Community-maintained open-source project. Not affiliated with, endorsed by, or sponsored by any endpoint-management vendor. Product and trademark names belong to their owners. Source is publicly auditable under the MIT license.
Report privately via a GitHub Security Advisory on github.com/AIops-tools/Endpoint-AIops or email zhouwei008@gmail.com. Please do not open public issues for security reports.
- Per-target Endpoint API keys live encrypted in
~/.endpoint-aiops/secrets.enc(Fernet/AES-128 + scrypt-derived key; chmod 600), never inconfig.yamland never in source. The master password is never stored — only a per-store random salt and the ciphertext are on disk. - A legacy plaintext env var
ENDPOINT_<TARGET_NAME_UPPER>_APIKEYis still honoured as a fallback with a deprecation warning (migrate withendpoint-aiops secret migrate). - The API key is sent as an
Authorization: Bearerheader at request time and held only in memory. Keys are never logged or echoed; the config file holds only host, port, api_path, and TLS settings.
Every MCP tool runs through the bundled @governed_tool harness
(endpoint_aiops.governance):
- Audit — every call logged to a local SQLite DB under
~/.endpoint-aiops/(relocatable viaENDPOINT_AIOPS_HOME), agent-attributed, secret-redacted. - Token/runaway budget — hard ceilings (
ENDPOINT_MAX_TOOL_CALLS/ENDPOINT_MAX_TOOL_SECONDS) plus an on-by-default guard that trips a tight poll/retry loop, preventing unbounded API consumption (e.g. polling a slow session). - Graduated risk tiers —
~/.endpoint-aiops/rules.yamlrisk_tiersgate writes by environment/tag; the highest tiers require a recorded approver. - Undo-token recording —
endpoint_assign_profilecaptures the prior profile and records an inverse "reassign the prior profile" descriptor so the change can be rolled back.
endpoint assign-profile and endpoint reboot require double confirmation at
the CLI layer and support --dry-run. endpoint_assign_profile is
risk_level=high and reversible (captures the prior profile, records an undo
descriptor); endpoint_reboot is risk_level=medium and has no safe inverse
(captures the before-state for the audit record, records no undo token).
verify_ssl defaults to true; disable only for self-signed lab certificates.
All server-returned text (hostnames, usernames, profile ids, session fields) is
passed through a sanitize() truncate + control-character strip before reaching
the agent.
No webhooks, no telemetry, no outbound calls beyond the configured endpoint-management REST API endpoint. No post-install scripts or background services.
uvx bandit -r endpoint_aiops/ mcp_server/
uv run ruff check .The latest released version receives security fixes. This is a preview (0.x); pin a version in production.