@c0x12c/ai-toolkit 1.15.0

package/commands/spartan/tf-module.md

@@ -0,0 +1,121 @@
+---
+name: spartan:tf-module
+description: Create or extend a Terraform module with proper interface, docs, and examples
+argument-hint: "[module-name]"
+preamble-tier: 3
+---
+@rules/infrastructure/MODULES.md
+@rules/infrastructure/NAMING.md
+@rules/infrastructure/VARIABLES.md
+
+# Terraform Module: {{ args[0] | default: "new module" }}
+
+Create a reusable Terraform module following best practices.
+
+**Before creating, reference:** `terraform-module-creator` skill
+
+## Step 1: Determine Purpose
+
+Ask the user:
+
+> **What does this module manage?** Describe the AWS resources and their purpose.
+>
+> Examples: "RDS PostgreSQL instance with parameter group and subnet group",
+> "ECS service with task definition, ALB target group, and auto-scaling"
+
+## Step 2: Create Module Structure
+
+```
+modules/{module-name}/
+├── main.tf           # Resource definitions
+├── variables.tf      # Input variables
+├── outputs.tf        # Exported attributes
+├── versions.tf       # Required providers and terraform version
+├── locals.tf         # Computed values (if needed)
+└── README.md         # Auto-generated docs
+```
+
+## Step 3: Define the Interface
+
+### variables.tf
+
+Group variables logically with comments:
+
+```hcl
+# --- Required ---
+variable "name" {
+  description = "Name prefix for all resources"
+  type        = string
+}
+
+variable "environment" {
+  description = "Environment name (dev, staging, prod)"
+  type        = string
+}
+
+# --- Optional ---
+variable "tags" {
+  description = "Additional tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+```
+
+### outputs.tf
+
+Export everything downstream modules might need:
+
+```hcl
+output "id" {
+  description = "The ID of the primary resource"
+  value       = aws_resource.this.id
+}
+
+output "arn" {
+  description = "The ARN of the primary resource"
+  value       = aws_resource.this.arn
+}
+```
+
+## Step 4: Add Resources
+
+Write `main.tf` with:
+- Merge tags using `locals` — combine module defaults with user-provided tags
+- Use `for_each` over `count` when creating multiple similar resources
+- Reference variables — never hardcode values
+
+## Step 5: Set Provider Constraints
+
+```hcl
+# versions.tf
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
+```
+
+## Step 6: Validate
+
+```bash
+cd modules/{module-name}
+terraform init
+terraform validate
+terraform fmt -check
+```
+
+## Rules
+
+- One module = one logical concern (don't mix unrelated resources)
+- Every variable needs `description` and explicit `type`
+- Every output needs `description`
+- Use `locals` for tag merging and computed values
+- No provider blocks inside modules — let the caller configure providers
+- No backend blocks inside modules
+- Use `for_each` over `count` — it handles additions/removals without index shifting
+- Sensitive outputs must be marked `sensitive = true`

package/commands/spartan/tf-plan.md

@@ -0,0 +1,100 @@
+---
+name: spartan:tf-plan
+description: Guided terraform plan workflow — init, plan, review output, flag destructive changes
+argument-hint: "[environment]"
+preamble-tier: 2
+---
+@rules/infrastructure/STATE_AND_BACKEND.md
+
+# Terraform Plan: {{ args[0] | default: "target environment" }}
+
+Run a guided `terraform plan` with safety checks.
+
+## Step 1: Verify Working Directory
+
+```bash
+ls *.tf 2>/dev/null || echo "NO_TF_FILES"
+ls backend.tf 2>/dev/null || echo "NO_BACKEND"
+```
+
+If no `.tf` files found, ask the user to navigate to the correct environment directory (e.g., `live/dev/`).
+
+## Step 2: Check Backend Config
+
+```bash
+cat backend.tf
+```
+
+Verify:
+- Backend type is `s3` with DynamoDB lock table
+- Key path includes the environment name
+- Region is set
+
+## Step 3: Initialize
+
+```bash
+terraform init -backend-config=../../envs/{{ args[0] | default: "dev" }}.tfbackend
+```
+
+If init fails, check:
+- AWS credentials are configured (`aws sts get-caller-identity`)
+- Backend bucket and DynamoDB table exist
+- Network connectivity to AWS
+
+## Step 4: Run Plan
+
+```bash
+terraform plan \
+  -var-file=../../envs/{{ args[0] | default: "dev" }}.tfvars \
+  -out=tfplan \
+  -detailed-exitcode
+```
+
+Exit codes: `0` = no changes, `1` = error, `2` = changes present.
+
+## Step 5: Review Plan Output
+
+Analyze the plan and categorize changes:
+
+| Symbol | Meaning | Risk |
+|--------|---------|------|
+| `+` | Create | Low |
+| `~` | Update in-place | Medium |
+| `-/+` | Destroy and recreate | HIGH |
+| `-` | Destroy | CRITICAL |
+
+### Flag Destructive Changes
+
+If the plan shows `-/+` (replace) or `-` (destroy):
+
+> **WARNING: Destructive changes detected.**
+>
+> The following resources will be destroyed or replaced:
+> - `[resource address]` — [reason]
+>
+> Is this intentional? Common causes:
+> - Name change without `moved` block
+> - Force-new attribute changed (e.g., `name` on RDS)
+> - Provider upgrade changed resource schema
+
+## Step 6: Summary
+
+```
+## Plan Summary: {{ args[0] | default: "dev" }}
+
+- **Add:** [N] resources
+- **Change:** [N] resources
+- **Destroy:** [N] resources
+
+### Destructive changes: [none / list them]
+### Estimated impact: [low / medium / high]
+### Safe to apply: [yes / review destructive changes first]
+```
+
+## Rules
+
+- Never run `terraform apply` from this command — use `/spartan:tf-deploy` for that
+- Always use `-out=tfplan` to save the plan for exact apply
+- Always use `-var-file` — never rely on auto-loaded `.tfvars`
+- Flag every destroy or replace action explicitly
+- If credentials are missing, help the user configure them — don't proceed without auth

package/commands/spartan/tf-review.md

@@ -0,0 +1,106 @@
+---
+name: spartan:tf-review
+description: PR review for Terraform changes — 8-stage checklist covering structure, security, naming, and state safety
+argument-hint: "[optional: branch or PR]"
+preamble-tier: 3
+---
+@rules/infrastructure/STRUCTURE.md
+@rules/infrastructure/MODULES.md
+@rules/infrastructure/PROVIDERS.md
+@rules/infrastructure/NAMING.md
+
+# Terraform Review: {{ args[0] | default: "current changes" }}
+
+Perform a comprehensive review of Terraform changes.
+
+**Before reviewing, reference these infrastructure rules:**
+- `rules/infrastructure/STRUCTURE.md` — Directory layout and file organization
+- `rules/infrastructure/MODULES.md` — Module design and composition
+- `rules/infrastructure/NAMING.md` — Resource and variable naming
+- `rules/infrastructure/SECURITY.md` — IAM, encryption, network security
+- `rules/infrastructure/VARIABLES.md` — Variable definitions and validation
+- `rules/infrastructure/PROVIDERS.md` — Provider configuration and versioning
+- `rules/infrastructure/STATE_AND_BACKEND.md` — State management and locking
+
+## Review Checklist
+
+### Stage 1: Structure
+- [ ] Files follow standard layout (`main.tf`, `variables.tf`, `outputs.tf`, `versions.tf`)
+- [ ] Modules are in `modules/` directory, environments in `live/` or `envs/`
+- [ ] No monolithic files — resources grouped by logical concern
+- [ ] Backend config is separate per environment
+
+### Stage 2: State Safety
+- [ ] No resources moved or renamed without `moved` blocks or import
+- [ ] State backend uses S3 + DynamoDB lock table
+- [ ] No `terraform state` commands in scripts without safeguards
+- [ ] Destructive changes (replace, destroy) are intentional and documented
+- [ ] `prevent_destroy` lifecycle on critical resources (databases, S3 buckets)
+
+### Stage 3: Security
+- [ ] No secrets in `.tf` files or `.tfvars` committed to repo
+- [ ] IAM policies follow least privilege — no `*` actions or resources
+- [ ] Security groups restrict ingress to required ports only
+- [ ] Encryption enabled: RDS `storage_encrypted`, S3 `server_side_encryption`, EBS volumes
+- [ ] No public access unless explicitly required (S3 ACLs, RDS `publicly_accessible`)
+- [ ] KMS keys used for sensitive resources
+
+### Stage 4: Naming
+- [ ] Resources use consistent naming: `{project}-{env}-{service}-{resource}`
+- [ ] Variables are descriptive with `_` separators (not camelCase)
+- [ ] All resources tagged: `project`, `environment`, `service`, `managed_by`
+
+### Stage 5: Modules
+- [ ] Modules have a single responsibility
+- [ ] No provider blocks inside modules
+- [ ] No backend blocks inside modules
+- [ ] Variables have `description` and explicit `type`
+- [ ] Outputs have `description`
+- [ ] `for_each` preferred over `count`
+
+### Stage 6: Variables
+- [ ] All variables have `description` and `type`
+- [ ] Sensitive variables marked `sensitive = true`
+- [ ] Validation blocks for constrained inputs (environment names, CIDR blocks)
+- [ ] Defaults are sensible — no default for required values
+
+### Stage 7: Providers
+- [ ] Provider versions pinned with `>=` lower bound
+- [ ] `required_version` set for Terraform itself
+- [ ] No deprecated provider features used
+
+### Stage 8: CI/CD
+- [ ] Pipeline runs `fmt -check`, `validate`, `plan` on PR
+- [ ] Apply requires approval for production
+- [ ] Plan output is posted to PR for review
+
+## Output Format
+
+```
+## Terraform Review Summary
+
+### Approved / Needs Changes / Blocked
+
+### Critical Issues (must fix)
+- [issue with file:line reference]
+
+### State Safety Warnings
+- [any resource replacements or deletions flagged]
+
+### Security Findings
+- [IAM, network, encryption issues]
+
+### Suggestions (nice to have)
+- [improvements]
+
+### Verdict
+[Final recommendation]
+```
+
+## Rules
+
+- Always use `git diff` to inspect actual changes — don't guess from filenames
+- Every finding must include file:line reference
+- Flag ALL destructive plan actions (destroy, replace) as critical unless justified
+- Separate "must fix" from "nice to have" — don't block PRs on formatting
+- Check `.tfvars` files for accidentally committed secrets

package/commands/spartan/tf-scaffold.md

@@ -0,0 +1,109 @@
+---
+name: spartan:tf-scaffold
+description: Scaffold service-level Terraform with live/, modules/, envs/ structure and CI/CD
+argument-hint: "[service-name]"
+preamble-tier: 3
+---
+@rules/infrastructure/STRUCTURE.md
+@rules/infrastructure/NAMING.md
+@rules/infrastructure/VARIABLES.md
+
+# Terraform Scaffold: {{ args[0] | default: "new service" }}
+
+Scaffold production-ready Terraform infrastructure for a service.
+
+**Before scaffolding, reference:** `terraform-service-scaffold` skill
+
+## Step 1: Gather Requirements
+
+Ask the user:
+
+> **Container host:** Which platform runs this service?
+>
+> I'd go with **A** — ECS is simpler for single-service deployments.
+>
+> - **A) ECS Fargate** — serverless containers, simpler ops
+> - **B) EKS** — Kubernetes, more control, higher complexity
+> - **C) Other** — specify (Lambda, EC2, etc.)
+
+> **Resources needed:** What does this service depend on?
+> - Database (RDS PostgreSQL / Aurora)
+> - Cache (ElastiCache Redis)
+> - Queue (SQS)
+> - Object storage (S3)
+> - CDN (CloudFront)
+> - Other
+
+## Step 2: Detect Infrastructure Remote State
+
+```bash
+# Check for existing infra state
+find . -name "backend.tf" -o -name "*.tfbackend" 2>/dev/null | head -20
+find . -name "remote-state*" -o -name "terraform.tfstate" 2>/dev/null | head -20
+```
+
+Identify the remote state backend pattern (S3 + DynamoDB lock table) and region convention.
+
+## Step 3: Scaffold Directory Structure
+
+Create the standard layout:
+
+```
+{service}/
+├── live/
+│   ├── dev/
+│   │   ├── main.tf
+│   │   ├── variables.tf
+│   │   ├── outputs.tf
+│   │   ├── backend.tf
+│   │   └── dev.tfvars
+│   ├── staging/
+│   │   └── ... (same structure)
+│   └── prod/
+│       └── ... (same structure)
+├── modules/
+│   ├── service/          # ECS/EKS task + service
+│   ├── networking/       # Security groups, ALB target groups
+│   └── {resource}/       # One module per resource type
+└── envs/
+    ├── dev.tfvars
+    ├── staging.tfvars
+    └── prod.tfvars
+```
+
+## Step 4: Generate Module Stubs
+
+For each resource the user selected, create a module with:
+- `main.tf` — resource definitions
+- `variables.tf` — input variables with descriptions and types
+- `outputs.tf` — exported values other modules consume
+
+## Step 5: Wire Up Live Environments
+
+Each environment's `main.tf` calls modules with environment-specific values. Use `data` sources to reference shared infrastructure (VPC, subnets, DNS).
+
+## Step 6: Generate CI/CD Pipeline
+
+Create pipeline config that runs:
+1. `terraform fmt -check`
+2. `terraform validate`
+3. `terraform plan` (on PR)
+4. `terraform apply` (on merge to main, with approval gate for prod)
+
+## Step 7: Verify
+
+```bash
+cd {service}/live/dev
+terraform init
+terraform validate
+terraform plan -var-file=../../envs/dev.tfvars
+```
+
+## Rules
+
+- Every variable must have a `description` and explicit `type`
+- Use `locals` for computed values — never repeat expressions
+- Remote state backend must use S3 + DynamoDB lock table
+- Environment differences live in `.tfvars` files, not conditionals
+- Tag all resources with `project`, `environment`, `service`, `managed_by = "terraform"`
+- Never hardcode AWS account IDs, regions, or resource ARNs

package/commands/spartan/tf-security.md

@@ -0,0 +1,147 @@
+---
+name: spartan:tf-security
+description: Security audit across IAM, networking, encryption, secrets, access control, and compliance
+argument-hint: "[optional: focus-area]"
+preamble-tier: 3
+---
+@rules/infrastructure/SECURITY.md
+
+# Terraform Security Audit: {{ args[0] | default: "full audit" }}
+
+Run a comprehensive security audit on Terraform infrastructure code.
+
+**Before auditing, reference:** `terraform-security-audit` skill
+
+## Audit Scope
+
+If a focus area is provided, audit only that area. Otherwise, run all 6 stages.
+
+Focus areas: `iam`, `network`, `encryption`, `secrets`, `access`, `compliance`
+
+## Stage 1: IAM
+
+```bash
+grep -rn "aws_iam" *.tf modules/ 2>/dev/null
+```
+
+Check for:
+- [ ] No `"*"` in IAM policy actions — use specific actions
+- [ ] No `"*"` in IAM policy resources — scope to specific ARNs
+- [ ] Roles use `assume_role_policy` with specific principals (not `"*"`)
+- [ ] Service roles follow least privilege
+- [ ] No inline policies on users — use groups or roles
+- [ ] MFA condition on sensitive operations
+- [ ] IAM policies use conditions where applicable (`aws:SourceIp`, `aws:PrincipalOrgID`)
+
+### Common Violations
+
+```hcl
+# WRONG — too permissive
+statement {
+  actions   = ["*"]
+  resources = ["*"]
+}
+
+# CORRECT — scoped
+statement {
+  actions   = ["s3:GetObject", "s3:PutObject"]
+  resources = ["arn:aws:s3:::{project}-{env}-*/*"]
+}
+```
+
+## Stage 2: Network
+
+```bash
+grep -rn "aws_security_group" *.tf modules/ 2>/dev/null
+grep -rn "cidr_blocks" *.tf modules/ 2>/dev/null
+```
+
+Check for:
+- [ ] No `0.0.0.0/0` ingress on non-public ports (only 80/443 for ALB)
+- [ ] No `0.0.0.0/0` egress unless justified
+- [ ] Database security groups only allow app security group ingress
+- [ ] SSH access (port 22) restricted to VPN/bastion CIDR
+- [ ] Security group descriptions are meaningful
+- [ ] VPC flow logs enabled
+
+## Stage 3: Encryption
+
+```bash
+grep -rn "encrypted\|kms\|server_side_encryption" *.tf modules/ 2>/dev/null
+```
+
+Check for:
+- [ ] RDS: `storage_encrypted = true`
+- [ ] S3: `server_side_encryption_configuration` block present
+- [ ] EBS: `encrypted = true` on volumes
+- [ ] ElastiCache: `transit_encryption_enabled = true`, `at_rest_encryption_enabled = true`
+- [ ] Secrets Manager / SSM Parameter Store: KMS key specified
+- [ ] ALB: HTTPS listeners with TLS 1.2+ policy
+
+## Stage 4: Secrets
+
+```bash
+grep -rn "password\|secret\|api_key\|token\|credential" *.tf *.tfvars 2>/dev/null
+```
+
+Check for:
+- [ ] No plaintext secrets in `.tf` files
+- [ ] No secrets in `.tfvars` committed to git
+- [ ] Secrets referenced via `aws_secretsmanager_secret` or `aws_ssm_parameter`
+- [ ] Sensitive variables marked `sensitive = true`
+- [ ] Sensitive outputs marked `sensitive = true`
+- [ ] `.gitignore` includes `*.tfvars` (or only example tfvars are committed)
+
+## Stage 5: Access Control
+
+```bash
+grep -rn "publicly_accessible\|public_access\|acl" *.tf modules/ 2>/dev/null
+```
+
+Check for:
+- [ ] RDS: `publicly_accessible = false`
+- [ ] S3: `block_public_acls = true`, `block_public_policy = true`
+- [ ] ElastiCache: not in public subnet
+- [ ] EKS: API server endpoint not public (or restricted by CIDR)
+- [ ] Resources in private subnets where possible
+
+## Stage 6: Compliance
+
+Check for:
+- [ ] All resources tagged: `project`, `environment`, `service`, `managed_by`
+- [ ] Logging enabled: CloudTrail, ALB access logs, S3 access logs
+- [ ] Backup configured: RDS automated backups, S3 versioning
+- [ ] `prevent_destroy` on stateful resources (databases, S3 buckets with data)
+- [ ] Terraform state bucket has versioning and encryption enabled
+
+## Output Format
+
+```
+## Security Audit Results
+
+### Critical (must fix before deploy)
+- [finding with file:line reference]
+
+### High (fix in next PR)
+- [finding with file:line reference]
+
+### Medium (plan to address)
+- [finding]
+
+### Low (nice to have)
+- [finding]
+
+### Passed Checks
+- [what looks good]
+
+### Score: [X/6 stages passed without critical findings]
+```
+
+## Rules
+
+- Every finding must include file:line reference
+- Critical findings block deployment — no exceptions
+- Check `.tfvars` files for secrets even if they're in `.gitignore`
+- `0.0.0.0/0` ingress is only acceptable on ALB ports 80/443
+- `"*"` in IAM actions/resources is always a critical finding
+- Praise good security patterns — teams should know what they're doing right