One-click verification. Verify the entire chain's integrity from the audit viewer at any time.
Fleet automation
Scope precisely. Target a project, a host group, or an ad-hoc selection. The run only touches what you choose.
Engine-ready. Ansible today, with Terraform, OpenTofu, and SaltStack on the same launch flow.
Built for scale. Structured per-host results stay readable whether you run on 3 hosts or 3,000.
Template library
Vetted and categorized. Every built-in template is validated; browse by engine and category.
Check vs. change gating. Read-only checks for all; state-changing templates restricted to admins.
Custom templates. Create your own and deploy them to agents with safe upsert semantics.
Validated editors
Live YAML linting. Syntax errors surface as you type, with a clear validity indicator.
Validate on agent. Run a real --syntax-check on the control node, not just client-side guesses.
Role-gated. Editing is restricted to infrastructure admins and above.
Cloud onboarding
Multi-cloud. AWS, Azure, GCP, Proxmox, VMware, Nutanix, and Virtualizor from one wizard.
Agent-side discovery. Credentials stay in the vault; discovery runs through the agent, not the browser.
Import as hosts. Turn a discovered instance into a managed host in a couple of clicks.
Host inventory discovery
Reads the real config. OS, version, primary address, and the actual listening SSH port are read from the host, not guessed.
Provenance on every field. Each value is marked discovered or manual; a re-sync re-asserts the truth and heals stale edits.
Fills gaps without overwriting. Manual entries cover what discovery cannot reach, and an explicit, audited override exists for emergencies.
Access & secrets
Least privilege. Viewer, operator, infra admin, org admin — assignable per project.
Per-host secrets. Scope credentials to a tenant, project, or a single host; host secrets are admin-reveal only.
SSH key vault. Store and inspect SSH keys with fingerprint and passphrase detection, never exposed in plain text.
Just-in-time injection. Runs fetch the right secret per host on demand at execution time — never bundled into job payloads, never written to disk, and shredded the moment the run finishes.
Reporting & insight
Run health at a glance. Success rate, failures, and activity trends over your chosen window.
Activity breakdowns. See what's happening by action type and which projects are busiest.
Real data. Every figure is computed from your own tenant's runs and audit activity.
Security audit
Scored findings. Pass / warn / fail checks weighted by severity into a clear score and grade.
Actionable remediation. Every finding comes with a specific fix, not just a flag.
Host checks. Run safe, read-only security checks against your hosts through the agent.
Remote agent
Firewall-friendly. The agent dials out. Nothing needs to be exposed to the internet.
Sandboxed execution. Runs are confined to an approved playbook directory on the agent host.
Self-updating. Agents update from a source you pin, with host allow-listing and version gating.
Technical specifications
Automation engines: Ansible, Terraform, OpenTofu, SaltStack
Scale: Thousands of hosts per project; structured results at any size
Agent connectivity: Outbound polling over HTTPS — no inbound ports or VPN
Agent platform: Runs on your Ansible control node; Python 3.6+
Terminal access: Recorded SSH sessions via the agent, with host-key verification