@jetrabbits/agentic 0.0.2 → 0.0.4

package/AGENTS.md

@@ -61,6 +61,12 @@ Cross-cutting practices that apply to every project regardless of area.
 - Document requirements before implementation — "we'll figure it out" is not a requirement.
 - Conduct design reviews for any change with architectural, security, or data model impact.
 
+### Documentation of Behavior Changes
+
+- Any behavior change captured in Markdown artifacts must be documented under the project `docs/` directory.
+- Use documentation paths that match the change type, for example `docs/<feature>/README.md` for feature behavior and `docs/incidents/<date>-<workload>-root-cause.md` for incident root cause reports.
+- Create or update the relevant `docs/` artifact in the same change set; do not leave behavior changes documented only in workflow outputs, tickets, or PR comments.
+
 ### Code Style
 
 - Write self-documenting code with meaningful names — comments explain why, not what.

package/README.md

@@ -8,6 +8,7 @@ and prompts into any project — and run a full SDLC agent team out of the box.
 - [Website](https://sawrus.github.io/agent-guides/)
 - [Coverage scorecard](https://claude.ai/public/artifacts/8177bc3d-3b2f-48a6-8232-47c5b02b20f3)
 - [CLI usage guide](docs/agentic-usage.md)
+- [NPM package](https://www.npmjs.com/package/@jetrabbits/agentic)
 
 ## Coverage snapshot
 
@@ -83,6 +84,7 @@ agent-guides/
 │   ├── codex/                 # Codex custom agents and override configs
 │   │   └── agents/            # 7 SDLC agents for .codex/agents/
 │   └── gemini/                # Gemini-specific configs
+│   │   └── agents/            # 7 SDLC agents for .gemini/agents/
 ├── areas/template/            # Authoring templates — start here for new content
 ├── docs/                      # Setup and usage guides
 ├── AGENTS.md                  # Root agent guidance (loaded into every project)
@@ -133,7 +135,8 @@ guidance bundle.
 
 ## SDLC Agent team
 
-The same 7-agent team works across **Claude Code**, **OpenCode**, **Codex**, and any tool that supports agent or subagent files.
+The same 7-agent team works across **Claude Code**, **OpenCode**, **Codex**, and any tool that supports agent or
+subagent files.
 
 | Agent             | Role                                           | Invoke when                                   |
 |:------------------|:-----------------------------------------------|:----------------------------------------------|
@@ -148,13 +151,12 @@ The same 7-agent team works across **Claude Code**, **OpenCode**, **Codex**, and
 Each agent has a `vibe` (one-line personality), `Identity`, `Communication Style`, `Success Metrics`, and explicit
 `Boundaries` — so roles never overlap and handoffs are always documented.
 
-| Platform | Agent path | Format | Guide |
-|:---------|:-----------|:-------|:------|
-| Claude Code | `project/.claude/agents/*.md` | Markdown with YAML frontmatter | [Claude Code subagents](https://docs.claude.com/en/api/agent-sdk/subagents) |
-| OpenCode | `project/.opencode/agents/*.md` | Markdown with frontmatter | [OpenCode agents](https://opencode.ai/docs/agents/) · [repo setup note](docs/opencode_setup.md) |
-| Codex | `project/.codex/agents/*.toml` | TOML custom agents | [Codex subagents](https://developers.openai.com/codex/subagents) |
-
-Codex installs both `.codex/agents/*.toml` custom agents and `.codex/AGENTS.override.md`.
+| Platform    | Agent path                      | Format                         | Guide                                                                                           |
+|:------------|:--------------------------------|:-------------------------------|:------------------------------------------------------------------------------------------------|
+| Claude Code | `project/.claude/agents/*.md`   | Markdown with YAML frontmatter | [Claude Code subagents](https://docs.claude.com/en/api/agent-sdk/subagents)                     |
+| OpenCode    | `project/.opencode/agents/*.md` | Markdown with frontmatter      | [OpenCode agents](https://opencode.ai/docs/agents/) · [repo setup note](docs/opencode_setup.md) |
+| Codex       | `project/.codex/agents/*.toml`  | TOML custom agents             | [Codex subagents](https://developers.openai.com/codex/subagents)                                |
+| Gemini      | `project/.gemini/agents/*.toml` | Markdown with YAML frontmatter | [Gemini subagents](https://geminicli.com/docs/core/subagents)                                   |
 
 ---
 

package/areas/devops/ci-cd/prompts/release-pipeline.md

@@ -4,112 +4,102 @@ workflow: release-pipeline
 
 # Prompt: `/release-pipeline`
 
-Use when: designing or running a production release pipeline with versioning, supply-chain controls, and deployment gates.
+Use when: designing or executing a production release pipeline with strong supply-chain guarantees, safe database rollout, and progressive delivery controls.
 
 ---
 
-## Example 1 — Semantic versioning + automated changelog
+## Example 1 — High-risk release with schema change + feature flags
 
 **EN:**
 ```
 /release-pipeline
 
-Repo: github.com/myorg/api-service
-Release strategy: semantic versioning (semver) via git tags
-Changelog: auto-generated from conventional commits (feat/fix/breaking)
-Trigger: manual tag push (v1.2.3) → full release pipeline
-Pipeline steps:
-  1. Validate: all CI gates pass on tagged commit
-  2. Build: image with tag=v1.2.3 AND digest; push to ghcr.io
-  3. Sign: cosign sign + SBOM attach
-  4. Release: GitHub Release with changelog + image digest in description
-  5. Deploy staging: Helm upgrade --set image.tag=v1.2.3 --atomic
-  6. Smoke test staging: automated; gate before production
-  7. Deploy production: manual approval; canary 10% → 100%
+Service: payments-api
+Version: v3.8.0
+Risk level: high
+Change type:
+  - New payment routing engine behind feature flag `routing_v2`
+  - Database migration (expand phase only) adding nullable columns + backfill job
+Requirements:
+  1. Build immutable image digest and sign keylessly with cosign
+  2. Generate SLSA provenance + CycloneDX SBOM
+  3. Verify identity-constrained signature and attestation before deploy
+  4. Staging gate: 15 min soak + critical path integration tests
+  5. Production canary: 5% (10m) -> 25% (15m) -> 50% (15m) -> 100%
+  6. Rollback criteria:
+     - 5xx > 1% for 5 min
+     - p99 latency > 20% regression for 10 min
+     - fast burn-rate alert fires
+  7. Feature flag rollout by cohorts after service-level stability
+Output:
+  - Full CI/CD workflow YAML
+  - Migration safety checklist
+  - Rollback runbook
 ```
 
 **RU:**
 ```
 /release-pipeline
 
-Репо: github.com/myorg/api-service
-Стратегия релизов: semantic versioning (semver) через git теги
-Changelog: авто-генерация из conventional commits (feat/fix/breaking)
-Триггер: ручной push тега (v1.2.3) → полный pipeline релиза
-Шаги pipeline:
-  1. Validate: все CI gates проходят на тегированном коммите
-  2. Build: образ с tag=v1.2.3 И digest; push в ghcr.io
-  3. Sign: cosign sign + SBOM attach
-  4. Release: GitHub Release с changelog + image digest в описании
-  5. Deploy staging: Helm upgrade --set image.tag=v1.2.3 --atomic
-  6. Smoke test staging: автоматический; gate перед production
-  7. Deploy production: ручное подтверждение; canary 10% → 100%
+Сервис: payments-api
+Версия: v3.8.0
+Уровень риска: high
+Тип изменений:
+  - Новый роутинг платежей под feature flag `routing_v2`
+  - Миграция БД (только expand-фаза): новые nullable-колонки + backfill job
+Требования:
+  1. Собрать immutable digest и подписать keyless через cosign
+  2. Сгенерировать SLSA provenance + CycloneDX SBOM
+  3. Выполнить verify подписи/attestation с identity constraints перед деплоем
+  4. Staging gate: 15 минут наблюдения + интеграционные критичные тесты
+  5. Canary в production: 5% (10м) -> 25% (15м) -> 50% (15м) -> 100%
+  6. Критерии отката:
+     - 5xx > 1% в течение 5 минут
+     - p99 latency хуже baseline на >20% в течение 10 минут
+     - сработал fast burn-rate alert
+  7. Раскатка feature flag по когортам после стабилизации сервиса
+Результат:
+  - Полный CI/CD workflow YAML
+  - Чеклист безопасности миграции
+  - Runbook отката
 ```
 
 ---
 
-## Example 2 — Emergency hotfix release
+## Example 2 — Compliance-grade supply chain hardening
 
 **EN:**
 ```
 /release-pipeline
 
-Context: critical bug in v2.1.0 (CVE exploited in production); hotfix needed in < 2 hours
-Branch: hotfix/cve-2024-payment from tag v2.1.0 (NOT from main — main has unreleased features)
-Version: v2.1.1
-Speed optimizations allowed:
-  - Skip: integration tests (replace with targeted regression test for the fix)
-  - Skip: changelog automation (write manually)
-  - Keep: security scan (mandatory), smoke test (mandatory), canary deploy (mandatory)
-Rollback plan: v2.1.0 image already in registry — Helm rollback in < 2 min if needed
+Context: move existing GitHub Actions pipeline to compliance-grade release controls
+Current state: tests + image build only
+Target:
+  - OIDC federation for cloud auth (remove static secrets)
+  - Keyless cosign signing of container digest
+  - SLSA provenance attestation generation and verification
+  - SBOM attach and retention policy >= 1 year
+  - Admission policy in production namespace: signed + attested + digest-only images
+Provide:
+  - Updated release workflow
+  - Example Kyverno/Gatekeeper policies
+  - Failure-mode behavior (fail closed)
 ```
 
 **RU:**
 ```
 /release-pipeline
 
-Контекст: критический баг в v2.1.0 (CVE эксплуатируется в production); hotfix нужен за < 2 часа
-Ветка: hotfix/cve-2024-payment от тега v2.1.0 (НЕ от main — там незарелиженные фичи)
-Версия: v2.1.1
-Допустимые оптимизации скорости:
-  - Пропустить: интеграционные тесты (заменить целевым регрессионным тестом для исправления)
-  - Пропустить: автоматизацию changelog (написать вручную)
-  - Оставить: security scan (обязательно), smoke test (обязательно), canary deploy (обязательно)
-План отката: образ v2.1.0 уже в реестре — Helm rollback за < 2 мин при необходимости
-```
-
----
-
-## Example 3 — Add full supply chain to existing pipeline
-
-**EN:**
-```
-/release-pipeline
-
-Service: checkout-service / CI: GitHub Actions
-Current state: images built and pushed, no signing, no SBOM
-Required:
-  1. SBOM: generate CycloneDX SBOM with Syft during build; attach to image with cosign
-  2. Signing: sign image with cosign using GitHub OIDC (keyless) after push
-  3. Provenance: enable SLSA level 2 via docker/build-push-action (provenance: true)
-  4. Verification: add cosign verify step in CD pipeline before every deploy
-  5. Policy: Kyverno ClusterPolicy — block unsigned images in production namespace
-  6. Dependency pinning: base image must reference @sha256 digest, not tag
-Show full updated GitHub Actions workflow + Kyverno policy
-```
-
-**RU:**
-```
-/release-pipeline
-
-Сервис: checkout-service / CI: GitHub Actions
-Текущее состояние: образы собираются и пушатся, без подписи, без SBOM
-Требуется:
-  1. SBOM: генерация CycloneDX SBOM через Syft при сборке; прикрепление к образу через cosign
-  2. Подпись: подпись образа через cosign с GitHub OIDC (keyless) после push
-  3. Provenance: SLSA level 2 через docker/build-push-action (provenance: true)
-  4. Верификация: добавить шаг cosign verify в CD pipeline перед каждым деплоем
-  5. Политика: Kyverno ClusterPolicy — блокировка неподписанных образов в production namespace
-  6. Pinning зависимостей: base image должен ссылаться на @sha256 digest, не тег
-Показать полный обновлённый workflow GitHub Actions + Kyverno политику
+Контекст: перевести существующий GitHub Actions pipeline на compliance-grade контроль релизов
+Текущее состояние: только тесты + сборка образа
+Цель:
+  - OIDC federation для cloud auth (убрать static secrets)
+  - Keyless cosign-подпись digest контейнера
+  - Генерация и проверка SLSA provenance attestation
+  - Прикрепление SBOM и политика хранения >= 1 года
+  - Admission policy в production: только signed + attested + digest-only образы
+Нужно выдать:
+  - Обновлённый workflow релиза
+  - Примеры политик Kyverno/Gatekeeper
+  - Поведение при сбоях (fail closed)
 ```

package/areas/devops/ci-cd/rules/supply-chain-security.md

@@ -1,34 +1,54 @@
 # Rule: Supply Chain Security
 
-**Priority**: P0 — Unsigned or unverified artifacts are blocked from production.
+**Priority**: P0 — Artifacts without verified identity, provenance, and policy compliance are blocked from production.
 
-## SBOM (Software Bill of Materials)
+## Baseline (mandatory)
 
-1. Every container image build generates an SBOM (Syft / Trivy).
-2. SBOM attached to image in OCI registry (cosign attach sbom).
-3. SBOM stored for minimum 1 year per compliance requirements.
+1. **Keyless signing by default**: use Sigstore keyless (`cosign` + OIDC/Fulcio/Rekor) for CI-produced artifacts.
+2. **Immutable references only**: deploy by digest (`@sha256:...`), never mutable tags (`latest`, `stable`).
+3. **Provenance required**: generate SLSA-compatible provenance attestations for every production build.
+4. **SBOM required**: generate CycloneDX or SPDX SBOM and attach/store with the exact artifact digest.
+5. **Admission policy enforcement**: clusters must verify signature + provenance + digest pinning before workload admission.
 
-## Image Signing (Sigstore/cosign)
+## Signing and Verification
 
 ```bash
-# Sign image after build
-cosign sign --key env://COSIGN_PRIVATE_KEY \
-  registry.example.com/my-service@sha256:<digest>
+# Keyless signing (preferred)
+cosign sign --yes registry.example.com/my-service@sha256:<digest>
 
-# Verify before deploy (in CD pipeline)
-cosign verify --key env://COSIGN_PUBLIC_KEY \
+# Verification with issuer/identity constraints (required in CD)
+cosign verify \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  --certificate-identity-regexp 'https://github.com/myorg/myrepo/\.github/workflows/.+@refs/tags/v.+' \
   registry.example.com/my-service@sha256:<digest>
 ```
 
-4. Unsigned images are blocked from production namespaces via OPA/Kyverno policy.
+6. **Key-pair signing is fallback only**: if keyless is unavailable, keys must be in KMS/HSM and rotated at least quarterly.
+7. **Transparency log evidence**: verification must include Rekor entry checks when supported.
+
+## Provenance and Build Integrity
+
+8. Production builds run only on trusted CI and produce attestations bound to exact commit SHA.
+9. Build provenance must include: repository, workflow identity, source revision, build parameters, and builder identity.
+10. Reproducibility target: deterministic builds for critical services; if not feasible, document non-deterministic inputs.
+
+## Dependency and Base Image Controls
+
+11. Pin direct dependencies and commit lockfiles (`package-lock.json`, `poetry.lock`, `go.sum`, etc.).
+12. Base images pinned by digest in Dockerfile; floating tags are forbidden.
+13. Package managers must verify checksums/hashes where available.
+14. External CI actions/plugins must be pinned to immutable commit SHA.
 
-## Dependency Pinning
+## Policy Enforcement (Kubernetes / CD)
 
-5. All `package.json`, `requirements.txt`, `go.sum` must pin exact versions.
-6. `pip install requests` (unpinned) is forbidden in CI — use `requirements.txt` with hashes.
-7. Base images pinned to digest in Dockerfile: `FROM python:3.12-slim@sha256:...`
+15. Admission controllers (Kyverno/Gatekeeper) must enforce:
+   - signed image verification;
+   - digest-only image references;
+   - required provenance attestation for production namespaces.
+16. Deploy pipeline fails closed if verification services are unavailable (no silent bypass).
+17. Exceptions require documented risk acceptance with owner + expiry date (max 14 days).
 
-## Audit Trail
+## Audit Trail and Retention
 
-8. Every build records: git commit, build timestamp, base image digest, all dependency versions.
-9. Provenance attestation (SLSA level 2+) generated for production releases.
+18. Keep artifact metadata for at least 1 year: commit SHA, SBOM digest, provenance digest, signer identity, scan results.
+19. Every release record must be traceable from ticket/PR → commit → artifact digest → deployment event.

package/areas/devops/ci-cd/skills/github-actions-patterns/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: github-actions-patterns
 type: skill
-description: Production-grade GitHub Actions workflows — reusable workflows, OIDC auth, caching, matrix builds, environment protection.
+description: "Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization."
 related-rules:
   - pipeline-standards.md
   - quality-gates.md
@@ -152,6 +152,11 @@ jobs:
             --set image.digest=${{ inputs.image-digest }} \
             --namespace ${{ inputs.environment }} \
             --atomic --timeout 5m
+
+      - name: Verify deployment health
+        run: |
+          kubectl rollout status deployment/my-service -n ${{ inputs.environment }} --timeout=120s
+          curl -sf http://my-service.${{ inputs.environment }}.svc.cluster.local/health || exit 1
 ```
 
 ## OIDC Cloud Authentication (no long-lived keys)

package/areas/devops/ci-cd/skills/pipeline-security/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: pipeline-security
 type: skill
-description: Secure CI/CD pipelines — OIDC auth, secret scanning, dependency review, SLSA provenance, and runner hardening.
+description: Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
 related-rules:
   - supply-chain-security.md
   - pipeline-standards.md
@@ -10,152 +10,87 @@ allowed-tools: Read, Write, Edit
 
 # Skill: Pipeline Security
 
-> **Expertise:** OIDC cloud auth, GitHub Actions security hardening, secret scanning (trufflehog/gitleaks), SLSA provenance, dependency review.
+> **Expertise:** OIDC cloud auth, least-privilege workflow permissions, secret scanning, keyless artifact signing, SLSA provenance, and admission policy checks.
 
 ## When to load
 
-When setting up secure CI credentials, adding secret scanning, implementing SLSA provenance, or hardening runner permissions.
+When designing or hardening CI/CD pipelines for production deployments, especially where compliance or high-risk workloads are involved.
 
-## OIDC Authentication (no long-lived secrets)
+## Security Outcomes (definition of done)
+
+- Pipeline uses **OIDC federation** (no long-lived cloud keys in CI secrets).
+- Artifacts are **signed keylessly** and verified with identity constraints.
+- **Provenance + SBOM** are generated and validated before deploy.
+- Workflows use **minimal GitHub/GitLab permissions**.
+- Runtime admission policies block unsigned/unattested artifacts.
+
+## OIDC Authentication (no long-lived credentials)
 
 ```yaml
-# GitHub Actions → AWS (no AWS_ACCESS_KEY_ID needed)
 jobs:
   deploy:
     permissions:
-      id-token: write     # required for OIDC
+      id-token: write
       contents: read
     steps:
-      - uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@<pinned-sha>
         with:
           role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
-          aws-region: eu-west-1
-          role-session-name: github-${{ github.run_id }}
-
-# AWS IAM trust policy (configure once)
-# {
-#   "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
-#   "Condition": {
-#     "StringEquals": {"token.actions.githubusercontent.com:sub": "repo:myorg/myrepo:ref:refs/heads/main"}
-#   }
-# }
+          aws-region: us-east-1
 ```
 
-```yaml
-# GitHub Actions → GCP
-- uses: google-github-actions/auth@v2
-  with:
-    workload_identity_provider: projects/123456789/locations/global/workloadIdentityPools/github/providers/github
-    service_account: github-actions@my-project.iam.gserviceaccount.com
-
-# GitHub Actions → K8s (via kubeconfig secret — use when OIDC not available)
-- name: Set up kubeconfig
-  run: |
-    echo "${{ secrets.KUBECONFIG_B64 }}" | base64 -d > /tmp/kubeconfig
-    chmod 600 /tmp/kubeconfig
-  env:
-    KUBECONFIG: /tmp/kubeconfig
-```
+- Constrain trust policy by repo, ref, and workflow identity.
+- Prefer short session duration and environment-scoped roles.
 
-## Minimal Permissions (principle of least privilege)
+## Minimal Permissions Model
 
 ```yaml
-# Always declare permissions explicitly; defaults are too broad
-jobs:
-  build:
-    permissions:
-      contents: read        # checkout only
-      packages: write       # push to ghcr.io
-      id-token: write       # OIDC for cloud/registry auth
-      security-events: write # upload SARIF to Security tab
-
-  deploy:
-    permissions:
-      contents: read
-      id-token: write       # OIDC for cloud auth
-      # NOT: actions:write, administration:write, etc.
+permissions:
+  contents: read
+  id-token: write
+  packages: write
 ```
 
-## Secret Scanning
+- Deny by default; explicitly request only required scopes.
+- Split build and deploy into separate jobs with separate permissions.
 
-```yaml
-# trufflehog — detect secrets in git history and current diff
-- name: Scan for secrets (trufflehog)
-  uses: trufflesecurity/trufflehog@main
-  with:
-    path: ./
-    base: ${{ github.event.repository.default_branch }}
-    head: HEAD
-    extra_args: --only-verified   # reduce noise — only verified secrets
-
-# gitleaks — alternative (faster, configurable)
-- name: Scan for secrets (gitleaks)
-  uses: gitleaks/gitleaks-action@v2
-  env:
-    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+## Keyless Signing + Verification
+
+```bash
+# Sign immutable artifact digest
+cosign sign --yes registry.example.com/team/service@sha256:<digest>
+
+# Verify identity and issuer in deploy gate
+cosign verify \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  --certificate-identity-regexp 'https://github.com/myorg/myrepo/\.github/workflows/.+@refs/tags/v.+' \
+  registry.example.com/team/service@sha256:<digest>
 ```
 
-## Dependency Review (GitHub)
+## Provenance + SBOM Requirements
 
-```yaml
-# Block PRs that introduce vulnerable dependencies
-- name: Dependency Review
-  uses: actions/dependency-review-action@v4
-  with:
-    fail-on-severity: high          # block on High and Critical
-    allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
-    deny-licenses: GPL-3.0, AGPL-3.0  # copyleft licenses blocked
-```
+- Generate SLSA provenance attestation for each release artifact.
+- Generate CycloneDX/SPDX SBOM for exact artifact digest.
+- Store attestation/SBOM references in release metadata.
+- Block deploy if attestation/SBOM is missing or invalid.
 
-## SLSA Provenance (Supply chain Level 2)
+## Secret and Dependency Controls
 
-```yaml
-# Generate SLSA L2 provenance attestation with sigstore
-- name: Generate SLSA provenance
-  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2
-  with:
-    image: registry.example.com/myorg/order-service
-    digest: ${{ steps.build.outputs.digest }}
-    registry-username: ${{ github.actor }}
-    registry-password: ${{ secrets.GITHUB_TOKEN }}
-```
+- Run secret scanning (trufflehog/gitleaks) on PR and main.
+- Run dependency review with severity threshold and license policy.
+- Fail pipeline on critical policy violations; do not “warn-only” for production paths.
 
 ## Runner Hardening
 
-```yaml
-# Pin action versions to SHA (not tag — tags are mutable)
-# ✅ Safe
-- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
-# ❌ Unsafe (tag can be moved by attacker)
-- uses: actions/checkout@v4
-
-# Restrict third-party actions to verified/trusted
-# In GitHub org settings: only allow selected actions + GitHub Actions
-```
-
-```bash
-# Self-hosted runner hardening
-# - Run as non-root dedicated user (no sudo)
-# - Ephemeral runners (fresh VM per job) — preferred
-# - Network: egress to required registries only; no inbound
-# - No persistent credentials on runner filesystem
-# - Use actions/runner-container-hooks for K8s ephemeral runners
-```
+- Ephemeral runners preferred (one job per VM/pod).
+- No privileged mode unless explicitly justified.
+- Restrict network egress to required registries/APIs.
+- Never persist cloud credentials or kubeconfig on runner disk.
 
-## Audit: What Your Pipeline Can Access
+## Policy-as-Code Integration
 
-```bash
-# Check what secrets are available to a workflow
-# In GitHub: Settings → Secrets → Actions
-# Rule: each secret should only be available to the environment that needs it
-
-# Prevent secret leakage in logs
-- name: No secret echo
-  run: |
-    # ❌ BAD: leaks secret to logs
-    echo "DB_PASS=$DB_PASS"
-    env  # dumps all env vars including secrets
-
-    # ✅ Use secret only where needed; never echo
-    helm upgrade ... --set db.password="$DB_PASS" > /dev/null
-```
+- Enforce cluster admission checks for:
+  - signed image;
+  - digest-only reference;
+  - valid provenance for production namespaces.
+- Keep exception path explicit: owner + expiry + compensating controls.