PROJECT.
--location / -l Gemini Enterprise location (default global). Regional values route to {location}-discoveryengine.googleapis.com.
--quota-project Project to bill API quota against when you lack serviceusage.services.use on the target; also reads GOOGLE_CLOUD_QUOTA_PROJECT.
--json Machine-readable output on every command (newline-delimited JSON in --follow mode).
--since Look-back window on time-based commands: 30m, 1h, 24h, 7d.

Every table above is also available as JSON — pipe it straight into jq:

getop quota --json | jq '.[] | select(.percent_used > 75)'
getop ls licenses --json | jq '[.[] | select(.last_login_time == null)] | length'

Authentication

Authenticate once with Application Default Credentials:

gcloud auth application-default login

getop never reads or writes key files. Each command needs only a viewer role:

Role Used by
roles/discoveryengine.viewer getop ls …, getop info, getop doctor
roles/logging.viewer getop logs …, getop doctor
roles/monitoring.viewer getop stats, getop quota, getop doctor
roles/modelarmor.viewer getop armor --policy

User credentials (as opposed to service accounts) also need a quota project: getop uses the target project automatically, which requires serviceusage.services.use there. If you don't have it, use --quota-project.

Enabling connector/observability logging on a project is a one-time setup step requiring roles/discoveryengine.agentspaceAdmin; getop only ever reads what's there.

License

MIT © Egen — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

getop-1.0.1.tar.gz (54.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

getop-1.0.1-py3-none-any.whl (46.5 kB view details)

Uploaded Python 3

File details

Details for the file getop-1.0.1.tar.gz.

File metadata

  • Download URL: getop-1.0.1.tar.gz
  • Upload date:
  • Size: 54.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for getop-1.0.1.tar.gz
Algorithm Hash digest
SHA256 b09e44a747bfc08148321bbc83fc9ac8776593bdc17422c0a52d3a6e345a439c
MD5 920eba94097eba4ff0f5e61c789b62ee
BLAKE2b-256 9e9cda592a6955aa5337aed299ebbdc260dc63eb6ede5387ff6295cc66a03065

See more details on using hashes here.

Provenance

The following attestation bundles were made for getop-1.0.1.tar.gz:

Publisher: release.yml on egen/getop

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file getop-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: getop-1.0.1-py3-none-any.whl
  • Upload date:
  • Size: 46.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for getop-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 f2d301b83b5aadd8b3729c3e79ccbf1b1be819109511222b3f5bad2c4e9b2855
MD5 39512fa0c3a5436fd59ad050e8f97bea
BLAKE2b-256 626704c5d477553cb75e64edc6aaf6be532d883a35bcdafdfaaccababeac597d

See more details on using hashes here.

Provenance

The following attestation bundles were made for getop-1.0.1-py3-none-any.whl:

Publisher: release.yml on egen/getop

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page