@nuvlore/extension-bds 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +202 -0
- package/README.md +3 -0
- package/agents/bds-airflow-job-status-readonly.yaml +123 -0
- package/agents/bds-disk-investigator.yaml +112 -0
- package/agents/bds-inventory-readonly.yaml +60 -0
- package/agents/bds-oncall-reporter.yaml +113 -0
- package/agents/bds-prism-service-proxy-timeout-readonly.yaml +105 -0
- package/agents/bds-scylla-tenant-bucket-readonly.yaml +104 -0
- package/agents/bds-tenant-data-operation-log-readonly.yaml +98 -0
- package/agents/bds-yarn-app-health-readonly.yaml +114 -0
- package/agents/pharos-alert-investigator.yaml +81 -0
- package/package.json +60 -0
- package/skills/bds-airflow-job-status-investigation/SKILL.md +104 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-access-runbook.md +35 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-bas-dr-runbook.md +42 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-copy-and-migration-runbook.md +63 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-job-status-runbook.md +15 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-output-runbook.md +28 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-snapshot-runbook.md +38 -0
- package/skills/bds-disk-io-alert-investigation/SKILL.md +116 -0
- package/skills/bds-hadoop-review/SKILL.md +66 -0
- package/skills/bds-machine-inventory/SKILL.md +48 -0
- package/skills/bds-oncall-followup/SKILL.md +71 -0
- package/skills/bds-oncall-followup/references/oncall-followup-runbook.md +58 -0
- package/skills/bds-prism-service-proxy-timeout-investigation/SKILL.md +73 -0
- package/skills/bds-prism-service-proxy-timeout-investigation/references/service-proxy-timeout-runbook.md +48 -0
- package/skills/bds-scylla-tenant-bucket-investigation/SKILL.md +73 -0
- package/skills/bds-scylla-tenant-bucket-investigation/references/tenant-bucket-runbook.md +91 -0
- package/skills/bds-tenant-data-operation-log-investigation/SKILL.md +89 -0
- package/skills/bds-yarn-app-health-investigation/SKILL.md +77 -0
- package/skills/bds-yarn-app-health-investigation/references/yarn-app-health-runbook.md +53 -0
- package/skills/pharos-alert-investigation/SKILL.md +80 -0
- package/src/bds-atomic-log-tools.mjs +300 -0
- package/src/bds-team-membership-claude-output.mjs +36 -0
- package/src/bds-team-membership-quality.mjs +90 -0
- package/tools/bds_airflow_dag_log_read.mjs +24 -0
- package/tools/bds_airflow_job_status_command_pack.mjs +587 -0
- package/tools/bds_bas_log_read.mjs +23 -0
- package/tools/bds_bdm_httpd_log_read.mjs +24 -0
- package/tools/bds_chef_client_log_read.mjs +23 -0
- package/tools/bds_dashboard_links.mjs +178 -0
- package/tools/bds_dashboard_query_knowledge.mjs +258 -0
- package/tools/bds_dashboard_query_read.mjs +120 -0
- package/tools/bds_disk_io_alert_command_pack.mjs +287 -0
- package/tools/bds_environment_host_lookup.mjs +741 -0
- package/tools/bds_hdfs_datanode_log_read.mjs +23 -0
- package/tools/bds_hdfs_journalnode_log_read.mjs +23 -0
- package/tools/bds_hdfs_namenode_log_read.mjs +23 -0
- package/tools/bds_hdfs_path_knowledge.mjs +324 -0
- package/tools/bds_information_source_knowledge.mjs +356 -0
- package/tools/bds_kms_log_read.mjs +23 -0
- package/tools/bds_log_path_knowledge.mjs +267 -0
- package/tools/bds_machine_inventory.mjs +434 -0
- package/tools/bds_mapreduce_historyserver_log_read.mjs +23 -0
- package/tools/bds_migration_service_operation_command_pack.mjs +233 -0
- package/tools/bds_oncall_followup_payload_draft.mjs +285 -0
- package/tools/bds_pharos_query_pack.mjs +218 -0
- package/tools/bds_portal_operation_knowledge.mjs +212 -0
- package/tools/bds_prism_clone_status_links.mjs +129 -0
- package/tools/bds_prism_service_proxy_timeout_query_pack.mjs +224 -0
- package/tools/bds_public_cloud_pod_log_read.mjs +18 -0
- package/tools/bds_scylla_tenant_bucket_command_pack.mjs +323 -0
- package/tools/bds_service_proxy_log_read.mjs +23 -0
- package/tools/bds_spark_historyserver_log_read.mjs +32 -0
- package/tools/bds_spas_mt_log_read.mjs +23 -0
- package/tools/bds_tenant_data_operation_log_command_pack.mjs +321 -0
- package/tools/bds_yarn_app_health_command_pack.mjs +529 -0
- package/tools/bds_yarn_nodemanager_log_read.mjs +23 -0
- package/tools/bds_yarn_resourcemanager_log_read.mjs +23 -0
- package/tools/bds_zookeeper_log_read.mjs +23 -0
- package/tools/confluence_handoff_page_draft.mjs +173 -0
- package/vendor/dashboard/src/grafana-dashboard-query.mjs +61 -0
- package/vendor/extension-read-only-toolkit/LICENSE +202 -0
- package/vendor/extension-read-only-toolkit/README.md +29 -0
- package/vendor/extension-read-only-toolkit/package.json +46 -0
- package/vendor/extension-read-only-toolkit/src/devops-data-paths.mjs +222 -0
- package/vendor/extension-read-only-toolkit/src/devops-diagnostics.mjs +440 -0
- package/vendor/extension-read-only-toolkit/src/enterprise-api-read.mjs +180 -0
- package/vendor/extension-read-only-toolkit/src/read-only-command-pack.mjs +1 -0
- package/vendor/extension-read-only-toolkit/src/read-only-plan.mjs +45 -0
- package/vendor/extension-read-only-toolkit/src/read-only-shell-policy.d.mts +26 -0
- package/vendor/extension-read-only-toolkit/src/read-only-shell-policy.mjs +170 -0
- package/vendor/extension-workday-infra-access/LICENSE +202 -0
- package/vendor/extension-workday-infra-access/README.md +3 -0
- package/vendor/extension-workday-infra-access/agents/workday-infra-access-readonly.yaml +183 -0
- package/vendor/extension-workday-infra-access/package.json +49 -0
- package/vendor/extension-workday-infra-access/skills/workday-infra-access/SKILL.md +102 -0
- package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-boundary-runbook.md +43 -0
- package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-runbook.md +15 -0
- package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-scylla-cloud-runbook.md +39 -0
- package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-spc-argo-runbook.md +99 -0
- package/vendor/extension-workday-infra-access/src/workday-access-profiles.mjs +194 -0
- package/vendor/extension-workday-infra-access/tools/aws_cust_federated_readonly_command_pack.mjs +234 -0
- package/vendor/extension-workday-infra-access/tools/gcp_readonly_command_pack.mjs +167 -0
- package/vendor/extension-workday-infra-access/tools/public_cloud_access_status.mjs +48 -0
- package/vendor/extension-workday-infra-access/tools/workday_boundary_login.mjs +460 -0
- package/vendor/extension-workday-infra-access/tools/workday_private_cloud_sudo_readonly_command.mjs +386 -0
- package/vendor/extension-workday-infra-access/tools/workday_public_cloud_environment_map.mjs +189 -0
- package/vendor/extension-workday-infra-access/tools/workday_public_cloud_kubernetes_read.mjs +297 -0
- package/vendor/extension-workday-infra-access/tools/workday_public_cloud_spc_login.mjs +505 -0
- package/vendor/extension-workday-infra-access/tools/workday_spc_argo_readonly_command_pack.mjs +215 -0
- package/vendor/extension-workday-infra-access/workflows/public-cloud-readonly-investigation.js +99 -0
- package/workflows/bds-airflow-job-status-investigation.js +168 -0
- package/workflows/bds-disk-io-alert-investigation.js +173 -0
- package/workflows/bds-oncall-followup.js +112 -0
- package/workflows/bds-prism-service-proxy-timeout-investigation.js +69 -0
- package/workflows/bds-scylla-tenant-bucket-investigation.js +139 -0
- package/workflows/bds-tenant-data-operation-log-investigation.js +189 -0
- package/workflows/bds-yarn-app-health-investigation.js +217 -0
|
@@ -0,0 +1,112 @@
|
|
|
1
|
+
export const meta = {
|
|
2
|
+
name: "bds-oncall-followup",
|
|
3
|
+
description: "Prepare and verify BDS on-call Confluence handoff rows and BDS follow-up Jira drafts for BDS-owned issues.",
|
|
4
|
+
whenToUse: "Use when a BDS on-call issue should be added to the current handoff page, especially when follow-up Jira tracking is needed.",
|
|
5
|
+
phases: ["Plan", "Evidence", "Draft", "Verify"],
|
|
6
|
+
};
|
|
7
|
+
|
|
8
|
+
phase("Plan");
|
|
9
|
+
const plan = await agent(
|
|
10
|
+
[
|
|
11
|
+
"Extract BDS-owned summary, description, evidence links, RCA, impact, follow-up need, existing follow-up Jira, and short code pointer.",
|
|
12
|
+
"If source is a Slack incident thread, keep the Slack thread as source/narrative anchor; do not turn the main Jira into the Issue title unless Jira is the source.",
|
|
13
|
+
"Call bds_oncall_followup_payload_draft first. It computes the two-week report range, standard report title, Confluence row draft, and BDS Jira draft.",
|
|
14
|
+
"Keep BDS-only; exclude DB, MTP, TAR, rsync, or customer workflow detail unless it explains a BDS code/workflow gap.",
|
|
15
|
+
"Preserve paragraph intent: split timeline, evidence, RCA, recovery, impact, and links when available.",
|
|
16
|
+
"If the issue came from an alert, include concrete tenant, cluster, alert name, and source keywords so the Evidence phase can search for existing Jira follow-ups.",
|
|
17
|
+
"For bas_dr_sla_miss or DR copy SLA, extract affected tenants, stale mirror snapshot time, bad worker, zombie/node runtime evidence, approved actions, verification snapshot, BAS lag below 3600s, immediate Jira, and DC follow-up Jira.",
|
|
18
|
+
"Requester-facing Confluence or Jira content must not mention Codex or internal thread/source names.",
|
|
19
|
+
"Do not create or update Confluence or Jira in this phase.",
|
|
20
|
+
].join("\n"),
|
|
21
|
+
{
|
|
22
|
+
label: "bds-oncall-followup-plan",
|
|
23
|
+
phase: "Plan",
|
|
24
|
+
tools: "mcp__devops_tool__bds_oncall_followup_payload_draft",
|
|
25
|
+
disallowedTools: "Agent,Task,TaskCreate,Bash,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
26
|
+
},
|
|
27
|
+
);
|
|
28
|
+
|
|
29
|
+
phase("Evidence");
|
|
30
|
+
const evidence = await agent(
|
|
31
|
+
[
|
|
32
|
+
"Find and read the current BDS on-call Confluence handoff page from the title and page ids in the plan.",
|
|
33
|
+
"If an existing follow-up Jira key or URL is present, read it before deciding whether another Jira is needed.",
|
|
34
|
+
"If a main Jira key is present, read its summary, status, and issuelinks. Prefer a linked monitor/product follow-up Jira for the Follow-up Jira field instead of using the main incident Jira.",
|
|
35
|
+
"Search Jira for existing follow-ups using tenant, cluster, alert, and issue keywords before drafting or creating a new ticket.",
|
|
36
|
+
"Classify rows as exact match, partial/mixed issue row, or unrelated row. Preserve unrelated rows and identify mixed rows that must be split.",
|
|
37
|
+
"If the page or Jira cannot be read, report the exact evidence gap and continue with draft-only output.",
|
|
38
|
+
"",
|
|
39
|
+
"Plan:",
|
|
40
|
+
plan,
|
|
41
|
+
].join("\n"),
|
|
42
|
+
{
|
|
43
|
+
label: "bds-oncall-followup-evidence",
|
|
44
|
+
phase: "Evidence",
|
|
45
|
+
tools: "mcp__devops_tool__confluence_search_read,mcp__devops_tool__confluence_content_read,mcp__devops_tool__jira_api_read",
|
|
46
|
+
disallowedTools: "Agent,Task,TaskCreate,Bash,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
47
|
+
},
|
|
48
|
+
);
|
|
49
|
+
|
|
50
|
+
phase("Draft");
|
|
51
|
+
const draft = await agent(
|
|
52
|
+
[
|
|
53
|
+
"Prepare the final BDS-only Confluence row text and Jira-ready ticket fields from the plan and evidence.",
|
|
54
|
+
"If evidence shows an existing matching Jira, use that Jira as the follow-up link and prepare a comment/update instead of a duplicate Jira draft.",
|
|
55
|
+
"If evidence shows Slack thread plus main Jira plus linked follow-up Jira, put Slack in Issue/Slack-Jira refs, main Jira as context, and linked follow-up Jira in Follow-up Jira.",
|
|
56
|
+
"For mixed rows, preserve the old issue as its own row and add/update the new issue separately.",
|
|
57
|
+
"For bas_dr_sla_miss, separate read-only evidence from approved operator actions: cordon, force-delete stale pods, healthy-worker replacements, BAS recovery, and bad node remaining cordoned pending DC follow-up.",
|
|
58
|
+
"Render every Confluence issue row in paragraph format. Do not emit dense one-paragraph table cells for description, RCA, impact, or links.",
|
|
59
|
+
"Use neutral wording such as Discussion for references; generated content must not mention Codex or internal assistant/thread provenance.",
|
|
60
|
+
"Use confluence_handoff_page_draft only for handoff page body drafting.",
|
|
61
|
+
"Use jira_ticket_draft only for Jira-ready local text.",
|
|
62
|
+
"Do not over-specify implementation; point to current code/workflow problems and leave the fix to the assignee.",
|
|
63
|
+
"Do not include Mermaid sequence diagrams or unsupported Jira formatting.",
|
|
64
|
+
"",
|
|
65
|
+
"Plan:",
|
|
66
|
+
plan,
|
|
67
|
+
"",
|
|
68
|
+
"Evidence:",
|
|
69
|
+
evidence,
|
|
70
|
+
].join("\n"),
|
|
71
|
+
{
|
|
72
|
+
label: "bds-oncall-followup-draft",
|
|
73
|
+
phase: "Draft",
|
|
74
|
+
tools: "mcp__devops_tool__confluence_handoff_page_draft,mcp__devops_tool__jira_ticket_draft",
|
|
75
|
+
disallowedTools: "Agent,Task,TaskCreate,Bash,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
76
|
+
},
|
|
77
|
+
);
|
|
78
|
+
|
|
79
|
+
phase("Verify");
|
|
80
|
+
const verify = await agent(
|
|
81
|
+
[
|
|
82
|
+
"If Confluence or Jira writes have already happened through an approved external path, read back the updated page and ticket.",
|
|
83
|
+
"Confirm the on-call row contains the issue and follow-up Jira link when one exists.",
|
|
84
|
+
"For Slack-sourced incidents, confirm the row contains the Slack thread URL, the main Jira reference, and the linked follow-up monitor/product Jira when present.",
|
|
85
|
+
"Confirm the Confluence page version advanced after an approved write path.",
|
|
86
|
+
"Confirm unrelated Confluence rows and issue titles that existed before the update are still present; do not accept a result that accidentally removed an earlier issue.",
|
|
87
|
+
"Confirm each issue row uses paragraph-formatted cells for description, RCA/evidence, impact, and links.",
|
|
88
|
+
"Confirm requester-facing page and Jira text do not contain Codex or internal provenance wording.",
|
|
89
|
+
"For bas_dr_sla_miss rows, confirm affected tenants, zombie/node runtime evidence, DC follow-up Jira, verification snapshot/success marker, and BAS lag below 3600s; Slack/PagerDuty clear alone is not recovery evidence.",
|
|
90
|
+
"Confirm the Jira is in BDS, uses a BDS-owned scope, and does not contain non-BDS implementation detail or Mermaid diagrams.",
|
|
91
|
+
"If no approved write path was used, return the draft-only result and the exact manual verification checklist.",
|
|
92
|
+
"",
|
|
93
|
+
"Plan:",
|
|
94
|
+
plan,
|
|
95
|
+
"",
|
|
96
|
+
"Draft:",
|
|
97
|
+
draft,
|
|
98
|
+
].join("\n"),
|
|
99
|
+
{
|
|
100
|
+
label: "bds-oncall-followup-verify",
|
|
101
|
+
phase: "Verify",
|
|
102
|
+
tools: "mcp__devops_tool__confluence_content_read,mcp__devops_tool__jira_api_read",
|
|
103
|
+
disallowedTools: "Agent,Task,TaskCreate,Bash,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
104
|
+
},
|
|
105
|
+
);
|
|
106
|
+
|
|
107
|
+
return {
|
|
108
|
+
plan,
|
|
109
|
+
evidence,
|
|
110
|
+
draft,
|
|
111
|
+
verify,
|
|
112
|
+
};
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
export const meta = {
|
|
2
|
+
name: "bds-prism-service-proxy-timeout-investigation",
|
|
3
|
+
description: "Investigate Prism Spark on K8s BdsCipherClient read timeouts against BDS bds-service-proxy with read-only Jira and Kubernetes evidence.",
|
|
4
|
+
whenToUse: "Use when PRISM/Chiron/Slack shows BdsCipherClient.generateKey, SocketTimeoutException, KMSClientException: Read timed out, or Delta commit aborts while calling bds-service-proxy.",
|
|
5
|
+
phases: ["Plan", "Evidence", "Reply"],
|
|
6
|
+
};
|
|
7
|
+
|
|
8
|
+
phase("Plan");
|
|
9
|
+
const plan = await agent(
|
|
10
|
+
[
|
|
11
|
+
"Extract Jira key, cluster, tenant, CID, Spark appId, Prism pod label, activity id, and incident UTC.",
|
|
12
|
+
"Use the skill flow as the procedure; call only mcp__devops_tool__bds_prism_service_proxy_timeout_query_pack to normalize fields and produce read-only Jira/Kubernetes query inputs.",
|
|
13
|
+
"Do not use Bash, browser access, WebFetch, WebSearch, or any mutating tool in this phase.",
|
|
14
|
+
"Return parsed fields, query/command-pack output, and missing fields.",
|
|
15
|
+
].join("\n"),
|
|
16
|
+
{
|
|
17
|
+
label: "bds-prism-service-proxy-timeout-plan",
|
|
18
|
+
phase: "Plan",
|
|
19
|
+
tools: "mcp__devops_tool__bds_prism_service_proxy_timeout_query_pack",
|
|
20
|
+
disallowedTools: "Bash,Read,Glob,Grep,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
21
|
+
},
|
|
22
|
+
);
|
|
23
|
+
|
|
24
|
+
phase("Evidence");
|
|
25
|
+
const evidence = await agent(
|
|
26
|
+
[
|
|
27
|
+
"Collect read-only evidence from Jira and the target Kubernetes cluster.",
|
|
28
|
+
"Use jira_api_read to read issue metadata, comments, and bounded Chiron attachment snippets. If Jira auth is missing, report the missing secret route and stop; never print credentials.",
|
|
29
|
+
"Use kubernetes_status_snapshot and remote_readonly_command only for explicit read-only kubectl/spc evidence after operator connection or allowed path.",
|
|
30
|
+
"Verify AWS_PROFILE=sso-cust SPC context, kubectl current-context, auth whoami, and auth can-i before reading pod evidence.",
|
|
31
|
+
"For bds-service-proxy, read deployment/pod/service/endpoints state, restart count, kubectl log retention, and pod-local /opt/bds-service-proxy/log/*.log when Kubernetes logs do not cover the incident window.",
|
|
32
|
+
"Check Prism/OMS namespace RBAC before trying to inspect Prism pod logs or OMS dump files. If RBAC denies access, mark direct Prism/OMS inspection blocked.",
|
|
33
|
+
"Do not run mutating kubectl commands, copy logs, download files, or write local artifacts.",
|
|
34
|
+
"",
|
|
35
|
+
"Plan:",
|
|
36
|
+
plan,
|
|
37
|
+
].join("\n"),
|
|
38
|
+
{
|
|
39
|
+
label: "bds-prism-service-proxy-timeout-evidence",
|
|
40
|
+
phase: "Evidence",
|
|
41
|
+
tools: "mcp__devops_tool__jira_api_read,mcp__devops_tool__kubernetes_status_snapshot,mcp__devops_tool__remote_readonly_command",
|
|
42
|
+
disallowedTools: "WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
43
|
+
},
|
|
44
|
+
);
|
|
45
|
+
|
|
46
|
+
phase("Reply");
|
|
47
|
+
const reply = await agent(
|
|
48
|
+
[
|
|
49
|
+
"Draft a concise Slack-ready response from the evidence only.",
|
|
50
|
+
"State the system boundary as Prism Spark on K8s driver -> BdsCipherClient -> BDS bds-service-proxy.",
|
|
51
|
+
"Separate Prism driver timeout evidence from BDS service-proxy service-side errors or clean same-window traffic.",
|
|
52
|
+
"If BDS service-proxy logs are clean, ask Prism to inspect why the Spark driver timed out waiting for the bds-service-proxy response, especially driver/network/socket timeout behavior during Delta commit.",
|
|
53
|
+
"Mention any RBAC or log-retention gaps briefly.",
|
|
54
|
+
"",
|
|
55
|
+
"Plan:",
|
|
56
|
+
plan,
|
|
57
|
+
"",
|
|
58
|
+
"Evidence:",
|
|
59
|
+
evidence,
|
|
60
|
+
].join("\n"),
|
|
61
|
+
{
|
|
62
|
+
label: "bds-prism-service-proxy-timeout-reply",
|
|
63
|
+
phase: "Reply",
|
|
64
|
+
tools: "",
|
|
65
|
+
disallowedTools: "Bash,Read,Glob,Grep,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
66
|
+
},
|
|
67
|
+
);
|
|
68
|
+
|
|
69
|
+
return reply;
|
|
@@ -0,0 +1,139 @@
|
|
|
1
|
+
export const meta = {
|
|
2
|
+
name: "bds-scylla-tenant-bucket-investigation",
|
|
3
|
+
description: "Investigate Scylla BDS tenant health and tenant bucket state with read-only kcsb, bucketdetails-config, BDM pod, and hadoop fs S3A evidence.",
|
|
4
|
+
whenToUse: "Use when Slack/PagerDuty reports bds_bdm_tenant_tenant_health_status_alert, a Scylla tenant is unhealthy, or BDM tenant bucket paths need read-only verification.",
|
|
5
|
+
phases: ["Plan", "Source", "Cluster", "Bucket", "RCA"],
|
|
6
|
+
};
|
|
7
|
+
|
|
8
|
+
phase("Plan");
|
|
9
|
+
const plan = await agent(
|
|
10
|
+
[
|
|
11
|
+
"Extract alertName, cluster, namespace, source pod, environment, tenant, severity, and alert time.",
|
|
12
|
+
"Use the skill flow as the procedure; call only mcp__devops_tool__bds_scylla_tenant_bucket_command_pack to normalize fields and produce read-only source/Kubernetes/S3A command inputs.",
|
|
13
|
+
"No Bash, browser, WebFetch, local reproduction, hdfs, aws s3, hadoop fs -get, or mutating commands.",
|
|
14
|
+
"Return parsed alert fields, command-pack output, and missing fields.",
|
|
15
|
+
].join("\n"),
|
|
16
|
+
{
|
|
17
|
+
label: "bds-scylla-tenant-plan",
|
|
18
|
+
phase: "Plan",
|
|
19
|
+
tools: "mcp__devops_tool__bds_scylla_tenant_bucket_command_pack",
|
|
20
|
+
disallowedTools: "Bash,Read,Glob,Grep,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
21
|
+
},
|
|
22
|
+
);
|
|
23
|
+
|
|
24
|
+
phase("Source");
|
|
25
|
+
const source = await agent(
|
|
26
|
+
[
|
|
27
|
+
"Read BDM tenant-health source code before interpreting bucket data.",
|
|
28
|
+
"Use bitbucket_api_read against https://bitbucket.workday.com/projects/BDS/repos/sirius/browse or the equivalent /rest/api/latest/projects/BDS/repos/sirius endpoints.",
|
|
29
|
+
"For deeper grep, use a human-reviewed local cache clone/pull outside this workflow, then git_repo_read and repo_text_index only.",
|
|
30
|
+
"Search for tenant health, TenantHealth, tenant_health, unhealthy, brokenDsInfo, consistency_check, and operationsLog.",
|
|
31
|
+
"Return source paths, function/class names, predicates, and expected data paths/object content.",
|
|
32
|
+
"Do not infer unhealthy status from directory shape until source predicates are known.",
|
|
33
|
+
"",
|
|
34
|
+
"Plan:",
|
|
35
|
+
plan,
|
|
36
|
+
].join("\n"),
|
|
37
|
+
{
|
|
38
|
+
label: "bds-scylla-tenant-source",
|
|
39
|
+
phase: "Source",
|
|
40
|
+
tools: "mcp__devops_tool__bitbucket_api_read,mcp__devops_tool__git_repo_read,mcp__devops_tool__repo_text_index",
|
|
41
|
+
disallowedTools: "Bash,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
42
|
+
},
|
|
43
|
+
);
|
|
44
|
+
|
|
45
|
+
phase("Cluster");
|
|
46
|
+
const cluster = await agent(
|
|
47
|
+
[
|
|
48
|
+
"Collect read-only Kubernetes context after operator login and SPC connect.",
|
|
49
|
+
"Use kubernetes_status_snapshot for pod context; remote_readonly_command only for kcsb get pod, kcsb get cm bucketdetails-config -o yaml, or kubeconfig-backed kubectl reads.",
|
|
50
|
+
"Do not retry login flows. If auth is missing, report that operator login is required.",
|
|
51
|
+
"Never run kubectl or kcsb apply, delete, patch, edit, scale, set, rollout restart, or exec commands in this phase.",
|
|
52
|
+
"",
|
|
53
|
+
"Plan:",
|
|
54
|
+
plan,
|
|
55
|
+
"",
|
|
56
|
+
"Source:",
|
|
57
|
+
source,
|
|
58
|
+
].join("\n"),
|
|
59
|
+
{
|
|
60
|
+
label: "bds-scylla-tenant-cluster",
|
|
61
|
+
phase: "Cluster",
|
|
62
|
+
tools: "mcp__devops_tool__kubernetes_status_snapshot,mcp__devops_tool__remote_readonly_command",
|
|
63
|
+
disallowedTools: "WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
64
|
+
},
|
|
65
|
+
);
|
|
66
|
+
|
|
67
|
+
phase("Bucket");
|
|
68
|
+
const bucket = await agent(
|
|
69
|
+
[
|
|
70
|
+
"Collect only read-only S3A bucket evidence from a BDM pod.",
|
|
71
|
+
"Use the tenant folder rule data/tenants/<ENV_NAME>.<tenantName>; expected path-shape children can include operationsLog.csv, ted, and tmp.",
|
|
72
|
+
"Count active BDS tenants separately from bucket tenant folders. Prefer BDM metrics with isActiveTenant=\"true\" for active tenant evidence; treat bucket folder count as path inventory only.",
|
|
73
|
+
"Use remote_readonly_command against the Kubernetes BDM pod only for hadoop fs read commands: -ls, -cat, -head, -du, -count, -stat, -test, or -text.",
|
|
74
|
+
"For decrypt failures, capture timestamped BDM read errors and bds-service-proxy authenticated SIR key-fetch/decrypt errors. Look for Response code 503, Response status: 503, BdsCipherClient Error in decrypt, and KMSClientException.",
|
|
75
|
+
"For SIR key-fetch 503, verify SIR front-door DNS/HTTP reachability from bds-service-proxy; label unauthenticated curl 401 as reachability/auth-boundary only and note curl -k applies only to HTTPS.",
|
|
76
|
+
"Check kubectl auth can-i before trying to inspect sir, galahad, ors, or oms namespaces. If RBAC denies access, report backend pod/log inspection as blocked rather than making an availability claim.",
|
|
77
|
+
"When available, compare with another active tenant that successfully reads the same predefined file path.",
|
|
78
|
+
"Use hadoop fs, not hdfs. Do not use aws s3 inside BDS pods.",
|
|
79
|
+
"Never run hadoop fs -get, -put, -rm, -mkdir, -touchz, -mv, -cp, -chmod, -chown, or local redirection, except status-only redirection to /dev/null when explicitly used to avoid printing decrypted contents.",
|
|
80
|
+
"Return raw observations, command labels, path checked, and timestamps. Mark failures as evidence gaps.",
|
|
81
|
+
"",
|
|
82
|
+
"Plan:",
|
|
83
|
+
plan,
|
|
84
|
+
"",
|
|
85
|
+
"Source:",
|
|
86
|
+
source,
|
|
87
|
+
"",
|
|
88
|
+
"Cluster:",
|
|
89
|
+
cluster,
|
|
90
|
+
].join("\n"),
|
|
91
|
+
{
|
|
92
|
+
label: "bds-scylla-tenant-bucket",
|
|
93
|
+
phase: "Bucket",
|
|
94
|
+
tools: "mcp__devops_tool__remote_readonly_command",
|
|
95
|
+
disallowedTools: "WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
96
|
+
},
|
|
97
|
+
);
|
|
98
|
+
|
|
99
|
+
phase("RCA");
|
|
100
|
+
const rca = await agent(
|
|
101
|
+
[
|
|
102
|
+
"Draft a concise Markdown RCA from the collected evidence only.",
|
|
103
|
+
"Include Summary, Evidence table, Timeline, Current State, and Next Read-Only Checks.",
|
|
104
|
+
"State root cause or hypothesis with confidence and distinguish evidence from inference.",
|
|
105
|
+
"Include a Code-to-Data Comparison table mapping each source predicate to S3A evidence and pass/fail/unknown status.",
|
|
106
|
+
"Include active BDS tenant count separately from bucket folder count; state envops/test versus customer tenants based only on evidence.",
|
|
107
|
+
"Include concrete error log lines for key/decrypt failures, not just summarized errors.",
|
|
108
|
+
"Keep SIR front-door reachability separate from authenticated key-fetch 503; state whether Galahad/OMS/ORS inspection was RBAC-blocked.",
|
|
109
|
+
"If the environment is customer-like but only envops/test BDS tenants are observed, state both facts and do not claim direct customer data impact without evidence.",
|
|
110
|
+
"Include bucket ConfigMap source, BDM pod, hadoop fs path, tenant path, and consistency-check file result when available.",
|
|
111
|
+
"List remediation only as manual human-reviewed recommendations, not executed actions.",
|
|
112
|
+
"",
|
|
113
|
+
"Plan:",
|
|
114
|
+
plan,
|
|
115
|
+
"",
|
|
116
|
+
"Source:",
|
|
117
|
+
source,
|
|
118
|
+
"",
|
|
119
|
+
"Cluster:",
|
|
120
|
+
cluster,
|
|
121
|
+
"",
|
|
122
|
+
"Bucket:",
|
|
123
|
+
bucket,
|
|
124
|
+
].join("\n"),
|
|
125
|
+
{
|
|
126
|
+
label: "bds-scylla-tenant-rca",
|
|
127
|
+
phase: "RCA",
|
|
128
|
+
tools: "",
|
|
129
|
+
disallowedTools: "Bash,Read,Glob,Grep,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
130
|
+
},
|
|
131
|
+
);
|
|
132
|
+
|
|
133
|
+
return {
|
|
134
|
+
plan,
|
|
135
|
+
source,
|
|
136
|
+
cluster,
|
|
137
|
+
bucket,
|
|
138
|
+
rca,
|
|
139
|
+
};
|
|
@@ -0,0 +1,189 @@
|
|
|
1
|
+
export const meta = {
|
|
2
|
+
name: "bds-tenant-data-operation-log-investigation",
|
|
3
|
+
description: "Investigate BDS tenant data operation logs and PRISM path shape with read-only TSS, source, and HDFS evidence.",
|
|
4
|
+
whenToUse: "Use when a tenant is released but BDS/PRISM data or operationsLog.csv may be missing, incomplete, or inconsistent with preview/gold tenants.",
|
|
5
|
+
phases: ["Plan", "Source", "State", "ResolveHost", "Access", "HDFS", "RCA"],
|
|
6
|
+
};
|
|
7
|
+
|
|
8
|
+
phase("Plan");
|
|
9
|
+
const plan = await agent(
|
|
10
|
+
[
|
|
11
|
+
"Extract cluster, datanode, HDFS authority, environment, tenant, and comparison tenants.",
|
|
12
|
+
"Use the skill flow as the procedure; call only mcp__devops_tool__bds_tenant_data_operation_log_command_pack to normalize fields and produce read-only HDFS/source command inputs.",
|
|
13
|
+
"Do not use Bash, browser access, WebFetch, local reproduction, HDFS writes, Keychain reads, or sudo in this phase.",
|
|
14
|
+
"Return parsed fields, command-pack output, and missing fields.",
|
|
15
|
+
].join("\n"),
|
|
16
|
+
{
|
|
17
|
+
label: "bds-tenant-data-operation-log-plan",
|
|
18
|
+
phase: "Plan",
|
|
19
|
+
tools: "mcp__devops_tool__bds_tenant_data_operation_log_command_pack",
|
|
20
|
+
disallowedTools: "Bash,Read,Glob,Grep,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
21
|
+
},
|
|
22
|
+
);
|
|
23
|
+
|
|
24
|
+
phase("Source");
|
|
25
|
+
const source = await agent(
|
|
26
|
+
[
|
|
27
|
+
"Confirm operation-log semantics from Sirius BDM source when needed.",
|
|
28
|
+
"Use bitbucket_api_read against https://bitbucket.workday.com/projects/BDS/repos/sirius/browse or equivalent /rest/api/latest/projects/BDS/repos/sirius endpoints.",
|
|
29
|
+
"For deeper grep, use a human-reviewed local cache clone/pull outside this workflow, then git_repo_read and repo_text_index only.",
|
|
30
|
+
"Search for operationLog, operationLogPath, getOperationLogRaw, /api/v3/bds/log, /v2/bds/log, and TenantDataManager.",
|
|
31
|
+
"Return source paths, functions/classes, and path rules.",
|
|
32
|
+
"",
|
|
33
|
+
"Plan:",
|
|
34
|
+
plan,
|
|
35
|
+
].join("\n"),
|
|
36
|
+
{
|
|
37
|
+
label: "bds-tenant-data-operation-log-source",
|
|
38
|
+
phase: "Source",
|
|
39
|
+
tools: "mcp__devops_tool__bitbucket_api_read,mcp__devops_tool__git_repo_read,mcp__devops_tool__repo_text_index",
|
|
40
|
+
disallowedTools: "Bash,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
41
|
+
},
|
|
42
|
+
);
|
|
43
|
+
|
|
44
|
+
phase("State");
|
|
45
|
+
const state = await agent(
|
|
46
|
+
[
|
|
47
|
+
"Collect tenant TSS/OMS state only as a separate evidence domain.",
|
|
48
|
+
"Use available read-only HTTP/API tools, or report that tenant status API must be checked manually.",
|
|
49
|
+
"Do not infer BDS or PRISM data readiness from RELEASED/OK.",
|
|
50
|
+
"",
|
|
51
|
+
"Plan:",
|
|
52
|
+
plan,
|
|
53
|
+
"",
|
|
54
|
+
"Source:",
|
|
55
|
+
source,
|
|
56
|
+
].join("\n"),
|
|
57
|
+
{
|
|
58
|
+
label: "bds-tenant-data-operation-log-state",
|
|
59
|
+
phase: "State",
|
|
60
|
+
tools: "mcp__devops_tool__remote_readonly_command",
|
|
61
|
+
disallowedTools: "WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
62
|
+
},
|
|
63
|
+
);
|
|
64
|
+
|
|
65
|
+
phase("ResolveHost");
|
|
66
|
+
const resolvedHost = await agent(
|
|
67
|
+
[
|
|
68
|
+
"Resolve the concrete BDS host for HDFS read-only evidence before Boundary login or remote commands.",
|
|
69
|
+
"If the plan includes a datanodeHost, confirm it against BDS host lookup/inventory for the cluster instead of assuming it is current.",
|
|
70
|
+
"If no datanodeHost is provided, use mcp__devops_tool__bds_environment_host_lookup with roles=[\"datanode\",\"bdm\",\"namenode\"] and choose the narrowest host that can read the HDFS tenant path.",
|
|
71
|
+
"Keep datanodeHost, BDM host, cluster, HDFS authority, environmentName, tenantName, and comparison tenants as separate fields.",
|
|
72
|
+
"Do not invent host tools such as workday_host_info, host_info, host_query, or bds_enterprise_host_lookup.",
|
|
73
|
+
"Do not use grep, ls, Read, Glob, repository search, local /hadoop paths, local hdfs, or local curl as a substitute for host lookup.",
|
|
74
|
+
"If the exact host lookup MCP tool is unavailable or fails, stop and report the exact tool error as a tooling/access gap.",
|
|
75
|
+
"Return hdfsEvidenceHost, host role, cluster, lookup evidence, stale host exclusions, and ambiguity.",
|
|
76
|
+
"",
|
|
77
|
+
"Plan:",
|
|
78
|
+
plan,
|
|
79
|
+
"",
|
|
80
|
+
"State:",
|
|
81
|
+
state,
|
|
82
|
+
].join("\n"),
|
|
83
|
+
{
|
|
84
|
+
label: "bds-tenant-data-operation-log-resolve-host",
|
|
85
|
+
phase: "ResolveHost",
|
|
86
|
+
tools: "mcp__devops_tool__bds_environment_host_lookup,mcp__devops_tool__bds_machine_inventory",
|
|
87
|
+
disallowedTools: "Agent,Task,TaskCreate,Bash,Read,Glob,Grep,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion,mcp__devops_tool__workday_boundary_login,mcp__devops_tool__remote_readonly_command",
|
|
88
|
+
},
|
|
89
|
+
);
|
|
90
|
+
|
|
91
|
+
phase("Access");
|
|
92
|
+
const access = await agent(
|
|
93
|
+
[
|
|
94
|
+
"Check Boundary/DC readiness for the resolved hdfsEvidenceHost; use workday_boundary_login action=status unless login was explicitly approved.",
|
|
95
|
+
"Private cloud uses bauth init plus ordinary ssh to the explicit host.",
|
|
96
|
+
"Confirm hostname, UTC clock, user, command -v hdfs, and Kerberos cache state with remote_readonly_command.",
|
|
97
|
+
"If sudo/root HDFS access is required, use only mcp__devops_tool__workday_private_cloud_sudo_readonly_command; never ask for, print, or directly read LDAP password or Keychain JSON.",
|
|
98
|
+
"If remote_readonly_command is denied or unavailable, report the exact evidence gap and do not pivot to local HDFS, repo search, or guessed host metadata.",
|
|
99
|
+
"",
|
|
100
|
+
"Plan:",
|
|
101
|
+
plan,
|
|
102
|
+
"",
|
|
103
|
+
"ResolvedHost:",
|
|
104
|
+
resolvedHost,
|
|
105
|
+
].join("\n"),
|
|
106
|
+
{
|
|
107
|
+
label: "bds-tenant-data-operation-log-access",
|
|
108
|
+
phase: "Access",
|
|
109
|
+
tools: "mcp__devops_tool__workday_boundary_login,mcp__devops_tool__remote_readonly_command",
|
|
110
|
+
disallowedTools: "Agent,Task,TaskCreate,Bash,Read,Glob,Grep,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
111
|
+
},
|
|
112
|
+
);
|
|
113
|
+
|
|
114
|
+
phase("HDFS");
|
|
115
|
+
const hdfs = await agent(
|
|
116
|
+
[
|
|
117
|
+
"Collect read-only HDFS evidence from the resolved hdfsEvidenceHost, approved datanode, or BDM pod.",
|
|
118
|
+
"Use remote_readonly_command only for single read commands that are already allowed: hostname, id, command -v hdfs, klist, hdfs crypto -listZones, hdfs dfs -ls, -du, -test, -tail, -cat, -count, or -stat.",
|
|
119
|
+
"Credential setup through Keychain/sudo must be operator-approved and must never print passwords, tokens, raw JSON, or sudo stdin.",
|
|
120
|
+
"Check data/tenants/<ENV_NAME>.<tenantName>/operationsLog.csv and provided preview/gold/numbered tenants.",
|
|
121
|
+
"Never run hdfs dfs -get, -put, -rm, -mkdir, -touchz, -cp, -mv, -chmod, or -chown.",
|
|
122
|
+
"Return observations, command labels, checked path, and timestamps. Mark missing files as evidence, not tool failure.",
|
|
123
|
+
"",
|
|
124
|
+
"Plan:",
|
|
125
|
+
plan,
|
|
126
|
+
"",
|
|
127
|
+
"Source:",
|
|
128
|
+
source,
|
|
129
|
+
"",
|
|
130
|
+
"State:",
|
|
131
|
+
state,
|
|
132
|
+
"",
|
|
133
|
+
"ResolvedHost:",
|
|
134
|
+
resolvedHost,
|
|
135
|
+
"",
|
|
136
|
+
"Access:",
|
|
137
|
+
access,
|
|
138
|
+
].join("\n"),
|
|
139
|
+
{
|
|
140
|
+
label: "bds-tenant-data-operation-log-hdfs",
|
|
141
|
+
phase: "HDFS",
|
|
142
|
+
tools: "mcp__devops_tool__remote_readonly_command",
|
|
143
|
+
disallowedTools: "WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
144
|
+
},
|
|
145
|
+
);
|
|
146
|
+
|
|
147
|
+
phase("RCA");
|
|
148
|
+
const rca = await agent(
|
|
149
|
+
[
|
|
150
|
+
"Draft a concise Markdown RCA from collected evidence only.",
|
|
151
|
+
"Include Scope, State Domains, Evidence table, Path-shape comparison, Operation log timeline, Conclusion, and Next Read-Only Checks.",
|
|
152
|
+
"Separate direct evidence from inference. State confidence explicitly.",
|
|
153
|
+
"Manual remediation notes are allowed only as recommendations and must be marked not executed.",
|
|
154
|
+
"",
|
|
155
|
+
"Plan:",
|
|
156
|
+
plan,
|
|
157
|
+
"",
|
|
158
|
+
"Source:",
|
|
159
|
+
source,
|
|
160
|
+
"",
|
|
161
|
+
"State:",
|
|
162
|
+
state,
|
|
163
|
+
"",
|
|
164
|
+
"ResolvedHost:",
|
|
165
|
+
resolvedHost,
|
|
166
|
+
"",
|
|
167
|
+
"Access:",
|
|
168
|
+
access,
|
|
169
|
+
"",
|
|
170
|
+
"HDFS:",
|
|
171
|
+
hdfs,
|
|
172
|
+
].join("\n"),
|
|
173
|
+
{
|
|
174
|
+
label: "bds-tenant-data-operation-log-rca",
|
|
175
|
+
phase: "RCA",
|
|
176
|
+
tools: "",
|
|
177
|
+
disallowedTools: "Bash,Read,Glob,Grep,WebFetch,WebSearch,Write,Edit,NotebookEdit,AskUserQuestion",
|
|
178
|
+
},
|
|
179
|
+
);
|
|
180
|
+
|
|
181
|
+
return {
|
|
182
|
+
plan,
|
|
183
|
+
source,
|
|
184
|
+
state,
|
|
185
|
+
resolvedHost,
|
|
186
|
+
access,
|
|
187
|
+
hdfs,
|
|
188
|
+
rca,
|
|
189
|
+
};
|