CICDee stores deploy intent and evidence. Windmill or an installed runner performs host-side execution.
The preferred path is private runner or agent execution. Public SSH is not the default architecture.
Dangerous hooks are detected before save, destructive commands are blocked, and tokens/passwords/private material are redacted in UI output.