Skip to content

RamazanKara/openexit

BranchesTags

Repository files navigation

OpenExit

Local-first migration assessments from proprietary SaaS platforms to open-source infrastructure.

OpenExit collects migration inventory, normalizes it, analyzes migration risks, generates candidate target files, validates outputs, and exports a local evidence bundle.

The Datadog to Grafana LGTM path includes both fixture import and a read-only live Datadog collector. The GitHub Enterprise to Forgejo path includes fixture import and a read-only GitHub/GitHub Enterprise collector for repository migration inventory. The Okta/Auth0 to Keycloak/Zitadel path includes fixture import and read-only live Okta and Auth0 collectors. The Cloudflare/Akamai to Varnish/HAProxy/Coraza path includes fixture import and read-only live Cloudflare and Akamai collectors. The OpenAI/Anthropic path includes fixture import and read-only OpenAI and Anthropic aggregate usage collectors.

Safety Model

  • No production writes.
  • No one-click migration.
  • No hidden hosted backend.
  • No credential storage.
  • No direct SaaS deletion.
  • No AI dependency.
  • No generated config is production-ready without review.

Quick Start

make build
./bin/openexit demo ./demo

openexit demo uses built-in redacted fixture data, runs the deterministic workflow, validates the output, and writes ./demo/openexit-demo.zip.

Install Release Binary

curl -fsSL https://github.com/RamazanKara/openexit/releases/latest/download/install.sh | sh
openexit doctor
openexit demo ./demo

The installer detects Linux or macOS plus amd64 or arm64, downloads the matching release binary, verifies it against SHA256SUMS, verifies that artifact against RELEASE_MANIFEST.json, and installs openexit into /usr/local/bin when writable or ~/.local/bin otherwise. Set OPENEXIT_VERSION=v0.1.0 for a specific release or BIN_DIR=/path/to/bin for a custom install location.

Install From Source

git clone https://github.com/RamazanKara/openexit.git
cd openexit
make verify
make build VERSION=0.1.0
./bin/openexit version

Release candidates can be built locally with:

make release-check VERSION=0.1.0

This runs the release gate, writes OS/architecture binaries, writes dist/SHA256SUMS, writes dist/RELEASE_MANIFEST.json, writes dist/SBOM.cdx.json, and verifies the release artifacts.

Refresh the checked-in Datadog example project with:

make example VERSION=0.1.0-dev

Commands

  • openexit version
  • openexit doctor [--json] [--strict]
  • openexit init <project-dir> [--source <type> --target <type>]
  • openexit demo <project-dir> [--source <type>] [--out <file>] [--force]
  • openexit status --project <project-dir> [--json]
  • openexit run --project <project-dir> [--strict] [--export --out <file>]
  • openexit collect fixture --project <project-dir> --input <file>
  • openexit collect github --project <project-dir> --owner <org> [--base-url https://github.example.com/api/v3] [--token-env GITHUB_TOKEN] [--repo owner/name]
  • openexit collect github-fixture --project <project-dir> --input <file>
  • openexit collect okta --project <project-dir> --org-url https://dev-123456.okta.com [--token-env OKTA_API_TOKEN] [--break-glass-user admin@example.com]
  • openexit collect auth0 --project <project-dir> --domain https://example.us.auth0.com [--token-env AUTH0_MANAGEMENT_TOKEN] [--break-glass-user admin@example.com]
  • openexit collect identity-fixture --project <project-dir> --input <file>
  • openexit collect cloudflare --project <project-dir> --zone-id <zone-id> [--token-env CLOUDFLARE_API_TOKEN]
  • openexit collect akamai --project <project-dir> [--zone example.com] [--property-id prp_123] [--security-config-id 123:7]
  • openexit collect edge-fixture --project <project-dir> --input <file>
  • openexit collect openai --project <project-dir> [--admin-key-env OPENAI_ADMIN_KEY] [--days 30] [--owner team@example.com]
  • openexit collect anthropic --project <project-dir> [--admin-key-env ANTHROPIC_ADMIN_KEY] [--days 30] [--workspace-id wrkspc_...]
  • openexit collect ai-fixture --project <project-dir> --input <file>
  • openexit collect datadog --project <project-dir> --site datadoghq.eu --api-key-env DATADOG_API_KEY --app-key-env DATADOG_APP_KEY
  • openexit assess --project <project-dir> --target grafana-lgtm
  • openexit map --project <project-dir>
  • openexit generate --project <project-dir> --all
  • openexit validate --project <project-dir>
  • openexit export --project <project-dir> --format zip --out <file>
  • openexit verify-bundle <file> [--json]
  • openexit release-manifest [--dist dist --out dist/RELEASE_MANIFEST.json]
  • openexit verify-release <manifest.json> [--dist dist] [--artifact <name>] [--require-checksums] [--json]
  • openexit completion [bash|zsh|fish|powershell]
  • openexit sbom [--out SBOM.cdx.json]
  • openexit assist summarize --project <project-dir> --provider noop

The Datadog, GitHub, Okta, Auth0, Cloudflare, Akamai, OpenAI, and Anthropic collectors are read-only. API tokens are read from environment variables or local credential files, are not printed, and are not stored. When --target is omitted during init, OpenExit selects the standard target for the chosen source.

Supported Paths

Source Target Status Collector
Datadog Grafana LGTM, Prometheus-compatible alerting, OpenTelemetry Collector/Alloy Primary path Fixture and read-only live Datadog collector
GitHub Enterprise Forgejo Repository migration assessment path Fixture and read-only live GitHub/GitHub Enterprise collector
Okta/Auth0 Keycloak/Zitadel Identity migration assessment path Fixture and read-only live Okta/Auth0 collectors
Cloudflare/Akamai Varnish/HAProxy/Coraza Edge migration assessment path Fixture and read-only live Cloudflare/Akamai collectors
OpenAI/Anthropic vLLM/LiteLLM AI provider migration assessment path Fixture and read-only live OpenAI/Anthropic aggregate usage collectors

Fixture workflows run the full local OpenExit workflow with sample or customer-provided JSON fixture data. They are assessment and planning tools for offline review.

Current Scope

Included in the current implementation:

  • CLI skeleton and project init/status.
  • Runtime doctor for version metadata, embedded schemas, and optional validator availability.
  • Built-in demo project generation for release binaries without repository-local fixture files.
  • Project readiness status with pipeline counts, validation state, export readiness, and JSON output for automation.
  • One-command deterministic workflow runner for collected projects, with optional evidence bundle export.
  • Typed project, inventory, assessment, mapping, and validation manifests.
  • Fixture-based Datadog inventory import.
  • Read-only Datadog collection for dashboards, monitors, SLOs, installed integration metadata, and referenced metric/tag metadata.
  • Read-only GitHub/GitHub Enterprise collection for repositories, teams, branch protection, Actions workflows, secret metadata, runners, deploy keys, and GitHub App installations.
  • Read-only Okta collection for applications, groups, policy/rule metadata, org MFA factors, and explicit break-glass user metadata.
  • Read-only Auth0 collection for clients, roles, action/rule metadata, Guardian MFA factors, and explicit break-glass user metadata.
  • Read-only Cloudflare collection for DNS records, WAF rulesets, cache rules, redirects, inferred origins, TLS settings, bot rules, and page rules.
  • Read-only Akamai collection for Edge DNS recordsets, Property Manager hostnames/rules, origins, cache behaviors, redirects, TLS/HSTS metadata, Bot Manager behavior metadata, and optional AppSec custom-rule metadata.
  • Read-only OpenAI collection for model-grouped aggregate completions usage, token volumes, available model metadata, and hourly peak estimates.
  • Read-only Anthropic collection for model-grouped Messages API token usage, server web-search tool metadata, filters, and hourly peak estimates.
  • Deterministic risk assessment.
  • Deterministic source-to-target mapping manifest and summary.
  • Markdown handover artifacts.
  • Grafana dashboard candidate JSON.
  • Prometheus alert rule candidate YAML with simple Datadog threshold conversion hints.
  • OpenTelemetry Collector sketch.
  • ArgoCD starter manifest.
  • Typed migration plan manifest and phase-gate Markdown plan.
  • Validation report with embedded JSON Schema checks, Grafana dashboard, Prometheus alert, OpenTelemetry collector, ArgoCD, Forgejo migration, identity realm/client, edge VCL/HAProxy/Coraza, and LiteLLM/vLLM candidate checks, YAML/JSON parsing, evidence ref checks, secret scan, and optional promtool/kubeconform checks.
  • Evidence bundle export with README, checksums, and a schema-backed machine-readable manifest.
  • Offline evidence bundle verification for manifest schema, checksums, digest/size metadata, and archive path safety.
  • Release artifact manifest generation with binary OS/architecture metadata, auxiliary asset metadata, sizes, and SHA-256 digests.
  • Offline release artifact verification for binaries and auxiliary assets against RELEASE_MANIFEST.json and optional SHA256SUMS.
  • Release installer script that selects the current platform binary and verifies it before installation.
  • Shell completion generation for Bash, Zsh, Fish, and PowerShell, including release-provided completion assets.
  • CycloneDX JSON SBOM generation for the OpenExit binary and Go module dependencies.
  • Evidence bundle path-safety checks that reject symlinks in exported project sections.
  • No-op assist provider and explicit opt-in LiteLLM assist.
  • GitHub Enterprise to Forgejo assessment path with fixture import and live repository inventory collection.
  • Okta/Auth0 to Keycloak/Zitadel assessment path with fixture import and live Okta/Auth0 identity inventory collection.
  • Cloudflare/Akamai to Varnish/HAProxy/Coraza assessment path with fixture import and live Cloudflare/Akamai edge inventory collection.
  • OpenAI/Anthropic to vLLM/LiteLLM assessment path with fixture import and live OpenAI/Anthropic aggregate usage inventory collection.

Not included in the current release:

  • Automatic cutover.
  • Production apply.
  • Hosted portal.
  • Perfect Datadog to Grafana parity.
  • AI-required decision making.

Optional Assist

openexit assist summarize defaults to the local no-op provider. LiteLLM is available only when openexit.yaml explicitly sets policy.allowAI: true, assist.enabled: true, assist.provider: litellm, and assist.allowExternalProvider: true.

Assist inputs are redacted before provider calls, outputs must use .ai.md, and deterministic artifacts are never overwritten.

Candidate Conversion Policy

OpenExit is intentionally conservative:

  • Simple Datadog metric thresholds can be translated into PromQL candidates.
  • Complex functions such as anomaly, outlier, forecast, timeshift, or composite behavior stay as vector(0) placeholders with source queries preserved.
  • Every generated alert remains labeled openexit_candidate=true and production_ready=false.
  • Human review and shadowing are required before operational use.

Risk Coverage

The assessment engine includes dashboard, monitor, SLO, cost, scale, identity, edge, repository, and AI provider risk rules from the implementation plan. Findings have stable IDs, severity, affected assets, evidence refs, and recommendations. openexit map writes a typed mapping manifest under mapping/; generate --all refreshes mapping and writes a typed migration plan under assessment/ with assessment, pilot, shadow, and cutover phase gates. openexit validate checks generated manifests against embedded public JSON Schemas as well as typed consistency rules.

Release Process

The release checklist lives in docs/release.md. A release build should pass make verify, make release-dist VERSION=0.1.0, openexit verify-release dist/RELEASE_MANIFEST.json --dist dist --require-checksums, make example VERSION=0.1.0-dev, the Datadog definition-of-done pipeline, and validation/export for every supported assessment path.

Assessment Paths

GitHub Enterprise to Forgejo collects repository, team, branch protection, Actions workflow, secret metadata, runner, deploy key, and GitHub App installation metadata from live GitHub/GitHub Enterprise APIs or local fixtures. It generates Forgejo migration assessment, CI compatibility, branch protection mapping, runner migration, repository ownership reports, and a validated Forgejo migration candidate YAML.

Okta/Auth0 to Keycloak/Zitadel collects applications, SAML/OIDC client metadata, groups, policies, MFA settings, redirect URIs, owners, and break-glass account metadata from live Okta/Auth0 APIs or local fixtures. It generates identity migration risk, validated realm/client candidate config, break-glass, cutover, and rollback artifacts.

Cloudflare/Akamai to Varnish/HAProxy/Coraza collects DNS records, WAF rules, cache rules, redirects, origins, TLS settings, bot rules, and page rules from live Cloudflare/Akamai APIs or local fixtures. The Akamai collector uses read-only EdgeGrid-authenticated calls for Edge DNS, Property Manager, and optional AppSec metadata. It generates validated VCL, HAProxy, Coraza, cache parity, and WAF enforcement review artifacts.

OpenAI/Anthropic to vLLM/LiteLLM collects model usage classes, token volumes, latency expectations, sensitive prompt categories, tool usage, and fallback behavior from local fixtures. It can also collect model-grouped aggregate OpenAI completions usage, aggregate Anthropic Messages API usage, available model metadata where exposed, server web-search tool metadata, and hourly peak estimates from live provider APIs without storing prompts or credentials. The path generates self-hosted LLM readiness, validated LiteLLM routing, vLLM sizing, evaluation, and data sensitivity artifacts.

License

Apache-2.0.

About

Local-first migration assessments from SaaS to open source

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages