@nuvlore/extension-bds 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (109) hide show
  1. package/LICENSE +202 -0
  2. package/README.md +3 -0
  3. package/agents/bds-airflow-job-status-readonly.yaml +123 -0
  4. package/agents/bds-disk-investigator.yaml +112 -0
  5. package/agents/bds-inventory-readonly.yaml +60 -0
  6. package/agents/bds-oncall-reporter.yaml +113 -0
  7. package/agents/bds-prism-service-proxy-timeout-readonly.yaml +105 -0
  8. package/agents/bds-scylla-tenant-bucket-readonly.yaml +104 -0
  9. package/agents/bds-tenant-data-operation-log-readonly.yaml +98 -0
  10. package/agents/bds-yarn-app-health-readonly.yaml +114 -0
  11. package/agents/pharos-alert-investigator.yaml +81 -0
  12. package/package.json +60 -0
  13. package/skills/bds-airflow-job-status-investigation/SKILL.md +104 -0
  14. package/skills/bds-airflow-job-status-investigation/references/airflow-access-runbook.md +35 -0
  15. package/skills/bds-airflow-job-status-investigation/references/airflow-bas-dr-runbook.md +42 -0
  16. package/skills/bds-airflow-job-status-investigation/references/airflow-copy-and-migration-runbook.md +63 -0
  17. package/skills/bds-airflow-job-status-investigation/references/airflow-job-status-runbook.md +15 -0
  18. package/skills/bds-airflow-job-status-investigation/references/airflow-output-runbook.md +28 -0
  19. package/skills/bds-airflow-job-status-investigation/references/airflow-snapshot-runbook.md +38 -0
  20. package/skills/bds-disk-io-alert-investigation/SKILL.md +116 -0
  21. package/skills/bds-hadoop-review/SKILL.md +66 -0
  22. package/skills/bds-machine-inventory/SKILL.md +48 -0
  23. package/skills/bds-oncall-followup/SKILL.md +71 -0
  24. package/skills/bds-oncall-followup/references/oncall-followup-runbook.md +58 -0
  25. package/skills/bds-prism-service-proxy-timeout-investigation/SKILL.md +73 -0
  26. package/skills/bds-prism-service-proxy-timeout-investigation/references/service-proxy-timeout-runbook.md +48 -0
  27. package/skills/bds-scylla-tenant-bucket-investigation/SKILL.md +73 -0
  28. package/skills/bds-scylla-tenant-bucket-investigation/references/tenant-bucket-runbook.md +91 -0
  29. package/skills/bds-tenant-data-operation-log-investigation/SKILL.md +89 -0
  30. package/skills/bds-yarn-app-health-investigation/SKILL.md +77 -0
  31. package/skills/bds-yarn-app-health-investigation/references/yarn-app-health-runbook.md +53 -0
  32. package/skills/pharos-alert-investigation/SKILL.md +80 -0
  33. package/src/bds-atomic-log-tools.mjs +300 -0
  34. package/src/bds-team-membership-claude-output.mjs +36 -0
  35. package/src/bds-team-membership-quality.mjs +90 -0
  36. package/tools/bds_airflow_dag_log_read.mjs +24 -0
  37. package/tools/bds_airflow_job_status_command_pack.mjs +587 -0
  38. package/tools/bds_bas_log_read.mjs +23 -0
  39. package/tools/bds_bdm_httpd_log_read.mjs +24 -0
  40. package/tools/bds_chef_client_log_read.mjs +23 -0
  41. package/tools/bds_dashboard_links.mjs +178 -0
  42. package/tools/bds_dashboard_query_knowledge.mjs +258 -0
  43. package/tools/bds_dashboard_query_read.mjs +120 -0
  44. package/tools/bds_disk_io_alert_command_pack.mjs +287 -0
  45. package/tools/bds_environment_host_lookup.mjs +741 -0
  46. package/tools/bds_hdfs_datanode_log_read.mjs +23 -0
  47. package/tools/bds_hdfs_journalnode_log_read.mjs +23 -0
  48. package/tools/bds_hdfs_namenode_log_read.mjs +23 -0
  49. package/tools/bds_hdfs_path_knowledge.mjs +324 -0
  50. package/tools/bds_information_source_knowledge.mjs +356 -0
  51. package/tools/bds_kms_log_read.mjs +23 -0
  52. package/tools/bds_log_path_knowledge.mjs +267 -0
  53. package/tools/bds_machine_inventory.mjs +434 -0
  54. package/tools/bds_mapreduce_historyserver_log_read.mjs +23 -0
  55. package/tools/bds_migration_service_operation_command_pack.mjs +233 -0
  56. package/tools/bds_oncall_followup_payload_draft.mjs +285 -0
  57. package/tools/bds_pharos_query_pack.mjs +218 -0
  58. package/tools/bds_portal_operation_knowledge.mjs +212 -0
  59. package/tools/bds_prism_clone_status_links.mjs +129 -0
  60. package/tools/bds_prism_service_proxy_timeout_query_pack.mjs +224 -0
  61. package/tools/bds_public_cloud_pod_log_read.mjs +18 -0
  62. package/tools/bds_scylla_tenant_bucket_command_pack.mjs +323 -0
  63. package/tools/bds_service_proxy_log_read.mjs +23 -0
  64. package/tools/bds_spark_historyserver_log_read.mjs +32 -0
  65. package/tools/bds_spas_mt_log_read.mjs +23 -0
  66. package/tools/bds_tenant_data_operation_log_command_pack.mjs +321 -0
  67. package/tools/bds_yarn_app_health_command_pack.mjs +529 -0
  68. package/tools/bds_yarn_nodemanager_log_read.mjs +23 -0
  69. package/tools/bds_yarn_resourcemanager_log_read.mjs +23 -0
  70. package/tools/bds_zookeeper_log_read.mjs +23 -0
  71. package/tools/confluence_handoff_page_draft.mjs +173 -0
  72. package/vendor/dashboard/src/grafana-dashboard-query.mjs +61 -0
  73. package/vendor/extension-read-only-toolkit/LICENSE +202 -0
  74. package/vendor/extension-read-only-toolkit/README.md +29 -0
  75. package/vendor/extension-read-only-toolkit/package.json +46 -0
  76. package/vendor/extension-read-only-toolkit/src/devops-data-paths.mjs +222 -0
  77. package/vendor/extension-read-only-toolkit/src/devops-diagnostics.mjs +440 -0
  78. package/vendor/extension-read-only-toolkit/src/enterprise-api-read.mjs +180 -0
  79. package/vendor/extension-read-only-toolkit/src/read-only-command-pack.mjs +1 -0
  80. package/vendor/extension-read-only-toolkit/src/read-only-plan.mjs +45 -0
  81. package/vendor/extension-read-only-toolkit/src/read-only-shell-policy.d.mts +26 -0
  82. package/vendor/extension-read-only-toolkit/src/read-only-shell-policy.mjs +170 -0
  83. package/vendor/extension-workday-infra-access/LICENSE +202 -0
  84. package/vendor/extension-workday-infra-access/README.md +3 -0
  85. package/vendor/extension-workday-infra-access/agents/workday-infra-access-readonly.yaml +183 -0
  86. package/vendor/extension-workday-infra-access/package.json +49 -0
  87. package/vendor/extension-workday-infra-access/skills/workday-infra-access/SKILL.md +102 -0
  88. package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-boundary-runbook.md +43 -0
  89. package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-runbook.md +15 -0
  90. package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-scylla-cloud-runbook.md +39 -0
  91. package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-spc-argo-runbook.md +99 -0
  92. package/vendor/extension-workday-infra-access/src/workday-access-profiles.mjs +194 -0
  93. package/vendor/extension-workday-infra-access/tools/aws_cust_federated_readonly_command_pack.mjs +234 -0
  94. package/vendor/extension-workday-infra-access/tools/gcp_readonly_command_pack.mjs +167 -0
  95. package/vendor/extension-workday-infra-access/tools/public_cloud_access_status.mjs +48 -0
  96. package/vendor/extension-workday-infra-access/tools/workday_boundary_login.mjs +460 -0
  97. package/vendor/extension-workday-infra-access/tools/workday_private_cloud_sudo_readonly_command.mjs +386 -0
  98. package/vendor/extension-workday-infra-access/tools/workday_public_cloud_environment_map.mjs +189 -0
  99. package/vendor/extension-workday-infra-access/tools/workday_public_cloud_kubernetes_read.mjs +297 -0
  100. package/vendor/extension-workday-infra-access/tools/workday_public_cloud_spc_login.mjs +505 -0
  101. package/vendor/extension-workday-infra-access/tools/workday_spc_argo_readonly_command_pack.mjs +215 -0
  102. package/vendor/extension-workday-infra-access/workflows/public-cloud-readonly-investigation.js +99 -0
  103. package/workflows/bds-airflow-job-status-investigation.js +168 -0
  104. package/workflows/bds-disk-io-alert-investigation.js +173 -0
  105. package/workflows/bds-oncall-followup.js +112 -0
  106. package/workflows/bds-prism-service-proxy-timeout-investigation.js +69 -0
  107. package/workflows/bds-scylla-tenant-bucket-investigation.js +139 -0
  108. package/workflows/bds-tenant-data-operation-log-investigation.js +189 -0
  109. package/workflows/bds-yarn-app-health-investigation.js +217 -0
@@ -0,0 +1,73 @@
1
+ ---
2
+ name: bds-prism-service-proxy-timeout-investigation
3
+ description: Use for Prism Spark on K8s driver BdsCipherClient generateKey/decrypt read timeouts against BDS bds-service-proxy, especially PRISM Delta commit failures with SocketTimeoutException or KMSClientException.
4
+ allowed-tools:
5
+ - Read
6
+ - Glob
7
+ - Grep
8
+ - mcp__devops_tool__bds_prism_service_proxy_timeout_query_pack
9
+ - mcp__devops_tool__jira_api_read
10
+ - mcp__devops_tool__kubernetes_status_snapshot
11
+ - mcp__devops_tool__remote_readonly_command
12
+ ---
13
+
14
+ # BDS Prism Service-Proxy Timeout Investigation
15
+
16
+ Use this skill when a Prism ticket, Slack thread, or Chiron attachment shows
17
+ Prism Spark on K8s failing with `BdsCipherClient.generateKey`,
18
+ `BdsCipherClient.decrypt`, `java.net.SocketTimeoutException`,
19
+ `KMSClientException: Read timed out`, or Delta commit aborts while calling BDS
20
+ `bds-service-proxy`.
21
+
22
+ ## System Boundary
23
+
24
+ The normal request path is:
25
+
26
+ `Prism Spark on K8s driver -> BdsCipherClient -> bds-service-proxy -> tenant key/decrypt backend`
27
+
28
+ A Prism driver `SocketTimeoutException` proves the client waited too long for a
29
+ response. It does not by itself prove `bds-service-proxy` was down or slow.
30
+ Correlate it with service-proxy logs before assigning BDS service impact.
31
+
32
+ Load `references/service-proxy-timeout-runbook.md` only for SPC/Jira access,
33
+ historical log retention, Prism/OMS RBAC, and output-table details.
34
+
35
+ ## Rules
36
+
37
+ - Stay read-only. Do not mutate Jira, Kubernetes, pods, services, tenant state,
38
+ bucket data, or local cluster files.
39
+ - This skill defines the flow; the atomic helper tool only emits validated read-only
40
+ Jira/Kubernetes query inputs.
41
+ - Use Jira GET only and never print Jira tokens or Keychain payloads.
42
+ - For customer SPC sessions, use the plan/runbook path, verify Kubernetes
43
+ context, `auth whoami`, and namespace `auth can-i` before reading evidence.
44
+ - Do not rely on `kubectl logs` as negative evidence until the first returned
45
+ timestamp proves it covers the incident window.
46
+ - If Kubernetes logs start after the incident window, use the runbook's bounded
47
+ pod-local rotated-log reads. Do not copy logs out or write files.
48
+ - Separate client-side Prism timeout, service-side errors, same-tenant
49
+ traffic, and Prism/OMS wrapper errors.
50
+
51
+ ## Workflow
52
+
53
+ 1. Parse Jira key, cluster, tenant, CID, Spark appId, Prism pod label, activity
54
+ id, and incident UTC from Slack/Jira/Chiron.
55
+ 2. Generate validated read-only query inputs with the atomic helper tool.
56
+ 3. Read Jira issue metadata, comments, and bounded Chiron attachment snippets.
57
+ 4. Connect through SPC and verify Kubernetes context/RBAC.
58
+ 5. Check `bds-service-proxy` deployment, pods, endpoints, image, restarts, and
59
+ which pod covers the incident window.
60
+ 6. Check `kubectl logs` retention; use pod-local rotated logs when needed.
61
+ 7. Grep the incident minute for tenant, CID/appId where available,
62
+ `generatedek`, `generateKey`, `decrypt`, `SocketTimeout`, `KMSClientException`,
63
+ `503`, `ERROR`, and `WARN`.
64
+ 8. Check Prism/OMS RBAC before trying to read Prism pod logs or OMS dump files.
65
+ 9. Draft the Slack response. State whether BDS logs show service-side errors or
66
+ successful same-tenant traffic, then ask Prism to inspect Spark
67
+ driver/network/socket timeout behavior when BDS-side evidence is clean.
68
+
69
+ ## Output Standard
70
+
71
+ Return Markdown with incident context, the system boundary, evidence table,
72
+ timeline, conclusion, suggested Slack reply, and evidence gaps. The conclusion
73
+ must distinguish client-side timeout evidence from service-side outage evidence.
@@ -0,0 +1,48 @@
1
+ # BDS Prism Service-Proxy Timeout Runbook
2
+
3
+ This reference holds detailed access and log rules for
4
+ `bds-prism-service-proxy-timeout-investigation/SKILL.md`.
5
+
6
+ ## Access Details
7
+
8
+ - Use Jira GET only. If the default Jira Keychain route is absent, the legacy
9
+ Jira Keychain alias emitted by the plan may be used as a secret source. Never
10
+ print the token.
11
+ - For customer SPC sessions, use `AWS_PROFILE=sso-cust`. If `spc connect` fails
12
+ before connecting with `ExpiredToken`, refresh with
13
+ `sso-cli aws --force --profile sso-cust`.
14
+ - Use `AWS_PROFILE=sso-cust spc connect cust <cluster>`, then verify
15
+ `kubectl --kubeconfig=$HOME/.kube/spc-config config current-context`,
16
+ `auth whoami`, and namespace `auth can-i` before reading evidence.
17
+ - Prefer `kubectl --kubeconfig=$HOME/.kube/spc-config -n bds ...` explicit
18
+ commands when `kcsb` is unavailable.
19
+
20
+ ## Historical Logs And RBAC
21
+
22
+ - If Kubernetes logs start after the incident window, inspect pod-local rotated
23
+ logs inside the long-running `bds-service-proxy` pod:
24
+ `/opt/bds-service-proxy/log/bds-service-proxy.log` and
25
+ `/opt/bds-service-proxy/log/bds-service-proxy-audit.log`.
26
+ - Use bounded pod exec reads only: `ls`, `grep`, `head`, `tail`, `sed -n`. Do
27
+ not copy logs out or write files.
28
+ - Match timestamps using the file format. Pod-local service-proxy logs use ISO
29
+ timestamps such as `2026-06-05T15:38:02.028Z`, while Prism attachments may use
30
+ `2026-06-05 15:38:02,937`.
31
+ - For Prism/OMS dump references such as
32
+ `/usr/local/workday-oms/logs/dumps/<id>.dump`, first check RBAC for `prism`
33
+ and `oms` namespaces. If RBAC denies access, say direct dump inspection is
34
+ blocked and rely only on the Jira attachment excerpt.
35
+
36
+ ## Output Details
37
+
38
+ - Jira/Chiron metadata: Delta commit path, manifest file, Spark appId, activity
39
+ id, OMS dump path, tenant, CID, and incident UTC.
40
+ - SPC/RBAC: current context, identity, `bds`, `prism`, and `oms` namespace
41
+ access checks.
42
+ - Service-proxy state: deployment, pods, endpoints, image, restart count, and
43
+ which pod covers the incident window.
44
+ - Service logs: Kubernetes retention boundary, pod-local log file checked,
45
+ tenant/CID/appId grep terms, service-side errors, successful same-tenant
46
+ traffic, and downstream wrapper errors.
47
+ - Conclusion should distinguish Prism Spark driver client-side timeout evidence
48
+ from BDS service-proxy service-side outage evidence.
@@ -0,0 +1,73 @@
1
+ ---
2
+ name: bds-scylla-tenant-bucket-investigation
3
+ description: Use for Scylla BDS tenant health alerts and read-only tenant bucket checks where BDM pods, bucketdetails-config, and hadoop fs S3A inspection are needed.
4
+ allowed-tools:
5
+ - Read
6
+ - Glob
7
+ - Grep
8
+ - mcp__devops_tool__bds_scylla_tenant_bucket_command_pack
9
+ - mcp__devops_tool__bitbucket_api_read
10
+ - mcp__devops_tool__git_repo_read
11
+ - mcp__devops_tool__repo_text_index
12
+ - mcp__devops_tool__kubernetes_status_snapshot
13
+ - mcp__devops_tool__remote_readonly_command
14
+ - mcp__devops_tool__pharos_alert_read
15
+ - mcp__devops_tool__bds_dashboard_links
16
+ ---
17
+
18
+ # BDS Scylla Tenant Bucket Investigation
19
+
20
+ Use this skill for Scylla BDS tenant health alerts, tenant bucket path checks,
21
+ missing tenant data questions, or BDM / bds-service-proxy image behavior after
22
+ HDFS CLI removal.
23
+
24
+ Load `references/tenant-bucket-runbook.md` only after generating the plan and
25
+ identifying the incident type.
26
+
27
+ ## Hard Rules
28
+
29
+ - Stay read-only. Do not mutate Kubernetes resources, bucket objects, local pod
30
+ files, tenant state, or BDS service state.
31
+ - This skill defines the investigation flow. Use
32
+ `mcp__devops_tool__bds_scylla_tenant_bucket_command_pack` only to normalize
33
+ fields and produce validated read-only source/Kubernetes/S3A command inputs.
34
+ - Treat BDM source code as the first source of truth for tenant-health meaning.
35
+ Prefer `mcp__devops_tool__bitbucket_api_read` against
36
+ `https://bitbucket.workday.com/projects/BDS/repos/sirius/browse`; use
37
+ `git_repo_read`, `repo_text_index`, and local read-only grep only for a
38
+ human-reviewed cache.
39
+ - Build and verify the SPC/Kubernetes connection before remote checks. If
40
+ `kcsb` is unavailable, use the explicit read-only
41
+ `kubectl --kubeconfig=$HOME/.kube/spc-config -n bds ...` equivalent.
42
+ - Use the BDM pod and `hadoop fs` for S3A reads. Do not use `hdfs`, `aws s3`,
43
+ KDC pods, or `hadoop fs -get` for this workflow.
44
+ - Do not print tenant key material or decrypted tenant file contents unless the
45
+ operator explicitly asks and confirms the sensitivity boundary.
46
+ - Before claiming SIR, Galahad, OMS, or ORS pods/logs are down or missing,
47
+ verify namespace RBAC with `kubectl auth can-i`.
48
+
49
+ ## Evidence Order
50
+
51
+ 1. Parse alert name, cluster, source, environment, tenant, severity, and firing
52
+ or resolved time from Slack, PagerDuty, Solas, or Pharos context.
53
+ 2. Confirm the operator already connected to the target Scylla environment; do
54
+ not run login retry loops.
55
+ 3. Generate the validated read-only command pack.
56
+ 4. Read BDM `BDS/sirius` source and record exact tenant-health file paths,
57
+ functions/classes, and predicates before interpreting bucket data.
58
+ 5. Collect cluster context with `kcsb get pod` and
59
+ `kcsb get cm bucketdetails-config -o yaml`.
60
+ 6. Count active BDS tenants separately from bucket tenant folders.
61
+ 7. Map each source predicate to S3A evidence from `hadoop fs` read commands.
62
+ 8. For decrypt/SIR failures, correlate BDM logs, bds-service-proxy logs,
63
+ front-door reachability, and backend namespace RBAC.
64
+ 9. Compare with another active healthy tenant when available.
65
+ 10. Return a concise RCA/current-state summary with evidence gaps and read-only
66
+ follow-ups.
67
+
68
+ ## Output
69
+
70
+ Return alert context, source logic, evidence table, active-tenant versus
71
+ bucket-folder census, code-to-data comparison, key/decrypt logs, SIR/Galahad/OMS
72
+ boundary, healthy comparison, bucket path checked, confidence, and read-only next
73
+ checks. Separate direct command evidence from inference.
@@ -0,0 +1,91 @@
1
+ # BDS Scylla Tenant Bucket Runbook
2
+
3
+ This reference holds scenario details for
4
+ `bds-scylla-tenant-bucket-investigation/SKILL.md`.
5
+
6
+ ## Source And Tenant Health Logic
7
+
8
+ - Search BDM source for `tenant health`, `TenantHealth`, `tenant_health`,
9
+ `unhealthy`, `brokenDsInfo`, `consistency_check`, and `operationsLog`; record
10
+ exact file paths, functions/classes, and predicates before interpreting data.
11
+ - Distinguish active BDS tenant count from tenant folders in the bucket. Bucket
12
+ folders can be stale, disabled, or test leftovers; active tenant evidence
13
+ should come from BDM metrics such as `bds_stats_tenant_*{isActiveTenant="true"}`
14
+ or from BDM/EMS active-tenant health-check behavior.
15
+ - For alerts on envops/test tenants, do not downplay the alert if the
16
+ environment is tier-0/customer-like. State both facts: environment criticality
17
+ and whether any real customer BDS tenant data impact was observed.
18
+
19
+ ## Kubernetes And Bucket Evidence
20
+
21
+ - Use `kcsb get pod` and `kcsb get cm bucketdetails-config -o yaml` to anchor
22
+ pod names and bucket name before checking S3A paths.
23
+ - Tenant folders are discoverable by the rule
24
+ `data/tenants/<ENV_NAME>.<tenantName>`, for example
25
+ `data/tenants/WD504-IMPL.schellman1`.
26
+ - A normally discoverable tenant folder can contain `operationsLog.csv`, `ted`,
27
+ and `tmp`; use those as path-shape evidence, not as health proof.
28
+ - Inside the BDM pod, use only read commands such as `hadoop fs -ls`,
29
+ `hadoop fs -cat`, `hadoop fs -head`, `hadoop fs -du`, `hadoop fs -count`,
30
+ `hadoop fs -stat`, `hadoop fs -test`, and `hadoop fs -text`.
31
+ - Prefer status-only read/decrypt probes such as redirecting `hadoop fs -cat` to
32
+ `/dev/null` and reporting only exit status and sanitized errors.
33
+ - Do not use `aws s3` inside BDM or bds-service-proxy pods; observed behavior is
34
+ `NoCredentials`.
35
+ - Do not assume `hdfs` exists in BDM or bds-service-proxy pods. New images may
36
+ remove it; use `hadoop fs`.
37
+ - Do not use `hadoop fs -get` for listing or debugging. It downloads to local
38
+ disk and can fail with local mkdir errors.
39
+ - Do not use KDC pods as the default S3A inspection point. They may have `hdfs`
40
+ but lack `org.apache.hadoop.fs.s3a.S3AFileSystem`.
41
+
42
+ ## Key Fetch And SIR Boundary
43
+
44
+ - For read/decrypt failures, correlate BDM logs with bds-service-proxy logs:
45
+ look for the SIR key endpoint, `Response code 503`, `Response status: 503`,
46
+ `BdsCipherClient Error in decrypt`, and `KMSClientException`.
47
+ - For SIR key-fetch 503 cases, separate front-door reachability from the real
48
+ authenticated business request. From a `bds-service-proxy` pod, verify DNS and
49
+ HTTP reachability to the SIR service such as `sir-<env>.sir:11710`.
50
+ - Treat manual unauthenticated 401 responses as reachability/auth-boundary
51
+ evidence only, not as the BDS business-flow result.
52
+ - Use `curl -k` only for HTTPS; the observed in-cluster SIR endpoint is HTTP.
53
+ - For SIR key-fetch 503, run bds-service-proxy-side reachability probes and RBAC
54
+ checks for `sir`, `galahad`, `ors`, and `oms`. If RBAC denies access, mark
55
+ direct backend inspection as blocked and route the tenant-specific 503 to the
56
+ owning channel.
57
+
58
+ ## Interpretation
59
+
60
+ - Map each source-code predicate to concrete S3A evidence: object existence,
61
+ timestamp, content, empty/non-empty state, parse result, or missing path.
62
+ - Compare with at least one other active tenant when available. A successful
63
+ predefined-file read and `Tenant [...] is healthy` log on another tenant is
64
+ evidence against a cluster-wide BDM/bucket/service-proxy outage.
65
+ - Correlate with Pharos alert state and BDS dashboard links when the question is
66
+ alert-driven.
67
+
68
+ ## Output Details
69
+
70
+ - Alert context: cluster, environment, tenant, source, severity, firing/resolved
71
+ window.
72
+ - Source logic: repo URL, commit/ref when known, file path, function/class, and
73
+ exact unhealthy predicates.
74
+ - Evidence table: command, target, result, interpretation.
75
+ - Tenant census: active BDS tenants versus bucket tenant folders, clearly
76
+ labeled with the source of each count.
77
+ - Code-to-data comparison: one row per predicate from source with matching S3A
78
+ evidence.
79
+ - Key/decrypt logs: concrete timestamped lines for the BDM read failure,
80
+ bds-service-proxy authenticated SIR key-fetch failure, decrypt failure, and
81
+ downstream 500/KMS error when present.
82
+ - SIR/Galahad/OMS boundary: SIR front-door DNS/HTTP reachability from
83
+ bds-service-proxy, manual unauthenticated probe result labeled as such, and
84
+ RBAC status for direct backend namespace inspection.
85
+ - Healthy comparison: another active tenant passing the same read/decrypt path
86
+ when available.
87
+ - Bucket path checked: bucket source, data root, tenant path, and consistency
88
+ file path when used.
89
+ - Cause or current hypothesis, with confidence.
90
+ - Read-only next checks and manual remediation notes, clearly marked as not
91
+ executed.
@@ -0,0 +1,89 @@
1
+ ---
2
+ name: bds-tenant-data-operation-log-investigation
3
+ description: Use for read-only BDS tenant data operation log checks where TSS/OMS tenant state must be separated from PRISM/BDS HDFS data readiness.
4
+ allowed-tools:
5
+ - Read
6
+ - Glob
7
+ - Grep
8
+ - mcp__devops_tool__bds_tenant_data_operation_log_command_pack
9
+ - mcp__devops_tool__bitbucket_api_read
10
+ - mcp__devops_tool__git_repo_read
11
+ - mcp__devops_tool__repo_text_index
12
+ - mcp__devops_tool__bds_environment_host_lookup
13
+ - mcp__devops_tool__bds_machine_inventory
14
+ - mcp__devops_tool__remote_readonly_command
15
+ - mcp__devops_tool__workday_boundary_login
16
+ ---
17
+
18
+ # BDS Tenant Data Operation Log Investigation
19
+
20
+ Use this skill to check tenant BDS data, `operationsLog.csv`, PRISM
21
+ enable/clone history, or release-state versus BDS HDFS data mismatch.
22
+
23
+ ## Rules
24
+
25
+ - Stay read-only. Do not mutate tenant state, HDFS paths, crypto zones, BDM,
26
+ Kubernetes, local files, or Keychain.
27
+ - This skill defines the flow. Use
28
+ `mcp__devops_tool__bds_tenant_data_operation_log_command_pack` only for validated
29
+ read-only HDFS/source command inputs.
30
+ - Keep state domains separate: TSS/OMS state comes from tenant status APIs;
31
+ BDS/PRISM data state comes from HDFS tenant paths and `operationsLog.csv`.
32
+ - Never conclude BDS/PRISM data is ready only because TSS says
33
+ `RELEASED` / `health: OK`.
34
+ - Operation log path: `data/tenants/<ENV_NAME>.<tenantName>/operationsLog.csv`.
35
+ Normal BDS tenant paths commonly contain `operationsLog.csv`, `ted`, and
36
+ `tmp`; missing `operationsLog.csv` or `tmp` is important evidence.
37
+ - Read Sirius BDM source when endpoint or path semantics are unclear. Search
38
+ for `operationLog`, `operationLogPath`,
39
+ `getOperationLogRaw`, `/api/v3/bds/log`, `/v2/bds/log`, and
40
+ `TenantDataManager`.
41
+ - If BDM HTTP log routes return 403 from a jump host, verify the direct HDFS
42
+ `operationsLog.csv` path from an authorized datanode or BDM pod before
43
+ drawing conclusions.
44
+ - Before Boundary login or remote HDFS commands, resolve and confirm the
45
+ concrete datanode or BDM evidence host with
46
+ `mcp__devops_tool__bds_environment_host_lookup`. If a datanode host is
47
+ provided, confirm it belongs to the target cluster; if not, resolve
48
+ `datanode`, `bdm`, or `namenode` roles and choose the narrowest host that can
49
+ perform read-only HDFS checks.
50
+ - Do not invent host tools such as `workday_host_info`, `host_info`,
51
+ `host_query`, or `bds_enterprise_host_lookup`. Do not use local `grep`, `ls`,
52
+ `Read`, `Glob`, repository search, local `/hadoop` paths, local `hdfs`, or
53
+ local `curl` as a substitute for host lookup. If host lookup fails, stop and
54
+ report the exact tool/access gap.
55
+ - Keychain LDAP entries may be JSON. Extract only the top-level `token` field
56
+ locally and pass it through stdin. Never print passwords, tokens, raw
57
+ Keychain payloads, or sudo stdin.
58
+ - Use `sudo su -` and `kinit-workdayadmin` only when explicitly approved by the
59
+ operator and only for read commands.
60
+ - Allowed HDFS reads: `hdfs crypto -listZones`, `hdfs dfs -ls`, `-du`, `-cat`,
61
+ `-tail`, `-test`, `-count`, and `-stat`.
62
+ - Do not run `hdfs dfs -rm`, `-put`, `-get`, `-cp`, `-mv`, `-mkdir`, `-touchz`,
63
+ `-chmod`, or `-chown`.
64
+
65
+ ## Workflow
66
+
67
+ 1. Parse environment, tenant, target BDS cluster, datanode host, HDFS authority,
68
+ and related comparison tenants from the request.
69
+ 2. Generate validated read-only command inputs with the atomic helper tool.
70
+ 3. If source semantics are unclear, read Sirius BDM source and confirm the
71
+ operation log route and HDFS path construction.
72
+ 4. Read TSS/OMS tenant state only as state-domain evidence.
73
+ 5. Resolve and confirm the datanode or BDM evidence host with
74
+ `bds_environment_host_lookup`.
75
+ 6. Establish datanode access and Kerberos/root context only through approved
76
+ credential handling.
77
+ 7. Check crypto zones for the target and related tenants.
78
+ 8. List the exact tenant data path and test for `operationsLog.csv`.
79
+ 9. Tail `operationsLog.csv` only when it exists; otherwise report the missing
80
+ file as direct evidence.
81
+ 10. Compare with related preview, gold, or numbered tenants when provided.
82
+ 11. Separate direct HDFS evidence from inference.
83
+
84
+ ## Output Standard
85
+
86
+ Return Markdown with scope, separated state domains, evidence table, path-shape
87
+ comparison, operation log timeline with exact `prism,Enable` / `prism,Clone`
88
+ rows when present, direct-evidence conclusion, inference confidence, and
89
+ read-only next checks. Remediation must be manual and human-reviewed.
@@ -0,0 +1,77 @@
1
+ ---
2
+ name: bds-yarn-app-health-investigation
3
+ description: Read-only BDS YARN application host health workflow for Prism timeout requests, aggregated log host discovery, NodeManager health, and HDFS DataNode cross-checks.
4
+ allowed-tools:
5
+ - Read
6
+ - Glob
7
+ - Grep
8
+ - mcp__devops_tool__bds_yarn_app_health_command_pack
9
+ - mcp__devops_tool__bds_environment_host_lookup
10
+ - mcp__devops_tool__bds_machine_inventory
11
+ - mcp__devops_tool__remote_readonly_command
12
+ - mcp__devops_tool__workday_boundary_login
13
+ ---
14
+
15
+ # BDS YARN App Health Investigation
16
+
17
+ Use this skill to cross-check YARN application host health, especially Prism
18
+ timeout cases with an app ID such as `application_1778917335863_0195`, a BDS
19
+ cluster, driver host, tenant, and incident UTC window.
20
+
21
+ Load `references/yarn-app-health-runbook.md` only for historical-window,
22
+ ResourceManager, aggregated-log, and output-detail rules.
23
+
24
+ ## Hard Rules
25
+
26
+ - Strictly read-only. Do not kill YARN apps, decommission nodes, delete HDFS
27
+ files, copy/download full logs, restart services, edit configs, or mutate host
28
+ state.
29
+ - This skill defines the investigation flow. Use `bds_yarn_app_health_command_pack`
30
+ only to normalize inputs and produce bounded read-only command inputs.
31
+ - Before Boundary login or remote commands, resolve and confirm the concrete
32
+ driver/control host with `mcp__devops_tool__bds_environment_host_lookup`.
33
+ If a driver host is provided, confirm it belongs to the requested cluster. If
34
+ not, resolve a ResourceManager/NameNode/NodeManager/DataNode host suitable for
35
+ read-only YARN/HDFS status commands.
36
+ - Check Boundary/DC readiness with `workday_boundary_login action=status` when
37
+ host access is needed. Run `action=login` only after explicit operator
38
+ approval to use LDAP PROD from Keychain.
39
+ - Never ask for or print LDAP passwords, Keychain JSON, tokens, keytabs, or
40
+ sudo stdin.
41
+ - Use MCP-safe single-command inputs from the plan. Do not combine commands with
42
+ semicolons, `&&`, command substitution, sudo, shell redirection, or local
43
+ writes.
44
+ - Do not invent host tools such as `workday_host_info`, `host_info`,
45
+ `host_query`, or `bds_enterprise_host_lookup`. Do not pivot to disk alerts,
46
+ Jira, Bamboo, Pharos, local repository search, dashboards, local `yarn`, local
47
+ `hdfs`, or local `/hadoop` paths when host lookup or access is blocked.
48
+ Report the exact evidence gap.
49
+
50
+ ## Evidence Order
51
+
52
+ 1. Parse BDS cluster, driver host, app ID, tenant, prid/cid, and incident UTC
53
+ window.
54
+ 2. Resolve and confirm the driver/control host with
55
+ `bds_environment_host_lookup`.
56
+ 3. Check Boundary/DC readiness; login only with explicit approval.
57
+ 4. Generate the validated read-only command pack with
58
+ `bds_yarn_app_health_command_pack`.
59
+ 5. Confirm driver host identity, UTC time, and available `yarn`, `hdfs`, and
60
+ `kinit` commands.
61
+ 6. Run Kerberos initialization from the existing keytab using `kinit -kt`.
62
+ 7. Check `yarn application -status <appId>`.
63
+ 8. Prefer `yarn logs -show_application_log_info` before any full `yarn logs`
64
+ read.
65
+ 9. Use HDFS aggregated log file names as the app host list.
66
+ 10. Cross-check each app host with `yarn node -status <host>:45454`.
67
+ 11. Use `hdfs dfsadmin -report` for HDFS counters and to identify which app
68
+ hosts are also DataNodes.
69
+ 12. If incident UTC is available, check the historical window with read-only
70
+ kernel, NodeManager, DataNode, and long-GC log filters.
71
+
72
+ ## Output
73
+
74
+ Return app host list, current YARN NodeManager health, HDFS cluster counters,
75
+ DataNode matches, historical-window findings when checked, and evidence gaps.
76
+ If only current state was checked, clearly say current health is not proof of
77
+ historical health at the incident timestamp.
@@ -0,0 +1,53 @@
1
+ # BDS YARN App Health Runbook
2
+
3
+ This reference holds detailed rules for
4
+ `bds-yarn-app-health-investigation/SKILL.md`.
5
+
6
+ ## Application State And Aggregated Logs
7
+
8
+ - Treat RM/Timeline not-found separately from HDFS aggregated log availability.
9
+ - Historical apps may be removed from RM/Timeline state. If
10
+ `yarn application -status` cannot find an old app, parse ResourceManager
11
+ `ApplicationSummary` logs instead of treating the app as absent.
12
+ - For ResourceManager failed-app spikes, filter `ApplicationSummary` lines in
13
+ the incident UTC window to `applicationType=SPARK`, `finalStatus=FAILED`, and
14
+ diagnostics containing `exitCode: 0`; return `finishTimeUtc`, `appId`, `name`,
15
+ `user`, `queue`, `finalStatus`, and `appMasterHost`.
16
+ - If owner or suffix is unknown, search only the YARN aggregated log root with
17
+ `hdfs dfs -find <logRoot> -name '*<appId>*'`.
18
+ - List and size the resolved app log directory with `hdfs dfs -ls` and
19
+ `hdfs dfs -du -h`.
20
+ - The tenant in Prism logs may be `WD1-PROD.<tenant>`, but the YARN app owner
21
+ can be a service account such as `wd1-prod_prism`.
22
+ - Aggregated logs may use `bucket-logs-tfile/<last4>/<applicationId>` rather
23
+ than `<owner>/logs/<applicationId>`.
24
+ - For `application_1778917335863_0195`, the bucket segment is `0195`.
25
+ - A host log file around tens of GB is a driver-log outlier and can explain
26
+ slow full `yarn logs` reads.
27
+
28
+ ## Historical Incident Window
29
+
30
+ - If the requester asks whether checks were current-state or around the log
31
+ time, run a historical incident-window check before answering.
32
+ - Historical checks must be read-only host log reads: `journalctl -k` for the
33
+ exact UTC window plus bounded `grep`/`zgrep` over NodeManager and DataNode
34
+ logs.
35
+ - Filter routine noise such as `DFSUtil.*duration=0`, block deletion INFO,
36
+ `DataNode.clienttrace`, short GC pauses, and `PacketResponder terminating`.
37
+ - Do not include minor unrelated WARNs in requester-facing replies unless they
38
+ are in the incident window and plausibly tied to the HDFS/DataNode path.
39
+ - If a broad historical scan drops SSH, retry only incomplete hosts with
40
+ narrower file targets and no SSH multiplexing before marking the result
41
+ complete.
42
+
43
+ ## Output Details
44
+
45
+ - App host list.
46
+ - Current YARN NodeManager state and health report summary for those hosts.
47
+ - Current HDFS cluster counters: live DataNodes, under-replicated blocks,
48
+ missing blocks, low-redundancy block groups, and corrupt replicas if present.
49
+ - Which app hosts also appear as HDFS DataNodes, with decommission status and
50
+ last contact when available.
51
+ - If historical logs were checked, say so explicitly and summarize whether
52
+ kernel / YARN NodeManager / HDFS DataNode health errors, disk/network errors,
53
+ DataNode unhealthy signals, or long GC pauses were found in that window.
@@ -0,0 +1,80 @@
1
+ ---
2
+ name: pharos-alert-investigation
3
+ description: Read Pharos firing alerts, alert rules, active silences, and BDS observability links for alert detail investigation.
4
+ allowed-tools:
5
+ - Read
6
+ - Glob
7
+ - Grep
8
+ - mcp__devops_tool__bds_pharos_query_pack
9
+ - mcp__devops_tool__pharos_alert_read
10
+ - mcp__devops_tool__pharos_prometheus_read
11
+ - mcp__devops_tool__bds_dashboard_links
12
+ - mcp__devops_tool__bds_dashboard_query_knowledge
13
+ - mcp__devops_tool__bds_dashboard_query_read
14
+ - mcp__devops_tool__dashboard_query_knowledge
15
+ - mcp__devops_tool__bds_scylla_tenant_bucket_command_pack
16
+ - mcp__devops_tool__bds_disk_io_alert_command_pack
17
+ ---
18
+
19
+ # Pharos Alert Investigation
20
+
21
+ Use this skill when an operator asks what BDS alerts are firing, wants Pharos
22
+ alert details, asks whether an alert is silenced, or needs BDS dashboard links
23
+ for a firing alert. Also use it for natural-language BDS Pharos questions such
24
+ as disk IO, YARN alerts, NameNode latency, or visible BDS clusters.
25
+
26
+ ## Rules
27
+
28
+ - Use our own `mcp__devops_tool__pharos_alert_read` tool. Do not shell out to
29
+ `pharos_alerts_cli.py` for read workflows.
30
+ - Treat Pharos reads as read-only. Never create, delete, or update silences,
31
+ routes, rules, dashboards, or alertmanager config from this skill.
32
+ - Credentials must come from env or Keychain. Never ask for or print
33
+ `PHAROS_CLIENT_SECRET`.
34
+ - Use exact label filters from the alert when available:
35
+ `alertname`, `source`, `bds_cluster`, `severity`, and `wd_env_physical`.
36
+ - For natural-language requests, call `mcp__devops_tool__bds_pharos_query_pack`
37
+ first, then execute read-only steps until direct Pharos evidence is sufficient.
38
+ - Use `mcp__devops_tool__pharos_prometheus_read` for arbitrary BDS metric reads:
39
+ instant PromQL, range PromQL, label values, or series discovery.
40
+ - Use `mcp__devops_tool__bds_dashboard_links` for Grafana, Pharos alerting,
41
+ silence, and Solas links.
42
+ - Use `mcp__devops_tool__bds_dashboard_query_read` when the user asks what a
43
+ dashboard panel checks.
44
+ - Use `mcp__devops_tool__bds_dashboard_query_knowledge` to learn BDS metric
45
+ families from source-controlled dashboards; use generic
46
+ `mcp__devops_tool__dashboard_query_knowledge` for non-BDS dashboard repos.
47
+ - For `bds_bdm_tenant_tenant_health_status_alert` or Scylla tenant unhealthy
48
+ alerts, use `mcp__devops_tool__bds_scylla_tenant_bucket_command_pack` before
49
+ bucket drill-down. Inspect BDM source predicates, then map them to BDM pod plus
50
+ `hadoop fs` S3A reads. Do not use `aws s3`, `hdfs`, or `hadoop fs -get`.
51
+ - For DataNode failed-volume or BDS storage alerts, use Pharos only to confirm
52
+ alert/rule/metric context. Then hand the drill-down to
53
+ `bds-disk-io-alert-investigation` and its disk command pack, because the first
54
+ evidence boundary is the source host storage state.
55
+
56
+ ## Workflow
57
+
58
+ 1. Parse environment, namespace, alert name, source host, cluster, severity,
59
+ time range, and intent.
60
+ 2. Call `bds_pharos_query_pack` unless the user already supplied an exact tool
61
+ action and PromQL query.
62
+ 3. Read `firing_alerts` first with narrow filters when the request is alert-like.
63
+ 4. Read `active_silences` with the same filters to identify suppression state.
64
+ 5. Read `alert_rules` by `alertName` when the user asks why the alert fires or
65
+ needs expression/details.
66
+ 6. Run `pharos_prometheus_read` when the request is metric-like or exploratory.
67
+ 7. Generate BDS dashboard links from the same labels.
68
+ 8. Return a compact summary with direct evidence, missing data, and next
69
+ read-only drill-down.
70
+
71
+ ## Output Standard
72
+
73
+ Return concise Markdown:
74
+
75
+ - Alert: name, state, severity, source, cluster, activeAt.
76
+ - Rule: expression, duration, labels, annotations when requested or relevant.
77
+ - Silence: active silence id, matcher scope, createdBy, endsAt, comment.
78
+ - Links: BDS dashboard, alert rule search, active silence query, Solas.
79
+ - Metrics: PromQL used, result count, top values or trend summary.
80
+ - Evidence gaps: explicitly state what was not found or not read.