Skip to content

CLI reference

Validate

automax validate --job job.yaml --inventory inventory.yaml

Useful options:

--vars PATH
--secrets PATH
--var KEY=VALUE
--tags TAGS
--skip-tags TAGS

Review

automax review --job job.yaml --inventory inventory.yaml --output review.md
automax review --job job.yaml --inventory inventory.yaml --secrets secrets.yaml --format=json

Builds a masked pre-run operator review report from the selected job. The report combines strict validation, selected targets, masked secret status, masked rendered vars, capability requirements, check preview, diff/manual preview coverage, resume points and ready-to-copy operator commands. Review reports that use --secrets are printed to stdout only; --output is accepted only when the review does not load a secrets file.

Approval gates

automax approval create --job job.yaml --inventory inventory.yaml --approved-by change-1234 --output approval.json
automax approval verify --job job.yaml --inventory inventory.yaml --approval approval.json
automax run --job job.yaml --inventory inventory.yaml --approval approval.json

Approval files are secret-free JSON gates for reviewed plans. Create and verify them without --secrets; execution may still pass --secrets because the gate compares the secret-free review digest.

Plan

automax plan --job job.yaml --inventory inventory.yaml

Prints target, checkpoint, plugin and tags without executing the job.

Check-mode preview for the selected job:

automax plan --check --job job.yaml --inventory inventory.yaml

File diff preview for supported file-oriented plugins:

automax plan --diff --job job.yaml --inventory inventory.yaml
automax plan --diff --job job.yaml --inventory inventory.yaml --format=json

Machine-readable output:

automax plan --job job.yaml --inventory inventory.yaml --format=json

Run

automax run --job job.yaml --inventory inventory.yaml --state-dir .automax/runs

For sudo-enabled remote substeps on targets that require a sudo password, pass the controller-side environment variable name instead of configuring passwordless sudo on the target:

export AUTOMAX_SUDO_PASSWORD='...'
automax run --job job.yaml --inventory inventory.yaml --sudo-password-env AUTOMAX_SUDO_PASSWORD

Preview the selected run without creating run state. By default this prints a compact per-task summary; add --verbose to show every per-target substep preview.

automax run --check --job job.yaml --inventory inventory.yaml
automax run --check --verbose --job job.yaml --inventory inventory.yaml

Machine-readable final summary:

automax run --job job.yaml --inventory inventory.yaml --format=json

Restart from an explicit checkpoint in a new run:

automax run --job job.yaml --inventory inventory.yaml --from task.install
automax run --job job.yaml --inventory inventory.yaml --from task.install:step.packages
automax run --job job.yaml --inventory inventory.yaml --from task.install:step.packages:substep.nginx

Capabilities

Inspect job-scoped remote tool requirements and install only the missing dependency packages for the selected job and targets:

automax capabilities requirements --job job.yaml --inventory inventory.yaml
automax capabilities install --job job.yaml --inventory inventory.yaml --sudo-password-env AUTOMAX_SUDO_PASSWORD

capabilities install prints live check/plan/install status plus a compact summary. Successful install command stdout/stderr is suppressed by default; add --verbose when troubleshooting package-manager output. --format=json keeps the full masked stdout/stderr payload for automation.

automax capabilities install --job job.yaml --inventory inventory.yaml --sudo-password-env AUTOMAX_SUDO_PASSWORD --verbose

Resume

automax resume <run-id> --state-dir .automax/runs

Resume modes:

automax resume <run-id> --skip-successful
automax resume <run-id> --only-failed
automax resume <run-id> --from task.deploy:step.restart:substep.service
automax resume <run-id> --skip-successful --sudo-password-env AUTOMAX_SUDO_PASSWORD

Runs

automax runs list --state-dir .automax/runs
automax runs show <run-id> --state-dir .automax/runs
automax runs show <run-id> --failed
automax runs show <run-id> --server web01
automax runs show <run-id> --json
automax runs export <run-id> --state-dir .automax/runs --output evidence.md
automax runs export <run-id> --state-dir .automax/runs --format json --output evidence.json
automax runs bundle <run-id> --state-dir .automax/runs --output automax-evidence.zip

OS information

Detect operating-system release facts for inventory targets before capability planning or dependency installation:

automax os info --inventory inventory.yaml
automax os info --inventory inventory.yaml --limit web --format=json

The output includes ID, ID_LIKE, pretty release name, version, codename, normalized family (debian, rhel or unknown) and package manager.

Inventory inspection

Show the inventory targets selected by a specific job:

automax inventory show --job job.yaml --inventory inventory.yaml
automax inventory show --job job.yaml --inventory inventory.yaml --limit web
automax inventory show --job job.yaml --inventory inventory.yaml --format=json

Vars render

Render the final target-specific variable context for the selected job while masking all secret values:

automax vars render --job job.yaml --inventory inventory.yaml --vars vars.yaml --secrets secrets.yaml
automax vars render --job job.yaml --inventory inventory.yaml --limit web01
automax vars render --job job.yaml --inventory inventory.yaml --format=json

Secrets check

Check secret providers referenced by the selected job without printing values:

automax secrets check --job job.yaml --inventory inventory.yaml --secrets secrets.yaml
automax secrets check --job job.yaml --inventory inventory.yaml --secrets secrets.yaml --all
automax secrets check --job job.yaml --inventory inventory.yaml --secrets secrets.yaml --format=json

Plugins

Inspect builtin and external plugins:

automax plugins list
automax plugins describe fs.file.template
automax plugins coverage --strict
automax plugins audit

Create, validate and package an external plugin source file:

automax plugins init company.echo --output ./plugins
automax plugins check ./plugins
automax plugins check ./plugins --format=json
automax plugins package ./plugins --output dist/company-plugins.zip
automax plugins package ./plugins --output dist/company-plugins.zip --automax-requires '>=1.0.0'
automax plugins verify-package dist/company-plugins.zip
automax plugins index dist/company-plugins.zip --output dist/automax-plugins-index.json
automax plugins verify-package dist/company-plugins.zip --format=json
automax plugins install dist/company-plugins.zip --dest .automax/plugins
automax plugins installed --dest .automax/plugins
automax plugins installed --dest .automax/plugins --format=json
automax plugins update dist/company-plugins.zip --dest .automax/plugins
automax plugins uninstall company-plugins.zip --dest .automax/plugins
automax plugins describe company.echo --plugin-path ./plugins
automax plugins describe company.echo --plugin-path dist/company-plugins.zip
automax plugins describe company.echo --plugin-path .automax/plugins

plugins check loads only the external plugin path and validates the public metadata contract: canonical name, description, category, parameter schemas, examples and result fields. plugins package runs the same check before writing a ZIP archive with the plugin sources, automax-plugin.json, Automax compatibility metadata and per-file SHA-256 checksums. plugins verify-package checks the manifest, canonical plugin names, file list, sizes and checksums. plugins index verifies one or more package ZIPs and writes a deterministic automax-external-plugin-index-v1 JSON file for repository publishing or change records. Verified package ZIPs can be used directly with --plugin-path without an unpack step; Automax validates manifest entries and checksums before loading the packaged Python plugin sources. plugins install copies a verified ZIP into a local plugin directory, records its checksum in automax-plugins.lock.json, plugins update replaces an installed package only after verification, and plugins uninstall removes both the ZIP and its lock entry. Normal --plugin-path .automax/plugins commands load installed packages from that directory and reject lock mismatches, missing locked packages and unmanaged ZIPs when a plugin lock is present.

Manual commands

Render copy/pasteable commands for selected substeps when a failed operation must be reproduced manually before restarting from a checkpoint:

automax commands render --job job.yaml --inventory inventory.yaml
automax commands render --job job.yaml --inventory inventory.yaml --limit web01 --tags install
automax commands render --job job.yaml --inventory inventory.yaml --format=json
# unavailable plugins are listed with an explicit reason instead of omitted

Text output marks each node with sudo=yes/no and prints a sudo note when rendered manual commands contain sudo -n. JSON output includes top-level uses_sudo/sudo_note fields and per-node uses_sudo flags for operator tooling.

SSH known_hosts scan

Scan SSH host keys for direct hosts or inventory-selected targets. The command prints fingerprints so operators can verify them over a trusted channel before using the generated known_hosts file:

automax ssh known-hosts scan --host web01.example.com
automax ssh known-hosts scan --inventory inventory/prod.yaml --limit web
automax ssh known-hosts scan --inventory inventory/prod.yaml --limit web --output ~/.ssh/automax_known_hosts
automax ssh known-hosts scan --host web01.example.com --format=json

Artifacts

automax artifacts list <run-id> --state-dir .automax/runs
automax artifacts path <run-id> --state-dir .automax/runs

Plugins

automax plugins list
automax plugins describe fs.file.template
automax plugins describe fs.file.template --json
automax plugins coverage
automax plugins coverage --format=markdown --output plugin-coverage.md
automax plugins coverage --strict
automax plugins audit

Schema export

automax schema export --kind job --format=json --output automax-job.schema.json
automax schema export --kind inventory --format=json

Documentation helpers

automax docs generate-plugins --output docs/plugins/generated.md

Explain

Inspect a resolved job without creating run state:

automax explain --job jobs/deploy.yaml --inventory inventory/prod.yaml
automax explain --job jobs/deploy.yaml --inventory inventory/prod.yaml --format=json

Graph

Render a resolved job graph:

automax graph --job jobs/deploy.yaml --inventory inventory/prod.yaml --format=mermaid
automax graph --job jobs/deploy.yaml --inventory inventory/prod.yaml --format=svg --output /tmp/job.svg
automax graph --job jobs/deploy.yaml --inventory inventory/prod.yaml --format=png --output /tmp/job.png

Runbook export

Export a Markdown runbook from a resolved job:

automax runbook export --job jobs/deploy.yaml --inventory inventory/prod.yaml --output /tmp/runbook.md

Run locking

Protect job and target concurrency with file-based locks:

automax run --job jobs/deploy.yaml --inventory inventory/prod.yaml --lock
automax resume <run-id> --lock --skip-successful

Retry policies

Retry policies are declared in job YAML, not as CLI flags. They can be inherited from job, task or step level and overridden on a substep:

retry:
  attempts: 3
  delay: 2
  backoff: exponential
  max_delay: 10

Text output prints [RETRY] lines for visible retry attempts before the final node result.