Runbooks
Chain tools into repeatable workflows with per-step permission gating and continue_on logic.
Anatomy of a runbook
A runbook is an ordered list of steps. Each step picks a tool from the catalog (DNS tools, network tools, integrations) and binds its parameters. At run time Meridian:
- Checks the invoking user holds the tool's
required_permission. Skips any step the user cannot run (recorded in the run log as "skipped"). - Executes the step. Captures output, exit status, duration.
- Applies continue_on: if the step's outcome is worse than the configured threshold (e.g.
continue_on = "ok"stops at first warn/fail), the runbook short-circuits.
Shared vs private
A private runbook is only visible to its owner. A shared runbook is visible and runnable by anyone with the component permissions. Only admins can toggle the shared flag on someone else's runbook.
Common patterns
- Incident triage — ping the host, HTTP test the app, dig the DNS, check cert expiry. Stop on first warn for a fast answer.
- New-domain checklist — dig NS/SOA/MX/TXT, AXFR audit, DNSSEC chain, crt.sh history, WHOIS. Always run all.
- Pre-deploy sanity — port scan the target, HTTP 200 check, cert expiry check.
Gotchas
- You can't run a runbook until it has been saved. The Run button shows a warning until you do.
- Run history lives in the
runbook_runstable. You can review prior step-by-step output at any time.