Releases: AIops-tools/Container-Host-AIops
Release list
v0.4.0
Release notes — container-host-aiops 0.4.0
Previous release: 0.3.0.
Headline: read-only mode
export CONTAINER_HOST_READ_ONLY=1With this set the 9 write tools are never registered — an MCP
client lists 29 tools instead of 38. The writes are not hidden
behind a flag and not merely refused on call: they are absent from the session,
so a model cannot invoke one and cannot be argued into one. For a reviewer this
is checkable rather than promised — connect, list the tools, and the writes are
not there.
Enforcement is two layers deep: the @governed_tool harness refuses every
non-read operation (covering the CLI and in-process callers too), and the MCP
server removes write tools from list_tools(). Changing entry point does not
get around it.
BREAKING — return shapes changed
This release changes payloads that callers may be parsing. Both changes exist
to stop a result from misrepresenting itself:
- Absent fields are now
null, not"". A missing value and an empty value
were previously indistinguishable, which invited consumers to invent the
difference. Keys are still always present — only the value may be null. - Anything with a
limitnow returns an envelope —
{"<items>": [...], "returned": N, "limit": L, "truncated": bool}. Truncation is
measured (one extra row is fetched), never inferred from the page happening to
be full. Where a genuine pre-cap total is knowable it is reported astotal;
where it isn't,totalis deliberately omitted rather than echoingreturned.
Also in this release
docs/VERIFICATION.md— what the mock suite actually guarantees, a live
verification checklist, and the criteria for claiming this tool verified.skills/container-host-aiops/references/agent-guardrails.md— for driving this tool with a
smaller / local model: which guardrails are now enforced for you, and a
ready-made system prompt for the rest.- Expanded operator playbooks in the skill documentation.
- The advertised tool count now matches what an MCP client actually lists
(it includesundo_list/undo_apply), and a release gate keeps it honest. - The
(preview)label has been dropped. It never meant unreleased; verification
status now lives indocs/VERIFICATION.mdwhere it can be specific.
v0.3.0
v0.2.1
v0.2.0
Security-hardening release from a line-wide code review. Highlights: secure-by-default approver gate for high/critical operations (init seeds a starter rules.yaml), percent-encoded URL path segments, single-sourced version, governance persistence + CLI write-path tests. See CHANGELOG.md for the full list. BREAKING: fresh installs with no rules.yaml now deny high/critical writes until an approver is recorded.
Container-Host-AIops v0.1.1
Patch: config.yaml now honors the *_AIOPS_HOME env var; CLI writes are now audited + undo-recorded through the governance path (previously MCP-only). See CHANGELOG.
container-host-aiops v0.1.0 — preview
Container Host AIops v0.1.0 — preview
Governed AI-ops for non-orchestrator container hosts across the Docker
Engine API (unix socket or TCP) and Portainer (its management API, which
also proxies Docker) for AI agents, with a built-in governance harness (audit,
policy, token/runaway budget, undo-token recording, graduated risk tiers) and an
encrypted credential store. Standalone — no external skill-family dependency. One
config can span many hosts; a per-target platform field selects the API shape.
Preview / mock-only. All behaviour is validated against mocked Docker /
Portainer responses; it has not been run against a live daemon or server. The
fastest live check iscontainer-host-aiops doctor.
Highlights
- 34 MCP tools (26 read, 8 write), every one wrapped with
@governed_tool.- Overview —
overview(host version + container state rollup + disk). - Containers —
list_containers,inspect_container,container_logs,
container_stats,container_top,container_restart_summary. - Images —
list_images,inspect_image,dangling_images,
image_disk_usage. - Volumes / Networks —
list_volumes,inspect_volume,dangling_volumes;
list_networks,inspect_network. - System —
system_info,system_version,system_df,system_events. - Stacks (Portainer) —
list_endpoints,list_stacks,stack_detail. - Writes —
restart_container,stop_container/start_container,
update_container,remove_container,prune_images/prune_volumes,
recreate_stack.
- Overview —
- Three flagship analyses —
restart_loop_rca(crash-looping containers +
cause/action from exit code + log tail),resource_pressure_analysis(CPU/memory
vs limits + recommendation),image_and_volume_bloat(prune candidates +
reclaimable bytes). Each accepts injected data for offline analysis or pulls live. - Connection layer — Docker over a unix socket (
httpx.HTTPTransport(uds=...))
or a TCP host; Portainer over HTTPS with anX-API-Keytoken that proxies the
Docker API of a managed endpoint. A local Docker socket needs no secret. - Encrypted secret store (
~/.container-host-aiops/secrets.enc, Fernet + scrypt)
— the Portainer API token, never plaintext on disk; legacy
CONTAINER_HOST_<TARGET>_TOKENenv fallback. - Guarded writes — destructive ops (
remove_container,prune_images,
prune_volumes,recreate_stack) require dry-run + double-confirm; prune
previews list what would be removed + reclaimable bytes first. Reversible writes
capture before-state and record an inverse undo descriptor. - CLI with an
initplatform-picking wizard,secretmanagement, and a
platform-awaredoctor.
Install
uv tool install container-host-aiops
container-host-aiops init # pick platform (docker/portainer) + connect
container-host-aiops doctorCaveats
- Preview / mock-only: the Docker Engine + Portainer API responses are mocked and
need live verification. - Single-host focus by design: cluster orchestrators, hypervisors, storage
appliances, and backup products are out of scope (separate AIops-tools).