UpGal AI assistant
Configure, use, extend, and secure the UpGal operations assistant.
UpGal is the organization-scoped operations assistant built into the Upstand dashboard. It can inspect infrastructure and, with explicit approval, perform supported mutations such as creating projects, deploying resources, or controlling services.
Architecture
The dashboard chat uses the Vercel AI SDK UI message protocol and AI Elements for rendering conversations, streaming states, tool calls, errors, and approval controls. The server runs a ToolLoopAgent with a typed tool set. Each tool delegates to an existing Upstand use case, so dashboard actions and assistant actions share the same authorization and business rules.
sequenceDiagram
participant User
participant Dashboard
participant API as Hono API
participant Agent as UpGal agent
participant Domain as Use cases
participant DB as PostgreSQL
User->>Dashboard: Send message
Dashboard->>API: Typed UI messages
API->>DB: Verify organization/conversation
API->>Agent: Stream agent response
Agent->>Domain: Read or approved mutation
Domain->>DB: Apply existing business rules
Agent-->>Dashboard: Text, tool state, approval, resultConfigure a provider
Organization owners and administrators configure UpGal from Settings → UpGal Settings.
- Choose OpenAI, Anthropic, Google, OpenRouter, or the OpenAI-compatible AI Gateway.
- Click Load models to fetch the current catalog for the selected provider, then choose a model or enter any custom model ID. Catalog requests use the provider's native models endpoint; custom base URLs are supported for compatible gateways.
- Enter the API key and, when required, a custom base URL.
- Save the settings and use Test connection to verify the configuration. The test uses the values currently in the form, so you can validate a new key before saving it.
The API key is encrypted before persistence. The browser only receives provider, model, base URL, enabled state, and a boolean indicating whether a key is configured. The plaintext key is never returned by the API.
The server also requires the normal Upstand database, Redis, authentication, and encryption-key configuration. The encryption key must be backed up with the rest of the installation secrets; losing it prevents decryption of stored provider credentials.
Tool behavior and approvals
Read-only tools can run automatically after UpGal verifies that every referenced project, environment, and resource belongs to the active organization. Current read tools include listing projects, environments, resources, servers, and deployments, reading resource logs, and reading resource runtime statistics.
Mutation tools always request approval in the chat UI. The tool is not executed when the user rejects the request, and UpGal must not claim success until the approved tool returns successfully. Current mutation tools include project/environment creation, deployment, resource control, and project/resource deletion.
The Templates page also provides an AI draft generator. It returns validated Compose YAML only; it does not save a template or deploy a resource. Review the generated editor contents, then use the existing 2FA-protected save and explicit deployment actions. Generated drafts reject privileged mode, host namespaces, host bind mounts, Docker socket mounts, capabilities, and devices.
Approval is enforced at the AI SDK tool boundary. The external MCP surface does not bypass this rule: read-only tools can be exposed through a scoped key, while mutating MCP calls return an approval-required response and must be completed from the dashboard.
Conversations and runs
Conversations belong to one organization and one authenticated user. Incoming UI messages are validated against the typed UpGalUIMessage tool contract before they are stored or passed to the agent. Runs record the model, step count, status, and completion time for operational visibility.
The agent is bounded to twelve loop steps per request. It uses the same request-scoped dependency container as the rest of the API, which keeps repository and use-case lifetimes consistent and makes organization isolation explicit.
MCP access
UpGal exposes a reusable JSON-RPC MCP endpoint at /api/mcp. Create an external key from Settings → API Keys, choose only the tool scopes required by the integration, and keep the returned secret in a password manager. The secret is shown once; the database stores only its SHA-256 hash.
Use * for all tools or individual scopes such as tool:list_projects. Keys can expire and can be revoked without changing other organization settings. Every request is checked for expiry, revocation, scope, and organization ownership.
MCP currently supports initialize, tools/list, and tools/call. Treat tool results as untrusted operational data and keep the endpoint behind HTTPS. Do not put an external key in browser code, source control, URLs, or logs.
Extension guide
To add a new UpGal capability:
- Add or reuse a domain use case with its existing typed input and output.
- Add a Zod input schema and a typed entry in
packages/api/src/ai/upgal.ts. - Classify it as read-only or approval-required in the tool metadata.
- Add organization/resource ownership checks before executing it.
- Add the tool to the UI message type and render its states in the AI Elements tool component.
- Decide whether it is safe to expose through MCP and update the scope documentation.
- Add focused tests for validation, authorization, approval denial, successful execution, and MCP scope enforcement.
Keep provider access, persistence, and business operations separate. The runtime depends on the typed AI repository contract and existing use cases; it should not import Drizzle tables or duplicate domain rules.
Limitations and operational guidance
UpGal does not silently execute destructive work, and it does not currently provide a live human-support handoff channel. For support or incidents, stop the run, inspect the relevant logs and deployment status, and use the normal Upstand support/operations process. Streaming failures should be retried only after checking whether a mutation was already accepted.
For production, use a dedicated provider key with the smallest practical quota, restrict MCP scopes, enable 2FA for administrators, rotate keys periodically, and monitor AI run and application logs for unexpected tool activity.