npm - @intentius/chant-lexicon-k8s - Versions diffs - 0.0.15 → 0.0.16 - Mend

@intentius/chant-lexicon-k8s 0.0.15 → 0.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/dist/integrity.json +4 -3
package/dist/manifest.json +1 -1
package/dist/rules/latest-image-tag.ts +121 -0
package/dist/rules/missing-resource-limits.ts +111 -0
package/package.json +1 -1
package/src/composites/agic-ingress.ts +0 -1
package/src/composites/aks-external-dns-agent.ts +199 -0
package/src/composites/azure-monitor-collector.ts +2 -2
package/src/composites/composites.test.ts +359 -0
package/src/composites/gce-ingress.ts +143 -0
package/src/composites/gke-external-dns-agent.ts +175 -0
package/src/composites/gke-fluent-bit-agent.ts +219 -0
package/src/composites/gke-otel-collector.ts +229 -0
package/src/composites/index.ts +12 -0
package/src/index.ts +14 -0
package/src/lint/rules/latest-image-tag.ts +121 -0
package/src/lint/rules/missing-resource-limits.ts +111 -0
package/src/lint/rules/rules.test.ts +192 -0
package/src/plugin.ts +125 -208
package/src/skills/chant-k8s-aks.md +146 -0
package/src/skills/chant-k8s-gke.md +191 -0
package/src/skills/kubernetes-patterns.md +183 -0
package/src/skills/kubernetes-security.md +237 -0
/package/{dist → src}/skills/chant-k8s-eks.md +0 -0

package/src/lint/rules/missing-resource-limits.ts ADDED Viewed

@@ -0,0 +1,111 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+/**
+ * WK8003: Missing Resource Limits
+ *
+ * Detects when a container in a Deployment/StatefulSet spec doesn't have
+ * resource limits or requests. Without resource limits, a container can
+ * consume unbounded cluster resources and cause noisy-neighbour issues.
+ *
+ * Bad:  new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "app:1.0" }] } } } })
+ * Good: new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "app:1.0", resources: { limits: { cpu: "500m", memory: "256Mi" } } }] } } } })
+ */
+const WORKLOAD_KINDS = new Set([
+  "Deployment",
+  "StatefulSet",
+  "DaemonSet",
+  "CronJob",
+  "Job",
+  "ReplicaSet",
+]);
+export const missingResourceLimitsRule: LintRule = {
+  id: "WK8003",
+  severity: "warning",
+  category: "correctness",
+  description:
+    "Detects containers without resource limits/requests — always set resource constraints",
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+    function isInsideWorkloadConstructor(node: ts.Node): boolean {
+      let current: ts.Node | undefined = node.parent;
+      while (current) {
+        if (
+          ts.isNewExpression(current) &&
+          ts.isIdentifier(current.expression) &&
+          WORKLOAD_KINDS.has(current.expression.text)
+        ) {
+          return true;
+        }
+        current = current.parent;
+      }
+      return false;
+    }
+    function objectLiteralHasProperty(
+      obj: ts.ObjectLiteralExpression,
+      name: string,
+    ): boolean {
+      return obj.properties.some(
+        (p) =>
+          ts.isPropertyAssignment(p) &&
+          ts.isIdentifier(p.name) &&
+          p.name.text === name,
+      );
+    }
+    function visit(node: ts.Node): void {
+      // Look for object literals inside arrays that represent container specs.
+      // A container object literal typically has "name" and "image" properties.
+      // We flag it if it lacks a "resources" property.
+      if (
+        ts.isObjectLiteralExpression(node) &&
+        isInsideWorkloadConstructor(node)
+      ) {
+        const hasName = objectLiteralHasProperty(node, "name");
+        const hasImage = objectLiteralHasProperty(node, "image");
+        const hasResources = objectLiteralHasProperty(node, "resources");
+        if (hasName && hasImage && !hasResources) {
+          // Confirm we're inside an array literal (containers array)
+          if (node.parent && ts.isArrayLiteralExpression(node.parent)) {
+            const { line, character } =
+              sourceFile.getLineAndCharacterOfPosition(node.getStart());
+            // Try to extract the container name for a better message
+            let containerName = "unknown";
+            for (const prop of node.properties) {
+              if (
+                ts.isPropertyAssignment(prop) &&
+                ts.isIdentifier(prop.name) &&
+                prop.name.text === "name" &&
+                ts.isStringLiteral(prop.initializer)
+              ) {
+                containerName = prop.initializer.text;
+                break;
+              }
+            }
+            diagnostics.push({
+              file: sourceFile.fileName,
+              line: line + 1,
+              column: character + 1,
+              ruleId: "WK8003",
+              severity: "warning",
+              message: `Container "${containerName}" is missing resource limits/requests. Set resources.limits and resources.requests to prevent unbounded resource consumption.`,
+            });
+          }
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/src/lint/rules/rules.test.ts CHANGED Viewed

@@ -1,5 +1,7 @@
 import { describe, test, expect } from "bun:test";
 import { hardcodedNamespaceRule } from "./hardcoded-namespace";
+import { latestImageTagRule } from "./latest-image-tag";
+import { missingResourceLimitsRule } from "./missing-resource-limits";
 import * as ts from "typescript";
 function createContext(code: string) {
@@ -67,3 +69,193 @@ describe("WK8001: Hardcoded Namespace", () => {
     expect(diags.length).toBe(2);
   });
 });
+// ── WK8002: Latest Image Tag ────────────────────────────────────────
+describe("WK8002: Latest Image Tag", () => {
+  test("rule metadata", () => {
+    expect(latestImageTagRule.id).toBe("WK8002");
+    expect(latestImageTagRule.severity).toBe("warning");
+    expect(latestImageTagRule.category).toBe("security");
+  });
+  test("flags image: 'nginx:latest'", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "nginx:latest" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].ruleId).toBe("WK8002");
+    expect(diags[0].message).toContain(":latest");
+  });
+  test("flags untagged image: 'nginx'", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "nginx" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].ruleId).toBe("WK8002");
+    expect(diags[0].message).toContain("no tag");
+  });
+  test("flags registry-prefixed untagged image: 'ghcr.io/org/app'", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "ghcr.io/org/app" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+  });
+  test("does NOT flag explicitly tagged image: 'nginx:1.25'", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "nginx:1.25" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+  test("does NOT flag image with digest", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "nginx@sha256:abc123" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+  test("flags :latest in StatefulSet", () => {
+    const ctx = createContext(
+      `new StatefulSet({ spec: { template: { spec: { containers: [{ name: "db", image: "postgres:latest" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+  });
+  test("flags :latest in DaemonSet", () => {
+    const ctx = createContext(
+      `new DaemonSet({ spec: { template: { spec: { containers: [{ name: "agent", image: "datadog:latest" }] } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+  });
+  test("flags :latest in CronJob", () => {
+    const ctx = createContext(
+      `new CronJob({ spec: { jobTemplate: { spec: { template: { spec: { containers: [{ name: "job", image: "worker:latest" }] } } } } } });`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(1);
+  });
+  test("does NOT flag image property outside workload constructor", () => {
+    const ctx = createContext(
+      `const config = { image: "nginx:latest" };`,
+    );
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+  test("flags multiple containers with bad images", () => {
+    const ctx = createContext(`
+      new Deployment({
+        spec: {
+          template: {
+            spec: {
+              containers: [
+                { name: "app", image: "nginx:latest" },
+                { name: "sidecar", image: "envoy" },
+              ],
+            },
+          },
+        },
+      });
+    `);
+    const diags = latestImageTagRule.check(ctx);
+    expect(diags.length).toBe(2);
+  });
+});
+// ── WK8003: Missing Resource Limits ─────────────────────────────────
+describe("WK8003: Missing Resource Limits", () => {
+  test("rule metadata", () => {
+    expect(missingResourceLimitsRule.id).toBe("WK8003");
+    expect(missingResourceLimitsRule.severity).toBe("warning");
+    expect(missingResourceLimitsRule.category).toBe("correctness");
+  });
+  test("flags container without resources property", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "app:1.0" }] } } } });`,
+    );
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].ruleId).toBe("WK8003");
+    expect(diags[0].message).toContain("app");
+    expect(diags[0].message).toContain("resource limits");
+  });
+  test("does NOT flag container with resources property", () => {
+    const ctx = createContext(
+      `new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "app:1.0", resources: { limits: { cpu: "500m", memory: "256Mi" } } }] } } } });`,
+    );
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+  test("flags container in StatefulSet", () => {
+    const ctx = createContext(
+      `new StatefulSet({ spec: { template: { spec: { containers: [{ name: "db", image: "postgres:15" }] } } } });`,
+    );
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].message).toContain("db");
+  });
+  test("flags only containers without resources in mixed array", () => {
+    const ctx = createContext(`
+      new Deployment({
+        spec: {
+          template: {
+            spec: {
+              containers: [
+                { name: "app", image: "app:1.0", resources: { limits: { cpu: "1" } } },
+                { name: "sidecar", image: "envoy:1.0" },
+              ],
+            },
+          },
+        },
+      });
+    `);
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].message).toContain("sidecar");
+  });
+  test("does NOT flag outside workload constructor", () => {
+    const ctx = createContext(
+      `const containers = [{ name: "app", image: "app:1.0" }];`,
+    );
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+  test("flags multiple containers without resources", () => {
+    const ctx = createContext(`
+      new Deployment({
+        spec: {
+          template: {
+            spec: {
+              containers: [
+                { name: "web", image: "nginx:1.25" },
+                { name: "api", image: "api:2.0" },
+              ],
+            },
+          },
+        },
+      });
+    `);
+    const diags = missingResourceLimitsRule.check(ctx);
+    expect(diags.length).toBe(2);
+  });
+});

package/src/plugin.ts CHANGED Viewed

@@ -18,7 +18,9 @@ export const k8sPlugin: LexiconPlugin = {
   lintRules(): LintRule[] {
     const { hardcodedNamespaceRule } = require("./lint/rules/hardcoded-namespace");
-    return [hardcodedNamespaceRule];
+    const { latestImageTagRule } = require("./lint/rules/latest-image-tag");
+    const { missingResourceLimitsRule } = require("./lint/rules/missing-resource-limits");
+    return [hardcodedNamespaceRule, latestImageTagRule, missingResourceLimitsRule];
   },
   postSynthChecks(): PostSynthCheck[] {
@@ -715,213 +717,6 @@ const { job, serviceAccount, role, roleBinding } = BatchJob({
   command: ["python", "manage.py", "migrate"],
   backoffLimit: 3,
   ttlSecondsAfterFinished: 3600,
-});`,
-          },
-        ],
-      },
-      {
-        name: "chant-k8s-eks",
-        description: "EKS-specific Kubernetes composites — IRSA, ALB, EBS/EFS, Fluent Bit, ExternalDNS, ADOT",
-        content: `---
-skill: chant-k8s-eks
-description: EKS-specific Kubernetes patterns and composites
-user-invocable: true
----
-# EKS Kubernetes Patterns
-## EKS Composites Overview
-These composites produce K8s YAML with EKS-specific annotations and configurations.
-### IrsaServiceAccount — ServiceAccount with IAM Role annotation
-\`\`\`typescript
-import { IrsaServiceAccount } from "@intentius/chant-lexicon-k8s";
-const { serviceAccount, role, roleBinding } = IrsaServiceAccount({
-  name: "app-sa",
-  iamRoleArn: "arn:aws:iam::123456789012:role/my-app-role",
-  rbacRules: [
-    { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
-  ],
-  namespace: "prod",
-});
-\`\`\`
-### AlbIngress — Ingress with AWS ALB Controller annotations
-\`\`\`typescript
-import { AlbIngress } from "@intentius/chant-lexicon-k8s";
-const { ingress } = AlbIngress({
-  name: "api-ingress",
-  hosts: [
-    {
-      hostname: "api.example.com",
-      paths: [{ path: "/", serviceName: "api", servicePort: 80 }],
-    },
-  ],
-  scheme: "internet-facing",
-  certificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/abc-123",
-  groupName: "shared-alb",
-  healthCheckPath: "/healthz",
-});
-\`\`\`
-Features:
-- Auto-sets \`alb.ingress.kubernetes.io/*\` annotations
-- SSL redirect enabled by default when \`certificateArn\` set
-- \`groupName\` for shared ALB across multiple Ingresses
-- \`wafAclArn\` for WAFv2 integration
-### EbsStorageClass — StorageClass for EBS CSI
-\`\`\`typescript
-import { EbsStorageClass } from "@intentius/chant-lexicon-k8s";
-const { storageClass } = EbsStorageClass({
-  name: "gp3-encrypted",
-  type: "gp3",
-  encrypted: true,
-  iops: "3000",
-  throughput: "125",
-});
-\`\`\`
-### EfsStorageClass — StorageClass for EFS CSI (ReadWriteMany)
-\`\`\`typescript
-import { EfsStorageClass } from "@intentius/chant-lexicon-k8s";
-const { storageClass } = EfsStorageClass({
-  name: "efs-shared",
-  fileSystemId: "fs-12345678",
-});
-\`\`\`
-Use EFS when you need ReadWriteMany (shared across pods/nodes). Use EBS for ReadWriteOnce (single pod).
-### FluentBitAgent — DaemonSet for CloudWatch logging
-\`\`\`typescript
-import { FluentBitAgent } from "@intentius/chant-lexicon-k8s";
-const result = FluentBitAgent({
-  logGroup: "/aws/eks/my-cluster/containers",
-  region: "us-east-1",
-  clusterName: "my-cluster",
-});
-\`\`\`
-### ExternalDnsAgent — ExternalDNS for Route53
-\`\`\`typescript
-import { ExternalDnsAgent } from "@intentius/chant-lexicon-k8s";
-const result = ExternalDnsAgent({
-  iamRoleArn: "arn:aws:iam::123456789012:role/external-dns-role",
-  domainFilters: ["example.com"],
-  txtOwnerId: "my-cluster",
-});
-\`\`\`
-### AdotCollector — ADOT for CloudWatch/X-Ray
-\`\`\`typescript
-import { AdotCollector } from "@intentius/chant-lexicon-k8s";
-const result = AdotCollector({
-  region: "us-east-1",
-  clusterName: "my-cluster",
-  exporters: ["cloudwatch", "xray"],
-});
-\`\`\`
-## Pod Identity vs IRSA
-| Feature | IRSA | Pod Identity |
-|---------|------|-------------|
-| K8s annotation needed | Yes (\`eks.amazonaws.com/role-arn\`) | No |
-| Composite available | **IrsaServiceAccount** | None needed |
-| Setup | OIDC provider + IAM role trust policy | EKS Pod Identity Agent add-on + association |
-| When to use | Existing clusters, broad compatibility | New clusters (EKS 1.28+), simpler management |
-For Pod Identity, no K8s-side composite is needed — configure the association via AWS API/CloudFormation and use a plain ServiceAccount.
-## Karpenter
-Karpenter replaces Cluster Autoscaler for node provisioning. Karpenter NodePool and EC2NodeClass are simple CRDs — use CRD import rather than composites:
-\`\`\`bash
-# Import Karpenter CRDs into your chant project
-chant import --url https://raw.githubusercontent.com/aws/karpenter/main/pkg/apis/crds/karpenter.sh_nodepools.yaml
-\`\`\`
-## Fargate Considerations
-When running on EKS Fargate:
-- **No DaemonSets** — FluentBitAgent and AdotCollector cannot run on Fargate nodes
-- **No hostPath volumes** — use EFS for shared storage
-- **No privileged containers** — security context restrictions apply
-- For Fargate logging, use the built-in Fluent Bit log router (Fargate logging configuration)
-## EKS Add-ons
-Common add-ons managed via AWS (not K8s manifests):
-- **vpc-cni** — Amazon VPC CNI plugin
-- **coredns** — Cluster DNS
-- **kube-proxy** — Network proxy
-- **aws-ebs-csi-driver** — EBS CSI driver (required for EbsStorageClass)
-- **aws-efs-csi-driver** — EFS CSI driver (required for EfsStorageClass)
-- **adot** — AWS Distro for OpenTelemetry (alternative to AdotCollector composite)
-- **aws-guardduty-agent** — Runtime threat detection
-Configure add-ons via the AWS lexicon (\`@intentius/chant-lexicon-aws\`) CloudFormation resources.
-`,
-        triggers: [
-          { type: "context", value: "eks" },
-          { type: "context", value: "irsa" },
-          { type: "context", value: "alb" },
-          { type: "context", value: "ebs" },
-          { type: "context", value: "efs" },
-          { type: "context", value: "fluent-bit" },
-          { type: "context", value: "cloudwatch" },
-          { type: "context", value: "karpenter" },
-          { type: "context", value: "fargate" },
-        ],
-        preConditions: [
-          "chant CLI is installed (chant --version succeeds)",
-          "EKS cluster is provisioned",
-          "kubectl is configured for the EKS cluster",
-        ],
-        postConditions: [
-          "EKS-specific resources are deployed and functional",
-        ],
-        parameters: [],
-        examples: [
-          {
-            title: "IRSA ServiceAccount",
-            description: "Create a ServiceAccount with IAM role for S3 access",
-            input: "Create an IRSA ServiceAccount for my app that needs S3 access",
-            output: `import { IrsaServiceAccount } from "@intentius/chant-lexicon-k8s";
-const { serviceAccount } = IrsaServiceAccount({
-  name: "app-sa",
-  iamRoleArn: "arn:aws:iam::123456789012:role/app-s3-role",
-  namespace: "prod",
-});`,
-          },
-          {
-            title: "ALB Ingress with TLS",
-            description: "Create an ALB Ingress with ACM certificate",
-            input: "Set up an internet-facing ALB with TLS for my API",
-            output: `import { AlbIngress } from "@intentius/chant-lexicon-k8s";
-const { ingress } = AlbIngress({
-  name: "api-ingress",
-  hosts: [{ hostname: "api.example.com", paths: [{ path: "/", serviceName: "api", servicePort: 80 }] }],
-  certificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/abc-123",
 });`,
           },
         ],
@@ -1225,5 +1020,127 @@ const { deployment, service, serviceMonitor, prometheusRule } = MonitoredService
         ],
       },
     ];
+    // Load file-based skills from src/skills/
+    const { readFileSync } = require("fs");
+    const { join, dirname } = require("path");
+    const { fileURLToPath } = require("url");
+    const dir = dirname(fileURLToPath(import.meta.url));
+    const skillFiles = [
+      {
+        file: "kubernetes-patterns.md",
+        name: "kubernetes-patterns",
+        description: "Kubernetes deployment strategies, stateful workloads, RBAC, and networking patterns",
+        triggers: [
+          { type: "context" as const, value: "deployment strategy" },
+          { type: "context" as const, value: "statefulset" },
+          { type: "context" as const, value: "rbac" },
+          { type: "context" as const, value: "network policy" },
+          { type: "context" as const, value: "rolling update" },
+          { type: "context" as const, value: "blue green" },
+        ],
+        parameters: [],
+        examples: [
+          {
+            title: "Blue/Green Deployment",
+            input: "Set up a blue/green deployment for my app",
+            output: "import { WebApp } from \"@intentius/chant-lexicon-k8s\";\n\nconst blue = WebApp({ name: \"app-blue\", image: \"app:1.0\" });\nconst green = WebApp({ name: \"app-green\", image: \"app:2.0\" });",
+          },
+        ],
+      },
+      {
+        file: "kubernetes-security.md",
+        name: "kubernetes-security",
+        description: "Kubernetes pod security, image scanning, network policies, and secrets management",
+        triggers: [
+          { type: "context" as const, value: "k8s security" },
+          { type: "context" as const, value: "pod security" },
+          { type: "context" as const, value: "image security" },
+          { type: "context" as const, value: "k8s secrets" },
+          { type: "context" as const, value: "security context" },
+        ],
+        parameters: [],
+        examples: [
+          {
+            title: "Hardened Container",
+            input: "Create a hardened container with security context",
+            output: "WebApp({ name: \"api\", image: \"api:1.0\", securityContext: { runAsNonRoot: true, readOnlyRootFilesystem: true, capabilities: { drop: [\"ALL\"] } } })",
+          },
+        ],
+      },
+      {
+        file: "chant-k8s-eks.md",
+        name: "chant-k8s-eks",
+        description: "EKS-specific Kubernetes composites — IRSA, ALB, EBS/EFS, Fluent Bit, ExternalDNS, ADOT",
+        triggers: [
+          { type: "context" as const, value: "eks composites" },
+          { type: "context" as const, value: "irsa" },
+          { type: "context" as const, value: "alb ingress" },
+          { type: "context" as const, value: "ebs storage" },
+          { type: "context" as const, value: "karpenter" },
+        ],
+        parameters: [],
+        examples: [
+          {
+            title: "IRSA ServiceAccount",
+            input: "Create an IRSA ServiceAccount for my app",
+            output: "import { IrsaServiceAccount } from \"@intentius/chant-lexicon-k8s\";\n\nconst { serviceAccount } = IrsaServiceAccount({ name: \"app-sa\", iamRoleArn: \"arn:aws:iam::123456789012:role/app-role\" });",
+          },
+        ],
+      },
+      {
+        file: "chant-k8s-gke.md",
+        name: "chant-k8s-gke",
+        description: "GKE-specific Kubernetes composites — Workload Identity, GCE PD, Filestore, FluentBit, OTel, ExternalDNS, Gateway",
+        triggers: [
+          { type: "context" as const, value: "gke composites" },
+          { type: "context" as const, value: "workload identity gke" },
+          { type: "context" as const, value: "config connector k8s" },
+        ],
+        parameters: [],
+        examples: [
+          {
+            title: "GKE Workload Identity",
+            input: "Create a ServiceAccount with GKE Workload Identity",
+            output: "import { WorkloadIdentityServiceAccount } from \"@intentius/chant-lexicon-k8s\";\n\nconst { serviceAccount } = WorkloadIdentityServiceAccount({ name: \"app-sa\", gcpServiceAccountEmail: \"app@project.iam.gserviceaccount.com\" });",
+          },
+        ],
+      },
+      {
+        file: "chant-k8s-aks.md",
+        name: "chant-k8s-aks",
+        description: "AKS-specific Kubernetes composites — Workload Identity, AGIC, Azure Disk/File, ExternalDNS, Azure Monitor",
+        triggers: [
+          { type: "context" as const, value: "aks composites" },
+          { type: "context" as const, value: "workload identity aks" },
+          { type: "context" as const, value: "agic ingress" },
+        ],
+        parameters: [],
+        examples: [
+          {
+            title: "AKS Workload Identity",
+            input: "Create a ServiceAccount with AKS Workload Identity",
+            output: "import { AksWorkloadIdentityServiceAccount } from \"@intentius/chant-lexicon-k8s\";\n\nconst { serviceAccount } = AksWorkloadIdentityServiceAccount({ name: \"app-sa\", clientId: \"12345678-abcd-1234-abcd-123456789012\" });",
+          },
+        ],
+      },
+    ];
+    for (const skill of skillFiles) {
+      try {
+        const content = readFileSync(join(dir, "skills", skill.file), "utf-8");
+        skills.push({
+          name: skill.name,
+          description: skill.description,
+          content,
+          triggers: skill.triggers,
+          parameters: skill.parameters,
+          examples: skill.examples,
+        });
+      } catch { /* skip missing skills */ }
+    }
+    return skills;
   },
 };