Self-hosted SRE investigation copilot with YAML tools, SSH execution, SSE streaming, and secret redaction.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for benjamin-j from gravatar.com benjamin-j

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT License)
  • Author: Benjamin Jornet
  • Tags incident-response , langgraph , llm , ops , sre , ssh
  • Requires: Python >=3.11
  • Provides-Extra: ollama , openai , server
Classifiers
Report project as malware

Project description

ops-copilot

CI PyPI Downloads License: MIT Python

Self-hosted SRE investigation copilot for production systems.

ops-copilot lets an LLM call tools defined in YAML, execute safe remote commands over SSH, redact secrets from outputs, and stream investigation events through LangGraph or an optional FastAPI SSE server.

Who this is for

  • SREs and platform engineers running self-hosted infrastructure.
  • Open source maintainers operating docs, bots, CI runners, demos, or package services.
  • Teams that want reviewed operational tools instead of free-form shell access.
  • Developers building incident-investigation UIs around LangGraph or LangChain.

Maintenance workflows

This repository is maintained with CI, build checks, smoke tests, release workflows, Dependabot, issue templates, PR checklists, a security model, and PyPI releases.

Typical maintainer tasks include reviewing YAML tools, triaging operational edge cases, adding tests for sanitizer and command-rendering behavior, and preparing safe releases.

Architecture

User question -> InvestigationGraph -> LLM -> YAML tools -> SSH host
                                      <- redacted tool output <- command result

The package is intentionally generic. You can start with shell tools from YAML, then inject custom Python RemoteTool classes for richer workflows.

Install

uv add ops-copilot

Optional extras:

uv add 'ops-copilot[server]'
uv add 'ops-copilot[openai]'
uv add 'ops-copilot[ollama]'

YAML tools

tools:
  - name: disk_usage
    type: shell
    description: Show filesystem usage.
    command: df -h

  - name: journalctl_service
    type: shell
    description: Show recent logs for a systemd service.
    command: journalctl -u {service} --since '{since}' --no-pager
    parameters:
      service:
        type: string
      since:
        type: string
        required: false
        default: "30 minutes ago"

Minimal usage

from ops_copilot import InvestigationGraph, SSHClient, ToolRegistry

ssh = SSHClient(host="server.example.com", user="deploy", key_path="~/.ssh/id_ed25519")
tools = ToolRegistry(ssh, config_path="tools.yaml").load()

graph = InvestigationGraph(
    llm=your_langchain_chat_model,
    tools=tools,
    system_prompt="You are an SRE copilot. Investigate safely and report evidence.",
)

async for event in graph.stream("The API is slow. What should I check?"):
    print(event)

Streaming events

InvestigationGraph.stream() yields dictionaries with these event names:

Event Meaning
token streamed model text
tool_start tool call started with input and step id
tool_end tool call finished with redacted output
error graph or stream error
done investigation complete

Optional FastAPI server

The ops_copilot.server.create_app() helper exposes:

  • POST /investigate
  • POST /investigate/stream

If OPS_COPILOT_API_KEY is set, clients must send X-API-Key.

Security notes

This project executes commands on servers you control. Treat tools.yaml as privileged code.

Recommendations:

  • Use SSH key auth with least-privilege users.
  • Review every command template before exposing it to an LLM.
  • Avoid destructive commands in YAML.
  • Keep parameterized commands narrow.
  • Store no secrets in YAML or prompts.
  • Rely on built-in redaction as a safety net, not as your only control.

Built-in redaction covers env-style secret lines, Bearer tokens, OpenAI-style keys, JWTs, long hex runs, and inline image data URLs.

Documentation and examples

  • docs/security-model.md documents threat boundaries and deployment controls.
  • docs/why-ops-copilot.md explains the project scope and ecosystem need.
  • docs/demo.md shows a local demo that runs without real SSH credentials.
  • docs/writing-tools.md explains YAML and custom Python tools.
  • docs/server.md covers the optional FastAPI/SSE integration.
  • docs/maintenance-workflows.md describes maintainer workflows and review checklists.
  • docs/toolpacks.md documents reviewed example toolpacks.
  • examples/local_demo.py runs without a real SSH host using fake outputs.
  • examples/custom_tool.py shows how to inject a custom RemoteTool class.

Roadmap

  • Command allowlist validation for shell tools.
  • Built-in Docker and systemd tool packs.
  • Persistent investigation sessions.
  • Audit log export.
  • More fake incident fixtures for regression tests.

Development

uv sync --dev
uv run ruff check .
uv run pytest
uv run python scripts/smoke.py

License

MIT

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for benjamin-j from gravatar.com benjamin-j

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT License)
  • Author: Benjamin Jornet
  • Tags incident-response , langgraph , llm , ops , sre , ssh
  • Requires: Python >=3.11
  • Provides-Extra: ollama , openai , server
Classifiers

Release history Release notifications | RSS feed

0.1.10

0.1.9

0.1.8

0.1.7

0.1.6

0.1.5

0.1.4

This version

0.1.3

0.1.2

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ops_copilot-0.1.3.tar.gz (205.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ops_copilot-0.1.3-py3-none-any.whl (15.8 kB view details)

Uploaded Python 3

File details

Details for the file ops_copilot-0.1.3.tar.gz.

File metadata

  • Download URL: ops_copilot-0.1.3.tar.gz
  • Upload date:
  • Size: 205.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ops_copilot-0.1.3.tar.gz
Algorithm Hash digest
SHA256 a19676a3f8506466dde35297827332d9d60ee3a4d5226700531aa63ba4d87354
MD5 6d56f328fec326020a42b9688db45d97
BLAKE2b-256 fc3f84f313ceac0ad8ec74ab37f02d142dc4fba814216bbfbd77d82774e77eba

See more details on using hashes here.

Provenance

The following attestation bundles were made for ops_copilot-0.1.3.tar.gz:

Publisher: publish.yml on BenjaminJornet/ops-copilot

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ops_copilot-0.1.3-py3-none-any.whl.

File metadata

  • Download URL: ops_copilot-0.1.3-py3-none-any.whl
  • Upload date:
  • Size: 15.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ops_copilot-0.1.3-py3-none-any.whl
Algorithm Hash digest
SHA256 9ab2124b8c469bc669dbab53df9c5f938723d34aa31f4ca615e7cb9309ded0ac
MD5 97e2a80dca96320ab8a3c1d98f02e6c4
BLAKE2b-256 e307c7adc27009545b8ce4f994dbd36bd3f0d80879dbb985bebc01879a9b482e

See more details on using hashes here.

Provenance

The following attestation bundles were made for ops_copilot-0.1.3-py3-none-any.whl:

Publisher: publish.yml on BenjaminJornet/ops-copilot

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page