Veeam Backup & Replication AI-powered backup operations with a built-in governance harness (audit, budget, undo, risk tiers)
Project description
Veeam AIops
Disclaimer: Community-maintained open-source project. Not affiliated with, endorsed by, or sponsored by Veeam Software. "Veeam" is a trademark of its owner. MIT licensed.
AI-powered Veeam Backup & Replication operations with a built-in governance
harness — unified audit log, policy engine, token/runaway budget guard,
undo-token recording, and graduated-autonomy risk tiers. Self-contained: no
external dependencies beyond httpx and the MCP SDK. Coverage is not yet full
coverage of every Veeam operation.
Verification status: the test suite is mock-based; this package has not yet been validated against a live Veeam B&R server. See docs/VERIFICATION.md.
What works
- CLI (
veeam-aiops ...):init,overview,job list/get/start/stop/retry/enable/disable,restore list-points/start,repository list/get/state,session list/get/log/stop,backup list/objects,diagnose job-failures/repo-capacity,infra servers/proxies,secret set/list/rm/migrate/rotate-password,doctor,mcp. - MCP server (
veeam-aiops mcporveeam-aiops-mcp): 25 tools (17 read, 8 write), every one wrapped with the bundled@governed_toolharness. - Diagnostics / RCA (read-only):
diagnose job-failurestriages recent job sessions — flags every Failed/Warning run and categorizes the likely cause (repository full, source/guest unreachable, credential/VSS failure, retry exhaustion), citing the session result + matched error substring;diagnose repo-capacityflags repositories under the free-space thresholds (<15% warn, <10% critical). Both cite the measured number that tripped each finding, worst-first. - Encrypted credentials: passwords live in an encrypted store
~/.veeam-aiops/secrets.enc(Fernet + scrypt) — never plaintext on disk. Unlock with a master password fromVEEAM_AIOPS_MASTER_PASSWORD(MCP/CI) or an interactive prompt (CLI). - Reversibility: write ops with a clean inverse (job start/stop/retry, enable/disable) record an inverse undo descriptor; the irreversible VM restore declares none and is tagged
highrisk. - Async sessions: Veeam jobs and restores run as sessions — poll progress with
session list/session get/session log(the runaway budget guard prevents poll loops from running away).
Security: read-only mode
This tool is meant to be handed to an AI agent, so its safety story is enforced by the server rather than requested in a prompt:
export VEEAM_READ_ONLY=1
With that set, the 8 write tools are never registered. An MCP client lists 17 tools instead of 25 — the writes are not hidden, not gated behind a flag, and not merely refused when called. They are absent from the session. A model cannot invoke a tool it was never offered, and cannot be argued into one.
That distinction is the whole point. A tool that exists but refuses still invites retry loops and "I'll describe the call instead" behaviour from smaller models, and it leaves a reviewer trusting a promise. An absent tool is a fact you can check: connect, list the tools, and see that the writes are not there.
Enforcement is two layers deep, so the switch cannot be sidestepped by changing entry point:
| Layer | What it does | Covers |
|---|---|---|
@governed_tool harness |
refuses every non-read operation outright | MCP, CLI, and in-process callers |
| MCP registration | write tools are removed from list_tools() |
anything speaking MCP |
Read operations are unaffected, and every call is still audited to
~/.veeam-aiops/audit.db.
The read/write split is derived from each tool's declared
risk_level, and a test asserts that this never disagrees with the[READ]/[WRITE]tag in the tool's own documentation — so a write can't quietly present itself as a read.
Running a smaller / local model? See agent-guardrails.md — it lists the guardrails this tool now enforces for you (so you don't spend prompt budget restating them) and gives a ready-made system prompt for what's left.
Quick start
uv tool install veeam-aiops
veeam-aiops init # interactive wizard: connection details + encrypted password
veeam-aiops doctor # verify config, encrypted store, connectivity
init writes ~/.veeam-aiops/config.yaml (non-secret connection details) and
stores the login password encrypted in ~/.veeam-aiops/secrets.enc. Example
config it produces:
targets:
- name: vbr-lab
host: 10.0.0.20
username: "DOMAIN\\backup-admin"
port: 9419
verify_ssl: false # self-signed lab certs only
For non-interactive use (MCP server, CI, cron) export the master password so the store can be unlocked without a prompt:
export VEEAM_AIOPS_MASTER_PASSWORD='your-master-password'
Managing secrets
veeam-aiops secret set vbr-lab # prompts hidden for the password
veeam-aiops secret list # names only, values never shown
veeam-aiops secret rm vbr-lab
veeam-aiops secret rotate-password # re-encrypt under a new master password
veeam-aiops secret migrate # import a legacy plaintext .env, then deletes it
Migrating from an old ~/.veeam-aiops/.env (legacy VEEAM_<TARGET>_PASSWORD
vars)? Run veeam-aiops secret migrate; the old .env is renamed to
.env.migrated. The plaintext env var is still honoured as a fallback (with a
deprecation warning) for a smooth transition.
Audit & safety
All operations are logged to a local SQLite audit DB under ~/.veeam-aiops/
(relocatable via VEEAM_AIOPS_HOME). Every write tool passes through the
governance harness: policy pre-check, token/runaway budget guard, graduated
risk-tier gate, and audit logging. Destructive CLI commands (job stop,
restore start) require double confirmation and support --dry-run.
API-returned text is run through a prompt-injection sanitizer.
Contributing & feature requests
Coverage is intentionally focused. Missing a device, action, or feature you need? Open an issue or pull request at github.com/AIops-tools/Veeam-AIops — feature requests, contributions, and comments are all welcome.
License: MIT.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file veeam_aiops-0.5.0.tar.gz.
File metadata
- Download URL: veeam_aiops-0.5.0.tar.gz
- Upload date:
- Size: 129.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e3b11fb30c29073a4960dc9532e32c25ac3c97e413e3e5e0610ca94519a517d1
|
|
| MD5 |
9507926ae1e639829152bb8d0c0eb55c
|
|
| BLAKE2b-256 |
d35bff9d8788da6a5c9311d8480586d403728d046b9299111ac0600007617511
|
Provenance
The following attestation bundles were made for veeam_aiops-0.5.0.tar.gz:
Publisher:
publish.yml on AIops-tools/Veeam-AIops
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
veeam_aiops-0.5.0.tar.gz -
Subject digest:
e3b11fb30c29073a4960dc9532e32c25ac3c97e413e3e5e0610ca94519a517d1 - Sigstore transparency entry: 2198436256
- Sigstore integration time:
-
Permalink:
AIops-tools/Veeam-AIops@e1637d24c9a46a17f41ed724389e3032ae7b409e -
Branch / Tag:
refs/heads/main - Owner: https://github.com/AIops-tools
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@e1637d24c9a46a17f41ed724389e3032ae7b409e -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file veeam_aiops-0.5.0-py3-none-any.whl.
File metadata
- Download URL: veeam_aiops-0.5.0-py3-none-any.whl
- Upload date:
- Size: 87.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4a8c80d2dbccaa149e4b3a99d39751547054cc84ae108aa636c7f166f402c6ab
|
|
| MD5 |
4d00bc6c2bd1725429ac42825790bbf5
|
|
| BLAKE2b-256 |
80c69afcf2a2b616cc64d9d9bb022e4b809f2de084c331996e9645809c6cd380
|
Provenance
The following attestation bundles were made for veeam_aiops-0.5.0-py3-none-any.whl:
Publisher:
publish.yml on AIops-tools/Veeam-AIops
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
veeam_aiops-0.5.0-py3-none-any.whl -
Subject digest:
4a8c80d2dbccaa149e4b3a99d39751547054cc84ae108aa636c7f166f402c6ab - Sigstore transparency entry: 2198436715
- Sigstore integration time:
-
Permalink:
AIops-tools/Veeam-AIops@e1637d24c9a46a17f41ed724389e3032ae7b409e -
Branch / Tag:
refs/heads/main - Owner: https://github.com/AIops-tools
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@e1637d24c9a46a17f41ed724389e3032ae7b409e -
Trigger Event:
workflow_dispatch
-
Statement type: