Infrastructure Automation with Guardrails

Manage infrastructure.
Not tooling.

envrun translates human intent into controlled infrastructure actions — across cloud, hypervisors, network devices, and operational workflows. Every action is planned, confirmed, and auditable.

envrun — session
~ envrun "migrate VMs from cluster-3 to cluster-7"
planning...
┌ Migration Plan
│ 12 VMs across 3 hosts
│ target: cluster-7 (64 cores, 128GB free)
│ method: live migration, minimal downtime
│ estimated: ~8 minutes
confirm? [y/n] y
✓ 12/12 migrated — audit log: run-2847
~ envrun run --runbook dns-cutover --target prod-eu
loading runbook...
✓ 4 steps validated
executing step 1/4...
~
Infrastructure tooling
is stuck in 2015.

Your cloud has an API. Your hypervisor has a different API. Your network switches speak yet another language. Your databases, DNS, certificates, firewalls, backup jobs, DR runbooks — each with its own interface, its own logic, its own failure modes.

So you write scripts. Dozens of them. They break silently. They drift. Your backups run — you think — but nobody's tested a restore in months. Your DR plan is a wiki page from 2023. Nobody knows what any of it does at 3am when something goes wrong.

The tools we use to manage infrastructure haven't kept up with the infrastructure itself.

Cloud
VMs
Network
Databases
DNS
Firewalls
Backups
DR
Intent in.
Governed execution out.

Natural language or CLI — envrun accepts both. The result is always the same: a governed, auditable execution pipeline.

1. You describe what you want
Describe the outcome you need, in natural language or as a CLI command. The LLM translates your intent into a concrete, reviewable action plan.
2. envrun shows you the plan
Before anything executes, you see exactly what will happen: which systems, which API calls, what changes, what rollback looks like. Destructive actions are flagged. Nothing runs without your explicit confirmation.
3. Execution through approved connectors
Actions run through scoped connectors with least-privilege credentials, not raw API keys. Every run is logged end-to-end: inputs, the generated plan, approvals, tool calls, and outputs. That lets you audit what happened and re-run the same workflow when conditions support it.
envrun — workflow
~ envrun "rotate db credentials for prod"
┌ Credential Rotation Plan
│ target: prod-db-01, prod-db-02
│ connector: postgres (scoped: rotate)
│ steps:
│ 1. generate new credentials
│ 2. update vault entries
│ 3. rolling restart app pools
│ 4. revoke old credentials
│ rollback: automatic where supported
⚠ destructive: revokes active creds
confirm? [y/n] y
✓ step 1/4 — credentials generated
✓ step 2/4 — vault updated
✓ step 3/4 — app pools restarted
✓ step 4/4 — old creds revoked
done — audit log: run-2851
One tool.
Every layer of your stack.

Cloud, compute, network, data, backups, disaster recovery — managed through one interface with consistent behavior and full audit trails.

Cloud Resources
Provision, modify, and decommission across AWS, Azure, GCP, and private clouds. One interface, consistent behavior.
cloud
Hypervisors
Manage VMware, Hyper-V, and Proxmox. Migrations, snapshots, resource allocation — without vendor-specific scripts.
compute
Network Devices
Configure switches, firewalls, load balancers, and DNS. Changes are planned and diffed before they touch the network.
network
Databases
Schema operations, credential rotation, automated backups with restore verification. Failovers planned, diffed, and tested — not hoped for.
data
Operational Workflows
Runbooks, backup schedules, DR failovers, maintenance windows. Chain multi-step operations with confirmation gates — rehearsed and executable, not a wiki page from 2023.
ops
Audit & Compliance
Every action logged. Every run recorded and replayable. Full trail from the why (intent) to the what (execution) — know not just what changed, but who asked for it and why.
governance
AI proposes. You decide.
The system enforces.
Most "AI automation" tools give you a black box and hope for the best. envrun separates intelligence from execution. LLMs translate intent into proposed plans — they hold no connector credentials and cannot execute actions. The execution engine enforces policy, permissions, and validation. Tool calls are permission-checked, parameter-validated, and fully logged.
Plan before execute
Every command produces a plan first. Execution requires explicit approval.
Explicit confirmation
Destructive actions require human sign-off. No silent mutations, no surprise deletions.
Scoped credentials
Connectors use least-privilege access. No shared admin keys, no ambient authority.
Full audit trail
Inputs, plan, tool calls, outputs — logged end-to-end. Reviewable. Replayable. Exportable.
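The separation described above, sketched as an added example (not envrun's code or API): the proposed plan is treated as untrusted input, and a separate engine checks connector scope, plan approval and destructive confirmation before any step runs, logging every attempt. All type, function and action names are hypothetical, and the connector scope is a constructed sample.

```rust
// Added illustration: every type and name is hypothetical, not envrun's API.
use std::collections::HashMap;
#[derive(Debug, PartialEq)]
pub enum Verdict { Executed, DeniedScope, NeedsApproval, NeedsDestructiveConfirm }
pub struct Step { pub connector: &'static str, pub action: &'static str, pub destructive: bool }
pub struct Approval { pub plan: bool, pub destructive: bool }
pub struct Engine {
    scopes: HashMap<&'static str, Vec<&'static str>>, // connector -> permitted actions
    pub audit: Vec<String>,
}

impl Engine {
    pub fn new(scopes: HashMap<&'static str, Vec<&'static str>>) -> Self {
        Engine { scopes, audit: Vec::new() }
    }
    fn in_scope(&self, s: &Step) -> bool {
        self.scopes.get(s.connector).map_or(false, |a| a.contains(&s.action))
    }
    // The plan comes from the planner and is untrusted; no step runs until all checks pass.
    pub fn run(&mut self, intent: &str, plan: &[Step], ok: &Approval) -> Verdict {
        self.audit.push(format!("intent={:?} steps={}", intent, plan.len()));
        let verdict = if plan.iter().any(|s| !self.in_scope(s)) {
            Verdict::DeniedScope // one out-of-scope step rejects the whole plan
        } else if !ok.plan {
            Verdict::NeedsApproval
        } else if plan.iter().any(|s| s.destructive) && !ok.destructive {
            Verdict::NeedsDestructiveConfirm
        } else {
            for s in plan {
                // A real connector call using its own scoped credential would go here.
                self.audit.push(format!("exec {}:{}", s.connector, s.action));
            }
            Verdict::Executed
        };
        self.audit.push(format!("verdict={:?}", verdict));
        verdict
    }
}

// Constructed sample: a postgres connector scoped to credential rotation only.
pub fn sample_engine() -> Engine {
    Engine::new(HashMap::from([("postgres", vec!["rotate_credentials"])]))
}

fn main() {
    let mut e = sample_engine();
    let plan = [Step { connector: "postgres", action: "rotate_credentials", destructive: true }];
    let ok = Approval { plan: true, destructive: false };
    println!("{:?}", e.run("rotate db credentials for prod", &plan, &ok));
}
```

Because scope is checked across the whole plan first, a plan that mixes permitted and unpermitted steps executes nothing, and the denial still lands in the audit log.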
Fast. Predictable.
No runtime surprises.
Single binary
No microservices, no container orchestration, no dependency trees. Download one binary, run it. That's the deployment.
No garbage collector
Predictable performance under load. No GC pauses when you're managing 2,000 machines at 3am.
Type-safe execution
The Rust type system catches many bugs before production does. Fewer surprises where surprises cost real money.
install + status
~ curl -fsSL https://envrun.com/install | sh
✓ envrun v0.9.2 (linux-amd64, 14MB)
~ envrun --version
envrun 0.9.2 (rustc 1.82, built 2026-03-01)
~ envrun status
connectors: 4 active
vmware ✓ vcenter-01.internal
aws ✓ eu-central-1
cloudflare ✓ zone: example.com
postgres ✓ prod-db-01
last run: run-2847 (success, 12m ago)
Built for teams where
downtime means lost revenue.
Infrastructure & Platform teams
Managing hybrid environments across cloud, on-prem, and edge. Tired of gluing together 15 different tools.
IT Operations at scale
Thousands of machines, dozens of sites, real SLAs. You need automation that's auditable, not just fast.
Engineering leadership
Looking for infrastructure automation that won't become the next risk on your security review.
Solo-founded from Prague.

envrun is built by Bohemia Systems — a one-person infrastructure automation company. 10+ years in enterprise IT, from support desks to architecture boards across manufacturing, telecom, and global operations. Every feature in envrun comes from a problem hit in production, under pressure, with real consequences.

Ready to stop scripting
and start governing?

envrun is in early access. If you're managing critical infrastructure and want automation you can actually trust — let's talk.