@jetrabbits/agentic 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +143 -0
- package/README.md +154 -0
- package/agentic +1615 -0
- package/areas/devops/ci-cd/AGENTS.md +48 -0
- package/areas/devops/ci-cd/PROMPTS.md +7 -0
- package/areas/devops/ci-cd/prompts/onboard-repo.md +97 -0
- package/areas/devops/ci-cd/prompts/pipeline-debug.md +103 -0
- package/areas/devops/ci-cd/prompts/release-pipeline.md +115 -0
- package/areas/devops/ci-cd/rules/pipeline-standards.md +33 -0
- package/areas/devops/ci-cd/rules/quality-gates.md +24 -0
- package/areas/devops/ci-cd/rules/supply-chain-security.md +34 -0
- package/areas/devops/ci-cd/skills/artifact-management/SKILL.md +157 -0
- package/areas/devops/ci-cd/skills/build-optimization/SKILL.md +168 -0
- package/areas/devops/ci-cd/skills/github-actions-patterns/SKILL.md +190 -0
- package/areas/devops/ci-cd/skills/gitlab-ci-patterns/SKILL.md +169 -0
- package/areas/devops/ci-cd/skills/pipeline-security/SKILL.md +161 -0
- package/areas/devops/ci-cd/workflows/onboard-repo.md +73 -0
- package/areas/devops/ci-cd/workflows/pipeline-debug.md +66 -0
- package/areas/devops/ci-cd/workflows/release-pipeline.md +115 -0
- package/areas/devops/database-ops/AGENTS.md +47 -0
- package/areas/devops/database-ops/prompts/backup-verify.md +83 -0
- package/areas/devops/database-ops/prompts/db-incident.md +127 -0
- package/areas/devops/database-ops/rules/access-control.md +20 -0
- package/areas/devops/database-ops/rules/backup-policy.md +33 -0
- package/areas/devops/database-ops/rules/migration-runbook.md +32 -0
- package/areas/devops/database-ops/skills/backup-restore/SKILL.md +226 -0
- package/areas/devops/database-ops/skills/db-performance/SKILL.md +205 -0
- package/areas/devops/database-ops/skills/migration-safety/SKILL.md +155 -0
- package/areas/devops/database-ops/skills/postgres-operations/SKILL.md +156 -0
- package/areas/devops/database-ops/skills/redis-operations/SKILL.md +174 -0
- package/areas/devops/database-ops/workflows/backup-verify.md +107 -0
- package/areas/devops/database-ops/workflows/db-incident.md +86 -0
- package/areas/devops/devsecops/AGENTS.md +47 -0
- package/areas/devops/devsecops/prompts/policy-onboard.md +79 -0
- package/areas/devops/devsecops/prompts/security-scan-pipeline.md +131 -0
- package/areas/devops/devsecops/rules/container-security.md +22 -0
- package/areas/devops/devsecops/rules/policy-as-code.md +37 -0
- package/areas/devops/devsecops/rules/shift-left-policy.md +26 -0
- package/areas/devops/devsecops/skills/container-hardening/SKILL.md +146 -0
- package/areas/devops/devsecops/skills/opa-policies/SKILL.md +188 -0
- package/areas/devops/devsecops/skills/sbom-supply-chain/SKILL.md +165 -0
- package/areas/devops/devsecops/skills/secret-detection/SKILL.md +190 -0
- package/areas/devops/devsecops/skills/sigstore-signing/SKILL.md +184 -0
- package/areas/devops/devsecops/workflows/policy-onboard.md +104 -0
- package/areas/devops/devsecops/workflows/security-scan-pipeline.md +155 -0
- package/areas/devops/infrastructure/AGENTS.md +50 -0
- package/areas/devops/infrastructure/prompts/destroy-environment.md +81 -0
- package/areas/devops/infrastructure/prompts/drift-remediation.md +71 -0
- package/areas/devops/infrastructure/prompts/module-development.md +69 -0
- package/areas/devops/infrastructure/prompts/provision-environment.md +121 -0
- package/areas/devops/infrastructure/rules/iac-standards.md +80 -0
- package/areas/devops/infrastructure/rules/immutability.md +28 -0
- package/areas/devops/infrastructure/rules/secret-hygiene.md +53 -0
- package/areas/devops/infrastructure/rules/state-management.md +47 -0
- package/areas/devops/infrastructure/skills/ansible-playbooks/SKILL.md +174 -0
- package/areas/devops/infrastructure/skills/cost-optimization/SKILL.md +177 -0
- package/areas/devops/infrastructure/skills/drift-detection/SKILL.md +178 -0
- package/areas/devops/infrastructure/skills/state-management/SKILL.md +159 -0
- package/areas/devops/infrastructure/skills/terraform-modules/SKILL.md +169 -0
- package/areas/devops/infrastructure/workflows/destroy-environment.md +96 -0
- package/areas/devops/infrastructure/workflows/drift-remediation.md +66 -0
- package/areas/devops/infrastructure/workflows/module-development.md +101 -0
- package/areas/devops/infrastructure/workflows/provision-environment.md +96 -0
- package/areas/devops/kubernetes/AGENTS.md +57 -0
- package/areas/devops/kubernetes/PROMPTS.md +9 -0
- package/areas/devops/kubernetes/prompts/cluster-bootstrap.md +67 -0
- package/areas/devops/kubernetes/prompts/debug-workload.md +91 -0
- package/areas/devops/kubernetes/prompts/onboard-service.md +101 -0
- package/areas/devops/kubernetes/prompts/upgrade-cluster.md +63 -0
- package/areas/devops/kubernetes/rules/cluster-standards.md +51 -0
- package/areas/devops/kubernetes/rules/resource-governance.md +80 -0
- package/areas/devops/kubernetes/rules/upgrade-policy.md +52 -0
- package/areas/devops/kubernetes/rules/workload-security.md +64 -0
- package/areas/devops/kubernetes/skills/cluster-operations/SKILL.md +136 -0
- package/areas/devops/kubernetes/skills/helm-charts/SKILL.md +152 -0
- package/areas/devops/kubernetes/skills/network-policies/SKILL.md +169 -0
- package/areas/devops/kubernetes/skills/pod-troubleshooting/SKILL.md +129 -0
- package/areas/devops/kubernetes/skills/rbac-design/SKILL.md +148 -0
- package/areas/devops/kubernetes/skills/resource-tuning/SKILL.md +156 -0
- package/areas/devops/kubernetes/workflows/cluster-bootstrap.md +194 -0
- package/areas/devops/kubernetes/workflows/debug-workload.md +108 -0
- package/areas/devops/kubernetes/workflows/onboard-service.md +124 -0
- package/areas/devops/kubernetes/workflows/upgrade-cluster.md +165 -0
- package/areas/devops/networking/AGENTS.md +47 -0
- package/areas/devops/networking/prompts/onboard-ingress.md +119 -0
- package/areas/devops/networking/prompts/service-mesh-onboard.md +77 -0
- package/areas/devops/networking/rules/ingress-standards.md +17 -0
- package/areas/devops/networking/rules/network-segmentation.md +24 -0
- package/areas/devops/networking/rules/tls-policy.md +32 -0
- package/areas/devops/networking/skills/dns-management/SKILL.md +169 -0
- package/areas/devops/networking/skills/ingress-patterns/SKILL.md +165 -0
- package/areas/devops/networking/skills/service-mesh/SKILL.md +206 -0
- package/areas/devops/networking/skills/tls-termination/SKILL.md +198 -0
- package/areas/devops/networking/skills/vpc-design/SKILL.md +132 -0
- package/areas/devops/networking/workflows/onboard-ingress.md +64 -0
- package/areas/devops/networking/workflows/service-mesh-onboard.md +122 -0
- package/areas/devops/observability/AGENTS.md +48 -0
- package/areas/devops/observability/prompts/alert-investigation.md +117 -0
- package/areas/devops/observability/prompts/observability-stack-setup.md +99 -0
- package/areas/devops/observability/prompts/onboard-service-monitoring.md +79 -0
- package/areas/devops/observability/rules/alerting-standards.md +36 -0
- package/areas/devops/observability/rules/data-retention.md +19 -0
- package/areas/devops/observability/rules/golden-signals.md +28 -0
- package/areas/devops/observability/skills/distributed-tracing/SKILL.md +149 -0
- package/areas/devops/observability/skills/grafana-dashboards/SKILL.md +201 -0
- package/areas/devops/observability/skills/log-aggregation/SKILL.md +159 -0
- package/areas/devops/observability/skills/prometheus-alertmanager/SKILL.md +188 -0
- package/areas/devops/observability/skills/slo-implementation/SKILL.md +189 -0
- package/areas/devops/observability/workflows/alert-investigation.md +98 -0
- package/areas/devops/observability/workflows/observability-stack-setup.md +156 -0
- package/areas/devops/observability/workflows/onboard-service-monitoring.md +83 -0
- package/areas/devops/sre/AGENTS.md +48 -0
- package/areas/devops/sre/prompts/incident-response.md +129 -0
- package/areas/devops/sre/prompts/postmortem.md +101 -0
- package/areas/devops/sre/prompts/slo-review.md +125 -0
- package/areas/devops/sre/rules/error-budget-policy.md +25 -0
- package/areas/devops/sre/rules/on-call-standards.md +25 -0
- package/areas/devops/sre/rules/slo-policy.md +31 -0
- package/areas/devops/sre/skills/capacity-planning/SKILL.md +162 -0
- package/areas/devops/sre/skills/chaos-engineering/SKILL.md +186 -0
- package/areas/devops/sre/skills/incident-command/SKILL.md +119 -0
- package/areas/devops/sre/skills/postmortem-analysis/SKILL.md +104 -0
- package/areas/devops/sre/skills/slo-sli-design/SKILL.md +145 -0
- package/areas/devops/sre/workflows/incident-response.md +66 -0
- package/areas/devops/sre/workflows/postmortem.md +90 -0
- package/areas/devops/sre/workflows/slo-review.md +95 -0
- package/areas/software/backend/AGENTS.md +59 -0
- package/areas/software/backend/PROMPTS.md +50 -0
- package/areas/software/backend/README.md +48 -0
- package/areas/software/backend/prompts/add-migration.md +93 -0
- package/areas/software/backend/prompts/create-endpoint.md +97 -0
- package/areas/software/backend/prompts/debug-issue.md +87 -0
- package/areas/software/backend/prompts/develop-epic.md +83 -0
- package/areas/software/backend/prompts/develop-feature.md +91 -0
- package/areas/software/backend/prompts/refactor-module.md +79 -0
- package/areas/software/backend/prompts/test-feature.md +89 -0
- package/areas/software/backend/rules/architecture.md +20 -0
- package/areas/software/backend/rules/data_access.md +20 -0
- package/areas/software/backend/rules/security.md +20 -0
- package/areas/software/backend/rules/testing.md +19 -0
- package/areas/software/backend/skills/api-design/SKILL.md +170 -0
- package/areas/software/backend/skills/async-processing/SKILL.md +152 -0
- package/areas/software/backend/skills/database-modeling/SKILL.md +173 -0
- package/areas/software/backend/skills/observability/SKILL.md +162 -0
- package/areas/software/backend/skills/troubleshooting/SKILL.md +139 -0
- package/areas/software/backend/workflows/add-migration.md +79 -0
- package/areas/software/backend/workflows/create-endpoint.md +89 -0
- package/areas/software/backend/workflows/debug-issue.md +77 -0
- package/areas/software/backend/workflows/develop-epic.md +78 -0
- package/areas/software/backend/workflows/develop-feature.md +98 -0
- package/areas/software/backend/workflows/refactor-module.md +73 -0
- package/areas/software/backend/workflows/test-feature.md +67 -0
- package/areas/software/data-engineering/AGENTS.md +59 -0
- package/areas/software/data-engineering/PROMPTS.md +32 -0
- package/areas/software/data-engineering/prompts/backfill-data.md +107 -0
- package/areas/software/data-engineering/prompts/data-quality-incident.md +109 -0
- package/areas/software/data-engineering/prompts/lineage-trace.md +121 -0
- package/areas/software/data-engineering/prompts/new-model.md +117 -0
- package/areas/software/data-engineering/prompts/schema-migration.md +111 -0
- package/areas/software/data-engineering/rules/data-governance.md +11 -0
- package/areas/software/data-engineering/rules/pii-handling.md +19 -0
- package/areas/software/data-engineering/rules/pipeline-integrity.md +11 -0
- package/areas/software/data-engineering/rules/schema-management.md +21 -0
- package/areas/software/data-engineering/skills/data-modeling/SKILL.md +49 -0
- package/areas/software/data-engineering/skills/dbt-patterns/SKILL.md +43 -0
- package/areas/software/data-engineering/skills/lineage-governance/SKILL.md +38 -0
- package/areas/software/data-engineering/skills/orchestration/SKILL.md +35 -0
- package/areas/software/data-engineering/skills/quality-checks/SKILL.md +50 -0
- package/areas/software/data-engineering/skills/sql-optimization/SKILL.md +47 -0
- package/areas/software/data-engineering/skills/streaming-patterns/SKILL.md +48 -0
- package/areas/software/data-engineering/workflows/backfill-data.md +59 -0
- package/areas/software/data-engineering/workflows/data-quality-incident.md +64 -0
- package/areas/software/data-engineering/workflows/lineage-trace.md +56 -0
- package/areas/software/data-engineering/workflows/new-model.md +71 -0
- package/areas/software/data-engineering/workflows/schema-migration.md +67 -0
- package/areas/software/frontend/AGENTS.md +60 -0
- package/areas/software/frontend/PROMPTS.md +32 -0
- package/areas/software/frontend/prompts/a11y-fix.md +75 -0
- package/areas/software/frontend/prompts/bundle-analyze.md +75 -0
- package/areas/software/frontend/prompts/release-prep.md +83 -0
- package/areas/software/frontend/prompts/scaffold-component.md +69 -0
- package/areas/software/frontend/prompts/visual-regression.md +73 -0
- package/areas/software/frontend/rules/accessibility.md +16 -0
- package/areas/software/frontend/rules/architecture.md +29 -0
- package/areas/software/frontend/rules/performance.md +23 -0
- package/areas/software/frontend/rules/quality.md +12 -0
- package/areas/software/frontend/skills/a11y-audit/SKILL.md +61 -0
- package/areas/software/frontend/skills/api-integration/SKILL.md +58 -0
- package/areas/software/frontend/skills/component-design/SKILL.md +171 -0
- package/areas/software/frontend/skills/css-architecture/SKILL.md +146 -0
- package/areas/software/frontend/skills/error-handling/SKILL.md +55 -0
- package/areas/software/frontend/skills/performance-tuning/SKILL.md +58 -0
- package/areas/software/frontend/skills/state-management/SKILL.md +54 -0
- package/areas/software/frontend/skills/testing-patterns/SKILL.md +69 -0
- package/areas/software/frontend/workflows/a11y-fix.md +63 -0
- package/areas/software/frontend/workflows/bundle-analyze.md +56 -0
- package/areas/software/frontend/workflows/release-prep.md +66 -0
- package/areas/software/frontend/workflows/scaffold-component.md +67 -0
- package/areas/software/frontend/workflows/visual-regression.md +65 -0
- package/areas/software/full-stack/AGENTS.md +72 -0
- package/areas/software/full-stack/PROMPTS.md +66 -0
- package/areas/software/full-stack/prompts/backend-project-full-cycle.md +141 -0
- package/areas/software/full-stack/prompts/debug-issue.md +115 -0
- package/areas/software/full-stack/prompts/develop-feature.md +119 -0
- package/areas/software/full-stack/prompts/feature-implementation-flow.md +137 -0
- package/areas/software/full-stack/prompts/testing-ci-pipeline.md +119 -0
- package/areas/software/full-stack/rules/api-design-guide.md +24 -0
- package/areas/software/full-stack/rules/async-concurrency-guide.md +21 -0
- package/areas/software/full-stack/rules/backend-architecture-rule.md +41 -0
- package/areas/software/full-stack/rules/background-jobs-guide.md +20 -0
- package/areas/software/full-stack/rules/code-quality-guide.md +22 -0
- package/areas/software/full-stack/rules/database-access-guide.md +24 -0
- package/areas/software/full-stack/rules/database-migrations-guide.md +24 -0
- package/areas/software/full-stack/rules/domain-models-guide.md +28 -0
- package/areas/software/full-stack/rules/e2e-test-guide.md +18 -0
- package/areas/software/full-stack/rules/env-settings-guide.md +34 -0
- package/areas/software/full-stack/rules/error-handling-guide.md +20 -0
- package/areas/software/full-stack/rules/logging-observability-guide.md +22 -0
- package/areas/software/full-stack/rules/project-guide.md +34 -0
- package/areas/software/full-stack/rules/python-venv-guide.md +23 -0
- package/areas/software/full-stack/rules/security-guide.md +22 -0
- package/areas/software/full-stack/rules/svt-test-guide.md +17 -0
- package/areas/software/full-stack/rules/testing-ci-guide.md +25 -0
- package/areas/software/full-stack/skills/api-design-principles/SKILL.md +125 -0
- package/areas/software/full-stack/skills/api-design-principles/assets/api-design-checklist.md +155 -0
- package/areas/software/full-stack/skills/api-design-principles/assets/rest-api-template.py +182 -0
- package/areas/software/full-stack/skills/api-design-principles/references/graphql-schema-design.md +583 -0
- package/areas/software/full-stack/skills/api-design-principles/references/rest-best-practices.md +408 -0
- package/areas/software/full-stack/skills/api-design-principles/resources/implementation-playbook.md +513 -0
- package/areas/software/full-stack/skills/api-patterns/SKILL.md +81 -0
- package/areas/software/full-stack/skills/api-patterns/api-style.md +42 -0
- package/areas/software/full-stack/skills/api-patterns/auth.md +24 -0
- package/areas/software/full-stack/skills/api-patterns/documentation.md +26 -0
- package/areas/software/full-stack/skills/api-patterns/graphql.md +41 -0
- package/areas/software/full-stack/skills/api-patterns/rate-limiting.md +31 -0
- package/areas/software/full-stack/skills/api-patterns/response.md +37 -0
- package/areas/software/full-stack/skills/api-patterns/rest.md +40 -0
- package/areas/software/full-stack/skills/api-patterns/scripts/api_validator.py +211 -0
- package/areas/software/full-stack/skills/api-patterns/security-testing.md +122 -0
- package/areas/software/full-stack/skills/api-patterns/trpc.md +41 -0
- package/areas/software/full-stack/skills/api-patterns/versioning.md +22 -0
- package/areas/software/full-stack/skills/app-builder/SKILL.md +135 -0
- package/areas/software/full-stack/skills/app-builder/agent-coordination.md +71 -0
- package/areas/software/full-stack/skills/app-builder/feature-building.md +53 -0
- package/areas/software/full-stack/skills/app-builder/project-detection.md +34 -0
- package/areas/software/full-stack/skills/app-builder/scaffolding.md +118 -0
- package/areas/software/full-stack/skills/app-builder/tech-stack.md +40 -0
- package/areas/software/full-stack/skills/app-builder/templates/SKILL.md +39 -0
- package/areas/software/full-stack/skills/app-builder/templates/astro-static/TEMPLATE.md +76 -0
- package/areas/software/full-stack/skills/app-builder/templates/chrome-extension/TEMPLATE.md +92 -0
- package/areas/software/full-stack/skills/app-builder/templates/cli-tool/TEMPLATE.md +88 -0
- package/areas/software/full-stack/skills/app-builder/templates/electron-desktop/TEMPLATE.md +88 -0
- package/areas/software/full-stack/skills/app-builder/templates/express-api/TEMPLATE.md +83 -0
- package/areas/software/full-stack/skills/app-builder/templates/flutter-app/TEMPLATE.md +90 -0
- package/areas/software/full-stack/skills/app-builder/templates/monorepo-turborepo/TEMPLATE.md +90 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-fullstack/TEMPLATE.md +82 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-saas/TEMPLATE.md +100 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-static/TEMPLATE.md +106 -0
- package/areas/software/full-stack/skills/app-builder/templates/nuxt-app/TEMPLATE.md +101 -0
- package/areas/software/full-stack/skills/app-builder/templates/python-fastapi/TEMPLATE.md +83 -0
- package/areas/software/full-stack/skills/app-builder/templates/react-native-app/TEMPLATE.md +93 -0
- package/areas/software/full-stack/skills/backend-developer/SKILL.md +58 -0
- package/areas/software/full-stack/skills/bash-pro/SKILL.md +310 -0
- package/areas/software/full-stack/skills/blackbox-test/SKILL.md +84 -0
- package/areas/software/full-stack/skills/prompt-project-planner/SKILL.md +130 -0
- package/areas/software/full-stack/skills/prompt-project-planner/output.schema.md +68 -0
- package/areas/software/full-stack/skills/prompt-project-planner/questions.md +80 -0
- package/areas/software/full-stack/skills/python-pro/SKILL.md +158 -0
- package/areas/software/full-stack/skills/skill-creator/LICENSE.txt +202 -0
- package/areas/software/full-stack/skills/skill-creator/SKILL.md +356 -0
- package/areas/software/full-stack/skills/skill-creator/references/output-patterns.md +82 -0
- package/areas/software/full-stack/skills/skill-creator/references/workflows.md +28 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/init_skill.py +303 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/package_skill.py +110 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/quick_validate.py +95 -0
- package/areas/software/full-stack/workflows/backend-project-full-cycle.md +132 -0
- package/areas/software/full-stack/workflows/debug-issue.md +70 -0
- package/areas/software/full-stack/workflows/develop-feature.md +85 -0
- package/areas/software/full-stack/workflows/feature-implementation-flow.md +78 -0
- package/areas/software/full-stack/workflows/testing-ci-pipeline.md +65 -0
- package/areas/software/general/AGENTS.md +68 -0
- package/areas/software/general/prompts/code-review-workflow.md +87 -0
- package/areas/software/general/prompts/development-cycle-workflow.md +83 -0
- package/areas/software/general/prompts/project-setup-workflow.md +93 -0
- package/areas/software/general/rules/code-style-guide.md +31 -0
- package/areas/software/general/rules/docker-compose-guide.md +27 -0
- package/areas/software/general/rules/git-workflow-guide.md +27 -0
- package/areas/software/general/rules/github-workflow-guide.md +27 -0
- package/areas/software/general/rules/gitlab-ci-guide.md +27 -0
- package/areas/software/general/rules/lint-format-guide.md +29 -0
- package/areas/software/general/rules/makefile-guide.md +34 -0
- package/areas/software/general/rules/readme-sync-guide.md +40 -0
- package/areas/software/general/rules/sdlc-methodology-guide.md +27 -0
- package/areas/software/general/rules/sdlc-role-responsibilities.md +108 -0
- package/areas/software/general/skills/general-dev-tools/SKILL.md +324 -0
- package/areas/software/general/workflows/code-review-workflow.md +84 -0
- package/areas/software/general/workflows/development-cycle-workflow.md +85 -0
- package/areas/software/general/workflows/project-setup-workflow.md +94 -0
- package/areas/software/mlops/AGENTS.md +57 -0
- package/areas/software/mlops/PROMPTS.md +32 -0
- package/areas/software/mlops/prompts/champion-challenger.md +87 -0
- package/areas/software/mlops/prompts/deploy-endpoint.md +91 -0
- package/areas/software/mlops/prompts/evaluate-model.md +87 -0
- package/areas/software/mlops/prompts/model-incident.md +87 -0
- package/areas/software/mlops/prompts/train-experiment.md +83 -0
- package/areas/software/mlops/rules/data-integrity.md +9 -0
- package/areas/software/mlops/rules/model-governance.md +9 -0
- package/areas/software/mlops/rules/production-safety.md +9 -0
- package/areas/software/mlops/rules/reproducibility.md +9 -0
- package/areas/software/mlops/skills/experiment-tracking/SKILL.md +29 -0
- package/areas/software/mlops/skills/feature-engineering/SKILL.md +44 -0
- package/areas/software/mlops/skills/inference-serving/SKILL.md +35 -0
- package/areas/software/mlops/skills/model-evaluation/SKILL.md +40 -0
- package/areas/software/mlops/skills/model-monitoring/SKILL.md +32 -0
- package/areas/software/mlops/workflows/champion-challenger.md +65 -0
- package/areas/software/mlops/workflows/deploy-endpoint.md +70 -0
- package/areas/software/mlops/workflows/evaluate-model.md +63 -0
- package/areas/software/mlops/workflows/model-incident.md +64 -0
- package/areas/software/mlops/workflows/train-experiment.md +56 -0
- package/areas/software/mobile/AGENTS.md +58 -0
- package/areas/software/mobile/PROMPTS.md +32 -0
- package/areas/software/mobile/prompts/crash-triage.md +63 -0
- package/areas/software/mobile/prompts/device-testing.md +83 -0
- package/areas/software/mobile/prompts/ota-update.md +75 -0
- package/areas/software/mobile/prompts/release-build.md +67 -0
- package/areas/software/mobile/prompts/store-submission.md +79 -0
- package/areas/software/mobile/rules/offline-first.md +10 -0
- package/areas/software/mobile/rules/performance-budget.md +20 -0
- package/areas/software/mobile/rules/platform-compliance.md +17 -0
- package/areas/software/mobile/rules/security-mobile.md +9 -0
- package/areas/software/mobile/skills/app-store-prep/SKILL.md +27 -0
- package/areas/software/mobile/skills/mobile-testing/SKILL.md +36 -0
- package/areas/software/mobile/skills/native-modules/SKILL.md +38 -0
- package/areas/software/mobile/skills/navigation-patterns/SKILL.md +49 -0
- package/areas/software/mobile/skills/push-notifications/SKILL.md +40 -0
- package/areas/software/mobile/skills/state-sync/SKILL.md +48 -0
- package/areas/software/mobile/workflows/crash-triage.md +63 -0
- package/areas/software/mobile/workflows/device-testing.md +54 -0
- package/areas/software/mobile/workflows/ota-update.md +54 -0
- package/areas/software/mobile/workflows/release-build.md +67 -0
- package/areas/software/mobile/workflows/store-submission.md +63 -0
- package/areas/software/platform/AGENTS.md +67 -0
- package/areas/software/platform/PROMPTS.md +32 -0
- package/areas/software/platform/prompts/cost-audit.md +117 -0
- package/areas/software/platform/prompts/deploy-production.md +109 -0
- package/areas/software/platform/prompts/drift-check.md +107 -0
- package/areas/software/platform/prompts/incident-response.md +121 -0
- package/areas/software/platform/prompts/provision-env.md +113 -0
- package/areas/software/platform/rules/cost-governance.md +11 -0
- package/areas/software/platform/rules/immutability.md +17 -0
- package/areas/software/platform/rules/reliability.md +19 -0
- package/areas/software/platform/rules/security-posture.md +12 -0
- package/areas/software/platform/skills/ci-cd-pipelines/SKILL.md +58 -0
- package/areas/software/platform/skills/incident-response/SKILL.md +41 -0
- package/areas/software/platform/skills/k8s-manifests/SKILL.md +56 -0
- package/areas/software/platform/skills/networking/SKILL.md +44 -0
- package/areas/software/platform/skills/observability-setup/SKILL.md +49 -0
- package/areas/software/platform/skills/secrets-management/SKILL.md +43 -0
- package/areas/software/platform/skills/terraform-patterns/SKILL.md +75 -0
- package/areas/software/platform/workflows/cost-audit.md +61 -0
- package/areas/software/platform/workflows/deploy-production.md +67 -0
- package/areas/software/platform/workflows/drift-check.md +61 -0
- package/areas/software/platform/workflows/incident-response.md +69 -0
- package/areas/software/platform/workflows/provision-env.md +77 -0
- package/areas/software/qa/AGENTS.md +58 -0
- package/areas/software/qa/PROMPTS.md +32 -0
- package/areas/software/qa/prompts/flakiness-investigation.md +61 -0
- package/areas/software/qa/prompts/performance-audit.md +65 -0
- package/areas/software/qa/prompts/regression-suite.md +61 -0
- package/areas/software/qa/prompts/smoke-test.md +65 -0
- package/areas/software/qa/prompts/test-coverage-report.md +61 -0
- package/areas/software/qa/rules/flakiness-policy.md +12 -0
- package/areas/software/qa/rules/quality-gates.md +28 -0
- package/areas/software/qa/rules/test-data.md +9 -0
- package/areas/software/qa/rules/test-strategy.md +11 -0
- package/areas/software/qa/skills/accessibility-testing/SKILL.md +139 -0
- package/areas/software/qa/skills/api-testing/SKILL.md +140 -0
- package/areas/software/qa/skills/e2e-patterns/SKILL.md +152 -0
- package/areas/software/qa/skills/performance-testing/SKILL.md +177 -0
- package/areas/software/qa/skills/test-data-management/SKILL.md +161 -0
- package/areas/software/qa/skills/test-pyramid/SKILL.md +127 -0
- package/areas/software/qa/workflows/flakiness-investigation.md +63 -0
- package/areas/software/qa/workflows/performance-audit.md +59 -0
- package/areas/software/qa/workflows/regression-suite.md +59 -0
- package/areas/software/qa/workflows/smoke-test.md +64 -0
- package/areas/software/qa/workflows/test-coverage-report.md +57 -0
- package/areas/software/security/AGENTS.md +58 -0
- package/areas/software/security/PROMPTS.md +32 -0
- package/areas/software/security/prompts/compliance-report.md +113 -0
- package/areas/software/security/prompts/pen-test-sim.md +113 -0
- package/areas/software/security/prompts/secret-rotation.md +115 -0
- package/areas/software/security/prompts/security-scan.md +91 -0
- package/areas/software/security/prompts/threat-model-review.md +105 -0
- package/areas/software/security/rules/compliance-baseline.md +23 -0
- package/areas/software/security/rules/dependency-policy.md +12 -0
- package/areas/software/security/rules/secrets-policy.md +22 -0
- package/areas/software/security/rules/secure-coding.md +22 -0
- package/areas/software/security/skills/auth-patterns/SKILL.md +42 -0
- package/areas/software/security/skills/crypto-standards/SKILL.md +42 -0
- package/areas/software/security/skills/dependency-audit/SKILL.md +29 -0
- package/areas/software/security/skills/sast-dast-interpretation/SKILL.md +33 -0
- package/areas/software/security/skills/security-headers/SKILL.md +29 -0
- package/areas/software/security/skills/threat-modeling/SKILL.md +36 -0
- package/areas/software/security/workflows/compliance-report.md +57 -0
- package/areas/software/security/workflows/pen-test-sim.md +63 -0
- package/areas/software/security/workflows/secret-rotation.md +67 -0
- package/areas/software/security/workflows/security-scan.md +64 -0
- package/areas/software/security/workflows/threat-model-review.md +62 -0
- package/areas/template/AGENTS-area.tmpl.md +61 -0
- package/areas/template/AGENTS.tmpl.md +67 -0
- package/areas/template/GUIDE.md +102 -0
- package/areas/template/PROMPTS.tmpl.md +29 -0
- package/areas/template/README.md +57 -0
- package/areas/template/README.tmpl.md +51 -0
- package/areas/template/prompt.tmpl.md +101 -0
- package/areas/template/rule.tmpl.md +71 -0
- package/areas/template/skill.tmpl.md +108 -0
- package/areas/template/workflow.tmpl.md +104 -0
- package/bin/agentic.js +24 -0
- package/extensions/antigravity/GEMINI.md +10 -0
- package/extensions/claude/CLAUDE.md +10 -0
- package/extensions/codex/AGENTS.override.md +93 -0
- package/extensions/gemini/GEMINI.md +10 -0
- package/extensions/opencode/agents/designer.md +65 -0
- package/extensions/opencode/agents/developer.md +63 -0
- package/extensions/opencode/agents/devops-engineer.md +69 -0
- package/extensions/opencode/agents/pm.md +61 -0
- package/extensions/opencode/agents/product-owner.md +76 -0
- package/extensions/opencode/agents/qa.md +66 -0
- package/extensions/opencode/agents/team-lead.md +67 -0
- package/extensions/opencode/commands/feature.md +75 -0
- package/extensions/opencode/opencode.json +93 -0
- package/extensions/opencode/plugins/model-checker.json +14 -0
- package/extensions/opencode/plugins/model-checker.ts +279 -0
- package/extensions/opencode/plugins/sound-notification.ts +13 -0
- package/extensions/opencode/plugins/telegram-notification.ts +86 -0
- package/extensions/opencode/skills/code_review_expert/SKILL.md +144 -0
- package/extensions/opencode/skills/design_expert/SKILL.md +42 -0
- package/extensions/opencode/skills/qa_expert/SKILL.md +116 -0
- package/package.json +19 -0
package/areas/devops/kubernetes/workflows/onboard-service.md

@@ -0,0 +1,124 @@
+---
+name: onboard-service
+type: workflow
+trigger: /onboard-service
+description: Onboard a new application to Kubernetes — namespace, RBAC, NetworkPolicy, Helm chart, ArgoCD app, HPA, and monitoring.
+inputs:
+- service_name
+- team_name
+- environment
+- resource_profile (small|medium|large)
+outputs:
+- running_service
+- argocd_app
+- monitoring_dashboard
+roles:
+- devops-engineer
+- developer
+- team-lead
+execution:
+initiator: developer
+related-rules:
+- cluster-standards.md
+- workload-security.md
+- resource-governance.md
+uses-skills:
+- helm-charts
+- rbac-design
+- network-policies
+- resource-tuning
+quality-gates:
+- all manifests pass `kubectl apply --dry-run=server`
+- helm lint passes with no warnings
+- service reachable via health endpoint after deploy
+---
+
+## Steps
+
+### 1. Namespace Setup — `@devops-engineer`
+- **Input:** service_name, team_name, environment
+- **Actions:**
+```bash
+# Create namespace with required labels
+kubectl create namespace ${SERVICE}-${ENV}
+kubectl label namespace ${SERVICE}-${ENV} \
+team=${TEAM} \
+environment=${ENV} \
+kubernetes.io/metadata.name=${SERVICE}-${ENV} \
+pod-security.kubernetes.io/enforce=restricted
+
+# Apply default LimitRange and ResourceQuota from team profile
+kubectl apply -f infra/namespaces/templates/${RESOURCE_PROFILE}/ \
+-n ${SERVICE}-${ENV}
+```
+- **Output:** namespace created with labels, LimitRange, ResourceQuota
+- **Done when:** `kubectl get ns ${SERVICE}-${ENV}` shows Active
+
+### 2. RBAC Setup — `@devops-engineer`
+- **Input:** service_name, team_name
+- **Actions:**
+- Create dedicated ServiceAccount for the workload
+- Create Role with minimum permissions (ConfigMap read, own Secret read)
+- Create RoleBinding
+- Create developer RoleBinding (group → `edit` ClusterRole in namespace)
+- Create CI/CD RoleBinding (ci-deployer ClusterRole → namespace)
+- **Output:** ServiceAccount + Role + RoleBindings committed to `infra/rbac/` and applied
+- **Done when:** `kubectl auth can-i list pods --as=system:serviceaccount:${NS}:${SA}` returns yes
+
+### 3. Network Policies — `@devops-engineer`
+- **Input:** service dependencies (which services it calls / which call it)
+- **Actions:**
+- Apply default-deny-all + allow-dns templates
+- For each upstream dependency: add egress policy to target namespace:port
+- For each downstream caller: add ingress policy from source namespace
+- Add Prometheus scrape allow policy
|
|
75
|
+
- **Output:** NetworkPolicy manifests in `infra/netpol/${SERVICE}/` applied
|
|
76
|
+
- **Done when:** `kubectl get networkpolicy -n ${NS}` shows all 3+ policies
|
|
77
|
+
|
|
78
|
+
### 4. Helm Chart — `@developer` + `@devops-engineer`
|
|
79
|
+
- **Input:** service container image, port, health endpoints, env vars
|
|
80
|
+
- **Actions:**
|
|
81
|
+
- Scaffold chart: `helm create charts/${SERVICE}`
|
|
82
|
+
- Update `values.yaml` with resource profile defaults
|
|
83
|
+
- Add security context (runAsNonRoot, readOnlyRootFilesystem, drop ALL caps)
|
|
84
|
+
- Add HPA, PDB manifests
|
|
85
|
+
- Add Ingress if service is externally exposed
|
|
86
|
+
- Run: `helm lint charts/${SERVICE}/ -f values-${ENV}.yaml`
|
|
87
|
+
- Run: `helm template ... | kubectl apply --dry-run=server -f -`
|
|
88
|
+
- **Output:** chart in `charts/${SERVICE}/` with passing lint and dry-run
|
|
89
|
+
- **Done when:** zero lint warnings; dry-run applies cleanly
|
|
90
|
+
|
|
91
|
+
### 5. ArgoCD Application — `@devops-engineer`
|
|
92
|
+
- **Input:** chart path, namespace, environment
|
|
93
|
+
- **Actions:**
|
|
94
|
+
- Create `argocd/apps/${SERVICE}-${ENV}.yaml` Application manifest
|
|
95
|
+
- Set `automated.prune=true`, `automated.selfHeal=true`
|
|
96
|
+
- Set `syncPolicy.syncOptions: ServerSideApply=true`
|
|
97
|
+
- Commit and push; ArgoCD auto-syncs
|
|
98
|
+
- **Output:** ArgoCD Application showing Synced + Healthy
|
|
99
|
+
- **Done when:** ArgoCD UI shows green; pod Running in cluster
|
|
100
|
+
|
|
101
|
+
### 6. Validate & Smoke Test — `@developer`
|
|
102
|
+
- **Input:** running service
|
|
103
|
+
- **Actions:**
|
|
104
|
+
```bash
|
|
105
|
+
kubectl rollout status deployment/${SERVICE} -n ${NS}
|
|
106
|
+
kubectl get pods -n ${NS} -l app=${SERVICE}
|
|
107
|
+
# Health check
|
|
108
|
+
kubectl port-forward svc/${SERVICE} 8080:8080 -n ${NS} &
|
|
109
|
+
curl -f http://localhost:8080/health
|
|
110
|
+
```
|
|
111
|
+
- **Output:** service health endpoint returns 200
|
|
112
|
+
- **Done when:** health check passes; no pod restarts in 5 minutes
|
|
113
|
+
|
|
114
|
+
### 7. Monitoring — `@devops-engineer`
|
|
115
|
+
- **Input:** running service
|
|
116
|
+
- **Actions:**
|
|
117
|
+
- Add `ServiceMonitor` for Prometheus scraping
|
|
118
|
+
- Import standard dashboard from `infra/dashboards/service-overview.json` into Grafana
|
|
119
|
+
- Set up basic alerts: HighErrorRate, HighLatency, PodRestarting
|
|
120
|
+
- **Output:** metrics visible in Grafana; alerts configured
|
|
121
|
+
- **Done when:** Grafana dashboard shows service metrics
|
|
122
|
+
|
|
123
|
+
## Exit
|
|
124
|
+
Pod Running + health check passing + ArgoCD Healthy + metrics visible = service onboarded.
|
|
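Review bot: the step 2 "Done when" gate contradicts the Role it is meant to verify. The Role grants only ConfigMap read and own-Secret read, so `kubectl auth can-i list pods --as=system:serviceaccount:${NS}:${SA}` should return `no` for a correctly scoped ServiceAccount; a `yes` here means the workload identity is over-privileged (for example bound to `edit` instead of the dedicated Role). Suggest gating on `can-i get configmaps` returning yes and `can-i list pods` returning no, so the check actually tests least privilege. Two smaller points: in step 1, `kubernetes.io/metadata.name` is set by the API server on every namespace and is immutable, so passing it to `kubectl label` is redundant and, because kubectl refuses to relabel an existing key unless `--overwrite` is given, makes the whole command fail and drops the `pod-security.kubernetes.io/enforce=restricted` label with it; in step 6, `curl` runs immediately after the backgrounded `port-forward`, which races the tunnel coming up, and the background process is never stopped afterwards.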
@@ -0,0 +1,165 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: upgrade-cluster
|
|
3
|
+
type: workflow
|
|
4
|
+
trigger: /upgrade-cluster
|
|
5
|
+
description: Zero-downtime Kubernetes cluster upgrade — control plane first, then workers, with rollback plan.
|
|
6
|
+
inputs:
|
|
7
|
+
- current_version
|
|
8
|
+
- target_version
|
|
9
|
+
- cluster_name
|
|
10
|
+
outputs:
|
|
11
|
+
- upgraded_cluster
|
|
12
|
+
- upgrade_report
|
|
13
|
+
roles:
|
|
14
|
+
- devops-engineer
|
|
15
|
+
- team-lead
|
|
16
|
+
execution:
|
|
17
|
+
initiator: developer
|
|
18
|
+
related-rules:
|
|
19
|
+
- upgrade-policy.md
|
|
20
|
+
- cluster-standards.md
|
|
21
|
+
uses-skills:
|
|
22
|
+
- cluster-operations
|
|
23
|
+
quality-gates:
|
|
24
|
+
- etcd backup verified before upgrade starts
|
|
25
|
+
- no active P0/P1 incidents
|
|
26
|
+
- deprecated API audit shows zero blocking deprecations
|
|
27
|
+
- staging upgraded and healthy for ≥ 48h before production
|
|
28
|
+
---
|
|
29
|
+
|
|
30
|
+
## Pre-Upgrade Checklist — `@devops-engineer` (1–2 days before)
|
|
31
|
+
|
|
32
|
+
```bash
|
|
33
|
+
# 1. Audit deprecated APIs (kubent = kube-no-trouble)
|
|
34
|
+
kubent --target-version <target>
|
|
35
|
+
|
|
36
|
+
# 2. Check component compatibility matrix
|
|
37
|
+
# Verify: ArgoCD, Cert-Manager, Ingress Controller, Prometheus Operator
|
|
38
|
+
# support target K8s version — check each project's release notes
|
|
39
|
+
|
|
40
|
+
# 3. Verify all nodes are Ready and no pending workloads
|
|
41
|
+
kubectl get nodes
|
|
42
|
+
kubectl get pods -A | grep -v Running | grep -v Completed
|
|
43
|
+
|
|
44
|
+
# 4. Check PodDisruptionBudgets won't block drain
|
|
45
|
+
kubectl get pdb -A
|
|
46
|
+
|
|
47
|
+
# 5. Review CHANGELOG for breaking changes between versions
|
|
48
|
+
# https://kubernetes.io/releases/
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
## Steps
|
|
52
|
+
|
|
53
|
+
### 1. etcd Backup — `@devops-engineer`
|
|
54
|
+
- **Input:** cluster_name, target_version
|
|
55
|
+
- **Actions:**
|
|
56
|
+
```bash
|
|
57
|
+
ETCDCTL_API=3 etcdctl snapshot save \
|
|
58
|
+
/backup/etcd-pre-upgrade-$(date +%Y%m%d-%H%M%S).db \
|
|
59
|
+
--endpoints=https://127.0.0.1:2379 \
|
|
60
|
+
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
|
|
61
|
+
--cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
|
|
62
|
+
--key=/etc/kubernetes/pki/etcd/healthcheck-client.key
|
|
63
|
+
|
|
64
|
+
# Verify backup integrity
|
|
65
|
+
ETCDCTL_API=3 etcdctl snapshot status /backup/etcd-pre-upgrade-*.db \
|
|
66
|
+
--write-out=table
|
|
67
|
+
```
|
|
68
|
+
- **Done when:** backup file exists, status shows correct revision and hash
|
|
69
|
+
|
|
70
|
+
### 2. Upgrade Control Plane (kubeadm) — `@devops-engineer`
|
|
71
|
+
- **Input:** target_version
|
|
72
|
+
- **Actions (on first control plane node):**
|
|
73
|
+
```bash
|
|
74
|
+
# Update kubeadm
|
|
75
|
+
apt-get update && apt-get install -y kubeadm=<target>
|
|
76
|
+
|
|
77
|
+
# Dry-run first
|
|
78
|
+
kubeadm upgrade plan
|
|
79
|
+
kubeadm upgrade apply v<target> --dry-run
|
|
80
|
+
|
|
81
|
+
# Apply upgrade
|
|
82
|
+
kubeadm upgrade apply v<target>
|
|
83
|
+
|
|
84
|
+
# Upgrade kubelet and kubectl on control plane node
|
|
85
|
+
apt-get install -y kubelet=<target> kubectl=<target>
|
|
86
|
+
systemctl daemon-reload && systemctl restart kubelet
|
|
87
|
+
```
|
|
88
|
+
- **Actions (remaining control plane nodes):**
|
|
89
|
+
```bash
|
|
90
|
+
kubeadm upgrade node # (not apply — only 'node' for additional CP nodes)
|
|
91
|
+
apt-get install -y kubelet=<target> kubectl=<target>
|
|
92
|
+
systemctl daemon-reload && systemctl restart kubelet
|
|
93
|
+
```
|
|
94
|
+
- **Done when:** `kubectl version` shows new server version; all CP pods Running
|
|
95
|
+
|
|
96
|
+
### 3. Validate Control Plane — `@devops-engineer`
|
|
97
|
+
- **Input:** upgraded control plane
|
|
98
|
+
- **Actions:**
|
|
99
|
+
```bash
|
|
100
|
+
kubectl get nodes # CP nodes show new version
|
|
101
|
+
kubectl get pods -n kube-system
|
|
102
|
+
kubectl get cs # componentstatuses
|
|
103
|
+
# Run a quick API smoke test
|
|
104
|
+
kubectl run test --image=nginx --restart=Never -n default
|
|
105
|
+
kubectl delete pod test -n default
|
|
106
|
+
```
|
|
107
|
+
- **Done when:** all system pods Running; API server responsive
|
|
108
|
+
|
|
109
|
+
### 4. Upgrade Worker Nodes (rolling) — `@devops-engineer`
|
|
110
|
+
- **Input:** validated control plane
|
|
111
|
+
- **Actions (for each worker node, one at a time):**
|
|
112
|
+
```bash
|
|
113
|
+
# Cordon + drain
|
|
114
|
+
kubectl cordon <node>
|
|
115
|
+
kubectl drain <node> \
|
|
116
|
+
--ignore-daemonsets \
|
|
117
|
+
--delete-emptydir-data \
|
|
118
|
+
--grace-period=60 \
|
|
119
|
+
--timeout=300s
|
|
120
|
+
|
|
121
|
+
# Upgrade node (run on the node itself)
|
|
122
|
+
apt-get update && apt-get install -y kubeadm=<target>
|
|
123
|
+
kubeadm upgrade node
|
|
124
|
+
apt-get install -y kubelet=<target> kubectl=<target>
|
|
125
|
+
systemctl daemon-reload && systemctl restart kubelet
|
|
126
|
+
|
|
127
|
+
# Return to service
|
|
128
|
+
kubectl uncordon <node>
|
|
129
|
+
|
|
130
|
+
# Wait for node Ready + all pods rescheduled before next node
|
|
131
|
+
kubectl wait --for=condition=Ready node/<node> --timeout=5m
|
|
132
|
+
sleep 60 # let pods stabilise
|
|
133
|
+
```
|
|
134
|
+
- **Done when:** all nodes show new version in `kubectl get nodes`
|
|
135
|
+
|
|
136
|
+
### 5. Post-Upgrade Validation — `@devops-engineer` + `@team-lead`
|
|
137
|
+
- **Actions:**
|
|
138
|
+
```bash
|
|
139
|
+
kubectl get nodes -o wide
|
|
140
|
+
kubectl get pods -A | grep -v Running | grep -v Completed
|
|
141
|
+
kubectl top nodes
|
|
142
|
+
```
|
|
143
|
+
- Run smoke tests against all Tier 1 services
|
|
144
|
+
- Verify ArgoCD, Cert-Manager, Prometheus Operator pods healthy
|
|
145
|
+
- Check monitoring dashboards for anomalies
|
|
146
|
+
- **Output:** `upgrade_report.md` — versions before/after, issues found, time taken
|
|
147
|
+
- **Done when:** all Tier 1 services healthy; no unexpected pod restarts
|
|
148
|
+
|
|
149
|
+
## Rollback Plan
|
|
150
|
+
|
|
151
|
+
```bash
|
|
152
|
+
# Control plane rollback (if upgrade apply fails — only within same session)
|
|
153
|
+
kubeadm upgrade apply v<previous-version>
|
|
154
|
+
|
|
155
|
+
# Full disaster recovery (if cluster is broken)
|
|
156
|
+
# 1. Stop kube-apiserver
|
|
157
|
+
# 2. Restore etcd from backup:
|
|
158
|
+
ETCDCTL_API=3 etcdctl snapshot restore /backup/etcd-pre-upgrade.db \
|
|
159
|
+
--data-dir=/var/lib/etcd-restored
|
|
160
|
+
# 3. Update etcd static pod manifest to new data-dir
|
|
161
|
+
# 4. Restart control plane
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
## Exit
|
|
165
|
+
All nodes on target version + Tier 1 services healthy + upgrade report committed = upgrade complete.
|
|
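Review bot: the rollback plan restores `/backup/etcd-pre-upgrade.db`, a file the backup step never creates: step 1 saves a timestamped `etcd-pre-upgrade-$(date +%Y%m%d-%H%M%S).db`, and the verification line uses the glob `etcd-pre-upgrade-*.db`, which after the first upgrade matches every earlier snapshot in the directory and hands `snapshot status` several arguments. Capture the path once (`BACKUP=/backup/etcd-pre-upgrade-$(date +%Y%m%d-%H%M%S).db`) and use `$BACKUP` in the save, status and restore lines so the same file is verified and restored. The `apt-get install -y kubeadm=<target>` lines in steps 2 and 4 assume the packages are not held; the standard kubeadm install marks them held, in which case `-y` fails with "Held packages were changed", so wrap each with `apt-mark unhold`/`apt-mark hold`. `kubectl get cs` in step 3 is deprecated and returns nothing useful on recent clusters; `kubectl get --raw='/readyz?verbose'` covers the same intent. Finally, kubeadm does not support downgrades, so the `kubeadm upgrade apply v<previous-version>` line should be documented as best-effort and the etcd restore treated as the real rollback path.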
@@ -0,0 +1,47 @@
|
|
|
1
|
+
# Networking — guidance index
|
|
2
|
+
|
|
3
|
+
## What this area covers
|
|
4
|
+
|
|
5
|
+
Platform networking: Kubernetes ingress design, TLS termination, service mesh onboarding, DNS management, VPC design, and network segmentation. Networking changes are high-blast-radius — this area enforces a plan-review-apply discipline.
|
|
6
|
+
|
|
7
|
+
## Guidance chain
|
|
8
|
+
|
|
9
|
+
1. Project `.agent/` baseline
|
|
10
|
+
2. `networking/rules/*` — load all
|
|
11
|
+
3. `networking/skills/*/SKILL.md` — load only the skill matching the current task
|
|
12
|
+
4. `networking/workflows/*` — load the workflow matching the triggered command
|
|
13
|
+
|
|
14
|
+
## Cross-cutting constraints
|
|
15
|
+
|
|
16
|
+
- **TLS everywhere** — plaintext traffic is forbidden between services and at ingress, without exception.
|
|
17
|
+
- **Network segmentation by default** — all services start with deny-all; allow only documented traffic.
|
|
18
|
+
- **DNS changes have TTL awareness** — all DNS modifications account for TTL propagation before declaring success.
|
|
19
|
+
- **No routing changes without rollback** — every networking change includes a verified rollback procedure.
|
|
20
|
+
|
|
21
|
+
## Spec map
|
|
22
|
+
|
|
23
|
+
```text
|
|
24
|
+
networking/
|
|
25
|
+
├── rules/
|
|
26
|
+
│ ├── tls-policy.md ← minimum TLS version, cert rotation, mTLS requirements
|
|
27
|
+
│ ├── ingress-standards.md ← ingress class, annotations, rate limiting, WAF baseline
|
|
28
|
+
│ └── network-segmentation.md ← namespace isolation, egress controls, VPC peering rules
|
|
29
|
+
├── skills/
|
|
30
|
+
│ ├── ingress-patterns/SKILL.md ← NGINX / Traefik / Gateway API patterns
|
|
31
|
+
│ ├── tls-termination/SKILL.md ← cert-manager, Let's Encrypt, mTLS between services
|
|
32
|
+
│ ├── service-mesh/SKILL.md ← Istio / Linkerd traffic management, observability
|
|
33
|
+
│ ├── dns-management/SKILL.md ← external-dns, split-horizon, TTL strategy
|
|
34
|
+
│ └── vpc-design/SKILL.md ← subnet strategy, NAT, VPC peering, PrivateLink
|
|
35
|
+
├── workflows/
|
|
36
|
+
│ ├── onboard-ingress.md ← /onboard-ingress
|
|
37
|
+
│ └── service-mesh-onboard.md ← /service-mesh-onboard
|
|
38
|
+
└── prompts/
|
|
39
|
+
└── *.md
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
## Discovery patterns
|
|
43
|
+
|
|
44
|
+
- `rules/*.md`
|
|
45
|
+
- `skills/*/SKILL.md`
|
|
46
|
+
- `workflows/*.md`
|
|
47
|
+
- `prompts/*.md`
|
|
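Review bot: the "TLS everywhere" constraint ("plaintext traffic is forbidden between services ... without exception") is stronger than the rules this change ships: network-segmentation.md item 6 and tls-policy.md item 6 both require service-to-service mTLS only "when service mesh is present", so an agent that loads only the rules never sees the unconditional requirement. Either soften the index to match the rules or state in tls-policy.md how service-to-service TLS is provided when no mesh is deployed. The spec map also advertises content that is not in the rule files here: ingress-standards.md is described as carrying a "WAF baseline" and network-segmentation.md "egress controls, VPC peering rules", and neither appears in the corresponding hunk; trim the descriptions or add the missing rules.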
@@ -0,0 +1,119 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: onboard-ingress
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/onboard-ingress`
|
|
6
|
+
|
|
7
|
+
Use when: exposing a service through Kubernetes ingress, including TLS issuance, DNS wiring, and production traffic controls.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — Public API with TLS (Let's Encrypt)
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/onboard-ingress
|
|
16
|
+
|
|
17
|
+
Service: api-gateway / Namespace: production
|
|
18
|
+
Expose at: api.example.com
|
|
19
|
+
Backend: api-gateway service, port 8080
|
|
20
|
+
TLS: Let's Encrypt via cert-manager (cluster-issuer: letsencrypt-prod)
|
|
21
|
+
Requirements:
|
|
22
|
+
- HTTP → HTTPS redirect
|
|
23
|
+
- HSTS header (max-age 1 year)
|
|
24
|
+
- Rate limit: 200 RPS, max 50 connections per IP
|
|
25
|
+
- Security headers: X-Frame-Options DENY, X-Content-Type-Options nosniff
|
|
26
|
+
- CORS: allow origin https://app.example.com only
|
|
27
|
+
- Timeouts: connect 10s, read 60s
|
|
28
|
+
Bare-metal: MetalLB in L2 mode, IP pool already configured
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
**RU:**
|
|
32
|
+
```
|
|
33
|
+
/onboard-ingress
|
|
34
|
+
|
|
35
|
+
Сервис: api-gateway / Namespace: production
|
|
36
|
+
Публикуем по адресу: api.example.com
|
|
37
|
+
Backend: сервис api-gateway, порт 8080
|
|
38
|
+
TLS: Let's Encrypt через cert-manager (cluster-issuer: letsencrypt-prod)
|
|
39
|
+
Требования:
|
|
40
|
+
- Редирект HTTP → HTTPS
|
|
41
|
+
- HSTS заголовок (max-age 1 год)
|
|
42
|
+
- Rate limit: 200 RPS, макс 50 соединений с одного IP
|
|
43
|
+
- Security headers: X-Frame-Options DENY, X-Content-Type-Options nosniff
|
|
44
|
+
- CORS: разрешить только origin https://app.example.com
|
|
45
|
+
- Таймауты: connect 10s, read 60s
|
|
46
|
+
Bare-metal: MetalLB в режиме L2, IP pool уже настроен
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
---
|
|
50
|
+
|
|
51
|
+
## Example 2 — Internal service with canary routing
|
|
52
|
+
|
|
53
|
+
**EN:**
|
|
54
|
+
```
|
|
55
|
+
/onboard-ingress
|
|
56
|
+
|
|
57
|
+
Service: payment-service / Namespace: production
|
|
58
|
+
Expose at: payments.internal.example.com (internal DNS only, not public)
|
|
59
|
+
TLS: internal CA via cert-manager (cluster-issuer: vault-pki)
|
|
60
|
+
Canary: 10% traffic to payment-service-v2 (new version being tested)
|
|
61
|
+
Canary header: X-Canary: true → 100% to v2 (for QA testing)
|
|
62
|
+
No CORS needed (internal service-to-service only)
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
**RU:**
|
|
66
|
+
```
|
|
67
|
+
/onboard-ingress
|
|
68
|
+
|
|
69
|
+
Сервис: payment-service / Namespace: production
|
|
70
|
+
Публикуем по адресу: payments.internal.example.com (только внутренний DNS, не публичный)
|
|
71
|
+
TLS: внутренний CA через cert-manager (cluster-issuer: vault-pki)
|
|
72
|
+
Canary: 10% трафика на payment-service-v2 (новая версия тестируется)
|
|
73
|
+
Canary header: X-Canary: true → 100% на v2 (для тестирования QA)
|
|
74
|
+
CORS не нужен (только внутренний service-to-service)
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
---
|
|
78
|
+
|
|
79
|
+
## Example 3 — cert-manager certificate stuck in Pending
|
|
80
|
+
|
|
81
|
+
**EN:**
|
|
82
|
+
```
|
|
83
|
+
/onboard-ingress
|
|
84
|
+
|
|
85
|
+
Tool: cert-manager / Issuer: letsencrypt-prod (ClusterIssuer)
|
|
86
|
+
Certificate: api-example-com-tls in namespace production
|
|
87
|
+
Status: kubectl get certificate → "False / Issuing" for > 10 min
|
|
88
|
+
Ingress host: api.example.com
|
|
89
|
+
Debug workflow:
|
|
90
|
+
1. kubectl describe certificate api-example-com-tls -n production
|
|
91
|
+
2. kubectl describe certificaterequest -n production (find matching CR)
|
|
92
|
+
3. kubectl describe order -n production (ACME order status)
|
|
93
|
+
4. kubectl describe challenge -n production (HTTP-01 or DNS-01 challenge status)
|
|
94
|
+
5. Common failure modes:
|
|
95
|
+
- HTTP-01: Ingress not serving /.well-known/acme-challenge/ (check ingress annotations)
|
|
96
|
+
- HTTP-01: firewall blocking port 80 from Let's Encrypt IPs
|
|
97
|
+
- DNS-01: wrong Route53 permissions or wrong hosted zone
|
|
98
|
+
- Rate limit: too many failed attempts (check cert-manager logs)
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
**RU:**
|
|
102
|
+
```
|
|
103
|
+
/onboard-ingress
|
|
104
|
+
|
|
105
|
+
Инструмент: cert-manager / Issuer: letsencrypt-prod (ClusterIssuer)
|
|
106
|
+
Сертификат: api-example-com-tls в namespace production
|
|
107
|
+
Статус: kubectl get certificate → "False / Issuing" уже > 10 мин
|
|
108
|
+
Хост Ingress: api.example.com
|
|
109
|
+
Процесс отладки:
|
|
110
|
+
1. kubectl describe certificate api-example-com-tls -n production
|
|
111
|
+
2. kubectl describe certificaterequest -n production (найти соответствующий CR)
|
|
112
|
+
3. kubectl describe order -n production (статус ACME order)
|
|
113
|
+
4. kubectl describe challenge -n production (статус HTTP-01 или DNS-01 challenge)
|
|
114
|
+
5. Типичные причины отказа:
|
|
115
|
+
- HTTP-01: Ingress не обслуживает /.well-known/acme-challenge/ (проверить аннотации ingress)
|
|
116
|
+
- HTTP-01: firewall блокирует порт 80 от IP Let's Encrypt
|
|
117
|
+
- DNS-01: неверные права Route53 или неверный hosted zone
|
|
118
|
+
- Rate limit: слишком много неудачных попыток (проверить логи cert-manager)
|
|
119
|
+
```
|
|
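Review bot: Example 1 requests "Rate limit: 200 RPS, max 50 connections per IP", which is above the baseline the ingress-standards rule sets (`limit-rps: "100"`, `limit-connections: "20"`), and that rule attaches "override with justification" only to the body-size limit. Since this file is the model prompt an agent will imitate, either bring the example within the baseline or add a line giving the justification for the higher limits, so the prompt teaches the review expectation rather than a silent exception. Minor: Example 3 steps 2 to 4 describe every CertificateRequest, Order and Challenge in the namespace; `kubectl describe certificaterequest,order,challenge -n production` in one call, or a label selector on the certificate name, keeps the debug output readable in a busy namespace.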
@@ -0,0 +1,77 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: service-mesh-onboard
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/service-mesh-onboard`
|
|
6
|
+
|
|
7
|
+
Use when: onboarding a service to Istio/Linkerd, configuring mTLS, traffic policies, or debugging mesh issues.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — Onboard service to Istio with mTLS
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/service-mesh-onboard
|
|
16
|
+
|
|
17
|
+
Mesh: Istio (installed cluster-wide, sidecar injection enabled per namespace)
|
|
18
|
+
Service: payment-service / Namespace: production
|
|
19
|
+
Task: onboard to Istio mesh with strict mTLS and traffic policies
|
|
20
|
+
Requirements:
|
|
21
|
+
1. Enable sidecar injection for production namespace
|
|
22
|
+
2. PeerAuthentication: STRICT mTLS for payment-service (no plaintext)
|
|
23
|
+
3. AuthorizationPolicy: payment-service only accepts traffic from checkout-service and api-gateway
|
|
24
|
+
4. DestinationRule: circuit breaker (5 consecutive 5xx → eject upstream for 30s)
|
|
25
|
+
5. VirtualService: retries (3×, 500ms interval) for 503/504; timeout 5s
|
|
26
|
+
6. Verify: kiali graph shows mTLS lock icons on all connections
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
**RU:**
|
|
30
|
+
```
|
|
31
|
+
/service-mesh-onboard
|
|
32
|
+
|
|
33
|
+
Меш: Istio (установлен на весь кластер, инжекция sidecar включена по namespace)
|
|
34
|
+
Сервис: payment-service / Namespace: production
|
|
35
|
+
Задача: подключение к Istio меш с strict mTLS и traffic policies
|
|
36
|
+
Требования:
|
|
37
|
+
1. Включить инжекцию sidecar для namespace production
|
|
38
|
+
2. PeerAuthentication: STRICT mTLS для payment-service (без plaintext)
|
|
39
|
+
3. AuthorizationPolicy: payment-service принимает трафик только от checkout-service и api-gateway
|
|
40
|
+
4. DestinationRule: circuit breaker (5 последовательных 5xx → исключить upstream на 30с)
|
|
41
|
+
5. VirtualService: retries (3×, интервал 500мс) для 503/504; timeout 5с
|
|
42
|
+
6. Проверить: граф kiali показывает значки mTLS на всех соединениях
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
---
|
|
46
|
+
|
|
47
|
+
## Example 2 — Debug: mTLS handshake failures
|
|
48
|
+
|
|
49
|
+
**EN:**
|
|
50
|
+
```
|
|
51
|
+
/service-mesh-onboard
|
|
52
|
+
|
|
53
|
+
Mesh: Istio / Symptom: order-service → payment-service returning "connection refused" or TLS handshake errors
|
|
54
|
+
Error in envoy log: "upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error"
|
|
55
|
+
Checklist:
|
|
56
|
+
1. Check PeerAuthentication mode (STRICT vs PERMISSIVE) on both namespaces
|
|
57
|
+
2. Check certificate validity: istioctl proxy-config secret <pod>
|
|
58
|
+
3. Check AuthorizationPolicy on payment-service (may be blocking order-service)
|
|
59
|
+
4. Verify both pods have sidecar injected (check annotations)
|
|
60
|
+
5. Test with PERMISSIVE mode temporarily to isolate mTLS vs auth issue
|
|
61
|
+
Output: root cause + YAML fix
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
**RU:**
|
|
65
|
+
```
|
|
66
|
+
/service-mesh-onboard
|
|
67
|
+
|
|
68
|
+
Меш: Istio / Симптом: order-service → payment-service возвращает "connection refused" или ошибки TLS handshake
|
|
69
|
+
Ошибка в envoy log: "upstream connect error or disconnect/reset before headers..."
|
|
70
|
+
Чеклист:
|
|
71
|
+
1. Проверить режим PeerAuthentication (STRICT vs PERMISSIVE) в обоих namespace
|
|
72
|
+
2. Проверить действительность сертификата: istioctl proxy-config secret <pod>
|
|
73
|
+
3. Проверить AuthorizationPolicy на payment-service (может блокировать order-service)
|
|
74
|
+
4. Убедиться что оба пода имеют инжектированный sidecar (проверить аннотации)
|
|
75
|
+
5. Временно проверить режим PERMISSIVE для разграничения проблем mTLS vs auth
|
|
76
|
+
Результат: корневая причина + YAML исправление
|
|
77
|
+
```
|
|
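Review bot: Example 2 step 5 ("Test with PERMISSIVE mode temporarily to isolate mTLS vs auth issue") switches a production namespace to accept plaintext, which tls-policy.md classes as a P0 violation, and the networking AGENTS.md constraint requires a verified rollback for every networking change. The prompt should scope any such test to a workload-level PeerAuthentication with a `selector` rather than the namespace, time-box it, and name the STRICT re-apply as the rollback step, or better, put the non-downgrading checks first (`istioctl x describe pod <pod>`, `istioctl analyze`) and reach for a mode change only if those are inconclusive. In Example 1 item 5, "retries (3×, 500ms interval)" does not map to a VirtualService field: Istio exposes `attempts`, `perTryTimeout` and `retryOn`, not a retry interval, so either express the 500ms as `perTryTimeout` or drop it.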
@@ -0,0 +1,17 @@
|
|
|
1
|
+
# Rule: Ingress Standards
|
|
2
|
+
|
|
3
|
+
**Priority**: P1 — Non-compliant ingress configs are rejected in review.
|
|
4
|
+
|
|
5
|
+
## NGINX Ingress Standards
|
|
6
|
+
|
|
7
|
+
1. **One IngressClass per environment** — `nginx` for production, `nginx-staging` for staging.
|
|
8
|
+
2. **TLS required** on all production Ingress — no HTTP-only production routes.
|
|
9
|
+
3. **HTTP → HTTPS redirect** enforced via annotation.
|
|
10
|
+
4. **Rate limiting** on all public-facing Ingress:
|
|
11
|
+
```yaml
|
|
12
|
+
nginx.ingress.kubernetes.io/limit-rps: "100"
|
|
13
|
+
nginx.ingress.kubernetes.io/limit-connections: "20"
|
|
14
|
+
```
|
|
15
|
+
5. **Request size limit**: `nginx.ingress.kubernetes.io/proxy-body-size: "10m"` (override with justification).
|
|
16
|
+
6. **Timeouts defined**: `proxy-connect-timeout: "10"`, `proxy-read-timeout: "60"`.
|
|
17
|
+
7. **CORS** configured explicitly — no wildcard `*` origins in production.
|
|
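Review bot: item 3 ("HTTP → HTTPS redirect enforced via annotation") names no annotation while items 4 to 6 spell theirs out; state `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` so reviewers have one concrete key to check (plain `ssl-redirect` only applies when the Ingress itself carries a `tls` block, whereas `force-ssl-redirect` also covers TLS terminated in front of the controller, which matters for the MetalLB setups described in the prompts). Item 6 drops the `nginx.ingress.kubernetes.io/` prefix that items 4 and 5 use; keep the full keys for consistency. The HSTS requirement from tls-policy.md item 5 has no counterpart here (for ingress-nginx it is the `hsts`/`hsts-max-age` ConfigMap settings rather than a per-Ingress annotation), and the "WAF baseline" promised by the spec map is absent; add both or adjust the index.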
@@ -0,0 +1,24 @@
|
|
|
1
|
+
# Rule: Network Segmentation
|
|
2
|
+
|
|
3
|
+
**Priority**: P0 — Flat networks are forbidden in production.
|
|
4
|
+
|
|
5
|
+
## Kubernetes Network Segmentation
|
|
6
|
+
|
|
7
|
+
1. **Default-deny-all NetworkPolicy** on every production namespace — see kubernetes/rules/workload-security.md.
|
|
8
|
+
2. **Namespace = trust boundary** — inter-namespace communication explicitly allowed only.
|
|
9
|
+
3. **Node network isolation** — control plane nodes in separate subnet; workers in private subnet; no public IPs on nodes.
|
|
10
|
+
|
|
11
|
+
## Bare-Metal / Cloud Network Zones
|
|
12
|
+
|
|
13
|
+
| Zone | Contents | Inbound | Outbound |
|
|
14
|
+
|:---|:---|:---|:---|
|
|
15
|
+
| Public | Load balancers, ingress controllers | Internet | Internal only |
|
|
16
|
+
| Application | K8s worker nodes, app servers | From public zone | Internet via NAT |
|
|
17
|
+
| Data | Databases, object storage, message queues | From application zone | None |
|
|
18
|
+
| Management | Jump hosts, CI runners, monitoring | VPN/MFA only | All zones |
|
|
19
|
+
|
|
20
|
+
4. **Data zone has no outbound internet** — no NAT gateway for DB subnets.
|
|
21
|
+
5. **Jump host or VPN for SSH** — direct SSH from internet to worker nodes is forbidden.
|
|
22
|
+
|
|
23
|
+
## Service Mesh (when applicable)
|
|
24
|
+
6. **mTLS between all services** when service mesh (Istio/Linkerd) is deployed — no plaintext service-to-service.
|
|
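Review bot: item 1's "Default-deny-all NetworkPolicy" should state that the policy sets `policyTypes: [Ingress, Egress]`; a policy listing only `Ingress` leaves egress open, and the onboard-service workflow's "default-deny-all + allow-dns" templates only make sense if egress is denied as well. Item 2 ("inter-namespace communication explicitly allowed only") and the "egress controls" and "VPC peering rules" promised by the spec map have no concrete rule behind them in this file; add the egress expectation (for example, no egress from application namespaces except through documented allow policies) or remove those phrases from the index. Structural: the numbering runs 1 to 3, then 4 and 5 after the table, then 6 under a new heading, which reads as one interrupted list; either number per section or move the table out of the list.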
@@ -0,0 +1,32 @@
|
|
|
1
|
+
# Rule: TLS Policy
|
|
2
|
+
|
|
3
|
+
**Priority**: P0 — Plaintext in production is a critical violation.
|
|
4
|
+
|
|
5
|
+
## TLS Requirements
|
|
6
|
+
|
|
7
|
+
1. **TLS 1.2 minimum** everywhere. TLS 1.0 and 1.1 disabled.
|
|
8
|
+
2. **TLS 1.3 preferred** — configure cipher suites for TLS 1.3 first.
|
|
9
|
+
3. **Certificate rotation** — certificates renewed at 60 days remaining (before 90-day cert expiry).
|
|
10
|
+
4. **cert-manager handles rotation automatically** — no manual certificate management.
|
|
11
|
+
5. **HSTS** — HTTP Strict Transport Security header on all public-facing services (max-age ≥ 1 year).
|
|
12
|
+
6. **Internal mTLS** — service-to-service traffic uses mutual TLS when service mesh is present.
|
|
13
|
+
|
|
14
|
+
## Ingress TLS (cert-manager)
|
|
15
|
+
|
|
16
|
+
```yaml
|
|
17
|
+
# TLS with Let's Encrypt (public)
|
|
18
|
+
annotations:
|
|
19
|
+
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
|
20
|
+
spec:
|
|
21
|
+
tls:
|
|
22
|
+
- hosts: [api.example.com]
|
|
23
|
+
secretName: api-example-com-tls
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
## Certificate Sources
|
|
27
|
+
|
|
28
|
+
| Use case | Source |
|
|
29
|
+
|:---|:---|
|
|
30
|
+
| Public-facing services | Let's Encrypt (cert-manager ACME) |
|
|
31
|
+
| Internal services | Internal CA (cert-manager with Vault PKI) |
|
|
32
|
+
| Wildcard certs | Let's Encrypt DNS-01 challenge |
|
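Review bot: the Ingress TLS snippet places `annotations:` at the top level beside `spec:`, but on an Ingress object annotations live under `metadata:`; a reader copying the fragment as written gets an object cert-manager ignores. Show `metadata:` / `annotations:` / `cert-manager.io/cluster-issuer: "letsencrypt-prod"` followed by `spec:` / `tls:`. Items 1 and 2 (TLS 1.2 minimum, 1.3 preferred) are stated without the setting that enforces them; for ingress-nginx that is `ssl-protocols: "TLSv1.2 TLSv1.3"` in the controller ConfigMap, and naming it makes the rule checkable in review. Item 3 ("renewed at 60 days remaining") implies renewing a 90-day certificate after only 30 days, far earlier than cert-manager's default of renewing in the last third of the lifetime; if that is intended, state the `renewBefore` value the policy expects so the rule and the Certificate spec agree.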