@jetrabbits/agentic 0.0.1
- package/AGENTS.md +143 -0
- package/README.md +154 -0
- package/agentic +1615 -0
- package/areas/devops/ci-cd/AGENTS.md +48 -0
- package/areas/devops/ci-cd/PROMPTS.md +7 -0
- package/areas/devops/ci-cd/prompts/onboard-repo.md +97 -0
- package/areas/devops/ci-cd/prompts/pipeline-debug.md +103 -0
- package/areas/devops/ci-cd/prompts/release-pipeline.md +115 -0
- package/areas/devops/ci-cd/rules/pipeline-standards.md +33 -0
- package/areas/devops/ci-cd/rules/quality-gates.md +24 -0
- package/areas/devops/ci-cd/rules/supply-chain-security.md +34 -0
- package/areas/devops/ci-cd/skills/artifact-management/SKILL.md +157 -0
- package/areas/devops/ci-cd/skills/build-optimization/SKILL.md +168 -0
- package/areas/devops/ci-cd/skills/github-actions-patterns/SKILL.md +190 -0
- package/areas/devops/ci-cd/skills/gitlab-ci-patterns/SKILL.md +169 -0
- package/areas/devops/ci-cd/skills/pipeline-security/SKILL.md +161 -0
- package/areas/devops/ci-cd/workflows/onboard-repo.md +73 -0
- package/areas/devops/ci-cd/workflows/pipeline-debug.md +66 -0
- package/areas/devops/ci-cd/workflows/release-pipeline.md +115 -0
- package/areas/devops/database-ops/AGENTS.md +47 -0
- package/areas/devops/database-ops/prompts/backup-verify.md +83 -0
- package/areas/devops/database-ops/prompts/db-incident.md +127 -0
- package/areas/devops/database-ops/rules/access-control.md +20 -0
- package/areas/devops/database-ops/rules/backup-policy.md +33 -0
- package/areas/devops/database-ops/rules/migration-runbook.md +32 -0
- package/areas/devops/database-ops/skills/backup-restore/SKILL.md +226 -0
- package/areas/devops/database-ops/skills/db-performance/SKILL.md +205 -0
- package/areas/devops/database-ops/skills/migration-safety/SKILL.md +155 -0
- package/areas/devops/database-ops/skills/postgres-operations/SKILL.md +156 -0
- package/areas/devops/database-ops/skills/redis-operations/SKILL.md +174 -0
- package/areas/devops/database-ops/workflows/backup-verify.md +107 -0
- package/areas/devops/database-ops/workflows/db-incident.md +86 -0
- package/areas/devops/devsecops/AGENTS.md +47 -0
- package/areas/devops/devsecops/prompts/policy-onboard.md +79 -0
- package/areas/devops/devsecops/prompts/security-scan-pipeline.md +131 -0
- package/areas/devops/devsecops/rules/container-security.md +22 -0
- package/areas/devops/devsecops/rules/policy-as-code.md +37 -0
- package/areas/devops/devsecops/rules/shift-left-policy.md +26 -0
- package/areas/devops/devsecops/skills/container-hardening/SKILL.md +146 -0
- package/areas/devops/devsecops/skills/opa-policies/SKILL.md +188 -0
- package/areas/devops/devsecops/skills/sbom-supply-chain/SKILL.md +165 -0
- package/areas/devops/devsecops/skills/secret-detection/SKILL.md +190 -0
- package/areas/devops/devsecops/skills/sigstore-signing/SKILL.md +184 -0
- package/areas/devops/devsecops/workflows/policy-onboard.md +104 -0
- package/areas/devops/devsecops/workflows/security-scan-pipeline.md +155 -0
- package/areas/devops/infrastructure/AGENTS.md +50 -0
- package/areas/devops/infrastructure/prompts/destroy-environment.md +81 -0
- package/areas/devops/infrastructure/prompts/drift-remediation.md +71 -0
- package/areas/devops/infrastructure/prompts/module-development.md +69 -0
- package/areas/devops/infrastructure/prompts/provision-environment.md +121 -0
- package/areas/devops/infrastructure/rules/iac-standards.md +80 -0
- package/areas/devops/infrastructure/rules/immutability.md +28 -0
- package/areas/devops/infrastructure/rules/secret-hygiene.md +53 -0
- package/areas/devops/infrastructure/rules/state-management.md +47 -0
- package/areas/devops/infrastructure/skills/ansible-playbooks/SKILL.md +174 -0
- package/areas/devops/infrastructure/skills/cost-optimization/SKILL.md +177 -0
- package/areas/devops/infrastructure/skills/drift-detection/SKILL.md +178 -0
- package/areas/devops/infrastructure/skills/state-management/SKILL.md +159 -0
- package/areas/devops/infrastructure/skills/terraform-modules/SKILL.md +169 -0
- package/areas/devops/infrastructure/workflows/destroy-environment.md +96 -0
- package/areas/devops/infrastructure/workflows/drift-remediation.md +66 -0
- package/areas/devops/infrastructure/workflows/module-development.md +101 -0
- package/areas/devops/infrastructure/workflows/provision-environment.md +96 -0
- package/areas/devops/kubernetes/AGENTS.md +57 -0
- package/areas/devops/kubernetes/PROMPTS.md +9 -0
- package/areas/devops/kubernetes/prompts/cluster-bootstrap.md +67 -0
- package/areas/devops/kubernetes/prompts/debug-workload.md +91 -0
- package/areas/devops/kubernetes/prompts/onboard-service.md +101 -0
- package/areas/devops/kubernetes/prompts/upgrade-cluster.md +63 -0
- package/areas/devops/kubernetes/rules/cluster-standards.md +51 -0
- package/areas/devops/kubernetes/rules/resource-governance.md +80 -0
- package/areas/devops/kubernetes/rules/upgrade-policy.md +52 -0
- package/areas/devops/kubernetes/rules/workload-security.md +64 -0
- package/areas/devops/kubernetes/skills/cluster-operations/SKILL.md +136 -0
- package/areas/devops/kubernetes/skills/helm-charts/SKILL.md +152 -0
- package/areas/devops/kubernetes/skills/network-policies/SKILL.md +169 -0
- package/areas/devops/kubernetes/skills/pod-troubleshooting/SKILL.md +129 -0
- package/areas/devops/kubernetes/skills/rbac-design/SKILL.md +148 -0
- package/areas/devops/kubernetes/skills/resource-tuning/SKILL.md +156 -0
- package/areas/devops/kubernetes/workflows/cluster-bootstrap.md +194 -0
- package/areas/devops/kubernetes/workflows/debug-workload.md +108 -0
- package/areas/devops/kubernetes/workflows/onboard-service.md +124 -0
- package/areas/devops/kubernetes/workflows/upgrade-cluster.md +165 -0
- package/areas/devops/networking/AGENTS.md +47 -0
- package/areas/devops/networking/prompts/onboard-ingress.md +119 -0
- package/areas/devops/networking/prompts/service-mesh-onboard.md +77 -0
- package/areas/devops/networking/rules/ingress-standards.md +17 -0
- package/areas/devops/networking/rules/network-segmentation.md +24 -0
- package/areas/devops/networking/rules/tls-policy.md +32 -0
- package/areas/devops/networking/skills/dns-management/SKILL.md +169 -0
- package/areas/devops/networking/skills/ingress-patterns/SKILL.md +165 -0
- package/areas/devops/networking/skills/service-mesh/SKILL.md +206 -0
- package/areas/devops/networking/skills/tls-termination/SKILL.md +198 -0
- package/areas/devops/networking/skills/vpc-design/SKILL.md +132 -0
- package/areas/devops/networking/workflows/onboard-ingress.md +64 -0
- package/areas/devops/networking/workflows/service-mesh-onboard.md +122 -0
- package/areas/devops/observability/AGENTS.md +48 -0
- package/areas/devops/observability/prompts/alert-investigation.md +117 -0
- package/areas/devops/observability/prompts/observability-stack-setup.md +99 -0
- package/areas/devops/observability/prompts/onboard-service-monitoring.md +79 -0
- package/areas/devops/observability/rules/alerting-standards.md +36 -0
- package/areas/devops/observability/rules/data-retention.md +19 -0
- package/areas/devops/observability/rules/golden-signals.md +28 -0
- package/areas/devops/observability/skills/distributed-tracing/SKILL.md +149 -0
- package/areas/devops/observability/skills/grafana-dashboards/SKILL.md +201 -0
- package/areas/devops/observability/skills/log-aggregation/SKILL.md +159 -0
- package/areas/devops/observability/skills/prometheus-alertmanager/SKILL.md +188 -0
- package/areas/devops/observability/skills/slo-implementation/SKILL.md +189 -0
- package/areas/devops/observability/workflows/alert-investigation.md +98 -0
- package/areas/devops/observability/workflows/observability-stack-setup.md +156 -0
- package/areas/devops/observability/workflows/onboard-service-monitoring.md +83 -0
- package/areas/devops/sre/AGENTS.md +48 -0
- package/areas/devops/sre/prompts/incident-response.md +129 -0
- package/areas/devops/sre/prompts/postmortem.md +101 -0
- package/areas/devops/sre/prompts/slo-review.md +125 -0
- package/areas/devops/sre/rules/error-budget-policy.md +25 -0
- package/areas/devops/sre/rules/on-call-standards.md +25 -0
- package/areas/devops/sre/rules/slo-policy.md +31 -0
- package/areas/devops/sre/skills/capacity-planning/SKILL.md +162 -0
- package/areas/devops/sre/skills/chaos-engineering/SKILL.md +186 -0
- package/areas/devops/sre/skills/incident-command/SKILL.md +119 -0
- package/areas/devops/sre/skills/postmortem-analysis/SKILL.md +104 -0
- package/areas/devops/sre/skills/slo-sli-design/SKILL.md +145 -0
- package/areas/devops/sre/workflows/incident-response.md +66 -0
- package/areas/devops/sre/workflows/postmortem.md +90 -0
- package/areas/devops/sre/workflows/slo-review.md +95 -0
- package/areas/software/backend/AGENTS.md +59 -0
- package/areas/software/backend/PROMPTS.md +50 -0
- package/areas/software/backend/README.md +48 -0
- package/areas/software/backend/prompts/add-migration.md +93 -0
- package/areas/software/backend/prompts/create-endpoint.md +97 -0
- package/areas/software/backend/prompts/debug-issue.md +87 -0
- package/areas/software/backend/prompts/develop-epic.md +83 -0
- package/areas/software/backend/prompts/develop-feature.md +91 -0
- package/areas/software/backend/prompts/refactor-module.md +79 -0
- package/areas/software/backend/prompts/test-feature.md +89 -0
- package/areas/software/backend/rules/architecture.md +20 -0
- package/areas/software/backend/rules/data_access.md +20 -0
- package/areas/software/backend/rules/security.md +20 -0
- package/areas/software/backend/rules/testing.md +19 -0
- package/areas/software/backend/skills/api-design/SKILL.md +170 -0
- package/areas/software/backend/skills/async-processing/SKILL.md +152 -0
- package/areas/software/backend/skills/database-modeling/SKILL.md +173 -0
- package/areas/software/backend/skills/observability/SKILL.md +162 -0
- package/areas/software/backend/skills/troubleshooting/SKILL.md +139 -0
- package/areas/software/backend/workflows/add-migration.md +79 -0
- package/areas/software/backend/workflows/create-endpoint.md +89 -0
- package/areas/software/backend/workflows/debug-issue.md +77 -0
- package/areas/software/backend/workflows/develop-epic.md +78 -0
- package/areas/software/backend/workflows/develop-feature.md +98 -0
- package/areas/software/backend/workflows/refactor-module.md +73 -0
- package/areas/software/backend/workflows/test-feature.md +67 -0
- package/areas/software/data-engineering/AGENTS.md +59 -0
- package/areas/software/data-engineering/PROMPTS.md +32 -0
- package/areas/software/data-engineering/prompts/backfill-data.md +107 -0
- package/areas/software/data-engineering/prompts/data-quality-incident.md +109 -0
- package/areas/software/data-engineering/prompts/lineage-trace.md +121 -0
- package/areas/software/data-engineering/prompts/new-model.md +117 -0
- package/areas/software/data-engineering/prompts/schema-migration.md +111 -0
- package/areas/software/data-engineering/rules/data-governance.md +11 -0
- package/areas/software/data-engineering/rules/pii-handling.md +19 -0
- package/areas/software/data-engineering/rules/pipeline-integrity.md +11 -0
- package/areas/software/data-engineering/rules/schema-management.md +21 -0
- package/areas/software/data-engineering/skills/data-modeling/SKILL.md +49 -0
- package/areas/software/data-engineering/skills/dbt-patterns/SKILL.md +43 -0
- package/areas/software/data-engineering/skills/lineage-governance/SKILL.md +38 -0
- package/areas/software/data-engineering/skills/orchestration/SKILL.md +35 -0
- package/areas/software/data-engineering/skills/quality-checks/SKILL.md +50 -0
- package/areas/software/data-engineering/skills/sql-optimization/SKILL.md +47 -0
- package/areas/software/data-engineering/skills/streaming-patterns/SKILL.md +48 -0
- package/areas/software/data-engineering/workflows/backfill-data.md +59 -0
- package/areas/software/data-engineering/workflows/data-quality-incident.md +64 -0
- package/areas/software/data-engineering/workflows/lineage-trace.md +56 -0
- package/areas/software/data-engineering/workflows/new-model.md +71 -0
- package/areas/software/data-engineering/workflows/schema-migration.md +67 -0
- package/areas/software/frontend/AGENTS.md +60 -0
- package/areas/software/frontend/PROMPTS.md +32 -0
- package/areas/software/frontend/prompts/a11y-fix.md +75 -0
- package/areas/software/frontend/prompts/bundle-analyze.md +75 -0
- package/areas/software/frontend/prompts/release-prep.md +83 -0
- package/areas/software/frontend/prompts/scaffold-component.md +69 -0
- package/areas/software/frontend/prompts/visual-regression.md +73 -0
- package/areas/software/frontend/rules/accessibility.md +16 -0
- package/areas/software/frontend/rules/architecture.md +29 -0
- package/areas/software/frontend/rules/performance.md +23 -0
- package/areas/software/frontend/rules/quality.md +12 -0
- package/areas/software/frontend/skills/a11y-audit/SKILL.md +61 -0
- package/areas/software/frontend/skills/api-integration/SKILL.md +58 -0
- package/areas/software/frontend/skills/component-design/SKILL.md +171 -0
- package/areas/software/frontend/skills/css-architecture/SKILL.md +146 -0
- package/areas/software/frontend/skills/error-handling/SKILL.md +55 -0
- package/areas/software/frontend/skills/performance-tuning/SKILL.md +58 -0
- package/areas/software/frontend/skills/state-management/SKILL.md +54 -0
- package/areas/software/frontend/skills/testing-patterns/SKILL.md +69 -0
- package/areas/software/frontend/workflows/a11y-fix.md +63 -0
- package/areas/software/frontend/workflows/bundle-analyze.md +56 -0
- package/areas/software/frontend/workflows/release-prep.md +66 -0
- package/areas/software/frontend/workflows/scaffold-component.md +67 -0
- package/areas/software/frontend/workflows/visual-regression.md +65 -0
- package/areas/software/full-stack/AGENTS.md +72 -0
- package/areas/software/full-stack/PROMPTS.md +66 -0
- package/areas/software/full-stack/prompts/backend-project-full-cycle.md +141 -0
- package/areas/software/full-stack/prompts/debug-issue.md +115 -0
- package/areas/software/full-stack/prompts/develop-feature.md +119 -0
- package/areas/software/full-stack/prompts/feature-implementation-flow.md +137 -0
- package/areas/software/full-stack/prompts/testing-ci-pipeline.md +119 -0
- package/areas/software/full-stack/rules/api-design-guide.md +24 -0
- package/areas/software/full-stack/rules/async-concurrency-guide.md +21 -0
- package/areas/software/full-stack/rules/backend-architecture-rule.md +41 -0
- package/areas/software/full-stack/rules/background-jobs-guide.md +20 -0
- package/areas/software/full-stack/rules/code-quality-guide.md +22 -0
- package/areas/software/full-stack/rules/database-access-guide.md +24 -0
- package/areas/software/full-stack/rules/database-migrations-guide.md +24 -0
- package/areas/software/full-stack/rules/domain-models-guide.md +28 -0
- package/areas/software/full-stack/rules/e2e-test-guide.md +18 -0
- package/areas/software/full-stack/rules/env-settings-guide.md +34 -0
- package/areas/software/full-stack/rules/error-handling-guide.md +20 -0
- package/areas/software/full-stack/rules/logging-observability-guide.md +22 -0
- package/areas/software/full-stack/rules/project-guide.md +34 -0
- package/areas/software/full-stack/rules/python-venv-guide.md +23 -0
- package/areas/software/full-stack/rules/security-guide.md +22 -0
- package/areas/software/full-stack/rules/svt-test-guide.md +17 -0
- package/areas/software/full-stack/rules/testing-ci-guide.md +25 -0
- package/areas/software/full-stack/skills/api-design-principles/SKILL.md +125 -0
- package/areas/software/full-stack/skills/api-design-principles/assets/api-design-checklist.md +155 -0
- package/areas/software/full-stack/skills/api-design-principles/assets/rest-api-template.py +182 -0
- package/areas/software/full-stack/skills/api-design-principles/references/graphql-schema-design.md +583 -0
- package/areas/software/full-stack/skills/api-design-principles/references/rest-best-practices.md +408 -0
- package/areas/software/full-stack/skills/api-design-principles/resources/implementation-playbook.md +513 -0
- package/areas/software/full-stack/skills/api-patterns/SKILL.md +81 -0
- package/areas/software/full-stack/skills/api-patterns/api-style.md +42 -0
- package/areas/software/full-stack/skills/api-patterns/auth.md +24 -0
- package/areas/software/full-stack/skills/api-patterns/documentation.md +26 -0
- package/areas/software/full-stack/skills/api-patterns/graphql.md +41 -0
- package/areas/software/full-stack/skills/api-patterns/rate-limiting.md +31 -0
- package/areas/software/full-stack/skills/api-patterns/response.md +37 -0
- package/areas/software/full-stack/skills/api-patterns/rest.md +40 -0
- package/areas/software/full-stack/skills/api-patterns/scripts/api_validator.py +211 -0
- package/areas/software/full-stack/skills/api-patterns/security-testing.md +122 -0
- package/areas/software/full-stack/skills/api-patterns/trpc.md +41 -0
- package/areas/software/full-stack/skills/api-patterns/versioning.md +22 -0
- package/areas/software/full-stack/skills/app-builder/SKILL.md +135 -0
- package/areas/software/full-stack/skills/app-builder/agent-coordination.md +71 -0
- package/areas/software/full-stack/skills/app-builder/feature-building.md +53 -0
- package/areas/software/full-stack/skills/app-builder/project-detection.md +34 -0
- package/areas/software/full-stack/skills/app-builder/scaffolding.md +118 -0
- package/areas/software/full-stack/skills/app-builder/tech-stack.md +40 -0
- package/areas/software/full-stack/skills/app-builder/templates/SKILL.md +39 -0
- package/areas/software/full-stack/skills/app-builder/templates/astro-static/TEMPLATE.md +76 -0
- package/areas/software/full-stack/skills/app-builder/templates/chrome-extension/TEMPLATE.md +92 -0
- package/areas/software/full-stack/skills/app-builder/templates/cli-tool/TEMPLATE.md +88 -0
- package/areas/software/full-stack/skills/app-builder/templates/electron-desktop/TEMPLATE.md +88 -0
- package/areas/software/full-stack/skills/app-builder/templates/express-api/TEMPLATE.md +83 -0
- package/areas/software/full-stack/skills/app-builder/templates/flutter-app/TEMPLATE.md +90 -0
- package/areas/software/full-stack/skills/app-builder/templates/monorepo-turborepo/TEMPLATE.md +90 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-fullstack/TEMPLATE.md +82 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-saas/TEMPLATE.md +100 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-static/TEMPLATE.md +106 -0
- package/areas/software/full-stack/skills/app-builder/templates/nuxt-app/TEMPLATE.md +101 -0
- package/areas/software/full-stack/skills/app-builder/templates/python-fastapi/TEMPLATE.md +83 -0
- package/areas/software/full-stack/skills/app-builder/templates/react-native-app/TEMPLATE.md +93 -0
- package/areas/software/full-stack/skills/backend-developer/SKILL.md +58 -0
- package/areas/software/full-stack/skills/bash-pro/SKILL.md +310 -0
- package/areas/software/full-stack/skills/blackbox-test/SKILL.md +84 -0
- package/areas/software/full-stack/skills/prompt-project-planner/SKILL.md +130 -0
- package/areas/software/full-stack/skills/prompt-project-planner/output.schema.md +68 -0
- package/areas/software/full-stack/skills/prompt-project-planner/questions.md +80 -0
- package/areas/software/full-stack/skills/python-pro/SKILL.md +158 -0
- package/areas/software/full-stack/skills/skill-creator/LICENSE.txt +202 -0
- package/areas/software/full-stack/skills/skill-creator/SKILL.md +356 -0
- package/areas/software/full-stack/skills/skill-creator/references/output-patterns.md +82 -0
- package/areas/software/full-stack/skills/skill-creator/references/workflows.md +28 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/init_skill.py +303 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/package_skill.py +110 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/quick_validate.py +95 -0
- package/areas/software/full-stack/workflows/backend-project-full-cycle.md +132 -0
- package/areas/software/full-stack/workflows/debug-issue.md +70 -0
- package/areas/software/full-stack/workflows/develop-feature.md +85 -0
- package/areas/software/full-stack/workflows/feature-implementation-flow.md +78 -0
- package/areas/software/full-stack/workflows/testing-ci-pipeline.md +65 -0
- package/areas/software/general/AGENTS.md +68 -0
- package/areas/software/general/prompts/code-review-workflow.md +87 -0
- package/areas/software/general/prompts/development-cycle-workflow.md +83 -0
- package/areas/software/general/prompts/project-setup-workflow.md +93 -0
- package/areas/software/general/rules/code-style-guide.md +31 -0
- package/areas/software/general/rules/docker-compose-guide.md +27 -0
- package/areas/software/general/rules/git-workflow-guide.md +27 -0
- package/areas/software/general/rules/github-workflow-guide.md +27 -0
- package/areas/software/general/rules/gitlab-ci-guide.md +27 -0
- package/areas/software/general/rules/lint-format-guide.md +29 -0
- package/areas/software/general/rules/makefile-guide.md +34 -0
- package/areas/software/general/rules/readme-sync-guide.md +40 -0
- package/areas/software/general/rules/sdlc-methodology-guide.md +27 -0
- package/areas/software/general/rules/sdlc-role-responsibilities.md +108 -0
- package/areas/software/general/skills/general-dev-tools/SKILL.md +324 -0
- package/areas/software/general/workflows/code-review-workflow.md +84 -0
- package/areas/software/general/workflows/development-cycle-workflow.md +85 -0
- package/areas/software/general/workflows/project-setup-workflow.md +94 -0
- package/areas/software/mlops/AGENTS.md +57 -0
- package/areas/software/mlops/PROMPTS.md +32 -0
- package/areas/software/mlops/prompts/champion-challenger.md +87 -0
- package/areas/software/mlops/prompts/deploy-endpoint.md +91 -0
- package/areas/software/mlops/prompts/evaluate-model.md +87 -0
- package/areas/software/mlops/prompts/model-incident.md +87 -0
- package/areas/software/mlops/prompts/train-experiment.md +83 -0
- package/areas/software/mlops/rules/data-integrity.md +9 -0
- package/areas/software/mlops/rules/model-governance.md +9 -0
- package/areas/software/mlops/rules/production-safety.md +9 -0
- package/areas/software/mlops/rules/reproducibility.md +9 -0
- package/areas/software/mlops/skills/experiment-tracking/SKILL.md +29 -0
- package/areas/software/mlops/skills/feature-engineering/SKILL.md +44 -0
- package/areas/software/mlops/skills/inference-serving/SKILL.md +35 -0
- package/areas/software/mlops/skills/model-evaluation/SKILL.md +40 -0
- package/areas/software/mlops/skills/model-monitoring/SKILL.md +32 -0
- package/areas/software/mlops/workflows/champion-challenger.md +65 -0
- package/areas/software/mlops/workflows/deploy-endpoint.md +70 -0
- package/areas/software/mlops/workflows/evaluate-model.md +63 -0
- package/areas/software/mlops/workflows/model-incident.md +64 -0
- package/areas/software/mlops/workflows/train-experiment.md +56 -0
- package/areas/software/mobile/AGENTS.md +58 -0
- package/areas/software/mobile/PROMPTS.md +32 -0
- package/areas/software/mobile/prompts/crash-triage.md +63 -0
- package/areas/software/mobile/prompts/device-testing.md +83 -0
- package/areas/software/mobile/prompts/ota-update.md +75 -0
- package/areas/software/mobile/prompts/release-build.md +67 -0
- package/areas/software/mobile/prompts/store-submission.md +79 -0
- package/areas/software/mobile/rules/offline-first.md +10 -0
- package/areas/software/mobile/rules/performance-budget.md +20 -0
- package/areas/software/mobile/rules/platform-compliance.md +17 -0
- package/areas/software/mobile/rules/security-mobile.md +9 -0
- package/areas/software/mobile/skills/app-store-prep/SKILL.md +27 -0
- package/areas/software/mobile/skills/mobile-testing/SKILL.md +36 -0
- package/areas/software/mobile/skills/native-modules/SKILL.md +38 -0
- package/areas/software/mobile/skills/navigation-patterns/SKILL.md +49 -0
- package/areas/software/mobile/skills/push-notifications/SKILL.md +40 -0
- package/areas/software/mobile/skills/state-sync/SKILL.md +48 -0
- package/areas/software/mobile/workflows/crash-triage.md +63 -0
- package/areas/software/mobile/workflows/device-testing.md +54 -0
- package/areas/software/mobile/workflows/ota-update.md +54 -0
- package/areas/software/mobile/workflows/release-build.md +67 -0
- package/areas/software/mobile/workflows/store-submission.md +63 -0
- package/areas/software/platform/AGENTS.md +67 -0
- package/areas/software/platform/PROMPTS.md +32 -0
- package/areas/software/platform/prompts/cost-audit.md +117 -0
- package/areas/software/platform/prompts/deploy-production.md +109 -0
- package/areas/software/platform/prompts/drift-check.md +107 -0
- package/areas/software/platform/prompts/incident-response.md +121 -0
- package/areas/software/platform/prompts/provision-env.md +113 -0
- package/areas/software/platform/rules/cost-governance.md +11 -0
- package/areas/software/platform/rules/immutability.md +17 -0
- package/areas/software/platform/rules/reliability.md +19 -0
- package/areas/software/platform/rules/security-posture.md +12 -0
- package/areas/software/platform/skills/ci-cd-pipelines/SKILL.md +58 -0
- package/areas/software/platform/skills/incident-response/SKILL.md +41 -0
- package/areas/software/platform/skills/k8s-manifests/SKILL.md +56 -0
- package/areas/software/platform/skills/networking/SKILL.md +44 -0
- package/areas/software/platform/skills/observability-setup/SKILL.md +49 -0
- package/areas/software/platform/skills/secrets-management/SKILL.md +43 -0
- package/areas/software/platform/skills/terraform-patterns/SKILL.md +75 -0
- package/areas/software/platform/workflows/cost-audit.md +61 -0
- package/areas/software/platform/workflows/deploy-production.md +67 -0
- package/areas/software/platform/workflows/drift-check.md +61 -0
- package/areas/software/platform/workflows/incident-response.md +69 -0
- package/areas/software/platform/workflows/provision-env.md +77 -0
- package/areas/software/qa/AGENTS.md +58 -0
- package/areas/software/qa/PROMPTS.md +32 -0
- package/areas/software/qa/prompts/flakiness-investigation.md +61 -0
- package/areas/software/qa/prompts/performance-audit.md +65 -0
- package/areas/software/qa/prompts/regression-suite.md +61 -0
- package/areas/software/qa/prompts/smoke-test.md +65 -0
- package/areas/software/qa/prompts/test-coverage-report.md +61 -0
- package/areas/software/qa/rules/flakiness-policy.md +12 -0
- package/areas/software/qa/rules/quality-gates.md +28 -0
- package/areas/software/qa/rules/test-data.md +9 -0
- package/areas/software/qa/rules/test-strategy.md +11 -0
- package/areas/software/qa/skills/accessibility-testing/SKILL.md +139 -0
- package/areas/software/qa/skills/api-testing/SKILL.md +140 -0
- package/areas/software/qa/skills/e2e-patterns/SKILL.md +152 -0
- package/areas/software/qa/skills/performance-testing/SKILL.md +177 -0
- package/areas/software/qa/skills/test-data-management/SKILL.md +161 -0
- package/areas/software/qa/skills/test-pyramid/SKILL.md +127 -0
- package/areas/software/qa/workflows/flakiness-investigation.md +63 -0
- package/areas/software/qa/workflows/performance-audit.md +59 -0
- package/areas/software/qa/workflows/regression-suite.md +59 -0
- package/areas/software/qa/workflows/smoke-test.md +64 -0
- package/areas/software/qa/workflows/test-coverage-report.md +57 -0
- package/areas/software/security/AGENTS.md +58 -0
- package/areas/software/security/PROMPTS.md +32 -0
- package/areas/software/security/prompts/compliance-report.md +113 -0
- package/areas/software/security/prompts/pen-test-sim.md +113 -0
- package/areas/software/security/prompts/secret-rotation.md +115 -0
- package/areas/software/security/prompts/security-scan.md +91 -0
- package/areas/software/security/prompts/threat-model-review.md +105 -0
- package/areas/software/security/rules/compliance-baseline.md +23 -0
- package/areas/software/security/rules/dependency-policy.md +12 -0
- package/areas/software/security/rules/secrets-policy.md +22 -0
- package/areas/software/security/rules/secure-coding.md +22 -0
- package/areas/software/security/skills/auth-patterns/SKILL.md +42 -0
- package/areas/software/security/skills/crypto-standards/SKILL.md +42 -0
- package/areas/software/security/skills/dependency-audit/SKILL.md +29 -0
- package/areas/software/security/skills/sast-dast-interpretation/SKILL.md +33 -0
- package/areas/software/security/skills/security-headers/SKILL.md +29 -0
- package/areas/software/security/skills/threat-modeling/SKILL.md +36 -0
- package/areas/software/security/workflows/compliance-report.md +57 -0
- package/areas/software/security/workflows/pen-test-sim.md +63 -0
- package/areas/software/security/workflows/secret-rotation.md +67 -0
- package/areas/software/security/workflows/security-scan.md +64 -0
- package/areas/software/security/workflows/threat-model-review.md +62 -0
- package/areas/template/AGENTS-area.tmpl.md +61 -0
- package/areas/template/AGENTS.tmpl.md +67 -0
- package/areas/template/GUIDE.md +102 -0
- package/areas/template/PROMPTS.tmpl.md +29 -0
- package/areas/template/README.md +57 -0
- package/areas/template/README.tmpl.md +51 -0
- package/areas/template/prompt.tmpl.md +101 -0
- package/areas/template/rule.tmpl.md +71 -0
- package/areas/template/skill.tmpl.md +108 -0
- package/areas/template/workflow.tmpl.md +104 -0
- package/bin/agentic.js +24 -0
- package/extensions/antigravity/GEMINI.md +10 -0
- package/extensions/claude/CLAUDE.md +10 -0
- package/extensions/codex/AGENTS.override.md +93 -0
- package/extensions/gemini/GEMINI.md +10 -0
- package/extensions/opencode/agents/designer.md +65 -0
- package/extensions/opencode/agents/developer.md +63 -0
- package/extensions/opencode/agents/devops-engineer.md +69 -0
- package/extensions/opencode/agents/pm.md +61 -0
- package/extensions/opencode/agents/product-owner.md +76 -0
- package/extensions/opencode/agents/qa.md +66 -0
- package/extensions/opencode/agents/team-lead.md +67 -0
- package/extensions/opencode/commands/feature.md +75 -0
- package/extensions/opencode/opencode.json +93 -0
- package/extensions/opencode/plugins/model-checker.json +14 -0
- package/extensions/opencode/plugins/model-checker.ts +279 -0
- package/extensions/opencode/plugins/sound-notification.ts +13 -0
- package/extensions/opencode/plugins/telegram-notification.ts +86 -0
- package/extensions/opencode/skills/code_review_expert/SKILL.md +144 -0
- package/extensions/opencode/skills/design_expert/SKILL.md +42 -0
- package/extensions/opencode/skills/qa_expert/SKILL.md +116 -0
- package/package.json +19 -0
|
@@ -0,0 +1,155 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security-scan-pipeline
|
|
3
|
+
type: workflow
|
|
4
|
+
trigger: /security-scan-pipeline
|
|
5
|
+
description: Run a full security scan pipeline — SAST, dependency CVE, secrets, container image, IaC, and SBOM generation.
|
|
6
|
+
inputs:
|
|
7
|
+
- service_name
|
|
8
|
+
- version_or_sha
|
|
9
|
+
- scan_scope (code|image|iac|all)
|
|
10
|
+
outputs:
|
|
11
|
+
- scan_report
|
|
12
|
+
- findings_by_severity
|
|
13
|
+
- sbom
|
|
14
|
+
roles:
|
|
15
|
+
- devops-engineer
|
|
16
|
+
- developer
|
|
17
|
+
execution:
|
|
18
|
+
initiator: developer
|
|
19
|
+
related-rules:
|
|
20
|
+
- shift-left-policy.md
|
|
21
|
+
- container-security.md
|
|
22
|
+
uses-skills:
|
|
23
|
+
- secret-detection
|
|
24
|
+
- container-hardening
|
|
25
|
+
- sbom-supply-chain
|
|
26
|
+
- sigstore-signing
|
|
27
|
+
quality-gates:
|
|
28
|
+
- zero Critical/High unresolved before release
|
|
29
|
+
- SBOM generated and attached to image
|
|
30
|
+
- no secrets found in code or git history
|
|
31
|
+
---
|
|
32
|
+
|
|
33
|
+
## Steps
|
|
34
|
+
|
|
35
|
+
### 1. Secrets Scan — `@devops-engineer`
|
|
36
|
+
```bash
|
|
37
|
+
# Scan git history for secrets
|
|
38
|
+
trufflehog git file://. \
|
|
39
|
+
--since-commit HEAD~20 \
|
|
40
|
+
--only-verified \
|
|
41
|
+
--fail
|
|
42
|
+
|
|
43
|
+
# Scan current working tree
|
|
44
|
+
gitleaks detect --source . --config .gitleaks.toml --exit-code 1
|
|
45
|
+
```
|
|
46
|
+
- **Done when:** zero verified secrets found; false positives documented in `.gitleaksignore`
|
|
47
|
+
|
|
48
|
+
### 2. SAST (Static Analysis) — `@devops-engineer`
|
|
49
|
+
```bash
|
|
50
|
+
# semgrep (language-aware rules)
|
|
51
|
+
semgrep scan \
|
|
52
|
+
--config=p/python \
|
|
53
|
+
--config=p/owasp-top-ten \
|
|
54
|
+
--config=p/secrets \
|
|
55
|
+
--error \ # non-zero exit on findings
|
|
56
|
+
--output=sast-results.sarif \
|
|
57
|
+
--sarif \
|
|
58
|
+
src/
|
|
59
|
+
|
|
60
|
+
# Upload to GitHub Security tab
|
|
61
|
+
gh api -X POST repos/:owner/:repo/code-scanning/sarifs \
|
|
62
|
+
-f ref="refs/heads/main" \
|
|
63
|
+
-f sarif="$(cat sast-results.sarif | gzip | base64)"
|
|
64
|
+
```
|
|
65
|
+
- Block on: Critical/High severity findings without suppression comment
|
|
66
|
+
- **Done when:** clean or all findings triaged with `# nosemgrep` + justification
|
|
67
|
+
|
|
68
|
+
### 3. Dependency CVE Scan — `@devops-engineer`
|
|
69
|
+
```bash
|
|
70
|
+
# Scan source dependencies (before build)
|
|
71
|
+
trivy fs . \
|
|
72
|
+
--severity CRITICAL,HIGH \
|
|
73
|
+
--exit-code 1 \
|
|
74
|
+
--format table \
|
|
75
|
+
--ignorefile .trivyignore
|
|
76
|
+
|
|
77
|
+
# Language-specific (alternative)
|
|
78
|
+
# Python
|
|
79
|
+
pip-audit -r requirements.txt --fail-on-severity high
|
|
80
|
+
# Node
|
|
81
|
+
npm audit --audit-level=high
|
|
82
|
+
# Go
|
|
83
|
+
govulncheck ./...
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
### 4. Container Image Scan — `@devops-engineer`
|
|
87
|
+
```bash
|
|
88
|
+
IMAGE=registry.example.com/myorg/${SERVICE}:${VERSION}
|
|
89
|
+
|
|
90
|
+
trivy image \
|
|
91
|
+
--severity CRITICAL,HIGH \
|
|
92
|
+
--exit-code 1 \
|
|
93
|
+
--format sarif \
|
|
94
|
+
--output image-scan.sarif \
|
|
95
|
+
--ignorefile .trivyignore \
|
|
96
|
+
${IMAGE}
|
|
97
|
+
|
|
98
|
+
# Also scan for misconfiguration in image layers
|
|
99
|
+
trivy image \
|
|
100
|
+
--scanners misconfig \
|
|
101
|
+
--exit-code 0 \ # warn only for misconfig
|
|
102
|
+
${IMAGE}
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
### 5. IaC Security Scan — `@devops-engineer`
|
|
106
|
+
```bash
|
|
107
|
+
# Terraform
|
|
108
|
+
checkov -d terraform/ \
|
|
109
|
+
--quiet \
|
|
110
|
+
--compact \
|
|
111
|
+
--framework terraform \
|
|
112
|
+
--output sarif \
|
|
113
|
+
--output-file-path iac-scan.sarif
|
|
114
|
+
|
|
115
|
+
# Or: tfsec
|
|
116
|
+
tfsec terraform/ \
|
|
117
|
+
--format sarif \
|
|
118
|
+
--out tfsec.sarif
|
|
119
|
+
|
|
120
|
+
# K8s manifests
|
|
121
|
+
checkov -d charts/${SERVICE}/templates \
|
|
122
|
+
--framework kubernetes \
|
|
123
|
+
--quiet
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
### 6. Generate SBOM — `@devops-engineer`
|
|
127
|
+
```bash
|
|
128
|
+
IMAGE_DIGEST=$(crane digest ${IMAGE})
|
|
129
|
+
|
|
130
|
+
# Generate CycloneDX SBOM
|
|
131
|
+
syft ${IMAGE} -o cyclonedx-json=sbom.cdx.json
|
|
132
|
+
|
|
133
|
+
# Attach as OCI attestation
|
|
134
|
+
cosign attest \
|
|
135
|
+
--predicate sbom.cdx.json \
|
|
136
|
+
--type cyclonedx \
|
|
137
|
+
${IMAGE}@${IMAGE_DIGEST}
|
|
138
|
+
|
|
139
|
+
echo "SBOM attached to ${IMAGE}@${IMAGE_DIGEST}"
|
|
140
|
+
```
|
|
141
|
+
|
|
142
|
+
### 7. Collate Report — `@devops-engineer`
|
|
143
|
+
```bash
|
|
144
|
+
# Summary output
|
|
145
|
+
echo "=== Security Scan Report: ${SERVICE} ${VERSION} ==="
|
|
146
|
+
echo "Secrets: $(cat secrets-results.json | jq length) findings"
|
|
147
|
+
echo "SAST: $(cat sast-results.sarif | jq '.runs[0].results | length') findings"
|
|
148
|
+
echo "Dependencies: $(trivy fs . --quiet --format json 2>/dev/null | jq '.Results[].Vulnerabilities | length // 0' | paste -sd+ | bc) findings"
|
|
149
|
+
echo "Image: $(cat image-scan.sarif | jq '.runs[0].results | length') findings"
|
|
150
|
+
echo "IaC: $(cat iac-scan.sarif | jq '.runs[0].results | length') findings"
|
|
151
|
+
echo "SBOM: attached to registry"
|
|
152
|
+
```
|
|
153
|
+
|
|
154
|
+
## Exit
|
|
155
|
+
Zero unresolved Critical/High + SBOM attached + scan report filed = security scan complete.
|
|
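Review bot: the SAST and image-scan commands in steps 2 and 4 break on the inline comments placed after a line continuation (`--error \ # non-zero exit on findings` and `--exit-code 0 \ # warn only for misconfig`): the backslash escapes the following space rather than the newline, so the shell ends the command there and then tries to run `--output=sast-results.sarif \` (and `${IMAGE}`) as separate commands. Move those comments onto their own line above the command. Three further problems a reader will hit: the `gh api ... code-scanning/sarifs` upload omits `commit_sha`, which that endpoint requires alongside `ref` and `sarif`, and `base64` without `-w0` emits line-wrapped output on GNU coreutils, so the payload is rejected; step 7 reads `secrets-results.json`, but nothing in step 1 writes it (neither `trufflehog` nor `gitleaks` is given a JSON report path), and the dependency count re-runs `trivy fs` instead of reusing step 3's result, so the report and the gate can disagree; and step 6 resolves the digest with `crane digest ${IMAGE}` but then runs `syft ${IMAGE}` against the mutable tag, so the SBOM can describe a different image than the one the attestation is bound to if the tag moves in between. Use `syft ${IMAGE}@${IMAGE_DIGEST}` there. Finally, `--since-commit HEAD~20` in step 1 scans only the last 20 commits, which does not on its own satisfy the `no secrets found in code or git history` gate declared in the front matter.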
@@ -0,0 +1,50 @@
|
|
|
1
|
+
# Infrastructure — guidance index
|
|
2
|
+
|
|
3
|
+
## What this area covers
|
|
4
|
+
|
|
5
|
+
Infrastructure-as-Code lifecycle: Terraform module authoring, environment provisioning and destruction, drift detection and remediation, state management, Ansible playbooks, cost optimization, and secret hygiene.
|
|
6
|
+
|
|
7
|
+
## Guidance chain
|
|
8
|
+
|
|
9
|
+
1. Project `.agent/` baseline
|
|
10
|
+
2. `infrastructure/rules/*` — load all
|
|
11
|
+
3. `infrastructure/skills/*/SKILL.md` — load only the skill matching the current task
|
|
12
|
+
4. `infrastructure/workflows/*` — load the workflow matching the triggered command
|
|
13
|
+
|
|
14
|
+
## Cross-cutting constraints
|
|
15
|
+
|
|
16
|
+
- **IaC-only changes** — zero manual console or CLI changes in non-development environments; document exceptions.
|
|
17
|
+
- **State is sacred** — never manually edit Terraform state; always use `terraform state` commands with documented justification.
|
|
18
|
+
- **Immutability over mutation** — replace resources rather than patching them in place where possible.
|
|
19
|
+
- **Secret hygiene** — no credentials, tokens, or keys in IaC code, state, or commit history.
|
|
20
|
+
|
|
21
|
+
## Spec map
|
|
22
|
+
|
|
23
|
+
```text
|
|
24
|
+
infrastructure/
|
|
25
|
+
├── rules/
|
|
26
|
+
│ ├── iac-standards.md ← module structure, naming, provider pinning
|
|
27
|
+
│ ├── immutability.md ← replace-before-destroy, no in-place secret mutations
|
|
28
|
+
│ ├── secret-hygiene.md ← vault integration, forbidden patterns, rotation policy
|
|
29
|
+
│ └── state-management.md ← backend config, state locking, import procedures
|
|
30
|
+
├── skills/
|
|
31
|
+
│ ├── terraform-modules/SKILL.md ← module authoring, variable design, output contracts
|
|
32
|
+
│ ├── ansible-playbooks/SKILL.md ← idempotency, role structure, vault integration
|
|
33
|
+
│ ├── drift-detection/SKILL.md ← plan-diff analysis, scheduled drift checks
|
|
34
|
+
│ ├── state-management/SKILL.md ← import, mv, rm, split-state patterns
|
|
35
|
+
│ └── cost-optimization/SKILL.md ← right-sizing, reserved capacity, unused resource cleanup
|
|
36
|
+
├── workflows/
|
|
37
|
+
│ ├── provision-environment.md ← /provision-environment
|
|
38
|
+
│ ├── destroy-environment.md ← /destroy-environment
|
|
39
|
+
│ ├── drift-remediation.md ← /drift-remediation
|
|
40
|
+
│ └── module-development.md ← /module-development
|
|
41
|
+
└── prompts/
|
|
42
|
+
└── *.md
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
## Discovery patterns
|
|
46
|
+
|
|
47
|
+
- `rules/*.md`
|
|
48
|
+
- `skills/*/SKILL.md`
|
|
49
|
+
- `workflows/*.md`
|
|
50
|
+
- `prompts/*.md`
|
|
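Review bot: the `Secret hygiene` constraint promises no credentials in Terraform state, which Terraform cannot deliver for resources whose provider returns a generated password or key (an RDS master password or a generated access key lands in state as plaintext whatever the code does). Rephrase it as "no secrets in IaC code or commit history; state is itself a secret: encrypted remote backend, access restricted, never committed" and point to `state-management.md` for the backend requirements. Also, `IaC-only changes` says "document exceptions" without saying where; the emergency exception process is defined in the immutability rule, so reference `rules/immutability.md` here rather than leaving the reader to find it.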
@@ -0,0 +1,81 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: destroy-environment
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/destroy-environment`
|
|
6
|
+
|
|
7
|
+
Use when: safely tearing down a temporary or obsolete environment and validating cleanup before cost, security, or data risks remain.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — Decommission sandbox environment
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/destroy-environment
|
|
16
|
+
|
|
17
|
+
Environment: sandbox-us-east-2
|
|
18
|
+
Provider: AWS
|
|
19
|
+
Resources expected: VPC, ECS service, RDS instance, S3 state bucket
|
|
20
|
+
Safety checks:
|
|
21
|
+
- confirm no production tags
|
|
22
|
+
- ensure latest backup snapshot exists
|
|
23
|
+
- require team-lead approval
|
|
24
|
+
Output: destruction plan, executed steps, leftover resources report
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
**RU:**
|
|
28
|
+
```
|
|
29
|
+
/destroy-environment
|
|
30
|
+
|
|
31
|
+
Окружение: sandbox-us-east-2
|
|
32
|
+
Провайдер: AWS
|
|
33
|
+
Ожидаемые ресурсы: VPC, ECS сервис, RDS инстанс, S3 state bucket
|
|
34
|
+
Проверки безопасности:
|
|
35
|
+
- подтвердить отсутствие production-тегов
|
|
36
|
+
- убедиться, что есть свежий backup snapshot
|
|
37
|
+
- обязательное подтверждение team-lead
|
|
38
|
+
Результат: план удаления, выполненные шаги, отчёт по оставшимся ресурсам
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
---
|
|
42
|
+
|
|
43
|
+
## Example 2 — Emergency cleanup of abandoned preview environment
|
|
44
|
+
|
|
45
|
+
**EN:**
|
|
46
|
+
```
|
|
47
|
+
/destroy-environment
|
|
48
|
+
|
|
49
|
+
Environment: pr-482-preview
|
|
50
|
+
Provider: Hetzner Cloud + Cloudflare DNS
|
|
51
|
+
Reason: preview stack was left running after branch deletion; monthly cost already > EUR 180
|
|
52
|
+
Resources expected:
|
|
53
|
+
- 3 VMs (1 control plane, 2 workers)
|
|
54
|
+
- k3s load balancer IP
|
|
55
|
+
- wildcard DNS record *.pr-482.dev.example.com
|
|
56
|
+
- object storage bucket with test uploads
|
|
57
|
+
Safety checks:
|
|
58
|
+
- verify no shared production bucket or DNS zone is referenced
|
|
59
|
+
- export last Terraform state and inventory before destroy
|
|
60
|
+
- confirm no QA session scheduled in the next 24h
|
|
61
|
+
Output: ordered teardown plan, DNS cleanup confirmation, cost savings estimate, and list of any dangling resources that require manual follow-up
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
**RU:**
|
|
65
|
+
```
|
|
66
|
+
/destroy-environment
|
|
67
|
+
|
|
68
|
+
Окружение: pr-482-preview
|
|
69
|
+
Провайдер: Hetzner Cloud + Cloudflare DNS
|
|
70
|
+
Причина: preview-стек остался запущенным после удаления ветки; ежемесячная стоимость уже > EUR 180
|
|
71
|
+
Ожидаемые ресурсы:
|
|
72
|
+
- 3 VM (1 control plane, 2 workers)
|
|
73
|
+
- k3s load balancer IP
|
|
74
|
+
- wildcard DNS запись *.pr-482.dev.example.com
|
|
75
|
+
- bucket объектного хранилища с тестовыми загрузками
|
|
76
|
+
Проверки безопасности:
|
|
77
|
+
- убедиться, что не используется общий production bucket или DNS зона
|
|
78
|
+
- экспортировать последний Terraform state и inventory перед удалением
|
|
79
|
+
- подтвердить, что в ближайшие 24ч не запланирована QA сессия
|
|
80
|
+
Результат: упорядоченный план удаления, подтверждение очистки DNS, оценка экономии и список dangling-ресурсов для ручного завершения
|
|
81
|
+
```
|
|
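Review bot: Example 1 lists the `S3 state bucket` among the resources the `/destroy-environment` run is expected to remove, which is a sequencing problem: that bucket holds the state `terraform destroy` is reading and writing, so it cannot be torn down by the same configuration, and deleting it first strands every other resource as untracked. Make the state bucket an explicit final step that runs only after the destroy has completed and the leftover-resources report is empty, and copy the `export last Terraform state and inventory before destroy` check from Example 2 into Example 1 so the record of what existed survives the teardown. The RDS check `ensure latest backup snapshot exists` should also say whether the destroy takes a final snapshot or relies on the existing one, since that decides whether data is recoverable afterwards.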
@@ -0,0 +1,71 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: drift-remediation
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/drift-remediation`
|
|
6
|
+
|
|
7
|
+
Use when: detecting and remediating infrastructure drift between Terraform state and actual cloud resources.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — Scheduled weekly drift audit
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/drift-remediation
|
|
16
|
+
|
|
17
|
+
Environment: production
|
|
18
|
+
Scope: all Terraform components (vpc, k8s-nodes, rds, iam-roles)
|
|
19
|
+
Mode: detect + classify (do NOT apply automatically)
|
|
20
|
+
Output:
|
|
21
|
+
- Drifted resources with change type (add/change/destroy)
|
|
22
|
+
- Classification: ACCEPT / REMEDIATE / INVESTIGATE per finding
|
|
23
|
+
- IAM or security group drift → automatic INVESTIGATE + incident
|
|
24
|
+
- Cost impact of untracked resources
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
**RU:**
|
|
28
|
+
```
|
|
29
|
+
/drift-remediation
|
|
30
|
+
|
|
31
|
+
Окружение: production
|
|
32
|
+
Скоуп: все Terraform компоненты (vpc, k8s-nodes, rds, iam-roles)
|
|
33
|
+
Режим: обнаружение + классификация (НЕ применять автоматически)
|
|
34
|
+
Вывод:
|
|
35
|
+
- Ресурсы с отклонением и типом изменения (add/change/destroy)
|
|
36
|
+
- Классификация: ACCEPT / REMEDIATE / INVESTIGATE для каждой находки
|
|
37
|
+
- Отклонение IAM или security group → автоматически INVESTIGATE + инцидент
|
|
38
|
+
- Влияние на стоимость неотслеживаемых ресурсов
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
---
|
|
42
|
+
|
|
43
|
+
## Example 2 — Post-incident: codify manual change
|
|
44
|
+
|
|
45
|
+
**EN:**
|
|
46
|
+
```
|
|
47
|
+
/drift-remediation
|
|
48
|
+
|
|
49
|
+
Context: INC-2024-099 — RDS manually scaled during P1 (db.r6g.large → db.r6g.xlarge)
|
|
50
|
+
Environment: production / Component: rds-postgres only
|
|
51
|
+
Decision: keep larger instance; codify in Terraform
|
|
52
|
+
Task:
|
|
53
|
+
1. Confirm drift = only instance class change
|
|
54
|
+
2. Update terraform.tfvars: db_instance_class = "db.r6g.xlarge"
|
|
55
|
+
3. Run plan — must show 0 changes (no-op = codified)
|
|
56
|
+
4. Merge PR; close incident
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
**RU:**
|
|
60
|
+
```
|
|
61
|
+
/drift-remediation
|
|
62
|
+
|
|
63
|
+
Контекст: INC-2024-099 — RDS вручную масштабирован во время P1 (db.r6g.large → db.r6g.xlarge)
|
|
64
|
+
Окружение: production / Компонент: только rds-postgres
|
|
65
|
+
Решение: оставить более крупный инстанс; закодировать в Terraform
|
|
66
|
+
Задача:
|
|
67
|
+
1. Подтвердить что отклонение = только изменение класса инстанса
|
|
68
|
+
2. Обновить terraform.tfvars: db_instance_class = "db.r6g.xlarge"
|
|
69
|
+
3. Запустить plan — должен показать 0 изменений (no-op = закодировано)
|
|
70
|
+
4. Слить PR; закрыть инцидент
|
|
71
|
+
```
|
|
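Review bot: Example 1 audits production with a plain plan, which conflates real drift (the cloud resource no longer matches state) with pending configuration changes (code merged but not yet applied). Specify `terraform plan -refresh-only` for the drift audit so only state-versus-reality differences are reported, and keep a regular `terraform plan` as a separate signal for unapplied changes; otherwise an unapplied PR shows up as `REMEDIATE` drift, and an IAM change sitting in an unapplied PR triggers the `INVESTIGATE + incident` rule for nothing. In Example 2, step 3's `plan must show 0 changes` is the right acceptance test, but say which plan: a no-op from a regular `terraform plan` after the tfvars update proves the change is codified, whereas a no-op from `-refresh-only` alone only proves state already matched the cloud.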
@@ -0,0 +1,69 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: module-development
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/module-development`
|
|
6
|
+
|
|
7
|
+
Use when: creating or refactoring a Terraform module for team-wide reuse.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — New cloud-agnostic K8s node pool module
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/module-development
|
|
16
|
+
|
|
17
|
+
Module: k8s-node-pool
|
|
18
|
+
Purpose: provision worker nodes with uniform config (Hetzner primary, AWS secondary)
|
|
19
|
+
Inputs: node_count, instance_type, zone, k8s_version (label only), common_tags
|
|
20
|
+
Outputs: node IPs (list), SSH fingerprints
|
|
21
|
+
Constraints:
|
|
22
|
+
- No provider config inside module
|
|
23
|
+
- All sensitive outputs marked sensitive = true
|
|
24
|
+
- validation{} blocks on all critical variables
|
|
25
|
+
- example/ dir with both Hetzner + AWS usage
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
**RU:**
|
|
29
|
+
```
|
|
30
|
+
/module-development
|
|
31
|
+
|
|
32
|
+
Модуль: k8s-node-pool
|
|
33
|
+
Назначение: создание worker нод с единой конфигурацией (Hetzner основной, AWS вторичный)
|
|
34
|
+
Входные параметры: node_count, instance_type, zone, k8s_version (только лейбл), common_tags
|
|
35
|
+
Выходные данные: IP нод (list), SSH fingerprints
|
|
36
|
+
Ограничения:
|
|
37
|
+
- Без конфигурации провайдера внутри модуля
|
|
38
|
+
- Все sensitive выходные данные: sensitive = true
|
|
39
|
+
- validation{} блоки для всех критических переменных
|
|
40
|
+
- Директория example/ с примерами для Hetzner и AWS
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
---
|
|
44
|
+
|
|
45
|
+
## Example 2 — Refactor: extract reusable VPC module from monolith
|
|
46
|
+
|
|
47
|
+
**EN:**
|
|
48
|
+
```
|
|
49
|
+
/module-development
|
|
50
|
+
|
|
51
|
+
Task: extract VPC/subnet config from environments/production/main.tf into reusable module
|
|
52
|
+
Current state: all networking hardcoded in one file (3 AZs, specific CIDRs, specific tags)
|
|
53
|
+
Target: generic modules/vpc/ with variable inputs for CIDR, AZ count, tags
|
|
54
|
+
Safety: use moved{} blocks to prevent destroy+recreate during extraction
|
|
55
|
+
Must work for: AWS (VPC/subnets/IGW/NAT) and Hetzner (network/subnets)
|
|
56
|
+
Include: README.md with required vs optional variables, outputs, example usage
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
**RU:**
|
|
60
|
+
```
|
|
61
|
+
/module-development
|
|
62
|
+
|
|
63
|
+
Задача: извлечь конфигурацию VPC/подсетей из environments/production/main.tf в переиспользуемый модуль
|
|
64
|
+
Текущее состояние: вся сеть захардкожена в одном файле (3 AZ, конкретные CIDR, конкретные теги)
|
|
65
|
+
Цель: универсальный modules/vpc/ с переменными для CIDR, количества AZ, тегов
|
|
66
|
+
Безопасность: использовать блоки moved{} для предотвращения destroy+recreate при рефакторинге
|
|
67
|
+
Должен работать для: AWS (VPC/подсети/IGW/NAT) и Hetzner (network/подсети)
|
|
68
|
+
Включить: README.md с обязательными и опциональными переменными, outputs, примером использования
|
|
69
|
+
```
|
|
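Review bot: Example 1 asks for a single `k8s-node-pool` module that provisions on Hetzner or AWS while requiring `No provider config inside module`, and those two requirements pull against each other in Terraform: a module that declares both `hcloud_server` and `aws_instance` resources (even behind `count = 0`) forces every caller to declare and configure both providers, so the AWS-only environment still needs Hetzner credentials and vice versa. Either split into two modules (`k8s-node-pool-hcloud`, `k8s-node-pool-aws`) that share one input and output contract, or state in the prompt that callers must pass both providers through `providers = {}`. The `example/ dir with both Hetzner + AWS usage` constraint then becomes one example per module. Example 2's `moved{}` requirement is the right safeguard; add that the PR must attach a `terraform plan` showing zero destroy/create actions, since that is the only evidence the moved blocks are complete.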
@@ -0,0 +1,121 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: provision-environment
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/provision-environment`
|
|
6
|
+
|
|
7
|
+
Use when: provisioning or expanding infrastructure environments with Terraform and Ansible, while keeping cost, node configuration, and rollout safety explicit.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — Full staging environment on Hetzner
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/provision-environment
|
|
16
|
+
|
|
17
|
+
Environment: staging / Cloud: Hetzner Cloud
|
|
18
|
+
Scope: all (network + compute + K8s-ready node config)
|
|
19
|
+
Resources:
|
|
20
|
+
- Private network: 10.0.0.0/16
|
|
21
|
+
- 1× cx31 control plane + 3× cx21 workers (Ubuntu 22.04)
|
|
22
|
+
- Load balancer for K8s API (port 6443)
|
|
23
|
+
- Firewall: deny-all inbound; allow SSH from jump-host IP only
|
|
24
|
+
IaC: Terraform for cloud resources, Ansible for OS config (K8s prereqs, containerd, kubeadm)
|
|
25
|
+
Outputs: server IPs to SSM; Ansible inventory file
|
|
26
|
+
Cost estimate: required in plan output
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
**RU:**
|
|
30
|
+
```
|
|
31
|
+
/provision-environment
|
|
32
|
+
|
|
33
|
+
Окружение: staging / Облако: Hetzner Cloud
|
|
34
|
+
Скоуп: всё (сеть + вычисления + конфигурация нод для K8s)
|
|
35
|
+
Ресурсы:
|
|
36
|
+
- Приватная сеть: 10.0.0.0/16
|
|
37
|
+
- 1× cx31 control plane + 3× cx21 workers (Ubuntu 22.04)
|
|
38
|
+
- Load balancer для K8s API (порт 6443)
|
|
39
|
+
- Firewall: deny-all входящий; разрешить SSH только с IP jump-host
|
|
40
|
+
IaC: Terraform для облачных ресурсов, Ansible для конфига ОС
|
|
41
|
+
Выходные данные: IP серверов в SSM; inventory файл для Ansible
|
|
42
|
+
Оценка стоимости: обязательна в выводе plan
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
---
|
|
46
|
+
|
|
47
|
+
## Example 2 — Ansible role for K8s node prerequisites
|
|
48
|
+
|
|
49
|
+
**EN:**
|
|
50
|
+
```
|
|
51
|
+
/provision-environment
|
|
52
|
+
|
|
53
|
+
Task: write idempotent Ansible role for K8s node prerequisites
|
|
54
|
+
Target OS: Ubuntu 22.04 LTS
|
|
55
|
+
Role name: k8s-prereqs
|
|
56
|
+
Tasks to cover:
|
|
57
|
+
- Disable swap (permanent, survives reboot: /etc/fstab edit)
|
|
58
|
+
- Load kernel modules: overlay, br_netfilter (persistent via /etc/modules-load.d)
|
|
59
|
+
- Set sysctl params: net.bridge.bridge-nf-call-iptables=1, net.ipv4.ip_forward=1
|
|
60
|
+
- Install containerd (from official apt repo, pin version)
|
|
61
|
+
- Configure containerd: SystemdCgroup=true, correct config.toml
|
|
62
|
+
- Install kubeadm, kubelet, kubectl (pinned to 1.31.x; apt-mark hold)
|
|
63
|
+
- Restart containerd handler (only on config change)
|
|
64
|
+
Testing: molecule test scenario with Ubuntu 22.04 container
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
**RU:**
|
|
68
|
+
```
|
|
69
|
+
/provision-environment
|
|
70
|
+
|
|
71
|
+
Задача: написать идемпотентную Ansible роль для K8s node prerequisites
|
|
72
|
+
Целевая ОС: Ubuntu 22.04 LTS
|
|
73
|
+
Название роли: k8s-prereqs
|
|
74
|
+
Задачи для покрытия:
|
|
75
|
+
- Отключение swap (постоянно, переживает перезагрузку: редактирование /etc/fstab)
|
|
76
|
+
- Загрузка kernel modules: overlay, br_netfilter (постоянно через /etc/modules-load.d)
|
|
77
|
+
- Установка sysctl параметров: net.bridge.bridge-nf-call-iptables=1, net.ipv4.ip_forward=1
|
|
78
|
+
- Установка containerd (из официального apt репозитория, с pinned версией)
|
|
79
|
+
- Конфигурация containerd: SystemdCgroup=true, корректный config.toml
|
|
80
|
+
- Установка kubeadm, kubelet, kubectl (pinned to 1.31.x; apt-mark hold)
|
|
81
|
+
- Handler перезапуска containerd (только при изменении конфига)
|
|
82
|
+
Тестирование: molecule test сценарий с Ubuntu 22.04 контейнером
|
|
83
|
+
```
|
|
84
|
+
|
|
85
|
+
---
|
|
86
|
+
|
|
87
|
+
## Example 3 — Monthly cloud cost audit (Hetzner + AWS)
|
|
88
|
+
|
|
89
|
+
**EN:**
|
|
90
|
+
```
|
|
91
|
+
/provision-environment
|
|
92
|
+
|
|
93
|
+
Scope: full infrastructure cost audit
|
|
94
|
+
Cloud providers: Hetzner (bare-metal K8s cluster) + AWS (S3, SES, Route53)
|
|
95
|
+
Monthly budget: €2,000 / actual last 3 months: €2,800 (+40% over budget)
|
|
96
|
+
Terraform state available: all resources tagged with Project, Environment, Owner
|
|
97
|
+
Goals:
|
|
98
|
+
1. Identify top-5 most expensive resources
|
|
99
|
+
2. Find unused resources: stopped VMs, unattached volumes, unused LBs, idle databases
|
|
100
|
+
3. Right-size: find over-provisioned nodes (< 20% average CPU/memory utilization)
|
|
101
|
+
4. Spot opportunities: which workloads could use spot/preemptible instances?
|
|
102
|
+
5. Output: prioritized savings plan with estimated monthly savings per action
|
|
103
|
+
Tools available: infracost (for TF estimate), Prometheus for utilization metrics
|
|
104
|
+
```
|
|
105
|
+
|
|
106
|
+
**RU:**
|
|
107
|
+
```
|
|
108
|
+
/provision-environment
|
|
109
|
+
|
|
110
|
+
Скоуп: полный аудит затрат на инфраструктуру
|
|
111
|
+
Облачные провайдеры: Hetzner (bare-metal K8s кластер) + AWS (S3, SES, Route53)
|
|
112
|
+
Месячный бюджет: €2,000 / фактически последние 3 месяца: €2,800 (+40% сверх бюджета)
|
|
113
|
+
Terraform state доступен: все ресурсы тегированы Project, Environment, Owner
|
|
114
|
+
Цели:
|
|
115
|
+
1. Определить топ-5 самых дорогих ресурсов
|
|
116
|
+
2. Найти неиспользуемые ресурсы: остановленные ВМ, неподключённые диски, простаивающие LB и БД
|
|
117
|
+
3. Right-size: найти избыточно выделенные ноды (< 20% среднего использования CPU/памяти)
|
|
118
|
+
4. Spot возможности: какие workloads могут использовать spot/preemptible инстансы?
|
|
119
|
+
5. Результат: приоритизированный план экономии с оценкой ежемесячной экономии на каждое действие
|
|
120
|
+
Доступные инструменты: infracost (для оценки TF), Prometheus для метрик использования
|
|
121
|
+
```
|
|
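Review bot: Example 1's network spec contradicts itself: `Firewall: deny-all inbound; allow SSH from jump-host IP only` leaves no inbound path to the `Load balancer for K8s API (port 6443)`, and a deny-all firewall on the nodes also blocks the traffic kubeadm needs between them (6443 from workers to the control plane, 10250 for the kubelet, the CNI overlay port). State which source ranges may reach 6443 (the private network plus the jump host, not 0.0.0.0/0) and that intra-network traffic is permitted. Two smaller points: `Outputs: server IPs to SSM` makes a Hetzner-only staging stack depend on AWS credentials in the pipeline, which should be explicit in the prompt or replaced with Terraform outputs; and Example 3 is a cost audit, not provisioning, so it does not match this command's `Use when` line and belongs with the `cost-optimization` skill listed in the area index.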
@@ -0,0 +1,80 @@
|
|
|
1
|
+
# Rule: IaC Standards
|
|
2
|
+
|
|
3
|
+
**Priority**: P0 — IaC violations block infrastructure changes.
|
|
4
|
+
|
|
5
|
+
## Terraform
|
|
6
|
+
|
|
7
|
+
1. **All infrastructure is code**
|
|
8
|
+
- Every production resource must have a corresponding Terraform resource.
|
|
9
|
+
- Resources created outside Terraform are subject to automated removal within 7 days.
|
|
10
|
+
- Exception process: emergency manual change → IaC PR within 24 hours.
|
|
11
|
+
|
|
12
|
+
2. **Module structure**
|
|
13
|
+
```
|
|
14
|
+
terraform/
|
|
15
|
+
├── modules/ ← reusable, generic (no env-specific values)
|
|
16
|
+
│ ├── vpc/
|
|
17
|
+
│ ├── eks-cluster/ or k8s-node-pool/
|
|
18
|
+
│ ├── rds-postgres/
|
|
19
|
+
│ └── object-storage/
|
|
20
|
+
└── environments/
|
|
21
|
+
├── staging/ ← tfvars + backend config
|
|
22
|
+
└── production/ ← tfvars + backend config
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
3. **Version pinning — mandatory**
|
|
26
|
+
```hcl
|
|
27
|
+
terraform {
|
|
28
|
+
required_version = ">= 1.9, < 2.0"
|
|
29
|
+
required_providers {
|
|
30
|
+
aws = { source = "hashicorp/aws", version = "~> 5.50" }
|
|
31
|
+
}
|
|
32
|
+
}
|
|
33
|
+
# Module references: use version tags, never ?ref=main in production
|
|
34
|
+
module "vpc" {
|
|
35
|
+
source = "git::https://git.example.com/infra/modules//vpc?ref=v1.4.2"
|
|
36
|
+
}
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
4. **Naming convention**
|
|
40
|
+
```hcl
|
|
41
|
+
# pattern: {project}-{environment}-{resource}-{optional-suffix}
|
|
42
|
+
name = "${var.project}-${var.environment}-${var.name}"
|
|
43
|
+
# e.g. myapp-production-postgres-primary
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
5. **Mandatory tags on every resource**
|
|
47
|
+
```hcl
|
|
48
|
+
locals {
|
|
49
|
+
common_tags = {
|
|
50
|
+
Project = var.project
|
|
51
|
+
Environment = var.environment
|
|
52
|
+
ManagedBy = "terraform"
|
|
53
|
+
Owner = var.team_name
|
|
54
|
+
CostCenter = var.cost_center
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
## Ansible
|
|
60
|
+
|
|
61
|
+
6. **Idempotency required** — every task must be safe to run multiple times with identical outcome.
|
|
62
|
+
|
|
63
|
+
7. **Roles structure**
|
|
64
|
+
```
|
|
65
|
+
roles/
|
|
66
|
+
└── my-role/
|
|
67
|
+
├── tasks/main.yml
|
|
68
|
+
├── defaults/main.yml ← all variables with safe defaults
|
|
69
|
+
├── vars/main.yml ← internal constants
|
|
70
|
+
├── templates/
|
|
71
|
+
├── handlers/main.yml
|
|
72
|
+
└── meta/main.yml ← dependencies declared
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
8. **No inline secrets** — use `ansible-vault` or reference from HashiCorp Vault / environment variables. Plain-text secrets in playbooks or vars files are a P0 violation.
|
|
76
|
+
|
|
77
|
+
## Universal
|
|
78
|
+
|
|
79
|
+
9. **Peer review required for all IaC changes** — `terraform plan` output attached to PR; `ansible-lint` must pass.
|
|
80
|
+
10. **Dry-run before apply** — `terraform plan` / `--check` mode reviewed and approved; never skip in CI.
|
|
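Review bot: rule 3 pins module sources to a git tag (`?ref=v1.4.2`), which prevents accidental `main` drift but not supply-chain tampering: a tag is a mutable ref that anyone with push rights to the modules repository can move to a different commit. For production, either pin `?ref=` to the full commit SHA and record the tag in a comment, or require protected and signed tags on `infra/modules` and say so in this rule. Smaller fixes: the naming rule's pattern and example have four segments (`myapp-production-postgres-primary`) while the expression has three (`${var.project}-${var.environment}-${var.name}`), so add the optional suffix to the expression or drop it from the example; and rule 10's `--check` should read `ansible-playbook --check --diff`, since `--check` alone reports that tasks would change without showing what.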
@@ -0,0 +1,28 @@
|
|
|
1
|
+
# Rule: Immutable Infrastructure
|
|
2
|
+
|
|
3
|
+
**Priority**: P0 — Manual changes to running infrastructure are a critical policy violation.
|
|
4
|
+
|
|
5
|
+
## Core Constraints
|
|
6
|
+
|
|
7
|
+
1. **No SSH patching of running servers** — the fix is a new image + redeploy, not in-place modification.
|
|
8
|
+
|
|
9
|
+
2. **Terraform is the single source of truth** — cloud console, CLI, or SDK changes that bypass Terraform are forbidden in production. Drift = violation.
|
|
10
|
+
|
|
11
|
+
3. **Immutable image tags** — container images in production always reference content-addressed digest (`image@sha256:...`), never `:latest` or mutable tags.
|
|
12
|
+
|
|
13
|
+
4. **Module versioning** — all Terraform module references pinned to semantic version tags. `?ref=main` is forbidden in staging and production.
|
|
14
|
+
|
|
15
|
+
5. **Emergency exception process**
|
|
16
|
+
- Manual change allowed only for P0 incidents.
|
|
17
|
+
- Requires: Slack announcement + ticket + on-call sign-off.
|
|
18
|
+
- IaC PR to codify the change must be merged within **24 hours**.
|
|
19
|
+
- Recurring manual changes for the same resource = architecture review required.
|
|
20
|
+
|
|
21
|
+
## Drift Policy
|
|
22
|
+
|
|
23
|
+
6. **Drift detection runs every 6 hours** via CI scheduled job (`terraform plan`).
|
|
24
|
+
7. **Detected drift classifications:**
|
|
25
|
+
- `ACCEPT`: approved architectural exception (documented in PR) → suppress alert
|
|
26
|
+
- `REMEDIATE`: unintended change → create ticket, remediate within 48h
|
|
27
|
+
- `INVESTIGATE`: unknown origin → P1 incident, may indicate unauthorized access
|
|
28
|
+
8. **Drift in production security groups or IAM** → automatic P1 incident regardless of size.
|
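Review bot: the `ACCEPT` classification in rule 7 (`approved architectural exception → suppress alert`) undercuts rule 2's `Terraform is the single source of truth`: if accepted drift is only alert-suppressed, the same diff reappears in every 6-hour plan, the suppression has to be maintained by hand, and new drift in the same resource hides behind it. Make ACCEPT mean "codify the accepted state" instead, either by updating the configuration or by adding `lifecycle { ignore_changes = [...] }` for the attribute that is intentionally managed elsewhere, so the scheduled plan is clean again. Rule 8 is right to treat security-group and IAM drift as P1; add that the 6-hour job in rule 6 runs with read-only credentials (plan only, no apply permissions), otherwise the drift detector itself becomes a standing high-privilege credential in CI.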