Platform Features
Every feature, fully documented
ScriptMesh is a cloud-hosted script orchestration platform built on FastAPI, Docker agents, APScheduler, and Fernet AES-128 encryption. Here is everything it does.
Execution Engine
HTTP-based remote script execution with full async job support
Remote Execution via REST API
Trigger any whitelisted script on any registered agent with a single HTTP POST. The agent executes the script and returns stdout, stderr, exit code, and duration.
Async Job Model
Execution is non-blocking. Receive a job_id immediately, then poll for completion or register a webhook callback. Jobs are tracked in SQLite WAL for durability.
Group / Fan-out Triggers
Trigger the same script across multiple agents simultaneously using tag-based targeting. Results are collected and stored per agent.
Parameterized Execution
Pass key-value parameters to scripts at trigger time. Parameters are securely forwarded to the agent and available as environment variables inside the script.
Job History & Observability
Complete execution records with stdout, stderr, and timing data
Full stdout / stderr Capture
Every execution captures the full standard output and standard error from the script. Nothing is truncated. Scroll through megabytes of output in the dashboard.
Exit Codes & Duration
Record the exact exit code and wall-clock duration (in milliseconds) for every job. Use exit codes to drive alerting and integration events.
Filterable Job List
Filter executions by agent, script name, status (success / failed / running / pending), or date range. Pro plan retains 90 days of history.
Per-Tenant Isolation
Each tenant only sees their own executions. Cross-tenant data access is prevented at the database query level with tenant_id scoping on every query.
Scheduling
APScheduler cron with missed-fire detection and webhook callbacks
Full Cron Expression Support
Define schedules using standard 5-field cron expressions. The APScheduler engine handles timezone awareness and daylight saving transitions.
Missed-Fire Detection
If the orchestrator was offline during a scheduled trigger, missed-fire events are detected and logged. Configurable catch-up policy per schedule.
Webhook Callbacks on Completion
Attach a webhook URL to any schedule. The orchestrator POSTs the full job result to your URL when the script completes — success or failure.
Enable / Disable Without Deletion
Pause a schedule at any time without losing its configuration. Re-enable it with a single API call or dashboard toggle.
Security
Fernet encryption, whitelist-first design, dual auth, and rate limiting
Fernet AES-128 Encryption at Rest
All agent API keys are stored encrypted using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256). The key material is derived from the environment — never hardcoded.
Script Manifest Whitelisting
Each agent maintains a manifest of exactly which scripts it may execute. Any trigger request for an unlisted script is rejected with no execution attempted.
Dual Authentication (JWT + API Keys)
Human users authenticate with short-lived JWTs (15 min) plus 7-day refresh tokens. Programmatic integrations use scoped API keys (sm_live_...) with optional expiry.
Rate Limiting via slowapi
All endpoints are rate limited. Login: 10/min, registration: 5/min, password reset: 5/min, verification resend: 3/min. These limits slow brute-force attempts and abuse.
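The manifest check and the environment-variable parameter passing described under Script Manifest Whitelisting and Parameterized Execution can be sketched as follows. This is an added example, not ScriptMesh's own agent code; `run_whitelisted`, `TriggerRejected`, the `SM_PARAM_` prefix and the Python-script manifest are assumptions made for illustration.

```python
import os
import subprocess
import sys
import tempfile
import time
from pathlib import Path


class TriggerRejected(Exception):
    """Trigger refused before any process is started."""


def run_whitelisted(manifest, script_dir, name, params, timeout=30):
    """Run a manifest-listed script; return stdout, stderr, exit code, duration."""
    # The request supplies a logical name, never a path: exact-match lookup only.
    if name not in manifest:
        raise TriggerRejected(f"{name!r} is not in the manifest")
    root = Path(script_dir).resolve()
    script = (root / manifest[name]).resolve()
    # Defence in depth: a manifest entry must not resolve outside script_dir.
    if root not in script.parents:
        raise TriggerRejected(f"manifest entry for {name!r} escapes {root}")
    # Only a short allowlist of the agent's own variables is inherited; request
    # parameters get an assumed SM_PARAM_ prefix so they cannot shadow PATH etc.
    env = {k: os.environ[k] for k in ("PATH", "LANG", "LD_LIBRARY_PATH")
           if k in os.environ}
    for key, value in params.items():
        if not key.isidentifier():
            raise TriggerRejected(f"invalid parameter name {key!r}")
        env["SM_PARAM_" + key.upper()] = str(value)
    started = time.monotonic()
    # argv list, no shell: parameter values are data, never command text.
    proc = subprocess.run([sys.executable, str(script)], env=env,
                          capture_output=True, text=True, timeout=timeout)
    return {"stdout": proc.stdout, "stderr": proc.stderr,
            "exit_code": proc.returncode,
            "duration_ms": int((time.monotonic() - started) * 1000)}


def demo():
    """Constructed sample: one listed script and a parameter full of shell syntax."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "report.py").write_text(
            "import os; print(os.environ['SM_PARAM_TARGET'])\n")
        return run_whitelisted({"report": "report.py"}, d, "report",
                               {"target": "db1; echo injected"})


if __name__ == "__main__":
    print(demo())
```

The script receives the parameter value byte for byte, and an unlisted name or a manifest entry pointing outside the script directory is rejected before `subprocess.run` is reached.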
Agent Infrastructure
Outbound-only Docker agents with live CPU/memory/disk telemetry
Outbound Connections Only
Agents connect OUT to the orchestrator. You don't need to open inbound firewall ports, configure VPN, or expose agents to the internet.
Docker-Native Deployment
Agents ship as a lightweight Docker image. Deploy on any host running Docker — bare metal, VM, or Kubernetes sidecar. Single docker run command.
Heartbeat Health Monitoring
Agents send CPU percent, memory percent, disk percent, and uptime metrics to the orchestrator every 60 seconds. The dashboard shows live health status.
Online / Offline Events
When an agent transitions from online to offline (or vice versa), integration events fire automatically. Alert your team via PagerDuty or Slack when an agent goes dark.
Integration Bus
7 native integrations, all configurable per tenant
Slack & Discord
Post job completion events, failures, and agent health changes to any Slack channel or Discord webhook. Configurable per event type per tenant.
Microsoft Teams
Send adaptive card notifications to Teams channels when scripts complete, fail, or when agents go offline.
PagerDuty
Open and resolve PagerDuty incidents automatically based on job failure events or agent offline events. Deduplication key is the job ID.
Datadog, Splunk, Prometheus, Webhooks
Ship execution metrics to Datadog metrics API, Splunk HEC, or expose them at the Prometheus /metrics endpoint. Generic outbound webhooks for everything else.
Multi-Tenant Isolation
Per-tenant data isolation with role-based access control
Per-Tenant Data Isolation
Every resource — agents, schedules, executions, API keys, integrations — is scoped to a tenant. No cross-tenant leakage at any layer.
API Keys Per Tenant
Generate multiple scoped API keys for a tenant. Each key can have restricted permissions and an expiry date. Revoke any key instantly.
Role-Based Access (Owner / Admin / Member)
Three roles control what users can do within a tenant. Owners manage billing and users. Admins manage agents and integrations. Members trigger and view executions.
Plan Enforcement
Starter plan: 3 agents, 5 schedules. Pro plan: unlimited agents, unlimited schedules. Limits are enforced at the API layer before resource creation.
Developer Experience
REST API, OpenAPI docs, Microsoft SSO, and password reset
REST API with OpenAPI / Swagger
Every operation is available via REST. Interactive API documentation at /docs. Use curl, Python, JavaScript, or any HTTP client.
Microsoft SSO via MSAL
Enterprise users sign in with their Microsoft 365 account. No separate password needed. Auto-creates a tenant on first sign-in.
Email Verification & Password Reset
Accounts require 6-digit code email verification on signup. Secure password reset links via Resend expire in 1 hour and can only be used once.
SQLite WAL for Durability
All state is persisted in SQLite with WAL (Write-Ahead Logging) mode. Crash recovery marks in-flight jobs as failed on restart, preserving data integrity.
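Query-level tenant scoping (Per-Tenant Isolation) and the WAL crash-recovery behaviour described above can be illustrated together. This is an added example, not ScriptMesh's own code; the `jobs` schema, `TenantJobs` and `open_store` are hypothetical names.

```python
import os
import sqlite3
import tempfile


class TenantJobs:
    """Job store whose every read and write is bound to one tenant_id."""

    def __init__(self, conn, tenant_id):
        self._conn, self._tenant = conn, tenant_id

    def create(self, job_id, script):
        self._conn.execute(
            "INSERT INTO jobs (job_id, tenant_id, script, status) "
            "VALUES (?, ?, ?, 'running')", (job_id, self._tenant, script))
        self._conn.commit()

    def get(self, job_id):
        # Knowing another tenant's job_id is not enough: tenant_id is always
        # part of the WHERE clause, so a foreign row simply does not match.
        return self._conn.execute(
            "SELECT job_id, script, status FROM jobs "
            "WHERE job_id = ? AND tenant_id = ?",
            (job_id, self._tenant)).fetchone()


def open_store(path):
    """Open the state file in WAL mode and run crash recovery (hypothetical schema)."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE IF NOT EXISTS jobs (job_id TEXT PRIMARY KEY, "
                 "tenant_id TEXT NOT NULL, script TEXT, status TEXT)")
    # Nothing can still be running when the process starts, so any job left
    # in 'running' was interrupted and is recorded as failed.
    conn.execute("UPDATE jobs SET status = 'failed' WHERE status = 'running'")
    conn.commit()
    return conn


def demo():
    """Constructed sample: two tenants, then a simulated restart."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "state.db")
        conn = open_store(path)
        TenantJobs(conn, "tenant-a").create("job-1", "backup")
        leaked = TenantJobs(conn, "tenant-b").get("job-1")
        conn.close()                 # stand-in for a crash mid-job
        conn = open_store(path)      # restart runs recovery
        recovered = TenantJobs(conn, "tenant-a").get("job-1")
        conn.close()
        return leaked, recovered
```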