安装方式
命令行安装
在项目根目录执行以下命令,完成 Skill 安装。
npx bzskills add sickn33/antigravity-awesome-skills --skill sshepherd Zero-knowledge SSH ops CLI — server health checks, docker/systemd control, log tailing, Postgres introspection, and declarative deploys, without ever exposing credentials to the agent.
0
下载量
命令行安装
在项目根目录执行以下命令,完成 Skill 安装。
npx bzskills add sickn33/antigravity-awesome-skills --skill sshepherd name: sshepherd
description: Zero-knowledge SSH ops CLI — server health checks, docker/systemd control, log tailing, Postgres introspection, and declarative deploys, without ever exposing credentials to the agent.
category: devops
risk: critical
source: community
source_repo: Antheurus/sshepherd
source_type: community
date_added: "2026-07-15"
author: Antheurus
tags: [ssh, devops, cli, server-ops, postgres, deploy, zero-knowledge]
tools: [claude, cursor, gemini, codex]
license: "MIT"
license_source: "https://github.com/Antheurus/sshepherd/blob/main/LICENSE"sshepherd is a compiled Bun/TypeScript CLI that lets an agent operate a real remote server over SSH — health checks, docker/systemd service control, log tailing, config file edits, read-only Postgres introspection, and declarative deploys — without ever seeing a password, private key, hostname, username, or port. Every operation shells out to the system ssh binary through a single transport path and returns the same typed Envelope<T> (ok, alias, data, error), never a raw terminal dump. The agent passes only a *name* — an ssh alias, a Postgres target, or a deploy recipe — that resolves entirely outside the process.
Every connection detail is declared ahead of time and never appears on the command line: ssh aliases in ~/.ssh/config, Postgres targets in ~/.config/sshepherd/targets.toml, deploy recipes in recipe TOML files. OpenSSH resolves the real HostName/User/Port/IdentityFile internally.
sshepherd <group> <action> [positionals...] [--flag value]
Nine command groups — hosts, check, logs, services, deploy, config, db, files, security — 52 ops total. Output is JSON to stdout by default; add --pretty for a human-readable table/key-value view. The response only ever echoes back the alias it was given — there is no host/user/port/ip field anywhere in the response type, structurally.
./dist/sshepherd --help # list groups
./dist/sshepherd check --help # list actions + flags for one group
./dist/sshepherd check overview lms-server
Returns a JSON envelope with disk, memory, CPU, listening ports, and OOM history for the host behind the lms-server alias — the agent never learns the host's address.
./dist/sshepherd services restart lms-server --name api
./dist/sshepherd logs tail lms-server --name api --lines 100
./dist/sshepherd db tables prod
prod is a pg-target name that resolves to *how* to reach psql on a host — never a database password. psql runs inside the target container, authenticated by peer/trust/.pgpass already on the remote.
~/.ssh/config / targets.toml / recipe TOML — never inline connection details.--pretty for human review and default JSON output for machine parsing.ssh2 npm library or hand-rolled SSH; the whole point is delegating to the trusted system ssh binary.--yes confirm flag.setup ssh-alias install action opens a one-shot local browser form that only a human can type a password into — the agent can trigger and wait on it but never sees, logs, or relays the password.Solution: Register the target first (setup ssh-alias register / setup db-target), then reference it only by name.
Solution: Add the --yes confirm flag — mutations are gated by design.
@devops-automation - When you need broader CI/CD or infrastructure-as-code automation beyond SSH ops.