This document explains what happens when SPP runs a custom platform script — from the moment you upload a JSON file to the moment a task executes against a target system.
When you upload a script (via the web UI or Import-SafeguardCustomPlatformScript), SPP performs these steps in order:
- JSON parse — The file must be valid JSON. Syntax errors are rejected immediately.
- Structure validation — SPP checks for required top-level keys (
Id,BackEnd). Operations and functions are validated for correct structure butParametersdefaults to an empty array andDomay be absent. - Parameter type checking — Each parameter is validated against known types (string, boolean, integer, password/secret). Reserved parameter names are matched against their expected types.
- Import expansion — If the script declares
Imports, SPP locates the referenced function libraries and loads their function definitions into memory for runtime use. The imported functions are not serialized into the stored definition. - Feature flag derivation — SPP scans the operations present in the script and sets capability flags automatically. See Feature Flags.
- Storage — The validated script is stored in the SPP database and the platform is ready for use.
When SPP needs to perform an operation (e.g., a scheduled password check), this is the execution flow:
SPP determines which operation to call based on the task type:
- A password check task invokes
CheckPassword - A password change task invokes
ChangePassword - An account discovery task invokes
DiscoverAccounts - And so on for the other supported operations
SPP auto-populates reserved parameters from the asset and account configuration:
Address← asset network addressPort← asset connection portFuncUserName/FuncPassword← service account credentialsAccountUserName/AccountPassword← managed account credentialsNewPassword← the SPP-generated replacement password (for change operations)
Custom parameters retain their configured default values unless overridden at the asset level.
The scripting engine processes the operation's Do array sequentially:
- Each command in the
Doarray is executed in order. - Variable interpolation (
%VariableName%) is resolved at execution time. - Commands may set variables, make connections, send data, or branch execution.
- Flow control commands (
Condition,Switch,For,ForEach) alter the execution path. - Functions can be called and may return values.
- Error handling (
Try/Catch) provides recovery paths.
The operation result is determined by:
- Success — The
Doblock completes with result typeOk. For check operations (e.g.,CheckPassword), the boolean return value indicates the check outcome (match vs. mismatch) but the operation itself succeeds either way when the result type isOk. - Failure — The result type is not
Ok, the return data cannot be parsed as a boolean, or an unhandled exception escapes theDoblock.
For discovery operations, success is determined by the result type and return value, not by whether WriteDiscoveredAccount (or WriteDiscoveredService) was called.
For SSH operations, the connection lifecycle is:
Connectopens the SSH session (interactive or batch mode)- Commands interact with the remote system
Disconnectcloses the session- If the script ends without
Disconnect, the engine cleans up automatically
For HTTP operations, there is no persistent connection — each Request is independent (though cookies and session state persist across requests within a single operation execution).
When a script declares Imports, the referenced function libraries are loaded into memory at upload time. At runtime, these imported functions are available for the script to call just like locally-defined functions.
Import libraries provide reusable patterns for common tasks (e.g., SSH login sequences, privilege escalation, output parsing). See Imports Reference for the full catalog.
Errors propagate up the call stack:
- A command fails or
Throwis called - If inside a
Tryblock, execution jumps to theCatchblock - If not caught, the error propagates to the calling function
- If uncaught at the top level, the operation fails
The task log captures all errors and, with ExtendedLogging enabled, captures the full execution trace.
- Architecture — high-level overview
- Feature Flags — how capabilities are derived
- Operations Reference — all 24 supported operations
- Testing and Debugging — how to diagnose execution issues