AUTOMATE EVERYTHING.
A growing field guide to automating everything with OrchStep — developer daily workflows, team CI/CD, configuration management, enterprise automation, and AI agents. Real code, runnable demos, measured results.

Why OrchStep: compose workflows like Lego bricks
The design idea behind OrchStep: you don't carve automation from one block of bash — you snap together small, typed, well-understood pieces. Functions, steps, tasks, and modules are the bricks; your orchstep.yml is the model.
- READING
- 7 min
- ROLE
- Tech Lead
- SCALE
- Any
What an OrchStep module really is
A module isn't a plugin or a magic import — it's a packaged, versioned kit of tasks. Here's the anatomy: a manifest that declares the contract, and a workflow that implements it.
Local modules: reuse a task without leaving your repo
The lightest possible module is a folder in your own repo. No registry, no publishing, no Git URL — just source: "./modules/x" and you're sharing tasks across your workflows.
Publish a module: turn a task into a shareable package
You've got a task other people keep asking for. Here's how to wrap it in a manifest, validate it, tag a version, and let anyone import it with a single Git URL.
Run a module as a configured instance, not just a function
A shared deploy module either forces every caller to re-pass all the config, or its environment leaks across calls. instance_profile + isolate let a module load its OWN per-environment config — so one release fans out to every service's own prod profile, scoped and clean.
Consume a remote module from Git
Stop copy-pasting the same task block between repos. Point a module source at a Git URL, pin a semver range, and call its exported task — OrchStep fetches, caches, and pins it for you.
A company module registry: share modules across teams
Map a company scope to one monorepo and every team imports the same versioned modules by @scope/name. The open way uses a registries: block; the managed way is OrchStep Pro's private registry.
Reproducible modules with the lockfile
A Git tag can be force-moved to different bytes tomorrow. orchstep.lock pins each remote module to an immutable commit and content hash, so module verify in CI fails on supply-chain drift instead of running it.
Your callee's environment shouldn't haunt your caller
A task loads staging secrets, calls a helper, and three steps later your prod deploy is running with a leaked DATABASE_URL. Scoped environments fix the class of bug: a callee's dotenv/env are its batteries, the caller can override them, and they unwind on return.
OrchShell: the ad-hoc command that already knows your environment
You keep a folder of wrapper scripts just to run helm and kubectl with the right per-environment values. orchstep do renders any command with your structured, layered config — objects and all — and runs it. dotenv++ for applications, no orchstep.yml required.
The three module trust tiers: @orchstep, @community, @ai
OrchStep ships three built-in module scopes — @orchstep, @community, and @ai — all hosted in one public registry repo. Here's what each tier means, how to find and install modules, and how a source resolves to a versioned tag.
Module design patterns (and anti-patterns)
A good OrchStep module has one job, a typed config schema, documented exports, and semver discipline. A bad one is a god-module with hardcoded env values and leaked internals. Here's how to tell them apart — with a manifest that passes validation.
An end-to-end platform: golden-path modules for the whole org
A platform team publishes build, deploy, and notify kits to a registry. Dozens of app teams compose them in a few lines and ship the same way. This is the whole modules series in one runnable workflow — sources, scopes, versions, and a graph you can see.
Pin the engine version with required:
A workflow that uses a feature your teammate's orchstep doesn't have fails in a confusing place. Declare the minimum engine version once, and an out-of-date binary fails fast with a clear message instead.
JavaScript expressions: when Go templates aren't enough
Go templates are great for interpolation and clumsy for logic. OrchStep also evaluates plain JavaScript in conditions and transform steps, so real computation reads the way you think it.
Pipe JSON into a workflow
curl, terraform output, gh api — they all speak JSON on stdout. OrchStep reads stdin, auto-detects JSON, and exposes it as a typed namespace, so it drops straight into a Unix pipe.
The git function: clone, commit, tag without shelling out
Cloning and reading a repo in a workflow usually means parsing git stdout with awk. func: git does the common operations as first-class steps and hands back structured outputs instead.
Bootstrap a dev machine in one command
The onboarding wiki everyone follows differently. The setup script that only works on one OS. Here's how to turn 'install these 15 tools' into a single idempotent OrchStep command that runs the same on macOS and Linux.
Grow a workflow into a real project: task files, environments, and a live graph
One orchstep.yml is great until it isn't. Here's how to split a workflow into discoverable task files and external environments — without losing the single-command UX or the live run graph.
Interactive prompts that auto-skip in CI
A runbook that asks 'deploy to prod?' is great for a human and a deadlock in CI. func: prompt asks when there's a terminal and quietly uses defaults when there isn't — one workflow for both.
OrchStep as a program launcher
Every tool you run is a program plus a fistful of flags. Here are five ways to launch one with OrchStep — from raw CLI to interactive menu to the new saved run aliases — each more ergonomic than the last, and all built on the same workflow.
Why OrchStep: compose workflows like Lego bricks
The design idea behind OrchStep: you don't carve automation from one block of bash — you snap together small, typed, well-understood pieces. Functions, steps, tasks, and modules are the bricks; your orchstep.yml is the model.
Replace the bash script you keep rewriting
Every repo has a scripts/ folder that grew teeth. Here's how to turn the 200-line deploy.sh into a readable OrchStep workflow you can run, preview, and trust — without giving up the shell.
True parallel fan-out
Three health checks that don't depend on each other shouldn't run one after another. A parallel block launches steps concurrently, waits for all of them, and merges their outputs back.
Go templates + Sprig: the templating you already know
OrchStep's template layer is plain Go templates plus the Sprig function library — default, regexFind, semverCompare and 100+ more — with JavaScript waiting for the logic that templates make ugly.
Run your tests the same way everywhere
The way your tests run on your laptop should be the way they run in CI — same command, same steps, same result. Here's one OrchStep task that does unit, integration, and lint in parallel, then asserts on the outcome.
Database migrations without the 2am dread
A migration is the one deploy you can't easily undo — so wrap it in a backup, a rollback that fires on failure, and a notification that always runs. One OrchStep task, previewable before it touches the database.
Run the same workflow on Windows (no bash)
OrchStep ships a Go-native shell. Set one config line and your sh-style workflow runs identically on Windows, Alpine, and distroless — no bash, no WSL, nothing to install.
Autocomplete & validation for orchstep.yml in your editor
OrchStep publishes a JSON Schema at a stable URL. Point your editor's YAML language server at it and get field autocomplete, hover docs, and inline errors before you ever run a workflow.
Git hooks that don't fight you
Most git hooks are a tangle of inline bash that's slow, undebuggable, and impossible to run by hand. Point them at one OrchStep task instead — fast, readable, and runnable outside the hook.
Scaffold a CI-wired project with the starter template
orchstep init scaffolds a runnable workflow in one command, and the orchstep-starter GitHub template gives you build/test/deploy tasks with CI already wired up. From zero to a green pipeline in minutes.
Scaffold a new service in one command
Stop copy-pasting last quarter's service and find-replacing the name. One OrchStep task prompts for a name and renders every file from templates — interactive locally, fully scriptable in CI.
A real changelog and release, from the terminal
Cutting a release shouldn't mean remembering the version-bump rules, the tag format, and the build flags. One OrchStep task computes the next version, writes the changelog, tags, and builds — and shows you the plan before it runs.
Machine-readable runs: --output json and the exit-code contract
OrchStep auto-detects pretty vs plain output, emits a single clean JSON document on demand, writes a result file alongside human logs, and follows a documented exit-code contract so CI can branch on the kind of failure.
Stop memorizing commands: the task menu
Every repo accumulates a pile of scripts nobody can remember the names of. `orchstep menu` turns your tasks into a fuzzy picker with single-key hotkeys — and stays out of the way in CI.
Test expressions fast with the eval playground
orchstep eval evaluates any template or JavaScript expression against your real workflow context — environments, vars-files, --var and all — without running a single step. It replaces the throwaway echo-step debug loop.
Docker builds you can actually read
The build-tag-push dance is always the same, always slightly wrong in each repo. Here it is as one OrchStep task: multi-stage build, an image ref computed once, and a push that retries the flaky registry.
A fast local Kubernetes loop
Build, load, apply, wait for rollout, tail logs. The inner loop every platform engineer retypes a hundred times a day — turned into one OrchStep task that waits until the pods are actually Ready.
API smoke tests in five lines
After every deploy, someone curls a few endpoints to make sure the service is alive. Turn that ritual into a loop of http + assert steps you can run from your terminal or from CI.
Tame your monorepo scripts
Every package has its own build, lint, and dev commands, and the root package.json has thirty scripts nobody can keep straight. Give the monorepo one entry point with per-package tasks and task calls.
One-command onboarding for new laptops
The setup wiki is always out of date and the new hire is blocked. Turn day-one setup into a single idempotent task that checks for tools, installs what's missing, and asserts the prerequisites before it starts.
Scheduled jobs without cron soup
The crontab line is a wall of redirections, lock files, and a script that swallows its own errors. Point cron at one OrchStep task instead — structured steps, JSON output, and an exit code your timer can trust.
Backups and restore drills you can trust
A backup you've never restored is a guess. Make the backup verify its own integrity, rehearse a real restore on a schedule, and alert the moment either one fails — all in one OrchStep workflow.
Parse JSON and YAML without jq golf
Stop piping API output through three nested jq filters nobody can read. OrchStep parses JSON with a real JS expression and exposes YAML as a plain object — then hands the fields to the next step.
Render config files from templates
One template, one source of truth, a config file per environment. func: render turns variables into nginx.conf, app.ini, or any text file — no envsubst, no sed, no copy-pasted near-duplicates.
Poll until ready, the right way
The until-loop you copy into every deploy script is a hang waiting to happen. OrchStep has no unbounded while — every 'wait for X' maps to a primitive with a built-in stop: func: wait, retry, or loop until.
Retries and timeouts as syntax, not boilerplate
The retry loop you paste from Stack Overflow gets backoff subtly wrong and never times out. OrchStep makes retries, backoff, and two kinds of timeout declarative fields on the step.
Dry-run everything before you run it
Stop guessing what your deploy script will do. --dry-run resolves every variable, renders every command, decides every branch it can, and executes nothing — in the terminal or as a self-contained HTML plan.
From Makefile to OrchStep in an afternoon
Your Makefile stopped being about files years ago — it's a task runner fighting tab-sensitive syntax and fake .PHONY targets. Here's the mechanical port to orchstep.yml, target by target.
The same orchstep.yml locally and in CI
The bug that only reproduces in CI usually isn't a bug — it's a second copy of your pipeline. Here's how to run one orchstep.yml on your laptop and on the runner, byte for byte.
GitHub Actions without the YAML sprawl
Your .github/workflows folder has six files and 400 lines you can't run locally. Move the logic into orchstep tasks and let the workflow do one job: call them.
GitLab CI pipelines that read like intent
A .gitlab-ci.yml should read like a table of contents, not a shell script smeared across stages. Let each stage call one orchstep task and keep the work where you can run it.
PR gates that actually gate
A green check that doesn't catch the thing you added it to catch is worse than no check. Here's a PR gate that lints, validates every variable resolves, and fails on a missing var before a single test runs.
Build only what changed in your monorepo
Rebuilding 40 packages because someone touched the README is how a monorepo's CI ends up taking 25 minutes. Detect the affected set, build and test only those, and gate the merge on the result.
Blue/green deploys with instant rollback
Rollback shouldn't mean a frantic re-deploy of the last good build while the pager screams. Deploy to the idle slot, verify it before any traffic moves, flip atomically, and let a catch block undo it.
Canary releases, step by step
Ship to a slice of traffic, watch the metrics, then promote or abort — with the decision written as one if/else block you can read and dry-run before it ever touches production.
Promote one build through every environment
Build the artifact once, then walk the exact same bytes from dev to staging to prod with a single --env flag. No rebuilds, no per-environment copy-paste, no drift.
A semver release pipeline, end to end
Preflight checks, version bump, changelog, tag, build, and a channel-gated publish — the whole release ritual as one readable workflow you can dry-run before you cut the tag.
Multi-arch Docker images in one workflow
Build for amd64, arm64, and arm/v7 by looping over a platform list instead of copy-pasting build steps — add or drop an architecture by editing one line.
Ephemeral preview environments per PR
Spin up a throwaway environment when a PR opens and tear it down when it closes — namespace, deploy target, and URL all derived from the one input that matters: the PR number.
Rollback runbooks you can rehearse
A rollback you've never run is a hope, not a plan. Write it as a workflow, rehearse it with --dry-run on a calm afternoon, and let catch/finally handle the parts you'd forget at 3am.
Shard your test suite for speed
A 22-minute test job is a 22-minute feedback loop. Split the suite into shards, run them in a loop, aggregate the results, and gate the merge on a full set — all from one OrchStep workflow.
Quarantine flaky tests automatically
A flaky test that fails one run in twenty trains your team to hit re-run on red. Retry the known-flaky ones, and when they still fail, record them to a quarantine list instead of blocking the merge.
Deploy approvals and manual gates
A human confirmation before a production publish — that prompts when a person runs it, and auto-skips to a safe default in CI. One workflow, two audiences, no separate 'CI version'.
Sign and SBOM every release
Signing the image and generating an SBOM are the supply-chain steps everyone agrees to and then forgets under deadline. Make them steps in the release workflow, with a verify that won't let an unsigned artifact through.
Scheduled CI jobs and nightly pipelines
The nightly build is the most fragile job you own — it only runs when you're asleep, so it breaks in silence. Keep the cron in your runner, but make the work a workflow you can run by hand and always get a report from.
Detect infra drift on a schedule
Someone fixed prod by hand at 3am and your Terraform state no longer matches reality. Run a plan on a schedule, count what differs, and alert only when there's actual drift.
One workflow, every environment
Stop forking your deploy script per environment. Declare shared values in groups, per-target values in environments, and pick the target at the CLI with --env — the steps never change.
Externalize env config into files
When your inline environments block stops fitting on a screen, move each target into its own file. The filename becomes the hierarchy — defaults, group, group-env — and --env picks the path.
dotenv done right
Loading .env files is easy to get subtly wrong: order, optionality, and required values. Here is a deterministic load order, an optional file that won't break CI, and a required-var check that fails fast.
Secrets without leaks: the conduit model
A workflow tool should never store your credentials. OrchStep is a conduit, not a vault: it resolves a secret from your own tool at the moment it's needed, hands the real value over, and masks it everywhere else.
Resolve secrets from Vault, SOPS, or 1Password
OrchStep doesn't reinvent secret storage — it shells out to the tool you already run. One cmd resolver, fetch-once-pull-many with field extraction, and the value stays masked end to end.
A coverage matrix that catches missing vars
A variable set in one environment file and forgotten in another renders as an empty value at runtime. orchstep validate turns that into a static env-by-var matrix — and --strict fails CI before the gap ships.
Per-tenant config at scale
When 'an environment' is really 200 tenants, you can't write 200 tasks. Keep the roster as data, loop the provisioning once, give each tenant its own config, and factor the repeated work into a module.
Multi-region configuration
Three regions, one artifact, one config file. Keep per-region overrides in environments, loop over the region list to fan out, and stop copy-pasting deploy steps you have to keep in sync.
Feature flags from config
You don't always need a flag SaaS. Keep boolean flags in config, gate steps on them, and render a flags file your app reads at boot — flip a feature with one --var, no redeploy of the logic.
Render Kubernetes manifests per environment
Stop maintaining near-identical YAML for staging and prod. Keep one manifest template, feed it per-environment vars, and apply — without pulling in a whole templating platform.
Wrap Terraform with guardrails
fmt, validate, plan, approve, apply — in that order, every time. Wrap your Terraform commands in a workflow so the safety steps aren't optional and the apply is gated behind a confirm and a dry-run.
Validate config in CI before prod
Catch the broken config in the pull request, not in the 2am page. Lint the structure, validate references with --strict, and assert the values are sane — three commands that turn config mistakes into a red CI check.
Rotate secrets on a schedule
Make credential rotation a task a timer can call: mint a new value, activate it, verify, and write an audit record. Keep the secret out of the workflow with a resolver, and let cron own the schedule.
Golden paths for platform teams
A golden path is only golden if everyone actually takes it. Here's how to ship the sanctioned build-verify-deploy flow as a versioned OrchStep module instead of a wiki page nobody reads.
Service scaffolding with a catalog
A new service shouldn't take a week of copy-paste and a forgotten catalog entry. Here's a single OrchStep task that scaffolds the repo, registers it in your service catalog, and smoke tests it before anyone touches it.
Incident response runbooks that actually run
A runbook in a wiki is a suggestion you read while paging through panic. Here's the same runbook as an OrchStep workflow: classify severity, fan out diagnostics in parallel, route by severity, and record the incident.
Change management with audit trails
Change management shouldn't mean a screenshot pasted into a ticket. Here's an OrchStep workflow that gates a change behind policy checks and approval, then writes a hashed, chained record an auditor can actually trust.
A private module registry for your org
Copy-pasted YAML is the new copy-pasted bash. Here's how to publish shared OrchStep workflows to a private registry under your own @scope and pin them with semver tags — so every team consumes the same versioned modules instead of a fork.
Evidence bundles for compliance
When an auditor asks for evidence, you shouldn't spend a day grepping CI logs and screenshotting dashboards. Here's an OrchStep workflow that gathers the artifacts, hashes each one, and seals them into a single bundle per release.
Disaster recovery drills you'll actually run
A backup you've never restored is a hope, not a recovery plan. Here's an OrchStep workflow that backs up, restores to a scratch target, verifies the data is really there, and emits a report — cheap enough to run every week.
Cost reporting automation
The daily cloud-cost report that lives in a cron'd shell script nobody trusts. Here's how to turn pull -> transform -> report -> gate into an OrchStep workflow that fails loudly when spend blows past budget.
SLO and error-budget gates
Stop eyeballing a Grafana panel before every release. Compute availability from logs, compare it to the SLO, and let an OrchStep workflow promote or freeze the release on the error budget.
Security response automation
The vulnerability response that lives in five browser tabs and a runbook nobody follows the same way twice. Here's scan -> triage -> ticket -> notify as one ordered OrchStep workflow.
Onboarding and offboarding automation
Provisioning and deprovisioning people across SSO, groups, and hardware — without the half-applied state a failed script leaves behind. Build idempotent onboard/offboard tasks in OrchStep.
Cross-cloud orchestration
Provisioning that spans AWS and GCP usually means two runbooks and a handoff. Here's one OrchStep workflow that applies both clouds in parallel and verifies them together.
Data pipeline orchestration at scale
Parallel extracts, a quality gate per dataset, alerting on load failure, and staging cleanup that always runs — built as one OrchStep workflow with a reusable quality module.
OrchStep for backend developers
The inner loop of backend work is a pile of half-remembered commands: bring up the database, migrate, seed, run the integration suite. Here's how to make that loop one readable workflow you can run, preview, and trust.
OrchStep for frontend developers
Frontend work means running the same five checks CI runs — lint, types, tests, build — against the right API base URL, then shipping a preview. Here's how to make that one workflow instead of five memorized commands.
OrchStep for SREs
Runbooks rot in wikis and get typed by hand at 3am. Here's how to turn triage, safe-restart, and error-budget runbooks into executable OrchStep workflows that poll, retry, and roll back on purpose.
OrchStep for DevOps engineers
Pipeline logic lives in YAML you can only test by pushing. Here's how to move the steps into one OrchStep workflow your laptop and your pipeline both run — so CI YAML shrinks to one line and green-locally means green-in-CI.
OrchStep for platform engineers
Golden paths only stay golden if every team runs the same steps. Here's how to ship a paved-road scaffold and onboarding as OrchStep workflows app teams run themselves — versioned, previewable, and reusable across repos.
OrchStep for data engineers
Cron-driven pipelines fail halfway, leave half-loaded tables, and make backfills a manual chore. Here's how to write an ETL flow with retries, a quarantine path, and a partition backfill loop you can preview before it runs.
OrchStep for ML engineers
Training runs fail near the end, swallow the data-prep step, and ship models that didn't clear the bar. Here's how to write a train flow with timeouts, a metric gate, and a hyperparameter sweep you can preview before burning GPU hours.
OrchStep for security engineers
Scan tools sprawl, gates are informal, and proving a release was clean means screenshots. Here's how to write one scan workflow that runs SAST, deps, and image scans, fails on critical findings, and you can dry-run before it gates a release.
OrchStep for QA engineers
Smoke checks, sharded suites, flaky-test quarantine, and one-command bug repro — the things QA repeats by hand, written down once as a workflow you can run anywhere.
OrchStep for engineering managers
Onboarding, release checklists, and the rituals your team runs from memory — written down once as workflows, so the process survives the person who knows it.
OrchStep for tech leads
The merge bar you enforce in code review by memory — format, vet, tests, coverage — written down once as a gate anyone can run locally and CI can run identically.
OrchStep for solutions architects
One reference deployment, many target environments, selected at the CLI with --env — the repeatable stack you hand to customers instead of a 12-page runbook.
OrchStep for support engineers
Turn 'can you send me your logs?' into one command — version, connectivity, logs, and a diagnostics bundle collected the same way every ticket, ready to escalate.
OrchStep for release managers
Cut, ship, verify, roll back — the release checklist as code, with retries on the flaky publish and an automatic rollback in a catch block when verification fails.
OrchStep for indie hackers
You're the whole team. Ship, back up, and check your numbers from one binary — every chore you repeat written down once, so future-you doesn't relearn it at midnight.
OrchStep for solo developers
When you're the only person on the project, your automation is a drawer of half-remembered shell commands. Here's how OrchStep gives a one-person team the smallest amount of structure that still pays off.
OrchStep for early startups
Your first three engineers are shipping faster than they can document. Here's how one orchstep.yml runs the same locally and in CI, so the deploy works the same on a laptop as in the pipeline.
OrchStep for scale-ups
Multiple services, three or four environments, and a deploy that has to behave differently in production than in staging. Here's how OrchStep keeps one workflow honest across every environment.
OrchStep for mid-market companies
Enough teams that consistency matters, not so many that you have a platform org. Here's how OrchStep encodes a golden path every team can follow — with the checks, rollback, and audit trail built in.
OrchStep for enterprises
Change boards, signed artifacts, immutable audit trails, and a deploy that has to prove it followed the rules. Here's where OrchStep fits inside an enterprise delivery stack — and where it deliberately doesn't.
OrchStep for agencies and consultancies
Every client repo is a little different, but the delivery dance is the same. Here's how a consultancy turns build-package-ship-handoff into one workflow that travels from client to client.
OrchStep for open-source maintainers
Maintainers run the same release and triage steps over and over, usually from memory at 11pm. Here's how to put the project's rituals in one file contributors can run too.
OrchStep for regulated industries
In regulated shops the deploy isn't the hard part — proving who approved it and what shipped is. Here's how to make the change record a byproduct of running the change.
OrchStep for e-commerce teams
Your storefront has two states: a normal Tuesday and a sale you've been dreading for a month. Here's how to make pre-sale readiness and catalog pushes boring, repeatable commands.
OrchStep for SaaS companies
Promoting a build from staging to production sounds like one step. It's actually migrate, deploy, gate, provision — and the gaps between them are where SaaS outages live. Here's how to make the seam one workflow.
Capture an agent session, replay it for free
Your coding agent just spent twenty minutes and a pile of tokens solving something. Capture that session into a replayable orchstep.yml, and the next run costs zero tokens.
The replay layer for AI coding agents
An agent's reasoning is expensive and non-deterministic. Its result doesn't have to be. OrchStep is the layer that turns a solved agent session into a deterministic recipe you can review in a PR and run in CI.
The OrchStep MCP server for agents
Run orchstep mcp serve and your agent calls workflows as native tools — run tasks, list them, lint, manage modules, and scaffold new YAML, all over the Model Context Protocol.
Teach an agent to author workflows
The orchstep-workflow-design skill turns a fuzzy request into production-grade YAML — with error handling, assertions, and rollback paths. Quick mode for concrete asks, wizard mode for the vague ones.
Zero-token replay economics
A concrete look at what repeated agent work actually costs — and what happens to the bill when you capture the result once and replay it for free.
Agents in CI: deterministic ops
An agent figures out the deploy interactively. CI shouldn't. Replay the captured workflow headless with ORCHSTEP_NON_INTERACTIVE and --output json, and your pipeline runs the exact same steps every time — no model required.
Agent runbooks for on-call
Your agent already triaged the 3am incident. The fix lives in a chat log nobody will find next time. Capture it as an OrchStep runbook and replay it the moment the same alert fires again.
Claude Code + OrchStep
Claude Code is great at doing a multi-step task once. OrchStep is how you keep it. Capture the session into a replayable workflow, then call OrchStep back as an MCP tool the next time you need it.
Cursor + OrchStep
Cursor writes the code; OrchStep runs the procedure. Drive your captured workflows from Cursor's agent with one shell command and structured JSON it can actually read.
Guardrails for agent automation
Letting an agent run your deploy procedure doesn't mean letting it run wild. Dry-run to preview, validate to catch missing variables, a prompt to require a human yes, and secrets that never land in the transcript.
Human-in-the-loop agent workflows
The reliable division of labor for agent automation: the agent proposes, a human approves, and OrchStep executes. A prompt step makes the approval a real gate, not a vibe.
Testing agent-generated workflows
An agent can write you a workflow in seconds. Don't run it on faith. Lint, validate, and dry-run make a three-stage test harness that catches the agent's mistakes before they touch anything real.