Interpretos Local — Administrator Guide

Overview

Interpretos Local is an AI copilot for enterprise applications. It connects to Oracle E-Business Suite, PeopleSoft, and IBM Maximo and lets users query their systems using natural language.

This guide covers everything an administrator needs to install, configure, operate, and extend their Interpretos Local instance.

Setup Wizard

On first launch, a 6-step wizard guides you through initial configuration.

Step 0: License Key

Choose one of three paths:

I have a key: Paste your INTRP-xxx license key and click Install

Free trial: Enter your email to receive a temporary trial key (100 queries/day)

Air-gapped: For environments without internet access — contact support for an offline activation key

Step 1: Admin Account

Create the first administrator account.

Username defaults to "admin" (you can change it)

Password must be at least 8 characters

Display name is shown in the chat interface (e.g., "Database Administrator")

Step 2: AI Model Provider

Choose the LLM that powers your chat experience.

Provider	API Key Required	Recommended Model	Notes
Interpretos Cloud	No	Automatic	Free tier, 100 queries/day, no configuration
Google Gemini	Yes	gemini-3-flash-preview	Get key at aistudio.google.com/apikey
OpenAI	Yes	gpt-4.1-mini	Get key at platform.openai.com/api-keys
Anthropic	Yes	claude-sonnet-4-6	Get key at console.anthropic.com
Custom / Self-hosted	Yes	Varies	Any OpenAI-compatible endpoint (Ollama, vLLM, LiteLLM)

For self-hosted models, provide the base URL (e.g., http://localhost:11434/v1 for Ollama).

Click Test Connection to verify before proceeding.

Step 3: Integration Connections

Connect to your enterprise systems. You can configure one or more integrations.

Oracle E-Business Suite (EBS)

Direct Database Mode (recommended — 1-3 second queries):

DB Host: hostname of Oracle database server

DB Port: default 1521

DB User: read-only account (e.g., APPS_RO)

DB Password

DB Service: TNS service name (e.g., VIS, PROD)

SSH Tunnel Mode (11-17 second queries):

SSH Host: hostname or IP of the server with sqlplus

SSH User: OS user with sqlplus access (e.g., oracle, applmgr)

SSH Key: RSA private key in PEM format (must start with -----BEGIN RSA PRIVATE KEY-----)

Oracle Home: path containing bin/sqlplus (e.g., /u01/app/oracle/product/12.1.0)

DB credentials as above

Common issues:

SSH key in wrong format: convert with ssh-keygen -p -m PEM -f your_key

Oracle Home path wrong: run echo $ORACLE_HOME on the database server to find it

Firewall blocking port 22 (SSH) or 1521 (Oracle): verify with telnet host port

Wrong service name: check $ORACLE_HOME/network/admin/tnsnames.ora on the DB server

PeopleSoft

Connects via SSH tunnel to Oracle database (no direct mode).

Same SSH fields as EBS

DB User: typically SYSADM or PS_RO

DB Service: PDB name (e.g., HCMVRS, CSUAT, HRPRD)

Oracle Home: typically /opt/oracle/psft/db/oracle-server/19.3.0.0

PeopleSoft uses CDB/PDB architecture. The PDB name is critical — it's set via ALTER SESSION SET CONTAINER before any query. If you're unsure, ask your DBA for the PDB name or run SELECT name FROM v$pdbs on the CDB.

IBM Maximo

Connects via REST API (OSLC interface).

API Base URL: must include /maximo (e.g., https://maximo.example.com/maximo)

MAS 9.x: Use API Key authentication. Generate at Administration > API Keys in Maximo

Maximo 7.6: Use MAXAUTH (username + password, sent as Base64-encoded header)

Common issues:

Wrong base URL: must end with /maximo, not /maximo/api or just the hostname

API key not generated: MAS 9.x requires explicit key creation in the admin console

SSL certificate errors: ensure your instance's certificate is trusted, or set verify=false (not recommended for production)

Step 4: Telemetry (Optional)

Enable anonymous aggregate metrics to help improve the product.

Preview the exact payload before enabling

Data sent: query counts, response times, error rates, integration types

Data NOT sent: query content, usernames, credentials, IP addresses

All transmissions logged to /app/data/telemetry_audit.jsonl for your audit

Step 5: Review and Complete

Summary of all settings. Click Complete Setup to finish.

Admin Panel

Access the admin panel by clicking the gear icon in the header bar. Eight tabs provide full administrative control.

Users Tab

Manage system users and their roles.

Adding users:

Fill in username, display name, password, and role (user or admin)

"admin" role users can access the admin panel; "user" role can only chat

User actions:

Reset password (admin can reset any user's password)

Delete user (removes account, credentials, and chat history)

Click the credential count to jump to the Credentials tab for that user

Roles:

Role	Chat	Own Preferences	Admin Panel	Manage Users
user	Yes	Yes	No	No
admin	Yes	Yes	Yes	Yes

Credentials Tab

Map each user to their identity in each enterprise system. This controls what data they see through role-based access control (RBAC).

How RBAC works: When user "jsmith" sends a chat query, Interpretos uses jsmith's personal credentials (not the admin's) to query the enterprise system. If jsmith's Oracle account is restricted to the BEDFORD site, they'll only see BEDFORD data.

Setting credentials:

Select a user from the dropdown

Select an integration

Fill in that user's credentials for that system

Click Test to validate, then Save

If no per-user credentials are set, the user inherits the global admin connection — meaning they see ALL data. For security, configure per-user credentials for restricted users.

Credential fields by integration:

Integration	Key Fields
EBS	SSH host/user/key, DB user/password/service, Oracle Home, RBAC username
PeopleSoft	SSH host/user/key, DB user/password/service, PDB name, RBAC username
Maximo	Auth type, API base URL, API key or username/password

API Keys Tab

Generate programmatic API keys for automation, bots, and integrations.

Creating a key:

Select the user the key will act as (inherits their RBAC permissions)

Give it a descriptive name (e.g., "Slack Bot", "Daily Reports", "ETL Pipeline")

Click Create — the key is shown once only, copy it immediately

Using API keys:


# Via X-API-Key header
curl -X POST http://localhost:8080/api/chat \
  -H "Content-Type: application/json" \
  -H "X-API-Key: ik_your_key_here" \
  -d '{"message": "How many open work orders are there?"}'

# Via Authorization header
curl -X POST http://localhost:8080/api/chat \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ik_your_key_here" \
  -d '{"message": "Show me overdue POs"}'

Full API documentation is available at /api/docs (interactive Swagger UI).

Settings Tab

AI Provider Settings

Change the LLM provider after setup. Same options as setup step 2. Always test before saving.

Extra Parameters: Optional JSON object passed directly to the chat LLM API call. Use this for provider-specific tuning:

Provider	Example	Effect
Google Gemini	`{"thinking_budget": 0}`	Disables thinking mode for faster responses
Google Gemini	`{"thinking_level": "minimal"}`	Minimal thinking
OpenAI	`{"reasoning": {"effort": "low"}}`	Low reasoning effort for GPT-5.x
Ollama	`{"num_ctx": 8192}`	Sets context window size

Pattern Selection LLM (Advanced)

Configure an optional separate, faster LLM for pattern selection (the step that picks which knowledge pattern to use before answering).

Default: uses the same LLM as chat

Recommended: a fast, cheap model like Mercury-2 (~3ms) or gpt-4.1-mini

Benefit: faster first response time since pattern selection runs on every query

Click the "Pattern Selection LLM" section header to expand, enable the checkbox, configure, test, and save.

Extra Parameters: Optional JSON object passed directly to the LLM API call. Use this for provider-specific tuning without code changes:

Provider	Example	Effect
Google Gemini	`{"thinking_budget": 0}`	Disables thinking mode (prevents 26s+ delays on Gemini 3 Flash)
Google Gemini	`{"thinking_level": "minimal"}`	Minimal thinking (alternative to budget=0)
OpenAI	`{"reasoning": {"effort": "none"}}`	Disables reasoning for GPT-5.x models
Ollama	`{"num_ctx": 4096}`	Sets context window size

Pattern selection doesn't need reasoning/thinking — it's a simple pattern-matching task. If using a model with built-in thinking (Gemini 3 Flash, GPT-5.4 Thinking), disable it here for dramatically faster responses (26s to 2s in testing).

Integration Connection Settings

Update EBS, PeopleSoft, or Maximo connection settings. Same fields as setup step 3.

Custom Instructions

Set admin-wide default context for all users on a specific integration.

Examples:

"Unless otherwise specified, default answers to the BEDFORD site and EAGLENA org."

"Always include the PO number and buyer name in purchase order results."

"When showing headcount data, exclude terminated employees."

Select the integration from the dropdown, write instructions (max 1000 characters), and save. Users can also set their own personal instructions via the Preferences button in the chat header.

Restart Setup Wizard

Re-runs the guided setup. Preserves your license and user accounts but lets you reconfigure AI provider and integration connections.

Patterns Tab

Create custom patterns to teach the chatbot queries specific to your environment. Custom patterns extend the built-in knowledge without affecting it.

Creating a Pattern

Click + New Pattern and fill in:

Integration: Which system this pattern is for (EBS, PeopleSoft, or Maximo)

Description: What the chatbot should be able to answer (e.g., "Vendor aging report by vendor ID")

Data source: SQL Query or REST API

Query / Endpoint: The actual SQL or API call with parameter placeholders

Example questions: Natural language questions users might ask (one per line) — these help the AI match user queries to this pattern

Tables involved: Database tables referenced (comma-separated)

Entity types: Key concepts like "vendor", "employee", "asset" (comma-separated)

Notes: Optional gotchas or requirements

Click Save Pattern. The chatbot immediately starts using the new pattern — no restart needed.

Testing a Pattern

Click Test on any pattern, enter a sample question, and click Run Test. The system sends the query through the full chatbot pipeline and shows:

Whether the pattern was selected

The chatbot's response

Pass/fail status (saved for reference)

Managing Patterns

Action	Description
Enable/Disable	Toggle a pattern on or off without deleting it. Disabled patterns are ignored by the chatbot.
Edit	Modify any field. Test status resets after edits.
Clone	Duplicate a pattern — useful for creating variations (e.g., same query for a different entity).
Export	Download a single pattern as JSON for backup or sharing with another instance.
Delete	Permanently remove a pattern and its data.

Backup and Migration

Export All: Downloads all custom patterns as a JSON bundle. Use this before major upgrades or to migrate patterns to a new instance.

Import: Upload a JSON export file to restore patterns or import from another instance. Duplicates are skipped automatically.

Custom patterns are stored on the persistent data volume (/app/data/custom_patterns/) and survive container restarts and upgrades.

Updates Tab

Check for and install updates.

Container updates: new Docker image versions with features and fixes

Pattern updates: new or improved knowledge packs for your integrations

Installed modules: current integrations and pattern counts

Messages from Interpretos: service announcements and advisories

License Tab

View and manage your product license.

License status: ID, customer name, expiry date, included modules

Integration marketplace: available integrations with enable/purchase options

Upload new license: paste JSON or upload a .json file

Diagnostics Tab

Health monitoring, debugging, and audit trail for compliance.

System Health

Click Test All Connections to validate every configured service (LLM provider, databases, APIs). Green/red indicators show what's working.

Debug Logging

Toggle between INFO (normal) and DEBUG (verbose) log levels. Enable DEBUG when troubleshooting specific issues, then disable it — verbose logs consume more disk space.

Recent Errors

View recent server errors with timestamps, details, and stack traces. Useful for diagnosing connection failures or LLM errors.

Telemetry

Enable/disable anonymous telemetry

Preview the exact payload that will be sent

View the transmission log (every payload logged before sending)

Query Audit Log

Every query sent to connected enterprise systems is logged here — SQL statements for EBS/PeopleSoft, API calls for Maximo. Stored at /app/data/query_audit.jsonl.

Use this for: security audits, compliance reviews, debugging incorrect query results, and understanding what the AI is actually asking your systems.

Support Bundle

Download a diagnostic package to attach to support tickets. This bundle is privacy-safe: it excludes credentials, SQL text, conversation content, and usernames. It contains system info, connectivity results, error summaries, and anonymized metrics.

REST API Reference

Interpretos Local exposes a full REST API. Interactive documentation is available at /api/docs (Swagger UI) and the OpenAPI spec at /api/docs/openapi.yaml.

Authentication

Two methods:

JWT Token: POST /api/auth/login with {"username": "...", "password": "..."} — returns a token. Use as Authorization: Bearer .

API Key: Create in Admin Panel > API Keys. Use as X-API-Key: ik_xxx or Authorization: Bearer ik_xxx.

Core Endpoints

Endpoint	Method	Description
`/api/chat`	POST	Send a message, get full response
`/api/chat/stream`	POST	Send a message, get SSE streaming response
`/api/chat/cancel`	POST	Cancel an in-progress query
`/api/reset`	POST	Clear conversation state
`/api/conversations`	GET	List all conversations
`/api/conversations`	POST	Create new conversation
`/api/conversations/{id}`	GET	Get conversation history
`/api/conversations/{id}`	DELETE	Delete a conversation
`/api/status`	GET	Session status (model, integrations, RAG mode)
`/api/health`	GET	Health check (200 OK)
`/api/version`	GET	Container version
`/api/integrations`	GET	List available integrations

Admin Endpoints

Endpoint	Method	Description
`/api/admin/users`	GET	List all users
`/api/admin/users`	POST	Create user
`/api/admin/users/{username}`	DELETE	Delete user
`/api/admin/users/{username}/password`	PUT	Reset password
`/api/users/{username}/credentials/{integration}`	PUT	Set per-user credentials
`/api/users/{username}/credentials/{integration}`	GET	Get per-user credentials
`/api/admin/api-keys`	GET	List API keys
`/api/admin/api-keys`	POST	Create API key
`/api/admin/api-keys/{id}`	DELETE	Revoke API key
`/api/admin/settings`	GET	Get all settings
`/api/admin/settings/llm`	PUT	Update LLM provider
`/api/admin/settings/ebs`	PUT	Update EBS connection
`/api/admin/settings/peoplesoft`	PUT	Update PeopleSoft connection
`/api/admin/patterns/custom`	GET	List custom patterns
`/api/admin/patterns/custom`	POST	Create custom pattern
`/api/admin/patterns/custom/{id}`	GET	Get pattern details
`/api/admin/patterns/custom/{id}`	PUT	Update pattern
`/api/admin/patterns/custom/{id}`	DELETE	Delete pattern
`/api/admin/patterns/custom/{id}/test`	POST	Test pattern with a query
`/api/admin/patterns/custom/{id}/toggle`	PUT	Enable/disable pattern
`/api/admin/patterns/custom/{id}/duplicate`	POST	Clone pattern
`/api/admin/patterns/custom/{id}/export`	GET	Export single pattern (JSON)
`/api/admin/patterns/custom/export`	GET	Export all patterns (JSON bundle)
`/api/admin/patterns/custom/import`	POST	Import patterns from JSON
`/api/admin/diagnostics/test-connections`	POST	Test all connections
`/api/admin/diagnostics/errors`	GET	Recent errors
`/api/admin/diagnostics/export`	GET	Download support bundle
`/api/admin/audit/queries`	GET	Query audit log
`/api/admin/audit/telemetry`	GET	Telemetry transmission log

Automation Cookbook

These recipes show how to use the REST API to automate common administrative tasks. All examples use Python with the requests library.

1. Bulk User Creation from CSV


import csv
import requests

BASE = "http://localhost:8080"
HEADERS = {"X-API-Key": "ik_your_admin_key", "Content-Type": "application/json"}

with open("users.csv") as f:
    for row in csv.DictReader(f):  # columns: username, display_name, password, role
        resp = requests.post(f"{BASE}/api/admin/users", headers=HEADERS, json={
            "username": row["username"],
            "display_name": row["display_name"],
            "password": row["password"],
            "role": row.get("role", "user")
        })
        print(f"{row['username']}: {resp.json().get('status', resp.status_code)}")

CSV format:


username,display_name,password,role
jsmith,Jane Smith,Welcome123!,user
mbrown,Mike Brown,Welcome123!,user
admin2,Senior Admin,SecurePass!,admin

2. Bulk Credential Assignment


import csv
import requests

BASE = "http://localhost:8080"
HEADERS = {"X-API-Key": "ik_your_admin_key", "Content-Type": "application/json"}

with open("credentials.csv") as f:
    for row in csv.DictReader(f):  # columns: username, db_user, db_password, ...
        resp = requests.put(
            f"{BASE}/api/users/{row['username']}/credentials/oracle_ebs",
            headers=HEADERS,
            json={
                "EBS_DB_USER": row["db_user"],
                "EBS_DB_PASSWORD": row["db_password"],
                "EBS_DB_SERVICE": row.get("db_service", "VIS"),
                "username": row.get("ebs_username", row["username"])
            }
        )
        print(f"{row['username']}: {resp.json().get('status', resp.status_code)}")

3. Automated Health Monitoring


import requests
import smtplib
from email.mime.text import MIMEText

BASE = "http://localhost:8080"
HEADERS = {"X-API-Key": "ik_your_admin_key"}

# Check health
health = requests.get(f"{BASE}/api/health")
if health.status_code != 200:
    # Send alert email
    msg = MIMEText(f"Interpretos health check failed: {health.status_code}")
    msg["Subject"] = "ALERT: Interpretos Down"
    msg["From"] = "monitoring@company.com"
    msg["To"] = "admin@company.com"
    with smtplib.SMTP("smtp.company.com") as s:
        s.send_message(msg)

# Test all connections
conns = requests.post(f"{BASE}/api/admin/diagnostics/test-connections", headers=HEADERS)
for result in conns.json().get("results", []):
    if result.get("status") != "ok":
        print(f"FAILED: {result['name']} - {result.get('error', 'unknown')}")

4. Scheduled Daily Report


import requests

BASE = "http://localhost:8080"
HEADERS = {"X-API-Key": "ik_reports_user_key", "Content-Type": "application/json"}

questions = [
    "How many purchase orders were approved this week?",
    "Show me the top 5 vendors by PO spend this month",
    "Are there any overdue work orders?"
]

for q in questions:
    resp = requests.post(f"{BASE}/api/chat", headers=HEADERS, json={"message": q})
    data = resp.json()
    print(f"\nQ: {q}")
    print(f"A: {data.get('response', data.get('message', 'No response'))}")

# Reset conversation for next run
requests.post(f"{BASE}/api/reset", headers=HEADERS)

5. User Offboarding Script


import requests

BASE = "http://localhost:8080"
HEADERS = {"X-API-Key": "ik_your_admin_key"}

username = "departing_user"
resp = requests.delete(f"{BASE}/api/admin/users/{username}", headers=HEADERS)
print(f"Deleted {username}: {resp.json()}")
# This removes the user account, all their credentials, API keys, and chat history

6. Custom Pattern via API


import requests

BASE = "http://localhost:8080"
HEADERS = {"X-API-Key": "ik_your_admin_key", "Content-Type": "application/json"}

# Create a custom pattern for EBS employee lookup
resp = requests.post(f"{BASE}/api/admin/patterns/custom", headers=HEADERS, json={
    "integration": "oracle_ebs",
    "description": "Employee lookup by employee number",
    "query_type": "sql",
    "query": "SELECT employee_number, full_name, email_address FROM per_all_people_f WHERE employee_number = :emp_num AND SYSDATE BETWEEN effective_start_date AND effective_end_date",
    "example_questions": ["Who is employee 12345?", "Show employee details for 67890"],
    "entity_types": ["employee", "person", "hr"],
    "tables": ["PER_ALL_PEOPLE_F"]
})
print(f"Created: {resp.json()['pattern']['pattern_id']}")

# Export all patterns for backup
resp = requests.get(f"{BASE}/api/admin/patterns/custom/export", headers=HEADERS)
with open("patterns_backup.json", "w") as f:
    f.write(resp.text)
print(f"Exported {resp.json()['count']} patterns")

7. Export Query Audit for Compliance


import requests
import json

BASE = "http://localhost:8080"
HEADERS = {"X-API-Key": "ik_your_admin_key"}

# Get query audit log
audit = requests.get(f"{BASE}/api/admin/audit/queries", headers=HEADERS)
entries = audit.json().get("entries", [])

# Write to file for compliance archive
with open(f"query_audit_export.jsonl", "w") as f:
    for entry in entries:
        f.write(json.dumps(entry) + "\n")

print(f"Exported {len(entries)} audit entries")

Security Recommendations

Database Credentials

Always use read-only accounts. The chatbot only needs SELECT access. Create a dedicated read-only user (e.g., APPS_RO for EBS, PS_RO for PeopleSoft)

Check the "read-only acknowledgment" checkbox in the setup wizard as a defense-in-depth reminder

SSH Keys

Use dedicated SSH keys for the Interpretos service account — do not reuse personal keys

Keys must be in PEM format (starts with -----BEGIN RSA PRIVATE KEY-----)

Convert OpenSSH format keys: ssh-keygen -p -m PEM -f your_key

Network Security

Place a reverse proxy (Nginx, Caddy, HAProxy) with TLS in front of the instance for production

Set the CDDI_SECRET_KEY environment variable rather than relying on the auto-generated file

Restrict network access to the Interpretos port (default 8080) to authorized users

Maximo API Keys

Create API keys with minimal permissions — read-only access to object structures

Use a dedicated Maximo service account, not a personal admin account

RBAC Best Practices

Configure per-user credentials for every user who should have restricted access

Users without per-user credentials inherit the admin's global connection (full access)

Test RBAC by logging in as a restricted user and verifying they only see their authorized data

Review the query audit log to verify credential isolation is working

API Key Management

Create dedicated users for each bot/automation with appropriate RBAC restrictions

Name keys descriptively ("Slack Bot - Read Only", "ETL - EBS Only")

Revoke keys immediately when no longer needed

API keys are shown once at creation — store them securely (e.g., in a secrets manager)

Troubleshooting

EBS: "SSH connection failed"

Verify SSH host is reachable: telnet 22

Check key format: must be PEM (-----BEGIN RSA PRIVATE KEY-----)

Verify SSH user has access: ssh -i key.pem user@host

Check Oracle Home path: run echo $ORACLE_HOME on the server

EBS: "ORA-12154: TNS could not resolve connect identifier"

Wrong service name. Check tnsnames.ora on the DB server or ask your DBA

Verify the service name in the DB Service field matches exactly

EBS: "ORA-01017: invalid username/password"

Check DB User and DB Password. Note: Oracle passwords are case-sensitive in 11g+

Verify the account is not locked: SELECT account_status FROM dba_users WHERE username = 'YOUR_USER'

PeopleSoft: "ORA-65024: ALTER SESSION SET CONTAINER not allowed"

The DB user needs the SET CONTAINER privilege: GRANT SET CONTAINER TO your_user

Or connect directly to the PDB instead of the CDB

PeopleSoft: "PDB not found"

Check the PDB name: SELECT name FROM v$pdbs (run as SYSDBA on the CDB)

Common PDB names: HCMVRS, CSUAT, HRPRD, FSPRD

Maximo: "401 Unauthorized"

For MAS 9.x: verify API key is generated in Administration > API Keys

For 7.6: verify username and password are correct

Check that the user has access to the OSLC API

Maximo: "Connection refused" or "timeout"

Verify base URL includes /maximo (not /maximo/api)

Check firewall: telnet 443 (or 80 for HTTP)

Verify Maximo application server is running

LLM: "API key not valid"

Regenerate the key from the provider's console

Check for leading/trailing whitespace in the key field

Verify the key hasn't been rotated or revoked

LLM: "Model not found"

Model names change. Check the provider's current model list

For custom providers: ensure the model name matches what's available on your endpoint

Slow responses

Enable Pattern Selection LLM with a fast model (Settings > Advanced)

If using Gemini 3 Flash for pattern selection, set Extra Parameters to {"thinking_budget": 0} — thinking mode is on by default and adds 20-50s of unnecessary delay

For EBS: switch from SSH mode to Direct DB mode (1-3s vs 11-17s)

Check LLM provider latency: the "Test Connection" button shows response time

Enable debug logging temporarily to see which step is slow

Documentation Links

Terms of Service: /docs/terms

Privacy Policy: /docs/privacy

Security Policy: /docs/security

API Documentation: /api/docs (interactive Swagger UI)

OpenAPI Specification: /api/docs/openapi.yaml

*Interpretos Local is developed by Code Development Limited. For support, visit interpretos.ai.*