Metadata-Version: 2.4
Name: workpilot
Version: 0.5.7
Summary: Enterprise AI assistant with Microsoft ecosystem integration — safe, lightweight, multi-channel
Project-URL: Homepage, https://aka.ms/workpilot
Author: WorkPilot Team
License-Expression: MIT
Keywords: agent,ai,assistant,enterprise,mcp
Requires-Python: >=3.11
Requires-Dist: apscheduler>=3.11
Requires-Dist: claude-agent-sdk>=0.1.40
Requires-Dist: fastapi>=0.135
Requires-Dist: github-copilot-sdk>=0.1
Requires-Dist: httpx>=0.28
Requires-Dist: loguru>=0.7
Requires-Dist: msal>=1.35.1
Requires-Dist: openai<3,>=2.24
Requires-Dist: playwright>=1.58
Requires-Dist: prompt-toolkit>=3.0
Requires-Dist: pydantic<3,>=2.12
Requires-Dist: pyjwt[crypto]>=2.8
Requires-Dist: pyyaml>=6.0
Requires-Dist: rich>=14.3
Requires-Dist: typer>=0.24
Requires-Dist: uvicorn[standard]>=0.41
Requires-Dist: websockets>=16.0
Provides-Extra: all
Requires-Dist: beautifulsoup4>=4.14; extra == 'all'
Requires-Dist: markdownify>=1.2; extra == 'all'
Requires-Dist: msal[broker]>=1.35.1; extra == 'all'
Requires-Dist: numpy>=2.4; extra == 'all'
Provides-Extra: broker
Requires-Dist: msal[broker]>=1.35.1; extra == 'broker'
Provides-Extra: dev
Requires-Dist: mypy>=1.19; extra == 'dev'
Requires-Dist: pytest-asyncio>=1.3; extra == 'dev'
Requires-Dist: pytest-cov>=7.0; extra == 'dev'
Requires-Dist: pytest>=9.0; extra == 'dev'
Requires-Dist: ruff>=0.15; extra == 'dev'
Requires-Dist: types-pyyaml>=6.0; extra == 'dev'
Description-Content-Type: text/markdown

# WorkPilot

**An autonomous AI assistant that codes, communicates, and ships across your entire Microsoft stack — proactively and securely.**

Most AI coding tools require you to send your code to a third-party cloud. WorkPilot runs entirely on your machine, inside your corporate network. Your source code, credentials, and conversations never leave your infrastructure — yet your team can still reach WorkPilot directly from Microsoft Teams.

[![CI](https://github.com/gim-home/WorkPilot/actions/workflows/workpilot-ci.yml/badge.svg)](https://github.com/gim-home/WorkPilot/actions/workflows/workpilot-ci.yml)
[![Python 3.11+](https://img.shields.io/badge/python-3.11+-blue.svg)](https://www.python.org/)

---

## Why WorkPilot for enterprise?

Most AI assistants are cloud-hosted SaaS — acceptable for personal use, not for organizations with data governance requirements. WorkPilot takes the opposite approach:

- **Your infra, your data.** The assistant runs on your own machine or VM. Nothing is persisted outside your network.
- **Your identity provider.** Authentication flows through Microsoft Entra ID (Azure AD). No separate accounts or API keys to manage.
- **Your compliance posture.** Four security profiles (`open` → `standard` → `controlled` → `restricted`) let security teams tune autonomy without touching code.
- **Your Microsoft stack.** Native Teams bot, Outlook, Graph API, and Azure DevOps integration — WorkPilot lives where your org already works.

---

## Install

**Requirements:** Python 3.11+

### pip install (recommended)

```bash
pip install --upgrade workpilot
workpilot version              # verify installation
workpilot init                 # guided setup — creates workpilot.local.yaml
workpilot                      # smart start — init if needed, then launch server
```

### One-click bootstrap

The bootstrap scripts automatically install Python 3.13 if needed, configure pip, install WorkPilot from PyPI, and verify the CLI is on your PATH.

**Windows (PowerShell):**
```powershell
irm https://aka.ms/workpilot/install.ps1 | iex
```

**macOS / Linux:**
```bash
curl -fsSL https://aka.ms/workpilot/install.sh | bash
```

### Platform notes

| Platform | Notes |
|----------|-------|
| **Windows** | If `workpilot` isn't found after install, ensure `%APPDATA%\Python\Python3x\Scripts` is on your PATH, or use the PowerShell bootstrap script above. |
| **macOS** | You may need `python3` instead of `python`. Homebrew: `brew install python@3.11` |
| **Linux** | Use your distro's package manager (e.g., `sudo apt install python3.11 python3.11-venv`) if Python 3.11+ isn't available. |

> **Tip:** Using a virtual environment is recommended for isolated installs:
> ```bash
> python -m venv .venv && source .venv/bin/activate  # or .venv\Scripts\activate on Windows
> pip install workpilot
> ```

> **Teams user?** [Add WorkPilot to Teams](https://teams.microsoft.com/l/app/cfcdde49-617a-4fbd-bf0f-7c3bab131982?installAppPackage=true) *(Microsoft Preview)* then run `workpilot cloud` to bring WorkPilot online.

---

## What it does

| | |
|--|--|
| **Write & edit code** | Reads, writes, refactors, and debugs across your entire codebase |
| **Run commands** | Shell, git, tests, build tools — sandboxed with deny-pattern controls |
| **Browse & search** | Web search, HTTP requests, Playwright browser automation |
| **Talk to Microsoft 365** | Teams messages, Outlook email, Graph API, Azure DevOps |
| **Schedule work** | Cron jobs, event triggers, recurring automated tasks |

---

## Three ways to use it

### 1. Terminal
```bash
workpilot chat               # interactive REPL
workpilot run "write tests"  # one-shot
```

### 2. Self-hosted web UI
```bash
workpilot serve     # http://localhost:3003
```
Chat UI, REST API, WebSocket, and OpenAI-compatible endpoint — all on your own server.

### 3. Microsoft Teams + Web Chat
```bash
workpilot cloud   # authenticate with Entra ID — Teams messages reach WorkPilot
```
A stateless Cloud Gateway relays messages between Teams and your machine. Nothing is stored in the cloud. If the assistant is offline, Teams users receive an instant notification with reconnection instructions.

---

## Security architecture

WorkPilot implements defense-in-depth security at every layer:

### Access control
- **Entra ID SSO** — MSAL authentication for Teams and Web Chat; no passwords, no shared secrets
- **Security profiles** — tune the autonomy level across your deployment without modifying code

### Runtime protection
- **3-phase tool hook pipeline** — preflight classifiers reject suspicious actions *before* execution; postflight scanners redact credentials from *tool output*
- **Security Classifier** — a fast secondary LLM reviews every tool call; results are cached for 5 minutes to minimize cost
- **Command sandbox** — configurable deny patterns block destructive shell commands (`rm -rf`, `curl | bash`, etc.)
- **Path sandbox** — workspace restriction and SSRF protection prevent access outside permitted directories

### Observability & incident response
- **Audit log** — append-only record of every tool call, message, and security event; auto-redacted before writing
- **Secret redaction** — API keys, JWT tokens, AWS credentials, and high-entropy strings masked in real time
- **E-stop** — global kill switch triggered manually or automatically on credential leak detection; halts all processing and returns 503 on the gateway

---

## Built-in agents

| Agent | Purpose |
|-------|---------|
| `default` | Full-capability orchestrator — user-facing |
| `explorer` | Fast, read-only search — 10× cheaper, spawned automatically |
| `security` | Internal Security Classifier — not user-facing |

Templates (`coder`, `reviewer`, `tester`, `researcher`, `communicator`) can be enabled per-project in `workpilot.yaml`.

---

## Development

```bash
git clone https://github.com/gim-home/WorkPilot.git
cd WorkPilot
pip install -e ".[dev]"        # editable install with dev dependencies
pip install -e ".[all]"        # editable install with all optional deps
pytest tests/ -v
python -m ruff check && python -m ruff format
```

All changes via pull request. Never push directly to `main`.

---

## Links

- [Official Website](https://aka.ms/workpilot)
- [Add to Microsoft Teams](https://teams.microsoft.com/l/app/cfcdde49-617a-4fbd-bf0f-7c3bab131982?installAppPackage=true) *(Preview)*
- [Architecture docs](design/core-infra.md)
- [Cloud Gateway (.NET)](cloud_gateway/)
