Menu
Server intelligence layer for RunCloud-managed Linux servers. Use when the user mentions Perch, /perch_*, RunCloud, nginx-rc, server intelligence, server diagnosis, WordPress site auditing, plugin vulnerability scanning, or any time they want to investigate, monitor, or heal a server they own.
| name | perch |
| description | Server intelligence layer for RunCloud-managed Linux servers. Use when the user mentions Perch, /perch_*, RunCloud, nginx-rc, server intelligence, server diagnosis, WordPress site auditing, plugin vulnerability scanning, or any time they want to investigate, monitor, or heal a server they own. |
| when_to_use | User says "perch", "/perch_X", "runcloud", "nginx-rc", "audit my site", "site is white-screening", "what's wrong with the server", or any server-debugging request on a host they manage. |
| when_not_to_use | Tasks that target servers Perch is not connected to. Pure local development. Anything that requires modifying public/shared infrastructure without explicit confirmation. |
Perch is a self-hosted intelligence layer that watches, diagnoses, and (within strict bounds) heals Linux servers managed by RunCloud — or any plain Ubuntu/Debian/AlmaLinux box. It runs as an MCP server, an HTTP API, and a Telegram bot. The brain (SQLite) accumulates per-server, per-webapp knowledge over time.
This skill teaches Claude how to use Perch correctly and safely.
~/.perch/brain.db (SQLite, on the user's server) and ~/.perch/vault.json (AES-256-GCM encrypted credentials). Nothing leaves the box unless the user explicitly configures a webhook.You (Claude Code / Telegram / Slack / HTTP)
↓
PERCH CORE
├── brain.ts SQLite KB (servers, webapps, problems, plugins, knowledge, actions_log)
├── gateway.ts Friendly alert formatter (multi-channel)
├── ssh-enhanced.ts SSH with TOFU host verification + WP-CLI helper
├── vault.ts AES-256-GCM credential vault
└── redact.ts Centralized privacy redactor (16 patterns)
↓
MODULES
├── wordpress/ db, plugins, security, backup, images, perf, errors
├── api/server.ts HTTP wrapper for external integration
└── monitor.sh 14-rule cron automation engine
list_servers, get_server, get_server_stats, get_server_healthcontrol_service, clean_server_disk, get_server_logsupdate_ssh_settings, update_server_autoupdatesrc/index.tsssh_run_command — arbitrary SSH (validate inputs)ssh_server_status, ssh_smart_fix, ssh_restart_servicessh_kill_orphans, ssh_disk_cleanup, ssh_check_portsssh_wp_cli, ssh_artisan, ssh_tail_logperch_wp_db_audit — autoload, transients, orphans, fragmentationperch_wp_db_clean — drop expired transients/sessions (idempotent)perch_wp_plugins — list + Wordfence Intelligence vulnerability scanperch_wp_plugin_update, perch_wp_plugin_deactivate (logs to undo)perch_wp_security — 12-check hardening auditperch_wp_backup — backup healthperch_wp_images_scan, perch_wp_images_optimizeperch_wp_perf — performance snapshotperch_wp_errors — diagnose PHP fatals + white screensperch_vault_put, perch_vault_get, perch_vault_list, perch_vault_deleteperch_brain — KB summaryperch_webapp_history — per-webapp problem historyperch_brain_search — FTS5 search across all problemsperch_actions_log — recent destructive actionsperch_undo — reverse the last destructive actionperch_multi_server_dashboard — one-shot all-server statusperch_self_update — pull latest, rebuild, restart| Wrong | Right (RunCloud) |
|---|---|
nginx | nginx-rc |
nginx.service | nginx-rc.service |
/etc/nginx/ | /etc/nginx-rc/ |
php8.x-fpm | php8x-fpm-rc |
/etc/nginx/conf.d/ (overwritten) | /etc/nginx-rc/extra.d/ (custom-safe) |
/var/log/nginx/error.log | /var/log/nginx-rc/error.log |
/var/www/ | /home/{appuser}/webapps/{appname}/ |
www-data | each webapp's own system user |
Never edit /etc/nginx-rc/conf.d/ — RunCloud regenerates these and your changes vanish. Use /etc/nginx-rc/extra.d/ for custom blocks.
PHP-FPM logs: /home/{user}/logs/php_error.log per webapp.
nginx-rc, php*-fpm-rc, MySQL/MariaDB/tmp PHP sessions older than 24hperch_wp_plugin_deactivate)rm outside /tmpPERCH_MASTER_KEY (env var) is the only thing protecting the credential vault. Rules:
~/.perch/.env mode 0600, sourced by systemd EnvironmentFile).~/.perch/.env.npm run vault rotate -- --old-key=....perch_wp_errors with domain → returns root cause + suggested fixfixableByPerch: true and user confirms → perch_wp_plugin_deactivateperch_wp_errors again to verify the fatal clearedlist_servers → for each server, list_webappsperch_wp_db_audit, perch_wp_security, perch_wp_pluginsperch_vault_get with runcloud:apikey (current value, redact in summary)perch_vault_put with the new valueping tool (returns pong if auth works)perch_self_update with dryRun: true first (returns commit count + changelog)perch_self_update (real) if confirmedperch_brain_search with query "disk full"PERCH_MASTER_KEY, vault values, or wp-config DB_PASSWORD into chat output/etc/nginx-rc/conf.d/ filesperch_wp_plugin_deactivate without explicit user confirmation*delete* tool without dry-run firstnginx -t config validityperch_brain_search summariesAuto-load when the user mentions any of:
The repo at https://github.com/adityaarsharma/perch is canonical. When this skill conflicts with the repo, the repo wins. Specifically read:
README.md — vision + comparison + connectorsdocs/install.md — install pathsdocs/automation.md — 14 cron rules + thresholdsdocs/safety.md — auto/confirm/never policy (verbatim authority)docs/master-key.md — encryption key lifecycledocs/runcloud.md — RunCloud-specific operational referencesrc/index.ts — authoritative tool list (tools array)# Drop this skill where Claude Code looks for skills
mkdir -p ~/.claude/skills/perch
cp /path/to/perch/skills/perch/SKILL.md ~/.claude/skills/perch/SKILL.md
# Restart Claude Code
Skill version 1.0 — generated April 2026 from the live Perch codebase.