SkyfloDocs
ConceptsExecution Model

Execution Model

Skyflo uses a graph-based workflow powered by LangGraph. The workflow enforces a deterministic loop for every infrastructure change. Not a single LLM call. A compiled graph with distinct phases: Plan → Approve → Execute → Verify.

Overview

The execution model is the core differentiator. Every operation flows through the same control loop. Read operations can auto-continue. Mutations always pause for explicit approval.

Plan

The agent analyzes your natural language to determine intent. Performs lightweight discovery when needed. Produces structured tool calls for execution.

Planning happens in the model phase. The LLM receives context (cluster state, prior tool results) and outputs typed MCP tool invocations. No prompt-hacking. Schema-validated parameters.

Approve

Every mutating tool call requires explicit approval before execution. Read-only operations flow freely. The approval gate is driven by MCP tool annotations (readOnlyHint, destructiveHint). Approval enforcement is implemented in the Engine runtime and cannot be disabled through configuration.

When the agent proposes a mutation, the Command Center surfaces the plan. You approve or reject. No shortcuts. No "trust mode" that bypasses the gate.

Execute

Tools run via MCP inside the MCP server container. Supports kubectl (22 tools), Helm (16), Argo (13), Jenkins (13). Streams progress and results in real-time via SSE.

Each tool receives schema-validated inputs matching only the parameters it declares. No raw shell injection. No arbitrary command execution.

Verify

The agent evaluates outcomes against original intent. Decides whether to auto-continue, request approval, or stop. Routes context back to the model for refinement if issues are detected.

Verification is not a separate human step. The model consumes tool results and determines next actions. For mutations, the next action is always "wait for approval" before any further writes.

Persistence

Persistence is separate from the control loop. Every tool call, its parameters, and results are stored. This supports audit and replay. You can trace who asked, what was planned, who approved, and what executed.

Persistence is append-only. No deletion of audit records. Exportable for compliance.

Auto-Continue

The engine can decide to continue automatically for read operations. Discovery, logs, status checks. These flow through without approval.

Exec operations are treated as read-only by default but depend on the command executed.

For mutations, the engine always pauses. Apply, scale, rollback, delete, upgrade. Every write waits for explicit approval.