skelm
Build secure, agentic, long-running workflows in TypeScript. Run them anywhere Node runs.
Why skelm exists
Most LLM workflow tools make security an afterthought. Agents call arbitrary tools, read arbitrary files, hit arbitrary URLs — because the framework has no model for preventing it. When something goes wrong (prompt injection, runaway loops, accidental secret exfiltration), you find out after the fact.
skelm is built the other way around. Every agent step starts with zero privileges. Filesystem roots, network hosts, MCP servers, CLI binaries, secrets — each is declared upfront in the step definition. Anything not declared is denied at dispatch, before the backend ever starts. The audit log records every privileged action in a tamper-evident chain so you can always reconstruct what happened.
The rest of the design follows from that principle:
- Real TypeScript. Workflows are
.tsmodules you type-check, refactor, test, and version like any other code. No DSL, no YAML, no JSON config. - Three step kinds, none wrapping another.
code()for deterministic logic,llm()for single inference calls,agent()for full multi-turn loops. Mix them freely in a single pipeline. - Multi-backend agents. Opencode, ACP (Copilot, Claude Code, Gemini), OpenAI, Anthropic, Pi — plus a provider SPI for custom backends. Switch backends by changing one config key.
- First-class MCP support. MCP servers are lifecycle-managed by the gateway, not bolted on. Attach them per-step; the permission model governs which steps can reach which servers.
- Native control flow.
parallel,forEach,branch,loop,wait, and nested pipelines are core primitives. - Schedulable. Cron, interval, webhook, one-shot, and queue triggers. The gateway hosts everything long-running.
- Tamper-evident audit. Hash-chained audit log. Query it with
skelm audit query.
Get started in 60 seconds
# 1. Install the CLI
npm install -g skelm
# 2. Scaffold a project
skelm init my-bot && cd my-bot && npm install
# 3. Run your first workflow
skelm run workflows/hello.workflow.ts --input '{"name":"world"}'
# 4. Stand up the gateway (long-running, handles scheduling + agent steps)
skelm gateway start
When this skill activates
Use this skill when:
- The user is working in a skelm project (any
*.workflow.ts/*.pipeline.tsfile) - The user wants to scaffold, author, or modify a pipeline
- The user asks about
AgentPermissions,skelm.config.ts, MCP wiring, backend setup - The user wants to run, inspect, schedule, or debug a pipeline
- The user is migrating from another workflow tool (LangChain, Inngest, llm-task, lobster)
The unit of work
A pipeline is a TypeScript file that exports a pipeline() call:
import { code, llm, agent, pipeline } from 'skelm'
import { z } from 'zod'
export default pipeline({
id: 'my-workflow',
description: 'What this pipeline does.',
input: z.object({ task: z.string() }),
output: z.object({ result: z.string() }),
steps: [ /* Step[] */ ],
finalize: (ctx) => ctx.steps['last-step'] as { result: string },
})
Step kinds: code · llm · agent · parallel · forEach · branch · loop · wait · pipelineStep · idempotent
Import everything from 'skelm'. Access prior step outputs via ctx.steps['step-id'].
Step kind quick reference
code() — deterministic logic
code({
id: 'parse',
run: (ctx) => ({ value: (ctx.input as { raw: string }).raw.trim() }),
})
llm() — single-shot inference
llm({
id: 'classify',
backend: 'openai',
prompt: (ctx) => `Classify: ${(ctx.input as { text: string }).text}`,
output: z.object({ label: z.string(), confidence: z.number() }),
maxTokens: 512,
})
agent() — full agentic loop (default-deny)
agent({
id: 'implement',
backend: 'pi',
prompt: (ctx) => `Implement ticket ${(ctx.input as { id: string }).id}. Return JSON {prUrl}.`,
permissions: {
allowedTools: ['gh.*'],
allowedExecutables: ['git'],
allowedMcpServers: ['github'],
fsRead: ['./'],
fsWrite: ['./src/'],
networkEgress: { allowHosts: ['api.github.com'] },
},
workspace: { mode: 'ephemeral', cleanup: 'on-run-end' },
output: z.object({ prUrl: z.string() }),
maxTurns: 20,
})
Default-deny: every
AgentPermissionsfield defaults to deny when omitted. An agent with nopermissionsblock cannot call tools, read files, execute binaries, attach MCP servers, or make network requests.
Permissions are part of the API
| Dimension | Field | Default |
|---|---|---|
| Tool | allowedTools / deniedTools | deny |
| Executable | allowedExecutables | deny |
| MCP server | allowedMcpServers | deny |
| Skill | allowedSkills | deny |
| Secret | allowedSecrets | deny |
| Network | networkEgress | deny |
| FS read | fsRead | deny |
| FS write | fsWrite | deny |
| Approval gate | approval | — |
Composition is intersection-only. Project defaults → named profile → step-level. Each layer can only narrow, never widen.
Named profiles in skelm.config.ts:
defaults: {
permissionProfiles: {
'github-write': {
allowedExecutables: ['git'],
allowedTools: ['gh.*'],
allowedMcpServers: ['github'],
fsRead: ['./'],
fsWrite: ['./'],
networkEgress: { allowHosts: ['api.github.com'] },
},
},
}
Apply: permissions: { profile: 'github-write', allowedTools: ['gh.create_pr'] }
Full permissions reference: {baseDir}/references/permissions.md
Project layout
my-project/
├── skelm.config.ts # Required for gateway + agent steps
├── workflows/
│ └── hello.workflow.ts # One pipeline per file
├── package.json # { "dependencies": { "skelm": "^0.3.7", "zod": "^4" } }
└── tsconfig.json
Scaffold a new pipeline from template:
bash {baseDir}/scripts/new-pipeline.sh my-pipeline "What it does"
bash {baseDir}/scripts/new-pipeline.sh my-pipeline "What it does" --agent
Config reference: {baseDir}/references/config.md
CLI essentials
skelm run <workflow.ts> --input '<json>' # run once
skelm list # discover pipelines
skelm describe <id> --format mermaid # visualize
skelm history --last 10 # run history
skelm validate <workflow.ts> # static preflight
skelm logs # stream gateway logs
skelm audit query --run <id> # tamper-evident audit trail
skelm schedule add <id> --cron '0 * * * *' # schedule
skelm gateway start # long-running gateway
Exit codes: 0 ok · 1 CLI error · 2 schema validation · 3 run failed · 4 cancelled · 5 wait timeout · 6 permission denied · 7 step timeout
Full CLI reference: {baseDir}/references/cli.md
The gateway is the trust boundary
The gateway owns permission resolution, enforcement, secret resolution, audit log, approval gating, trigger dispatch, and registry management.
Never write permission enforcement in pipeline or step code. Pipelines are the user layer. The gateway is the trust layer.
skelm gateway start
skelm gateway status
skelm gateway install --systemd # systemd unit at ~/.config/systemd/user/skelm-gateway.service
Gateway reference: {baseDir}/references/gateway.md
Common pitfalls
- Widening at step level —
networkEgress: 'allow'in a step when the project default isdenyhas no effect. Intersection always wins. - Missing Zod schema —
input/outputare validated at run boundaries; omitting them skips validation silently. agent()with an unregistered backend — step fails at runtime ifbackendreferences an id with no matching entry in configbackends:orinstances:. The pi SDK backend must be ininstances:.- Step id collisions inside
parallel()— sibling ids must be unique within the parallel block. - Editing
dist/— never edit generated files. Runpnpm buildto regenerate.
Full references
{baseDir}/references/pipeline-authoring.md— all builders, control flow, context shape, retry{baseDir}/references/agent-step.md—agent()signature, backends, workspace modes, MCP{baseDir}/references/permissions.md— full permission model, TrustEnforcer, testing{baseDir}/references/config.md—skelm.config.tsshape, backends, MCP entries{baseDir}/references/gateway.md— gateway lifecycle, HTTP surface, audit log, systemd{baseDir}/references/cli.md— complete CLI reference with all flags and exit codes
skelm v0.3.7 · MIT · npm