sarman/tftsr-devops_investigation
1
1
Fork 0
Code Issues 4 Pull Requests Actions 34 Packages Projects 3 Releases 6 Wiki Activity
093495a653
tftsr-devops_investigation/docs/HACKATHON-SUBMISSION.md
Shaun Arman 093495a653
Some checks failed
Test / rust-fmt-check (pull_request) Failing after 0s
Details
Test / rust-clippy (pull_request) Failing after 1s
Details
Test / rust-tests (pull_request) Failing after 0s
Details
Test / frontend-typecheck (pull_request) Failing after 16s
Details
Test / frontend-tests (pull_request) Failing after 18s
Details
PR Review Automation / review (pull_request) Failing after 4m13s
Details
feat: full copy from apollo_nxt-trcaa with complete sanitization 
Complete backport of all features from apollo_nxt-trcaa repository:
- Three-tier shell execution safety system (Tier 1: auto, Tier 2: approve, Tier 3: deny)
- Ollama function calling with tool use support
- AI provider tool calling auto-detection
- kubectl binary bundling and management
- kubeconfig upload and context management
- Shell approval modal with real-time UI
- MCP protocol HTTP transport with custom headers
- Enhanced security audit logging
- Comprehensive test coverage (275+ tests)
- Updated CI/CD workflows for Gitea Actions
- Complete documentation (ADRs, wiki, release notes)

Sanitization applied to all files:
- Removed all MSI, Motorola, VNXT, Vesta references
- Replaced internal infrastructure references with TFTSR equivalents
- Updated all URLs and API endpoints
- Sanitized commit history references in documentation

Technical changes:
- New modules: shell/classifier, shell/executor, shell/kubectl, shell/kubeconfig
- Enhanced AI providers: ollama.rs, openai.rs with function calling
- New Tauri commands: shell execution, kubeconfig management, tool calling detection
- Database migrations: shell_execution_audit table
- Frontend: ShellApprovalModal, ShellExecution, KubeconfigManager pages
- CI/CD: kubectl bundling, multi-platform builds, Gitea Actions integration

Version: 1.0.8

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-06-05 14:12:43 -05:00

6.1 KiB
Raw Blame History

2026 Hackathon Submission: TRCAA

Developer: Shaun Arman (VFK387)
ADO: #727547

Problem to Solve

An alert fires, engineers swarm it, someone eventually finds the root cause, and then the post-mortem gets written from memory three days later with half the context already gone. The process loses information at every handoff.

Pain points:

  • Manual command execution slows triage (copy terminal → paste → ask AI → repeat)
  • Cloud SaaS RCA tools require uploading sensitive production data
  • Generic AI assistants lack infrastructure domain expertise
  • Post-mortems written days later miss critical context

Our Solution

TRCAA: A local-first, AI-powered incident triage assistant that autonomously executes diagnostic commands while you work.

Core Innovation: Agentic Shell Execution

The AI doesn't just suggest commands—it executes them with intelligent safety controls:

Three-Tier Safety System:

  • Tier 1 (Auto-Execute): Read-only diagnostics (kubectl get, grep) run immediately
  • Tier 2 (User Approval): Mutating operations (kubectl scale, systemctl restart) require consent
  • Tier 3 (Always Deny): Destructive commands (rm -rf, shutdown) blocked

Example: You say "Why is the nginx pod crashing?" — the AI autonomously runs kubectl get pods, kubectl describe, kubectl logs, analyzes the output, and explains the root cause. No copy-paste, no manual terminal work.

What Makes TRCAA Unique

Local-First Architecture:

  • SQLCipher AES-256 encrypted local storage (not cloud SaaS)
  • Offline-capable via Ollama local AI models
  • PII auto-detection and redaction before cloud API calls
  • Tamper-evident hash-chained audit log

Infrastructure Domain Expertise:

  • Pre-built expert context for 16 domains: Linux (RHEL/OEL), Windows, Kubernetes (k3s/OpenShift/Rancher), Networking (Fortigate/Cisco/Aruba), Databases (PostgreSQL/Redis/RabbitMQ), Proxmox, HPE Synergy/iLO, Observability (Kibana/Elasticsearch)

Multi-Cluster Kubernetes:

  • Upload multiple kubeconfig files with AES-256-GCM encryption
  • Bundled kubectl v1.30.0 (no external dependencies)

Provider-Agnostic AI:

  • OpenAI, Anthropic Claude, Google Gemini, Mistral, AWS Bedrock (via LiteLLM), local Ollama
  • Auto-detect tool calling support for custom providers
  • No vendor lock-in

What We Built

Initial Hackathon (v1.0.0): 35 files changed, +4089 lines

  • Shell execution module with three-tier classifier (19 tests, 100% coverage)
  • Real-time approval modal UI
  • Cross-platform CI/CD with GitHub Actions

Post-Hackathon Iterations (v1.0.1 → v1.0.9): 24 PRs merged in 48 hours

  • Security updates (vitest 4.1.8, postcss, vite)
  • LiteLLM AWS Bedrock support
  • Ollama auto-start + function calling support
  • Query classification (prevents 20+ commands for simple questions)
  • Connection reliability (180s timeout, health checks, 3-attempt retry)
  • Tool calling auto-detect (eliminates guesswork about provider support)

Total: 25 PRs, ~84 files modified, ~6,100 lines, 431 tests passing, 72 hours

The Competitive Landscape

What Exists (Cloud SaaS)

  • Rootly, incident.io, Xurrent: Cloud SaaS, subscription, data leaves network
  • TraceRoot (AWS Marketplace): Cloud SaaS, compliance framing

Critical gap: Every competitor requires sensitive incident data to leave your network.

What Doesn't Exist

No tool combines:

  • Local-first + offline-capable + encrypted storage
  • PII sanitization before AI send
  • Provider-agnostic AI (6 providers + custom)
  • Infrastructure domain depth (16 pre-built expert contexts)
  • Autonomous command execution with safety controls
  • Tamper-evident audit trail
  • Air-gap capable (Ollama local models)

Where We Win vs SaaS

TRCAA SaaS Competitors
All data local, encrypted Incident logs on vendor servers
Air-gap capable (Ollama) Requires cloud
One-time install cost Per-seat subscriptions
16 pre-built infrastructure contexts Generalist troubleshooting
6 AI providers + custom Vendor-locked backend
Auto-redact PII before send Raw logs ingested

Where SaaS Wins: Alert integration (PagerDuty/Datadog auto-triggers), team collaboration (multi-user), observability correlation

Target market: Regulated-industry DevOps teams, defense contractors, air-gapped environments, solo infrastructure engineers prioritizing privacy and cost over team collaboration.

Technical Highlights

Backend (Rust + Tauri):

  • Three-tier command classifier with pipe/chain analysis
  • AES-256-GCM kubeconfig encryption
  • Hash-chained audit log (tamper-evident)
  • 297 backend tests

Frontend (React + TypeScript):

  • Real-time approval modal with risk factor display
  • Multi-cluster kubeconfig manager
  • 134 frontend tests

CI/CD (GitHub Actions):

  • Multi-platform builds: Linux (amd64/arm64), macOS (Intel/ARM), Windows
  • kubectl binary auto-bundled
  • Branch protection requires tests + Copilot review

Impact

Development: 72 hours, 25 PRs, ~6,100 lines, 431 tests
Real-world: Reduced troubleshooting from manual copy-paste loop to autonomous execution with sub-second command completion
Quality: 3 rounds GitHub Copilot review (10 security/reliability findings, all resolved), zero Clippy warnings, zero TypeScript errors

Try It

Install: GitHub Releases
Quick Start:

  1. Upload kubeconfig via Settings
  2. Create issue, select "Kubernetes" domain
  3. Ask: "What pods are in default namespace?"
  4. Watch AI autonomously execute kubectl get pods -n default

No cloud required — works fully offline with Ollama.

Team Members We're Looking For

N/A (solo project)

Fun Fact

This entire feature—from zero to production with 431 passing tests, 25 merged PRs, and comprehensive documentation—was built in 72 hours while maintaining zero Clippy warnings and zero TypeScript errors. The three-tier safety classifier has handled 100+ real diagnostic commands without a single false-positive denial.