runlore

module
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 26, 2026 License: Apache-2.0

README ΒΆ

RunLore

RunLore

An open-source SRE agent that investigates incidents β€” and remembers what it learns.

CI Go Report Card Go Version Status


RunLore is an open-source SRE agent that investigates any incident β€” what changed? what's wrong? β€” and posts a confidence-scored root cause to chat (Slack, Matrix…). It is read-only by default: it reads your cluster, metrics, logs, and network flows β€” its only writes go to Git, via reviewed PRs.

What sets it apart: it learns your platform. Every investigation opens a PR in a Git repo you own; a human merges it, building a knowledge base of your incidents and context. The same pattern next time gets an instant answer β€” no fresh investigation.

Learns your platform Β· single Go binary Β· runs in your cluster Β· on your models.

Note: RunLore is read-only by default β€” it never mutates your cluster. An autonomy ladder (suggest β†’ approve β†’ auto) is on the roadmap for teams that want to go further.

Who it's for β€” teams on GitOps (Flux/Argo CD) who want their incident knowledge portable and self-hosted (no lock-in, your models, your data), and would rather an agent say "I don't know" than guess.

See it in action

A real RunLore investigation delivered to Slack: confidence-scored root cause, the evidence trail, suggested next steps, open questions for a human, and a link to the pull request it opened in your knowledge base.

How it works

flowchart LR
    A["Incident<br/>any alert Β· event"] -->|"trigger policy<br/>(prod Β· critical Β· ns…)"| B
    subgraph B["πŸ”Ž Investigate"]
      direction TB
      W["what changed?<br/>deploys Β· infra Β· certs Β· scaling<br/>(GitOps β†’ exact Git diff)"]
      C["what's wrong?<br/>saturation Β· network Β· nodes Β· deps"]
    end
    B --> R["🎯 Root cause<br/>+ confidence + evidence"]
    R --> D["πŸ’¬ Slack / Matrix<br/>findings + suggested fix"]
    R -. learn .-> K[("πŸ“š GitHub PR<br/>draft entry in your KB")]
    K -. instant recall .-> B
  1. Alert fires β€” Alertmanager or a GitOps failure event triggers RunLore via webhook.
  2. RunLore investigates β€” it reads your cluster, metrics, logs, and network flows.
  3. Findings land in Slack β€” ranked root causes with confidence, the evidence trail, and suggested next steps.
  4. A PR opens in your KB repo β€” RunLore drafts what it found as a knowledge-base entry.
  5. A human reviews and merges β€” after adding resolution context, the PR is merged. That entry is indexed: the same incident next time gets an instant answer, no re-investigation.

πŸ“ Detailed architecture: docs/architecture/runlore-architecture.md β€” the full component diagram (the flow above is the summary).

πŸ“š The learning loop

flowchart LR
    R["πŸ”Ž Retrieve<br/>recall a past answer"] --> C["πŸ§ͺ Capture<br/>record what happened"]
    C --> U["πŸ“ Curate<br/>write the entry (PR)"]
    U --> P["♻️ Compound<br/>merged note re-indexed"]
    P --> R
    classDef s fill:#eef,stroke:#557,stroke-width:1px,color:#113;
    class R,C,U,P s;

The autonomous alert β†’ RCA β†’ Slack loop is a commodity. What isn't: a knowledge base that compounds in a catalog you own. Every merged PR becomes a searchable entry β€” plain markdown in a Git repo you control, PR-reviewed, with full provenance. Knowledge that consistently resolves incidents gains trust; knowledge that keeps failing decays.

β†’ How the learning loop works Β· Reviewing & approving knowledge

πŸš€ Getting started

RunLore runs in your Kubernetes cluster as a single Go binary, deployed via Helm. RunLore is a single binary deployed via Helm. Before installing, you need:

  • Data sources β€” a cluster running Flux or Argo CD; optionally Prometheus/VictoriaMetrics, VictoriaLogs, Hubble for richer signals
  • An LLM β€” any OpenAI-compatible endpoint, Anthropic, or Gemini (in-cluster or external)
  • A knowledge-base repo β€” a private GitHub repo + a scoped GitHub App; this is where RunLore commits what it learns
  • A notification destination β€” a Slack webhook, Matrix, or both

Wire your credentials into a Kubernetes Secret, point the chart at them via a values.yaml (GitOps engine, LLM endpoint, KB repo, notification), and install:

helm install runlore deploy/helm/runlore -n runlore --create-namespace -f values.yaml

Then route your Alertmanager alerts to http://runlore.runlore.svc:8080/webhook/alertmanager β€” RunLore starts investigating immediately.

β†’ Full getting-started guide β€” KB repo setup, GitHub App, credentials, complete values.yaml reference, data sources, and verification steps.


Prefer to try it without a cluster first?

# fire mocked Alertmanager alerts through the trigger policy (no cluster)
hack/demo.sh

# verify every feature end-to-end on a throwaway k3d cluster
hack/e2e-k3d.sh

Why RunLore

What it is What RunLore adds
k8sgpt A detector β€” analyzers + LLM explanation An investigation loop, cross-signal correlation, real Git diffs, and learning
HolmesGPT The strongest OSS investigation agent Relies on your hand-curated runbooks (it doesn't learn); RunLore is what-changed-first and self-improving
kagent A generic in-cluster agent framework A focused, opinionated SRE agent (RunLore can run on kagent later)

RunLore is GitOps-engine-agnostic (Flux + Argo CD), metrics-backend-agnostic (VictoriaMetrics + Prometheus), with pluggable logs and CNI-agnostic network signals. Change-aware RCA isn't unique β€” commercial tools (Komodor, Anyshift) diff changes too (prior art) β€” so the wedge is the combination the open tools don't have: that signal feeding an open, portable catalog you own (OKF-compatible markdown, not a proprietary store), from an agent that's honest about the sub-50% reality β€” unresolved is a first-class answer, an adversarial verify pass can only ever lower a finding's confidence, and every claim is checked by a shipped eval harness.

Project status & stability

RunLore is pre-1.0 and under active development β€” interfaces and config may shift between commits. It's usable today, but "stable" means different things across the surface:

  • The supported golden path is eval-tested and stable. That's Flux + VictoriaMetrics / Prometheus + an Anthropic or OpenAI-compatible model + Slack + GitHub for the knowledge base. This is the path the nightly eval and the k3d e2e suite exercise β€” run it with confidence.
  • Functional but less exercised: Argo CD, Matrix, Gemini, cloud integrations, and the network (Hubble) provider. They work and are tested, but see less real-world mileage β€” expect rougher edges and please file issues.
  • The auto autonomy rung is experimental, frozen, and not recommended on real clusters. The supported posture is read-only β†’ suggest β†’ approve: RunLore reads and recommends, a human reviews and merges. Hands-off auto remains on the roadmap, off by default, and should not be pointed at production.

If you stay on the golden path with a human in the approval loop, you're on the surface we test hardest.

Docs

πŸ“ Design Β· πŸ“š Learning loop Β· βœ… Reviewing knowledge Β· πŸš€ Getting started Β· πŸ”Œ Data sources Β· πŸ“Š Observability Β· 🧭 Prior art Β· πŸ›  Contributing

License

Apache-2.0.

Directories ΒΆ

Path Synopsis
cmd
lore command
Command lore is the RunLore CLI and in-cluster agent entrypoint.
Command lore is the RunLore CLI and in-cluster agent entrypoint.
internal
action
Package action gates proposed remediations against the autonomy-ladder policy (config.actions: off | suggest | approve | auto).
Package action gates proposed remediations against the autonomy-ladder policy (config.actions: off | suggest | approve | auto).
app
Package app holds the dependency-injection builders and config predicates that assemble the RunLore agent.
Package app holds the dependency-injection builders and config predicates that assemble the RunLore agent.
audit
Package audit provides an append-only, tamper-evident record of every action the agent attempts β€” the accountability backbone for the autonomy ladder.
Package audit provides an append-only, tamper-evident record of every action the agent attempts β€” the accountability backbone for the autonomy ladder.
catalog
Package catalog loads and searches an OKF knowledge catalog (a directory of markdown files with YAML frontmatter) β€” the read half of RunLore's Learn pillar.
Package catalog loads and searches an OKF knowledge catalog (a directory of markdown files with YAML frontmatter) β€” the read half of RunLore's Learn pillar.
coalesce
Package coalesce folds correlated Alertmanager incidents into a single investigation, suppressing the redundant per-alert investigations a storm would otherwise spawn.
Package coalesce folds correlated Alertmanager incidents into a single investigation, suppressing the redundant per-alert investigations a storm would otherwise spawn.
config
Package config defines RunLore's configuration, including provider wiring and the trigger policy that decides which incidents start an investigation.
Package config defines RunLore's configuration, including provider wiring and the trigger policy that decides which incidents start an investigation.
curate
Package curate is the Phase-2 grooming agent: it dedups the KB backlog, gates the decision-ready queue on incident resolution, surfaces recurring blind spots as knowledge-gap issues, and drives lifecycle/decay.
Package curate is the Phase-2 grooming agent: it dedups the KB backlog, gates the decision-ready queue on incident resolution, surfaces recurring blind spots as knowledge-gap issues, and drives lifecycle/decay.
curator
Package curator is the file-time learning gate: it dedups a finding against the catalog and open PRs, gates on quality, and drafts a merge-ready PR for novel, quality findings.
Package curator is the file-time learning gate: it dedups a finding against the catalog and open PRs, gates on quality, and drafts a merge-ready PR for novel, quality findings.
embed
Package embed provides an OpenAI-compatible embeddings client and the similarity + fusion primitives for hybrid (BM25 + vector) catalog retrieval.
Package embed provides an OpenAI-compatible embeddings client and the similarity + fusion primitives for hybrid (BM25 + vector) catalog retrieval.
eval
Package eval replays recorded incident cases through the investigation loop and scores whether the agent identifies the root cause β€” a reproducible RCA benchmark (cf.
Package eval replays recorded incident cases through the investigation loop and scores whether the agent identifies the root cause β€” a reproducible RCA benchmark (cf.
executor/flux
Package flux executes safe, reversible Flux operations (suspend / resume / reconcile) on the cluster β€” the executable half of the autonomy ladder.
Package flux executes safe, reversible Flux operations (suspend / resume / reconcile) on the cluster β€” the executable half of the autonomy ladder.
forge/github
Package github is RunLore's GitHub forge client (curation + re-investigation) over the GitHub REST API, authenticated with short-lived GitHub App installation tokens.
Package github is RunLore's GitHub forge client (curation + re-investigation) over the GitHub REST API, authenticated with short-lived GitHub App installation tokens.
httpx
Package httpx provides small HTTP helpers shared across providers.
Package httpx provides small HTTP helpers shared across providers.
investigate
Package investigate routes triggers (incident alerts, GitOps failures) into a single async investigation queue.
Package investigate routes triggers (incident alerts, GitOps failures) into a single async investigation queue.
kbvalidate
Package kbvalidate provides deterministic structural validation of OKF knowledge-base entries (the merge gate) and an LLM-assisted semantic advisory.
Package kbvalidate provides deterministic structural validation of OKF knowledge-base entries (the merge gate) and an LLM-assisted semantic advisory.
logging
Package logging builds RunLore's slog logger with a configurable output format (human-readable text or structured JSON) and verbosity level.
Package logging builds RunLore's slog logger with a configurable output format (human-readable text or structured JSON) and verbosity level.
logs/victorialogs
Package victorialogs implements providers.LogsProvider against VictoriaLogs, querying with LogsQL and normalizing the NDJSON response into log lines.
Package victorialogs implements providers.LogsProvider against VictoriaLogs, querying with LogsQL and normalizing the NDJSON response into log lines.
mcp
Package mcp is a minimal Model Context Protocol server over the stdio transport (newline-delimited JSON-RPC 2.0) β€” enough to expose RunLore tools to MCP clients such as HolmesGPT, kagent, or Claude Desktop.
Package mcp is a minimal Model Context Protocol server over the stdio transport (newline-delimited JSON-RPC 2.0) β€” enough to expose RunLore tools to MCP clients such as HolmesGPT, kagent, or Claude Desktop.
metrics/prometheus
Package prometheus implements providers.MetricsProvider against the Prometheus HTTP API β€” also spoken by VictoriaMetrics β€” for instant and range PromQL queries.
Package prometheus implements providers.MetricsProvider against the Prometheus HTTP API β€” also spoken by VictoriaMetrics β€” for instant and range PromQL queries.
model/anthropic
Package anthropic implements providers.ModelProvider against the Anthropic Messages API (native tool use).
Package anthropic implements providers.ModelProvider against the Anthropic Messages API (native tool use).
model/gemini
Package gemini implements providers.ModelProvider against the Gemini API (generateContent with native function calling).
Package gemini implements providers.ModelProvider against the Gemini API (generateContent with native function calling).
model/openai
Package openai implements providers.ModelProvider against an OpenAI-compatible /chat/completions endpoint (OpenAI, in-cluster vLLM, Ollama, OpenRouter).
Package openai implements providers.ModelProvider against an OpenAI-compatible /chat/completions endpoint (OpenAI, in-cluster vLLM, Ollama, OpenRouter).
network/awsvpc
Package awsvpc implements providers.NetworkProvider against AWS VPC Flow Logs delivered to a CloudWatch Logs group, surfacing REJECT (denied) flows for an investigation.
Package awsvpc implements providers.NetworkProvider against AWS VPC Flow Logs delivered to a CloudWatch Logs group, surfacing REJECT (denied) flows for an investigation.
network/gcpfirewall
Package gcpfirewall implements providers.NetworkProvider against GCP Firewall Rules Logging, surfacing DENIED connections for an investigation.
Package gcpfirewall implements providers.NetworkProvider against GCP Firewall Rules Logging, surfacing DENIED connections for an investigation.
network/hubble
Package hubble implements providers.NetworkProvider against Cilium Hubble Relay (the observer gRPC API), surfacing dropped flows for an investigation.
Package hubble implements providers.NetworkProvider against Cilium Hubble Relay (the observer gRPC API), surfacing dropped flows for an investigation.
notify
Package notify delivers completed investigations to chat (Slack, Matrix).
Package notify delivers completed investigations to chat (Slack, Matrix).
outcome
Package outcome records, in an append-only JSONL ledger, whether an investigated incident later resolved and which answer was used for it β€” the "did it actually work?" signal the learning loop reads.
Package outcome records, in an append-only JSONL ledger, whether an investigated incident later resolved and which answer was used for it β€” the "did it actually work?" signal the learning loop reads.
providers
Package providers defines the pluggable backend contracts RunLore is built on.
Package providers defines the pluggable backend contracts RunLore is built on.
providers/cloud/aws
Package aws implements providers.CloudProvider against AWS using aws-sdk-go-v2 and in-cluster identity (EKS Pod Identity / IRSA, resolved by the SDK's default credential chain).
Package aws implements providers.CloudProvider against AWS using aws-sdk-go-v2 and in-cluster identity (EKS Pod Identity / IRSA, resolved by the SDK's default credential chain).
providers/cluster
Package cluster reads Kubernetes pod logs for investigation (read-only) via the client-go CoreV1 GetLogs API.
Package cluster reads Kubernetes pod logs for investigation (read-only) via the client-go CoreV1 GetLogs API.
providers/gitops/argocd
Package argocd implements providers.GitOpsProvider for Argo CD: it reads Argo CD Applications from the cluster and emits engine-agnostic Changes (diffable via whatchanged.Differ) and failure events β€” the same contract as the flux package.
Package argocd implements providers.GitOpsProvider for Argo CD: it reads Argo CD Applications from the cluster and emits engine-agnostic Changes (diffable via whatchanged.Differ) and failure events β€” the same contract as the flux package.
providers/gitops/flux
Package flux implements providers.GitOpsProvider for Flux: it reads Flux Kustomizations and their GitRepository sources from the cluster and emits engine-agnostic Changes, each diffable through whatchanged.Differ.
Package flux implements providers.GitOpsProvider for Flux: it reads Flux Kustomizations and their GitRepository sources from the cluster and emits engine-agnostic Changes, each diffable through whatchanged.Differ.
ratelimit
Package ratelimit provides a sliding-window start limiter β€” the windowed timestamp pattern from internal/action/auto.go:reserve(), reusable.
Package ratelimit provides a sliding-window start limiter β€” the windowed timestamp pattern from internal/action/auto.go:reserve(), reusable.
redact
Package redact masks secret-shaped values in free text before it crosses a trust boundary β€” specifically before tool output (pod/controller logs, git diffs, status/event messages) is fed to the LLM provider, from where the model's quoted evidence would otherwise flow on into a (possibly public) KB pull request and chat.
Package redact masks secret-shaped values in free text before it crosses a trust boundary β€” specifically before tool output (pod/controller logs, git diffs, status/event messages) is fed to the LLM provider, from where the model's quoted evidence would otherwise flow on into a (possibly public) KB pull request and chat.
server
Package server exposes RunLore's HTTP endpoints (incident webhooks).
Package server exposes RunLore's HTTP endpoints (incident webhooks).
telemetry
Package telemetry provides RunLore's self-instrumentation: an OpenTelemetry metric set plus a Prometheus-exporter HTTP handler.
Package telemetry provides RunLore's self-instrumentation: an OpenTelemetry metric set plus a Prometheus-exporter HTTP handler.
trigger
Package trigger ingests incidents (Alertmanager/VMAlert webhooks) and decides, per the configured policy, which ones start an investigation.
Package trigger ingests incidents (Alertmanager/VMAlert webhooks) and decides, per the configured policy, which ones start an investigation.
whatchanged
Package whatchanged produces the "what changed" delta between two GitOps revisions: a path-scoped unified diff (the actual landed change).
Package whatchanged produces the "what changed" delta between two GitOps revisions: a path-scoped unified diff (the actual landed change).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL