@jetrabbits/agentic 0.0.1

package/areas/devops/ci-cd/skills/build-optimization/SKILL.md

@@ -0,0 +1,168 @@
+---
+name: build-optimization
+type: skill
+description: Optimize CI build speed — Docker layer caching, dependency caching, multi-stage builds, parallelism, and build matrix strategies.
+related-rules:
+  - pipeline-standards.md
+allowed-tools: Read, Write, Edit
+---
+
+# Skill: Build Optimization
+
+> **Expertise:** Docker BuildKit cache mounts, GitHub Actions/GitLab CI caching, parallelization, selective test runs.
+
+## When to load
+
+When a pipeline takes > 5 minutes, Docker builds are slow, or you need to reduce CI costs.
+
+## Docker Layer Cache Strategy
+
+```dockerfile
+# ✅ Order layers by change frequency (least → most)
+FROM python:3.12-slim AS builder
+
+# 1. System deps (changes rarely → cache long)
+RUN apt-get update && apt-get install -y --no-install-recommends gcc libpq-dev
+
+# 2. Python deps (changes on lockfile update → medium cache)
+WORKDIR /app
+COPY requirements.txt .
+RUN pip install --user --no-cache-dir -r requirements.txt
+
+# 3. App code (changes every commit → no cache benefit here)
+COPY src/ ./src/
+```
+
+## BuildKit Cache Mounts (Docker 18.09+)
+
+```dockerfile
+# Cache pip downloads across builds (never invalidated by lockfile change)
+RUN --mount=type=cache,target=/root/.cache/pip \
+    pip install --user -r requirements.txt
+
+# Cache npm across builds
+RUN --mount=type=cache,target=/root/.npm \
+    npm ci --cache /root/.npm
+
+# Cache Go modules
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go build ./...
+```
+
+## GitHub Actions Cache
+
+```yaml
+# Python: built-in setup-python cache
+- uses: actions/setup-python@v5
+  with:
+    python-version: "3.12"
+    cache: pip                      # hashes requirements*.txt automatically
+
+# Node: built-in setup-node cache
+- uses: actions/setup-node@v4
+  with:
+    node-version: "20"
+    cache: npm
+
+# Go: manual cache
+- uses: actions/cache@v4
+  with:
+    path: |
+      ~/.cache/go-build
+      ~/go/pkg/mod
+    key: go-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
+    restore-keys: go-${{ runner.os }}-
+
+# Docker layer cache via GHA cache backend (BuildKit)
+- uses: docker/build-push-action@v6
+  with:
+    cache-from: type=gha
+    cache-to: type=gha,mode=max
+```
+
+## GitLab CI Cache
+
+```yaml
+# Global cache shared across jobs (same branch)
+cache:
+  key: ${CI_COMMIT_REF_SLUG}
+  paths: [.cache/pip, node_modules/]
+
+# Per-job cache with fallback
+test:
+  cache:
+    key:
+      files: [requirements.txt]     # invalidate only when lockfile changes
+    paths: [.cache/pip]
+    fallback_keys:
+      - ${CI_COMMIT_REF_SLUG}-pip
+      - pip
+```
+
+## Parallelization Strategies
+
+```yaml
+# GitHub Actions: parallel jobs
+jobs:
+  test-unit:
+    runs-on: ubuntu-latest
+    steps: [... run pytest tests/unit ...]
+
+  test-integration:
+    runs-on: ubuntu-latest
+    steps: [... run pytest tests/integration ...]
+
+  lint:
+    runs-on: ubuntu-latest
+    steps: [... ruff + mypy ...]
+
+  # Only after all three pass:
+  build:
+    needs: [test-unit, test-integration, lint]
+```
+
+```yaml
+# Matrix builds: test multiple versions in parallel
+strategy:
+  matrix:
+    python-version: ["3.11", "3.12"]
+    os: [ubuntu-latest, windows-latest]
+  fail-fast: false    # don't cancel other matrix jobs on first failure
+```
+
+## Selective Test Runs (path filtering)
+
+```yaml
+# GitHub Actions: only run relevant tests based on changed files
+jobs:
+  changes:
+    outputs:
+      backend: ${{ steps.filter.outputs.backend }}
+      frontend: ${{ steps.filter.outputs.frontend }}
+    steps:
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            backend: ['src/backend/**', 'requirements.txt']
+            frontend: ['src/frontend/**', 'package.json']
+
+  test-backend:
+    needs: changes
+    if: needs.changes.outputs.backend == 'true'
+    steps: [... pytest src/backend ...]
+
+  test-frontend:
+    needs: changes
+    if: needs.changes.outputs.frontend == 'true'
+    steps: [... jest src/frontend ...]
+```
+
+## Build Time Benchmarks (targets)
+
+| Stage | Good | Acceptable | Fix needed |
+|:---|:---|:---|:---|
+| Dependency install (cached) | < 30s | < 90s | > 90s |
+| Docker build (layer cache hit) | < 60s | < 3m | > 3m |
+| Unit tests | < 2m | < 5m | > 5m |
+| Full pipeline (PR) | < 5m | < 10m | > 10m |

package/areas/devops/ci-cd/skills/github-actions-patterns/SKILL.md

@@ -0,0 +1,190 @@
+---
+name: github-actions-patterns
+type: skill
+description: Production-grade GitHub Actions workflows — reusable workflows, OIDC auth, caching, matrix builds, environment protection.
+related-rules:
+  - pipeline-standards.md
+  - quality-gates.md
+  - supply-chain-security.md
+allowed-tools: Read, Write, Edit
+---
+
+# Skill: GitHub Actions Patterns
+
+> **Expertise:** Reusable workflows, composite actions, OIDC cloud auth, build caching, deployment gates, self-hosted runners.
+
+## When to load
+
+When creating or reviewing GitHub Actions workflows for CI, CD, or infrastructure automation.
+
+## Standard CI Workflow
+
+```yaml
+# .github/workflows/ci.yml
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true   # cancel outdated runs on new push
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip               # built-in pip caching
+
+      - name: Install deps
+        run: pip install -r requirements.txt -r requirements-dev.txt
+
+      - name: Lint
+        run: ruff check src/ tests/
+
+      - name: Type check
+        run: mypy src/ --strict
+
+      - name: Test with coverage
+        run: |
+          pytest tests/ \
+            --cov=src \
+            --cov-report=xml \
+            --cov-fail-under=80
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v4
+        with:
+          files: coverage.xml
+
+  build:
+    needs: validate
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write            # for OIDC
+    outputs:
+      image-digest: ${{ steps.build.outputs.digest }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to registry (OIDC — no long-lived secret)
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: ${{ github.event_name == 'push' }}
+          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: true         # SLSA provenance attestation
+          sbom: true               # generate SBOM
+
+  security-scan:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Scan image for CVEs
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+          exit-code: 1            # fail pipeline on Critical/High
+
+      - name: Upload SARIF to Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
+```
+
+## Reusable Workflow Pattern
+
+```yaml
+# .github/workflows/_deploy.yml (reusable — called by others)
+name: Deploy (reusable)
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      image-digest:
+        required: true
+        type: string
+    secrets:
+      KUBECONFIG_B64:
+        required: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}   # GitHub Environment with protection rules
+    steps:
+      - name: Deploy via Helm
+        env:
+          KUBECONFIG_B64: ${{ secrets.KUBECONFIG_B64 }}
+        run: |
+          echo "$KUBECONFIG_B64" | base64 -d > /tmp/kubeconfig
+          helm upgrade --install my-service charts/my-service \
+            --set image.digest=${{ inputs.image-digest }} \
+            --namespace ${{ inputs.environment }} \
+            --atomic --timeout 5m
+```
+
+## OIDC Cloud Authentication (no long-lived keys)
+
+```yaml
+# AWS via OIDC (no AWS_ACCESS_KEY_ID needed)
+- name: Configure AWS credentials
+  uses: aws-actions/configure-aws-credentials@v4
+  with:
+    role-to-assume: arn:aws:iam::123456789:role/github-actions-deploy
+    aws-region: us-east-1
+
+# GCP via OIDC
+- name: Authenticate to Google Cloud
+  uses: google-github-actions/auth@v2
+  with:
+    workload_identity_provider: projects/123/locations/global/workloadIdentityPools/...
+    service_account: github-actions@my-project.iam.gserviceaccount.com
+```
+
+## Self-Hosted Runner (bare-metal K8s)
+
+```yaml
+# Use self-hosted runner for internal registry / VPN-required builds
+jobs:
+  build-internal:
+    runs-on: [self-hosted, linux, k8s-runner]
+    steps:
+      - ...
+```
+
+## Environment Protection Rules
+
+Configure in GitHub → Settings → Environments:
+- `production`: require manual approval from `@devops-team` + `@team-lead`; restrict to `main` branch only
+- `staging`: auto-deploy; restrict to `main` branch

package/areas/devops/ci-cd/skills/gitlab-ci-patterns/SKILL.md

@@ -0,0 +1,169 @@
+---
+name: gitlab-ci-patterns
+type: skill
+description: GitLab CI/CD pipelines — include templates, environments, OIDC auth, caching, protected runners, deployment gates.
+related-rules:
+  - pipeline-standards.md
+  - quality-gates.md
+allowed-tools: Read, Write, Edit
+---
+
+# Skill: GitLab CI Patterns
+
+> **Expertise:** GitLab CI YAML, include/extends, environments, DAST, protected runners, Kubernetes deploy.
+
+## When to load
+
+When creating or reviewing `.gitlab-ci.yml` files for build, test, or deployment pipelines.
+
+## Standard Pipeline Structure
+
+```yaml
+# .gitlab-ci.yml
+stages:
+  - validate
+  - build
+  - scan
+  - deploy-staging
+  - smoke-test
+  - deploy-production
+
+variables:
+  IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+  DOCKER_BUILDKIT: "1"
+
+# ── Validate ───────────────────────────────────────────
+lint:
+  stage: validate
+  image: python:3.12-slim
+  cache:
+    key: pip-$CI_COMMIT_REF_SLUG
+    paths: [.cache/pip]
+  script:
+    - pip install ruff mypy --cache-dir .cache/pip
+    - ruff check src/ tests/
+    - mypy src/ --strict
+
+test:
+  stage: validate
+  image: python:3.12-slim
+  cache:
+    key: pip-$CI_COMMIT_REF_SLUG
+    paths: [.cache/pip]
+  script:
+    - pip install -r requirements.txt -r requirements-dev.txt --cache-dir .cache/pip
+    - pytest tests/ --cov=src --cov-report=xml --cov-fail-under=80
+  coverage: '/TOTAL.*\s+(\d+%)$/'
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage.xml
+
+# ── Build ──────────────────────────────────────────────
+build-image:
+  stage: build
+  image: docker:24
+  services: [docker:24-dind]
+  before_script:
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  script:
+    - docker build --cache-from $CI_REGISTRY_IMAGE:cache
+        --build-arg BUILDKIT_INLINE_CACHE=1
+        -t $IMAGE_NAME
+        -t $CI_REGISTRY_IMAGE:cache .
+    - docker push $IMAGE_NAME
+    - docker push $CI_REGISTRY_IMAGE:cache
+  only: [main, tags]
+
+# ── Scan ───────────────────────────────────────────────
+container-scan:
+  stage: scan
+  image:
+    name: aquasec/trivy:latest
+    entrypoint: [""]
+  script:
+    - trivy image --exit-code 1 --severity CRITICAL,HIGH $IMAGE_NAME
+  needs: [build-image]
+
+sast:
+  stage: scan
+  include:
+    - template: Security/SAST.gitlab-ci.yml
+
+# ── Deploy Staging ─────────────────────────────────────
+deploy-staging:
+  stage: deploy-staging
+  environment:
+    name: staging
+    url: https://staging.example.com
+  script:
+    - helm upgrade --install my-service charts/my-service
+        --set image.tag=$CI_COMMIT_SHA
+        --namespace staging
+        --atomic --timeout 5m
+  only: [main]
+
+# ── Smoke Test ─────────────────────────────────────────
+smoke-staging:
+  stage: smoke-test
+  script:
+    - curl -f https://staging.example.com/health
+  needs: [deploy-staging]
+  only: [main]
+
+# ── Deploy Production ──────────────────────────────────
+deploy-production:
+  stage: deploy-production
+  environment:
+    name: production
+    url: https://app.example.com
+  when: manual                         # manual approval gate
+  allow_failure: false
+  script:
+    - helm upgrade --install my-service charts/my-service
+        --set image.tag=$CI_COMMIT_SHA
+        --namespace production
+        --atomic --timeout 5m
+  only: [main]
+  needs: [smoke-staging]
+```
+
+## Include & Extends (DRY pipelines)
+
+```yaml
+# Shared templates in infra repo
+include:
+  - project: 'infra/ci-templates'
+    file: '/templates/docker-build.yml'
+    ref: v1.2.0
+  - template: Security/SAST.gitlab-ci.yml
+
+# Extend base job
+.base-deploy:
+  image: bitnami/helm:3
+  before_script:
+    - echo $KUBECONFIG_B64 | base64 -d > /tmp/kubeconfig
+    - export KUBECONFIG=/tmp/kubeconfig
+
+deploy-staging:
+  extends: .base-deploy
+  environment: staging
+  script: helm upgrade --install ...
+```
+
+## Protected Runners (bare-metal / internal registry)
+
+```yaml
+# Tag jobs to run on specific runners
+build-internal:
+  tags:
+    - self-hosted
+    - bare-metal
+    - docker
+  script: ...
+```
+
+Configure in GitLab → Settings → CI/CD → Runners:
+- Protected runners only run on protected branches (main, tags)
+- Untagged jobs run on shared runners only

package/areas/devops/ci-cd/skills/pipeline-security/SKILL.md

@@ -0,0 +1,161 @@
+---
+name: pipeline-security
+type: skill
+description: Secure CI/CD pipelines — OIDC auth, secret scanning, dependency review, SLSA provenance, and runner hardening.
+related-rules:
+  - supply-chain-security.md
+  - pipeline-standards.md
+allowed-tools: Read, Write, Edit
+---
+
+# Skill: Pipeline Security
+
+> **Expertise:** OIDC cloud auth, GitHub Actions security hardening, secret scanning (trufflehog/gitleaks), SLSA provenance, dependency review.
+
+## When to load
+
+When setting up secure CI credentials, adding secret scanning, implementing SLSA provenance, or hardening runner permissions.
+
+## OIDC Authentication (no long-lived secrets)
+
+```yaml
+# GitHub Actions → AWS (no AWS_ACCESS_KEY_ID needed)
+jobs:
+  deploy:
+    permissions:
+      id-token: write     # required for OIDC
+      contents: read
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
+          aws-region: eu-west-1
+          role-session-name: github-${{ github.run_id }}
+
+# AWS IAM trust policy (configure once)
+# {
+#   "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
+#   "Condition": {
+#     "StringEquals": {"token.actions.githubusercontent.com:sub": "repo:myorg/myrepo:ref:refs/heads/main"}
+#   }
+# }
+```
+
+```yaml
+# GitHub Actions → GCP
+- uses: google-github-actions/auth@v2
+  with:
+    workload_identity_provider: projects/123456789/locations/global/workloadIdentityPools/github/providers/github
+    service_account: github-actions@my-project.iam.gserviceaccount.com
+
+# GitHub Actions → K8s (via kubeconfig secret — use when OIDC not available)
+- name: Set up kubeconfig
+  run: |
+    echo "${{ secrets.KUBECONFIG_B64 }}" | base64 -d > /tmp/kubeconfig
+    chmod 600 /tmp/kubeconfig
+  env:
+    KUBECONFIG: /tmp/kubeconfig
+```
+
+## Minimal Permissions (principle of least privilege)
+
+```yaml
+# Always declare permissions explicitly; defaults are too broad
+jobs:
+  build:
+    permissions:
+      contents: read        # checkout only
+      packages: write       # push to ghcr.io
+      id-token: write       # OIDC for cloud/registry auth
+      security-events: write # upload SARIF to Security tab
+
+  deploy:
+    permissions:
+      contents: read
+      id-token: write       # OIDC for cloud auth
+      # NOT: actions:write, administration:write, etc.
+```
+
+## Secret Scanning
+
+```yaml
+# trufflehog — detect secrets in git history and current diff
+- name: Scan for secrets (trufflehog)
+  uses: trufflesecurity/trufflehog@main
+  with:
+    path: ./
+    base: ${{ github.event.repository.default_branch }}
+    head: HEAD
+    extra_args: --only-verified   # reduce noise — only verified secrets
+
+# gitleaks — alternative (faster, configurable)
+- name: Scan for secrets (gitleaks)
+  uses: gitleaks/gitleaks-action@v2
+  env:
+    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+```
+
+## Dependency Review (GitHub)
+
+```yaml
+# Block PRs that introduce vulnerable dependencies
+- name: Dependency Review
+  uses: actions/dependency-review-action@v4
+  with:
+    fail-on-severity: high          # block on High and Critical
+    allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
+    deny-licenses: GPL-3.0, AGPL-3.0  # copyleft licenses blocked
+```
+
+## SLSA Provenance (Supply chain Level 2)
+
+```yaml
+# Generate SLSA L2 provenance attestation with sigstore
+- name: Generate SLSA provenance
+  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2
+  with:
+    image: registry.example.com/myorg/order-service
+    digest: ${{ steps.build.outputs.digest }}
+    registry-username: ${{ github.actor }}
+    registry-password: ${{ secrets.GITHUB_TOKEN }}
+```
+
+## Runner Hardening
+
+```yaml
+# Pin action versions to SHA (not tag — tags are mutable)
+# ✅ Safe
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+# ❌ Unsafe (tag can be moved by attacker)
+- uses: actions/checkout@v4
+
+# Restrict third-party actions to verified/trusted
+# In GitHub org settings: only allow selected actions + GitHub Actions
+```
+
+```bash
+# Self-hosted runner hardening
+# - Run as non-root dedicated user (no sudo)
+# - Ephemeral runners (fresh VM per job) — preferred
+# - Network: egress to required registries only; no inbound
+# - No persistent credentials on runner filesystem
+# - Use actions/runner-container-hooks for K8s ephemeral runners
+```
+
+## Audit: What Your Pipeline Can Access
+
+```bash
+# Check what secrets are available to a workflow
+# In GitHub: Settings → Secrets → Actions
+# Rule: each secret should only be available to the environment that needs it
+
+# Prevent secret leakage in logs
+- name: No secret echo
+  run: |
+    # ❌ BAD: leaks secret to logs
+    echo "DB_PASS=$DB_PASS"
+    env  # dumps all env vars including secrets
+
+    # ✅ Use secret only where needed; never echo
+    helm upgrade ... --set db.password="$DB_PASS" > /dev/null
+```