// Plan/apply/verify cloud environment config and secret references using env contract + policy/inventory routing; detect drift, rotate secrets, and decommission environments with approval gates. Use for staging/prod deployments and maintenance.
Entry workflow for LLM engineering tasks (provider integration, calling wrapper, routing profiles, prompt templates, cost/telemetry, credentials/config keys). Routes to one procedure and enforces required verification.
Enable and operate the CI feature (GitHub Actions / GitLab CI) with repeatable templates, artifact conventions, and opt-in delivery enablement.
Bootstrap, diagnose (doctor), and reconcile local dev environment from env contract/values/secret refs; generate .env.local and redacted docs/context/env/effective-*. Use when local env is broken or needs syncing.
One-command UI governance gate that enforces the data-ui contract + semantic-token Tailwind policy and (optionally) orchestrates ESLint/Stylelint/Playwright under the same evidence run directory.
| name | env-cloudctl |
| description | Plan/apply/verify cloud environment config and secret references using env contract + policy/inventory routing; detect drift, rotate secrets, and decommission environments with approval gates. Use for staging/prod deployments and maintenance. |
Manage cloud environment configuration under the repo-env-contract SSOT model, with a strict plan โ approval โ apply โ verify workflow.
The env-cloudctl skill:
env/contract.yamlenv/values/<env>.yamlenv/secrets/<env>.ref.yaml (refs only)docs/project/policy.yaml (policy.env.cloud.targets, preferred)env/inventory/<env>.yaml (fallback routing)repo-env-contract.
docs/project/env-ssot.jsondocs/project/policy.yaml with policy.env.cloud.targetsenv/inventory/<env>.yamlIf neither is true, STOP.
If docs/project/policy.yaml sets policy.env.cloud.require_target: true, a matching
policy.env.cloud.targets entry is mandatory and inventory fallback is disabled.
If docs/project/env-ssot.json or env/contract.yaml does not exist (first-time setup), run:
python3 -B -S .ai/skills/features/environment/env-contractctl/scripts/env_contractctl.py init --root .
Then customize the contract and inventory before using cloud operations.
Use when the user asks to:
Avoid when:
env-contractctl)env-localctl)apply --approve --approve-remote (only when injection.transport=ssh)verify --remote --approve-remote (remote hash checks)env/contract.yamlenv/values/<env>.yamlenv/secrets/<env>.ref.yamldocs/project/policy.yaml (policy.env.cloud.targets, preferred)env/inventory/<env>.yaml
--runtime-target / --workload to select policy targets (runtime_target: local | ecs; remote is an alias for ecs)envfile (or legacy ecs-envfile), inventory must include injection.env_file (see references)aliyun-eci-container-group, inventory or policy target must include container_group.template and container_group.rendered_outputinjection.transport: ssh and injection.ssh (hosts + auth)
ssh.hosts) or IaC outputs (ssh.hosts_file)Choose one evidence location (no secrets):
dev-docs/active/<task-slug>/artifacts/env-cloud/.ai/.tmp/env-cloud/<run-id>/Evidence files (templates available in ./templates/):
00-target-and-scope.md01-drift-report.md02-apply-plan.md03-execution-log.md04-post-verify.md05-context-refresh.mddocs/context/env/effective-cloud-<env>-<workload>.json (redacted)staging / prod / other.python3 -B -S .ai/skills/features/environment/env-cloudctl/scripts/env_cloudctl.py plan --root . --env <env> --out <EVIDENCE_DIR>/02-apply-plan.md
00-target-and-scope.md and summarize high-risk operations.If the inventory provider is envfile (or legacy ecs-envfile), generate the env-file
first with env-localctl, then plan/apply with env-cloudctl:
python3 -B -S .ai/skills/features/environment/env-localctl/scripts/env_localctl.py compile \
--root . \
--env staging \
--runtime-target ecs \
--workload api \
--env-file ops/deploy/env-files/staging.env \
--no-context
python3 -B -S .ai/skills/features/environment/env-cloudctl/scripts/env_cloudctl.py plan \
--root . \
--env staging \
--runtime-target ecs \
--workload api
Apply (transport: local):
python3 -B -S .ai/skills/features/environment/env-cloudctl/scripts/env_cloudctl.py apply \
--root . \
--env staging \
--runtime-target ecs \
--workload api \
--approve
Apply (transport: ssh):
python3 -B -S .ai/skills/features/environment/env-cloudctl/scripts/env_cloudctl.py apply \
--root . \
--env staging \
--runtime-target ecs \
--workload api \
--approve \
--approve-remote
Optional remote verification (only for transport: ssh):
python3 -B -S .ai/skills/features/environment/env-cloudctl/scripts/env_cloudctl.py verify \
--root . \
--env staging \
--runtime-target ecs \
--workload api \
--remote \
--approve-remote
--approve):python3 -B -S .ai/skills/features/environment/env-cloudctl/scripts/env_cloudctl.py apply --root . --env <env> --approve --out <EVIDENCE_DIR>/03-execution-log.md
python3 -B -S .ai/skills/features/environment/env-cloudctl/scripts/env_cloudctl.py verify --root . --env <env> --out <EVIDENCE_DIR>/04-post-verify.md
python3 -B -S .ai/skills/features/environment/env-cloudctl/scripts/env_cloudctl.py drift --root . --env <env> --out <EVIDENCE_DIR>/01-drift-report.md
--approve):python3 -B -S .ai/skills/features/environment/env-cloudctl/scripts/env_cloudctl.py rotate --root . --env <env> --secret <secret_ref_name> --approve --out <EVIDENCE_DIR>/03-execution-log.md
--approve):python3 -B -S .ai/skills/features/environment/env-cloudctl/scripts/env_cloudctl.py decommission --root . --env <env> --approve --out <EVIDENCE_DIR>/03-execution-log.md
repo-env-contractnode .ai/tests/run.mjs --suite environmentenv/contract.yaml as part of the env-cloudctl workflow.