Runbook Guard

Safety layer for operational automation runbooks
29 nodes

/projects/runbookguard

Runbook Guard

07

An open-source safety layer that turns a runbook request into a controlled workflow — read-only evidence, a typed plan, policy and approval gates, dry-run-by-default execution, postcondition checks, and a hashed audit bundle.

Project context05

Problem

Operational automation can be dangerous when runbooks jump straight from request to execution. Production teams need evidence, risk checks, approvals, dry runs, postconditions, and audit bundles.

Solution

Runbook Guard turns each runbook request into a controlled workflow: evidence collection, typed planning, policy gates, approval checks, dry-run write adapters, postcondition verification, and hashed audit output.

Challenges

The workflow must make operational safety practical: operators need CLI and API access, policies need typed contracts, and write actions must be testable before execution.

Innovation

The project frames runbook automation as a safety layer, not a convenience wrapper. Every potentially risky step is represented as data that can be approved, replayed, or audited.

Domain expertise

This demonstrates Stefan's operational governance expertise across FastAPI, Typer CLIs, Pydantic contracts, dry-run adapters, approval systems, and incident-safe automation design.

Case study evidence11

Outcomes

  • Turns operational automation into a controlled lifecycle with evidence, policy, approval, dry-run, verification, and audit records.
  • Gives teams a safer route to automate high-risk runbooks without hiding the risk from operators.
  • Creates a reusable governance pattern for platform actions that need proof before execution.

Architecture decisions

  • FastAPI and Typer expose the same lifecycle through HTTP and CLI operator surfaces.
  • Pydantic contracts make requests, plans, approvals, receipts, and audits explicit.
  • Dry-run adapters and postcondition checks separate intended action from verified outcome.

Domain expertise signals

Runbook automationSRE governanceDry-run safetyApproval gatesAudit bundles
Technical deep dive09

Runbook Guard is production automation with a safety lifecycle. It shows how to let agents assist operations without jumping straight from natural language to irreversible writes.

Lifecycle discipline

The runbook path moves through evidence collection, typed planning, policy gates, approval, dry-run execution, postcondition checks, and audit output. Each state has a purpose.

Policy surface

Risk thresholds, allowlists, denylists, and budgets are deterministic controls. They keep safety out of the prompt and inside contracts that operators can inspect.

Dry-run design

Write adapters default to dry-run receipts so operators can see intended effects before mutations happen. This is essential for infrastructure and incident workflows.

Audit packaging

A hashed audit bundle records request, evidence, plan, approval, receipts, and verification. That makes runbook execution explainable after the incident window closes.

What this proves

  • FastAPI and Typer expose the same control plane
  • Pydantic contracts shape every lifecycle object
  • Approval gates for higher-risk plans
  • Postcondition verification before success
7lifecycle stages
2adapter seams
dry-runby default
100%audited runs
3example workflows
hash · sign · chain
Technology stack07
Python

Python

Keeps the control plane approachable for SRE and platform automation scripts.

FastAPI

FastAPI

Provides typed HTTP endpoints for plan, status, execute, health, and readiness.

Typ

Typer

Gives operators a CLI that mirrors the API without duplicating command parsing.

Pyd

Pydantic

Makes runbook requests, plans, receipts, approvals, and audit bundles explicit contracts.

SQL

SQLite

Stores workflow state locally with almost no operational overhead.

Dk

Docker

Packages the guardrail service for repeatable local and deployment checks.

uv

uv

Keeps Python dependency resolution and command startup fast for operator workflows.

Tools implemented09

FastAPI control plane

Accepts plan, execute, status, health, and readiness calls.

Typer CLI

Runs validate, plan, execute, audit-list, and audit-show from the terminal.

Pydantic contracts

Rejects malformed requests before they enter the state machine.

Evidence collection

Pulls read-only evidence before any write action can be planned.

Risk checks

Applies allowlists, denylists, risk thresholds, and budget limits.

Approval gate

Holds higher-risk plans until a named human approves them.

Dry-run write adapters

Keep mutations behind a separate seam and emit receipts by default.

Postcondition verifiers

Confirm the intended outcome before the run is marked verified.

Hashed audit bundle

Seals request, evidence, plan, approvals, receipts, and verification into a reviewable record.

Stefan Creadore · @Eldergenixproduction agent systems mapped end to end