Error Triage Agent (V0)

Java 17 AWS Lambda that scans SFTP for error files, parses them, learns MySQL schema, runs read-only investigations, and emails a concise report. Includes a lightweight browser UI to view/edit configuration. Supports both local file-based mode (no AWS) and AWS deployment.

Local Run (Laptop)

Use file-based config and seen store. No AWS required.

1. Prepare local config and secrets

• Copy example config and edit values:

mkdir -p local
cp src/main/resources/config.example.json local/config.json

• Create a local/secrets folder with JSON files for referenced secrets:
  • local/secrets/mysql/ro.json: { "username": "readonly", "password": "<pwd>" }
  • local/secrets/sftp/cred.json (password auth): { "password": "<pwd>" } or for key auth: { "privateKey": "<PEM contents>", "passphrase": "optional" }
  • local/secrets/smtp/cred.json (if using SMTP): { "username": "<user>", "password": "<pwd>" }

Ensure the secretRef values in local/config.json match the relative names above (e.g., "mysql/ro", "sftp/cred", "smtp/cred").

2. Build the jar

mvn -q -DskipTests package

3. Start the local UI + API

export CONFIG_PATH="$(pwd)/local/config.json"
export SECRETS_DIR="$(pwd)/local/secrets"
export SEEN_STORE_PATH="$(pwd)/local/seen.json"
export LOCAL_PORT=8080
java -cp target/error-triage-agent-0.1.0-SNAPSHOT.jar com.acme.triage.LocalMain

Open http://localhost:8080 to view/edit config. The API is at /config; run a manual scan via POST /run.

4. Optional: schedule local runs

export LOCAL_SCHEDULE_MINUTES=60
java -cp target/error-triage-agent-0.1.0-SNAPSHOT.jar com.acme.triage.LocalMain

Notes:

• Email: set provider to smtp and point to a local SMTP dev tool like MailHog (host localhost, port 1025, TLS off).
• SFTP: connect to any reachable SFTP server; for pure local testing use a local SFTP container/service.
• Seen store: persisted at local/seen.json.

Deploy (SAM)

Prereqs: AWS CLI, SAM CLI, Java 17, SES verified sender (if using SES), Secrets Manager secret created for config JSON.

1. Create the config secret (replace values):

aws secretsmanager create-secret \
  --name error-triage/config \
  --secret-string fileb://src/main/resources/config.example.json

2. Build & deploy:

sam build
sam deploy --guided \
  --parameter-overrides ConfigSecretName=error-triage/config DdbTableName=agent_seen_files EnablePublicUi=false

3. Note outputs:

• ApiUrl: base URL exposing /config endpoints
• UiBucketName: S3 bucket to host UI (optional public)

4. Upload UI (optional):

API_BASE=$(aws cloudformation describe-stacks --stack-name <stack> --query "Stacks[0].Outputs[?OutputKey=='ApiUrl'].OutputValue" --output text)
echo "window.API_BASE='${API_BASE}';" > ui/ui-config.js
aws s3 sync ui s3://<UiBucketName>/ --delete

If you set environment variable CONFIG_UI_TOKEN on ConfigApiFunction, set the same token in ui/ui-config.js as window.CONFIG_UI_TOKEN='...';.

Runtime Env Vars

• CONFIG_SECRET_NAME: Secrets Manager secret id for JSON config
• AWS_REGION: AWS region (injected by Lambda)
• DDB_TABLE: DynamoDB table for seen file fingerprints
• CONFIG_UI_TOKEN (Config API only): optional bearer token for UI/API access

Project Structure

See src/main/java/com/acme/triage for components and ui/ for the minimal web UI.

Notes

• API updates only change the JSON config; secrets (passwords/keys) are referenced by secretRef and never exposed.
• Restrict access to the API (IAM or CONFIG_UI_TOKEN) and prefer private hosting for the UI.