Declare
Describe services, ports, domains, volumes, and backup policy in YAML.
operational safety / evidence first
opsctl brings registry, backup, recovery, approval, and audit into one verifiable workflow. It is read-only by default, rejects vague authority, and leaves high-risk actions to explicit human decisions.
01 / PRINCIPLE
Every command is designed around one question: before production changes, can we prove the target, blast radius, recovery path, and authority boundary?
02 / WORKFLOW
Describe services, ports, domains, volumes, and backup policy in YAML.
Observe reality, explain drift, and produce non-executing plans and risk decisions.
Create snapshots, verify backups, restore in isolation, and sign the evidence chain.
Only specific, unexpired human approval can advance controlled execution.
03 / SURFACE
Turn server intent into a reviewable, validated source of truth.
Block port conflicts, volume risk, and missing backup evidence.
Restore in isolation and verify files, hashes, and database signatures.
Ed25519 signatures, audit checkpoints, and restorable archives.
Global serialization, bounded waiting, and deterministic spreading.
Read-only tools for AI and an operator-focused terminal view.
04 / BOUNDARY
opsctl does not auto-approve and does not delete Docker volumes. Planning, evidence, and human execution are deliberately separate boundaries.
05 / BEGIN
Validate the registry and runtime before entering backup and recovery workflows.