@jetrabbits/agentic 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +143 -0
- package/README.md +154 -0
- package/agentic +1615 -0
- package/areas/devops/ci-cd/AGENTS.md +48 -0
- package/areas/devops/ci-cd/PROMPTS.md +7 -0
- package/areas/devops/ci-cd/prompts/onboard-repo.md +97 -0
- package/areas/devops/ci-cd/prompts/pipeline-debug.md +103 -0
- package/areas/devops/ci-cd/prompts/release-pipeline.md +115 -0
- package/areas/devops/ci-cd/rules/pipeline-standards.md +33 -0
- package/areas/devops/ci-cd/rules/quality-gates.md +24 -0
- package/areas/devops/ci-cd/rules/supply-chain-security.md +34 -0
- package/areas/devops/ci-cd/skills/artifact-management/SKILL.md +157 -0
- package/areas/devops/ci-cd/skills/build-optimization/SKILL.md +168 -0
- package/areas/devops/ci-cd/skills/github-actions-patterns/SKILL.md +190 -0
- package/areas/devops/ci-cd/skills/gitlab-ci-patterns/SKILL.md +169 -0
- package/areas/devops/ci-cd/skills/pipeline-security/SKILL.md +161 -0
- package/areas/devops/ci-cd/workflows/onboard-repo.md +73 -0
- package/areas/devops/ci-cd/workflows/pipeline-debug.md +66 -0
- package/areas/devops/ci-cd/workflows/release-pipeline.md +115 -0
- package/areas/devops/database-ops/AGENTS.md +47 -0
- package/areas/devops/database-ops/prompts/backup-verify.md +83 -0
- package/areas/devops/database-ops/prompts/db-incident.md +127 -0
- package/areas/devops/database-ops/rules/access-control.md +20 -0
- package/areas/devops/database-ops/rules/backup-policy.md +33 -0
- package/areas/devops/database-ops/rules/migration-runbook.md +32 -0
- package/areas/devops/database-ops/skills/backup-restore/SKILL.md +226 -0
- package/areas/devops/database-ops/skills/db-performance/SKILL.md +205 -0
- package/areas/devops/database-ops/skills/migration-safety/SKILL.md +155 -0
- package/areas/devops/database-ops/skills/postgres-operations/SKILL.md +156 -0
- package/areas/devops/database-ops/skills/redis-operations/SKILL.md +174 -0
- package/areas/devops/database-ops/workflows/backup-verify.md +107 -0
- package/areas/devops/database-ops/workflows/db-incident.md +86 -0
- package/areas/devops/devsecops/AGENTS.md +47 -0
- package/areas/devops/devsecops/prompts/policy-onboard.md +79 -0
- package/areas/devops/devsecops/prompts/security-scan-pipeline.md +131 -0
- package/areas/devops/devsecops/rules/container-security.md +22 -0
- package/areas/devops/devsecops/rules/policy-as-code.md +37 -0
- package/areas/devops/devsecops/rules/shift-left-policy.md +26 -0
- package/areas/devops/devsecops/skills/container-hardening/SKILL.md +146 -0
- package/areas/devops/devsecops/skills/opa-policies/SKILL.md +188 -0
- package/areas/devops/devsecops/skills/sbom-supply-chain/SKILL.md +165 -0
- package/areas/devops/devsecops/skills/secret-detection/SKILL.md +190 -0
- package/areas/devops/devsecops/skills/sigstore-signing/SKILL.md +184 -0
- package/areas/devops/devsecops/workflows/policy-onboard.md +104 -0
- package/areas/devops/devsecops/workflows/security-scan-pipeline.md +155 -0
- package/areas/devops/infrastructure/AGENTS.md +50 -0
- package/areas/devops/infrastructure/prompts/destroy-environment.md +81 -0
- package/areas/devops/infrastructure/prompts/drift-remediation.md +71 -0
- package/areas/devops/infrastructure/prompts/module-development.md +69 -0
- package/areas/devops/infrastructure/prompts/provision-environment.md +121 -0
- package/areas/devops/infrastructure/rules/iac-standards.md +80 -0
- package/areas/devops/infrastructure/rules/immutability.md +28 -0
- package/areas/devops/infrastructure/rules/secret-hygiene.md +53 -0
- package/areas/devops/infrastructure/rules/state-management.md +47 -0
- package/areas/devops/infrastructure/skills/ansible-playbooks/SKILL.md +174 -0
- package/areas/devops/infrastructure/skills/cost-optimization/SKILL.md +177 -0
- package/areas/devops/infrastructure/skills/drift-detection/SKILL.md +178 -0
- package/areas/devops/infrastructure/skills/state-management/SKILL.md +159 -0
- package/areas/devops/infrastructure/skills/terraform-modules/SKILL.md +169 -0
- package/areas/devops/infrastructure/workflows/destroy-environment.md +96 -0
- package/areas/devops/infrastructure/workflows/drift-remediation.md +66 -0
- package/areas/devops/infrastructure/workflows/module-development.md +101 -0
- package/areas/devops/infrastructure/workflows/provision-environment.md +96 -0
- package/areas/devops/kubernetes/AGENTS.md +57 -0
- package/areas/devops/kubernetes/PROMPTS.md +9 -0
- package/areas/devops/kubernetes/prompts/cluster-bootstrap.md +67 -0
- package/areas/devops/kubernetes/prompts/debug-workload.md +91 -0
- package/areas/devops/kubernetes/prompts/onboard-service.md +101 -0
- package/areas/devops/kubernetes/prompts/upgrade-cluster.md +63 -0
- package/areas/devops/kubernetes/rules/cluster-standards.md +51 -0
- package/areas/devops/kubernetes/rules/resource-governance.md +80 -0
- package/areas/devops/kubernetes/rules/upgrade-policy.md +52 -0
- package/areas/devops/kubernetes/rules/workload-security.md +64 -0
- package/areas/devops/kubernetes/skills/cluster-operations/SKILL.md +136 -0
- package/areas/devops/kubernetes/skills/helm-charts/SKILL.md +152 -0
- package/areas/devops/kubernetes/skills/network-policies/SKILL.md +169 -0
- package/areas/devops/kubernetes/skills/pod-troubleshooting/SKILL.md +129 -0
- package/areas/devops/kubernetes/skills/rbac-design/SKILL.md +148 -0
- package/areas/devops/kubernetes/skills/resource-tuning/SKILL.md +156 -0
- package/areas/devops/kubernetes/workflows/cluster-bootstrap.md +194 -0
- package/areas/devops/kubernetes/workflows/debug-workload.md +108 -0
- package/areas/devops/kubernetes/workflows/onboard-service.md +124 -0
- package/areas/devops/kubernetes/workflows/upgrade-cluster.md +165 -0
- package/areas/devops/networking/AGENTS.md +47 -0
- package/areas/devops/networking/prompts/onboard-ingress.md +119 -0
- package/areas/devops/networking/prompts/service-mesh-onboard.md +77 -0
- package/areas/devops/networking/rules/ingress-standards.md +17 -0
- package/areas/devops/networking/rules/network-segmentation.md +24 -0
- package/areas/devops/networking/rules/tls-policy.md +32 -0
- package/areas/devops/networking/skills/dns-management/SKILL.md +169 -0
- package/areas/devops/networking/skills/ingress-patterns/SKILL.md +165 -0
- package/areas/devops/networking/skills/service-mesh/SKILL.md +206 -0
- package/areas/devops/networking/skills/tls-termination/SKILL.md +198 -0
- package/areas/devops/networking/skills/vpc-design/SKILL.md +132 -0
- package/areas/devops/networking/workflows/onboard-ingress.md +64 -0
- package/areas/devops/networking/workflows/service-mesh-onboard.md +122 -0
- package/areas/devops/observability/AGENTS.md +48 -0
- package/areas/devops/observability/prompts/alert-investigation.md +117 -0
- package/areas/devops/observability/prompts/observability-stack-setup.md +99 -0
- package/areas/devops/observability/prompts/onboard-service-monitoring.md +79 -0
- package/areas/devops/observability/rules/alerting-standards.md +36 -0
- package/areas/devops/observability/rules/data-retention.md +19 -0
- package/areas/devops/observability/rules/golden-signals.md +28 -0
- package/areas/devops/observability/skills/distributed-tracing/SKILL.md +149 -0
- package/areas/devops/observability/skills/grafana-dashboards/SKILL.md +201 -0
- package/areas/devops/observability/skills/log-aggregation/SKILL.md +159 -0
- package/areas/devops/observability/skills/prometheus-alertmanager/SKILL.md +188 -0
- package/areas/devops/observability/skills/slo-implementation/SKILL.md +189 -0
- package/areas/devops/observability/workflows/alert-investigation.md +98 -0
- package/areas/devops/observability/workflows/observability-stack-setup.md +156 -0
- package/areas/devops/observability/workflows/onboard-service-monitoring.md +83 -0
- package/areas/devops/sre/AGENTS.md +48 -0
- package/areas/devops/sre/prompts/incident-response.md +129 -0
- package/areas/devops/sre/prompts/postmortem.md +101 -0
- package/areas/devops/sre/prompts/slo-review.md +125 -0
- package/areas/devops/sre/rules/error-budget-policy.md +25 -0
- package/areas/devops/sre/rules/on-call-standards.md +25 -0
- package/areas/devops/sre/rules/slo-policy.md +31 -0
- package/areas/devops/sre/skills/capacity-planning/SKILL.md +162 -0
- package/areas/devops/sre/skills/chaos-engineering/SKILL.md +186 -0
- package/areas/devops/sre/skills/incident-command/SKILL.md +119 -0
- package/areas/devops/sre/skills/postmortem-analysis/SKILL.md +104 -0
- package/areas/devops/sre/skills/slo-sli-design/SKILL.md +145 -0
- package/areas/devops/sre/workflows/incident-response.md +66 -0
- package/areas/devops/sre/workflows/postmortem.md +90 -0
- package/areas/devops/sre/workflows/slo-review.md +95 -0
- package/areas/software/backend/AGENTS.md +59 -0
- package/areas/software/backend/PROMPTS.md +50 -0
- package/areas/software/backend/README.md +48 -0
- package/areas/software/backend/prompts/add-migration.md +93 -0
- package/areas/software/backend/prompts/create-endpoint.md +97 -0
- package/areas/software/backend/prompts/debug-issue.md +87 -0
- package/areas/software/backend/prompts/develop-epic.md +83 -0
- package/areas/software/backend/prompts/develop-feature.md +91 -0
- package/areas/software/backend/prompts/refactor-module.md +79 -0
- package/areas/software/backend/prompts/test-feature.md +89 -0
- package/areas/software/backend/rules/architecture.md +20 -0
- package/areas/software/backend/rules/data_access.md +20 -0
- package/areas/software/backend/rules/security.md +20 -0
- package/areas/software/backend/rules/testing.md +19 -0
- package/areas/software/backend/skills/api-design/SKILL.md +170 -0
- package/areas/software/backend/skills/async-processing/SKILL.md +152 -0
- package/areas/software/backend/skills/database-modeling/SKILL.md +173 -0
- package/areas/software/backend/skills/observability/SKILL.md +162 -0
- package/areas/software/backend/skills/troubleshooting/SKILL.md +139 -0
- package/areas/software/backend/workflows/add-migration.md +79 -0
- package/areas/software/backend/workflows/create-endpoint.md +89 -0
- package/areas/software/backend/workflows/debug-issue.md +77 -0
- package/areas/software/backend/workflows/develop-epic.md +78 -0
- package/areas/software/backend/workflows/develop-feature.md +98 -0
- package/areas/software/backend/workflows/refactor-module.md +73 -0
- package/areas/software/backend/workflows/test-feature.md +67 -0
- package/areas/software/data-engineering/AGENTS.md +59 -0
- package/areas/software/data-engineering/PROMPTS.md +32 -0
- package/areas/software/data-engineering/prompts/backfill-data.md +107 -0
- package/areas/software/data-engineering/prompts/data-quality-incident.md +109 -0
- package/areas/software/data-engineering/prompts/lineage-trace.md +121 -0
- package/areas/software/data-engineering/prompts/new-model.md +117 -0
- package/areas/software/data-engineering/prompts/schema-migration.md +111 -0
- package/areas/software/data-engineering/rules/data-governance.md +11 -0
- package/areas/software/data-engineering/rules/pii-handling.md +19 -0
- package/areas/software/data-engineering/rules/pipeline-integrity.md +11 -0
- package/areas/software/data-engineering/rules/schema-management.md +21 -0
- package/areas/software/data-engineering/skills/data-modeling/SKILL.md +49 -0
- package/areas/software/data-engineering/skills/dbt-patterns/SKILL.md +43 -0
- package/areas/software/data-engineering/skills/lineage-governance/SKILL.md +38 -0
- package/areas/software/data-engineering/skills/orchestration/SKILL.md +35 -0
- package/areas/software/data-engineering/skills/quality-checks/SKILL.md +50 -0
- package/areas/software/data-engineering/skills/sql-optimization/SKILL.md +47 -0
- package/areas/software/data-engineering/skills/streaming-patterns/SKILL.md +48 -0
- package/areas/software/data-engineering/workflows/backfill-data.md +59 -0
- package/areas/software/data-engineering/workflows/data-quality-incident.md +64 -0
- package/areas/software/data-engineering/workflows/lineage-trace.md +56 -0
- package/areas/software/data-engineering/workflows/new-model.md +71 -0
- package/areas/software/data-engineering/workflows/schema-migration.md +67 -0
- package/areas/software/frontend/AGENTS.md +60 -0
- package/areas/software/frontend/PROMPTS.md +32 -0
- package/areas/software/frontend/prompts/a11y-fix.md +75 -0
- package/areas/software/frontend/prompts/bundle-analyze.md +75 -0
- package/areas/software/frontend/prompts/release-prep.md +83 -0
- package/areas/software/frontend/prompts/scaffold-component.md +69 -0
- package/areas/software/frontend/prompts/visual-regression.md +73 -0
- package/areas/software/frontend/rules/accessibility.md +16 -0
- package/areas/software/frontend/rules/architecture.md +29 -0
- package/areas/software/frontend/rules/performance.md +23 -0
- package/areas/software/frontend/rules/quality.md +12 -0
- package/areas/software/frontend/skills/a11y-audit/SKILL.md +61 -0
- package/areas/software/frontend/skills/api-integration/SKILL.md +58 -0
- package/areas/software/frontend/skills/component-design/SKILL.md +171 -0
- package/areas/software/frontend/skills/css-architecture/SKILL.md +146 -0
- package/areas/software/frontend/skills/error-handling/SKILL.md +55 -0
- package/areas/software/frontend/skills/performance-tuning/SKILL.md +58 -0
- package/areas/software/frontend/skills/state-management/SKILL.md +54 -0
- package/areas/software/frontend/skills/testing-patterns/SKILL.md +69 -0
- package/areas/software/frontend/workflows/a11y-fix.md +63 -0
- package/areas/software/frontend/workflows/bundle-analyze.md +56 -0
- package/areas/software/frontend/workflows/release-prep.md +66 -0
- package/areas/software/frontend/workflows/scaffold-component.md +67 -0
- package/areas/software/frontend/workflows/visual-regression.md +65 -0
- package/areas/software/full-stack/AGENTS.md +72 -0
- package/areas/software/full-stack/PROMPTS.md +66 -0
- package/areas/software/full-stack/prompts/backend-project-full-cycle.md +141 -0
- package/areas/software/full-stack/prompts/debug-issue.md +115 -0
- package/areas/software/full-stack/prompts/develop-feature.md +119 -0
- package/areas/software/full-stack/prompts/feature-implementation-flow.md +137 -0
- package/areas/software/full-stack/prompts/testing-ci-pipeline.md +119 -0
- package/areas/software/full-stack/rules/api-design-guide.md +24 -0
- package/areas/software/full-stack/rules/async-concurrency-guide.md +21 -0
- package/areas/software/full-stack/rules/backend-architecture-rule.md +41 -0
- package/areas/software/full-stack/rules/background-jobs-guide.md +20 -0
- package/areas/software/full-stack/rules/code-quality-guide.md +22 -0
- package/areas/software/full-stack/rules/database-access-guide.md +24 -0
- package/areas/software/full-stack/rules/database-migrations-guide.md +24 -0
- package/areas/software/full-stack/rules/domain-models-guide.md +28 -0
- package/areas/software/full-stack/rules/e2e-test-guide.md +18 -0
- package/areas/software/full-stack/rules/env-settings-guide.md +34 -0
- package/areas/software/full-stack/rules/error-handling-guide.md +20 -0
- package/areas/software/full-stack/rules/logging-observability-guide.md +22 -0
- package/areas/software/full-stack/rules/project-guide.md +34 -0
- package/areas/software/full-stack/rules/python-venv-guide.md +23 -0
- package/areas/software/full-stack/rules/security-guide.md +22 -0
- package/areas/software/full-stack/rules/svt-test-guide.md +17 -0
- package/areas/software/full-stack/rules/testing-ci-guide.md +25 -0
- package/areas/software/full-stack/skills/api-design-principles/SKILL.md +125 -0
- package/areas/software/full-stack/skills/api-design-principles/assets/api-design-checklist.md +155 -0
- package/areas/software/full-stack/skills/api-design-principles/assets/rest-api-template.py +182 -0
- package/areas/software/full-stack/skills/api-design-principles/references/graphql-schema-design.md +583 -0
- package/areas/software/full-stack/skills/api-design-principles/references/rest-best-practices.md +408 -0
- package/areas/software/full-stack/skills/api-design-principles/resources/implementation-playbook.md +513 -0
- package/areas/software/full-stack/skills/api-patterns/SKILL.md +81 -0
- package/areas/software/full-stack/skills/api-patterns/api-style.md +42 -0
- package/areas/software/full-stack/skills/api-patterns/auth.md +24 -0
- package/areas/software/full-stack/skills/api-patterns/documentation.md +26 -0
- package/areas/software/full-stack/skills/api-patterns/graphql.md +41 -0
- package/areas/software/full-stack/skills/api-patterns/rate-limiting.md +31 -0
- package/areas/software/full-stack/skills/api-patterns/response.md +37 -0
- package/areas/software/full-stack/skills/api-patterns/rest.md +40 -0
- package/areas/software/full-stack/skills/api-patterns/scripts/api_validator.py +211 -0
- package/areas/software/full-stack/skills/api-patterns/security-testing.md +122 -0
- package/areas/software/full-stack/skills/api-patterns/trpc.md +41 -0
- package/areas/software/full-stack/skills/api-patterns/versioning.md +22 -0
- package/areas/software/full-stack/skills/app-builder/SKILL.md +135 -0
- package/areas/software/full-stack/skills/app-builder/agent-coordination.md +71 -0
- package/areas/software/full-stack/skills/app-builder/feature-building.md +53 -0
- package/areas/software/full-stack/skills/app-builder/project-detection.md +34 -0
- package/areas/software/full-stack/skills/app-builder/scaffolding.md +118 -0
- package/areas/software/full-stack/skills/app-builder/tech-stack.md +40 -0
- package/areas/software/full-stack/skills/app-builder/templates/SKILL.md +39 -0
- package/areas/software/full-stack/skills/app-builder/templates/astro-static/TEMPLATE.md +76 -0
- package/areas/software/full-stack/skills/app-builder/templates/chrome-extension/TEMPLATE.md +92 -0
- package/areas/software/full-stack/skills/app-builder/templates/cli-tool/TEMPLATE.md +88 -0
- package/areas/software/full-stack/skills/app-builder/templates/electron-desktop/TEMPLATE.md +88 -0
- package/areas/software/full-stack/skills/app-builder/templates/express-api/TEMPLATE.md +83 -0
- package/areas/software/full-stack/skills/app-builder/templates/flutter-app/TEMPLATE.md +90 -0
- package/areas/software/full-stack/skills/app-builder/templates/monorepo-turborepo/TEMPLATE.md +90 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-fullstack/TEMPLATE.md +82 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-saas/TEMPLATE.md +100 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-static/TEMPLATE.md +106 -0
- package/areas/software/full-stack/skills/app-builder/templates/nuxt-app/TEMPLATE.md +101 -0
- package/areas/software/full-stack/skills/app-builder/templates/python-fastapi/TEMPLATE.md +83 -0
- package/areas/software/full-stack/skills/app-builder/templates/react-native-app/TEMPLATE.md +93 -0
- package/areas/software/full-stack/skills/backend-developer/SKILL.md +58 -0
- package/areas/software/full-stack/skills/bash-pro/SKILL.md +310 -0
- package/areas/software/full-stack/skills/blackbox-test/SKILL.md +84 -0
- package/areas/software/full-stack/skills/prompt-project-planner/SKILL.md +130 -0
- package/areas/software/full-stack/skills/prompt-project-planner/output.schema.md +68 -0
- package/areas/software/full-stack/skills/prompt-project-planner/questions.md +80 -0
- package/areas/software/full-stack/skills/python-pro/SKILL.md +158 -0
- package/areas/software/full-stack/skills/skill-creator/LICENSE.txt +202 -0
- package/areas/software/full-stack/skills/skill-creator/SKILL.md +356 -0
- package/areas/software/full-stack/skills/skill-creator/references/output-patterns.md +82 -0
- package/areas/software/full-stack/skills/skill-creator/references/workflows.md +28 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/init_skill.py +303 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/package_skill.py +110 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/quick_validate.py +95 -0
- package/areas/software/full-stack/workflows/backend-project-full-cycle.md +132 -0
- package/areas/software/full-stack/workflows/debug-issue.md +70 -0
- package/areas/software/full-stack/workflows/develop-feature.md +85 -0
- package/areas/software/full-stack/workflows/feature-implementation-flow.md +78 -0
- package/areas/software/full-stack/workflows/testing-ci-pipeline.md +65 -0
- package/areas/software/general/AGENTS.md +68 -0
- package/areas/software/general/prompts/code-review-workflow.md +87 -0
- package/areas/software/general/prompts/development-cycle-workflow.md +83 -0
- package/areas/software/general/prompts/project-setup-workflow.md +93 -0
- package/areas/software/general/rules/code-style-guide.md +31 -0
- package/areas/software/general/rules/docker-compose-guide.md +27 -0
- package/areas/software/general/rules/git-workflow-guide.md +27 -0
- package/areas/software/general/rules/github-workflow-guide.md +27 -0
- package/areas/software/general/rules/gitlab-ci-guide.md +27 -0
- package/areas/software/general/rules/lint-format-guide.md +29 -0
- package/areas/software/general/rules/makefile-guide.md +34 -0
- package/areas/software/general/rules/readme-sync-guide.md +40 -0
- package/areas/software/general/rules/sdlc-methodology-guide.md +27 -0
- package/areas/software/general/rules/sdlc-role-responsibilities.md +108 -0
- package/areas/software/general/skills/general-dev-tools/SKILL.md +324 -0
- package/areas/software/general/workflows/code-review-workflow.md +84 -0
- package/areas/software/general/workflows/development-cycle-workflow.md +85 -0
- package/areas/software/general/workflows/project-setup-workflow.md +94 -0
- package/areas/software/mlops/AGENTS.md +57 -0
- package/areas/software/mlops/PROMPTS.md +32 -0
- package/areas/software/mlops/prompts/champion-challenger.md +87 -0
- package/areas/software/mlops/prompts/deploy-endpoint.md +91 -0
- package/areas/software/mlops/prompts/evaluate-model.md +87 -0
- package/areas/software/mlops/prompts/model-incident.md +87 -0
- package/areas/software/mlops/prompts/train-experiment.md +83 -0
- package/areas/software/mlops/rules/data-integrity.md +9 -0
- package/areas/software/mlops/rules/model-governance.md +9 -0
- package/areas/software/mlops/rules/production-safety.md +9 -0
- package/areas/software/mlops/rules/reproducibility.md +9 -0
- package/areas/software/mlops/skills/experiment-tracking/SKILL.md +29 -0
- package/areas/software/mlops/skills/feature-engineering/SKILL.md +44 -0
- package/areas/software/mlops/skills/inference-serving/SKILL.md +35 -0
- package/areas/software/mlops/skills/model-evaluation/SKILL.md +40 -0
- package/areas/software/mlops/skills/model-monitoring/SKILL.md +32 -0
- package/areas/software/mlops/workflows/champion-challenger.md +65 -0
- package/areas/software/mlops/workflows/deploy-endpoint.md +70 -0
- package/areas/software/mlops/workflows/evaluate-model.md +63 -0
- package/areas/software/mlops/workflows/model-incident.md +64 -0
- package/areas/software/mlops/workflows/train-experiment.md +56 -0
- package/areas/software/mobile/AGENTS.md +58 -0
- package/areas/software/mobile/PROMPTS.md +32 -0
- package/areas/software/mobile/prompts/crash-triage.md +63 -0
- package/areas/software/mobile/prompts/device-testing.md +83 -0
- package/areas/software/mobile/prompts/ota-update.md +75 -0
- package/areas/software/mobile/prompts/release-build.md +67 -0
- package/areas/software/mobile/prompts/store-submission.md +79 -0
- package/areas/software/mobile/rules/offline-first.md +10 -0
- package/areas/software/mobile/rules/performance-budget.md +20 -0
- package/areas/software/mobile/rules/platform-compliance.md +17 -0
- package/areas/software/mobile/rules/security-mobile.md +9 -0
- package/areas/software/mobile/skills/app-store-prep/SKILL.md +27 -0
- package/areas/software/mobile/skills/mobile-testing/SKILL.md +36 -0
- package/areas/software/mobile/skills/native-modules/SKILL.md +38 -0
- package/areas/software/mobile/skills/navigation-patterns/SKILL.md +49 -0
- package/areas/software/mobile/skills/push-notifications/SKILL.md +40 -0
- package/areas/software/mobile/skills/state-sync/SKILL.md +48 -0
- package/areas/software/mobile/workflows/crash-triage.md +63 -0
- package/areas/software/mobile/workflows/device-testing.md +54 -0
- package/areas/software/mobile/workflows/ota-update.md +54 -0
- package/areas/software/mobile/workflows/release-build.md +67 -0
- package/areas/software/mobile/workflows/store-submission.md +63 -0
- package/areas/software/platform/AGENTS.md +67 -0
- package/areas/software/platform/PROMPTS.md +32 -0
- package/areas/software/platform/prompts/cost-audit.md +117 -0
- package/areas/software/platform/prompts/deploy-production.md +109 -0
- package/areas/software/platform/prompts/drift-check.md +107 -0
- package/areas/software/platform/prompts/incident-response.md +121 -0
- package/areas/software/platform/prompts/provision-env.md +113 -0
- package/areas/software/platform/rules/cost-governance.md +11 -0
- package/areas/software/platform/rules/immutability.md +17 -0
- package/areas/software/platform/rules/reliability.md +19 -0
- package/areas/software/platform/rules/security-posture.md +12 -0
- package/areas/software/platform/skills/ci-cd-pipelines/SKILL.md +58 -0
- package/areas/software/platform/skills/incident-response/SKILL.md +41 -0
- package/areas/software/platform/skills/k8s-manifests/SKILL.md +56 -0
- package/areas/software/platform/skills/networking/SKILL.md +44 -0
- package/areas/software/platform/skills/observability-setup/SKILL.md +49 -0
- package/areas/software/platform/skills/secrets-management/SKILL.md +43 -0
- package/areas/software/platform/skills/terraform-patterns/SKILL.md +75 -0
- package/areas/software/platform/workflows/cost-audit.md +61 -0
- package/areas/software/platform/workflows/deploy-production.md +67 -0
- package/areas/software/platform/workflows/drift-check.md +61 -0
- package/areas/software/platform/workflows/incident-response.md +69 -0
- package/areas/software/platform/workflows/provision-env.md +77 -0
- package/areas/software/qa/AGENTS.md +58 -0
- package/areas/software/qa/PROMPTS.md +32 -0
- package/areas/software/qa/prompts/flakiness-investigation.md +61 -0
- package/areas/software/qa/prompts/performance-audit.md +65 -0
- package/areas/software/qa/prompts/regression-suite.md +61 -0
- package/areas/software/qa/prompts/smoke-test.md +65 -0
- package/areas/software/qa/prompts/test-coverage-report.md +61 -0
- package/areas/software/qa/rules/flakiness-policy.md +12 -0
- package/areas/software/qa/rules/quality-gates.md +28 -0
- package/areas/software/qa/rules/test-data.md +9 -0
- package/areas/software/qa/rules/test-strategy.md +11 -0
- package/areas/software/qa/skills/accessibility-testing/SKILL.md +139 -0
- package/areas/software/qa/skills/api-testing/SKILL.md +140 -0
- package/areas/software/qa/skills/e2e-patterns/SKILL.md +152 -0
- package/areas/software/qa/skills/performance-testing/SKILL.md +177 -0
- package/areas/software/qa/skills/test-data-management/SKILL.md +161 -0
- package/areas/software/qa/skills/test-pyramid/SKILL.md +127 -0
- package/areas/software/qa/workflows/flakiness-investigation.md +63 -0
- package/areas/software/qa/workflows/performance-audit.md +59 -0
- package/areas/software/qa/workflows/regression-suite.md +59 -0
- package/areas/software/qa/workflows/smoke-test.md +64 -0
- package/areas/software/qa/workflows/test-coverage-report.md +57 -0
- package/areas/software/security/AGENTS.md +58 -0
- package/areas/software/security/PROMPTS.md +32 -0
- package/areas/software/security/prompts/compliance-report.md +113 -0
- package/areas/software/security/prompts/pen-test-sim.md +113 -0
- package/areas/software/security/prompts/secret-rotation.md +115 -0
- package/areas/software/security/prompts/security-scan.md +91 -0
- package/areas/software/security/prompts/threat-model-review.md +105 -0
- package/areas/software/security/rules/compliance-baseline.md +23 -0
- package/areas/software/security/rules/dependency-policy.md +12 -0
- package/areas/software/security/rules/secrets-policy.md +22 -0
- package/areas/software/security/rules/secure-coding.md +22 -0
- package/areas/software/security/skills/auth-patterns/SKILL.md +42 -0
- package/areas/software/security/skills/crypto-standards/SKILL.md +42 -0
- package/areas/software/security/skills/dependency-audit/SKILL.md +29 -0
- package/areas/software/security/skills/sast-dast-interpretation/SKILL.md +33 -0
- package/areas/software/security/skills/security-headers/SKILL.md +29 -0
- package/areas/software/security/skills/threat-modeling/SKILL.md +36 -0
- package/areas/software/security/workflows/compliance-report.md +57 -0
- package/areas/software/security/workflows/pen-test-sim.md +63 -0
- package/areas/software/security/workflows/secret-rotation.md +67 -0
- package/areas/software/security/workflows/security-scan.md +64 -0
- package/areas/software/security/workflows/threat-model-review.md +62 -0
- package/areas/template/AGENTS-area.tmpl.md +61 -0
- package/areas/template/AGENTS.tmpl.md +67 -0
- package/areas/template/GUIDE.md +102 -0
- package/areas/template/PROMPTS.tmpl.md +29 -0
- package/areas/template/README.md +57 -0
- package/areas/template/README.tmpl.md +51 -0
- package/areas/template/prompt.tmpl.md +101 -0
- package/areas/template/rule.tmpl.md +71 -0
- package/areas/template/skill.tmpl.md +108 -0
- package/areas/template/workflow.tmpl.md +104 -0
- package/bin/agentic.js +24 -0
- package/extensions/antigravity/GEMINI.md +10 -0
- package/extensions/claude/CLAUDE.md +10 -0
- package/extensions/codex/AGENTS.override.md +93 -0
- package/extensions/gemini/GEMINI.md +10 -0
- package/extensions/opencode/agents/designer.md +65 -0
- package/extensions/opencode/agents/developer.md +63 -0
- package/extensions/opencode/agents/devops-engineer.md +69 -0
- package/extensions/opencode/agents/pm.md +61 -0
- package/extensions/opencode/agents/product-owner.md +76 -0
- package/extensions/opencode/agents/qa.md +66 -0
- package/extensions/opencode/agents/team-lead.md +67 -0
- package/extensions/opencode/commands/feature.md +75 -0
- package/extensions/opencode/opencode.json +93 -0
- package/extensions/opencode/plugins/model-checker.json +14 -0
- package/extensions/opencode/plugins/model-checker.ts +279 -0
- package/extensions/opencode/plugins/sound-notification.ts +13 -0
- package/extensions/opencode/plugins/telegram-notification.ts +86 -0
- package/extensions/opencode/skills/code_review_expert/SKILL.md +144 -0
- package/extensions/opencode/skills/design_expert/SKILL.md +42 -0
- package/extensions/opencode/skills/qa_expert/SKILL.md +116 -0
- package/package.json +19 -0
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# Kubernetes — guidance index
|
|
2
|
+
|
|
3
|
+
## What this area covers
|
|
4
|
+
|
|
5
|
+
Self-hosted and managed Kubernetes cluster operations: cluster bootstrap, workload onboarding, RBAC design, network policies, resource governance, upgrade management, and pod-level debugging.
|
|
6
|
+
|
|
7
|
+
## Guidance chain
|
|
8
|
+
|
|
9
|
+
1. Project `.agent/` baseline (`AGENTS.md` + `.agent/*`)
|
|
10
|
+
2. `kubernetes/rules/*` — load all
|
|
11
|
+
3. `kubernetes/skills/*/SKILL.md` — load only the skill matching the current task
|
|
12
|
+
4. `kubernetes/workflows/*` — load the workflow matching the triggered command
|
|
13
|
+
|
|
14
|
+
## Inherited from devops area
|
|
15
|
+
|
|
16
|
+
- Infrastructure-as-Code immutability principle — no manual kubectl edits in production.
|
|
17
|
+
- Git-based change management — all manifests version-controlled.
|
|
18
|
+
- Incident response severity classification from `sre/` area.
|
|
19
|
+
|
|
20
|
+
## Kubernetes-specific constraints
|
|
21
|
+
|
|
22
|
+
- All workloads require resource requests and limits before admission.
|
|
23
|
+
- Network policies must be explicit — no implicit allow-all in non-development namespaces.
|
|
24
|
+
- RBAC follows least-privilege; no cluster-admin bindings without documented justification.
|
|
25
|
+
- Cluster upgrades follow the approved version-skew window; no skip-version upgrades.
|
|
26
|
+
|
|
27
|
+
## Spec map
|
|
28
|
+
|
|
29
|
+
```text
|
|
30
|
+
kubernetes/
|
|
31
|
+
├── rules/
|
|
32
|
+
│ ├── cluster-standards.md ← node sizing, OS, CRI, CNI constraints
|
|
33
|
+
│ ├── workload-security.md ← PSA levels, RBAC defaults, network policy baselines
|
|
34
|
+
│ ├── resource-governance.md ← requests/limits, LimitRange, QoS class targets
|
|
35
|
+
│ └── upgrade-policy.md ← version skew rules, upgrade cadence, pre-checks
|
|
36
|
+
├── skills/
|
|
37
|
+
│ ├── helm-charts/SKILL.md ← chart authoring, values design, release management
|
|
38
|
+
│ ├── rbac-design/SKILL.md ← role/binding patterns, least-privilege recipes
|
|
39
|
+
│ ├── network-policies/SKILL.md ← ingress/egress policies, namespace isolation
|
|
40
|
+
│ ├── resource-tuning/SKILL.md ← VPA/HPA, right-sizing, QoS optimization
|
|
41
|
+
│ ├── pod-troubleshooting/SKILL.md ← crash loops, OOM, pending pods, exec debugging
|
|
42
|
+
│ └── cluster-operations/SKILL.md ← etcd, control plane, node drain/cordon
|
|
43
|
+
├── workflows/
|
|
44
|
+
│ ├── onboard-service.md ← /onboard-service
|
|
45
|
+
│ ├── upgrade-cluster.md ← /upgrade-cluster
|
|
46
|
+
│ ├── debug-workload.md ← /debug-workload
|
|
47
|
+
│ └── cluster-bootstrap.md ← /cluster-bootstrap
|
|
48
|
+
└── prompts/
|
|
49
|
+
└── *.md
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
## Discovery patterns
|
|
53
|
+
|
|
54
|
+
- `rules/*.md`
|
|
55
|
+
- `skills/*/SKILL.md`
|
|
56
|
+
- `workflows/*.md`
|
|
57
|
+
- `prompts/*.md`
|
|
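Review bot: the constraint under "Kubernetes-specific constraints" that reads "no cluster-admin bindings without documented justification" conflicts with `rules/workload-security.md` item 4, which marks `cluster-admin` ClusterRoleBindings for non-system service accounts as BLOCKED with no exception path; since this index is what gets loaded first in the guidance chain, align it with the rule, e.g. "no cluster-admin bindings for non-system service accounts; cluster-scoped roles only with documented justification". The list also omits the two P0 requirements the rule file enforces, PSA `restricted` on production namespaces and etcd encryption at rest, which deserve a bullet each here so an agent that reads only the index does not miss them.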
@@ -0,0 +1,9 @@
|
|
|
1
|
+
# PROMPTS: kubernetes
|
|
2
|
+
|
|
3
|
+
| Prompt | Use when |
|
|
4
|
+
|:---|:---|
|
|
5
|
+
| `/debug-workload` | Pod not Running, service unreachable, deployment stuck |
|
|
6
|
+
| `/onboard-service` | Deploying new application to K8s for the first time |
|
|
7
|
+
| `/upgrade-cluster` | Upgrading K8s control plane and worker nodes |
|
|
8
|
+
| `/cluster-bootstrap` | Provisioning new bare-metal K8s cluster from scratch |
|
|
9
|
+
| `/rbac-audit` | Auditing RBAC permissions before compliance review |
|
|
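Review bot: the `/rbac-audit` row points at a command that has no `workflows/rbac-audit.md` in the AGENTS.md spec map and no prompt file in this changeset; the only audit example in the package lives under `/onboard-service` (Example 3 in `prompts/onboard-service.md`). Either add the workflow and prompt files or drop the row, otherwise the guidance chain step "load the workflow matching the triggered command" resolves to nothing when `/rbac-audit` is invoked.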
@@ -0,0 +1,67 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: cluster-bootstrap
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/cluster-bootstrap`
|
|
6
|
+
|
|
7
|
+
Use when: provisioning a new self-hosted Kubernetes cluster from bare-metal.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — Production HA cluster (kubeadm)
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/cluster-bootstrap
|
|
16
|
+
|
|
17
|
+
Cluster: prod-cluster-eu
|
|
18
|
+
Nodes: CP [cp-01/02/03: 192.168.10.10-12], Workers [w-01..06: 192.168.10.20-25]
|
|
19
|
+
HA VIP: 192.168.10.5 (keepalived + haproxy)
|
|
20
|
+
OS: Ubuntu 22.04 LTS / K8s: 1.31.x
|
|
21
|
+
Pod CIDR: 10.244.0.0/16 / Service CIDR: 10.96.0.0/12
|
|
22
|
+
CNI: Cilium + Hubble / Storage: Longhorn / LB: MetalLB (pool: .100-.150)
|
|
23
|
+
Core add-ons: ArgoCD, cert-manager, External Secrets → Vault, kube-prometheus-stack, OPA Gatekeeper
|
|
24
|
+
Security: etcd encryption at rest (AES-CBC), PSA restricted on production namespaces
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
**RU:**
|
|
28
|
+
```
|
|
29
|
+
/cluster-bootstrap
|
|
30
|
+
|
|
31
|
+
Кластер: prod-cluster-eu
|
|
32
|
+
Ноды: CP [cp-01/02/03: 192.168.10.10-12], Workers [w-01..06: 192.168.10.20-25]
|
|
33
|
+
HA VIP: 192.168.10.5 (keepalived + haproxy)
|
|
34
|
+
ОС: Ubuntu 22.04 LTS / K8s: 1.31.x
|
|
35
|
+
Pod CIDR: 10.244.0.0/16 / Service CIDR: 10.96.0.0/12
|
|
36
|
+
CNI: Cilium + Hubble / Хранилище: Longhorn / LB: MetalLB (pool: .100-.150)
|
|
37
|
+
Основные компоненты: ArgoCD, cert-manager, External Secrets → Vault, kube-prometheus-stack, OPA Gatekeeper
|
|
38
|
+
Безопасность: шифрование etcd at rest (AES-CBC), PSA restricted в production namespaces
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
---
|
|
42
|
+
|
|
43
|
+
## Example 2 — Lightweight lab cluster (k3s)
|
|
44
|
+
|
|
45
|
+
**EN:**
|
|
46
|
+
```
|
|
47
|
+
/cluster-bootstrap
|
|
48
|
+
|
|
49
|
+
Cluster: lab-01 / Distribution: k3s
|
|
50
|
+
Nodes: [lab-01: 192.168.1.10 server+agent, lab-02/03: 192.168.1.11-12 agents]
|
|
51
|
+
OS: Rocky Linux 9 / K8s: latest k3s stable
|
|
52
|
+
CNI: Flannel (default) / Storage: local-path / LB: none (port-forward)
|
|
53
|
+
Required: kubeconfig on workstation, helm + kubectl configured
|
|
54
|
+
Skip: HA, etcd encryption, OPA policies, PDB (lab environment)
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
**RU:**
|
|
58
|
+
```
|
|
59
|
+
/cluster-bootstrap
|
|
60
|
+
|
|
61
|
+
Кластер: lab-01 / Дистрибутив: k3s
|
|
62
|
+
Ноды: [lab-01: 192.168.1.10 server+agent, lab-02/03: 192.168.1.11-12 agents]
|
|
63
|
+
ОС: Rocky Linux 9 / K8s: последний стабильный k3s
|
|
64
|
+
CNI: Flannel (по умолчанию) / Хранилище: local-path / LB: нет (port-forward)
|
|
65
|
+
Требуется: kubeconfig на рабочей станции, настроены helm + kubectl
|
|
66
|
+
Пропустить: HA, шифрование etcd, OPA политики, PDB (lab окружение)
|
|
67
|
+
```
|
|
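Review bot: unlike the other prompts, neither example states an `Output:` or acceptance line, so there is no verifiable definition of done for a bootstrap; add one built from requirements this package already states elsewhere, e.g. "Output: kubeconfig path, etcd snapshot taken and restore-tested, `default-deny-all` NetworkPolicy and PSA `restricted` label present on production namespaces". Example 2 pins the lab to `latest k3s stable`, which drifts across minor versions over time; pin a version the way Example 1 does with `1.31.x`, so that `rules/upgrade-policy.md` item 5 ("one minor version at a time") still has a defined starting point for the lab.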
@@ -0,0 +1,91 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: debug-workload
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/debug-workload`
|
|
6
|
+
|
|
7
|
+
Use when: a pod is not Running, a service is unreachable, or a deployment is stuck.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — CrashLoopBackOff diagnosis
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/debug-workload
|
|
16
|
+
|
|
17
|
+
Service: payment-service
|
|
18
|
+
Namespace: production
|
|
19
|
+
Symptom: CrashLoopBackOff — pod restarts every 30s since v2.3.1 deploy at 14:22 UTC
|
|
20
|
+
Last known good version: v2.3.0
|
|
21
|
+
What to check: exit code from describe, previous logs, image digest diff, recent ConfigMap/Secret changes
|
|
22
|
+
Output: root cause + fix as Helm values change (not kubectl edit)
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
**RU:**
|
|
26
|
+
```
|
|
27
|
+
/debug-workload
|
|
28
|
+
|
|
29
|
+
Сервис: payment-service
|
|
30
|
+
Namespace: production
|
|
31
|
+
Симптом: CrashLoopBackOff — перезапуск каждые 30с с деплоя v2.3.1 в 14:22 UTC
|
|
32
|
+
Последняя рабочая версия: v2.3.0
|
|
33
|
+
Что проверить: код выхода через describe, логи --previous, diff image digest, изменения ConfigMap/Secret
|
|
34
|
+
Результат: корневая причина + исправление как Helm values (не kubectl edit)
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
---
|
|
38
|
+
|
|
39
|
+
## Example 2 — Service unreachable (empty endpoints)
|
|
40
|
+
|
|
41
|
+
**EN:**
|
|
42
|
+
```
|
|
43
|
+
/debug-workload
|
|
44
|
+
|
|
45
|
+
Service: order-service / Namespace: production
|
|
46
|
+
Symptom: HTTP 503 from Ingress; endpoints empty despite 3/3 pods Running
|
|
47
|
+
Investigate: pod labels vs Service selector, ReadinessProbe status, NetworkPolicy blocking kubelet health check
|
|
48
|
+
Port mapping: container 8080, service 80 → targetPort 8080
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
**RU:**
|
|
52
|
+
```
|
|
53
|
+
/debug-workload
|
|
54
|
+
|
|
55
|
+
Сервис: order-service / Namespace: production
|
|
56
|
+
Симптом: HTTP 503 от Ingress; endpoints пустые хотя 3/3 поды Running
|
|
57
|
+
Расследовать: labels подов vs selector сервиса, статус ReadinessProbe, NetworkPolicy блокирующий kubelet health check
|
|
58
|
+
Маппинг портов: container 8080, service 80 → targetPort 8080
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
---
|
|
62
|
+
|
|
63
|
+
## Example 3 — OOMKilled + right-size
|
|
64
|
+
|
|
65
|
+
**EN:**
|
|
66
|
+
```
|
|
67
|
+
/debug-workload
|
|
68
|
+
|
|
69
|
+
Service: ml-inference-worker / Namespace: ml-prod
|
|
70
|
+
Symptom: OOMKilled (exit 137), 12 restarts in last hour; current limit: 512Mi
|
|
71
|
+
Task:
|
|
72
|
+
1. Confirm OOMKill via describe + exit code
|
|
73
|
+
2. Query Prometheus p99 memory over 7 days
|
|
74
|
+
3. Calculate new limit = p99 × 1.3
|
|
75
|
+
4. Update Helm values; do NOT patch production directly
|
|
76
|
+
5. Check VPA recommendation if available
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
**RU:**
|
|
80
|
+
```
|
|
81
|
+
/debug-workload
|
|
82
|
+
|
|
83
|
+
Сервис: ml-inference-worker / Namespace: ml-prod
|
|
84
|
+
Симптом: OOMKilled (exit 137), 12 перезапусков за час; текущий лимит: 512Mi
|
|
85
|
+
Задача:
|
|
86
|
+
1. Подтвердить OOMKill через describe + код выхода
|
|
87
|
+
2. Запросить Prometheus p99 памяти за 7 дней
|
|
88
|
+
3. Рассчитать новый лимит = p99 × 1.3
|
|
89
|
+
4. Обновить Helm values; НЕ патчить production напрямую
|
|
90
|
+
5. Проверить рекомендацию VPA если доступен
|
|
91
|
+
```
|
|
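Review bot: Example 3 step 3 sizes only the memory limit (`new limit = p99 × 1.3`) and says nothing about the request, but `rules/resource-governance.md` item 1 requires both and item 2 makes Tier 1 and stateful workloads `Guaranteed` (requests == limits); the task should also state the request (request = limit for Guaranteed, request = p99 for Burstable), otherwise the resulting Helm values change either fails the quality gate or silently changes the pod's QoS class. Minor: the EN text says "previous logs" where the RU says `логи --previous`; write `kubectl logs --previous` in both so the agent runs the same command regardless of language.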
@@ -0,0 +1,101 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: onboard-service
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/onboard-service`
|
|
6
|
+
|
|
7
|
+
Use when: deploying a new application to Kubernetes with namespace, workload, and least-privilege access defined together.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — Internal backend service
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/onboard-service
|
|
16
|
+
|
|
17
|
+
Service: notification-service / Team: platform-team / Env: production
|
|
18
|
+
Image: registry.internal/notification-service:v1.0.0 / Port: 8080
|
|
19
|
+
Health: /health/ready, /health/live
|
|
20
|
+
Resource profile: small (100m CPU / 128Mi memory requests)
|
|
21
|
+
Calls: smtp-relay.infra:25, redis.cache:6379
|
|
22
|
+
Called by: order-service (namespace: production)
|
|
23
|
+
External: no
|
|
24
|
+
Required: namespace, ServiceAccount, RBAC, NetworkPolicy, Helm chart, ArgoCD app, HPA (min 2 max 8), ServiceMonitor
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
**RU:**
|
|
28
|
+
```
|
|
29
|
+
/onboard-service
|
|
30
|
+
|
|
31
|
+
Сервис: notification-service / Команда: platform-team / Окружение: production
|
|
32
|
+
Image: registry.internal/notification-service:v1.0.0 / Порт: 8080
|
|
33
|
+
Health: /health/ready, /health/live
|
|
34
|
+
Профиль ресурсов: small (100m CPU / 128Mi memory requests)
|
|
35
|
+
Вызывает: smtp-relay.infra:25, redis.cache:6379
|
|
36
|
+
Вызывается: order-service (namespace: production)
|
|
37
|
+
Внешний доступ: нет
|
|
38
|
+
Требуется: namespace, ServiceAccount, RBAC, NetworkPolicy, Helm chart, ArgoCD app, HPA (min 2 max 8), ServiceMonitor
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
---
|
|
42
|
+
|
|
43
|
+
## Example 2 — Externally exposed service with TLS
|
|
44
|
+
|
|
45
|
+
**EN:**
|
|
46
|
+
```
|
|
47
|
+
/onboard-service
|
|
48
|
+
|
|
49
|
+
Service: api-gateway / Team: backend-team / Env: staging
|
|
50
|
+
Image: registry.internal/api-gateway:v0.9.0 / Port: 8080
|
|
51
|
+
External: yes — NGINX Ingress at api.staging.example.com, TLS via cert-manager (Let's Encrypt)
|
|
52
|
+
Resource profile: medium (250m CPU / 256Mi memory)
|
|
53
|
+
Auth: mTLS between internal services
|
|
54
|
+
PDB: minAvailable 1 (staging has >= 2 replicas)
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
**RU:**
|
|
58
|
+
```
|
|
59
|
+
/onboard-service
|
|
60
|
+
|
|
61
|
+
Сервис: api-gateway / Команда: backend-team / Окружение: staging
|
|
62
|
+
Image: registry.internal/api-gateway:v0.9.0 / Порт: 8080
|
|
63
|
+
Внешний доступ: да — NGINX Ingress на api.staging.example.com, TLS через cert-manager (Let's Encrypt)
|
|
64
|
+
Профиль ресурсов: medium (250m CPU / 256Mi memory)
|
|
65
|
+
Auth: mTLS между внутренними сервисами
|
|
66
|
+
PDB: minAvailable 1 (в staging минимум 2 реплики)
|
|
67
|
+
```
|
|
68
|
+
|
|
69
|
+
---
|
|
70
|
+
|
|
71
|
+
## Example 3 — Pre-compliance namespace audit
|
|
72
|
+
|
|
73
|
+
**EN:**
|
|
74
|
+
```
|
|
75
|
+
/onboard-service
|
|
76
|
+
|
|
77
|
+
Target: namespace production
|
|
78
|
+
Goal: identify overprivileged accounts before SOC 2 review
|
|
79
|
+
Checks:
|
|
80
|
+
- ServiceAccounts with automountServiceAccountToken: true
|
|
81
|
+
- Bindings referencing cluster-admin or wildcard verbs/resources
|
|
82
|
+
- Orphaned ServiceAccounts (no workload)
|
|
83
|
+
- SA with cross-namespace ClusterRoleBindings
|
|
84
|
+
- CI/CD SA (github-actions-sa) permissions vs required minimum
|
|
85
|
+
Output: findings table (SA / bound role / verdict: OK|REDUCE|REMOVE) + fix manifests
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
**RU:**
|
|
89
|
+
```
|
|
90
|
+
/onboard-service
|
|
91
|
+
|
|
92
|
+
Цель: namespace production
|
|
93
|
+
Задача: выявить привилегированные аккаунты перед SOC 2 ревью
|
|
94
|
+
Проверки:
|
|
95
|
+
- ServiceAccount с automountServiceAccountToken: true
|
|
96
|
+
- Bindings ссылающиеся на cluster-admin или wildcard verbs/resources
|
|
97
|
+
- Orphaned ServiceAccount (без workload)
|
|
98
|
+
- SA с межnamespace ClusterRoleBinding
|
|
99
|
+
- Права CI/CD SA (github-actions-sa) vs необходимый минимум
|
|
100
|
+
Результат: таблица находок (SA / роль / вердикт: OK|REDUCE|REMOVE) + fix манифесты
|
|
101
|
+
```
|
|
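Review bot: Example 3 is an RBAC audit of an existing namespace, not an onboarding request, and its checks match the `/rbac-audit` row in PROMPTS.md, which has no prompt or workflow file of its own; move the example to a `prompts/rbac-audit.md` with a matching workflow so `/onboard-service` stays a single-purpose command. Example 2, unlike Example 1, has no `Calls:` / `Called by:` lines, yet `rules/workload-security.md` item 5 needs exactly that information to write the per-workload allow policies on top of default-deny; add them (for api-gateway at least the upstream services it proxies, and the NGINX Ingress controller as the only permitted caller).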
@@ -0,0 +1,63 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: upgrade-cluster
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/upgrade-cluster`
|
|
6
|
+
|
|
7
|
+
Use when: upgrading Kubernetes control plane and worker nodes to a new minor or patch version.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — Minor version upgrade (production, zero downtime)
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/upgrade-cluster
|
|
16
|
+
|
|
17
|
+
Cluster: prod-cluster-01 / Current: 1.29.8 / Target: 1.30.4
|
|
18
|
+
Nodes: 3 control plane (cp-01/02/03) + 6 workers (worker-01..06)
|
|
19
|
+
Constraints: zero downtime, upgrade window Sat 02:00–06:00 UTC
|
|
20
|
+
Staging: already on 1.30.4, healthy 72h
|
|
21
|
+
Pre-checks: kubent deprecated API scan, ArgoCD/cert-manager/ingress-nginx compat check, etcd backup
|
|
22
|
+
Rollback plan: required in upgrade PR before merge
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
**RU:**
|
|
26
|
+
```
|
|
27
|
+
/upgrade-cluster
|
|
28
|
+
|
|
29
|
+
Кластер: prod-cluster-01 / Текущая: 1.29.8 / Целевая: 1.30.4
|
|
30
|
+
Ноды: 3 control plane (cp-01/02/03) + 6 workers (worker-01..06)
|
|
31
|
+
Ограничения: zero downtime, окно обновления сб 02:00–06:00 UTC
|
|
32
|
+
Staging: уже на 1.30.4, стабильно 72ч
|
|
33
|
+
Пред-проверки: сканирование deprecated API через kubent, проверка совместимости ArgoCD/cert-manager/ingress-nginx, бэкап etcd
|
|
34
|
+
План отката: обязателен в PR до merge
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
---
|
|
38
|
+
|
|
39
|
+
## Example 2 — Security patch (fast-track, staging)
|
|
40
|
+
|
|
41
|
+
**EN:**
|
|
42
|
+
```
|
|
43
|
+
/upgrade-cluster
|
|
44
|
+
|
|
45
|
+
Cluster: staging-cluster-01 / Current: 1.30.2 / Target: 1.30.4
|
|
46
|
+
Reason: CVE-2024-XXXXX security patch — apply within 48h per policy
|
|
47
|
+
Nodes: 1 control plane + 3 workers
|
|
48
|
+
Staging: downtime < 5 min acceptable
|
|
49
|
+
Required: etcd backup + verify, control plane upgrade, rolling node upgrade
|
|
50
|
+
Skip: full 48h staging validation (this IS the staging cluster)
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
**RU:**
|
|
54
|
+
```
|
|
55
|
+
/upgrade-cluster
|
|
56
|
+
|
|
57
|
+
Кластер: staging-cluster-01 / Текущая: 1.30.2 / Целевая: 1.30.4
|
|
58
|
+
Причина: патч безопасности CVE-2024-XXXXX — применить в течение 48ч согласно политике
|
|
59
|
+
Ноды: 1 control plane + 3 workers
|
|
60
|
+
Staging: простой < 5 мин допустим
|
|
61
|
+
Требуется: бэкап etcd + верификация, обновление control plane, rolling обновление нод
|
|
62
|
+
Пропустить: полную 48ч валидацию staging (это и есть staging кластер)
|
|
63
|
+
```
|
|
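Review bot: Example 2's `Required:` line lists only backup, control plane and rolling node upgrade, while `rules/upgrade-policy.md` item 6 makes the pre-upgrade checklist (all nodes `Ready`, no active P0/P1 incident, PDB review) a gate on every upgrade and the `Skip:` line waives only the 48h staging soak; state explicitly that those gates still apply on the fast track, otherwise the example reads as if the whole checklist is waived for security patches. The `CVE-2024-XXXXX` value is fine as a template placeholder, but mark it as one so it is not copied verbatim into a real upgrade PR.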
@@ -0,0 +1,51 @@
|
|
|
1
|
+
# Rule: Cluster Standards
|
|
2
|
+
|
|
3
|
+
**Priority**: P0 — Non-compliant clusters are blocked from receiving production workloads.
|
|
4
|
+
|
|
5
|
+
## Control Plane
|
|
6
|
+
|
|
7
|
+
1. **High availability required for production**
|
|
8
|
+
- Minimum 3 control plane nodes across 3 failure domains (separate physical hosts or AZs).
|
|
9
|
+
- Single-node control plane allowed only in dev/lab; explicitly labelled `env=dev`.
|
|
10
|
+
- etcd must run on dedicated nodes or co-located on control plane nodes — never on workers.
|
|
11
|
+
|
|
12
|
+
2. **Supported distributions**
|
|
13
|
+
- Bare-metal: kubeadm, k3s (single-node / small clusters), RKE2, Talos Linux.
|
|
14
|
+
- Cloud: EKS, GKE, AKS — managed control plane only; node pools follow these same rules.
|
|
15
|
+
- Custom distros require architecture review sign-off before production use.
|
|
16
|
+
|
|
17
|
+
3. **Kubernetes version policy**
|
|
18
|
+
- Production clusters must run a version within **2 minor releases** of the latest stable.
|
|
19
|
+
- No cluster older than N-3 in any environment.
|
|
20
|
+
- Patch updates applied within 30 days of release.
|
|
21
|
+
|
|
22
|
+
## Node Standards
|
|
23
|
+
|
|
24
|
+
4. **Operating system**
|
|
25
|
+
- Preferred: Ubuntu 22.04 LTS or Rocky Linux 9 (immutable image preferred).
|
|
26
|
+
- All nodes run the same OS and kernel version within a node group.
|
|
27
|
+
- `unattended-upgrades` / `dnf-automatic` enabled for security patches only (not kernel).
|
|
28
|
+
|
|
29
|
+
5. **Container runtime**
|
|
30
|
+
- **containerd** is the standard CRI. Docker Engine as CRI is forbidden.
|
|
31
|
+
- `runc` is the default OCI runtime. `gVisor` / `kata-containers` for sensitive workloads.
|
|
32
|
+
|
|
33
|
+
6. **Node labelling (mandatory)**
|
|
34
|
+
```
|
|
35
|
+
node-role.kubernetes.io/worker=
|
|
36
|
+
topology.kubernetes.io/zone=<zone>
|
|
37
|
+
topology.kubernetes.io/region=<region>
|
|
38
|
+
node.kubernetes.io/instance-type=<type>
|
|
39
|
+
environment=<prod|staging|dev>
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
## Networking
|
|
43
|
+
|
|
44
|
+
7. **CNI**
|
|
45
|
+
- Cilium is the standard for new clusters (eBPF, NetworkPolicy, Hubble observability).
|
|
46
|
+
- Calico accepted for existing clusters. Flannel only in dev/lab — no NetworkPolicy support.
|
|
47
|
+
- Pod CIDR and Service CIDR must not overlap and must not conflict with datacenter routing.
|
|
48
|
+
|
|
49
|
+
8. **No NodePort in production**
|
|
50
|
+
- Services exposed via `LoadBalancer` (MetalLB for bare-metal) or `Ingress` only.
|
|
51
|
+
- `NodePort` allowed in dev/lab environments only.
|
|
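Review bot: item 1 labels single-node dev control planes `env=dev`, but the mandatory label set in item 6 uses `environment=<prod|staging|dev>`; pick one key (item 6's `environment=dev`) or any selector, policy or dashboard keyed on `environment` will not match dev clusters. Item 5 names `gVisor` / `kata-containers` for sensitive workloads without saying how a workload opts in; add that the sandboxed runtime is selected per pod through a `RuntimeClass` (`runtimeClassName` in the pod spec) so the requirement is actionable and auditable.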
@@ -0,0 +1,80 @@
|
|
|
1
|
+
# Rule: Resource Governance
|
|
2
|
+
|
|
3
|
+
**Priority**: P1 — Missing resource contracts fail pre-deploy quality gate.
|
|
4
|
+
|
|
5
|
+
## Mandatory Resource Contracts
|
|
6
|
+
|
|
7
|
+
1. **Every container must specify requests AND limits**
|
|
8
|
+
```yaml
|
|
9
|
+
resources:
|
|
10
|
+
requests:
|
|
11
|
+
cpu: 100m # guaranteed CPU
|
|
12
|
+
memory: 128Mi # guaranteed memory
|
|
13
|
+
limits:
|
|
14
|
+
cpu: 500m # burst cap
|
|
15
|
+
memory: 512Mi # OOM kill threshold
|
|
16
|
+
```
|
|
17
|
+
- Containers without `resources` block are rejected by OPA/Gatekeeper policy.
|
|
18
|
+
- `limits.cpu` may be omitted only if the workload is explicitly classified as CPU-unbounded with team-lead approval.
|
|
19
|
+
|
|
20
|
+
2. **QoS class targets**
|
|
21
|
+
- `Guaranteed` (requests == limits): required for stateful workloads and Tier 1 services.
|
|
22
|
+
- `Burstable` (requests < limits): acceptable for Tier 2 services.
|
|
23
|
+
- `BestEffort` (no resources): forbidden in production; allowed in dev/lab only.
|
|
24
|
+
|
|
25
|
+
## Namespace LimitRange
|
|
26
|
+
|
|
27
|
+
3. **Every production namespace has a LimitRange**
|
|
28
|
+
```yaml
|
|
29
|
+
apiVersion: v1
|
|
30
|
+
kind: LimitRange
|
|
31
|
+
metadata:
|
|
32
|
+
name: default-limits
|
|
33
|
+
spec:
|
|
34
|
+
limits:
|
|
35
|
+
- type: Container
|
|
36
|
+
default: { cpu: 200m, memory: 256Mi } # applied when limits absent
|
|
37
|
+
defaultRequest:{ cpu: 50m, memory: 64Mi } # applied when requests absent
|
|
38
|
+
max: { cpu: 4, memory: 4Gi } # hard ceiling per container
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
## Autoscaling
|
|
42
|
+
|
|
43
|
+
4. **HPA required for all Tier 1 stateless workloads**
|
|
44
|
+
```yaml
|
|
45
|
+
spec:
|
|
46
|
+
minReplicas: 2
|
|
47
|
+
maxReplicas: 20
|
|
48
|
+
metrics:
|
|
49
|
+
- type: Resource
|
|
50
|
+
resource:
|
|
51
|
+
name: cpu
|
|
52
|
+
target: { type: Utilization, averageUtilization: 70 }
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
5. **PodDisruptionBudget (PDB) required for Tier 1**
|
|
56
|
+
```yaml
|
|
57
|
+
spec:
|
|
58
|
+
minAvailable: 1 # or maxUnavailable: 1 — choose one
|
|
59
|
+
selector:
|
|
60
|
+
matchLabels:
|
|
61
|
+
app: my-service
|
|
62
|
+
```
|
|
63
|
+
- Tier 1 services must tolerate voluntary disruption (node drain) without outage.
|
|
64
|
+
|
|
65
|
+
## Topology & Scheduling
|
|
66
|
+
|
|
67
|
+
6. **TopologySpreadConstraints for Tier 1**
|
|
68
|
+
```yaml
|
|
69
|
+
topologySpreadConstraints:
|
|
70
|
+
- maxSkew: 1
|
|
71
|
+
topologyKey: topology.kubernetes.io/zone
|
|
72
|
+
whenUnsatisfiable: DoNotSchedule
|
|
73
|
+
labelSelector:
|
|
74
|
+
matchLabels: { app: my-service }
|
|
75
|
+
```
|
|
76
|
+
- Prevents all replicas landing on one zone during rolling update.
|
|
77
|
+
|
|
78
|
+
7. **ResourceQuota on every production namespace**
|
|
79
|
+
- Prevents resource exhaustion from runaway deployments.
|
|
80
|
+
- Values set per team capacity plan; reviewed quarterly.
|
|
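Review bot: the LimitRange example has a YAML syntax error, `defaultRequest:{ cpu: 50m, memory: 64Mi }` is missing the space after the colon, so the line does not parse as a key/value pair and the manifest is rejected on apply; it should read `defaultRequest: { cpu: 50m, memory: 64Mi }`. Also, item 1 permits omitting `limits.cpu` for CPU-unbounded workloads, but item 2 requires `Guaranteed` QoS (requests == limits for both cpu and memory on every container) for Tier 1 and stateful services; state that the CPU-unbounded exception is only available to Tier 2 / Burstable workloads, since a pod without a CPU limit can never be `Guaranteed`.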
@@ -0,0 +1,52 @@
|
|
|
1
|
+
# Rule: Cluster Upgrade Policy
|
|
2
|
+
|
|
3
|
+
**Priority**: P1 — Skipping upgrade gates puts the cluster out of support and blocks security patches.
|
|
4
|
+
|
|
5
|
+
## Version Skew Policy
|
|
6
|
+
|
|
7
|
+
1. **Supported version range**
|
|
8
|
+
- Production clusters must run within **2 minor versions** of the latest stable Kubernetes release.
|
|
9
|
+
- Example: if latest is 1.31 → minimum allowed in prod is 1.29.
|
|
10
|
+
- Clusters at N-3 or older are placed in mandatory upgrade sprint within 30 days.
|
|
11
|
+
|
|
12
|
+
2. **Control plane ↔ node version skew**
|
|
13
|
+
- Nodes may run **at most 2 minor versions behind** the control plane.
|
|
14
|
+
- kube-apiserver must be upgraded **before** kubelet on any node.
|
|
15
|
+
- Never upgrade kubelet ahead of kube-apiserver.
|
|
16
|
+
|
|
17
|
+
3. **Component version alignment**
|
|
18
|
+
- `kubectl` client: must be within ±1 minor of the server.
|
|
19
|
+
- Helm: latest stable; chart API version must match cluster API version.
|
|
20
|
+
- All Kubernetes-aware tooling (ArgoCD, Cert-Manager, Ingress controller) must list the target K8s version in their compatibility matrix before upgrade.
|
|
21
|
+
|
|
22
|
+
## Upgrade Cadence
|
|
23
|
+
|
|
24
|
+
4. **Patch updates**: applied within **30 days** of release on all clusters.
|
|
25
|
+
5. **Minor version upgrades**:
|
|
26
|
+
- Dev/staging: upgrade within 30 days of release.
|
|
27
|
+
- Production: upgrade within 60 days of staging validation.
|
|
28
|
+
- One minor version at a time (1.29 → 1.30 → 1.31; never skip).
|
|
29
|
+
|
|
30
|
+
## Upgrade Safety Gates
|
|
31
|
+
|
|
32
|
+
6. **Pre-upgrade checklist (automated in upgrade workflow)**
|
|
33
|
+
- All nodes in `Ready` state; no `NotReady` or `SchedulingDisabled`.
|
|
34
|
+
- No active P0/P1 incidents.
|
|
35
|
+
- Full etcd backup completed and verified within 1 hour of upgrade start.
|
|
36
|
+
- PodDisruptionBudgets reviewed — no PDB that would block node drain.
|
|
37
|
+
- Deprecated API usage audit: `kubectl get --show-labels` + `kubent` (kube-no-trouble) run.
|
|
38
|
+
|
|
39
|
+
7. **Control plane upgrade order**
|
|
40
|
+
```
|
|
41
|
+
1. etcd backup
|
|
42
|
+
2. Upgrade kube-apiserver (one node at a time for HA)
|
|
43
|
+
3. Upgrade kube-controller-manager
|
|
44
|
+
4. Upgrade kube-scheduler
|
|
45
|
+
5. Validate control plane health
|
|
46
|
+
6. Upgrade worker nodes (cordon → drain → upgrade → uncordon)
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
8. **Rollback plan required before every upgrade**
|
|
50
|
+
- etcd snapshot = point-in-time rollback for control plane.
|
|
51
|
+
- Node rollback = reprovision from last known good OS image.
|
|
52
|
+
- Document rollback steps in upgrade PR before merge.
|
|
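Review bot: item 6's deprecated-API audit step, `kubectl get --show-labels`, does not detect deprecated API usage at all (the flag only prints object labels); keep `kubent` and pair it with the kube-apiserver `apiserver_requested_deprecated_apis` metric, which records which deprecated group/versions clients actually called, since kubent only inspects stored objects and manifests. Item 2 sets node skew at 2 minors behind the control plane, which is stricter than the upstream skew policy (kubelet may be up to 3 minors older than kube-apiserver since 1.28); that is fine as local policy, but say it is intentional so it is not "corrected" later.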
@@ -0,0 +1,64 @@
|
|
|
1
|
+
# Rule: Workload Security
|
|
2
|
+
|
|
3
|
+
**Priority**: P0 — Security violations block deployment to production namespaces.
|
|
4
|
+
|
|
5
|
+
## Pod Security Admission (PSA)
|
|
6
|
+
|
|
7
|
+
1. **Namespace-level enforcement**
|
|
8
|
+
- `production` namespaces: `pod-security.kubernetes.io/enforce: restricted`
|
|
9
|
+
- `staging` namespaces: `pod-security.kubernetes.io/enforce: baseline`
|
|
10
|
+
- `dev` / `system` namespaces: `pod-security.kubernetes.io/warn: baseline`
|
|
11
|
+
- Never use `privileged` profile in production without explicit exemption + runbook.
|
|
12
|
+
|
|
13
|
+
2. **Restricted profile requirements (enforced)**
|
|
14
|
+
```yaml
|
|
15
|
+
securityContext:
|
|
16
|
+
runAsNonRoot: true
|
|
17
|
+
runAsUser: 1000 # non-zero UID
|
|
18
|
+
readOnlyRootFilesystem: true
|
|
19
|
+
allowPrivilegeEscalation: false
|
|
20
|
+
capabilities:
|
|
21
|
+
drop: ["ALL"]
|
|
22
|
+
seccompProfile:
|
|
23
|
+
type: RuntimeDefault
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
## RBAC
|
|
27
|
+
|
|
28
|
+
3. **Service account principle of least privilege**
|
|
29
|
+
- Every workload gets a dedicated `ServiceAccount` — never use `default`.
|
|
30
|
+
- `automountServiceAccountToken: false` unless the pod explicitly needs API access.
|
|
31
|
+
- `ClusterRole` only when cross-namespace access is architecturally justified.
|
|
32
|
+
|
|
33
|
+
4. **Forbidden bindings**
|
|
34
|
+
- `cluster-admin` ClusterRoleBinding for non-system service accounts: **BLOCKED**.
|
|
35
|
+
- Binding `system:masters` group to application identities: **BLOCKED**.
|
|
36
|
+
- Wildcard verbs (`*`) in production Role/ClusterRole without documented exception.
|
|
37
|
+
|
|
38
|
+
## Network Policy
|
|
39
|
+
|
|
40
|
+
5. **Default-deny posture**
|
|
41
|
+
- Every namespace must have a default-deny-all NetworkPolicy at creation.
|
|
42
|
+
- Ingress and egress explicitly whitelisted per workload.
|
|
43
|
+
|
|
44
|
+
```yaml
|
|
45
|
+
# Default deny-all (apply to every new namespace)
|
|
46
|
+
apiVersion: networking.k8s.io/v1
|
|
47
|
+
kind: NetworkPolicy
|
|
48
|
+
metadata:
|
|
49
|
+
name: default-deny-all
|
|
50
|
+
spec:
|
|
51
|
+
podSelector: {}
|
|
52
|
+
policyTypes: [Ingress, Egress]
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
6. **Inter-namespace traffic**
|
|
56
|
+
- Namespaces are isolated by default; cross-namespace communication requires explicit policy.
|
|
57
|
+
- System namespaces (`kube-system`, `monitoring`) may egress to all; ingress restricted to operators.
|
|
58
|
+
|
|
59
|
+
## Secrets
|
|
60
|
+
|
|
61
|
+
7. **Secret hygiene**
|
|
62
|
+
- Secrets never stored in ConfigMaps or environment variable literals in pod spec.
|
|
63
|
+
- Use External Secrets Operator (ESO) to sync from Vault / AWS Secrets Manager / etc.
|
|
64
|
+
- `etcd` encryption at rest mandatory (`EncryptionConfiguration` with `aescbc` or KMS provider).
|
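Review bot: the `default-deny-all` policy in item 5 also denies egress to cluster DNS, so every pod in a freshly created namespace fails name resolution until a per-workload policy is added; pair it with a namespace-wide allow-DNS egress policy (to the `kube-system` namespace, pods labelled `k8s-app: kube-dns`, UDP and TCP 53) and say so in the rule, otherwise "apply to every new namespace" breaks onboarding. Item 7's `aescbc` provider is listed in the upstream EncryptionConfiguration docs as not recommended (CBC is exposed to padding-oracle attacks); make a KMS v2 provider the default and allow `secretbox` only where no KMS is available.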