rauto - Network Device Automation CLI
rauto is a powerful CLI tool for network device automation, written in Rust. It leverages the rneter library for intelligent SSH connection management and utilizes minijinja for flexible command templating.
Features
- Double Template System: Command Templates (Jinja2) & Device Profiles (TOML).
- Intelligent Connection Handling: Uses
rneterfor SSH state management. - Dry Run Support: Preview commands before execution.
- Variable Injection: Load variables from JSON.
- Extensible: Custom TOML device profiles.
- Built-in Web Console: Start browser UI with
rauto web. - Embedded Web Assets: Frontend files are embedded into the binary for release usage.
- Saved Connection Profiles: Reuse named connection settings across commands.
- Session Recording & Replay: Record SSH sessions to JSONL and replay offline.
- Data Backup & Restore: Backup full
~/.rautoruntime data and restore when needed. - Multi-device Orchestration (Web + CLI): Run staged serial/parallel plans across multiple devices, reusing saved connections and current
tx/tx-workflowcapabilities. - Command Blacklist: Block dangerous commands globally before they are sent, with
*wildcard support.
Installation
From Binary (Recommended)
Download the latest release for your platform from GitHub Releases.
From Crates.io
From Source
Ensure you have Rust and Cargo installed.
The binary will be available at target/release/rauto.
Codex Skill (Optional)
This repo includes a Codex skill for rauto usage under skills/rauto-usage/.
Recommended usage:
- If you are operating
rautothrough Codex or Claude Code, using the skill is the cleanest path. - The skill is action-first: it prefers running read-only
rautocommands directly, and for config changes it preferstx/tx-workflowwith rollback or--dry-runfirst. - It also returns a compact execution summary instead of raw terminal noise.
Install to your machine
- Clone the repo:
- Copy the skill into your Codex skills folder:
Notes:
- If
CODEX_HOMEis not set, it usually defaults to~/.codex. - You can verify the skill is present at
$CODEX_HOME/skills/rauto-usage.
Recommended prompts
You can explicitly invoke the skill with $rauto-usage, for example:
Use $rauto-usage to test connection lab1 and run "show version".
Use $rauto-usage to preview templates/examples/fabric-advanced-orchestration.json, then wait for my confirmation before execution.
Use $rauto-usage to show connection history for lab1 and summarize failures only.
Use $rauto-usage to render configure_vlan.j2 with templates/example_vars.json and dry-run it first.
If your agent supports automatic skill routing, natural requests like these usually work too:
Run one show command on my saved connection lab1.
Preview this tx workflow and tell me the rollback plan.
Check recent execution history for core-01 and summarize the errors.
Claude Code example
If you use Claude Code skills, copy the folder into your Claude Code skills directory:
~/.claude/skills/ is a common personal skills location for Claude Code. If your local setup uses a different skills directory, copy it there instead.
Usage
1. Template Mode (Recommended)
Render commands from a template and execute them on a device.
Templates are stored in SQLite and managed with rauto templates or the Web UI.
Basic Usage:
With Variables:
Given a stored template configure_vlan.j2 and variables file templates/example_vars.json:
Dry Run (Preview):
2. Direct Execution
Execute raw commands directly without templates.
Specifying Execution Mode:
Execute a command in a specific mode (e.g., Enable, Config).
3. Device Profiles
rauto supports built-in device profiles (inherited from rneter) and custom TOML profiles.
List Available Profiles:
Using a Specific Profile:
Default is cisco. To use Huawei VRP:
Custom Device Profile:
Custom device profiles are stored in SQLite and managed through rauto device or the Web UI.
Use it after creating or copying a custom profile:
Useful profile management commands:
4. Web Console (Axum)
Start the built-in web service and open the visual console in your browser:
Then visit http://127.0.0.1:3000.
Web assets are embedded into the binary at build time.
For released binaries, users only need to run the executable (no extra static/ files required at runtime).
Web console key capabilities:
- Manage saved connections in UI: add, load, update, delete, and inspect details.
- Choose SSH security profile in UI connection defaults and saved connections:
secure,balanced, orlegacy-compatible. - Execute commands with saved connection info (load one connection, then run direct or template mode).
- Manage profiles (builtin/custom) and templates in dedicated tabs.
- Manage command blacklist patterns in UI: add/delete/check
*wildcard rules before execution. - Manage data backups in UI: create/list/download/restore
~/.rautobackup archives. - Diagnose profile state machines in Prompt Management -> Diagnostics with visualized result fields.
- Switch Chinese/English in UI.
- Record execution sessions and replay recorded outputs in browser (list events or replay by command/mode).
Agent Mode
rauto web remains the local self-management UI. Managed mode now starts from rauto agent, which is dedicated to rauto-manager registration, heartbeat, protected APIs, and task callbacks.
You can also keep defaults in ~/.rauto/agent.toml:
[]
= "http://manager:50051"
= "my-secret-token"
= "grpc"
[]
= "agent-beijing-01"
= 30
= 300
Agent mode adds:
- Public
GET /api/agent/infofor manager-side reachability/discovery. - Protected
GET /api/agent/statusfor runtime status and heartbeat metadata. - Protected
POST /api/devices/probefor batch TCP reachability checks of saved connections. - Background manager registration, heartbeat, and best-effort offline notification on shutdown.
- Manager reporting supports two transports:
grpc(default): usesrauto.manager.v1.AgentReportingService, best when manager can expose a gRPC endpoint.http: uses manager HTTP endpoints, useful when manager only exposes HTTP(S), such as Vercel-style deployments.- Full inventory sync after registration and on saved-connection changes; this only syncs
name,host,port, anddevice_profile. - Periodic liveness probe refresh (
probe_report_interval, default300, set0to disable) with incrementalreachableupdates. task_idenables async task callbacks in agent mode; callbacks are reported back to manager through the selected transport.- Outbound manager requests now send both
Authorization: Bearer <token>andX-API-Key: <token>when a token is configured. - When agent mode is started with a token, browser-side Web UI requests must provide the same token in the page header token field.
5. Template Storage Commands
6. Saved Connection Profiles
You can save and reuse connection settings by name:
# Add/update a profile directly from CLI args
# Reuse the saved profile
# Save current effective connection after a successful run
# Manage saved profiles
Password behavior:
--save-connection(used inexec/template/connection test) saves without password by default; add--save-passwordto include password fields.connection addsaves password only when--password/--enable-passwordis explicitly provided.- Saved passwords are encrypted and stored in
~/.rauto/rauto.db; the local encryption key is stored in~/.rauto/master.key. --ssh-security <secure|balanced|legacy-compatible>controls SSH algorithm compatibility and is also stored in saved connections.
7. Backup & Restore
Backup the current rauto runtime data store and backup configuration:
Note: backup archives include both rauto.db and master.key, so saved-connection passwords remain restorable from the backup.
# Create backup to default path: ~/.rauto/backups/rauto-backup-<timestamp>.tar.gz
# Create backup to custom output path
# List default backup archives
# Restore archive (merge into current ~/.rauto)
# Restore archive and replace current ~/.rauto data first
8. Command Blacklist
Use a global blacklist to reject commands before they are sent from CLI or Web execution paths (exec, template execute, tx, tx-workflow, orchestrate, interactive command).
# List current patterns
# Add blocked patterns
# Check one command against the blacklist
# Remove a pattern
Notes:
*matches any character sequence, including spaces.- Matching is case-insensitive and applies to the full command text.
- Blacklist data is stored in
~/.rauto/rauto.db.
9. CLI Quick Reference
Connection troubleshooting
Saved connection profiles
Command blacklist
Profile management
Template storage management
Session recording & replay
# Record direct exec
# Record template execution
# Replay / inspect
Backup & restore
Transaction blocks
# Tx block with inferred per-step rollback
# Tx block with explicit per-step rollback (repeatable flags)
# Tx block with per-step rollback from file (one per line, empty lines ignored)
# Tx block with per-step rollback from JSON array
# Tx block with whole-resource rollback
Transaction workflow
# Visualize workflow structure in terminal (ANSI colors enabled by default)
# Disable colors with: NO_COLOR=1
# Execute a workflow from JSON
# Dry-run: print workflow plan and exit
# Dry-run raw JSON
Transaction workflow JSON example
Ready-to-edit sample files:
Advanced sample files:
Multi-device orchestration
# Preview orchestration structure in terminal
# Dry-run: print normalized plan and exit
# Execute a multi-device plan
# Print execution result as JSON
Orchestration plan JSON example
Inventory + group example
Ready-to-edit sample files:
Advanced sample files:
- templates/examples/fabric-advanced-orchestration.json
- templates/examples/fabric-advanced-inventory.json
Notes:
targetscan reference saved connections by name or provide inline connection fields.target_groupscan load target lists frominventory_fileor inlineinventory.groups.inventory.defaultsapplies to all groups and stage-level inlinetargets; groupdefaultsoverride inventory defaults.tx_blockstages reuse existing template/rollback behavior and support per-targetvars.tx_workflowstages reuse existing single-device workflow JSON.- Multi-device orchestration is available in both Web UI and CLI.
CLI ⇄ Web UI mapping
Operations (Web) CLI
-------------------------------- ---------------------------------------------
Direct Execute rauto exec
Template Render + Execute rauto template
Transaction Block (Tx Block) rauto tx
Transaction Workflow (Tx Flow) rauto tx-workflow
Multi-device Orchestration rauto orchestrate
Saved connections rauto connection
Connection history rauto history
Command blacklist rauto blacklist
Prompt Profiles (Web) CLI
-------------------------------- ---------------------------------------------
Built-in profiles rauto device list / rauto device show <name>
Copy builtin to custom rauto device copy-builtin <builtin> <custom>
Custom profiles CRUD rauto device show/delete <custom>
Template Manager (Web) CLI
-------------------------------- ---------------------------------------------
List templates rauto templates list
Show template rauto templates show <name>
Delete template rauto templates delete <name>
Session Replay (Web) CLI
-------------------------------- ---------------------------------------------
List records rauto replay <jsonl> --list
Replay command rauto replay <jsonl> --command "<cmd>" [--mode <Mode>]
Feature availability
Feature Web UI CLI
----------------------------------------- ------- ----
Connection profiles CRUD Yes Yes
Execution history browser Yes Yes (by file)
Session recording (auto) Yes Yes
Session replay list/inspect Yes Yes
Session replay UI table/detail Yes No
Prompt profile diagnose view Yes No
Workflow builder (visual) Yes No
Transaction workflow JSON execution Yes Yes
Multi-device orchestration (plan JSON) Yes Yes
Command blacklist management Yes Yes
Migration tips (Web ⇄ CLI)
Workflow Builder → CLI
1. In Web, open Tx Workflow step and click "Generate JSON".
2. Download JSON (More Actions → Download JSON).
3. Run: rauto tx-workflow ./workflow.json
Tx Block (custom per-step rollback) → CLI
1. In Web, choose Rollback mode = "custom per-step".
2. Use "text" to copy rollback lines.
3. Run: rauto tx --rollback-commands-file ./rollback.txt ... (commands in same order)
CLI recordings → Web Replay
1. Run with --record-file to create JSONL.
2. Open Web → Session Replay, paste JSONL and inspect.
Start web console
Directory Structure
By default, rauto stores runtime data under ~/.rauto/.
Default runtime data:
~/.rauto/rauto.db(saved connections, history recordings, blacklist patterns, custom device profiles, managed command templates)~/.rauto/backups(backup archives)
~/.rauto and ~/.rauto/backups are auto-created on startup.
~/.rauto
├── rauto.db # SQLite runtime store
└── backups/ # Backup archives (*.tar.gz)
Configuration
| Argument | Env Var | Description |
|---|---|---|
--host |
- | Device hostname or IP |
--username |
- | SSH username |
--password |
RAUTO_PASSWORD |
SSH password |
--enable-password |
- | Enable/Secret password |
--ssh-port |
- | SSH port (default: 22) |
--ssh-security |
- | SSH security profile: secure, balanced, legacy-compatible |
--device-profile |
- | Device type (default: cisco) |
--connection |
- | Load saved connection profile by name |
--save-connection |
- | Save effective connection profile after successful connect |
--save-password |
- | With --save-connection, also save password/enable_password |
Recording-related options (command-specific):
exec/template --record-file <path>: Save recording JSONL after execution.exec/template --record-level <off|key-events-only|full>: Recording granularity.replay <record_file> --list: List recorded command output events.replay <record_file> --command <cmd> [--mode <mode>]: Replay one command output.
Template Syntax
rauto uses Minijinja, which is compatible with Jinja2.
Example configure_vlan.j2:
conf t
{% for vlan in vlans %}
vlan {{ vlan.id }}
name {{ vlan.name }}
{% endfor %}
end
Example variables:
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
License
MIT