AI agent native DevOps bash script orchestrator.
ShellFlow is a minimal shell script orchestrator for mixed local and remote execution. You write one shell script, mark execution boundaries with comments, and ShellFlow runs each block in order while resolving remote targets from your SSH configuration.
- Split a shell script into
@LOCALand@REMOTEexecution blocks. - Run each block fail-fast, in order.
- Reuse the shared prelude before the first marker for every block.
- Pass the previous block output forward as
SHELLFLOW_LAST_OUTPUT. - Export named scalar values from a block into later block environments.
- Emit either a final JSON report or streaming JSON Lines events for agents.
- Support bounded
@TIMEOUTand@RETRYdirectives without embedding workflow logic. - Provide non-interactive, dry-run, and audit-log modes for automated execution.
- Resolve remote targets from
~/.ssh/configor a custom SSH config path.
uv tool install shellflow
shellflow run playbooks/hello.shuv tool install shellflow
shellflow --versionnpx skills add longcipher/shellflowThis installs the agent skill from this repository for writing and reviewing Shellflow playbooks.
To upgrade to the latest version:
uv tool upgrade shellflowgit clone https://github.com/longcipher/shellflow.git
cd shellflow
uv sync --all-groups # uv sync --refresh --reinstall --no-cacheuv tool install --force .
shellflow --versionuv pip install -e .
shellflow --versionShellflow recognizes two markers:
# @LOCAL# @REMOTE <ssh-host>
Shellflow also recognizes bounded block directives at the top of a block body:
# @TIMEOUT <seconds># @RETRY <count># @EXPORT NAME=stdout|stderr|output|exit_code
<ssh-host> must match a Host entry in your SSH config. Shellflow then connects using that SSH host definition, which means the actual machine can be resolved through the configured HostName, User, Port, and IdentityFile values.
Example:
#!/bin/bash
set -euo pipefail
# @LOCAL
# @EXPORT VERSION=stdout
echo "runs locally"
# @REMOTE sui
uname -a
# @LOCAL
echo "remote output: $SHELLFLOW_LAST_OUTPUT"
echo "version = $VERSION"Example ~/.ssh/config entry:
Host sui
HostName 192.168.1.100
User deploy
Port 22
IdentityFile ~/.ssh/id_ed25519With that config, this block is valid:
# @REMOTE sui
hostnameThis is intentional:
- Shellflow accepts configured SSH host names, not arbitrary free-form targets.
- Unknown remote targets fail early with a clear error before spawning
ssh. - You can override the default config path with
--ssh-config.
Each block runs in a fresh shell.
- Shell options from the prelude are copied into every block.
- Shell state like
cd, shell variables, aliases, andexportcommands does not persist across blocks. - Explicit context values are passed forward through environment variables.
Example:
# @LOCAL
echo "build-123"
# @LOCAL
echo "last output = $SHELLFLOW_LAST_OUTPUT"Named exports are additive to SHELLFLOW_LAST_OUTPUT:
# @LOCAL
# @EXPORT VERSION=stdout
echo "2026.03.15"
# @REMOTE sui
echo "deploying $VERSION"
echo "last output = $SHELLFLOW_LAST_OUTPUT"Lines before the first marker are treated as a shared prelude and prepended to every executable block:
#!/bin/bash
set -euo pipefail
# @LOCAL
echo "prelude is active"
# @REMOTE sui
echo "prelude is also active here"Shellflow is designed to be the execution substrate for an outer agent, not an embedded planner.
- Use
--jsonwhen you want one final machine-readable run report. - Use
--jsonlwhen you want ordered event records while the script runs. - Use
--no-inputfor CI or agent runs where interactive prompts must fail deterministically. - Use
--dry-runto preview planned execution without running commands. - Use
--audit-log <path>to mirror the structured event stream into a redacted JSONL file.
Recommended agent flow:
- Generate or select a plain shell script with
@LOCALand@REMOTEmarkers. - Add bounded directives only where needed:
@TIMEOUT,@RETRY, and@EXPORT. - Run with
--jsonor--jsonl. - Let the outer agent decide whether to retry, branch, or stop based on Shellflow's structured result.
Shellflow intentionally does not provide:
- Conditional directives such as
@IF stdout_contains=... - A workflow DSL or embedded ReAct loop
- Heuristic destructive-command detection
Those decisions belong in the outer agent or automation layer.
shellflow run <script>
shellflow run <script> --verbose
shellflow run <script> --json
shellflow run <script> --jsonl
shellflow run <script> --no-input
shellflow run <script> --dry-run
shellflow run <script> --audit-log ./audit.jsonl --jsonl
shellflow run <script> --ssh-config ./ssh_config
shellflow --version
Examples:
shellflow run playbooks/hello.sh
shellflow run playbooks/hello.sh -v
shellflow run playbooks/hello.sh --json
shellflow run playbooks/hello.sh --jsonl --no-input
shellflow run playbooks/hello.sh --dry-run --jsonl
shellflow run playbooks/hello.sh --audit-log ./audit.jsonl --jsonl
shellflow run playbooks/hello.sh --ssh-config ~/.ssh/config.workUseful commands:
just sync
just test
just bdd
just test-all
just typecheck
just build
just publishDirect verification commands:
uv run pytest -q
uv run behave features
uv run ruff check .
uv run ty check src tests
uv buildShellflow supports both local publishing and GitHub Actions release publishing.
just publishuv publish uses standard uv authentication mechanisms such as UV_PUBLISH_TOKEN, or PyPI trusted publishing when supported by the environment.
The repository includes:
.github/workflows/ci.ymlfor lint, type-check, test, and build verification..github/workflows/release.ymlfor publishing to PyPI when a tag likev0.1.0is pushed.
Recommended release flow:
git tag v0.1.0
git push origin v0.1.0To use trusted publishing with PyPI:
- Create a
pypienvironment in GitHub repository settings. - Add this repository as a trusted publisher in the PyPI project settings.
- Push a
v*tag.
The release workflow then runs verification, builds distributions with uv build, and uploads them with uv publish.
shellflow/
├── src/shellflow.py
├── tests/
├── features/
├── playbooks/
├── pyproject.toml
├── Justfile
└── README.md
Apache-2.0