@raishin/vanguard-frontier-agentic 1.1.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (715) hide show
  1. package/README.md +369 -322
  2. package/agents/AGENTS.md +263 -21
  3. package/agents/argocd/README.md +46 -0
  4. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
  5. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
  6. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
  7. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
  8. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
  9. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
  10. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
  11. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
  12. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
  13. package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
  14. package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
  15. package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
  16. package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
  17. package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
  18. package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
  19. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
  20. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
  21. package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
  22. package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
  23. package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
  24. package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
  25. package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
  26. package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
  27. package/agents/aws/aws-maestro-agent/AGENT.md +55 -0
  28. package/agents/aws/aws-maestro-agent/harnesses/claude-code.agent.md +38 -0
  29. package/agents/aws/aws-maestro-agent/harnesses/codex.toml +34 -0
  30. package/agents/aws/aws-maestro-agent/harnesses/copilot.agent.md +51 -0
  31. package/agents/aws/aws-maestro-agent/harnesses/cursor.agent.md +40 -0
  32. package/agents/aws/aws-maestro-agent/harnesses/gemini.agent.md +39 -0
  33. package/agents/aws/aws-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  34. package/agents/aws/aws-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  35. package/agents/aws/aws-maestro-agent/metadata.json +37 -0
  36. package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
  37. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  38. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
  39. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  40. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  41. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  42. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  43. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  44. package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
  45. package/agents/azure/AGENTS.md +26 -0
  46. package/agents/azure/README.md +45 -0
  47. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
  48. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  49. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
  50. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  51. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  52. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  53. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  54. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  55. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
  56. package/agents/azure/azure-live-aks-rollout-guard-agent/AGENT.md +57 -0
  57. package/agents/azure/azure-live-aks-rollout-guard-agent/PERMISSIONS.md +56 -0
  58. package/agents/azure/azure-live-aks-rollout-guard-agent/PREFLIGHT.md +48 -0
  59. package/agents/azure/azure-live-aks-rollout-guard-agent/ROLLBACK.md +36 -0
  60. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/claude-code.agent.md +40 -0
  61. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/codex.toml +32 -0
  62. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/copilot.agent.md +53 -0
  63. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/cursor.agent.md +40 -0
  64. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/gemini.agent.md +40 -0
  65. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  66. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  67. package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +36 -0
  68. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/AGENT.md +57 -0
  69. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/PERMISSIONS.md +43 -0
  70. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/PREFLIGHT.md +50 -0
  71. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/ROLLBACK.md +46 -0
  72. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/claude-code.agent.md +40 -0
  73. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/codex.toml +32 -0
  74. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/copilot.agent.md +53 -0
  75. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/cursor.agent.md +40 -0
  76. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/gemini.agent.md +40 -0
  77. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  78. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  79. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +35 -0
  80. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/AGENT.md +57 -0
  81. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/PERMISSIONS.md +88 -0
  82. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/PREFLIGHT.md +48 -0
  83. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/ROLLBACK.md +48 -0
  84. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/claude-code.agent.md +40 -0
  85. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/codex.toml +32 -0
  86. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/copilot.agent.md +53 -0
  87. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/cursor.agent.md +40 -0
  88. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/gemini.agent.md +40 -0
  89. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  90. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  91. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +36 -0
  92. package/agents/azure/azure-live-cost-budget-action-guard-agent/AGENT.md +57 -0
  93. package/agents/azure/azure-live-cost-budget-action-guard-agent/PERMISSIONS.md +93 -0
  94. package/agents/azure/azure-live-cost-budget-action-guard-agent/PREFLIGHT.md +44 -0
  95. package/agents/azure/azure-live-cost-budget-action-guard-agent/ROLLBACK.md +49 -0
  96. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/claude-code.agent.md +40 -0
  97. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/codex.toml +32 -0
  98. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/copilot.agent.md +53 -0
  99. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/cursor.agent.md +40 -0
  100. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/gemini.agent.md +40 -0
  101. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  102. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  103. package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +36 -0
  104. package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
  105. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
  106. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
  107. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
  108. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
  109. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
  110. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  111. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  112. package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
  113. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/AGENT.md +57 -0
  114. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/PERMISSIONS.md +68 -0
  115. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/PREFLIGHT.md +46 -0
  116. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/ROLLBACK.md +44 -0
  117. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/claude-code.agent.md +40 -0
  118. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/codex.toml +32 -0
  119. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/copilot.agent.md +53 -0
  120. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/cursor.agent.md +40 -0
  121. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/gemini.agent.md +40 -0
  122. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  123. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  124. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +36 -0
  125. package/agents/azure/azure-live-pim-jit-activation-guard-agent/AGENT.md +57 -0
  126. package/agents/azure/azure-live-pim-jit-activation-guard-agent/PERMISSIONS.md +59 -0
  127. package/agents/azure/azure-live-pim-jit-activation-guard-agent/PREFLIGHT.md +41 -0
  128. package/agents/azure/azure-live-pim-jit-activation-guard-agent/ROLLBACK.md +48 -0
  129. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/claude-code.agent.md +40 -0
  130. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/codex.toml +32 -0
  131. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/copilot.agent.md +53 -0
  132. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/cursor.agent.md +40 -0
  133. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/gemini.agent.md +40 -0
  134. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  135. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  136. package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +36 -0
  137. package/agents/azure/azure-maestro-agent/AGENT.md +56 -0
  138. package/agents/azure/azure-maestro-agent/harnesses/claude-code.agent.md +39 -0
  139. package/agents/azure/azure-maestro-agent/harnesses/codex.toml +14 -0
  140. package/agents/azure/azure-maestro-agent/harnesses/copilot.agent.md +52 -0
  141. package/agents/azure/azure-maestro-agent/harnesses/cursor.agent.md +41 -0
  142. package/agents/azure/azure-maestro-agent/harnesses/gemini.agent.md +40 -0
  143. package/agents/azure/azure-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  144. package/agents/azure/azure-maestro-agent/harnesses/kiro-ide.agent.md +39 -0
  145. package/agents/azure/azure-maestro-agent/metadata.json +38 -0
  146. package/agents/backstage/README.md +36 -0
  147. package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
  148. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
  149. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
  150. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
  151. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
  152. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
  153. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
  154. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
  155. package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
  156. package/agents/cert-manager/README.md +46 -0
  157. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
  158. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
  159. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
  160. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
  161. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
  162. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
  163. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
  164. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
  165. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
  166. package/agents/cilium/README.md +46 -0
  167. package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
  168. package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  169. package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
  170. package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
  171. package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
  172. package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
  173. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  174. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  175. package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
  176. package/agents/falco/README.md +36 -0
  177. package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
  178. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
  179. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
  180. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
  181. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
  182. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
  183. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
  185. package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
  186. package/agents/finops/AGENTS.md +36 -0
  187. package/agents/finops/README.md +27 -0
  188. package/agents/finops/finops-cloud-price-advisor-agent/AGENT.md +58 -0
  189. package/agents/finops/finops-cloud-price-advisor-agent/PERMISSIONS.md +112 -0
  190. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/claude-code.agent.md +40 -0
  191. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/codex.toml +33 -0
  192. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/copilot.agent.md +53 -0
  193. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/cursor.agent.md +40 -0
  194. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/gemini.agent.md +40 -0
  195. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/kiro-cli.agent.json +1 -0
  196. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/kiro-ide.agent.md +40 -0
  197. package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +38 -0
  198. package/agents/fluxcd/README.md +39 -0
  199. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
  200. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
  201. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
  202. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
  203. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
  204. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
  205. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
  206. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
  207. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
  208. package/agents/istio/README.md +46 -0
  209. package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
  210. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
  211. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
  212. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
  213. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
  214. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
  215. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
  216. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
  217. package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
  218. package/agents/kubernetes/README.md +143 -0
  219. package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
  220. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
  221. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
  222. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
  223. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
  224. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
  225. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
  226. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
  227. package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
  228. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
  229. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
  230. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
  231. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
  232. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
  233. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
  234. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
  235. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
  236. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
  237. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
  238. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  239. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
  240. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  241. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  242. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  243. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  244. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  245. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +36 -0
  246. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
  247. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
  248. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
  249. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
  250. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
  251. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
  252. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  253. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  254. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +36 -0
  255. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
  256. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  257. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
  258. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  259. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  260. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  261. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  262. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  263. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +36 -0
  264. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
  265. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  266. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
  267. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  268. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  269. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  270. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  271. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  272. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +36 -0
  273. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
  274. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
  275. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
  276. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
  277. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
  278. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
  279. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  280. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  281. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
  282. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
  283. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
  284. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
  285. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
  286. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
  287. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
  288. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  289. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
  290. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +37 -0
  291. package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
  292. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
  293. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
  294. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
  295. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
  296. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
  297. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  298. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  299. package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
  300. package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
  301. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
  302. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
  303. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
  304. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
  305. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
  306. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
  307. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
  308. package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
  309. package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
  310. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
  311. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
  312. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
  313. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
  314. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
  315. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
  316. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
  317. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +37 -0
  318. package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
  319. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
  320. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
  321. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
  322. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
  323. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
  324. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
  325. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
  326. package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
  327. package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
  328. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
  329. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
  330. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
  331. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
  332. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
  333. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
  334. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
  335. package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
  336. package/agents/kyverno/README.md +46 -0
  337. package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
  338. package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  339. package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
  340. package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
  341. package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
  342. package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
  343. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  344. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  345. package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
  346. package/agents/oci/AGENTS.md +28 -0
  347. package/agents/oci/README.md +45 -0
  348. package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
  349. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  350. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
  351. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  352. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  353. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  354. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  355. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  356. package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
  357. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/AGENT.md +57 -0
  358. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/PERMISSIONS.md +56 -0
  359. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/PREFLIGHT.md +48 -0
  360. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/ROLLBACK.md +50 -0
  361. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/claude-code.agent.md +40 -0
  362. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/codex.toml +32 -0
  363. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/copilot.agent.md +53 -0
  364. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/cursor.agent.md +40 -0
  365. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/gemini.agent.md +40 -0
  366. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  367. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  368. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +36 -0
  369. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/AGENT.md +57 -0
  370. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/PERMISSIONS.md +77 -0
  371. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/PREFLIGHT.md +54 -0
  372. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/ROLLBACK.md +53 -0
  373. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/claude-code.agent.md +40 -0
  374. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/codex.toml +32 -0
  375. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/copilot.agent.md +53 -0
  376. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/cursor.agent.md +40 -0
  377. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/gemini.agent.md +40 -0
  378. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  379. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  380. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +36 -0
  381. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/AGENT.md +57 -0
  382. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/PERMISSIONS.md +87 -0
  383. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/PREFLIGHT.md +49 -0
  384. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/ROLLBACK.md +44 -0
  385. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/claude-code.agent.md +40 -0
  386. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/codex.toml +32 -0
  387. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/copilot.agent.md +53 -0
  388. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/cursor.agent.md +40 -0
  389. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/gemini.agent.md +40 -0
  390. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  391. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  392. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +36 -0
  393. package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
  394. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
  395. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
  396. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
  397. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
  398. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
  399. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  400. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  401. package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
  402. package/agents/oci/oci-live-oke-rollout-guard-agent/AGENT.md +57 -0
  403. package/agents/oci/oci-live-oke-rollout-guard-agent/PERMISSIONS.md +92 -0
  404. package/agents/oci/oci-live-oke-rollout-guard-agent/PREFLIGHT.md +49 -0
  405. package/agents/oci/oci-live-oke-rollout-guard-agent/ROLLBACK.md +47 -0
  406. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/claude-code.agent.md +40 -0
  407. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/codex.toml +32 -0
  408. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/copilot.agent.md +53 -0
  409. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/cursor.agent.md +40 -0
  410. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/gemini.agent.md +40 -0
  411. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  412. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  413. package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +36 -0
  414. package/agents/oci/oci-live-resource-manager-stack-guard-agent/AGENT.md +57 -0
  415. package/agents/oci/oci-live-resource-manager-stack-guard-agent/PERMISSIONS.md +80 -0
  416. package/agents/oci/oci-live-resource-manager-stack-guard-agent/PREFLIGHT.md +51 -0
  417. package/agents/oci/oci-live-resource-manager-stack-guard-agent/ROLLBACK.md +45 -0
  418. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/claude-code.agent.md +40 -0
  419. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/codex.toml +32 -0
  420. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/copilot.agent.md +53 -0
  421. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/cursor.agent.md +40 -0
  422. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/gemini.agent.md +40 -0
  423. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  424. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  425. package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +36 -0
  426. package/agents/oci/oci-live-vault-key-destruction-guard-agent/AGENT.md +57 -0
  427. package/agents/oci/oci-live-vault-key-destruction-guard-agent/PERMISSIONS.md +57 -0
  428. package/agents/oci/oci-live-vault-key-destruction-guard-agent/PREFLIGHT.md +53 -0
  429. package/agents/oci/oci-live-vault-key-destruction-guard-agent/ROLLBACK.md +49 -0
  430. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/claude-code.agent.md +40 -0
  431. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/codex.toml +32 -0
  432. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/copilot.agent.md +53 -0
  433. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/cursor.agent.md +40 -0
  434. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/gemini.agent.md +40 -0
  435. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  436. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  437. package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +36 -0
  438. package/agents/oci/oci-maestro-agent/AGENT.md +58 -0
  439. package/agents/oci/oci-maestro-agent/harnesses/claude-code.agent.md +41 -0
  440. package/agents/oci/oci-maestro-agent/harnesses/codex.toml +14 -0
  441. package/agents/oci/oci-maestro-agent/harnesses/copilot.agent.md +54 -0
  442. package/agents/oci/oci-maestro-agent/harnesses/cursor.agent.md +43 -0
  443. package/agents/oci/oci-maestro-agent/harnesses/gemini.agent.md +42 -0
  444. package/agents/oci/oci-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  445. package/agents/oci/oci-maestro-agent/harnesses/kiro-ide.agent.md +41 -0
  446. package/agents/oci/oci-maestro-agent/metadata.json +37 -0
  447. package/agents/opentelemetry/README.md +37 -0
  448. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
  449. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
  450. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
  451. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
  452. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
  453. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
  454. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
  455. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
  456. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
  457. package/agents/prometheus/README.md +36 -0
  458. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
  459. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
  460. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
  461. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
  462. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
  463. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
  464. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
  465. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
  466. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
  467. package/agents/sigstore/README.md +38 -0
  468. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
  469. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
  470. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
  471. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
  472. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
  473. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
  474. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
  475. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
  476. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
  477. package/agents/terraform/README.md +29 -0
  478. package/agents/terraform/terraform-maestro-agent/AGENT.md +58 -0
  479. package/agents/terraform/terraform-maestro-agent/harnesses/claude-code.agent.md +41 -0
  480. package/agents/terraform/terraform-maestro-agent/harnesses/codex.toml +14 -0
  481. package/agents/terraform/terraform-maestro-agent/harnesses/copilot.agent.md +54 -0
  482. package/agents/terraform/terraform-maestro-agent/harnesses/cursor.agent.md +43 -0
  483. package/agents/terraform/terraform-maestro-agent/harnesses/gemini.agent.md +42 -0
  484. package/agents/terraform/terraform-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  485. package/agents/terraform/terraform-maestro-agent/harnesses/kiro-ide.agent.md +41 -0
  486. package/agents/terraform/terraform-maestro-agent/metadata.json +38 -0
  487. package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
  488. package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
  489. package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
  490. package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
  491. package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
  492. package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
  493. package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
  494. package/agents/terraform/terraform-reviewer/metadata.json +10 -1
  495. package/agents/velero/README.md +41 -0
  496. package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
  497. package/catalog/agents.json +1347 -27
  498. package/catalog/install-roles.json +455 -0
  499. package/catalog/skill-manifest.json +1358 -62
  500. package/catalog/skills.json +1231 -25
  501. package/package.json +11 -1
  502. package/scripts/export-marketplace-agents.mjs +129 -10
  503. package/scripts/gen_azure_live_guards.py +1424 -0
  504. package/scripts/gen_oci_live_guards.py +1510 -0
  505. package/scripts/update-catalog-new-agents.py +88 -0
  506. package/skills/argocd/README.md +30 -0
  507. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +40 -0
  508. package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
  509. package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
  510. package/skills/argocd/argocd-gitops-review/SKILL.md +43 -0
  511. package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
  512. package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
  513. package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
  514. package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
  515. package/skills/aws/README.md +3 -1
  516. package/skills/aws/aws-maestro/SKILL.md +47 -0
  517. package/skills/aws/aws-maestro/metadata.json +28 -0
  518. package/skills/aws/aws-maestro/references/official-sources.md +24 -0
  519. package/skills/aws/aws-maestro/references/safety-checklist.md +42 -0
  520. package/skills/aws/aws-maestro/references/workflow-and-output.md +129 -0
  521. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +39 -0
  522. package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
  523. package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
  524. package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
  525. package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
  526. package/skills/azure/README.md +3 -1
  527. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +37 -0
  528. package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
  529. package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
  530. package/skills/azure/azure-live-aks-rollout-guard/SKILL.md +49 -0
  531. package/skills/azure/azure-live-aks-rollout-guard/metadata.json +27 -0
  532. package/skills/azure/azure-live-aks-rollout-guard/references/official-sources.md +19 -0
  533. package/skills/azure/azure-live-aks-rollout-guard/references/permission-model.md +54 -0
  534. package/skills/azure/azure-live-aks-rollout-guard/references/preflight-commands.md +55 -0
  535. package/skills/azure/azure-live-aks-rollout-guard/references/rollback-playbook.md +38 -0
  536. package/skills/azure/azure-live-app-service-slot-swap-guard/SKILL.md +49 -0
  537. package/skills/azure/azure-live-app-service-slot-swap-guard/metadata.json +26 -0
  538. package/skills/azure/azure-live-app-service-slot-swap-guard/references/official-sources.md +12 -0
  539. package/skills/azure/azure-live-app-service-slot-swap-guard/references/permission-model.md +40 -0
  540. package/skills/azure/azure-live-app-service-slot-swap-guard/references/preflight-commands.md +46 -0
  541. package/skills/azure/azure-live-app-service-slot-swap-guard/references/rollback-playbook.md +46 -0
  542. package/skills/azure/azure-live-arm-deployment-stack-guard/SKILL.md +49 -0
  543. package/skills/azure/azure-live-arm-deployment-stack-guard/metadata.json +27 -0
  544. package/skills/azure/azure-live-arm-deployment-stack-guard/references/official-sources.md +17 -0
  545. package/skills/azure/azure-live-arm-deployment-stack-guard/references/permission-model.md +68 -0
  546. package/skills/azure/azure-live-arm-deployment-stack-guard/references/preflight-commands.md +55 -0
  547. package/skills/azure/azure-live-arm-deployment-stack-guard/references/rollback-playbook.md +53 -0
  548. package/skills/azure/azure-live-cost-budget-action-guard/SKILL.md +49 -0
  549. package/skills/azure/azure-live-cost-budget-action-guard/metadata.json +27 -0
  550. package/skills/azure/azure-live-cost-budget-action-guard/references/official-sources.md +17 -0
  551. package/skills/azure/azure-live-cost-budget-action-guard/references/permission-model.md +66 -0
  552. package/skills/azure/azure-live-cost-budget-action-guard/references/preflight-commands.md +48 -0
  553. package/skills/azure/azure-live-cost-budget-action-guard/references/rollback-playbook.md +40 -0
  554. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +56 -0
  555. package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
  556. package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
  557. package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
  558. package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
  559. package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
  560. package/skills/azure/azure-live-keyvault-rotation-purge-guard/SKILL.md +49 -0
  561. package/skills/azure/azure-live-keyvault-rotation-purge-guard/metadata.json +27 -0
  562. package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/official-sources.md +13 -0
  563. package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/permission-model.md +64 -0
  564. package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/preflight-commands.md +48 -0
  565. package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/rollback-playbook.md +44 -0
  566. package/skills/azure/azure-live-pim-jit-activation-guard/SKILL.md +49 -0
  567. package/skills/azure/azure-live-pim-jit-activation-guard/metadata.json +27 -0
  568. package/skills/azure/azure-live-pim-jit-activation-guard/references/official-sources.md +13 -0
  569. package/skills/azure/azure-live-pim-jit-activation-guard/references/permission-model.md +56 -0
  570. package/skills/azure/azure-live-pim-jit-activation-guard/references/preflight-commands.md +46 -0
  571. package/skills/azure/azure-live-pim-jit-activation-guard/references/rollback-playbook.md +45 -0
  572. package/skills/azure/azure-maestro/SKILL.md +140 -0
  573. package/skills/azure/azure-maestro/metadata.json +28 -0
  574. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +39 -0
  575. package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
  576. package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
  577. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +40 -0
  578. package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
  579. package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
  580. package/skills/cilium/README.md +30 -0
  581. package/skills/cilium/cilium-network-policy-review/SKILL.md +43 -0
  582. package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
  583. package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
  584. package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
  585. package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
  586. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +37 -0
  587. package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
  588. package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
  589. package/skills/finops/README.md +30 -0
  590. package/skills/finops/finops-cloud-price-advisor/SKILL.md +60 -0
  591. package/skills/finops/finops-cloud-price-advisor/metadata.json +26 -0
  592. package/skills/finops/finops-cloud-price-advisor/references/currency-handling.md +100 -0
  593. package/skills/finops/finops-cloud-price-advisor/references/estimation-workflow.md +145 -0
  594. package/skills/finops/finops-cloud-price-advisor/references/official-sources.md +64 -0
  595. package/skills/finops/finops-cloud-price-advisor/references/pricing-apis.md +271 -0
  596. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +40 -0
  597. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
  598. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
  599. package/skills/istio/README.md +28 -0
  600. package/skills/istio/istio-ambient-mesh-review/SKILL.md +43 -0
  601. package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
  602. package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
  603. package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
  604. package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
  605. package/skills/kubernetes/README.md +30 -0
  606. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +37 -0
  607. package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
  608. package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
  609. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +40 -0
  610. package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
  611. package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
  612. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +57 -0
  613. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
  614. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
  615. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
  616. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
  617. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
  618. package/skills/kubernetes/kubernetes-maestro/SKILL.md +45 -0
  619. package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
  620. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
  621. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
  622. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +43 -0
  623. package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
  624. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
  625. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
  626. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
  627. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +38 -0
  628. package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
  629. package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
  630. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +38 -0
  631. package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
  632. package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
  633. package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
  634. package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
  635. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +43 -0
  636. package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
  637. package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
  638. package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
  639. package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
  640. package/skills/kyverno/README.md +30 -0
  641. package/skills/kyverno/kyverno-policy-review/SKILL.md +43 -0
  642. package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
  643. package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
  644. package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
  645. package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
  646. package/skills/oci/README.md +63 -0
  647. package/skills/oci/oci-certificates-issuer-review/SKILL.md +37 -0
  648. package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
  649. package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
  650. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/SKILL.md +49 -0
  651. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/metadata.json +27 -0
  652. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/official-sources.md +13 -0
  653. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/permission-model.md +49 -0
  654. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/preflight-commands.md +58 -0
  655. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/rollback-playbook.md +44 -0
  656. package/skills/oci/oci-live-cost-budget-runaway-guard/SKILL.md +49 -0
  657. package/skills/oci/oci-live-cost-budget-runaway-guard/metadata.json +27 -0
  658. package/skills/oci/oci-live-cost-budget-runaway-guard/references/official-sources.md +17 -0
  659. package/skills/oci/oci-live-cost-budget-runaway-guard/references/permission-model.md +59 -0
  660. package/skills/oci/oci-live-cost-budget-runaway-guard/references/preflight-commands.md +42 -0
  661. package/skills/oci/oci-live-cost-budget-runaway-guard/references/rollback-playbook.md +44 -0
  662. package/skills/oci/oci-live-iam-policy-compartment-guard/SKILL.md +49 -0
  663. package/skills/oci/oci-live-iam-policy-compartment-guard/metadata.json +27 -0
  664. package/skills/oci/oci-live-iam-policy-compartment-guard/references/official-sources.md +13 -0
  665. package/skills/oci/oci-live-iam-policy-compartment-guard/references/permission-model.md +71 -0
  666. package/skills/oci/oci-live-iam-policy-compartment-guard/references/preflight-commands.md +49 -0
  667. package/skills/oci/oci-live-iam-policy-compartment-guard/references/rollback-playbook.md +62 -0
  668. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +57 -0
  669. package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
  670. package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
  671. package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
  672. package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
  673. package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
  674. package/skills/oci/oci-live-oke-rollout-guard/SKILL.md +49 -0
  675. package/skills/oci/oci-live-oke-rollout-guard/metadata.json +27 -0
  676. package/skills/oci/oci-live-oke-rollout-guard/references/official-sources.md +18 -0
  677. package/skills/oci/oci-live-oke-rollout-guard/references/permission-model.md +80 -0
  678. package/skills/oci/oci-live-oke-rollout-guard/references/preflight-commands.md +55 -0
  679. package/skills/oci/oci-live-oke-rollout-guard/references/rollback-playbook.md +45 -0
  680. package/skills/oci/oci-live-resource-manager-stack-guard/SKILL.md +49 -0
  681. package/skills/oci/oci-live-resource-manager-stack-guard/metadata.json +27 -0
  682. package/skills/oci/oci-live-resource-manager-stack-guard/references/official-sources.md +12 -0
  683. package/skills/oci/oci-live-resource-manager-stack-guard/references/permission-model.md +70 -0
  684. package/skills/oci/oci-live-resource-manager-stack-guard/references/preflight-commands.md +57 -0
  685. package/skills/oci/oci-live-resource-manager-stack-guard/references/rollback-playbook.md +51 -0
  686. package/skills/oci/oci-live-vault-key-destruction-guard/SKILL.md +49 -0
  687. package/skills/oci/oci-live-vault-key-destruction-guard/metadata.json +27 -0
  688. package/skills/oci/oci-live-vault-key-destruction-guard/references/official-sources.md +13 -0
  689. package/skills/oci/oci-live-vault-key-destruction-guard/references/permission-model.md +55 -0
  690. package/skills/oci/oci-live-vault-key-destruction-guard/references/preflight-commands.md +62 -0
  691. package/skills/oci/oci-live-vault-key-destruction-guard/references/rollback-playbook.md +55 -0
  692. package/skills/oci/oci-maestro/SKILL.md +163 -0
  693. package/skills/oci/oci-maestro/metadata.json +27 -0
  694. package/skills/opentelemetry/README.md +31 -0
  695. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +44 -0
  696. package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
  697. package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
  698. package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
  699. package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
  700. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +38 -0
  701. package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
  702. package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
  703. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +39 -0
  704. package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
  705. package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
  706. package/skills/terraform/README.md +29 -0
  707. package/skills/terraform/terraform-maestro/SKILL.md +123 -0
  708. package/skills/terraform/terraform-maestro/metadata.json +30 -0
  709. package/skills/terraform/terraform-maestro/references/official-sources.md +59 -0
  710. package/skills/terraform/terraform-maestro/references/safety-checklist.md +53 -0
  711. package/skills/terraform/terraform-maestro/references/workflow-and-output.md +108 -0
  712. package/skills/velero/velero-backup-restore-guard/SKILL.md +41 -0
  713. package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
  714. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
  715. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
@@ -1,4 +1,59 @@
1
1
  [
2
+ {
3
+ "id": "argo-rollouts-progressive-delivery-review-agent",
4
+ "name": "Argo Rollouts Progressive Delivery Review",
5
+ "type": "agent",
6
+ "provider": "argocd",
7
+ "harnesses": [
8
+ "codex",
9
+ "copilot",
10
+ "claude-code",
11
+ "cursor",
12
+ "gemini",
13
+ "kiro"
14
+ ],
15
+ "summary": "Review Argo Rollouts canary and blue-green strategy configuration, AnalysisTemplate success and failure conditions, traffic management provider alignment, canaryService isolation, PDB deadlock risk, and automated rollback posture for progressive delivery safety.",
16
+ "source_type": "original",
17
+ "official_docs": [
18
+ "https://argoproj.github.io/argo-rollouts/",
19
+ "https://argoproj.github.io/argo-rollouts/features/canary/",
20
+ "https://argoproj.github.io/argo-rollouts/features/analysis/",
21
+ "https://argoproj.github.io/argo-rollouts/features/traffic-management/",
22
+ "https://argoproj.github.io/argo-rollouts/features/bluegreen/",
23
+ "https://argoproj.github.io/argo-rollouts/generated/kubectl-argo-rollouts/kubectl-argo-rollouts_promote/"
24
+ ],
25
+ "security_notes": "AnalysisTemplates with always-true success conditions defeat automated rollback entirely. A canary that silently passes all analysis checks will promote a broken release to 100% production traffic without any automated abort.",
26
+ "last_verified": "2026-05-02",
27
+ "path": "agents/argocd/argo-rollouts-progressive-delivery-review-agent",
28
+ "version": "0.1.0"
29
+ },
30
+ {
31
+ "id": "argocd-gitops-review-agent",
32
+ "name": "Argo CD GitOps Review",
33
+ "type": "agent",
34
+ "provider": "argocd",
35
+ "summary": "Review Argo CD Application, AppProject, ApplicationSet, sync-window, RBAC, and sync impersonation configuration for blast-radius containment, least-privilege sync identity, and safe rollout posture.",
36
+ "path": "agents/argocd/argocd-gitops-review-agent",
37
+ "harnesses": [
38
+ "codex",
39
+ "copilot",
40
+ "claude-code",
41
+ "cursor",
42
+ "gemini",
43
+ "kiro"
44
+ ],
45
+ "last_verified": "2026-05-01",
46
+ "official_docs": [
47
+ "https://argo-cd.readthedocs.io/en/stable/",
48
+ "https://argo-cd.readthedocs.io/en/stable/user-guide/projects/",
49
+ "https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/",
50
+ "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/",
51
+ "https://argo-cd.readthedocs.io/en/stable/operator-manual/sync-impersonation/"
52
+ ],
53
+ "security_notes": "application.sync.impersonation.enabled false (default) means every sync runs as cluster-admin. AppProject clusterResourceWhitelist with ['*/*'] grants full cluster write. ApplicationSet cluster generator with empty selector auto-onboards every registered cluster.",
54
+ "source_type": "original",
55
+ "version": "0.1.0"
56
+ },
2
57
  {
3
58
  "id": "aws-agentcore-agent",
4
59
  "name": "AWS AgentCore",
@@ -798,6 +853,43 @@
798
853
  "author": "github: Raishin",
799
854
  "version": "0.2.0"
800
855
  },
856
+ {
857
+ "id": "aws-maestro-agent",
858
+ "name": "AWS Maestro",
859
+ "type": "agent",
860
+ "provider": "aws",
861
+ "harnesses": [
862
+ "codex",
863
+ "copilot",
864
+ "claude-code",
865
+ "cursor",
866
+ "gemini",
867
+ "kiro"
868
+ ],
869
+ "summary": "Per-cloud router that classifies the user's task, selects the narrowest AWS specialist or the right team of specialists from the catalog, and dispatches in parallel when the task spans multiple domains. Never auto-dispatches live-guard agents.",
870
+ "source_type": "adapted",
871
+ "official_docs": [
872
+ "https://docs.aws.amazon.com/",
873
+ "https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html",
874
+ "https://docs.aws.amazon.com/bedrock/latest/userguide/agents.html",
875
+ "https://docs.aws.amazon.com/bedrock/latest/userguide/agentcore.html",
876
+ "https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html"
877
+ ],
878
+ "security_notes": "Live-guard gate is non-negotiable: aws-live-deployment-guarded-operator-agent, aws-live-ecs-rollout-guard-agent, aws-live-iac-change-guard-agent, aws-live-pipeline-approval-operator-agent, and aws-live-serverless-release-guard-agent must never be auto-dispatched. Always surface blast-radius assessment and rollback path and require explicit written human confirmation before routing to any live-guard agent.",
879
+ "last_verified": "2026-04-30",
880
+ "path": "agents/aws/aws-maestro-agent",
881
+ "harness_variants": {
882
+ "codex": "agents/aws/aws-maestro-agent/harnesses/codex.toml",
883
+ "copilot": "agents/aws/aws-maestro-agent/harnesses/copilot.agent.md",
884
+ "claude-code": "agents/aws/aws-maestro-agent/harnesses/claude-code.agent.md",
885
+ "cursor": "agents/aws/aws-maestro-agent/harnesses/cursor.agent.md",
886
+ "gemini": "agents/aws/aws-maestro-agent/harnesses/gemini.agent.md",
887
+ "kiro-ide": "agents/aws/aws-maestro-agent/harnesses/kiro-ide.agent.md",
888
+ "kiro-cli": "agents/aws/aws-maestro-agent/harnesses/kiro-cli.agent.json"
889
+ },
890
+ "author": "github: Raishin",
891
+ "version": "0.1.0"
892
+ },
801
893
  {
802
894
  "id": "aws-migration-cutover-architect-agent",
803
895
  "name": "AWS Migration Cutover Architect",
@@ -934,6 +1026,33 @@
934
1026
  "author": "github: Raishin",
935
1027
  "version": "0.2.0"
936
1028
  },
1029
+ {
1030
+ "id": "aws-private-ca-issuer-review-agent",
1031
+ "name": "AWS Private CA Issuer Review",
1032
+ "type": "agent",
1033
+ "provider": "aws",
1034
+ "harnesses": [
1035
+ "codex",
1036
+ "copilot",
1037
+ "claude-code",
1038
+ "cursor",
1039
+ "gemini",
1040
+ "kiro"
1041
+ ],
1042
+ "summary": "Review AWS ACM Private Certificate Authority issuer configurations for cert-manager, covering CA hierarchy safety, certificate template ARN scope, IRSA permissions minimization, validity period alignment, CRL reachability, and cross-account PCA usage patterns.",
1043
+ "source_type": "original",
1044
+ "official_docs": [
1045
+ "https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html",
1046
+ "https://github.com/cert-manager/aws-privateca-issuer",
1047
+ "https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html",
1048
+ "https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html",
1049
+ "https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html"
1050
+ ],
1051
+ "security_notes": "Using a Root CA ARN in AWSPCAIssuer exposes the root of trust directly to cert-manager. A SubordinateCACertificate template allows cert-manager to issue intermediate CAs, enabling an attacker with cert-manager IRSA access to create a shadow CA trusted by the entire corporate PKI. IRSA role must exclude acm-pca:DeleteCertificateAuthority and acm-pca:CreateCertificateAuthority.",
1052
+ "last_verified": "2026-05-02",
1053
+ "path": "agents/aws/aws-private-ca-issuer-review-agent",
1054
+ "version": "0.1.0"
1055
+ },
937
1056
  {
938
1057
  "id": "aws-rds-aurora-performance-investigator-agent",
939
1058
  "name": "AWS RDS Aurora Performance Investigator",
@@ -1562,6 +1681,32 @@
1562
1681
  "author": "github: Raishin",
1563
1682
  "version": "0.2.0"
1564
1683
  },
1684
+ {
1685
+ "id": "azure-keyvault-certificate-issuer-review-agent",
1686
+ "name": "Azure Key Vault Certificate Issuer Review",
1687
+ "type": "agent",
1688
+ "provider": "azure",
1689
+ "harnesses": [
1690
+ "codex",
1691
+ "copilot",
1692
+ "claude-code",
1693
+ "cursor",
1694
+ "gemini",
1695
+ "kiro"
1696
+ ],
1697
+ "summary": "Review Azure Key Vault certificate issuer configurations for cert-manager, covering certificate policy alignment, Managed Identity authorization scope, exportability posture, private endpoint connectivity, integrated CA credential scoping, and cert-manager vs Key Vault auto-rotation race conditions.",
1698
+ "source_type": "original",
1699
+ "official_docs": [
1700
+ "https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates",
1701
+ "https://learn.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios",
1702
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security",
1703
+ "https://learn.microsoft.com/en-us/azure/key-vault/general/network-security"
1704
+ ],
1705
+ "security_notes": "Key Vault Contributor role assigned to cert-manager allows deletion of the Key Vault, management policy changes, and purge of soft-deleted certs — a full management plane compromise. Use Key Vault Certificate Officer (data plane RBAC) instead. Exportable certificates allow private key extraction from Key Vault; use non-exportable certs for cluster-internal mTLS.",
1706
+ "last_verified": "2026-05-02",
1707
+ "path": "agents/azure/azure-keyvault-certificate-issuer-review-agent",
1708
+ "version": "0.1.0"
1709
+ },
1565
1710
  {
1566
1711
  "id": "azure-landing-zone-architect-agent",
1567
1712
  "name": "Azure Landing Zone Architect",
@@ -1595,6 +1740,233 @@
1595
1740
  "author": "github: Raishin",
1596
1741
  "version": "0.2.0"
1597
1742
  },
1743
+ {
1744
+ "id": "azure-live-aks-rollout-guard-agent",
1745
+ "name": "Azure Live AKS Rollout Guard",
1746
+ "type": "agent",
1747
+ "provider": "azure",
1748
+ "harnesses": [
1749
+ "codex",
1750
+ "copilot",
1751
+ "claude-code",
1752
+ "cursor",
1753
+ "gemini",
1754
+ "kiro"
1755
+ ],
1756
+ "summary": "Guard AKS deployment rollouts with PDB audit, maxUnavailable and surge check, and explicit pause-before-proceed or undo gate before advancing.",
1757
+ "source_type": "original",
1758
+ "official_docs": [
1759
+ "https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security",
1760
+ "https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads",
1761
+ "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment",
1762
+ "https://kubernetes.io/docs/tasks/run-application/configure-pdb/"
1763
+ ],
1764
+ "security_notes": "Never advance an AKS rollout without PDB audit and replica health check. kubectl rollout undo is safe but must be confirmed before execution to avoid double-rollback churn.",
1765
+ "last_verified": "2026-04-30",
1766
+ "path": "agents/azure/azure-live-aks-rollout-guard-agent",
1767
+ "author": "github: Raishin",
1768
+ "version": "0.1.0"
1769
+ },
1770
+ {
1771
+ "id": "azure-live-app-service-slot-swap-guard-agent",
1772
+ "name": "Azure Live App Service Slot Swap Guard",
1773
+ "type": "agent",
1774
+ "provider": "azure",
1775
+ "harnesses": [
1776
+ "codex",
1777
+ "copilot",
1778
+ "claude-code",
1779
+ "cursor",
1780
+ "gemini",
1781
+ "kiro"
1782
+ ],
1783
+ "summary": "Guard App Service slot swaps by auditing sticky settings, warmup probe readiness, and swap-with-preview evidence before final swap commit.",
1784
+ "source_type": "original",
1785
+ "official_docs": [
1786
+ "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots",
1787
+ "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
1788
+ "https://learn.microsoft.com/en-us/azure/app-service/configure-common"
1789
+ ],
1790
+ "security_notes": "Never perform a production slot swap without sticky-settings diff audit and warmup health confirmation. A bad swap with no rollback plan can take a production app offline instantly.",
1791
+ "last_verified": "2026-04-30",
1792
+ "path": "agents/azure/azure-live-app-service-slot-swap-guard-agent",
1793
+ "author": "github: Raishin",
1794
+ "version": "0.1.0"
1795
+ },
1796
+ {
1797
+ "id": "azure-live-arm-deployment-stack-guard-agent",
1798
+ "name": "Azure Live ARM Deployment Stack Guard",
1799
+ "type": "agent",
1800
+ "provider": "azure",
1801
+ "harnesses": [
1802
+ "codex",
1803
+ "copilot",
1804
+ "claude-code",
1805
+ "cursor",
1806
+ "gemini",
1807
+ "kiro"
1808
+ ],
1809
+ "summary": "Guard ARM template and Deployment Stack changes with what-if evidence, denySettings review, and explicit approval before execute.",
1810
+ "source_type": "original",
1811
+ "official_docs": [
1812
+ "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if",
1813
+ "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks",
1814
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments",
1815
+ "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices"
1816
+ ],
1817
+ "security_notes": "Never execute an ARM or Deployment Stack change without what-if evidence, confirmed target scope, denySettings review, and explicit human approval. Repo write access does not authorize live Azure mutations.",
1818
+ "last_verified": "2026-04-30",
1819
+ "path": "agents/azure/azure-live-arm-deployment-stack-guard-agent",
1820
+ "author": "github: Raishin",
1821
+ "version": "0.1.0"
1822
+ },
1823
+ {
1824
+ "id": "azure-live-cost-budget-action-guard-agent",
1825
+ "name": "Azure Live Cost Budget Action Guard",
1826
+ "type": "agent",
1827
+ "provider": "azure",
1828
+ "harnesses": [
1829
+ "codex",
1830
+ "copilot",
1831
+ "claude-code",
1832
+ "cursor",
1833
+ "gemini",
1834
+ "kiro"
1835
+ ],
1836
+ "summary": "Gate subscription and management-group budget action changes and GPU or HPC SKU scale-up against approved spend thresholds before any cost-impacting mutation.",
1837
+ "source_type": "original",
1838
+ "official_docs": [
1839
+ "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
1840
+ "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits",
1841
+ "https://learn.microsoft.com/en-us/azure/quotas/quickstart-increase-quota-portal",
1842
+ "https://learn.microsoft.com/en-us/azure/cost-management-billing/finops/overview-finops"
1843
+ ],
1844
+ "security_notes": "GPU/HPC SKUs (NDv5, H100, A100) can generate $50K+ daily costs. Never approve quota increases or budget threshold raises without explicit spend-approval sign-off from a financial authority.",
1845
+ "last_verified": "2026-04-30",
1846
+ "path": "agents/azure/azure-live-cost-budget-action-guard-agent",
1847
+ "author": "github: Raishin",
1848
+ "version": "0.1.0"
1849
+ },
1850
+ {
1851
+ "id": "azure-live-entra-role-assignment-guard-agent",
1852
+ "name": "Azure Live Entra Role Assignment Guard",
1853
+ "type": "agent",
1854
+ "provider": "azure",
1855
+ "harnesses": [
1856
+ "codex",
1857
+ "copilot",
1858
+ "claude-code",
1859
+ "cursor",
1860
+ "gemini",
1861
+ "kiro"
1862
+ ],
1863
+ "summary": "Guard live permanent Microsoft Entra ID and Azure RBAC role assignments with scope audit, principal-type risk classification, dangerous-role detection, and explicit approval gates before write.",
1864
+ "source_type": "original",
1865
+ "official_docs": [
1866
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
1867
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices",
1868
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles",
1869
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-alert",
1870
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"
1871
+ ],
1872
+ "security_notes": "Never create Owner, Contributor, or UAA assignments at subscription or management-group scope without CISO-level justification. Always prefer PIM eligible assignment. Block Guest principal assignments without Director-level sign-off.",
1873
+ "last_verified": "2026-05-01",
1874
+ "path": "agents/azure/azure-live-entra-role-assignment-guard-agent",
1875
+ "author": "github: Raishin",
1876
+ "version": "0.1.0"
1877
+ },
1878
+ {
1879
+ "id": "azure-live-keyvault-rotation-purge-guard-agent",
1880
+ "name": "Azure Live Key Vault Rotation Purge Guard",
1881
+ "type": "agent",
1882
+ "provider": "azure",
1883
+ "harnesses": [
1884
+ "codex",
1885
+ "copilot",
1886
+ "claude-code",
1887
+ "cursor",
1888
+ "gemini",
1889
+ "kiro"
1890
+ ],
1891
+ "summary": "Guard Key Vault key and secret rotation, soft-delete enforcement, and purge-protection changes, with explicit irreversibility warning before any purge-protection enable.",
1892
+ "source_type": "original",
1893
+ "official_docs": [
1894
+ "https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery",
1895
+ "https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details",
1896
+ "https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation",
1897
+ "https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices"
1898
+ ],
1899
+ "security_notes": "Purge-protection enable is irreversible. Soft-deleted keys can be recovered within the retention window. HSM-backed hard-purged keys cannot be recovered. Never grant purge rights to routine rotation operators.",
1900
+ "last_verified": "2026-04-30",
1901
+ "path": "agents/azure/azure-live-keyvault-rotation-purge-guard-agent",
1902
+ "author": "github: Raishin",
1903
+ "version": "0.1.0"
1904
+ },
1905
+ {
1906
+ "id": "azure-live-pim-jit-activation-guard-agent",
1907
+ "name": "Azure Live PIM JIT Activation Guard",
1908
+ "type": "agent",
1909
+ "provider": "azure",
1910
+ "harnesses": [
1911
+ "codex",
1912
+ "copilot",
1913
+ "claude-code",
1914
+ "cursor",
1915
+ "gemini",
1916
+ "kiro"
1917
+ ],
1918
+ "summary": "Gate PIM eligible role activations with justification, ticket binding, MFA verification, and time-bound scope before approval submission.",
1919
+ "source_type": "original",
1920
+ "official_docs": [
1921
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan",
1922
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings",
1923
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role",
1924
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure-azure-ad-roles"
1925
+ ],
1926
+ "security_notes": "Never activate a PIM role without justification, ticket reference, and MFA confirmation. An agent cannot activate another user's PIM role on their behalf — only the eligible principal may submit. Requires Entra ID P2 or equivalent license.",
1927
+ "last_verified": "2026-04-30",
1928
+ "path": "agents/azure/azure-live-pim-jit-activation-guard-agent",
1929
+ "author": "github: Raishin",
1930
+ "version": "0.1.0"
1931
+ },
1932
+ {
1933
+ "id": "azure-maestro-agent",
1934
+ "name": "Azure Maestro",
1935
+ "type": "agent",
1936
+ "provider": "azure",
1937
+ "harnesses": [
1938
+ "codex",
1939
+ "copilot",
1940
+ "claude-code",
1941
+ "cursor",
1942
+ "gemini",
1943
+ "kiro"
1944
+ ],
1945
+ "summary": "Per-cloud router agent for Azure. Classifies the user's task, selects the narrowest Azure specialist or the right team of specialists from the catalog, and dispatches in parallel when the task spans multiple domains. Never auto-dispatches live-guard agents.",
1946
+ "source_type": "adapted",
1947
+ "official_docs": [
1948
+ "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/",
1949
+ "https://learn.microsoft.com/en-us/azure/architecture/",
1950
+ "https://learn.microsoft.com/en-us/azure/well-architected/",
1951
+ "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview",
1952
+ "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
1953
+ "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/concepts"
1954
+ ],
1955
+ "security_notes": "Live-guard agents (azure-live-aks-rollout-guard-agent, azure-live-app-service-slot-swap-guard-agent, azure-live-arm-deployment-stack-guard-agent, azure-live-cost-budget-action-guard-agent, azure-live-keyvault-rotation-purge-guard-agent, azure-live-pim-jit-activation-guard-agent) must NEVER be auto-dispatched. All six require explicit human confirmation, blast-radius assessment, and a confirmed rollback path before dispatch. Do not ask for secrets, credentials, tenant IDs, subscription IDs, or any customer-specific identifiers.",
1956
+ "last_verified": "2026-04-30",
1957
+ "path": "agents/azure/azure-maestro-agent",
1958
+ "harness_variants": {
1959
+ "codex": "agents/azure/azure-maestro-agent/harnesses/codex.toml",
1960
+ "copilot": "agents/azure/azure-maestro-agent/harnesses/copilot.agent.md",
1961
+ "claude-code": "agents/azure/azure-maestro-agent/harnesses/claude-code.agent.md",
1962
+ "cursor": "agents/azure/azure-maestro-agent/harnesses/cursor.agent.md",
1963
+ "gemini": "agents/azure/azure-maestro-agent/harnesses/gemini.agent.md",
1964
+ "kiro-ide": "agents/azure/azure-maestro-agent/harnesses/kiro-ide.agent.md",
1965
+ "kiro-cli": "agents/azure/azure-maestro-agent/harnesses/kiro-cli.agent.json"
1966
+ },
1967
+ "author": "github: Raishin",
1968
+ "version": "0.1.0"
1969
+ },
1598
1970
  {
1599
1971
  "id": "azure-migrate-landing-zone-cutover-agent",
1600
1972
  "name": "Azure Migrate Landing Zone Cutover",
@@ -1958,10 +2330,10 @@
1958
2330
  "version": "0.2.0"
1959
2331
  },
1960
2332
  {
1961
- "id": "oci-autonomous-database-architect-agent",
1962
- "name": "OCI Autonomous Database Architect",
2333
+ "id": "backstage-scaffolder-template-review-agent",
2334
+ "name": "Backstage Scaffolder Template Review",
1963
2335
  "type": "agent",
1964
- "provider": "oci",
2336
+ "provider": "backstage",
1965
2337
  "harnesses": [
1966
2338
  "codex",
1967
2339
  "copilot",
@@ -1970,23 +2342,25 @@
1970
2342
  "gemini",
1971
2343
  "kiro"
1972
2344
  ],
1973
- "summary": "Agent for oci-autonomous-database-architect. OCI Architect and operate Autonomous Database and Autonomous AI Database across serverless, dedicated Exadata, Cloud@Customer, Oracle Database@Azure, Oracle Database@Google Cloud, and Oracle Database@AWS contexts.",
1974
- "source_type": "adapted",
2345
+ "summary": "Agent for backstage-scaffolder-template-review. Review Backstage Scaffolder software templates for action blast-radius, input parameter injection, RBAC gate coverage, secret scope, catalog entity poisoning, and output exposure.",
2346
+ "source_type": "original",
1975
2347
  "official_docs": [
1976
- "https://docs.oracle.com/en-us/iaas/Content/home.htm",
1977
- "https://www.oracle.com/cloud/"
2348
+ "https://backstage.io/docs/features/software-templates/",
2349
+ "https://backstage.io/docs/features/software-templates/writing-templates",
2350
+ "https://backstage.io/docs/features/software-templates/builtin-actions",
2351
+ "https://backstage.io/docs/permissions/overview",
2352
+ "https://backstage.io/docs/integrations/github/github-apps"
1978
2353
  ],
1979
- "security_notes": "OCI agents can inspect or guide changes to cloud resources. Use least-privilege access, read-only discovery first, and explicit approval for mutations.",
1980
- "last_verified": "2026-04-27",
1981
- "path": "agents/oci/oci-autonomous-database-architect-agent",
1982
- "author": "github: Raishin",
1983
- "version": "0.2.0"
2354
+ "security_notes": "Backstage Scaffolder templates without RBAC gate and without input validation allow any developer to trigger infrastructure provisioning actions. Templates that provision cloud resources via Terraform or Crossplane CRDs effectively grant cloud-write to all Backstage users.",
2355
+ "last_verified": "2026-05-02",
2356
+ "path": "agents/backstage/backstage-scaffolder-template-review-agent",
2357
+ "version": "0.1.0"
1984
2358
  },
1985
2359
  {
1986
- "id": "oci-cloud-guard-responder-agent",
1987
- "name": "OCI Cloud Guard Responder",
2360
+ "id": "cert-manager-issuer-trust-review-agent",
2361
+ "name": "cert-manager Issuer Trust Review",
1988
2362
  "type": "agent",
1989
- "provider": "oci",
2363
+ "provider": "cert-manager",
1990
2364
  "harnesses": [
1991
2365
  "codex",
1992
2366
  "copilot",
@@ -1995,23 +2369,621 @@
1995
2369
  "gemini",
1996
2370
  "kiro"
1997
2371
  ],
1998
- "summary": "Agent for oci-cloud-guard-responder. Triage and govern OCI Cloud Guard problems, targets, responder recipes, detector findings, and security remediation safely.",
1999
- "source_type": "adapted",
2372
+ "summary": "Review cert-manager Issuer and ClusterIssuer scope, CertificateRequestPolicy coverage, certificate SAN and duration risks, trust-manager bundle distribution blast radius, and cloud CA integration authentication for Kubernetes PKI posture.",
2373
+ "source_type": "original",
2000
2374
  "official_docs": [
2001
- "https://docs.oracle.com/en-us/iaas/Content/home.htm",
2002
- "https://www.oracle.com/cloud/"
2375
+ "https://cert-manager.io/docs/",
2376
+ "https://cert-manager.io/docs/concepts/certificate/",
2377
+ "https://cert-manager.io/docs/concepts/issuer/",
2378
+ "https://cert-manager.io/docs/projects/approver-policy/",
2379
+ "https://cert-manager.io/docs/projects/trust-manager/",
2380
+ "https://cert-manager.io/docs/configuration/"
2003
2381
  ],
2004
- "security_notes": "OCI agents can inspect or guide changes to cloud resources. Use least-privilege access, read-only discovery first, and explicit approval for mutations.",
2005
- "last_verified": "2026-04-27",
2006
- "path": "agents/oci/oci-cloud-guard-responder-agent",
2007
- "author": "github: Raishin",
2008
- "version": "0.2.0"
2382
+ "security_notes": "A ClusterIssuer backed by a corporate Private CA with no CertificateRequestPolicy means any namespace can issue certs for any DNS name trusted by the corporate CA, enabling a compromised workload to perform mTLS MITM against internal services.",
2383
+ "last_verified": "2026-05-02",
2384
+ "path": "agents/cert-manager/cert-manager-issuer-trust-review-agent",
2385
+ "version": "0.1.0"
2009
2386
  },
2010
2387
  {
2011
- "id": "oci-compute-instance-agent-operator-agent",
2012
- "name": "OCI Compute Instance Agent Operator",
2388
+ "id": "cilium-network-policy-review-agent",
2389
+ "name": "Cilium Network Policy Review",
2013
2390
  "type": "agent",
2014
- "provider": "oci",
2391
+ "provider": "cilium",
2392
+ "summary": "Review Cilium CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, standard NetworkPolicy, ClusterMesh cross-cluster policy semantics, and egress gateway configuration for default-deny posture, L7 enforcement requirements, and exfiltration risk.",
2393
+ "path": "agents/cilium/cilium-network-policy-review-agent",
2394
+ "harnesses": [
2395
+ "codex",
2396
+ "copilot",
2397
+ "claude-code",
2398
+ "cursor",
2399
+ "gemini",
2400
+ "kiro"
2401
+ ],
2402
+ "last_verified": "2026-05-01",
2403
+ "official_docs": [
2404
+ "https://docs.cilium.io/en/stable/network/kubernetes/policy/",
2405
+ "https://docs.cilium.io/en/stable/network/clustermesh/policy/",
2406
+ "https://docs.cilium.io/en/stable/network/egress-gateway/",
2407
+ "https://docs.cilium.io/en/stable/observability/hubble/",
2408
+ "https://kubernetes.io/docs/concepts/services-networking/network-policies/"
2409
+ ],
2410
+ "security_notes": "policy-default-local-cluster flag change affects cross-cluster semantics of EVERY existing CiliumNetworkPolicy globally. toCIDRSet 0.0.0.0/0 without excluding the cloud metadata endpoint (169.254.169.254) is the Capital One breach path.",
2411
+ "source_type": "original",
2412
+ "version": "0.1.0"
2413
+ },
2414
+ {
2415
+ "id": "external-secrets-operator-review-agent",
2416
+ "name": "External Secrets Operator Review Agent",
2417
+ "type": "agent",
2418
+ "provider": "kubernetes",
2419
+ "harnesses": [
2420
+ "codex",
2421
+ "copilot",
2422
+ "claude-code",
2423
+ "cursor",
2424
+ "gemini",
2425
+ "kiro"
2426
+ ],
2427
+ "summary": "Review ESO SecretStore, ClusterSecretStore, ExternalSecret, and PushSecret for scope creep, auth anti-patterns, refresh interval risks, and dataFrom blast radius.",
2428
+ "source_type": "original",
2429
+ "official_docs": [
2430
+ "https://external-secrets.io/latest/introduction/overview/",
2431
+ "https://external-secrets.io/latest/api/secretstore/",
2432
+ "https://external-secrets.io/latest/api/externalsecret/",
2433
+ "https://external-secrets.io/latest/api/clustersecretstore/",
2434
+ "https://external-secrets.io/latest/provider/aws-secrets-manager/",
2435
+ "https://external-secrets.io/latest/provider/azure-key-vault/"
2436
+ ],
2437
+ "security_notes": "ClusterSecretStore with no namespace selector grants every namespace access to every external secret reachable by the store credentials. Static credentials in SecretStore auth create a credential-to-access-credentials chain where compromise of the K8s Secret gives full access to the external store.",
2438
+ "last_verified": "2026-05-02",
2439
+ "path": "agents/kubernetes/external-secrets-operator-review-agent",
2440
+ "version": "0.1.0"
2441
+ },
2442
+ {
2443
+ "id": "falco-runtime-threat-rules-review-agent",
2444
+ "name": "Falco Runtime Threat Rules Review Agent",
2445
+ "type": "agent",
2446
+ "provider": "falco",
2447
+ "harnesses": [
2448
+ "codex",
2449
+ "copilot",
2450
+ "claude-code",
2451
+ "cursor",
2452
+ "gemini",
2453
+ "kiro"
2454
+ ],
2455
+ "summary": "Review Falco rules for macro correctness, exception blast radius, sensitive-path coverage, K8s audit gaps, and alert output routing.",
2456
+ "source_type": "original",
2457
+ "official_docs": [
2458
+ "https://falco.org/docs/rules/",
2459
+ "https://falco.org/docs/reference/rules/supported-syscalls/",
2460
+ "https://falco.org/docs/install-operate/third-party/falco-sidekick/",
2461
+ "https://falco.org/docs/reference/rules/exceptions/",
2462
+ "https://falco.org/docs/install-operate/deployment/",
2463
+ "https://github.com/falcosecurity/rules/tree/main/rules"
2464
+ ],
2465
+ "security_notes": "Falco with overly broad rule exceptions creates detection blind spots. A rule exception matching an entire process family (java, python, node) or a specific container name completely disables detection for that workload — attackers can exploit known exception patterns.",
2466
+ "last_verified": "2026-05-02",
2467
+ "path": "agents/falco/falco-runtime-threat-rules-review-agent",
2468
+ "version": "0.1.0"
2469
+ },
2470
+ {
2471
+ "id": "finops-cloud-price-advisor-agent",
2472
+ "name": "FinOps Cloud Price Advisor",
2473
+ "type": "agent",
2474
+ "provider": "multi-cloud",
2475
+ "harnesses": [
2476
+ "codex",
2477
+ "copilot",
2478
+ "claude-code",
2479
+ "cursor",
2480
+ "gemini",
2481
+ "kiro"
2482
+ ],
2483
+ "summary": "Fetch live public prices from AWS, Azure, and OCI pricing APIs and produce cost estimates for live environments or planned prototypes. Currency defaults to USD; other currencies on request. No cloud credentials required.",
2484
+ "source_type": "original",
2485
+ "official_docs": [
2486
+ "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/price-changes.html",
2487
+ "https://learn.microsoft.com/en-us/rest/api/cost-management/retail-prices/azure-retail-prices",
2488
+ "https://docs.oracle.com/en-us/iaas/Content/Billing/Concepts/costanalysisoverview.htm",
2489
+ "https://aws.amazon.com/pricing/",
2490
+ "https://azure.microsoft.com/en-us/pricing/calculator/",
2491
+ "https://www.oracle.com/cloud/price-list.html"
2492
+ ],
2493
+ "security_notes": "All three pricing APIs are public and unauthenticated. Never request or accept cloud credentials, billing account IDs, cost export access, or tenant-specific data. Inventory enumeration for live-environment mode requires only read-only cloud permissions.",
2494
+ "last_verified": "2026-04-30",
2495
+ "path": "agents/finops/finops-cloud-price-advisor-agent",
2496
+ "author": "github: Raishin",
2497
+ "version": "0.1.0"
2498
+ },
2499
+ {
2500
+ "id": "fluxcd-kustomization-helmrelease-review-agent",
2501
+ "name": "FluxCD Kustomization and HelmRelease Review",
2502
+ "type": "agent",
2503
+ "provider": "fluxcd",
2504
+ "harnesses": [
2505
+ "codex",
2506
+ "copilot",
2507
+ "claude-code",
2508
+ "cursor",
2509
+ "gemini",
2510
+ "kiro"
2511
+ ],
2512
+ "summary": "Agent for fluxcd-kustomization-helmrelease-review. Review FluxCD Kustomization, HelmRelease, and source resources for SOPS encryption, source trust, ServiceAccount scoping, prune safety, and HelmRelease upgrade remediation.",
2513
+ "source_type": "original",
2514
+ "official_docs": [
2515
+ "https://fluxcd.io/flux/components/kustomize/kustomizations/",
2516
+ "https://fluxcd.io/flux/components/helm/helmreleases/",
2517
+ "https://fluxcd.io/flux/components/source/gitrepositories/",
2518
+ "https://fluxcd.io/flux/guides/repository-structure/",
2519
+ "https://fluxcd.io/flux/security/secrets-management/",
2520
+ "https://fluxcd.io/flux/installation/configuration/multitenancy/"
2521
+ ],
2522
+ "security_notes": "Plaintext Kubernetes Secret manifests committed to a FluxCD Git source are exposed to anyone with repo read access — including CI systems, PR participants, and auditors. GitRepository sources without commit signature verification allow any commit (including injected ones) to deploy to production.",
2523
+ "last_verified": "2026-05-02",
2524
+ "path": "agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent",
2525
+ "version": "0.1.0"
2526
+ },
2527
+ {
2528
+ "id": "istio-ambient-mesh-review-agent",
2529
+ "name": "Istio Ambient Mesh Review",
2530
+ "type": "agent",
2531
+ "provider": "istio",
2532
+ "summary": "Review Istio ambient mesh configuration — ztunnel L4 vs waypoint L7 enforcement, AuthorizationPolicy scope, PeerAuthentication mTLS mode, RequestAuthentication JWKs, and gateway configuration for service mesh security posture.",
2533
+ "path": "agents/istio/istio-ambient-mesh-review-agent",
2534
+ "harnesses": [
2535
+ "codex",
2536
+ "copilot",
2537
+ "claude-code",
2538
+ "cursor",
2539
+ "gemini",
2540
+ "kiro"
2541
+ ],
2542
+ "last_verified": "2026-05-01",
2543
+ "official_docs": [
2544
+ "https://istio.io/latest/docs/ambient/",
2545
+ "https://istio.io/latest/docs/reference/config/security/authorization-policy/",
2546
+ "https://istio.io/latest/docs/reference/config/security/peer_authentication/",
2547
+ "https://istio.io/latest/docs/ops/diagnostic-tools/istioctl-analyze/",
2548
+ "https://istio.io/latest/docs/tasks/security/authorization/"
2549
+ ],
2550
+ "security_notes": "L7 AuthorizationPolicy in ambient mode without a waypoint is silently bypassed — ztunnel only enforces L4. PERMISSIVE PeerAuthentication in a production namespace is a critical finding.",
2551
+ "source_type": "original",
2552
+ "version": "0.1.0"
2553
+ },
2554
+ {
2555
+ "id": "kubecost-chargeback-allocation-review-agent",
2556
+ "name": "Kubecost Chargeback and Allocation Review",
2557
+ "type": "agent",
2558
+ "provider": "kubernetes",
2559
+ "harnesses": [
2560
+ "codex",
2561
+ "copilot",
2562
+ "claude-code",
2563
+ "cursor",
2564
+ "gemini",
2565
+ "kiro"
2566
+ ],
2567
+ "summary": "Agent for kubecost-chargeback-allocation-review. Review Kubecost and OpenCost deployments for cost allocation accuracy, label taxonomy completeness, shared cost model, idle attribution, budget alerts, API authentication, and savings recommendation hygiene.",
2568
+ "source_type": "original",
2569
+ "official_docs": [
2570
+ "https://www.kubecost.com/kubernetes-cost-optimization/",
2571
+ "https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cost-allocation",
2572
+ "https://www.opencost.io/docs/",
2573
+ "https://docs.kubecost.com/install-and-configure/advanced-configuration/cost-model",
2574
+ "https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings",
2575
+ "https://docs.kubecost.com/apis/apis-overview"
2576
+ ],
2577
+ "security_notes": "Kubecost cost allocation API without authentication exposes team-level spend data to any pod in the cluster. Multi-cluster Kubecost aggregation requires cross-cluster network access — review whether the aggregation network path is private or exposed.",
2578
+ "last_verified": "2026-05-02",
2579
+ "path": "agents/kubernetes/kubecost-chargeback-allocation-review-agent",
2580
+ "version": "0.1.0"
2581
+ },
2582
+ {
2583
+ "id": "kubernetes-live-admission-policy-guard-agent",
2584
+ "name": "Kubernetes Live Admission Policy Guard",
2585
+ "type": "agent",
2586
+ "provider": "kubernetes",
2587
+ "summary": "Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, PolicyException, and native ValidatingAdmissionPolicy/MutatingAdmissionPolicy resources. Requires current-state capture, failureAction impact assessment, and explicit approval before any write.",
2588
+ "path": "agents/kubernetes/kubernetes-live-admission-policy-guard-agent",
2589
+ "harnesses": [
2590
+ "codex",
2591
+ "copilot",
2592
+ "claude-code",
2593
+ "cursor",
2594
+ "gemini",
2595
+ "kiro"
2596
+ ],
2597
+ "last_verified": "2026-05-01",
2598
+ "official_docs": [
2599
+ "https://kyverno.io/docs/",
2600
+ "https://kyverno.io/docs/writing-policies/validate/",
2601
+ "https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/",
2602
+ "https://kubernetes.io/docs/concepts/security/pod-security-admission/"
2603
+ ],
2604
+ "security_notes": "Changing failureAction from Enforce to Audit in production silently unblocks violations. Deleting a ClusterPolicy removes admission control for ALL namespaces simultaneously. PolicyException without expiry is permanent.",
2605
+ "source_type": "original",
2606
+ "version": "0.1.0"
2607
+ },
2608
+ {
2609
+ "id": "kubernetes-live-argocd-sync-guard-agent",
2610
+ "name": "Kubernetes Live Argo CD Sync Guard",
2611
+ "type": "agent",
2612
+ "provider": "kubernetes",
2613
+ "summary": "Guard live argocd CLI or kubectl operations on Argo CD Application, AppProject, and ApplicationSet resources, and sync-window modifications. Requires AppProject blast-radius assessment, sync identity review, and explicit approval before any production sync, AppProject mutation, or sync-window deletion.",
2614
+ "path": "agents/kubernetes/kubernetes-live-argocd-sync-guard-agent",
2615
+ "harnesses": [
2616
+ "codex",
2617
+ "copilot",
2618
+ "claude-code",
2619
+ "cursor",
2620
+ "gemini",
2621
+ "kiro"
2622
+ ],
2623
+ "last_verified": "2026-05-01",
2624
+ "official_docs": [
2625
+ "https://argo-cd.readthedocs.io/en/stable/",
2626
+ "https://argo-cd.readthedocs.io/en/stable/user-guide/projects/",
2627
+ "https://argo-cd.readthedocs.io/en/stable/operator-manual/sync-windows/",
2628
+ "https://argo-cd.readthedocs.io/en/stable/operator-manual/sync-impersonation/"
2629
+ ],
2630
+ "security_notes": "Deleting or disabling a sync-window removes the last gate blocking unreviewed changes to production. Expanding AppProject clusterResourceWhitelist to ['*/*'] grants full cluster write. RollingSync requires auto-sync disabled.",
2631
+ "source_type": "original",
2632
+ "version": "0.1.0"
2633
+ },
2634
+ {
2635
+ "id": "kubernetes-live-mesh-policy-guard-agent",
2636
+ "name": "Kubernetes Live Mesh Policy Guard",
2637
+ "type": "agent",
2638
+ "provider": "kubernetes",
2639
+ "summary": "Guard live kubectl apply/delete operations on Istio AuthorizationPolicy, PeerAuthentication, RequestAuthentication, Gateway, and VirtualService resources. Requires current mTLS posture assessment, waypoint enrollment check for L7 rules, and explicit approval before any write.",
2640
+ "path": "agents/kubernetes/kubernetes-live-mesh-policy-guard-agent",
2641
+ "harnesses": [
2642
+ "codex",
2643
+ "copilot",
2644
+ "claude-code",
2645
+ "cursor",
2646
+ "gemini",
2647
+ "kiro"
2648
+ ],
2649
+ "last_verified": "2026-05-01",
2650
+ "official_docs": [
2651
+ "https://istio.io/latest/docs/ambient/",
2652
+ "https://istio.io/latest/docs/reference/config/security/authorization-policy/",
2653
+ "https://istio.io/latest/docs/reference/config/security/peer_authentication/",
2654
+ "https://istio.io/latest/docs/ops/diagnostic-tools/istioctl-analyze/"
2655
+ ],
2656
+ "security_notes": "Changing PeerAuthentication from STRICT to PERMISSIVE disables mTLS for all traffic to matched workloads. Deleting the only DENY AuthorizationPolicy removes the default-deny posture. L7 AuthorizationPolicy in ambient without waypoint is silently bypassed.",
2657
+ "source_type": "original",
2658
+ "version": "0.1.0"
2659
+ },
2660
+ {
2661
+ "id": "kubernetes-live-network-policy-guard-agent",
2662
+ "name": "Kubernetes Live Network Policy Guard",
2663
+ "type": "agent",
2664
+ "provider": "kubernetes",
2665
+ "summary": "Guard live kubectl apply/delete operations on CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, NetworkPolicy, and CiliumEgressGatewayPolicy resources. Requires default-deny posture assessment, egress blast-radius evaluation, and explicit approval before any write.",
2666
+ "path": "agents/kubernetes/kubernetes-live-network-policy-guard-agent",
2667
+ "harnesses": [
2668
+ "codex",
2669
+ "copilot",
2670
+ "claude-code",
2671
+ "cursor",
2672
+ "gemini",
2673
+ "kiro"
2674
+ ],
2675
+ "last_verified": "2026-05-01",
2676
+ "official_docs": [
2677
+ "https://docs.cilium.io/en/stable/network/kubernetes/policy/",
2678
+ "https://docs.cilium.io/en/stable/network/egress-gateway/",
2679
+ "https://docs.cilium.io/en/stable/observability/hubble/",
2680
+ "https://kubernetes.io/docs/concepts/services-networking/network-policies/"
2681
+ ],
2682
+ "security_notes": "Deleting a default-deny CiliumNetworkPolicy removes all ingress/egress restrictions for matched workloads. toCIDRSet change to include 0.0.0.0/0 without excluding 169.254.169.254/32 opens the cloud metadata service. CiliumClusterwideNetworkPolicy changes affect all namespaces simultaneously.",
2683
+ "source_type": "original",
2684
+ "version": "0.1.0"
2685
+ },
2686
+ {
2687
+ "id": "kubernetes-live-rbac-mutation-guard-agent",
2688
+ "name": "Kubernetes Live RBAC Mutation Guard",
2689
+ "type": "agent",
2690
+ "provider": "kubernetes",
2691
+ "harnesses": [
2692
+ "codex",
2693
+ "copilot",
2694
+ "claude-code",
2695
+ "cursor",
2696
+ "gemini",
2697
+ "kiro"
2698
+ ],
2699
+ "summary": "Guard live kubectl apply/create/delete operations on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings with privilege-escalation verb detection, scope assessment, current-state diff, and explicit approval before write.",
2700
+ "source_type": "original",
2701
+ "official_docs": [
2702
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
2703
+ "https://kubernetes.io/docs/concepts/security/rbac-good-practices/",
2704
+ "https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/",
2705
+ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
2706
+ ],
2707
+ "security_notes": "Capture current RBAC state before every mutation — no built-in rollback. Block escalate, bind, and impersonate verbs without platform-team approval. Never approve wildcard grants. Cached tokens remain valid after binding deletion until expiry.",
2708
+ "last_verified": "2026-05-01",
2709
+ "path": "agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent",
2710
+ "author": "github: Raishin",
2711
+ "version": "0.1.0"
2712
+ },
2713
+ {
2714
+ "id": "kubernetes-live-velero-restore-guard-agent",
2715
+ "name": "Kubernetes Live Velero Restore Guard",
2716
+ "type": "agent",
2717
+ "provider": "kubernetes",
2718
+ "harnesses": [
2719
+ "codex",
2720
+ "copilot",
2721
+ "claude-code",
2722
+ "cursor",
2723
+ "gemini",
2724
+ "kiro"
2725
+ ],
2726
+ "summary": "Live-guard agent for Velero backup/restore operations on Kubernetes clusters — enforcing cluster context confirmation, restore scope review, dry-run gating, current-state capture, and explicit platform-team sign-off before any mutation.",
2727
+ "source_type": "original",
2728
+ "official_docs": [
2729
+ "https://velero.io/docs/latest/",
2730
+ "https://velero.io/docs/latest/restore-reference/",
2731
+ "https://velero.io/docs/latest/backup-reference/",
2732
+ "https://velero.io/docs/latest/locations/",
2733
+ "https://velero.io/docs/latest/hooks/"
2734
+ ],
2735
+ "security_notes": "Velero restore with existingResourcePolicy:update can overwrite live RBAC resources, Secrets, and ServiceAccounts — equivalent to a partial cluster wipe. BSL credentials with write-only access prevent listing/deleting old backups, causing runaway storage costs. Never proceed with cluster-wide restores without explicit platform-team sign-off.",
2736
+ "last_verified": "2026-05-02",
2737
+ "path": "agents/kubernetes/kubernetes-live-velero-restore-guard-agent",
2738
+ "version": "0.1.0"
2739
+ },
2740
+ {
2741
+ "id": "kubernetes-maestro-agent",
2742
+ "name": "Kubernetes Maestro",
2743
+ "type": "agent",
2744
+ "provider": "kubernetes",
2745
+ "summary": "Per-platform router for Kubernetes. Classifies the user's task, selects the narrowest specialist or the right team of specialists from the catalog, and dispatches in parallel when the task spans multiple domains. Never auto-dispatches live-guard agents.",
2746
+ "path": "agents/kubernetes/kubernetes-maestro-agent",
2747
+ "harnesses": [
2748
+ "codex",
2749
+ "copilot",
2750
+ "claude-code",
2751
+ "cursor",
2752
+ "gemini",
2753
+ "kiro"
2754
+ ],
2755
+ "last_verified": "2026-05-01",
2756
+ "official_docs": [
2757
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
2758
+ "https://kubernetes.io/docs/concepts/security/pod-security-admission/",
2759
+ "https://kyverno.io/docs/",
2760
+ "https://istio.io/latest/docs/ambient/",
2761
+ "https://docs.cilium.io/en/stable/",
2762
+ "https://argo-cd.readthedocs.io/en/stable/",
2763
+ "https://opentelemetry.io/docs/kubernetes/",
2764
+ "https://kubernetes.io/docs/concepts/workloads/pods/service-accounts/"
2765
+ ],
2766
+ "security_notes": "Live-guard gate is non-negotiable: kubernetes-live-rbac-mutation-guard-agent, kubernetes-live-admission-policy-guard-agent, kubernetes-live-mesh-policy-guard-agent, kubernetes-live-argocd-sync-guard-agent, and kubernetes-live-network-policy-guard-agent must never be auto-dispatched.",
2767
+ "source_type": "original",
2768
+ "version": "0.1.0"
2769
+ },
2770
+ {
2771
+ "id": "kubernetes-pod-spec-review-agent",
2772
+ "name": "Kubernetes Pod Spec Review",
2773
+ "type": "agent",
2774
+ "provider": "kubernetes",
2775
+ "harnesses": [
2776
+ "codex",
2777
+ "copilot",
2778
+ "claude-code",
2779
+ "cursor",
2780
+ "gemini",
2781
+ "kiro"
2782
+ ],
2783
+ "summary": "Review Kubernetes Pod, Deployment, and StatefulSet specs for probe correctness, resource QoS, securityContext posture, image pull policy, secret consumption patterns, topology spread, and termination grace period against CKAD-aligned production-readiness standards.",
2784
+ "source_type": "original",
2785
+ "official_docs": [
2786
+ "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/",
2787
+ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
2788
+ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
2789
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
2790
+ "https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/",
2791
+ "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"
2792
+ ],
2793
+ "security_notes": "Secrets mounted as environment variables appear in kubectl describe pod output and in /proc/self/environ, accessible to any process in the container. Root containers can write to host paths if hostPath volumes are present. Missing runAsNonRoot allows container breakout to node if combined with hostPath or privileged mode.",
2794
+ "last_verified": "2026-05-02",
2795
+ "path": "agents/kubernetes/kubernetes-pod-spec-review-agent",
2796
+ "version": "0.1.0"
2797
+ },
2798
+ {
2799
+ "id": "kubernetes-psa-review-agent",
2800
+ "name": "Kubernetes Pod Security Admission Review",
2801
+ "type": "agent",
2802
+ "provider": "kubernetes",
2803
+ "summary": "Review Kubernetes Pod Security Admission namespace labels — enforce/audit/warn modes, privileged/baseline/restricted profiles, version pinning, cluster AdmissionConfiguration defaults, and migration from deprecated PodSecurityPolicy.",
2804
+ "path": "agents/kubernetes/kubernetes-psa-review-agent",
2805
+ "harnesses": [
2806
+ "codex",
2807
+ "copilot",
2808
+ "claude-code",
2809
+ "cursor",
2810
+ "gemini",
2811
+ "kiro"
2812
+ ],
2813
+ "last_verified": "2026-05-01",
2814
+ "official_docs": [
2815
+ "https://kubernetes.io/docs/concepts/security/pod-security-admission/",
2816
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
2817
+ "https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/",
2818
+ "https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/",
2819
+ "https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/"
2820
+ ],
2821
+ "security_notes": "A production namespace with no PSA label inherits cluster default which is privileged unless overridden — treat as critical finding. enforce-version latest changes profile semantics on every Kubernetes minor upgrade.",
2822
+ "source_type": "original",
2823
+ "version": "0.1.0"
2824
+ },
2825
+ {
2826
+ "id": "kubernetes-rbac-review-agent",
2827
+ "name": "Kubernetes RBAC Review",
2828
+ "type": "agent",
2829
+ "provider": "kubernetes",
2830
+ "harnesses": [
2831
+ "codex",
2832
+ "copilot",
2833
+ "claude-code",
2834
+ "cursor",
2835
+ "gemini",
2836
+ "kiro"
2837
+ ],
2838
+ "summary": "Agent for kubernetes-rbac-review. Review Kubernetes Roles, ClusterRoles, RoleBindings, ClusterRoleBindings, and ServiceAccounts for least-privilege, namespace-scope minimization, and workload identity safety.",
2839
+ "source_type": "original",
2840
+ "official_docs": [
2841
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
2842
+ "https://kubernetes.io/docs/concepts/security/rbac-good-practices/",
2843
+ "https://kubernetes.io/docs/reference/access-authn-authz/authorization/",
2844
+ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
2845
+ ],
2846
+ "security_notes": "Prefer read-only inspection. Do not recommend cluster-admin bindings, wildcard grants, or shared ServiceAccounts without explicit justification. Always prefer namespace-scoped Roles before ClusterRoles for workloads that do not need cluster-wide access.",
2847
+ "last_verified": "2026-05-01",
2848
+ "path": "agents/kubernetes/kubernetes-rbac-review-agent",
2849
+ "author": "github: Raishin",
2850
+ "version": "0.1.0"
2851
+ },
2852
+ {
2853
+ "id": "kubernetes-workload-identity-review-agent",
2854
+ "name": "Kubernetes Workload Identity Review",
2855
+ "type": "agent",
2856
+ "provider": "kubernetes",
2857
+ "summary": "Review Kubernetes workload identity configuration — IRSA, Azure Workload Identity, GKE Workload Identity, and generic OIDC projected token bindings — for trust policy scope, static credential fallback risk, token audience validation, and cross-account reuse.",
2858
+ "path": "agents/kubernetes/kubernetes-workload-identity-review-agent",
2859
+ "harnesses": [
2860
+ "codex",
2861
+ "copilot",
2862
+ "claude-code",
2863
+ "cursor",
2864
+ "gemini",
2865
+ "kiro"
2866
+ ],
2867
+ "last_verified": "2026-05-01",
2868
+ "official_docs": [
2869
+ "https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html",
2870
+ "https://azure.github.io/azure-workload-identity/docs/",
2871
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity",
2872
+ "https://kubernetes.io/docs/concepts/workloads/pods/service-accounts/",
2873
+ "https://openid.net/specs/openid-connect-core-1_0.html"
2874
+ ],
2875
+ "security_notes": "OIDC trust policy with wildcard sub allows any pod in the cluster to assume the role. Static credentials in environment variables defeat workload identity migration — cloud SDKs search the credential chain in order and a leftover env var always wins.",
2876
+ "source_type": "original",
2877
+ "version": "0.1.0"
2878
+ },
2879
+ {
2880
+ "id": "kyverno-policy-review-agent",
2881
+ "name": "Kyverno Policy Review",
2882
+ "type": "agent",
2883
+ "provider": "kyverno",
2884
+ "summary": "Review Kyverno ClusterPolicy and Policy resources for failureAction, background scanning, PolicyException audit, mutate/generate rules, and Kyverno-vs-native ValidatingAdmissionPolicy decision.",
2885
+ "path": "agents/kyverno/kyverno-policy-review-agent",
2886
+ "harnesses": [
2887
+ "codex",
2888
+ "copilot",
2889
+ "claude-code",
2890
+ "cursor",
2891
+ "gemini",
2892
+ "kiro"
2893
+ ],
2894
+ "last_verified": "2026-05-01",
2895
+ "official_docs": [
2896
+ "https://kyverno.io/docs/",
2897
+ "https://kyverno.io/docs/policy-reports/",
2898
+ "https://kyverno.io/docs/writing-policies/",
2899
+ "https://kyverno.io/docs/policy-exceptions/",
2900
+ "https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/"
2901
+ ],
2902
+ "security_notes": "failureAction: Audit in production is a critical finding — violations are logged but workloads are not blocked. PolicyException without expiry is an infinite escape hatch.",
2903
+ "source_type": "original",
2904
+ "version": "0.1.0"
2905
+ },
2906
+ {
2907
+ "id": "oci-autonomous-database-architect-agent",
2908
+ "name": "OCI Autonomous Database Architect",
2909
+ "type": "agent",
2910
+ "provider": "oci",
2911
+ "harnesses": [
2912
+ "codex",
2913
+ "copilot",
2914
+ "claude-code",
2915
+ "cursor",
2916
+ "gemini",
2917
+ "kiro"
2918
+ ],
2919
+ "summary": "Agent for oci-autonomous-database-architect. OCI Architect and operate Autonomous Database and Autonomous AI Database across serverless, dedicated Exadata, Cloud@Customer, Oracle Database@Azure, Oracle Database@Google Cloud, and Oracle Database@AWS contexts.",
2920
+ "source_type": "adapted",
2921
+ "official_docs": [
2922
+ "https://docs.oracle.com/en-us/iaas/Content/home.htm",
2923
+ "https://www.oracle.com/cloud/"
2924
+ ],
2925
+ "security_notes": "OCI agents can inspect or guide changes to cloud resources. Use least-privilege access, read-only discovery first, and explicit approval for mutations.",
2926
+ "last_verified": "2026-04-27",
2927
+ "path": "agents/oci/oci-autonomous-database-architect-agent",
2928
+ "author": "github: Raishin",
2929
+ "version": "0.2.0"
2930
+ },
2931
+ {
2932
+ "id": "oci-certificates-issuer-review-agent",
2933
+ "name": "OCI Certificates Issuer Review",
2934
+ "type": "agent",
2935
+ "provider": "oci",
2936
+ "harnesses": [
2937
+ "codex",
2938
+ "copilot",
2939
+ "claude-code",
2940
+ "cursor",
2941
+ "gemini",
2942
+ "kiro"
2943
+ ],
2944
+ "summary": "Review OCI Certificates Service issuer configurations for cert-manager on OKE, covering CA hierarchy safety, issuance rule enforcement, OKE Workload Identity vs Instance Principal authentication, IAM policy scope minimization, OCSP reachability, and certificate version lifecycle management.",
2945
+ "source_type": "original",
2946
+ "official_docs": [
2947
+ "https://docs.oracle.com/en-us/iaas/Content/certificates/home.htm",
2948
+ "https://docs.oracle.com/en-us/iaas/Content/certificates/managing-certificate-authority.htm",
2949
+ "https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingworkloadidentity.htm",
2950
+ "https://github.com/oracle/oci-native-ingress-controller"
2951
+ ],
2952
+ "security_notes": "Instance Principal auth for cert-manager on OKE means ANY pod on the node can call the OCI Certificates API using the instance metadata endpoint — not just cert-manager. Use OKE Workload Identity to scope cert-issuance permissions to the cert-manager ServiceAccount only. IAM policy with 'manage certificate-authorities' grants delete and update CA permissions, which is excessive for cert-manager.",
2953
+ "last_verified": "2026-05-02",
2954
+ "path": "agents/oci/oci-certificates-issuer-review-agent",
2955
+ "version": "0.1.0"
2956
+ },
2957
+ {
2958
+ "id": "oci-cloud-guard-responder-agent",
2959
+ "name": "OCI Cloud Guard Responder",
2960
+ "type": "agent",
2961
+ "provider": "oci",
2962
+ "harnesses": [
2963
+ "codex",
2964
+ "copilot",
2965
+ "claude-code",
2966
+ "cursor",
2967
+ "gemini",
2968
+ "kiro"
2969
+ ],
2970
+ "summary": "Agent for oci-cloud-guard-responder. Triage and govern OCI Cloud Guard problems, targets, responder recipes, detector findings, and security remediation safely.",
2971
+ "source_type": "adapted",
2972
+ "official_docs": [
2973
+ "https://docs.oracle.com/en-us/iaas/Content/home.htm",
2974
+ "https://www.oracle.com/cloud/"
2975
+ ],
2976
+ "security_notes": "OCI agents can inspect or guide changes to cloud resources. Use least-privilege access, read-only discovery first, and explicit approval for mutations.",
2977
+ "last_verified": "2026-04-27",
2978
+ "path": "agents/oci/oci-cloud-guard-responder-agent",
2979
+ "author": "github: Raishin",
2980
+ "version": "0.2.0"
2981
+ },
2982
+ {
2983
+ "id": "oci-compute-instance-agent-operator-agent",
2984
+ "name": "OCI Compute Instance Agent Operator",
2985
+ "type": "agent",
2986
+ "provider": "oci",
2015
2987
  "harnesses": [
2016
2988
  "codex",
2017
2989
  "copilot",
@@ -2307,6 +3279,196 @@
2307
3279
  "author": "github: Raishin",
2308
3280
  "version": "0.2.0"
2309
3281
  },
3282
+ {
3283
+ "id": "oci-live-autonomous-db-lifecycle-guard-agent",
3284
+ "name": "OCI Live Autonomous DB Lifecycle Guard",
3285
+ "type": "agent",
3286
+ "provider": "oci",
3287
+ "harnesses": [
3288
+ "codex",
3289
+ "copilot",
3290
+ "claude-code",
3291
+ "cursor",
3292
+ "gemini",
3293
+ "kiro"
3294
+ ],
3295
+ "summary": "Guard Autonomous Database scale, start, stop, clone, and terminate operations with protection-tag check, wallet backup, and connection-string audit before any lifecycle mutation.",
3296
+ "source_type": "original",
3297
+ "official_docs": [
3298
+ "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbscaling.htm",
3299
+ "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbstopstart.htm",
3300
+ "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbcloning.htm",
3301
+ "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbbackingup.htm"
3302
+ ],
3303
+ "security_notes": "ADB termination is permanent — the database and all backups are deleted. Always verify protection tags before any terminate operation. ADB storage scale-up cannot be reversed. Termination blocked by defined-tag protection requires explicit tag removal approval.",
3304
+ "last_verified": "2026-04-30",
3305
+ "path": "agents/oci/oci-live-autonomous-db-lifecycle-guard-agent",
3306
+ "author": "github: Raishin",
3307
+ "version": "0.1.0"
3308
+ },
3309
+ {
3310
+ "id": "oci-live-cost-budget-runaway-guard-agent",
3311
+ "name": "OCI Live Cost Budget Runaway Guard",
3312
+ "type": "agent",
3313
+ "provider": "oci",
3314
+ "harnesses": [
3315
+ "codex",
3316
+ "copilot",
3317
+ "claude-code",
3318
+ "cursor",
3319
+ "gemini",
3320
+ "kiro"
3321
+ ],
3322
+ "summary": "Gate OCI budget rule mutations, cost-tracking tag changes, and GPU or HPC shape provisioning against compartment spend limits before any cost-impacting mutation.",
3323
+ "source_type": "original",
3324
+ "official_docs": [
3325
+ "https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
3326
+ "https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/managinginstances.htm",
3327
+ "https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm",
3328
+ "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm"
3329
+ ],
3330
+ "security_notes": "GPU/HPC shapes (BM.GPU4.8, A100, BM.HPC2.36) can generate six-figure monthly costs when left running. Never approve quota increases or budget threshold raises without explicit financial-authority approval. Emergency stop requires Compute operator rights — escalate if not held.",
3331
+ "last_verified": "2026-04-30",
3332
+ "path": "agents/oci/oci-live-cost-budget-runaway-guard-agent",
3333
+ "author": "github: Raishin",
3334
+ "version": "0.1.0"
3335
+ },
3336
+ {
3337
+ "id": "oci-live-iam-policy-compartment-guard-agent",
3338
+ "name": "OCI Live IAM Policy Compartment Guard",
3339
+ "type": "agent",
3340
+ "provider": "oci",
3341
+ "harnesses": [
3342
+ "codex",
3343
+ "copilot",
3344
+ "claude-code",
3345
+ "cursor",
3346
+ "gemini",
3347
+ "kiro"
3348
+ ],
3349
+ "summary": "Guard OCI IAM policy changes and dynamic group mutations using verb-hierarchy audit and tag-condition review before write.",
3350
+ "source_type": "original",
3351
+ "official_docs": [
3352
+ "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm",
3353
+ "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm",
3354
+ "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policysyntax.htm",
3355
+ "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/iampolicyreference.htm"
3356
+ ],
3357
+ "security_notes": "Any-user and any-group policies in tenancy root are the most common OCI security misconfiguration. Never approve manage-verb policies at tenancy scope without compartment scoping. Policy deletes take effect immediately with no grace period.",
3358
+ "last_verified": "2026-04-30",
3359
+ "path": "agents/oci/oci-live-iam-policy-compartment-guard-agent",
3360
+ "author": "github: Raishin",
3361
+ "version": "0.1.0"
3362
+ },
3363
+ {
3364
+ "id": "oci-live-network-security-rule-guard-agent",
3365
+ "name": "OCI Live Network Security Rule Guard",
3366
+ "type": "agent",
3367
+ "provider": "oci",
3368
+ "harnesses": [
3369
+ "codex",
3370
+ "copilot",
3371
+ "claude-code",
3372
+ "cursor",
3373
+ "gemini",
3374
+ "kiro"
3375
+ ],
3376
+ "summary": "Guard live OCI Security List and NSG rule changes with current-state capture, open-internet and sensitive-port detection, stateful/stateless assessment, and explicit approval before ingress or egress mutation.",
3377
+ "source_type": "original",
3378
+ "official_docs": [
3379
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm",
3380
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm",
3381
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/manage-nsg-security-rules.htm",
3382
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/update-securitylist.htm",
3383
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/path_analyzer.htm"
3384
+ ],
3385
+ "security_notes": "oci network security-list update is a full replace — always capture current rules before writing. Never approve 0.0.0.0/0 ingress on database subnets. Enable VCN Flow Logs before any rule change.",
3386
+ "last_verified": "2026-05-01",
3387
+ "path": "agents/oci/oci-live-network-security-rule-guard-agent",
3388
+ "author": "github: Raishin",
3389
+ "version": "0.1.0"
3390
+ },
3391
+ {
3392
+ "id": "oci-live-oke-rollout-guard-agent",
3393
+ "name": "OCI Live OKE Rollout Guard",
3394
+ "type": "agent",
3395
+ "provider": "oci",
3396
+ "harnesses": [
3397
+ "codex",
3398
+ "copilot",
3399
+ "claude-code",
3400
+ "cursor",
3401
+ "gemini",
3402
+ "kiro"
3403
+ ],
3404
+ "summary": "Guard OKE deployment rollouts through DevOps Service pipeline approval stages with blue-green and canary evidence, and kubectl rollout pause or undo gate.",
3405
+ "source_type": "original",
3406
+ "official_docs": [
3407
+ "https://docs.oracle.com/en-us/iaas/Content/devops/using/deploy_oke.htm",
3408
+ "https://docs.oracle.com/en-us/iaas/Content/devops/using/bgoke_deploy.htm",
3409
+ "https://docs.oracle.com/en-us/iaas/Content/devops/using/canaryoke_deploy.htm",
3410
+ "https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengoverview.htm"
3411
+ ],
3412
+ "security_notes": "Never advance an OKE rollout past an approval stage without rollout status and PDB health evidence. kubectl rollout undo is irreversible in the sense that the prior version may not be identical to the deployed artifact — confirm target revision before undo.",
3413
+ "last_verified": "2026-04-30",
3414
+ "path": "agents/oci/oci-live-oke-rollout-guard-agent",
3415
+ "author": "github: Raishin",
3416
+ "version": "0.1.0"
3417
+ },
3418
+ {
3419
+ "id": "oci-live-resource-manager-stack-guard-agent",
3420
+ "name": "OCI Live Resource Manager Stack Guard",
3421
+ "type": "agent",
3422
+ "provider": "oci",
3423
+ "harnesses": [
3424
+ "codex",
3425
+ "copilot",
3426
+ "claude-code",
3427
+ "cursor",
3428
+ "gemini",
3429
+ "kiro"
3430
+ ],
3431
+ "summary": "Guard OCI Resource Manager plan, apply, and destroy jobs with drift detection evidence, state-version audit, and stack-lock awareness before any mutation.",
3432
+ "source_type": "original",
3433
+ "official_docs": [
3434
+ "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm",
3435
+ "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/detect-drift.htm",
3436
+ "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/create-job-lock-file.htm",
3437
+ "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/home.htm"
3438
+ ],
3439
+ "security_notes": "OCI Resource Manager auto-locks a stack state during job execution. Never approve an apply or destroy job without a plan-job output review and drift detection evidence. Repo write access does not authorize live OCI infrastructure mutations.",
3440
+ "last_verified": "2026-04-30",
3441
+ "path": "agents/oci/oci-live-resource-manager-stack-guard-agent",
3442
+ "author": "github: Raishin",
3443
+ "version": "0.1.0"
3444
+ },
3445
+ {
3446
+ "id": "oci-live-vault-key-destruction-guard-agent",
3447
+ "name": "OCI Live Vault Key Destruction Guard",
3448
+ "type": "agent",
3449
+ "provider": "oci",
3450
+ "harnesses": [
3451
+ "codex",
3452
+ "copilot",
3453
+ "claude-code",
3454
+ "cursor",
3455
+ "gemini",
3456
+ "kiro"
3457
+ ],
3458
+ "summary": "Guard OCI Vault master encryption key scheduled-deletion and HSM key rotation, refusing deletion without reviewing data associations and confirming the destruction window.",
3459
+ "source_type": "original",
3460
+ "official_docs": [
3461
+ "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/deletingkeys.htm",
3462
+ "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/rotatingkeys.htm",
3463
+ "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm",
3464
+ "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys.htm"
3465
+ ],
3466
+ "security_notes": "After the scheduled deletion window expires, HSM-backed keys are cryptographically wiped. All data encrypted exclusively by that key version is permanently unrecoverable. Recovery SLA from OCI Support: NONE. Always use a 30-day window and audit data associations before scheduling.",
3467
+ "last_verified": "2026-04-30",
3468
+ "path": "agents/oci/oci-live-vault-key-destruction-guard-agent",
3469
+ "author": "github: Raishin",
3470
+ "version": "0.1.0"
3471
+ },
2310
3472
  {
2311
3473
  "id": "oci-load-balancer-traffic-engineer-agent",
2312
3474
  "name": "OCI Load Balancer Traffic Engineer",
@@ -2332,6 +3494,43 @@
2332
3494
  "author": "github: Raishin",
2333
3495
  "version": "0.2.0"
2334
3496
  },
3497
+ {
3498
+ "id": "oci-maestro-agent",
3499
+ "name": "OCI Maestro",
3500
+ "type": "agent",
3501
+ "provider": "oci",
3502
+ "harnesses": [
3503
+ "codex",
3504
+ "copilot",
3505
+ "claude-code",
3506
+ "cursor",
3507
+ "gemini",
3508
+ "kiro"
3509
+ ],
3510
+ "summary": "Per-cloud router agent for OCI. Classifies the user's task, selects the narrowest OCI specialist agent or the right team of specialists from the catalog, and dispatches them — single specialist for focused tasks, parallel team (max 4) for multi-domain tasks. Never auto-dispatches live-guard agents.",
3511
+ "source_type": "adapted",
3512
+ "official_docs": [
3513
+ "https://docs.oracle.com/en-us/iaas/Content/home.htm",
3514
+ "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm",
3515
+ "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm",
3516
+ "https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/security_guide.htm",
3517
+ "https://docs.oracle.com/en-us/iaas/Content/GSG/Concepts/baremetalintro.htm"
3518
+ ],
3519
+ "security_notes": "Live-guard gate is non-negotiable. The 6 live-guard agents (oci-live-autonomous-db-lifecycle-guard-agent, oci-live-cost-budget-runaway-guard-agent, oci-live-iam-policy-compartment-guard-agent, oci-live-oke-rollout-guard-agent, oci-live-resource-manager-stack-guard-agent, oci-live-vault-key-destruction-guard-agent) must never be auto-dispatched. OCI IAM policy deletion at the tenancy root has tenancy-wide blast radius and cannot be undone by the agent. Vault key destruction is irreversible — all data encrypted with the destroyed key becomes permanently unrecoverable. Both require explicit human confirmation, blast-radius assessment, and a documented rollback path before dispatch.",
3520
+ "last_verified": "2026-04-30",
3521
+ "path": "agents/oci/oci-maestro-agent",
3522
+ "harness_variants": {
3523
+ "codex": "agents/oci/oci-maestro-agent/harnesses/codex.toml",
3524
+ "copilot": "agents/oci/oci-maestro-agent/harnesses/copilot.agent.md",
3525
+ "claude-code": "agents/oci/oci-maestro-agent/harnesses/claude-code.agent.md",
3526
+ "cursor": "agents/oci/oci-maestro-agent/harnesses/cursor.agent.md",
3527
+ "gemini": "agents/oci/oci-maestro-agent/harnesses/gemini.agent.md",
3528
+ "kiro-ide": "agents/oci/oci-maestro-agent/harnesses/kiro-ide.agent.md",
3529
+ "kiro-cli": "agents/oci/oci-maestro-agent/harnesses/kiro-cli.agent.json"
3530
+ },
3531
+ "author": "github: Raishin",
3532
+ "version": "0.1.0"
3533
+ },
2335
3534
  {
2336
3535
  "id": "oci-migration-cutover-architect-agent",
2337
3536
  "name": "OCI Migration Cutover Architect",
@@ -2632,6 +3831,127 @@
2632
3831
  "author": "github: Raishin",
2633
3832
  "version": "0.2.0"
2634
3833
  },
3834
+ {
3835
+ "id": "opentelemetry-collector-config-review-agent",
3836
+ "name": "OpenTelemetry Collector Config Review",
3837
+ "type": "agent",
3838
+ "provider": "opentelemetry",
3839
+ "summary": "Review OpenTelemetry Collector pipeline configuration — receiver/processor/exporter ordering, memory_limiter placement, batch processor tuning, exporter backend validation, Operator CRDs, and pipeline health metrics.",
3840
+ "path": "agents/opentelemetry/opentelemetry-collector-config-review-agent",
3841
+ "harnesses": [
3842
+ "codex",
3843
+ "copilot",
3844
+ "claude-code",
3845
+ "cursor",
3846
+ "gemini",
3847
+ "kiro"
3848
+ ],
3849
+ "last_verified": "2026-05-01",
3850
+ "official_docs": [
3851
+ "https://opentelemetry.io/docs/collector/",
3852
+ "https://opentelemetry.io/docs/collector/configuration/",
3853
+ "https://opentelemetry.io/docs/collector/deployment/",
3854
+ "https://opentelemetry.io/docs/kubernetes/operator/",
3855
+ "https://opentelemetry.io/docs/collector/internal-telemetry/"
3856
+ ],
3857
+ "security_notes": "Pipeline with a receiver and processor but no exporter silently drops all telemetry. memory_limiter must be the first processor — placing it after batch processor means the collector OOMs under burst load.",
3858
+ "source_type": "original",
3859
+ "version": "0.1.0"
3860
+ },
3861
+ {
3862
+ "id": "prometheus-alerting-cardinality-review-agent",
3863
+ "name": "Prometheus Alerting and Cardinality Review Agent",
3864
+ "type": "agent",
3865
+ "provider": "prometheus",
3866
+ "harnesses": [
3867
+ "codex",
3868
+ "copilot",
3869
+ "claude-code",
3870
+ "cursor",
3871
+ "gemini",
3872
+ "kiro"
3873
+ ],
3874
+ "summary": "Review Prometheus and AlertManager configuration for cardinality risks, alert correctness, scrape security, routing safety, and retention adequacy.",
3875
+ "source_type": "original",
3876
+ "official_docs": [
3877
+ "https://prometheus.io/docs/prometheus/latest/querying/basics/",
3878
+ "https://prometheus.io/docs/practices/naming/",
3879
+ "https://prometheus.io/docs/practices/alerting/",
3880
+ "https://prometheus.io/docs/alerting/latest/alertmanager/",
3881
+ "https://prometheus.io/docs/prometheus/latest/storage/",
3882
+ "https://prometheus.io/docs/practices/remote_write/"
3883
+ ],
3884
+ "security_notes": "honor_labels: true on untrusted scrape targets allows the scraped workload to override job/instance labels, enabling metric spoofing. Scrape configs pointing to external HTTP endpoints are SSRF candidates.",
3885
+ "last_verified": "2026-05-02",
3886
+ "path": "agents/prometheus/prometheus-alerting-cardinality-review-agent",
3887
+ "version": "0.1.0"
3888
+ },
3889
+ {
3890
+ "id": "sigstore-cosign-supply-chain-review-agent",
3891
+ "name": "Sigstore Cosign Supply Chain Review",
3892
+ "type": "agent",
3893
+ "provider": "sigstore",
3894
+ "harnesses": [
3895
+ "codex",
3896
+ "copilot",
3897
+ "claude-code",
3898
+ "cursor",
3899
+ "gemini",
3900
+ "kiro"
3901
+ ],
3902
+ "summary": "Review Cosign image signing, Kyverno imageVerify policy identity constraints, SBOM and SLSA provenance attestations, Rekor transparency log posture, and keyless vs key-based signing configuration for Kubernetes workload supply chain integrity.",
3903
+ "source_type": "original",
3904
+ "official_docs": [
3905
+ "https://docs.sigstore.dev/cosign/overview/",
3906
+ "https://docs.sigstore.dev/policy-controller/overview/",
3907
+ "https://slsa.dev/spec/v1.0/requirements",
3908
+ "https://kyverno.io/docs/writing-policies/verify-images/",
3909
+ "https://docs.github.com/en/actions/security-guides/using-artifact-attestations",
3910
+ "https://rekor.sigstore.dev/"
3911
+ ],
3912
+ "security_notes": "Kyverno imageVerify policy without subject/issuer constraints accepts any Sigstore-signed image regardless of signer identity. Long-lived Cosign keys in CI secrets allow retroactive signing of malicious images if the secret is compromised.",
3913
+ "last_verified": "2026-05-02",
3914
+ "path": "agents/sigstore/sigstore-cosign-supply-chain-review-agent",
3915
+ "version": "0.1.0"
3916
+ },
3917
+ {
3918
+ "id": "terraform-maestro-agent",
3919
+ "name": "Terraform Maestro",
3920
+ "type": "agent",
3921
+ "provider": "terraform",
3922
+ "harnesses": [
3923
+ "codex",
3924
+ "copilot",
3925
+ "claude-code",
3926
+ "cursor",
3927
+ "gemini",
3928
+ "kiro"
3929
+ ],
3930
+ "summary": "Agent for terraform-maestro. Classify the user's IaC task, select the right Terraform/IaC specialist or team from the cross-cloud catalog, and dispatch in parallel when the task spans multiple domains. Never auto-dispatch live-guard agents.",
3931
+ "source_type": "adapted",
3932
+ "official_docs": [
3933
+ "https://developer.hashicorp.com/terraform/docs",
3934
+ "https://developer.hashicorp.com/terraform/language",
3935
+ "https://developer.hashicorp.com/terraform/cli/commands/plan",
3936
+ "https://registry.terraform.io/providers/hashicorp/aws/latest/docs",
3937
+ "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs",
3938
+ "https://registry.terraform.io/providers/oracle/oci/latest/docs"
3939
+ ],
3940
+ "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch aws-live-iac-change-guard-agent, azure-live-arm-deployment-stack-guard-agent, or oci-live-resource-manager-stack-guard-agent without explicit human confirmation, blast-radius assessment, and rollback path. Terraform destroy is irreversible without state backup.",
3941
+ "last_verified": "2026-04-30",
3942
+ "path": "agents/terraform/terraform-maestro-agent",
3943
+ "harness_variants": {
3944
+ "codex": "agents/terraform/terraform-maestro-agent/harnesses/codex.toml",
3945
+ "copilot": "agents/terraform/terraform-maestro-agent/harnesses/copilot.agent.md",
3946
+ "claude-code": "agents/terraform/terraform-maestro-agent/harnesses/claude-code.agent.md",
3947
+ "cursor": "agents/terraform/terraform-maestro-agent/harnesses/cursor.agent.md",
3948
+ "gemini": "agents/terraform/terraform-maestro-agent/harnesses/gemini.agent.md",
3949
+ "kiro-ide": "agents/terraform/terraform-maestro-agent/harnesses/kiro-ide.agent.md",
3950
+ "kiro-cli": "agents/terraform/terraform-maestro-agent/harnesses/kiro-cli.agent.json"
3951
+ },
3952
+ "author": "github: Raishin",
3953
+ "version": "0.1.0"
3954
+ },
2635
3955
  {
2636
3956
  "id": "terraform-reviewer",
2637
3957
  "name": "Terraform Reviewer",