@jetrabbits/agentic 0.0.1
- package/AGENTS.md +143 -0
- package/README.md +154 -0
- package/agentic +1615 -0
- package/areas/devops/ci-cd/AGENTS.md +48 -0
- package/areas/devops/ci-cd/PROMPTS.md +7 -0
- package/areas/devops/ci-cd/prompts/onboard-repo.md +97 -0
- package/areas/devops/ci-cd/prompts/pipeline-debug.md +103 -0
- package/areas/devops/ci-cd/prompts/release-pipeline.md +115 -0
- package/areas/devops/ci-cd/rules/pipeline-standards.md +33 -0
- package/areas/devops/ci-cd/rules/quality-gates.md +24 -0
- package/areas/devops/ci-cd/rules/supply-chain-security.md +34 -0
- package/areas/devops/ci-cd/skills/artifact-management/SKILL.md +157 -0
- package/areas/devops/ci-cd/skills/build-optimization/SKILL.md +168 -0
- package/areas/devops/ci-cd/skills/github-actions-patterns/SKILL.md +190 -0
- package/areas/devops/ci-cd/skills/gitlab-ci-patterns/SKILL.md +169 -0
- package/areas/devops/ci-cd/skills/pipeline-security/SKILL.md +161 -0
- package/areas/devops/ci-cd/workflows/onboard-repo.md +73 -0
- package/areas/devops/ci-cd/workflows/pipeline-debug.md +66 -0
- package/areas/devops/ci-cd/workflows/release-pipeline.md +115 -0
- package/areas/devops/database-ops/AGENTS.md +47 -0
- package/areas/devops/database-ops/prompts/backup-verify.md +83 -0
- package/areas/devops/database-ops/prompts/db-incident.md +127 -0
- package/areas/devops/database-ops/rules/access-control.md +20 -0
- package/areas/devops/database-ops/rules/backup-policy.md +33 -0
- package/areas/devops/database-ops/rules/migration-runbook.md +32 -0
- package/areas/devops/database-ops/skills/backup-restore/SKILL.md +226 -0
- package/areas/devops/database-ops/skills/db-performance/SKILL.md +205 -0
- package/areas/devops/database-ops/skills/migration-safety/SKILL.md +155 -0
- package/areas/devops/database-ops/skills/postgres-operations/SKILL.md +156 -0
- package/areas/devops/database-ops/skills/redis-operations/SKILL.md +174 -0
- package/areas/devops/database-ops/workflows/backup-verify.md +107 -0
- package/areas/devops/database-ops/workflows/db-incident.md +86 -0
- package/areas/devops/devsecops/AGENTS.md +47 -0
- package/areas/devops/devsecops/prompts/policy-onboard.md +79 -0
- package/areas/devops/devsecops/prompts/security-scan-pipeline.md +131 -0
- package/areas/devops/devsecops/rules/container-security.md +22 -0
- package/areas/devops/devsecops/rules/policy-as-code.md +37 -0
- package/areas/devops/devsecops/rules/shift-left-policy.md +26 -0
- package/areas/devops/devsecops/skills/container-hardening/SKILL.md +146 -0
- package/areas/devops/devsecops/skills/opa-policies/SKILL.md +188 -0
- package/areas/devops/devsecops/skills/sbom-supply-chain/SKILL.md +165 -0
- package/areas/devops/devsecops/skills/secret-detection/SKILL.md +190 -0
- package/areas/devops/devsecops/skills/sigstore-signing/SKILL.md +184 -0
- package/areas/devops/devsecops/workflows/policy-onboard.md +104 -0
- package/areas/devops/devsecops/workflows/security-scan-pipeline.md +155 -0
- package/areas/devops/infrastructure/AGENTS.md +50 -0
- package/areas/devops/infrastructure/prompts/destroy-environment.md +81 -0
- package/areas/devops/infrastructure/prompts/drift-remediation.md +71 -0
- package/areas/devops/infrastructure/prompts/module-development.md +69 -0
- package/areas/devops/infrastructure/prompts/provision-environment.md +121 -0
- package/areas/devops/infrastructure/rules/iac-standards.md +80 -0
- package/areas/devops/infrastructure/rules/immutability.md +28 -0
- package/areas/devops/infrastructure/rules/secret-hygiene.md +53 -0
- package/areas/devops/infrastructure/rules/state-management.md +47 -0
- package/areas/devops/infrastructure/skills/ansible-playbooks/SKILL.md +174 -0
- package/areas/devops/infrastructure/skills/cost-optimization/SKILL.md +177 -0
- package/areas/devops/infrastructure/skills/drift-detection/SKILL.md +178 -0
- package/areas/devops/infrastructure/skills/state-management/SKILL.md +159 -0
- package/areas/devops/infrastructure/skills/terraform-modules/SKILL.md +169 -0
- package/areas/devops/infrastructure/workflows/destroy-environment.md +96 -0
- package/areas/devops/infrastructure/workflows/drift-remediation.md +66 -0
- package/areas/devops/infrastructure/workflows/module-development.md +101 -0
- package/areas/devops/infrastructure/workflows/provision-environment.md +96 -0
- package/areas/devops/kubernetes/AGENTS.md +57 -0
- package/areas/devops/kubernetes/PROMPTS.md +9 -0
- package/areas/devops/kubernetes/prompts/cluster-bootstrap.md +67 -0
- package/areas/devops/kubernetes/prompts/debug-workload.md +91 -0
- package/areas/devops/kubernetes/prompts/onboard-service.md +101 -0
- package/areas/devops/kubernetes/prompts/upgrade-cluster.md +63 -0
- package/areas/devops/kubernetes/rules/cluster-standards.md +51 -0
- package/areas/devops/kubernetes/rules/resource-governance.md +80 -0
- package/areas/devops/kubernetes/rules/upgrade-policy.md +52 -0
- package/areas/devops/kubernetes/rules/workload-security.md +64 -0
- package/areas/devops/kubernetes/skills/cluster-operations/SKILL.md +136 -0
- package/areas/devops/kubernetes/skills/helm-charts/SKILL.md +152 -0
- package/areas/devops/kubernetes/skills/network-policies/SKILL.md +169 -0
- package/areas/devops/kubernetes/skills/pod-troubleshooting/SKILL.md +129 -0
- package/areas/devops/kubernetes/skills/rbac-design/SKILL.md +148 -0
- package/areas/devops/kubernetes/skills/resource-tuning/SKILL.md +156 -0
- package/areas/devops/kubernetes/workflows/cluster-bootstrap.md +194 -0
- package/areas/devops/kubernetes/workflows/debug-workload.md +108 -0
- package/areas/devops/kubernetes/workflows/onboard-service.md +124 -0
- package/areas/devops/kubernetes/workflows/upgrade-cluster.md +165 -0
- package/areas/devops/networking/AGENTS.md +47 -0
- package/areas/devops/networking/prompts/onboard-ingress.md +119 -0
- package/areas/devops/networking/prompts/service-mesh-onboard.md +77 -0
- package/areas/devops/networking/rules/ingress-standards.md +17 -0
- package/areas/devops/networking/rules/network-segmentation.md +24 -0
- package/areas/devops/networking/rules/tls-policy.md +32 -0
- package/areas/devops/networking/skills/dns-management/SKILL.md +169 -0
- package/areas/devops/networking/skills/ingress-patterns/SKILL.md +165 -0
- package/areas/devops/networking/skills/service-mesh/SKILL.md +206 -0
- package/areas/devops/networking/skills/tls-termination/SKILL.md +198 -0
- package/areas/devops/networking/skills/vpc-design/SKILL.md +132 -0
- package/areas/devops/networking/workflows/onboard-ingress.md +64 -0
- package/areas/devops/networking/workflows/service-mesh-onboard.md +122 -0
- package/areas/devops/observability/AGENTS.md +48 -0
- package/areas/devops/observability/prompts/alert-investigation.md +117 -0
- package/areas/devops/observability/prompts/observability-stack-setup.md +99 -0
- package/areas/devops/observability/prompts/onboard-service-monitoring.md +79 -0
- package/areas/devops/observability/rules/alerting-standards.md +36 -0
- package/areas/devops/observability/rules/data-retention.md +19 -0
- package/areas/devops/observability/rules/golden-signals.md +28 -0
- package/areas/devops/observability/skills/distributed-tracing/SKILL.md +149 -0
- package/areas/devops/observability/skills/grafana-dashboards/SKILL.md +201 -0
- package/areas/devops/observability/skills/log-aggregation/SKILL.md +159 -0
- package/areas/devops/observability/skills/prometheus-alertmanager/SKILL.md +188 -0
- package/areas/devops/observability/skills/slo-implementation/SKILL.md +189 -0
- package/areas/devops/observability/workflows/alert-investigation.md +98 -0
- package/areas/devops/observability/workflows/observability-stack-setup.md +156 -0
- package/areas/devops/observability/workflows/onboard-service-monitoring.md +83 -0
- package/areas/devops/sre/AGENTS.md +48 -0
- package/areas/devops/sre/prompts/incident-response.md +129 -0
- package/areas/devops/sre/prompts/postmortem.md +101 -0
- package/areas/devops/sre/prompts/slo-review.md +125 -0
- package/areas/devops/sre/rules/error-budget-policy.md +25 -0
- package/areas/devops/sre/rules/on-call-standards.md +25 -0
- package/areas/devops/sre/rules/slo-policy.md +31 -0
- package/areas/devops/sre/skills/capacity-planning/SKILL.md +162 -0
- package/areas/devops/sre/skills/chaos-engineering/SKILL.md +186 -0
- package/areas/devops/sre/skills/incident-command/SKILL.md +119 -0
- package/areas/devops/sre/skills/postmortem-analysis/SKILL.md +104 -0
- package/areas/devops/sre/skills/slo-sli-design/SKILL.md +145 -0
- package/areas/devops/sre/workflows/incident-response.md +66 -0
- package/areas/devops/sre/workflows/postmortem.md +90 -0
- package/areas/devops/sre/workflows/slo-review.md +95 -0
- package/areas/software/backend/AGENTS.md +59 -0
- package/areas/software/backend/PROMPTS.md +50 -0
- package/areas/software/backend/README.md +48 -0
- package/areas/software/backend/prompts/add-migration.md +93 -0
- package/areas/software/backend/prompts/create-endpoint.md +97 -0
- package/areas/software/backend/prompts/debug-issue.md +87 -0
- package/areas/software/backend/prompts/develop-epic.md +83 -0
- package/areas/software/backend/prompts/develop-feature.md +91 -0
- package/areas/software/backend/prompts/refactor-module.md +79 -0
- package/areas/software/backend/prompts/test-feature.md +89 -0
- package/areas/software/backend/rules/architecture.md +20 -0
- package/areas/software/backend/rules/data_access.md +20 -0
- package/areas/software/backend/rules/security.md +20 -0
- package/areas/software/backend/rules/testing.md +19 -0
- package/areas/software/backend/skills/api-design/SKILL.md +170 -0
- package/areas/software/backend/skills/async-processing/SKILL.md +152 -0
- package/areas/software/backend/skills/database-modeling/SKILL.md +173 -0
- package/areas/software/backend/skills/observability/SKILL.md +162 -0
- package/areas/software/backend/skills/troubleshooting/SKILL.md +139 -0
- package/areas/software/backend/workflows/add-migration.md +79 -0
- package/areas/software/backend/workflows/create-endpoint.md +89 -0
- package/areas/software/backend/workflows/debug-issue.md +77 -0
- package/areas/software/backend/workflows/develop-epic.md +78 -0
- package/areas/software/backend/workflows/develop-feature.md +98 -0
- package/areas/software/backend/workflows/refactor-module.md +73 -0
- package/areas/software/backend/workflows/test-feature.md +67 -0
- package/areas/software/data-engineering/AGENTS.md +59 -0
- package/areas/software/data-engineering/PROMPTS.md +32 -0
- package/areas/software/data-engineering/prompts/backfill-data.md +107 -0
- package/areas/software/data-engineering/prompts/data-quality-incident.md +109 -0
- package/areas/software/data-engineering/prompts/lineage-trace.md +121 -0
- package/areas/software/data-engineering/prompts/new-model.md +117 -0
- package/areas/software/data-engineering/prompts/schema-migration.md +111 -0
- package/areas/software/data-engineering/rules/data-governance.md +11 -0
- package/areas/software/data-engineering/rules/pii-handling.md +19 -0
- package/areas/software/data-engineering/rules/pipeline-integrity.md +11 -0
- package/areas/software/data-engineering/rules/schema-management.md +21 -0
- package/areas/software/data-engineering/skills/data-modeling/SKILL.md +49 -0
- package/areas/software/data-engineering/skills/dbt-patterns/SKILL.md +43 -0
- package/areas/software/data-engineering/skills/lineage-governance/SKILL.md +38 -0
- package/areas/software/data-engineering/skills/orchestration/SKILL.md +35 -0
- package/areas/software/data-engineering/skills/quality-checks/SKILL.md +50 -0
- package/areas/software/data-engineering/skills/sql-optimization/SKILL.md +47 -0
- package/areas/software/data-engineering/skills/streaming-patterns/SKILL.md +48 -0
- package/areas/software/data-engineering/workflows/backfill-data.md +59 -0
- package/areas/software/data-engineering/workflows/data-quality-incident.md +64 -0
- package/areas/software/data-engineering/workflows/lineage-trace.md +56 -0
- package/areas/software/data-engineering/workflows/new-model.md +71 -0
- package/areas/software/data-engineering/workflows/schema-migration.md +67 -0
- package/areas/software/frontend/AGENTS.md +60 -0
- package/areas/software/frontend/PROMPTS.md +32 -0
- package/areas/software/frontend/prompts/a11y-fix.md +75 -0
- package/areas/software/frontend/prompts/bundle-analyze.md +75 -0
- package/areas/software/frontend/prompts/release-prep.md +83 -0
- package/areas/software/frontend/prompts/scaffold-component.md +69 -0
- package/areas/software/frontend/prompts/visual-regression.md +73 -0
- package/areas/software/frontend/rules/accessibility.md +16 -0
- package/areas/software/frontend/rules/architecture.md +29 -0
- package/areas/software/frontend/rules/performance.md +23 -0
- package/areas/software/frontend/rules/quality.md +12 -0
- package/areas/software/frontend/skills/a11y-audit/SKILL.md +61 -0
- package/areas/software/frontend/skills/api-integration/SKILL.md +58 -0
- package/areas/software/frontend/skills/component-design/SKILL.md +171 -0
- package/areas/software/frontend/skills/css-architecture/SKILL.md +146 -0
- package/areas/software/frontend/skills/error-handling/SKILL.md +55 -0
- package/areas/software/frontend/skills/performance-tuning/SKILL.md +58 -0
- package/areas/software/frontend/skills/state-management/SKILL.md +54 -0
- package/areas/software/frontend/skills/testing-patterns/SKILL.md +69 -0
- package/areas/software/frontend/workflows/a11y-fix.md +63 -0
- package/areas/software/frontend/workflows/bundle-analyze.md +56 -0
- package/areas/software/frontend/workflows/release-prep.md +66 -0
- package/areas/software/frontend/workflows/scaffold-component.md +67 -0
- package/areas/software/frontend/workflows/visual-regression.md +65 -0
- package/areas/software/full-stack/AGENTS.md +72 -0
- package/areas/software/full-stack/PROMPTS.md +66 -0
- package/areas/software/full-stack/prompts/backend-project-full-cycle.md +141 -0
- package/areas/software/full-stack/prompts/debug-issue.md +115 -0
- package/areas/software/full-stack/prompts/develop-feature.md +119 -0
- package/areas/software/full-stack/prompts/feature-implementation-flow.md +137 -0
- package/areas/software/full-stack/prompts/testing-ci-pipeline.md +119 -0
- package/areas/software/full-stack/rules/api-design-guide.md +24 -0
- package/areas/software/full-stack/rules/async-concurrency-guide.md +21 -0
- package/areas/software/full-stack/rules/backend-architecture-rule.md +41 -0
- package/areas/software/full-stack/rules/background-jobs-guide.md +20 -0
- package/areas/software/full-stack/rules/code-quality-guide.md +22 -0
- package/areas/software/full-stack/rules/database-access-guide.md +24 -0
- package/areas/software/full-stack/rules/database-migrations-guide.md +24 -0
- package/areas/software/full-stack/rules/domain-models-guide.md +28 -0
- package/areas/software/full-stack/rules/e2e-test-guide.md +18 -0
- package/areas/software/full-stack/rules/env-settings-guide.md +34 -0
- package/areas/software/full-stack/rules/error-handling-guide.md +20 -0
- package/areas/software/full-stack/rules/logging-observability-guide.md +22 -0
- package/areas/software/full-stack/rules/project-guide.md +34 -0
- package/areas/software/full-stack/rules/python-venv-guide.md +23 -0
- package/areas/software/full-stack/rules/security-guide.md +22 -0
- package/areas/software/full-stack/rules/svt-test-guide.md +17 -0
- package/areas/software/full-stack/rules/testing-ci-guide.md +25 -0
- package/areas/software/full-stack/skills/api-design-principles/SKILL.md +125 -0
- package/areas/software/full-stack/skills/api-design-principles/assets/api-design-checklist.md +155 -0
- package/areas/software/full-stack/skills/api-design-principles/assets/rest-api-template.py +182 -0
- package/areas/software/full-stack/skills/api-design-principles/references/graphql-schema-design.md +583 -0
- package/areas/software/full-stack/skills/api-design-principles/references/rest-best-practices.md +408 -0
- package/areas/software/full-stack/skills/api-design-principles/resources/implementation-playbook.md +513 -0
- package/areas/software/full-stack/skills/api-patterns/SKILL.md +81 -0
- package/areas/software/full-stack/skills/api-patterns/api-style.md +42 -0
- package/areas/software/full-stack/skills/api-patterns/auth.md +24 -0
- package/areas/software/full-stack/skills/api-patterns/documentation.md +26 -0
- package/areas/software/full-stack/skills/api-patterns/graphql.md +41 -0
- package/areas/software/full-stack/skills/api-patterns/rate-limiting.md +31 -0
- package/areas/software/full-stack/skills/api-patterns/response.md +37 -0
- package/areas/software/full-stack/skills/api-patterns/rest.md +40 -0
- package/areas/software/full-stack/skills/api-patterns/scripts/api_validator.py +211 -0
- package/areas/software/full-stack/skills/api-patterns/security-testing.md +122 -0
- package/areas/software/full-stack/skills/api-patterns/trpc.md +41 -0
- package/areas/software/full-stack/skills/api-patterns/versioning.md +22 -0
- package/areas/software/full-stack/skills/app-builder/SKILL.md +135 -0
- package/areas/software/full-stack/skills/app-builder/agent-coordination.md +71 -0
- package/areas/software/full-stack/skills/app-builder/feature-building.md +53 -0
- package/areas/software/full-stack/skills/app-builder/project-detection.md +34 -0
- package/areas/software/full-stack/skills/app-builder/scaffolding.md +118 -0
- package/areas/software/full-stack/skills/app-builder/tech-stack.md +40 -0
- package/areas/software/full-stack/skills/app-builder/templates/SKILL.md +39 -0
- package/areas/software/full-stack/skills/app-builder/templates/astro-static/TEMPLATE.md +76 -0
- package/areas/software/full-stack/skills/app-builder/templates/chrome-extension/TEMPLATE.md +92 -0
- package/areas/software/full-stack/skills/app-builder/templates/cli-tool/TEMPLATE.md +88 -0
- package/areas/software/full-stack/skills/app-builder/templates/electron-desktop/TEMPLATE.md +88 -0
- package/areas/software/full-stack/skills/app-builder/templates/express-api/TEMPLATE.md +83 -0
- package/areas/software/full-stack/skills/app-builder/templates/flutter-app/TEMPLATE.md +90 -0
- package/areas/software/full-stack/skills/app-builder/templates/monorepo-turborepo/TEMPLATE.md +90 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-fullstack/TEMPLATE.md +82 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-saas/TEMPLATE.md +100 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-static/TEMPLATE.md +106 -0
- package/areas/software/full-stack/skills/app-builder/templates/nuxt-app/TEMPLATE.md +101 -0
- package/areas/software/full-stack/skills/app-builder/templates/python-fastapi/TEMPLATE.md +83 -0
- package/areas/software/full-stack/skills/app-builder/templates/react-native-app/TEMPLATE.md +93 -0
- package/areas/software/full-stack/skills/backend-developer/SKILL.md +58 -0
- package/areas/software/full-stack/skills/bash-pro/SKILL.md +310 -0
- package/areas/software/full-stack/skills/blackbox-test/SKILL.md +84 -0
- package/areas/software/full-stack/skills/prompt-project-planner/SKILL.md +130 -0
- package/areas/software/full-stack/skills/prompt-project-planner/output.schema.md +68 -0
- package/areas/software/full-stack/skills/prompt-project-planner/questions.md +80 -0
- package/areas/software/full-stack/skills/python-pro/SKILL.md +158 -0
- package/areas/software/full-stack/skills/skill-creator/LICENSE.txt +202 -0
- package/areas/software/full-stack/skills/skill-creator/SKILL.md +356 -0
- package/areas/software/full-stack/skills/skill-creator/references/output-patterns.md +82 -0
- package/areas/software/full-stack/skills/skill-creator/references/workflows.md +28 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/init_skill.py +303 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/package_skill.py +110 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/quick_validate.py +95 -0
- package/areas/software/full-stack/workflows/backend-project-full-cycle.md +132 -0
- package/areas/software/full-stack/workflows/debug-issue.md +70 -0
- package/areas/software/full-stack/workflows/develop-feature.md +85 -0
- package/areas/software/full-stack/workflows/feature-implementation-flow.md +78 -0
- package/areas/software/full-stack/workflows/testing-ci-pipeline.md +65 -0
- package/areas/software/general/AGENTS.md +68 -0
- package/areas/software/general/prompts/code-review-workflow.md +87 -0
- package/areas/software/general/prompts/development-cycle-workflow.md +83 -0
- package/areas/software/general/prompts/project-setup-workflow.md +93 -0
- package/areas/software/general/rules/code-style-guide.md +31 -0
- package/areas/software/general/rules/docker-compose-guide.md +27 -0
- package/areas/software/general/rules/git-workflow-guide.md +27 -0
- package/areas/software/general/rules/github-workflow-guide.md +27 -0
- package/areas/software/general/rules/gitlab-ci-guide.md +27 -0
- package/areas/software/general/rules/lint-format-guide.md +29 -0
- package/areas/software/general/rules/makefile-guide.md +34 -0
- package/areas/software/general/rules/readme-sync-guide.md +40 -0
- package/areas/software/general/rules/sdlc-methodology-guide.md +27 -0
- package/areas/software/general/rules/sdlc-role-responsibilities.md +108 -0
- package/areas/software/general/skills/general-dev-tools/SKILL.md +324 -0
- package/areas/software/general/workflows/code-review-workflow.md +84 -0
- package/areas/software/general/workflows/development-cycle-workflow.md +85 -0
- package/areas/software/general/workflows/project-setup-workflow.md +94 -0
- package/areas/software/mlops/AGENTS.md +57 -0
- package/areas/software/mlops/PROMPTS.md +32 -0
- package/areas/software/mlops/prompts/champion-challenger.md +87 -0
- package/areas/software/mlops/prompts/deploy-endpoint.md +91 -0
- package/areas/software/mlops/prompts/evaluate-model.md +87 -0
- package/areas/software/mlops/prompts/model-incident.md +87 -0
- package/areas/software/mlops/prompts/train-experiment.md +83 -0
- package/areas/software/mlops/rules/data-integrity.md +9 -0
- package/areas/software/mlops/rules/model-governance.md +9 -0
- package/areas/software/mlops/rules/production-safety.md +9 -0
- package/areas/software/mlops/rules/reproducibility.md +9 -0
- package/areas/software/mlops/skills/experiment-tracking/SKILL.md +29 -0
- package/areas/software/mlops/skills/feature-engineering/SKILL.md +44 -0
- package/areas/software/mlops/skills/inference-serving/SKILL.md +35 -0
- package/areas/software/mlops/skills/model-evaluation/SKILL.md +40 -0
- package/areas/software/mlops/skills/model-monitoring/SKILL.md +32 -0
- package/areas/software/mlops/workflows/champion-challenger.md +65 -0
- package/areas/software/mlops/workflows/deploy-endpoint.md +70 -0
- package/areas/software/mlops/workflows/evaluate-model.md +63 -0
- package/areas/software/mlops/workflows/model-incident.md +64 -0
- package/areas/software/mlops/workflows/train-experiment.md +56 -0
- package/areas/software/mobile/AGENTS.md +58 -0
- package/areas/software/mobile/PROMPTS.md +32 -0
- package/areas/software/mobile/prompts/crash-triage.md +63 -0
- package/areas/software/mobile/prompts/device-testing.md +83 -0
- package/areas/software/mobile/prompts/ota-update.md +75 -0
- package/areas/software/mobile/prompts/release-build.md +67 -0
- package/areas/software/mobile/prompts/store-submission.md +79 -0
- package/areas/software/mobile/rules/offline-first.md +10 -0
- package/areas/software/mobile/rules/performance-budget.md +20 -0
- package/areas/software/mobile/rules/platform-compliance.md +17 -0
- package/areas/software/mobile/rules/security-mobile.md +9 -0
- package/areas/software/mobile/skills/app-store-prep/SKILL.md +27 -0
- package/areas/software/mobile/skills/mobile-testing/SKILL.md +36 -0
- package/areas/software/mobile/skills/native-modules/SKILL.md +38 -0
- package/areas/software/mobile/skills/navigation-patterns/SKILL.md +49 -0
- package/areas/software/mobile/skills/push-notifications/SKILL.md +40 -0
- package/areas/software/mobile/skills/state-sync/SKILL.md +48 -0
- package/areas/software/mobile/workflows/crash-triage.md +63 -0
- package/areas/software/mobile/workflows/device-testing.md +54 -0
- package/areas/software/mobile/workflows/ota-update.md +54 -0
- package/areas/software/mobile/workflows/release-build.md +67 -0
- package/areas/software/mobile/workflows/store-submission.md +63 -0
- package/areas/software/platform/AGENTS.md +67 -0
- package/areas/software/platform/PROMPTS.md +32 -0
- package/areas/software/platform/prompts/cost-audit.md +117 -0
- package/areas/software/platform/prompts/deploy-production.md +109 -0
- package/areas/software/platform/prompts/drift-check.md +107 -0
- package/areas/software/platform/prompts/incident-response.md +121 -0
- package/areas/software/platform/prompts/provision-env.md +113 -0
- package/areas/software/platform/rules/cost-governance.md +11 -0
- package/areas/software/platform/rules/immutability.md +17 -0
- package/areas/software/platform/rules/reliability.md +19 -0
- package/areas/software/platform/rules/security-posture.md +12 -0
- package/areas/software/platform/skills/ci-cd-pipelines/SKILL.md +58 -0
- package/areas/software/platform/skills/incident-response/SKILL.md +41 -0
- package/areas/software/platform/skills/k8s-manifests/SKILL.md +56 -0
- package/areas/software/platform/skills/networking/SKILL.md +44 -0
- package/areas/software/platform/skills/observability-setup/SKILL.md +49 -0
- package/areas/software/platform/skills/secrets-management/SKILL.md +43 -0
- package/areas/software/platform/skills/terraform-patterns/SKILL.md +75 -0
- package/areas/software/platform/workflows/cost-audit.md +61 -0
- package/areas/software/platform/workflows/deploy-production.md +67 -0
- package/areas/software/platform/workflows/drift-check.md +61 -0
- package/areas/software/platform/workflows/incident-response.md +69 -0
- package/areas/software/platform/workflows/provision-env.md +77 -0
- package/areas/software/qa/AGENTS.md +58 -0
- package/areas/software/qa/PROMPTS.md +32 -0
- package/areas/software/qa/prompts/flakiness-investigation.md +61 -0
- package/areas/software/qa/prompts/performance-audit.md +65 -0
- package/areas/software/qa/prompts/regression-suite.md +61 -0
- package/areas/software/qa/prompts/smoke-test.md +65 -0
- package/areas/software/qa/prompts/test-coverage-report.md +61 -0
- package/areas/software/qa/rules/flakiness-policy.md +12 -0
- package/areas/software/qa/rules/quality-gates.md +28 -0
- package/areas/software/qa/rules/test-data.md +9 -0
- package/areas/software/qa/rules/test-strategy.md +11 -0
- package/areas/software/qa/skills/accessibility-testing/SKILL.md +139 -0
- package/areas/software/qa/skills/api-testing/SKILL.md +140 -0
- package/areas/software/qa/skills/e2e-patterns/SKILL.md +152 -0
- package/areas/software/qa/skills/performance-testing/SKILL.md +177 -0
- package/areas/software/qa/skills/test-data-management/SKILL.md +161 -0
- package/areas/software/qa/skills/test-pyramid/SKILL.md +127 -0
- package/areas/software/qa/workflows/flakiness-investigation.md +63 -0
- package/areas/software/qa/workflows/performance-audit.md +59 -0
- package/areas/software/qa/workflows/regression-suite.md +59 -0
- package/areas/software/qa/workflows/smoke-test.md +64 -0
- package/areas/software/qa/workflows/test-coverage-report.md +57 -0
- package/areas/software/security/AGENTS.md +58 -0
- package/areas/software/security/PROMPTS.md +32 -0
- package/areas/software/security/prompts/compliance-report.md +113 -0
- package/areas/software/security/prompts/pen-test-sim.md +113 -0
- package/areas/software/security/prompts/secret-rotation.md +115 -0
- package/areas/software/security/prompts/security-scan.md +91 -0
- package/areas/software/security/prompts/threat-model-review.md +105 -0
- package/areas/software/security/rules/compliance-baseline.md +23 -0
- package/areas/software/security/rules/dependency-policy.md +12 -0
- package/areas/software/security/rules/secrets-policy.md +22 -0
- package/areas/software/security/rules/secure-coding.md +22 -0
- package/areas/software/security/skills/auth-patterns/SKILL.md +42 -0
- package/areas/software/security/skills/crypto-standards/SKILL.md +42 -0
- package/areas/software/security/skills/dependency-audit/SKILL.md +29 -0
- package/areas/software/security/skills/sast-dast-interpretation/SKILL.md +33 -0
- package/areas/software/security/skills/security-headers/SKILL.md +29 -0
- package/areas/software/security/skills/threat-modeling/SKILL.md +36 -0
- package/areas/software/security/workflows/compliance-report.md +57 -0
- package/areas/software/security/workflows/pen-test-sim.md +63 -0
- package/areas/software/security/workflows/secret-rotation.md +67 -0
- package/areas/software/security/workflows/security-scan.md +64 -0
- package/areas/software/security/workflows/threat-model-review.md +62 -0
- package/areas/template/AGENTS-area.tmpl.md +61 -0
- package/areas/template/AGENTS.tmpl.md +67 -0
- package/areas/template/GUIDE.md +102 -0
- package/areas/template/PROMPTS.tmpl.md +29 -0
- package/areas/template/README.md +57 -0
- package/areas/template/README.tmpl.md +51 -0
- package/areas/template/prompt.tmpl.md +101 -0
- package/areas/template/rule.tmpl.md +71 -0
- package/areas/template/skill.tmpl.md +108 -0
- package/areas/template/workflow.tmpl.md +104 -0
- package/bin/agentic.js +24 -0
- package/extensions/antigravity/GEMINI.md +10 -0
- package/extensions/claude/CLAUDE.md +10 -0
- package/extensions/codex/AGENTS.override.md +93 -0
- package/extensions/gemini/GEMINI.md +10 -0
- package/extensions/opencode/agents/designer.md +65 -0
- package/extensions/opencode/agents/developer.md +63 -0
- package/extensions/opencode/agents/devops-engineer.md +69 -0
- package/extensions/opencode/agents/pm.md +61 -0
- package/extensions/opencode/agents/product-owner.md +76 -0
- package/extensions/opencode/agents/qa.md +66 -0
- package/extensions/opencode/agents/team-lead.md +67 -0
- package/extensions/opencode/commands/feature.md +75 -0
- package/extensions/opencode/opencode.json +93 -0
- package/extensions/opencode/plugins/model-checker.json +14 -0
- package/extensions/opencode/plugins/model-checker.ts +279 -0
- package/extensions/opencode/plugins/sound-notification.ts +13 -0
- package/extensions/opencode/plugins/telegram-notification.ts +86 -0
- package/extensions/opencode/skills/code_review_expert/SKILL.md +144 -0
- package/extensions/opencode/skills/design_expert/SKILL.md +42 -0
- package/extensions/opencode/skills/qa_expert/SKILL.md +116 -0
- package/package.json +19 -0
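--- a/package/areas/devops/infrastructure/rules/secret-hygiene.md
+++ b/package/areas/devops/infrastructure/rules/secret-hygiene.md
@@ -0,0 +1,53 @@
+# Rule: Secret Hygiene in IaC
+
+**Priority**: P0 — Secrets in IaC code or state are treated as compromised immediately.
+
+## Forbidden Patterns
+
+1. **No secrets in `.tf` files or `tfvars`**
+```hcl
+# ❌ NEVER
+resource "aws_db_instance" "this" {
+password = "mypassword123"
+}
+
+# ✅ Read from Secrets Manager at plan/apply time
+data "aws_secretsmanager_secret_value" "db_password" {
+secret_id = "/${var.environment}/postgres/password"
+}
+resource "aws_db_instance" "this" {
+password = data.aws_secretsmanager_secret_value.db_password.secret_string
+}
+```
+
+2. **No secrets in Ansible vars, inventory, or group_vars without vault encryption**
+```yaml
+# ❌ NEVER in plain-text
+db_password: supersecret
+
+# ✅ Ansible Vault encrypted
+db_password: !vault |
+$ANSIBLE_VAULT;1.1;AES256
+...
+```
+
+3. **No `sensitive = false` overrides** — sensitive Terraform outputs stay sensitive.
+
+## Required Patterns
+
+4. **Secret injection at runtime, not provision time**
+- Preferred: External Secrets Operator pulls from Vault/SM into K8s Secrets at pod start.
+- Acceptable: `terraform apply` reads from SM/Vault, writes to K8s secret as part of bootstrap.
+- Never: secrets in container environment variables set from Terraform string literals.
+
+5. **State file protection** — state may contain sensitive values; always encrypt (see state-management.md).
+
+6. **Pre-commit secret scanning** — `git-secrets` or `trufflehog` pre-commit hook required on infra repos.
+
+## Incident Response
+
+If a secret is found in Git history:
+1. Rotate the secret immediately (before anything else).
+2. Remove from history: `git filter-repo` + force push.
+3. Audit access logs for the exposed secret.
+4. File security incident report.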
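--- /dev/null
+++ b/PATH-NOT-IN-CHUNK/state-management.md
@@ -0,0 +1,47 @@
+# Rule: State Management
+
+**Priority**: P0 — State corruption or conflicts can cause catastrophic resource deletion.
+
+## Remote State (mandatory for all non-local environments)
+
+1. **Backend configuration**
+```hcl
+# AWS
+terraform {
+backend "s3" {
+bucket = "${project}-terraform-state"
+key = "${environment}/${component}/terraform.tfstate"
+region = "us-east-1"
+encrypt = true
+kms_key_id = "arn:aws:kms:..."
+dynamodb_table = "terraform-state-lock"
+}
+}
+
+# GCS (GCP)
+terraform {
+backend "gcs" {
+bucket = "${project}-terraform-state"
+prefix = "${environment}/${component}"
+}
+}
+```
+
+2. **State isolation by environment AND component**
+- One state file per `environment/component` (not one global state).
+- Staging and production MUST use separate backends (separate buckets/prefix).
+- Never share state between environments.
+
+3. **State locking** — DynamoDB (AWS) or GCS built-in locking must be enabled. Never disable locking.
+
+4. **No `terraform_remote_state` across environment boundaries**
+- Cross-stack values shared via SSM Parameter Store, Consul KV, or environment-specific outputs file.
+
+## State File Security
+
+5. **State contains secrets** — treat state files with the same security as production secrets:
+- S3 bucket: versioning enabled, public access blocked, KMS encryption.
+- GCS: uniform bucket-level access, CMEK encryption.
+- Access: only CI/CD pipeline roles and on-call engineers (MFA required for humans).
+
+6. **State file backup** — versioned storage satisfies this; never manually delete old versions.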
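Review bot: The `backend "s3"` and `backend "gcs"` blocks at lines 12–13 and 24–25 use `${project}`, `${environment}` and `${component}` interpolation, but Terraform does not allow variables or expressions inside a `backend` block, so this example fails at `terraform init`. Leave `bucket` and `key`/`prefix` out of the block and supply them per environment with `terraform init -backend-config=backend.hcl`, which is the form the drift-detection skill on this page already uses. A comment next to the block such as `# bucket/key come from -backend-config=backend.hcl; backend blocks cannot reference variables` would make the intent clear to the agent reading this rule.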
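--- /dev/null
+++ b/PATH-NOT-IN-CHUNK/skills/ansible-playbooks/SKILL.md
@@ -0,0 +1,174 @@
+---
+name: ansible-playbooks
+type: skill
+description: Write idempotent Ansible playbooks and roles for server configuration, K8s node provisioning, and application bootstrap.
+related-rules:
+- iac-standards.md
+- secret-hygiene.md
+allowed-tools: Read, Write, Edit, Bash
+---
+
+# Skill: Ansible Playbooks
+
+> **Expertise:** Idempotent roles, inventory patterns, Vault integration, molecule testing, bare-metal K8s node prep.
+
+## When to load
+
+When configuring bare-metal servers, provisioning K8s nodes, managing OS-level config, or rotating OS credentials.
+
+## Role Structure (Standard)
+
+```
+roles/base-server/
+├── tasks/
+│ ├── main.yml ← imports sub-task files
+│ ├── packages.yml
+│ ├── sysctl.yml
+│ └── users.yml
+├── defaults/
+│ └── main.yml ← all variables with sensible defaults
+├── vars/
+│ └── main.yml ← internal constants (not overridable)
+├── templates/
+│ └── sysctl.conf.j2
+├── handlers/
+│ └── main.yml ← restart services on change
+└── meta/
+└── main.yml ← role dependencies
+```
+
+## Idempotency Patterns
+
+```yaml
+# ✅ Package install — idempotent
+- name: Install required packages
+ansible.builtin.apt:
+name:
+- containerd
+- curl
+- jq
+state: present
+update_cache: true
+when: ansible_os_family == "Debian"
+
+# ✅ File with checksum validation — only copies if changed
+- name: Configure containerd
+ansible.builtin.template:
+src: containerd-config.toml.j2
+dest: /etc/containerd/config.toml
+owner: root
+group: root
+mode: "0644"
+notify: Restart containerd # handler only fires if file changed
+
+# ✅ Service management
+- name: Enable and start containerd
+ansible.builtin.systemd:
+name: containerd
+enabled: true
+state: started
+daemon_reload: true
+```
+
+## Handlers Pattern
+
+```yaml
+# handlers/main.yml
+- name: Restart containerd
+ansible.builtin.systemd:
+name: containerd
+state: restarted
+
+- name: Reload sysctl
+ansible.builtin.command: sysctl --system
+changed_when: false
+```
+
+## Inventory Structure
+
+```ini
+# inventory/production/hosts.ini
+[control_plane]
+cp-01 ansible_host=192.168.10.10
+cp-02 ansible_host=192.168.10.11
+cp-03 ansible_host=192.168.10.12
+
+[workers]
+worker-01 ansible_host=192.168.10.20
+worker-02 ansible_host=192.168.10.21
+
+[k8s_cluster:children]
+control_plane
+workers
+
+[k8s_cluster:vars]
+ansible_user=ubuntu
+ansible_ssh_private_key_file=~/.ssh/infra-key
+ansible_python_interpreter=/usr/bin/python3
+```
+
+## Vault for Secrets
+
+```bash
+# Encrypt a vars file
+ansible-vault encrypt group_vars/all/vault.yml
+
+# Inline encrypted variable
+ansible-vault encrypt_string 'supersecretpassword' --name 'db_password'
+```
+
+```yaml
+# group_vars/all/vault.yml (encrypted)
+vault_db_password: !vault |
+$ANSIBLE_VAULT;1.1;AES256
+...
+
+# group_vars/all/vars.yml (plain, references vault vars)
+db_password: "{{ vault_db_password }}"
+```
+
+## K8s Node Prep Playbook (bare-metal)
+
+```yaml
+# playbooks/k8s-node-prep.yml
+---
+- name: Prepare K8s nodes
+hosts: k8s_cluster
+become: true
+roles:
+- role: base-server # OS hardening, packages
+- role: k8s-prereqs # swap off, kernel modules, sysctl
+- role: containerd # install + configure containerd
+- role: kubeadm-install # install kubeadm, kubelet, kubectl (pinned)
+```
+
+## Running Playbooks
+
+```bash
+# Dry run (check mode)
+ansible-playbook -i inventory/production/hosts.ini \
+playbooks/k8s-node-prep.yml --check --diff
+
+# Run with vault password
+ansible-playbook -i inventory/production/hosts.ini \
+playbooks/k8s-node-prep.yml \
+--vault-password-file ~/.ansible-vault-password
+
+# Limit to specific hosts
+ansible-playbook -i inventory/production/hosts.ini \
+playbooks/k8s-node-prep.yml \
+--limit "worker-01,worker-02"
+
+# Tags for partial runs
+ansible-playbook ... --tags "packages,sysctl" --skip-tags "users"
+```
+
+## Lint & Test
+
+```bash
+# Lint (enforce best practices)
+ansible-lint playbooks/k8s-node-prep.yml
+
+# Molecule test (spins container, runs playbook, verifies)
+cd roles/base-server && molecule test
+```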
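Review bot: `ansible-vault encrypt_string 'supersecretpassword' --name 'db_password'` at line 117 passes the plaintext secret as a command-line argument, so it is written to shell history and is visible in the process listing for as long as the command runs — the opposite of what the secret-hygiene rule this skill links to is asking for. `encrypt_string` can take the value from stdin instead: `ansible-vault encrypt_string --stdin-name 'db_password'` (type the value, then Ctrl-D), and the comment above it should say `# Inline encrypted variable — read the secret from stdin, never from argv`. The "File with checksum validation" comment at line 54 slightly overstates the task below it: `ansible.builtin.template` reports changed only when the rendered content differs, which is what the handler gating relies on, so `# Template — only reports changed (and notifies) if the rendered file differs` describes it more accurately.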
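--- /dev/null
+++ b/PATH-NOT-IN-CHUNK/skills/cost-optimization/SKILL.md
@@ -0,0 +1,177 @@
+---
+name: cost-optimization
+type: skill
+description: Identify and reduce cloud infrastructure costs — right-sizing, reserved capacity, waste detection, tagging for cost attribution.
+related-rules:
+- iac-standards.md
+allowed-tools: Read, Write, Edit, Bash
+---
+
+# Skill: Cost Optimization
+
+> **Expertise:** Cloud cost analysis, right-sizing recommendations, reserved/spot instances, tagging strategy, cost alerting.
+
+## When to load
+
+When investigating unexpectedly high cloud bills, right-sizing instances, or setting up cost attribution by team/environment.
+
+## Mandatory Cost Tags (every resource)
+
+```hcl
+locals {
+cost_tags = {
+Project = var.project # e.g. "checkout"
+Environment = var.environment # prod / staging / dev
+Team = var.team # e.g. "backend-team"
+CostCenter = var.cost_center # e.g. "eng-platform"
+ManagedBy = "terraform"
+}
+}
+# Apply to every resource via merge(local.cost_tags, {...})
+```
+
+## AWS Cost Discovery
+
+```bash
+# Top 10 most expensive services this month
+aws ce get-cost-and-usage \
+--time-period Start=$(date +%Y-%m-01),End=$(date +%Y-%m-%d) \
+--granularity MONTHLY \
+--metrics BlendedCost \
+--group-by Type=DIMENSION,Key=SERVICE \
+--query 'ResultsByTime[0].Groups | sort_by(@, &Metrics.BlendedCost.Amount) | reverse(@) | [:10]' \
+--output table
+
+# Cost by tag (Team)
+aws ce get-cost-and-usage \
+--time-period Start=$(date +%Y-%m-01),End=$(date +%Y-%m-%d) \
+--granularity MONTHLY \
+--metrics BlendedCost \
+--group-by Type=TAG,Key=Team
+
+# Idle EC2 instances (< 5% CPU, last 2 weeks)
+aws cloudwatch get-metric-statistics \
+--namespace AWS/EC2 \
+--metric-name CPUUtilization \
+--dimensions Name=InstanceId,Value=<instance-id> \
+--start-time $(date -d '-14 days' --iso-8601) \
+--end-time $(date --iso-8601) \
+--period 1209600 --statistics Average
+```
+
+## Right-Sizing Workflow
+
+```bash
+# Step 1: Get actual utilisation (Prometheus, last 7 days)
+# CPU: avg and p99
+avg(avg_over_time(instance:node_cpu_utilisation:rate5m[7d])) by (instance)
+quantile_over_time(0.99, instance:node_cpu_utilisation:rate5m[7d])
+
+# Memory: peak working set
+max_over_time(node_memory_MemUsed_bytes[7d]) / node_memory_MemTotal_bytes
+
+# Step 2: Recommendation formula
+# New CPU = p99_cpu × 1.3 (30% headroom)
+# New memory = peak_mem × 1.2 (20% headroom)
+
+# Step 3: Find next smaller instance type
+# AWS: use ec2-instance-selector
+ec2-instance-selector --vcpus-min 2 --vcpus-max 4 \
+--memory-min 4 --memory-max 8 \
+--region eu-west-1 \
+--output table-wide
+```
+
+## Reserved / Spot Instances
+
+```hcl
+# Spot instances for non-critical worker nodes (60-80% savings)
+resource "aws_launch_template" "workers" {
+instance_market_options {
+market_type = "spot"
+spot_options {
+max_price = "0.10" # cap to avoid surprise costs
+spot_instance_type = "persistent"
+interruption_behavior = "terminate"
+}
+}
+}
+
+# Mixed: 70% spot, 30% on-demand for K8s node groups
+resource "aws_autoscaling_group" "workers" {
+mixed_instances_policy {
+instances_distribution {
+on_demand_base_capacity = 2 # always 2 on-demand
+on_demand_percentage_above_base_capacity = 30 # 30% on-demand, 70% spot
+spot_allocation_strategy = "capacity-optimized"
+}
+}
+}
+```
+
+## Waste Detection Checklist
+
+```bash
+# Unattached EBS volumes
+aws ec2 describe-volumes \
+--filters Name=status,Values=available \
+--query 'Volumes[*].{ID:VolumeId,Size:Size,Created:CreateTime}' \
+--output table
+
+# Unused Elastic IPs
+aws ec2 describe-addresses \
+--query 'Addresses[?AssociationId==null].{IP:PublicIp,AllocationId:AllocationId}'
+
+# Old snapshots (> 90 days, no associated AMI)
+aws ec2 describe-snapshots --owner-ids self \
+--query 'Snapshots[?StartTime<`2024-08-01`].{ID:SnapshotId,Size:VolumeSize,Date:StartTime}' \
+--output table
+
+# Unused load balancers (0 healthy targets)
+aws elbv2 describe-target-health \
+--target-group-arn <arn> \
+--query 'TargetHealthDescriptions[?TargetHealth.State==`unused`]'
+```
+
+## Cost Alerting (AWS Budgets)
+
+```hcl
+resource "aws_budgets_budget" "monthly_limit" {
+name = "${var.project}-${var.environment}-monthly"
+budget_type = "COST"
+limit_amount = var.monthly_budget_usd
+limit_unit = "USD"
+time_unit = "MONTHLY"
+
+notification {
+comparison_operator = "GREATER_THAN"
+threshold = 80
+threshold_type = "PERCENTAGE"
+notification_type = "ACTUAL"
+subscriber_email_addresses = [var.billing_alert_email]
+}
+
+notification {
+comparison_operator = "GREATER_THAN"
+threshold = 100
+threshold_type = "FORECASTED"
+notification_type = "FORECASTED"
+subscriber_email_addresses = [var.billing_alert_email]
+}
+}
+```
+
+## K8s Cost Visibility (Kubecost / OpenCost)
+
+```bash
+# Install OpenCost (open-source K8s cost allocation)
+helm install opencost opencost/opencost -n opencost --create-namespace
+
+# Query cost by namespace
+curl http://localhost:9003/allocation \
+'?window=7d&aggregate=namespace&accumulate=true' | jq '.data[0]'
+
+# Cost by label (team)
+curl http://localhost:9003/allocation \
+'?window=7d&aggregate=label:team&accumulate=true'
+```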
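Review bot: The OpenCost queries at lines 171–172 and 175–176 hand `'?window=7d&aggregate=namespace&accumulate=true'` to `curl` as a second argument, which curl treats as a separate URL rather than a suffix, so the allocation endpoint is actually queried with no parameters at all; the URL must be one quoted argument, `curl 'http://localhost:9003/allocation?window=7d&aggregate=namespace&accumulate=true' | jq '.data[0]'`, and likewise for the `label:team` query. In the budget resource, `threshold_type = "FORECASTED"` at line 157 is not a valid `threshold_type` for `aws_budgets_budget` (it takes `PERCENTAGE` or `ABSOLUTE_VALUE`); the forecast semantics already come from `notification_type = "FORECASTED"` on the next line, so line 157 should read `threshold_type = "PERCENTAGE"`. The snapshot query at line 127 hard-codes `2024-08-01` while its comment promises "> 90 days"; computing the cutoff with `$(date -d '-90 days' +%Y-%m-%d)` keeps the command true to the comment, and the comment should drop "no associated AMI" because nothing in the query checks for one.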
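--- /dev/null
+++ b/PATH-NOT-IN-CHUNK/skills/drift-detection/SKILL.md
@@ -0,0 +1,178 @@
+---
+name: drift-detection
+type: skill
+description: Detect, classify, and automate Terraform drift detection in CI — scheduled plans, drift metrics, cloud-native audit log correlation.
+related-rules:
+- immutability.md
+- iac-standards.md
+allowed-tools: Read, Write, Edit, Bash
+---
+
+# Skill: Drift Detection
+
+> **Expertise:** Terraform plan-based drift detection, CI scheduling, cloud audit log correlation, drift classification.
+
+## When to load
+
+When setting up scheduled drift detection, investigating detected drift, or correlating drift with cloud audit events.
+
+## Scheduled Drift Detection (GitHub Actions)
+
+```yaml
+# .github/workflows/drift-detection.yml
+name: Drift Detection
+
+on:
+schedule:
+- cron: '0 */6 * * *' # every 6 hours
+workflow_dispatch: # manual trigger
+
+jobs:
+detect-drift:
+runs-on: ubuntu-latest
+strategy:
+matrix:
+component: [network, k8s-cluster, databases, iam-roles]
+steps:
+- uses: actions/checkout@v4
+
+- name: Configure AWS credentials (OIDC)
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ vars.DRIFT_DETECTOR_ROLE_ARN }}
+aws-region: eu-west-1
+
+- name: Terraform init
+working-directory: terraform/environments/production/${{ matrix.component }}
+run: terraform init -backend-config=backend.hcl
+
+- name: Terraform plan (drift check)
+id: plan
+working-directory: terraform/environments/production/${{ matrix.component }}
+run: |
+terraform plan \
+-var-file=terraform.tfvars \
+-detailed-exitcode \
+-out=drift-check.plan \
+2>&1 | tee drift-output.txt
+echo "exit_code=$?" >> $GITHUB_OUTPUT
+continue-on-error: true # exit 2 = changes, don't fail job
+
+- name: Classify drift
+if: steps.plan.outputs.exit_code == '2'
+run: |
+# Check for security-sensitive resource changes
+if grep -E "aws_iam|aws_security_group|aws_kms|encryption" drift-output.txt; then
+echo "SEVERITY=INVESTIGATE" >> $GITHUB_ENV
+else
+echo "SEVERITY=REMEDIATE" >> $GITHUB_ENV
+fi
+
+- name: Create GitHub Issue on drift
+if: steps.plan.outputs.exit_code == '2'
+uses: actions/github-script@v7
+with:
+script: |
+const fs = require('fs');
+const plan = fs.readFileSync('terraform/environments/production/${{ matrix.component }}/drift-output.txt', 'utf8');
+await github.rest.issues.create({
+owner: context.repo.owner,
+repo: context.repo.repo,
+title: `[DRIFT] ${{ matrix.component }} — ${process.env.SEVERITY}`,
+body: `## Drift detected in \`${{ matrix.component }}\`\n\n**Severity:** ${process.env.SEVERITY}\n\n\`\`\`\n${plan.slice(0, 3000)}\n\`\`\``,
+labels: ['infrastructure', 'drift', process.env.SEVERITY.toLowerCase()]
+});
+
+- name: Alert on INVESTIGATE drift
+if: env.SEVERITY == 'INVESTIGATE'
+uses: slackapi/slack-github-action@v1
+with:
+payload: |
+{"text": "🚨 *INVESTIGATE drift* in `${{ matrix.component }}` — may indicate unauthorized change. <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View>"}
+env:
+SLACK_WEBHOOK_URL: ${{ secrets.SLACK_ONCALL_WEBHOOK }}
+```
+
+## GitLab CI Scheduled Drift
+
+```yaml
+# .gitlab-ci.yml — drift detection job (triggered by schedule)
+drift-detect:
+stage: audit
+rules:
+- if: $CI_PIPELINE_SOURCE == "schedule"
+script:
+- cd terraform/environments/production/${COMPONENT}
+- terraform init -backend-config=backend.hcl
+- terraform plan -var-file=terraform.tfvars -detailed-exitcode
+-out=drift.plan 2>&1 | tee drift-output.txt || EXITCODE=$?
+- |
+if [ "${EXITCODE}" == "2" ]; then
+echo "DRIFT DETECTED in ${COMPONENT}"
+# Post to Slack, create MR, or alert via API
+curl -X POST "$SLACK_WEBHOOK" \
+-H 'Content-type: application/json' \
+--data "{\"text\":\"Drift in ${COMPONENT}\"}"
+exit 1
+fi
+parallel:
+matrix:
+- COMPONENT: [network, k8s-cluster, databases]
+```
+
+## Drift Classification Logic
+
+```bash
+# Parse terraform plan output for drift classification
+classify_drift() {
+local plan_output="$1"
+
+# INVESTIGATE: security-sensitive resources changed
+if echo "$plan_output" | grep -qE \
+"aws_iam_policy|aws_security_group|kms_key|aws_s3_bucket_server_side_encryption|encryption_at_rest"; then
+echo "INVESTIGATE"
+return
+fi
+
+# INVESTIGATE: resources deleted unexpectedly
+if echo "$plan_output" | grep -q "# .* will be destroyed"; then
+echo "INVESTIGATE"
+return
+fi
+
+# REMEDIATE: configuration drift (non-security)
+echo "REMEDIATE"
+}
+```
+
+## Correlating Drift with Cloud Audit Logs
+
+```bash
+# AWS CloudTrail: who changed the drifted resource?
+aws cloudtrail lookup-events \
+--lookup-attributes AttributeKey=ResourceName,AttributeValue=<resource-id> \
+--start-time $(date -d '-24 hours' --iso-8601) \
+--query 'Events[*].{User: Username, Time: EventTime, Event: EventName}' \
+--output table
+
+# GCP Audit Logs
+gcloud logging read \
+'resource.type="gce_instance" AND protoPayload.methodName:"compute.instances"' \
+--freshness=24h \
+--format='table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.methodName)'
+```
+
+## Drift Suppression (accepted exceptions)
+
+```hcl
+# lifecycle ignore_changes for intentionally managed-outside-TF fields
+resource "aws_autoscaling_group" "workers" {
+# ...
+lifecycle {
+ignore_changes = [
+desired_capacity, # managed by cluster autoscaler, not TF
+min_size,
+]
+}
+}
+```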
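Review bot: `echo "exit_code=$?" >> $GITHUB_OUTPUT` at line 58 records the exit status of `tee`, not of `terraform plan`, because without `pipefail` a pipeline's status is that of its last command; the output is therefore always `0`, every step gated on `steps.plan.outputs.exit_code == '2'` (classify, issue, Slack alert) is skipped, and drift — including the security-sensitive kind the workflow exists to catch — goes unreported while the job shows green. Use `${PIPESTATUS[0]}` and disable `errexit` first, so the step also works when declared with `shell: bash` (where GitHub turns on `-e -o pipefail` and the step would abort at exit 2 before the echo); see the fence below. The job also needs an explicit `permissions:` block: `id-token: write` is never part of the default token and `aws-actions/configure-aws-credentials` cannot complete the OIDC exchange without it, and `issues: write` is what `github-script`'s `issues.create` needs when the repository default token is read-only. The GitLab variant at line 108 (`| tee drift-output.txt || EXITCODE=$?`) has the same dependency on `pipefail` being enabled in the runner's shell; a comment stating that assumption, `# relies on the runner shell running with pipefail, otherwise EXITCODE is tee's status`, would keep it from silently degrading on a different runner shell.
```yaml
jobs:
  detect-drift:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # OIDC token exchange for configure-aws-credentials
      issues: write     # github-script issues.create
    # … unchanged: strategy, checkout, credentials, init …
      - name: Terraform plan (drift check)
        id: plan
        working-directory: terraform/environments/production/${{ matrix.component }}
        run: |
          set +e
          terraform plan \
            -var-file=terraform.tfvars \
            -detailed-exitcode \
            -out=drift-check.plan \
            2>&1 | tee drift-output.txt
          echo "exit_code=${PIPESTATUS[0]}" >> "$GITHUB_OUTPUT"
        continue-on-error: true # exit 2 = changes, don't fail job
```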