@raishin/vanguard-frontier-agentic 1.1.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (715)
  1. package/README.md +369 -322
  2. package/agents/AGENTS.md +263 -21
  3. package/agents/argocd/README.md +46 -0
  4. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
  5. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
  6. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
  7. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
  8. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
  9. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
  10. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
  11. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
  12. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
  13. package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
  14. package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
  15. package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
  16. package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
  17. package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
  18. package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
  19. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
  20. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
  21. package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
  22. package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
  23. package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
  24. package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
  25. package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
  26. package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
  27. package/agents/aws/aws-maestro-agent/AGENT.md +55 -0
  28. package/agents/aws/aws-maestro-agent/harnesses/claude-code.agent.md +38 -0
  29. package/agents/aws/aws-maestro-agent/harnesses/codex.toml +34 -0
  30. package/agents/aws/aws-maestro-agent/harnesses/copilot.agent.md +51 -0
  31. package/agents/aws/aws-maestro-agent/harnesses/cursor.agent.md +40 -0
  32. package/agents/aws/aws-maestro-agent/harnesses/gemini.agent.md +39 -0
  33. package/agents/aws/aws-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  34. package/agents/aws/aws-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  35. package/agents/aws/aws-maestro-agent/metadata.json +37 -0
  36. package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
  37. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  38. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
  39. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  40. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  41. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  42. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  43. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  44. package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
  45. package/agents/azure/AGENTS.md +26 -0
  46. package/agents/azure/README.md +45 -0
  47. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
  48. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  49. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
  50. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  51. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  52. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  53. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  54. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  55. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
  56. package/agents/azure/azure-live-aks-rollout-guard-agent/AGENT.md +57 -0
  57. package/agents/azure/azure-live-aks-rollout-guard-agent/PERMISSIONS.md +56 -0
  58. package/agents/azure/azure-live-aks-rollout-guard-agent/PREFLIGHT.md +48 -0
  59. package/agents/azure/azure-live-aks-rollout-guard-agent/ROLLBACK.md +36 -0
  60. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/claude-code.agent.md +40 -0
  61. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/codex.toml +32 -0
  62. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/copilot.agent.md +53 -0
  63. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/cursor.agent.md +40 -0
  64. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/gemini.agent.md +40 -0
  65. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  66. package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  67. package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +36 -0
  68. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/AGENT.md +57 -0
  69. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/PERMISSIONS.md +43 -0
  70. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/PREFLIGHT.md +50 -0
  71. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/ROLLBACK.md +46 -0
  72. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/claude-code.agent.md +40 -0
  73. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/codex.toml +32 -0
  74. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/copilot.agent.md +53 -0
  75. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/cursor.agent.md +40 -0
  76. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/gemini.agent.md +40 -0
  77. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  78. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  79. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +35 -0
  80. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/AGENT.md +57 -0
  81. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/PERMISSIONS.md +88 -0
  82. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/PREFLIGHT.md +48 -0
  83. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/ROLLBACK.md +48 -0
  84. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/claude-code.agent.md +40 -0
  85. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/codex.toml +32 -0
  86. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/copilot.agent.md +53 -0
  87. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/cursor.agent.md +40 -0
  88. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/gemini.agent.md +40 -0
  89. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  90. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  91. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +36 -0
  92. package/agents/azure/azure-live-cost-budget-action-guard-agent/AGENT.md +57 -0
  93. package/agents/azure/azure-live-cost-budget-action-guard-agent/PERMISSIONS.md +93 -0
  94. package/agents/azure/azure-live-cost-budget-action-guard-agent/PREFLIGHT.md +44 -0
  95. package/agents/azure/azure-live-cost-budget-action-guard-agent/ROLLBACK.md +49 -0
  96. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/claude-code.agent.md +40 -0
  97. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/codex.toml +32 -0
  98. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/copilot.agent.md +53 -0
  99. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/cursor.agent.md +40 -0
  100. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/gemini.agent.md +40 -0
  101. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  102. package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  103. package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +36 -0
  104. package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
  105. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
  106. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
  107. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
  108. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
  109. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
  110. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  111. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  112. package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
  113. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/AGENT.md +57 -0
  114. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/PERMISSIONS.md +68 -0
  115. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/PREFLIGHT.md +46 -0
  116. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/ROLLBACK.md +44 -0
  117. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/claude-code.agent.md +40 -0
  118. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/codex.toml +32 -0
  119. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/copilot.agent.md +53 -0
  120. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/cursor.agent.md +40 -0
  121. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/gemini.agent.md +40 -0
  122. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  123. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  124. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +36 -0
  125. package/agents/azure/azure-live-pim-jit-activation-guard-agent/AGENT.md +57 -0
  126. package/agents/azure/azure-live-pim-jit-activation-guard-agent/PERMISSIONS.md +59 -0
  127. package/agents/azure/azure-live-pim-jit-activation-guard-agent/PREFLIGHT.md +41 -0
  128. package/agents/azure/azure-live-pim-jit-activation-guard-agent/ROLLBACK.md +48 -0
  129. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/claude-code.agent.md +40 -0
  130. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/codex.toml +32 -0
  131. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/copilot.agent.md +53 -0
  132. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/cursor.agent.md +40 -0
  133. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/gemini.agent.md +40 -0
  134. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  135. package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  136. package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +36 -0
  137. package/agents/azure/azure-maestro-agent/AGENT.md +56 -0
  138. package/agents/azure/azure-maestro-agent/harnesses/claude-code.agent.md +39 -0
  139. package/agents/azure/azure-maestro-agent/harnesses/codex.toml +14 -0
  140. package/agents/azure/azure-maestro-agent/harnesses/copilot.agent.md +52 -0
  141. package/agents/azure/azure-maestro-agent/harnesses/cursor.agent.md +41 -0
  142. package/agents/azure/azure-maestro-agent/harnesses/gemini.agent.md +40 -0
  143. package/agents/azure/azure-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  144. package/agents/azure/azure-maestro-agent/harnesses/kiro-ide.agent.md +39 -0
  145. package/agents/azure/azure-maestro-agent/metadata.json +38 -0
  146. package/agents/backstage/README.md +36 -0
  147. package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
  148. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
  149. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
  150. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
  151. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
  152. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
  153. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
  154. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
  155. package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
  156. package/agents/cert-manager/README.md +46 -0
  157. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
  158. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
  159. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
  160. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
  161. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
  162. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
  163. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
  164. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
  165. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
  166. package/agents/cilium/README.md +46 -0
  167. package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
  168. package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  169. package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
  170. package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
  171. package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
  172. package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
  173. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  174. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  175. package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
  176. package/agents/falco/README.md +36 -0
  177. package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
  178. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
  179. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
  180. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
  181. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
  182. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
  183. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
  185. package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
  186. package/agents/finops/AGENTS.md +36 -0
  187. package/agents/finops/README.md +27 -0
  188. package/agents/finops/finops-cloud-price-advisor-agent/AGENT.md +58 -0
  189. package/agents/finops/finops-cloud-price-advisor-agent/PERMISSIONS.md +112 -0
  190. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/claude-code.agent.md +40 -0
  191. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/codex.toml +33 -0
  192. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/copilot.agent.md +53 -0
  193. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/cursor.agent.md +40 -0
  194. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/gemini.agent.md +40 -0
  195. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/kiro-cli.agent.json +1 -0
  196. package/agents/finops/finops-cloud-price-advisor-agent/harnesses/kiro-ide.agent.md +40 -0
  197. package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +38 -0
  198. package/agents/fluxcd/README.md +39 -0
  199. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
  200. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
  201. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
  202. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
  203. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
  204. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
  205. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
  206. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
  207. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
  208. package/agents/istio/README.md +46 -0
  209. package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
  210. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
  211. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
  212. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
  213. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
  214. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
  215. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
  216. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
  217. package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
  218. package/agents/kubernetes/README.md +143 -0
  219. package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
  220. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
  221. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
  222. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
  223. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
  224. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
  225. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
  226. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
  227. package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
  228. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
  229. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
  230. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
  231. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
  232. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
  233. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
  234. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
  235. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
  236. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
  237. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
  238. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  239. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
  240. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  241. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  242. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  243. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  244. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  245. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +36 -0
  246. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
  247. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
  248. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
  249. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
  250. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
  251. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
  252. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  253. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  254. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +36 -0
  255. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
  256. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  257. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
  258. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  259. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  260. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  261. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  262. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  263. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +36 -0
  264. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
  265. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  266. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
  267. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  268. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  269. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  270. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  271. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  272. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +36 -0
  273. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
  274. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
  275. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
  276. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
  277. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
  278. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
  279. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  280. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  281. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
  282. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
  283. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
  284. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
  285. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
  286. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
  287. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
  288. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  289. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
  290. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +37 -0
  291. package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
  292. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
  293. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
  294. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
  295. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
  296. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
  297. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  298. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  299. package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
  300. package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
  301. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
  302. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
  303. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
  304. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
  305. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
  306. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
  307. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
  308. package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
  309. package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
  310. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
  311. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
  312. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
  313. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
  314. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
  315. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
  316. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
  317. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +37 -0
  318. package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
  319. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
  320. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
  321. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
  322. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
  323. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
  324. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
  325. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
  326. package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
  327. package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
  328. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
  329. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
  330. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
  331. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
  332. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
  333. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
  334. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
  335. package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
  336. package/agents/kyverno/README.md +46 -0
  337. package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
  338. package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  339. package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
  340. package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
  341. package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
  342. package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
  343. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  344. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  345. package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
  346. package/agents/oci/AGENTS.md +28 -0
  347. package/agents/oci/README.md +45 -0
  348. package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
  349. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  350. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
  351. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  352. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  353. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  354. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  355. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  356. package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
  357. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/AGENT.md +57 -0
  358. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/PERMISSIONS.md +56 -0
  359. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/PREFLIGHT.md +48 -0
  360. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/ROLLBACK.md +50 -0
  361. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/claude-code.agent.md +40 -0
  362. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/codex.toml +32 -0
  363. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/copilot.agent.md +53 -0
  364. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/cursor.agent.md +40 -0
  365. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/gemini.agent.md +40 -0
  366. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  367. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  368. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +36 -0
  369. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/AGENT.md +57 -0
  370. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/PERMISSIONS.md +77 -0
  371. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/PREFLIGHT.md +54 -0
  372. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/ROLLBACK.md +53 -0
  373. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/claude-code.agent.md +40 -0
  374. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/codex.toml +32 -0
  375. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/copilot.agent.md +53 -0
  376. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/cursor.agent.md +40 -0
  377. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/gemini.agent.md +40 -0
  378. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  379. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  380. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +36 -0
  381. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/AGENT.md +57 -0
  382. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/PERMISSIONS.md +87 -0
  383. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/PREFLIGHT.md +49 -0
  384. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/ROLLBACK.md +44 -0
  385. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/claude-code.agent.md +40 -0
  386. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/codex.toml +32 -0
  387. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/copilot.agent.md +53 -0
  388. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/cursor.agent.md +40 -0
  389. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/gemini.agent.md +40 -0
  390. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  391. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  392. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +36 -0
  393. package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
  394. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
  395. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
  396. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
  397. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
  398. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
  399. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  400. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  401. package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
  402. package/agents/oci/oci-live-oke-rollout-guard-agent/AGENT.md +57 -0
  403. package/agents/oci/oci-live-oke-rollout-guard-agent/PERMISSIONS.md +92 -0
  404. package/agents/oci/oci-live-oke-rollout-guard-agent/PREFLIGHT.md +49 -0
  405. package/agents/oci/oci-live-oke-rollout-guard-agent/ROLLBACK.md +47 -0
  406. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/claude-code.agent.md +40 -0
  407. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/codex.toml +32 -0
  408. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/copilot.agent.md +53 -0
  409. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/cursor.agent.md +40 -0
  410. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/gemini.agent.md +40 -0
  411. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  412. package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  413. package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +36 -0
  414. package/agents/oci/oci-live-resource-manager-stack-guard-agent/AGENT.md +57 -0
  415. package/agents/oci/oci-live-resource-manager-stack-guard-agent/PERMISSIONS.md +80 -0
  416. package/agents/oci/oci-live-resource-manager-stack-guard-agent/PREFLIGHT.md +51 -0
  417. package/agents/oci/oci-live-resource-manager-stack-guard-agent/ROLLBACK.md +45 -0
  418. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/claude-code.agent.md +40 -0
  419. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/codex.toml +32 -0
  420. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/copilot.agent.md +53 -0
  421. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/cursor.agent.md +40 -0
  422. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/gemini.agent.md +40 -0
  423. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  424. package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  425. package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +36 -0
  426. package/agents/oci/oci-live-vault-key-destruction-guard-agent/AGENT.md +57 -0
  427. package/agents/oci/oci-live-vault-key-destruction-guard-agent/PERMISSIONS.md +57 -0
  428. package/agents/oci/oci-live-vault-key-destruction-guard-agent/PREFLIGHT.md +53 -0
  429. package/agents/oci/oci-live-vault-key-destruction-guard-agent/ROLLBACK.md +49 -0
  430. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/claude-code.agent.md +40 -0
  431. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/codex.toml +32 -0
  432. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/copilot.agent.md +53 -0
  433. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/cursor.agent.md +40 -0
  434. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/gemini.agent.md +40 -0
  435. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/kiro-cli.agent.json +1 -0
  436. package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/kiro-ide.agent.md +40 -0
  437. package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +36 -0
  438. package/agents/oci/oci-maestro-agent/AGENT.md +58 -0
  439. package/agents/oci/oci-maestro-agent/harnesses/claude-code.agent.md +41 -0
  440. package/agents/oci/oci-maestro-agent/harnesses/codex.toml +14 -0
  441. package/agents/oci/oci-maestro-agent/harnesses/copilot.agent.md +54 -0
  442. package/agents/oci/oci-maestro-agent/harnesses/cursor.agent.md +43 -0
  443. package/agents/oci/oci-maestro-agent/harnesses/gemini.agent.md +42 -0
  444. package/agents/oci/oci-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  445. package/agents/oci/oci-maestro-agent/harnesses/kiro-ide.agent.md +41 -0
  446. package/agents/oci/oci-maestro-agent/metadata.json +37 -0
  447. package/agents/opentelemetry/README.md +37 -0
  448. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
  449. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
  450. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
  451. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
  452. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
  453. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
  454. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
  455. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
  456. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
  457. package/agents/prometheus/README.md +36 -0
  458. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
  459. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
  460. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
  461. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
  462. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
  463. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
  464. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
  465. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
  466. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
  467. package/agents/sigstore/README.md +38 -0
  468. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
  469. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
  470. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
  471. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
  472. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
  473. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
  474. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
  475. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
  476. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
  477. package/agents/terraform/README.md +29 -0
  478. package/agents/terraform/terraform-maestro-agent/AGENT.md +58 -0
  479. package/agents/terraform/terraform-maestro-agent/harnesses/claude-code.agent.md +41 -0
  480. package/agents/terraform/terraform-maestro-agent/harnesses/codex.toml +14 -0
  481. package/agents/terraform/terraform-maestro-agent/harnesses/copilot.agent.md +54 -0
  482. package/agents/terraform/terraform-maestro-agent/harnesses/cursor.agent.md +43 -0
  483. package/agents/terraform/terraform-maestro-agent/harnesses/gemini.agent.md +42 -0
  484. package/agents/terraform/terraform-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  485. package/agents/terraform/terraform-maestro-agent/harnesses/kiro-ide.agent.md +41 -0
  486. package/agents/terraform/terraform-maestro-agent/metadata.json +38 -0
  487. package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
  488. package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
  489. package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
  490. package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
  491. package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
  492. package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
  493. package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
  494. package/agents/terraform/terraform-reviewer/metadata.json +10 -1
  495. package/agents/velero/README.md +41 -0
  496. package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
  497. package/catalog/agents.json +1347 -27
  498. package/catalog/install-roles.json +455 -0
  499. package/catalog/skill-manifest.json +1358 -62
  500. package/catalog/skills.json +1231 -25
  501. package/package.json +11 -1
  502. package/scripts/export-marketplace-agents.mjs +129 -10
  503. package/scripts/gen_azure_live_guards.py +1424 -0
  504. package/scripts/gen_oci_live_guards.py +1510 -0
  505. package/scripts/update-catalog-new-agents.py +88 -0
  506. package/skills/argocd/README.md +30 -0
  507. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +40 -0
  508. package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
  509. package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
  510. package/skills/argocd/argocd-gitops-review/SKILL.md +43 -0
  511. package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
  512. package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
  513. package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
  514. package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
  515. package/skills/aws/README.md +3 -1
  516. package/skills/aws/aws-maestro/SKILL.md +47 -0
  517. package/skills/aws/aws-maestro/metadata.json +28 -0
  518. package/skills/aws/aws-maestro/references/official-sources.md +24 -0
  519. package/skills/aws/aws-maestro/references/safety-checklist.md +42 -0
  520. package/skills/aws/aws-maestro/references/workflow-and-output.md +129 -0
  521. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +39 -0
  522. package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
  523. package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
  524. package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
  525. package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
  526. package/skills/azure/README.md +3 -1
  527. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +37 -0
  528. package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
  529. package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
  530. package/skills/azure/azure-live-aks-rollout-guard/SKILL.md +49 -0
  531. package/skills/azure/azure-live-aks-rollout-guard/metadata.json +27 -0
  532. package/skills/azure/azure-live-aks-rollout-guard/references/official-sources.md +19 -0
  533. package/skills/azure/azure-live-aks-rollout-guard/references/permission-model.md +54 -0
  534. package/skills/azure/azure-live-aks-rollout-guard/references/preflight-commands.md +55 -0
  535. package/skills/azure/azure-live-aks-rollout-guard/references/rollback-playbook.md +38 -0
  536. package/skills/azure/azure-live-app-service-slot-swap-guard/SKILL.md +49 -0
  537. package/skills/azure/azure-live-app-service-slot-swap-guard/metadata.json +26 -0
  538. package/skills/azure/azure-live-app-service-slot-swap-guard/references/official-sources.md +12 -0
  539. package/skills/azure/azure-live-app-service-slot-swap-guard/references/permission-model.md +40 -0
  540. package/skills/azure/azure-live-app-service-slot-swap-guard/references/preflight-commands.md +46 -0
  541. package/skills/azure/azure-live-app-service-slot-swap-guard/references/rollback-playbook.md +46 -0
  542. package/skills/azure/azure-live-arm-deployment-stack-guard/SKILL.md +49 -0
  543. package/skills/azure/azure-live-arm-deployment-stack-guard/metadata.json +27 -0
  544. package/skills/azure/azure-live-arm-deployment-stack-guard/references/official-sources.md +17 -0
  545. package/skills/azure/azure-live-arm-deployment-stack-guard/references/permission-model.md +68 -0
  546. package/skills/azure/azure-live-arm-deployment-stack-guard/references/preflight-commands.md +55 -0
  547. package/skills/azure/azure-live-arm-deployment-stack-guard/references/rollback-playbook.md +53 -0
  548. package/skills/azure/azure-live-cost-budget-action-guard/SKILL.md +49 -0
  549. package/skills/azure/azure-live-cost-budget-action-guard/metadata.json +27 -0
  550. package/skills/azure/azure-live-cost-budget-action-guard/references/official-sources.md +17 -0
  551. package/skills/azure/azure-live-cost-budget-action-guard/references/permission-model.md +66 -0
  552. package/skills/azure/azure-live-cost-budget-action-guard/references/preflight-commands.md +48 -0
  553. package/skills/azure/azure-live-cost-budget-action-guard/references/rollback-playbook.md +40 -0
  554. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +56 -0
  555. package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
  556. package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
  557. package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
  558. package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
  559. package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
  560. package/skills/azure/azure-live-keyvault-rotation-purge-guard/SKILL.md +49 -0
  561. package/skills/azure/azure-live-keyvault-rotation-purge-guard/metadata.json +27 -0
  562. package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/official-sources.md +13 -0
  563. package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/permission-model.md +64 -0
  564. package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/preflight-commands.md +48 -0
  565. package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/rollback-playbook.md +44 -0
  566. package/skills/azure/azure-live-pim-jit-activation-guard/SKILL.md +49 -0
  567. package/skills/azure/azure-live-pim-jit-activation-guard/metadata.json +27 -0
  568. package/skills/azure/azure-live-pim-jit-activation-guard/references/official-sources.md +13 -0
  569. package/skills/azure/azure-live-pim-jit-activation-guard/references/permission-model.md +56 -0
  570. package/skills/azure/azure-live-pim-jit-activation-guard/references/preflight-commands.md +46 -0
  571. package/skills/azure/azure-live-pim-jit-activation-guard/references/rollback-playbook.md +45 -0
  572. package/skills/azure/azure-maestro/SKILL.md +140 -0
  573. package/skills/azure/azure-maestro/metadata.json +28 -0
  574. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +39 -0
  575. package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
  576. package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
  577. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +40 -0
  578. package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
  579. package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
  580. package/skills/cilium/README.md +30 -0
  581. package/skills/cilium/cilium-network-policy-review/SKILL.md +43 -0
  582. package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
  583. package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
  584. package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
  585. package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
  586. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +37 -0
  587. package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
  588. package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
  589. package/skills/finops/README.md +30 -0
  590. package/skills/finops/finops-cloud-price-advisor/SKILL.md +60 -0
  591. package/skills/finops/finops-cloud-price-advisor/metadata.json +26 -0
  592. package/skills/finops/finops-cloud-price-advisor/references/currency-handling.md +100 -0
  593. package/skills/finops/finops-cloud-price-advisor/references/estimation-workflow.md +145 -0
  594. package/skills/finops/finops-cloud-price-advisor/references/official-sources.md +64 -0
  595. package/skills/finops/finops-cloud-price-advisor/references/pricing-apis.md +271 -0
  596. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +40 -0
  597. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
  598. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
  599. package/skills/istio/README.md +28 -0
  600. package/skills/istio/istio-ambient-mesh-review/SKILL.md +43 -0
  601. package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
  602. package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
  603. package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
  604. package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
  605. package/skills/kubernetes/README.md +30 -0
  606. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +37 -0
  607. package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
  608. package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
  609. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +40 -0
  610. package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
  611. package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
  612. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +57 -0
  613. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
  614. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
  615. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
  616. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
  617. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
  618. package/skills/kubernetes/kubernetes-maestro/SKILL.md +45 -0
  619. package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
  620. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
  621. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
  622. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +43 -0
  623. package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
  624. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
  625. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
  626. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
  627. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +38 -0
  628. package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
  629. package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
  630. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +38 -0
  631. package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
  632. package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
  633. package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
  634. package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
  635. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +43 -0
  636. package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
  637. package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
  638. package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
  639. package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
  640. package/skills/kyverno/README.md +30 -0
  641. package/skills/kyverno/kyverno-policy-review/SKILL.md +43 -0
  642. package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
  643. package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
  644. package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
  645. package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
  646. package/skills/oci/README.md +63 -0
  647. package/skills/oci/oci-certificates-issuer-review/SKILL.md +37 -0
  648. package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
  649. package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
  650. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/SKILL.md +49 -0
  651. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/metadata.json +27 -0
  652. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/official-sources.md +13 -0
  653. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/permission-model.md +49 -0
  654. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/preflight-commands.md +58 -0
  655. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/rollback-playbook.md +44 -0
  656. package/skills/oci/oci-live-cost-budget-runaway-guard/SKILL.md +49 -0
  657. package/skills/oci/oci-live-cost-budget-runaway-guard/metadata.json +27 -0
  658. package/skills/oci/oci-live-cost-budget-runaway-guard/references/official-sources.md +17 -0
  659. package/skills/oci/oci-live-cost-budget-runaway-guard/references/permission-model.md +59 -0
  660. package/skills/oci/oci-live-cost-budget-runaway-guard/references/preflight-commands.md +42 -0
  661. package/skills/oci/oci-live-cost-budget-runaway-guard/references/rollback-playbook.md +44 -0
  662. package/skills/oci/oci-live-iam-policy-compartment-guard/SKILL.md +49 -0
  663. package/skills/oci/oci-live-iam-policy-compartment-guard/metadata.json +27 -0
  664. package/skills/oci/oci-live-iam-policy-compartment-guard/references/official-sources.md +13 -0
  665. package/skills/oci/oci-live-iam-policy-compartment-guard/references/permission-model.md +71 -0
  666. package/skills/oci/oci-live-iam-policy-compartment-guard/references/preflight-commands.md +49 -0
  667. package/skills/oci/oci-live-iam-policy-compartment-guard/references/rollback-playbook.md +62 -0
  668. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +57 -0
  669. package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
  670. package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
  671. package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
  672. package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
  673. package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
  674. package/skills/oci/oci-live-oke-rollout-guard/SKILL.md +49 -0
  675. package/skills/oci/oci-live-oke-rollout-guard/metadata.json +27 -0
  676. package/skills/oci/oci-live-oke-rollout-guard/references/official-sources.md +18 -0
  677. package/skills/oci/oci-live-oke-rollout-guard/references/permission-model.md +80 -0
  678. package/skills/oci/oci-live-oke-rollout-guard/references/preflight-commands.md +55 -0
  679. package/skills/oci/oci-live-oke-rollout-guard/references/rollback-playbook.md +45 -0
  680. package/skills/oci/oci-live-resource-manager-stack-guard/SKILL.md +49 -0
  681. package/skills/oci/oci-live-resource-manager-stack-guard/metadata.json +27 -0
  682. package/skills/oci/oci-live-resource-manager-stack-guard/references/official-sources.md +12 -0
  683. package/skills/oci/oci-live-resource-manager-stack-guard/references/permission-model.md +70 -0
  684. package/skills/oci/oci-live-resource-manager-stack-guard/references/preflight-commands.md +57 -0
  685. package/skills/oci/oci-live-resource-manager-stack-guard/references/rollback-playbook.md +51 -0
  686. package/skills/oci/oci-live-vault-key-destruction-guard/SKILL.md +49 -0
  687. package/skills/oci/oci-live-vault-key-destruction-guard/metadata.json +27 -0
  688. package/skills/oci/oci-live-vault-key-destruction-guard/references/official-sources.md +13 -0
  689. package/skills/oci/oci-live-vault-key-destruction-guard/references/permission-model.md +55 -0
  690. package/skills/oci/oci-live-vault-key-destruction-guard/references/preflight-commands.md +62 -0
  691. package/skills/oci/oci-live-vault-key-destruction-guard/references/rollback-playbook.md +55 -0
  692. package/skills/oci/oci-maestro/SKILL.md +163 -0
  693. package/skills/oci/oci-maestro/metadata.json +27 -0
  694. package/skills/opentelemetry/README.md +31 -0
  695. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +44 -0
  696. package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
  697. package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
  698. package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
  699. package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
  700. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +38 -0
  701. package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
  702. package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
  703. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +39 -0
  704. package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
  705. package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
  706. package/skills/terraform/README.md +29 -0
  707. package/skills/terraform/terraform-maestro/SKILL.md +123 -0
  708. package/skills/terraform/terraform-maestro/metadata.json +30 -0
  709. package/skills/terraform/terraform-maestro/references/official-sources.md +59 -0
  710. package/skills/terraform/terraform-maestro/references/safety-checklist.md +53 -0
  711. package/skills/terraform/terraform-maestro/references/workflow-and-output.md +108 -0
  712. package/skills/velero/velero-backup-restore-guard/SKILL.md +41 -0
  713. package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
  714. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
  715. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
@@ -1,4 +1,63 @@
1
1
  [
2
+ {
3
+ "id": "argo-rollouts-progressive-delivery-review",
4
+ "name": "Argo Rollouts Progressive Delivery Review",
5
+ "type": "skill",
6
+ "provider": "argocd",
7
+ "harnesses": [
8
+ "codex",
9
+ "claude-code",
10
+ "cursor",
11
+ "gemini",
12
+ "kiro",
13
+ "other"
14
+ ],
15
+ "summary": "Review Argo Rollouts canary and blue-green strategy configuration, AnalysisTemplate success/failure conditions, traffic management provider alignment, canaryService isolation, PDB deadlock risk, and automated rollback posture for progressive delivery safety.",
16
+ "source_type": "original",
17
+ "official_docs": [
18
+ "https://argoproj.github.io/argo-rollouts/",
19
+ "https://argoproj.github.io/argo-rollouts/features/canary/",
20
+ "https://argoproj.github.io/argo-rollouts/features/analysis/",
21
+ "https://argoproj.github.io/argo-rollouts/features/traffic-management/",
22
+ "https://argoproj.github.io/argo-rollouts/features/bluegreen/",
23
+ "https://argoproj.github.io/argo-rollouts/generated/kubectl-argo-rollouts/kubectl-argo-rollouts_promote/"
24
+ ],
25
+ "security_notes": "AnalysisTemplates with always-true success conditions defeat automated rollback entirely. A canary that never fails analysis will silently promote a broken release to 100% production traffic.",
26
+ "last_verified": "2026-05-02",
27
+ "path": "skills/argocd/argo-rollouts-progressive-delivery-review",
28
+ "version": "0.1.0",
29
+ "author": "github: Raishin"
30
+ },
31
+ {
32
+ "id": "argocd-gitops-review",
33
+ "name": "Argo CD GitOps Review",
34
+ "type": "skill",
35
+ "provider": "argocd",
36
+ "harnesses": [
37
+ "codex",
38
+ "claude-code",
39
+ "cursor",
40
+ "gemini",
41
+ "kiro",
42
+ "other"
43
+ ],
44
+ "summary": "Review Argo CD Application, AppProject, ApplicationSet, sync windows, RBAC, sync impersonation, and Argo CD Agent multi-cluster topologies for blast radius, drift handling, and least-privilege sync identity.",
45
+ "source_type": "original",
46
+ "official_docs": [
47
+ "https://argo-cd.readthedocs.io/en/stable/",
48
+ "https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/",
49
+ "https://argo-cd.readthedocs.io/en/stable/user-guide/auto_sync/",
50
+ "https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/",
51
+ "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/",
52
+ "https://argo-cd.readthedocs.io/en/stable/proposals/decouple-application-sync-user-using-impersonation/",
53
+ "https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-cm-yaml/"
54
+ ],
55
+ "security_notes": "Sync impersonation is disabled by default — controller runs as cluster-admin on every destination. AppProject sourceRepos and destinations wildcards remove blast-radius bounds. Automated prune+selfHeal on Git divergence is irreversible. ApplicationSet unbounded cluster generators auto-onboard misconfigured clusters.",
56
+ "last_verified": "2026-05-01",
57
+ "path": "skills/argocd/argocd-gitops-review",
58
+ "author": "github: Raishin",
59
+ "version": "0.1.0"
60
+ },
2
61
  {
3
62
  "id": "aws-agentcore",
4
63
  "name": "AWS AgentCore",
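Review bot: The argocd-gitops-review `security_notes` states as fact that the controller "runs as cluster-admin on every destination"; that is the default produced by `argocd cluster add` and the in-cluster install manifests, not a property of Argo CD itself, so the review should check the credentials in each destination cluster Secret rather than assume it. Suggest rewording to `By default the controller syncs with the credentials registered in the destination cluster Secret (cluster-admin when added with argocd cluster add); sync impersonation (application.sync.impersonation.enabled) is off unless enabled`. The "irreversible" prune claim would be more actionable if it named the guards a reviewer should look for — `Prune=false` (and `Prune=confirm` on recent releases) sync options and the per-resource `argocd.argoproj.io/sync-options: Delete=false` annotation — since selfHeal on its own only re-applies Git state. Minor: this entry orders `author` before `version` while the argo-rollouts entry above it does the reverse; a consistent key order keeps future catalog diffs reviewable.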
@@ -798,6 +857,34 @@
798
857
  "author": "github: Raishin",
799
858
  "version": "0.1.0"
800
859
  },
860
+ {
861
+ "id": "aws-maestro",
862
+ "name": "AWS Maestro",
863
+ "type": "skill",
864
+ "provider": "aws",
865
+ "harnesses": [
866
+ "codex",
867
+ "claude-code",
868
+ "cursor",
869
+ "gemini",
870
+ "kiro",
871
+ "other"
872
+ ],
873
+ "summary": "Route AWS tasks to the narrowest specialist or team of specialists from the 42-agent catalog. Classifies by domain, dispatches single or parallel (max 4), and enforces live-guard gate for production-change agents.",
874
+ "source_type": "adapted",
875
+ "official_docs": [
876
+ "https://docs.aws.amazon.com/",
877
+ "https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html",
878
+ "https://docs.aws.amazon.com/bedrock/latest/userguide/agents.html",
879
+ "https://docs.aws.amazon.com/bedrock/latest/userguide/agentcore.html",
880
+ "https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html"
881
+ ],
882
+ "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live-guard agents without explicit human confirmation, blast-radius assessment, and rollback path.",
883
+ "last_verified": "2026-04-30",
884
+ "path": "skills/aws/aws-maestro",
885
+ "author": "github: Raishin",
886
+ "version": "0.1.0"
887
+ },
801
888
  {
802
889
  "id": "aws-migration-cutover-architect",
803
890
  "name": "AWS Migration Cutover Architect",
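Review bot: The aws-maestro `summary` bakes a fixed count ("42-agent catalog") into prose, and this same diff adds AWS skills, so the number is already a maintenance hazard; the azure-maestro entry later in this file says "30-agent catalog" with the same problem. A router that dispatches by catalog membership should describe itself without a hard-coded size, e.g. `Route AWS tasks to the narrowest specialist or team of specialists from the AWS agent catalog`, and let tooling count entries. Separately, `source_type` is `adapted` but no field records what it was adapted from; for a package consumed as agent instructions that provenance is part of the supply-chain record, so consider an explicit upstream reference or `original` if none applies.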
@@ -934,6 +1021,34 @@
934
1021
  "author": "github: Raishin",
935
1022
  "version": "0.1.0"
936
1023
  },
1024
+ {
1025
+ "id": "aws-private-ca-issuer-review",
1026
+ "name": "AWS Private CA Issuer Review",
1027
+ "type": "skill",
1028
+ "provider": "aws",
1029
+ "harnesses": [
1030
+ "codex",
1031
+ "claude-code",
1032
+ "cursor",
1033
+ "gemini",
1034
+ "kiro",
1035
+ "other"
1036
+ ],
1037
+ "summary": "Review AWS ACM Private Certificate Authority issuer configurations for cert-manager, covering CA hierarchy safety, certificate template ARN scope, IRSA permissions minimization, validity period alignment, CRL reachability, and cross-account PCA usage patterns.",
1038
+ "source_type": "original",
1039
+ "official_docs": [
1040
+ "https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html",
1041
+ "https://github.com/cert-manager/aws-privateca-issuer",
1042
+ "https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html",
1043
+ "https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html",
1044
+ "https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html"
1045
+ ],
1046
+ "security_notes": "Using a Root CA ARN in AWSPCAIssuer exposes the root of trust directly to cert-manager. A SubordinateCACertificate template allows cert-manager to issue intermediate CAs, enabling an attacker with cert-manager IRSA access to create a shadow CA trusted by the entire corporate PKI. IRSA role must exclude acm-pca:DeleteCertificateAuthority and acm-pca:CreateCertificateAuthority.",
1047
+ "last_verified": "2026-05-02",
1048
+ "path": "skills/aws/aws-private-ca-issuer-review",
1049
+ "version": "0.1.0",
1050
+ "author": "github: Raishin"
1051
+ },
937
1052
  {
938
1053
  "id": "aws-rds-aurora-performance-investigator",
939
1054
  "name": "AWS RDS Aurora Performance Investigator",
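Review bot: The aws-private-ca-issuer-review `security_notes` frames IRSA least privilege as a deny-list ("must exclude acm-pca:DeleteCertificateAuthority and acm-pca:CreateCertificateAuthority"), which still passes a role carrying `acm-pca:*` minus two actions, including UpdateCertificateAuthority and RevokeCertificate. The issuer needs only `acm-pca:DescribeCertificateAuthority`, `acm-pca:GetCertificate` and `acm-pca:IssueCertificate`, so the check should be an allow-list of those three scoped to the intended CA ARN(s); the `acm-pca:TemplateArn` condition key on IssueCertificate can additionally pin end-entity templates and directly enforces the SubordinateCACertificate concern the note raises. Suggest replacing the last sentence with `IRSA policy should allow only acm-pca:DescribeCertificateAuthority, GetCertificate and IssueCertificate on the intended subordinate CA ARN, with acm-pca:TemplateArn restricted to end-entity templates`.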
@@ -1546,6 +1661,33 @@
1546
1661
  "author": "github: Raishin",
1547
1662
  "version": "0.1.0"
1548
1663
  },
1664
+ {
1665
+ "id": "azure-keyvault-certificate-issuer-review",
1666
+ "name": "Azure Key Vault Certificate Issuer Review",
1667
+ "type": "skill",
1668
+ "provider": "azure",
1669
+ "harnesses": [
1670
+ "codex",
1671
+ "claude-code",
1672
+ "cursor",
1673
+ "gemini",
1674
+ "kiro",
1675
+ "other"
1676
+ ],
1677
+ "summary": "Review Azure Key Vault certificate issuer configurations for cert-manager, covering certificate policy alignment, Managed Identity authorization scope, exportability posture, private endpoint connectivity, integrated CA credential scoping, and cert-manager vs Key Vault auto-rotation race conditions.",
1678
+ "source_type": "original",
1679
+ "official_docs": [
1680
+ "https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates",
1681
+ "https://learn.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios",
1682
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security",
1683
+ "https://learn.microsoft.com/en-us/azure/key-vault/general/network-security"
1684
+ ],
1685
+ "security_notes": "Key Vault Contributor role assigned to cert-manager allows deletion of the Key Vault, management policy changes, and purge of soft-deleted certs — a full management plane compromise. Use Key Vault Certificate Officer (data plane RBAC) instead. Exportable certificates allow private key extraction from Key Vault; use non-exportable certs for cluster-internal mTLS.",
1686
+ "last_verified": "2026-05-02",
1687
+ "path": "skills/azure/azure-keyvault-certificate-issuer-review",
1688
+ "version": "0.1.0",
1689
+ "author": "github: Raishin"
1690
+ },
1549
1691
  {
1550
1692
  "id": "azure-landing-zone-architect",
1551
1693
  "name": "Azure Landing Zone Architect",
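Review bot: The azure-keyvault-certificate-issuer-review `security_notes` recommends "Key Vault Certificate Officer" — the built-in role is named `Key Vault Certificates Officer` — and attributes certificate purge to Key Vault Contributor, but purging soft-deleted certificates is a data-plane action that Contributor does not hold directly; its real escalation path is rewriting access policies on vaults not enforcing Azure RBAC, or deleting the vault. Certificates Officer itself carries the `certificates/*` data actions, which include purge, so swapping roles does not remove that risk; purge protection on the vault is the control that does, and the review should check for it alongside the role assignment. Suggest: `Use Key Vault Certificates Officer (data plane) rather than Key Vault Contributor (management plane: vault deletion, access-policy rewrite), and require purge protection since Certificates Officer can still purge soft-deleted certificates.`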
@@ -1576,6 +1718,223 @@
1576
1718
  "author": "github: Raishin",
1577
1719
  "version": "0.1.0"
1578
1720
  },
1721
+ {
1722
+ "id": "azure-live-aks-rollout-guard",
1723
+ "name": "Azure Live AKS Rollout Guard",
1724
+ "type": "skill",
1725
+ "provider": "azure",
1726
+ "harnesses": [
1727
+ "codex",
1728
+ "claude-code",
1729
+ "cursor",
1730
+ "gemini",
1731
+ "kiro",
1732
+ "other"
1733
+ ],
1734
+ "summary": "Guard live AKS deployment rollouts with PDB audit, maxUnavailable/surge validation, rollout pause/undo gates, and post-rollout health verification.",
1735
+ "source_type": "original",
1736
+ "official_docs": [
1737
+ "https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security",
1738
+ "https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads",
1739
+ "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment",
1740
+ "https://kubernetes.io/docs/tasks/run-application/configure-pdb/"
1741
+ ],
1742
+ "security_notes": "Never advance an AKS rollout without PDB audit and replica health check. kubectl rollout undo is safe but must be confirmed before execution to avoid double-rollback churn.",
1743
+ "last_verified": "2026-04-30",
1744
+ "path": "skills/azure/azure-live-aks-rollout-guard",
1745
+ "author": "github: Raishin",
1746
+ "version": "0.1.0"
1747
+ },
1748
+ {
1749
+ "id": "azure-live-app-service-slot-swap-guard",
1750
+ "name": "Azure Live App Service Slot Swap Guard",
1751
+ "type": "skill",
1752
+ "provider": "azure",
1753
+ "harnesses": [
1754
+ "codex",
1755
+ "claude-code",
1756
+ "cursor",
1757
+ "gemini",
1758
+ "kiro",
1759
+ "other"
1760
+ ],
1761
+ "summary": "Guard live App Service slot swaps with sticky-settings audit, warmup probe verification, swap-with-preview staging, and instant rollback posture.",
1762
+ "source_type": "original",
1763
+ "official_docs": [
1764
+ "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots",
1765
+ "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
1766
+ "https://learn.microsoft.com/en-us/azure/app-service/configure-common"
1767
+ ],
1768
+ "security_notes": "Never perform a production slot swap without sticky-settings diff audit and warmup health confirmation. A bad swap with no rollback plan can take a production app offline instantly.",
1769
+ "last_verified": "2026-04-30",
1770
+ "path": "skills/azure/azure-live-app-service-slot-swap-guard",
1771
+ "author": "github: Raishin",
1772
+ "version": "0.1.0"
1773
+ },
1774
+ {
1775
+ "id": "azure-live-arm-deployment-stack-guard",
1776
+ "name": "Azure Live ARM Deployment Stack Guard",
1777
+ "type": "skill",
1778
+ "provider": "azure",
1779
+ "harnesses": [
1780
+ "codex",
1781
+ "claude-code",
1782
+ "cursor",
1783
+ "gemini",
1784
+ "kiro",
1785
+ "other"
1786
+ ],
1787
+ "summary": "Guard live ARM, Bicep, and Deployment Stack changes with what-if evidence, denySettings review, changeset diff, rollback posture, and approval gates.",
1788
+ "source_type": "original",
1789
+ "official_docs": [
1790
+ "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if",
1791
+ "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks",
1792
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments",
1793
+ "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices"
1794
+ ],
1795
+ "security_notes": "Never execute an ARM or Deployment Stack change without what-if evidence, confirmed target scope, denySettings review, and explicit human approval. Repo write access does not authorize live Azure mutations.",
1796
+ "last_verified": "2026-04-30",
1797
+ "path": "skills/azure/azure-live-arm-deployment-stack-guard",
1798
+ "author": "github: Raishin",
1799
+ "version": "0.1.0"
1800
+ },
1801
+ {
1802
+ "id": "azure-live-cost-budget-action-guard",
1803
+ "name": "Azure Live Cost Budget Action Guard",
1804
+ "type": "skill",
1805
+ "provider": "azure",
1806
+ "harnesses": [
1807
+ "codex",
1808
+ "claude-code",
1809
+ "cursor",
1810
+ "gemini",
1811
+ "kiro",
1812
+ "other"
1813
+ ],
1814
+ "summary": "Gate Azure budget action changes and GPU/HPC SKU provisioning against approved spend limits, with quota audits and emergency spend-stop playbooks.",
1815
+ "source_type": "original",
1816
+ "official_docs": [
1817
+ "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
1818
+ "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits",
1819
+ "https://learn.microsoft.com/en-us/azure/quotas/quickstart-increase-quota-portal",
1820
+ "https://learn.microsoft.com/en-us/azure/cost-management-billing/finops/overview-finops"
1821
+ ],
1822
+ "security_notes": "GPU/HPC SKUs (NDv5, H100, A100) can generate $50K+ daily costs. Never approve quota increases or budget threshold raises without explicit spend-approval sign-off from a financial authority.",
1823
+ "last_verified": "2026-04-30",
1824
+ "path": "skills/azure/azure-live-cost-budget-action-guard",
1825
+ "author": "github: Raishin",
1826
+ "version": "0.1.0"
1827
+ },
1828
+ {
1829
+ "id": "azure-live-entra-role-assignment-guard",
1830
+ "name": "Azure Live Entra Role Assignment Guard",
1831
+ "type": "skill",
1832
+ "provider": "azure",
1833
+ "harnesses": [
1834
+ "codex",
1835
+ "claude-code",
1836
+ "cursor",
1837
+ "gemini",
1838
+ "kiro",
1839
+ "other"
1840
+ ],
1841
+ "summary": "Guard live permanent Microsoft Entra ID and Azure RBAC role assignments with scope audit, principal-type risk classification, dangerous-role detection, and explicit approval gates before write.",
1842
+ "source_type": "original",
1843
+ "official_docs": [
1844
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
1845
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices",
1846
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles",
1847
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-alert",
1848
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"
1849
+ ],
1850
+ "security_notes": "Never create Owner, Contributor, or UAA assignments at subscription or management-group scope without CISO-level justification. Always prefer PIM eligible assignment. Block Guest principal assignments without Director-level sign-off. Token caching means deletion may take up to 5 minutes to propagate.",
1851
+ "last_verified": "2026-05-01",
1852
+ "path": "skills/azure/azure-live-entra-role-assignment-guard",
1853
+ "author": "github: Raishin",
1854
+ "version": "0.1.0"
1855
+ },
1856
+ {
1857
+ "id": "azure-live-keyvault-rotation-purge-guard",
1858
+ "name": "Azure Live Key Vault Rotation Purge Guard",
1859
+ "type": "skill",
1860
+ "provider": "azure",
1861
+ "harnesses": [
1862
+ "codex",
1863
+ "claude-code",
1864
+ "cursor",
1865
+ "gemini",
1866
+ "kiro",
1867
+ "other"
1868
+ ],
1869
+ "summary": "Guard Key Vault key rotation, rotation policy changes, soft-delete enforcement, and purge-protection enablement with irreversibility warnings and rollback evidence.",
1870
+ "source_type": "original",
1871
+ "official_docs": [
1872
+ "https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery",
1873
+ "https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details",
1874
+ "https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation",
1875
+ "https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices"
1876
+ ],
1877
+ "security_notes": "Purge-protection enable is irreversible. Soft-deleted keys can be recovered within the retention window. HSM-backed hard-purged keys cannot be recovered. Never grant purge rights to routine rotation operators.",
1878
+ "last_verified": "2026-04-30",
1879
+ "path": "skills/azure/azure-live-keyvault-rotation-purge-guard",
1880
+ "author": "github: Raishin",
1881
+ "version": "0.1.0"
1882
+ },
1883
+ {
1884
+ "id": "azure-live-pim-jit-activation-guard",
1885
+ "name": "Azure Live PIM JIT Activation Guard",
1886
+ "type": "skill",
1887
+ "provider": "azure",
1888
+ "harnesses": [
1889
+ "codex",
1890
+ "claude-code",
1891
+ "cursor",
1892
+ "gemini",
1893
+ "kiro",
1894
+ "other"
1895
+ ],
1896
+ "summary": "Gate Entra ID PIM eligible role activations with justification, MFA, ticket binding, time-bound scope, and approval workflow gates before any privileged Azure role becomes active.",
1897
+ "source_type": "original",
1898
+ "official_docs": [
1899
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan",
1900
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings",
1901
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role",
1902
+ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure-azure-ad-roles"
1903
+ ],
1904
+ "security_notes": "Never activate a PIM role without justification, ticket reference, and MFA confirmation. An agent cannot activate another user's PIM role on their behalf — only the eligible principal may submit. Requires Entra ID P2 or equivalent license.",
1905
+ "last_verified": "2026-04-30",
1906
+ "path": "skills/azure/azure-live-pim-jit-activation-guard",
1907
+ "author": "github: Raishin",
1908
+ "version": "0.1.0"
1909
+ },
1910
+ {
1911
+ "id": "azure-maestro",
1912
+ "name": "Azure Maestro",
1913
+ "type": "skill",
1914
+ "provider": "azure",
1915
+ "harnesses": [
1916
+ "codex",
1917
+ "claude-code",
1918
+ "cursor",
1919
+ "gemini",
1920
+ "kiro",
1921
+ "other"
1922
+ ],
1923
+ "summary": "Route Azure tasks to the narrowest specialist or team of specialists from the 30-agent catalog. Classifies by domain, dispatches single or parallel (max 4), and enforces live-guard gate for production-change agents.",
1924
+ "source_type": "adapted",
1925
+ "official_docs": [
1926
+ "https://learn.microsoft.com/en-us/azure/",
1927
+ "https://learn.microsoft.com/en-us/azure/architecture/",
1928
+ "https://learn.microsoft.com/en-us/azure/well-architected/",
1929
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
1930
+ "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview"
1931
+ ],
1932
+ "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live-guard agents without explicit human confirmation, blast-radius assessment, and rollback path.",
1933
+ "last_verified": "2026-04-30",
1934
+ "path": "skills/azure/azure-maestro",
1935
+ "author": "github: Raishin",
1936
+ "version": "0.1.0"
1937
+ },
1579
1938
  {
1580
1939
  "id": "azure-migrate-landing-zone-cutover",
1581
1940
  "name": "Azure Migrate Landing Zone Cutover",
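Review bot: The azure-live-entra-role-assignment-guard `security_notes` asserts "Token caching means deletion may take up to 5 minutes to propagate", a specific figure the linked RBAC docs do not support and a misleading one for a revocation guard: an Azure RBAC assignment change takes minutes to apply, and a removed Entra directory role stays effective for already-issued access tokens until they expire (on the order of an hour by default), which is the window an incident responder actually has to plan for. Suggest rewording to `Removal is not immediate: Azure RBAC changes take minutes to propagate and existing Entra access tokens keep a removed role until expiry — revoke sessions or wait for token expiry before treating a removal as effective`. The unexplained abbreviation "UAA" should be spelled out as `User Access Administrator`, since that role can re-grant Owner and is the one most often missed in scope audits. The azure-maestro summary's hard-coded "30-agent catalog" will also drift as this diff adds guards; drop the count.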
@@ -1915,10 +2274,10 @@
1915
2274
  "version": "0.1.0"
1916
2275
  },
1917
2276
  {
1918
- "id": "oci-autonomous-database-architect",
1919
- "name": "OCI Autonomous Database Architect",
2277
+ "id": "backstage-scaffolder-template-review",
2278
+ "name": "Backstage Scaffolder Template Review",
1920
2279
  "type": "skill",
1921
- "provider": "oci",
2280
+ "provider": "backstage",
1922
2281
  "harnesses": [
1923
2282
  "codex",
1924
2283
  "claude-code",
@@ -1927,25 +2286,26 @@
1927
2286
  "kiro",
1928
2287
  "other"
1929
2288
  ],
1930
- "summary": "Design, review, migrate, and operate Oracle Autonomous Database across OCI and multicloud destinations with official-source grounding.",
2289
+ "summary": "Review Backstage Scaffolder software templates for action blast-radius, input parameter injection, RBAC gate coverage, secret scope, catalog entity poisoning, and output exposure.",
1931
2290
  "source_type": "original",
1932
2291
  "official_docs": [
1933
- "https://docs.oracle.com/en-us/iaas/Content/Database/Concepts/adboverview.htm",
1934
- "https://docs.oracle.com/en-us/iaas/Content/database-at-azure/overview.htm",
1935
- "https://docs.oracle.com/en-us/iaas/Content/database-at-gcp/overview.htm",
1936
- "https://docs.oracle.com/en-us/iaas/Content/database-at-aws/overview.htm"
2292
+ "https://backstage.io/docs/features/software-templates/",
2293
+ "https://backstage.io/docs/features/software-templates/writing-templates",
2294
+ "https://backstage.io/docs/features/software-templates/builtin-actions",
2295
+ "https://backstage.io/docs/permissions/overview",
2296
+ "https://backstage.io/docs/integrations/github/github-apps"
1937
2297
  ],
1938
- "security_notes": "Autonomous Database deployments can expose production data and credentials. Verify IAM, network posture, TLS, backup, and secret handling before recommending changes.",
1939
- "last_verified": "2026-04-27",
1940
- "path": "skills/oci/oci-autonomous-database-architect",
1941
- "author": "github: Raishin",
1942
- "version": "0.1.0"
2298
+ "security_notes": "Backstage Scaffolder templates without RBAC gate and without input validation allow any developer to trigger infrastructure provisioning actions. Templates that provision cloud resources via Terraform or Crossplane CRDs effectively grant cloud-write to all Backstage users.",
2299
+ "last_verified": "2026-05-02",
2300
+ "path": "skills/backstage/backstage-scaffolder-template-review",
2301
+ "version": "0.1.0",
2302
+ "author": "github: Raishin"
1943
2303
  },
1944
2304
  {
1945
- "id": "oci-cloud-guard-responder",
1946
- "name": "OCI Cloud Guard Responder",
2305
+ "id": "cert-manager-issuer-trust-review",
2306
+ "name": "cert-manager Issuer Trust Review",
1947
2307
  "type": "skill",
1948
- "provider": "oci",
2308
+ "provider": "cert-manager",
1949
2309
  "harnesses": [
1950
2310
  "codex",
1951
2311
  "claude-code",
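Review bot: The cert-manager-issuer-trust-review `security_notes` treats the presence of a CertificateRequestPolicy as the control, but approver-policy only takes effect if cert-manager's built-in auto-approver is disabled (the `disableAutoApproval` Helm value, or removing `certificaterequests-approver` from `--controllers`); with the default approver still running every CertificateRequest is approved before any policy is evaluated, so the review must check that setting and not just the policy objects. Suggest appending `A CertificateRequestPolicy is inert unless cert-manager's internal approver is disabled (disableAutoApproval / --controllers=*,-certificaterequests-approver)`. For the backstage entry, the "RBAC gate coverage" point would be sharper if the note said whose credentials actions run under: scaffolder actions execute with the backend's integration credentials (e.g. the GitHub App token), not the requesting user's, so without a permission policy every authenticated user inherits that identity's write scope.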
@@ -1954,17 +2314,500 @@
1954
2314
  "kiro",
1955
2315
  "other"
1956
2316
  ],
1957
- "summary": "Triage and govern OCI Cloud Guard problems, targets, responder recipes, detector findings, and security remediation safely. Use for Cloud Guard reviews, problem prioritization, remediation planning, and compliance evidence when official...",
1958
- "source_type": "adapted",
2317
+ "summary": "Review cert-manager Issuer and ClusterIssuer scope, CertificateRequestPolicy (approver-policy) coverage, certificate SAN and duration risks, trust-manager bundle distribution, and cloud CA integration authentication for Kubernetes PKI posture.",
2318
+ "source_type": "original",
1959
2319
  "official_docs": [
1960
- "https://docs.oracle.com/en-us/iaas/Content/home.htm",
1961
- "https://www.oracle.com/cloud/"
2320
+ "https://cert-manager.io/docs/",
2321
+ "https://cert-manager.io/docs/concepts/certificate/",
2322
+ "https://cert-manager.io/docs/concepts/issuer/",
2323
+ "https://cert-manager.io/docs/projects/approver-policy/",
2324
+ "https://cert-manager.io/docs/projects/trust-manager/",
2325
+ "https://cert-manager.io/docs/configuration/"
1962
2326
  ],
1963
- "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
1964
- "last_verified": "2026-04-27",
1965
- "path": "skills/oci/oci-cloud-guard-responder",
1966
- "author": "github: Raishin",
1967
- "version": "0.1.0"
2327
+ "security_notes": "A ClusterIssuer backed by a corporate Private CA with no CertificateRequestPolicy means any namespace can issue certs for any DNS name trusted by the corporate CA, enabling MITM against internal mTLS services.",
2328
+ "last_verified": "2026-05-02",
2329
+ "path": "skills/cert-manager/cert-manager-issuer-trust-review",
2330
+ "version": "0.1.0",
2331
+ "author": "github: Raishin"
2332
+ },
2333
+ {
2334
+ "id": "cilium-network-policy-review",
2335
+ "name": "Cilium Network Policy Review",
2336
+ "type": "skill",
2337
+ "provider": "cilium",
2338
+ "harnesses": [
2339
+ "codex",
2340
+ "claude-code",
2341
+ "cursor",
2342
+ "gemini",
2343
+ "kiro",
2344
+ "other"
2345
+ ],
2346
+ "summary": "Review Cilium NetworkPolicy, CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, CiliumEgressGatewayPolicy, and ClusterMesh policy-default-local-cluster behavior for zero-trust correctness, blast radius, L7 enforcement, and egress gateway IP correctness.",
2347
+ "source_type": "original",
2348
+ "official_docs": [
2349
+ "https://docs.cilium.io/en/stable/",
2350
+ "https://docs.cilium.io/en/stable/network/kubernetes/policy/",
2351
+ "https://docs.cilium.io/en/stable/security/policy/",
2352
+ "https://docs.cilium.io/en/stable/network/clustermesh/",
2353
+ "https://docs.cilium.io/en/stable/network/egress-gateway/egress-gateway/",
2354
+ "https://docs.cilium.io/en/stable/observability/hubble/",
2355
+ "https://docs.cilium.io/en/stable/cmdref/cilium_clustermesh_inspect-policy-default-local-cluster/"
2356
+ ],
2357
+ "security_notes": "Removal of default-deny NetworkPolicy collapses namespace isolation. Unrestricted egress (0.0.0.0/0) is a documented exfiltration path. ClusterMesh policy-default-local-cluster flag flip changes cross-cluster semantics for every existing policy globally. CiliumEgressGatewayPolicy IP collisions cause silent connection breakage.",
2358
+ "last_verified": "2026-05-01",
2359
+ "path": "skills/cilium/cilium-network-policy-review",
2360
+ "author": "github: Raishin",
2361
+ "version": "0.1.0"
2362
+ },
2363
+ {
2364
+ "id": "external-secrets-operator-review",
2365
+ "name": "External Secrets Operator Review",
2366
+ "type": "skill",
2367
+ "provider": "kubernetes",
2368
+ "harnesses": [
2369
+ "codex",
2370
+ "claude-code",
2371
+ "cursor",
2372
+ "gemini",
2373
+ "kiro",
2374
+ "other"
2375
+ ],
2376
+ "summary": "Review ESO SecretStore, ClusterSecretStore, ExternalSecret, and PushSecret for scope creep, auth anti-patterns, refresh interval risks, and dataFrom blast radius.",
2377
+ "source_type": "original",
2378
+ "official_docs": [
2379
+ "https://external-secrets.io/latest/introduction/overview/",
2380
+ "https://external-secrets.io/latest/api/secretstore/",
2381
+ "https://external-secrets.io/latest/api/externalsecret/",
2382
+ "https://external-secrets.io/latest/api/clustersecretstore/",
2383
+ "https://external-secrets.io/latest/provider/aws-secrets-manager/",
2384
+ "https://external-secrets.io/latest/provider/azure-key-vault/"
2385
+ ],
2386
+ "security_notes": "ClusterSecretStore with no namespace selector grants every namespace access to every external secret reachable by the store credentials. Static credentials in SecretStore auth create a credential-to-access-credentials chain where compromise of the K8s Secret gives full access to the external store.",
2387
+ "last_verified": "2026-05-02",
2388
+ "path": "skills/kubernetes/external-secrets-operator-review",
2389
+ "version": "0.1.0",
2390
+ "author": "github: Raishin"
2391
+ },
2392
+ {
2393
+ "id": "falco-runtime-threat-rules-review",
2394
+ "name": "Falco Runtime Threat Rules Review",
2395
+ "type": "skill",
2396
+ "provider": "falco",
2397
+ "harnesses": [
2398
+ "codex",
2399
+ "claude-code",
2400
+ "cursor",
2401
+ "gemini",
2402
+ "kiro",
2403
+ "other"
2404
+ ],
2405
+ "summary": "Review Falco rules for macro correctness, priority calibration, exception blast radius, sensitive-path coverage, and alert output routing.",
2406
+ "source_type": "original",
2407
+ "official_docs": [
2408
+ "https://falco.org/docs/rules/",
2409
+ "https://falco.org/docs/reference/rules/supported-syscalls/",
2410
+ "https://falco.org/docs/install-operate/third-party/falco-sidekick/",
2411
+ "https://falco.org/docs/reference/rules/exceptions/",
2412
+ "https://falco.org/docs/install-operate/deployment/",
2413
+ "https://github.com/falcosecurity/rules/tree/main/rules"
2414
+ ],
2415
+ "security_notes": "Falco with overly broad rule exceptions creates detection blind spots. A rule exception matching an entire process family (java, python, node) or a specific container name completely disables detection for that workload — attackers can exploit known exception patterns.",
2416
+ "last_verified": "2026-05-02",
2417
+ "path": "skills/falco/falco-runtime-threat-rules-review",
2418
+ "version": "0.1.0",
2419
+ "author": "github: Raishin"
2420
+ },
2421
+ {
2422
+ "id": "finops-cloud-price-advisor",
2423
+ "name": "FinOps Cloud Price Advisor",
2424
+ "type": "skill",
2425
+ "provider": "multi-cloud",
2426
+ "harnesses": [
2427
+ "codex",
2428
+ "claude-code",
2429
+ "cursor",
2430
+ "gemini",
2431
+ "kiro",
2432
+ "other"
2433
+ ],
2434
+ "summary": "Fetch live public prices and build cost estimates for AWS, Azure, and OCI using each cloud's public pricing API. Supports live-environment and prototype cost planning. Currency defaults to USD.",
2435
+ "source_type": "original",
2436
+ "official_docs": [
2437
+ "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/price-changes.html",
2438
+ "https://learn.microsoft.com/en-us/rest/api/cost-management/retail-prices/azure-retail-prices",
2439
+ "https://docs.oracle.com/en-us/iaas/Content/Billing/Concepts/costanalysisoverview.htm"
2440
+ ],
2441
+ "security_notes": "All three public pricing APIs require no authentication. Never accept or request cloud credentials, billing account IDs, cost export access, or tenant-specific data to fetch list prices.",
2442
+ "last_verified": "2026-04-30",
2443
+ "path": "skills/finops/finops-cloud-price-advisor",
2444
+ "version": "0.1.0",
2445
+ "author": "github: Raishin"
2446
+ },
2447
+ {
2448
+ "id": "fluxcd-kustomization-helmrelease-review",
2449
+ "name": "FluxCD Kustomization and HelmRelease Review",
2450
+ "type": "skill",
2451
+ "provider": "fluxcd",
2452
+ "harnesses": [
2453
+ "codex",
2454
+ "claude-code",
2455
+ "cursor",
2456
+ "gemini",
2457
+ "kiro",
2458
+ "other"
2459
+ ],
2460
+ "summary": "Review FluxCD Kustomization, HelmRelease, GitRepository, HelmRepository, and OCIRepository resources for source trust, SOPS encryption, prune blast-radius, ServiceAccount scope, and upgrade remediation safety.",
2461
+ "source_type": "original",
2462
+ "official_docs": [
2463
+ "https://fluxcd.io/flux/components/kustomize/kustomizations/",
2464
+ "https://fluxcd.io/flux/components/helm/helmreleases/",
2465
+ "https://fluxcd.io/flux/components/source/gitrepositories/",
2466
+ "https://fluxcd.io/flux/guides/repository-structure/",
2467
+ "https://fluxcd.io/flux/security/secrets-management/",
2468
+ "https://fluxcd.io/flux/installation/configuration/multitenancy/"
2469
+ ],
2470
+ "security_notes": "Plaintext Kubernetes Secret manifests committed to a FluxCD Git source are exposed to anyone with repo read access — including CI systems, PR participants, and auditors. GitRepository sources without commit signature verification allow any commit (including injected ones) to deploy to production.",
2471
+ "last_verified": "2026-05-02",
2472
+ "path": "skills/fluxcd/fluxcd-kustomization-helmrelease-review",
2473
+ "version": "0.1.0",
2474
+ "author": "github: Raishin"
2475
+ },
2476
+ {
2477
+ "id": "istio-ambient-mesh-review",
2478
+ "name": "Istio Ambient Mesh Review",
2479
+ "type": "skill",
2480
+ "provider": "istio",
2481
+ "harnesses": [
2482
+ "codex",
2483
+ "claude-code",
2484
+ "cursor",
2485
+ "gemini",
2486
+ "kiro",
2487
+ "other"
2488
+ ],
2489
+ "summary": "Review Istio service mesh configuration across both sidecar mode and ambient mode (ztunnel + waypoint), with focus on the ambient L7 policy trap, PeerAuthentication mTLS posture, AuthorizationPolicy enforcement layer, and mesh-wide blast radius.",
2490
+ "source_type": "original",
2491
+ "official_docs": [
2492
+ "https://istio.io/latest/docs/",
2493
+ "https://istio.io/latest/docs/ambient/overview/",
2494
+ "https://istio.io/latest/docs/ambient/usage/l4-policy/",
2495
+ "https://istio.io/latest/docs/ambient/usage/waypoint/",
2496
+ "https://istio.io/latest/docs/overview/dataplane-modes/",
2497
+ "https://istio.io/latest/docs/reference/config/security/peer_authentication/",
2498
+ "https://istio.io/latest/docs/reference/config/security/authorization-policy/"
2499
+ ],
2500
+ "security_notes": "L7 AuthorizationPolicy rules in ambient mode are silently ignored when no waypoint is deployed — ztunnel only enforces L4. PeerAuthentication PERMISSIVE or DISABLE in production breaks mesh zero-trust. Mesh-wide root-namespace PeerAuthentication change has cluster-wide blast radius.",
2501
+ "last_verified": "2026-05-01",
2502
+ "path": "skills/istio/istio-ambient-mesh-review",
2503
+ "author": "github: Raishin",
2504
+ "version": "0.1.0"
2505
+ },
2506
+ {
2507
+ "id": "kubecost-chargeback-allocation-review",
2508
+ "name": "Kubecost Chargeback and Allocation Review",
2509
+ "type": "skill",
2510
+ "provider": "kubernetes",
2511
+ "harnesses": [
2512
+ "codex",
2513
+ "claude-code",
2514
+ "cursor",
2515
+ "gemini",
2516
+ "kiro",
2517
+ "other"
2518
+ ],
2519
+ "summary": "Review Kubecost and OpenCost cost allocation accuracy, label taxonomy completeness, shared cost model, idle cost attribution, budget alert coverage, API authentication, and savings recommendation hygiene for enterprise chargeback.",
2520
+ "source_type": "original",
2521
+ "official_docs": [
2522
+ "https://www.kubecost.com/kubernetes-cost-optimization/",
2523
+ "https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cost-allocation",
2524
+ "https://www.opencost.io/docs/",
2525
+ "https://docs.kubecost.com/install-and-configure/advanced-configuration/cost-model",
2526
+ "https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings",
2527
+ "https://docs.kubecost.com/apis/apis-overview"
2528
+ ],
2529
+ "security_notes": "Kubecost cost allocation API without authentication exposes team-level spend data to any pod in the cluster. Multi-cluster Kubecost aggregation requires cross-cluster network access — review whether the aggregation network path is private or exposed.",
2530
+ "last_verified": "2026-05-02",
2531
+ "path": "skills/kubernetes/kubecost-chargeback-allocation-review",
2532
+ "version": "0.1.0",
2533
+ "author": "github: Raishin"
2534
+ },
2535
+ {
2536
+ "id": "kubernetes-live-rbac-mutation-guard",
2537
+ "name": "Kubernetes Live RBAC Mutation Guard",
2538
+ "type": "skill",
2539
+ "provider": "kubernetes",
2540
+ "harnesses": [
2541
+ "codex",
2542
+ "claude-code",
2543
+ "cursor",
2544
+ "gemini",
2545
+ "kiro",
2546
+ "other"
2547
+ ],
2548
+ "summary": "Guard live kubectl apply/create/delete operations on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings with privilege-escalation verb detection, scope assessment, current-state diff, and explicit approval before write.",
2549
+ "source_type": "original",
2550
+ "official_docs": [
2551
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
2552
+ "https://kubernetes.io/docs/concepts/security/rbac-good-practices/",
2553
+ "https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/",
2554
+ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
2555
+ ],
2556
+ "security_notes": "Capture current RBAC state before every mutation — no built-in rollback. Block escalate, bind, and impersonate verbs without platform-team approval. Never approve wildcard grants. Cached tokens remain valid after binding deletion until expiry.",
2557
+ "last_verified": "2026-05-01",
2558
+ "path": "skills/kubernetes/kubernetes-live-rbac-mutation-guard",
2559
+ "author": "github: Raishin",
2560
+ "version": "0.1.0"
2561
+ },
2562
+ {
2563
+ "id": "kubernetes-maestro",
2564
+ "name": "Kubernetes Maestro",
2565
+ "type": "skill",
2566
+ "provider": "kubernetes",
2567
+ "summary": "Route Kubernetes tasks to the narrowest specialist or team of specialists. Classifies task domains across RBAC, admission security, network policy, mesh, GitOps, observability, and workload identity. Never auto-dispatches live-guard agents.",
2568
+ "path": "skills/kubernetes/kubernetes-maestro",
2569
+ "harnesses": [
2570
+ "codex",
2571
+ "claude-code",
2572
+ "cursor",
2573
+ "gemini",
2574
+ "kiro",
2575
+ "other"
2576
+ ],
2577
+ "last_verified": "2026-05-01",
2578
+ "official_docs": [
2579
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
2580
+ "https://kubernetes.io/docs/concepts/security/pod-security-admission/",
2581
+ "https://kyverno.io/docs/",
2582
+ "https://istio.io/latest/docs/ambient/",
2583
+ "https://docs.cilium.io/en/stable/",
2584
+ "https://argo-cd.readthedocs.io/en/stable/"
2585
+ ],
2586
+ "security_notes": "Live-guard gate is non-negotiable: kubernetes-live-rbac-mutation-guard-agent, kubernetes-live-admission-policy-guard-agent, kubernetes-live-mesh-policy-guard-agent, kubernetes-live-argocd-sync-guard-agent, and kubernetes-live-network-policy-guard-agent must never be auto-dispatched.",
2587
+ "source_type": "original",
2588
+ "version": "0.1.0"
2589
+ },
2590
+ {
2591
+ "id": "kubernetes-pod-security-admission-review",
2592
+ "name": "Kubernetes Pod Security Admission Review",
2593
+ "type": "skill",
2594
+ "provider": "kubernetes",
2595
+ "harnesses": [
2596
+ "codex",
2597
+ "claude-code",
2598
+ "cursor",
2599
+ "gemini",
2600
+ "kiro",
2601
+ "other"
2602
+ ],
2603
+ "summary": "Review Kubernetes Pod Security Admission posture across namespace labels, the three profiles (privileged, baseline, restricted), enforce/audit/warn modes, version pinning, exemptions, and the migration from deprecated PodSecurityPolicy.",
2604
+ "source_type": "original",
2605
+ "official_docs": [
2606
+ "https://kubernetes.io/docs/concepts/security/pod-security-admission/",
2607
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
2608
+ "https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/",
2609
+ "https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/",
2610
+ "https://kubernetes.io/docs/concepts/security/security-checklist/"
2611
+ ],
2612
+ "security_notes": "A production namespace with no PSA label inherits cluster default which is privileged unless overridden. enforce-version latest changes semantics on every Kubernetes minor upgrade. audit and warn without enforce only log violations. PSP migration via kubectl-psp-to-psa shifts enforcement boundary; verify before disabling PSP webhooks.",
2613
+ "last_verified": "2026-05-01",
2614
+ "path": "skills/kubernetes/kubernetes-pod-security-admission-review",
2615
+ "author": "github: Raishin",
2616
+ "version": "0.1.0"
2617
+ },
2618
+ {
2619
+ "id": "kubernetes-pod-spec-review",
2620
+ "name": "Kubernetes Pod Spec Review",
2621
+ "type": "skill",
2622
+ "provider": "kubernetes",
2623
+ "harnesses": [
2624
+ "codex",
2625
+ "claude-code",
2626
+ "cursor",
2627
+ "gemini",
2628
+ "kiro",
2629
+ "other"
2630
+ ],
2631
+ "summary": "Review Kubernetes Pod, Deployment, and StatefulSet specs for probe correctness, resource QoS, securityContext posture, image pull policy, secret consumption patterns, topology spread, and termination grace period against CKAD-aligned production-readiness standards.",
2632
+ "source_type": "original",
2633
+ "official_docs": [
2634
+ "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/",
2635
+ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
2636
+ "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
2637
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
2638
+ "https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/",
2639
+ "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"
2640
+ ],
2641
+ "security_notes": "Secrets mounted as environment variables appear in kubectl describe pod output and in /proc/self/environ, accessible to any process in the container. Root containers can write to host paths if hostPath volumes are present. Missing runAsNonRoot allows container breakout to node if combined with hostPath or privileged mode.",
2642
+ "last_verified": "2026-05-02",
2643
+ "path": "skills/kubernetes/kubernetes-pod-spec-review",
2644
+ "version": "0.1.0",
2645
+ "author": "github: Raishin"
2646
+ },
2647
+ {
2648
+ "id": "kubernetes-rbac-review",
2649
+ "name": "Kubernetes RBAC Review",
2650
+ "type": "skill",
2651
+ "provider": "kubernetes",
2652
+ "harnesses": [
2653
+ "codex",
2654
+ "claude-code",
2655
+ "cursor",
2656
+ "gemini",
2657
+ "kiro",
2658
+ "other"
2659
+ ],
2660
+ "summary": "Review Kubernetes Roles, ClusterRoles, RoleBindings, ClusterRoleBindings, and ServiceAccounts for least-privilege, namespace-scope minimization, and workload identity safety.",
2661
+ "source_type": "original",
2662
+ "official_docs": [
2663
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
2664
+ "https://kubernetes.io/docs/concepts/security/rbac-good-practices/",
2665
+ "https://kubernetes.io/docs/reference/access-authn-authz/authorization/",
2666
+ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
2667
+ ],
2668
+ "security_notes": "Do not recommend ClusterAdmin or wildcard bindings unless explicitly justified. Prefer namespace-scoped Roles over ClusterRoles for workloads that do not need cluster-wide access. Do not auto-mount service account tokens unless the workload requires API server access.",
2669
+ "last_verified": "2026-05-01",
2670
+ "path": "skills/kubernetes/kubernetes-rbac-review",
2671
+ "author": "github: Raishin",
2672
+ "version": "0.1.0"
2673
+ },
2674
+ {
2675
+ "id": "kubernetes-workload-identity-review",
2676
+ "name": "Kubernetes Workload Identity Review",
2677
+ "type": "skill",
2678
+ "provider": "kubernetes",
2679
+ "harnesses": [
2680
+ "codex",
2681
+ "claude-code",
2682
+ "cursor",
2683
+ "gemini",
2684
+ "kiro",
2685
+ "other"
2686
+ ],
2687
+ "summary": "Review Kubernetes workload identity bindings across AWS IRSA, Azure Workload Identity, GCP Workload Identity Federation, and the underlying ServiceAccount projected token model with OIDC issuer trust scope and short-lived federation.",
2688
+ "source_type": "original",
2689
+ "official_docs": [
2690
+ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
2691
+ "https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/",
2692
+ "https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html",
2693
+ "https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview",
2694
+ "https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity",
2695
+ "https://openid.net/specs/openid-connect-core-1_0.html"
2696
+ ],
2697
+ "security_notes": "Workload identity OIDC trust policy with wildcard sub claim allows any ServiceAccount in the cluster to assume the role. Pods with both a workload-identity SA and a long-lived credential Secret typically fall back to the static credential. Tokens with audiences not pinned to the cloud target are reusable elsewhere.",
2698
+ "last_verified": "2026-05-01",
2699
+ "path": "skills/kubernetes/kubernetes-workload-identity-review",
2700
+ "author": "github: Raishin",
2701
+ "version": "0.1.0"
2702
+ },
2703
+ {
2704
+ "id": "kyverno-policy-review",
2705
+ "name": "Kyverno Policy Review",
2706
+ "type": "skill",
2707
+ "provider": "kyverno",
2708
+ "harnesses": [
2709
+ "codex",
2710
+ "claude-code",
2711
+ "cursor",
2712
+ "gemini",
2713
+ "kiro",
2714
+ "other"
2715
+ ],
2716
+ "summary": "Review Kyverno ValidatingPolicy, MutatingPolicy, GeneratingPolicy, DeletingPolicy, ImageValidatingPolicy, and PolicyException resources for admission correctness, failure mode, supply-chain integrity, and the Kyverno-vs-native-CEL architectural decision.",
2717
+ "source_type": "original",
2718
+ "official_docs": [
2719
+ "https://kyverno.io/docs/",
2720
+ "https://kyverno.io/docs/policy-types/overview/",
2721
+ "https://kyverno.io/docs/policy-types/cluster-policy/validate/",
2722
+ "https://kyverno.io/docs/policy-types/cluster-policy/verify-images/",
2723
+ "https://kyverno.io/docs/exceptions/",
2724
+ "https://kyverno.io/docs/installation/",
2725
+ "https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/"
2726
+ ],
2727
+ "security_notes": "Treat failureAction Audit on production policies as a critical finding. Every PolicyException is a documented bypass requiring an owner, reason, and expiry. ImageValidatingPolicy must verify signatures with mutateDigest true. Prefer native ValidatingAdmissionPolicy when CEL alone is sufficient.",
2728
+ "last_verified": "2026-05-01",
2729
+ "path": "skills/kyverno/kyverno-policy-review",
2730
+ "author": "github: Raishin",
2731
+ "version": "0.1.0"
2732
+ },
2733
+ {
2734
+ "id": "oci-autonomous-database-architect",
2735
+ "name": "OCI Autonomous Database Architect",
2736
+ "type": "skill",
2737
+ "provider": "oci",
2738
+ "harnesses": [
2739
+ "codex",
2740
+ "claude-code",
2741
+ "cursor",
2742
+ "gemini",
2743
+ "kiro",
2744
+ "other"
2745
+ ],
2746
+ "summary": "Design, review, migrate, and operate Oracle Autonomous Database across OCI and multicloud destinations with official-source grounding.",
2747
+ "source_type": "original",
2748
+ "official_docs": [
2749
+ "https://docs.oracle.com/en-us/iaas/Content/Database/Concepts/adboverview.htm",
2750
+ "https://docs.oracle.com/en-us/iaas/Content/database-at-azure/overview.htm",
2751
+ "https://docs.oracle.com/en-us/iaas/Content/database-at-gcp/overview.htm",
2752
+ "https://docs.oracle.com/en-us/iaas/Content/database-at-aws/overview.htm"
2753
+ ],
2754
+ "security_notes": "Autonomous Database deployments can expose production data and credentials. Verify IAM, network posture, TLS, backup, and secret handling before recommending changes.",
2755
+ "last_verified": "2026-04-27",
2756
+ "path": "skills/oci/oci-autonomous-database-architect",
2757
+ "author": "github: Raishin",
2758
+ "version": "0.1.0"
2759
+ },
2760
+ {
2761
+ "id": "oci-certificates-issuer-review",
2762
+ "name": "OCI Certificates Issuer Review",
2763
+ "type": "skill",
2764
+ "provider": "oci",
2765
+ "harnesses": [
2766
+ "codex",
2767
+ "claude-code",
2768
+ "cursor",
2769
+ "gemini",
2770
+ "kiro",
2771
+ "other"
2772
+ ],
2773
+ "summary": "Review OCI Certificates Service issuer configurations for cert-manager on OKE, covering CA hierarchy safety, issuance rule enforcement, OKE Workload Identity vs Instance Principal authentication, IAM policy scope minimization, OCSP reachability, and certificate version lifecycle management.",
2774
+ "source_type": "original",
2775
+ "official_docs": [
2776
+ "https://docs.oracle.com/en-us/iaas/Content/certificates/home.htm",
2777
+ "https://docs.oracle.com/en-us/iaas/Content/certificates/managing-certificate-authority.htm",
2778
+ "https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingworkloadidentity.htm",
2779
+ "https://github.com/oracle/oci-native-ingress-controller"
2780
+ ],
2781
+ "security_notes": "Instance Principal auth for cert-manager on OKE means ANY pod on the node can call the OCI Certificates API using the instance metadata endpoint — not just cert-manager. Use OKE Workload Identity to scope cert-issuance permissions to the cert-manager ServiceAccount only. IAM policy with 'manage certificate-authorities' grants delete and update CA permissions, which is excessive for cert-manager.",
2782
+ "last_verified": "2026-05-02",
2783
+ "path": "skills/oci/oci-certificates-issuer-review",
2784
+ "version": "0.1.0",
2785
+ "author": "github: Raishin"
2786
+ },
2787
+ {
2788
+ "id": "oci-cloud-guard-responder",
2789
+ "name": "OCI Cloud Guard Responder",
2790
+ "type": "skill",
2791
+ "provider": "oci",
2792
+ "harnesses": [
2793
+ "codex",
2794
+ "claude-code",
2795
+ "cursor",
2796
+ "gemini",
2797
+ "kiro",
2798
+ "other"
2799
+ ],
2800
+ "summary": "Triage and govern OCI Cloud Guard problems, targets, responder recipes, detector findings, and security remediation safely. Use for Cloud Guard reviews, problem prioritization, remediation planning, and compliance evidence when official...",
2801
+ "source_type": "adapted",
2802
+ "official_docs": [
2803
+ "https://docs.oracle.com/en-us/iaas/Content/home.htm",
2804
+ "https://www.oracle.com/cloud/"
2805
+ ],
2806
+ "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
2807
+ "last_verified": "2026-04-27",
2808
+ "path": "skills/oci/oci-cloud-guard-responder",
2809
+ "author": "github: Raishin",
2810
+ "version": "0.1.0"
1968
2811
  },
1969
2812
  {
1970
2813
  "id": "oci-compute-instance-agent-operator",
@@ -2294,6 +3137,196 @@
2294
3137
  "author": "github: Raishin",
2295
3138
  "version": "0.1.0"
2296
3139
  },
3140
+ {
3141
+ "id": "oci-live-autonomous-db-lifecycle-guard",
3142
+ "name": "OCI Live Autonomous DB Lifecycle Guard",
3143
+ "type": "skill",
3144
+ "provider": "oci",
3145
+ "harnesses": [
3146
+ "codex",
3147
+ "claude-code",
3148
+ "cursor",
3149
+ "gemini",
3150
+ "kiro",
3151
+ "other"
3152
+ ],
3153
+ "summary": "Guard Autonomous Database lifecycle changes — scale, start, stop, clone, terminate — with protection-tag enforcement, backup verification, and connection-string impact analysis before any mutation.",
3154
+ "source_type": "original",
3155
+ "official_docs": [
3156
+ "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbscaling.htm",
3157
+ "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbstopstart.htm",
3158
+ "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbcloning.htm",
3159
+ "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbbackingup.htm"
3160
+ ],
3161
+ "security_notes": "ADB termination is permanent — the database and all backups are deleted. Always verify protection tags before any terminate operation. ADB storage scale-up cannot be reversed. Termination blocked by defined-tag protection requires explicit tag removal approval.",
3162
+ "last_verified": "2026-04-30",
3163
+ "path": "skills/oci/oci-live-autonomous-db-lifecycle-guard",
3164
+ "author": "github: Raishin",
3165
+ "version": "0.1.0"
3166
+ },
3167
+ {
3168
+ "id": "oci-live-cost-budget-runaway-guard",
3169
+ "name": "OCI Live Cost Budget Runaway Guard",
3170
+ "type": "skill",
3171
+ "provider": "oci",
3172
+ "harnesses": [
3173
+ "codex",
3174
+ "claude-code",
3175
+ "cursor",
3176
+ "gemini",
3177
+ "kiro",
3178
+ "other"
3179
+ ],
3180
+ "summary": "Gate OCI budget mutations and GPU/HPC shape provisioning against compartment spend limits, with inventory searches, quota audits, and emergency spend-stop playbooks.",
3181
+ "source_type": "original",
3182
+ "official_docs": [
3183
+ "https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
3184
+ "https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/managinginstances.htm",
3185
+ "https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm",
3186
+ "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm"
3187
+ ],
3188
+ "security_notes": "GPU/HPC shapes (BM.GPU4.8, A100, BM.HPC2.36) can generate six-figure monthly costs when left running. Never approve quota increases or budget threshold raises without explicit financial-authority approval. Emergency stop requires Compute operator rights — escalate if not held.",
3189
+ "last_verified": "2026-04-30",
3190
+ "path": "skills/oci/oci-live-cost-budget-runaway-guard",
3191
+ "author": "github: Raishin",
3192
+ "version": "0.1.0"
3193
+ },
3194
+ {
3195
+ "id": "oci-live-iam-policy-compartment-guard",
3196
+ "name": "OCI Live IAM Policy Compartment Guard",
3197
+ "type": "skill",
3198
+ "provider": "oci",
3199
+ "harnesses": [
3200
+ "codex",
3201
+ "claude-code",
3202
+ "cursor",
3203
+ "gemini",
3204
+ "kiro",
3205
+ "other"
3206
+ ],
3207
+ "summary": "Guard OCI IAM policy writes and dynamic group changes with verb-hierarchy audit, compartment scope enforcement, anti-pattern detection (any-user/any-group), and rollback via statement restore.",
3208
+ "source_type": "original",
3209
+ "official_docs": [
3210
+ "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm",
3211
+ "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm",
3212
+ "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policysyntax.htm",
3213
+ "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/iampolicyreference.htm"
3214
+ ],
3215
+ "security_notes": "Any-user and any-group policies in tenancy root are the most common OCI security misconfiguration. Never approve manage-verb policies at tenancy scope without compartment scoping. Policy deletes take effect immediately with no grace period.",
3216
+ "last_verified": "2026-04-30",
3217
+ "path": "skills/oci/oci-live-iam-policy-compartment-guard",
3218
+ "author": "github: Raishin",
3219
+ "version": "0.1.0"
3220
+ },
3221
+ {
3222
+ "id": "oci-live-network-security-rule-guard",
3223
+ "name": "OCI Live Network Security Rule Guard",
3224
+ "type": "skill",
3225
+ "provider": "oci",
3226
+ "harnesses": [
3227
+ "codex",
3228
+ "claude-code",
3229
+ "cursor",
3230
+ "gemini",
3231
+ "kiro",
3232
+ "other"
3233
+ ],
3234
+ "summary": "Guard live OCI Security List and NSG rule changes with current-state capture, open-internet and sensitive-port detection, stateful/stateless assessment, and explicit approval before ingress or egress mutation.",
3235
+ "source_type": "original",
3236
+ "official_docs": [
3237
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm",
3238
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm",
3239
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/manage-nsg-security-rules.htm",
3240
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/update-securitylist.htm",
3241
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/path_analyzer.htm"
3242
+ ],
3243
+ "security_notes": "oci network security-list update is a full replace — always capture complete current rules before writing. Never approve 0.0.0.0/0 ingress on database subnets. Enable VCN Flow Logs before any rule change. Prefer NSGs over Security Lists for database VNICs.",
3244
+ "last_verified": "2026-05-01",
3245
+ "path": "skills/oci/oci-live-network-security-rule-guard",
3246
+ "author": "github: Raishin",
3247
+ "version": "0.1.0"
3248
+ },
3249
+ {
3250
+ "id": "oci-live-oke-rollout-guard",
3251
+ "name": "OCI Live OKE Rollout Guard",
3252
+ "type": "skill",
3253
+ "provider": "oci",
3254
+ "harnesses": [
3255
+ "codex",
3256
+ "claude-code",
3257
+ "cursor",
3258
+ "gemini",
3259
+ "kiro",
3260
+ "other"
3261
+ ],
3262
+ "summary": "Guard OKE deployment rollouts via DevOps Service approval stages with canary and blue-green evidence, rollout health verification, and kubectl rollout undo gates.",
3263
+ "source_type": "original",
3264
+ "official_docs": [
3265
+ "https://docs.oracle.com/en-us/iaas/Content/devops/using/deploy_oke.htm",
3266
+ "https://docs.oracle.com/en-us/iaas/Content/devops/using/bgoke_deploy.htm",
3267
+ "https://docs.oracle.com/en-us/iaas/Content/devops/using/canaryoke_deploy.htm",
3268
+ "https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengoverview.htm"
3269
+ ],
3270
+ "security_notes": "Never advance an OKE rollout past an approval stage without rollout status and PDB health evidence. kubectl rollout undo is irreversible in the sense that the prior version may not be identical to the deployed artifact — confirm target revision before undo.",
3271
+ "last_verified": "2026-04-30",
3272
+ "path": "skills/oci/oci-live-oke-rollout-guard",
3273
+ "author": "github: Raishin",
3274
+ "version": "0.1.0"
3275
+ },
3276
+ {
3277
+ "id": "oci-live-resource-manager-stack-guard",
3278
+ "name": "OCI Live Resource Manager Stack Guard",
3279
+ "type": "skill",
3280
+ "provider": "oci",
3281
+ "harnesses": [
3282
+ "codex",
3283
+ "claude-code",
3284
+ "cursor",
3285
+ "gemini",
3286
+ "kiro",
3287
+ "other"
3288
+ ],
3289
+ "summary": "Guard OCI Resource Manager stack plan, apply, and destroy jobs with drift detection, state-version rollback, stack auto-lock awareness, and approval gates.",
3290
+ "source_type": "original",
3291
+ "official_docs": [
3292
+ "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm",
3293
+ "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/detect-drift.htm",
3294
+ "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/create-job-lock-file.htm",
3295
+ "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/home.htm"
3296
+ ],
3297
+ "security_notes": "OCI Resource Manager auto-locks a stack state during job execution. Never approve an apply or destroy job without a plan-job output review and drift detection evidence. Repo write access does not authorize live OCI infrastructure mutations.",
3298
+ "last_verified": "2026-04-30",
3299
+ "path": "skills/oci/oci-live-resource-manager-stack-guard",
3300
+ "author": "github: Raishin",
3301
+ "version": "0.1.0"
3302
+ },
3303
+ {
3304
+ "id": "oci-live-vault-key-destruction-guard",
3305
+ "name": "OCI Live Vault Key Destruction Guard",
3306
+ "type": "skill",
3307
+ "provider": "oci",
3308
+ "harnesses": [
3309
+ "codex",
3310
+ "claude-code",
3311
+ "cursor",
3312
+ "gemini",
3313
+ "kiro",
3314
+ "other"
3315
+ ],
3316
+ "summary": "Guard Vault master encryption key scheduled-deletion and HSM rotation with data-association audits, key-usage reference checks, deletion-window enforcement, and cancellation playbooks.",
3317
+ "source_type": "original",
3318
+ "official_docs": [
3319
+ "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/deletingkeys.htm",
3320
+ "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/rotatingkeys.htm",
3321
+ "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm",
3322
+ "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys.htm"
3323
+ ],
3324
+ "security_notes": "After the scheduled deletion window expires, HSM-backed keys are cryptographically wiped. All data encrypted exclusively by that key version is permanently unrecoverable. Recovery SLA from OCI Support: NONE. Always use a 30-day window and audit data associations before scheduling.",
3325
+ "last_verified": "2026-04-30",
3326
+ "path": "skills/oci/oci-live-vault-key-destruction-guard",
3327
+ "author": "github: Raishin",
3328
+ "version": "0.1.0"
3329
+ },
2297
3330
  {
2298
3331
  "id": "oci-load-balancer-traffic-engineer",
2299
3332
  "name": "OCI Load Balancer Traffic Engineer",
@@ -2319,6 +3352,33 @@
2319
3352
  "author": "github: Raishin",
2320
3353
  "version": "0.1.0"
2321
3354
  },
3355
+ {
3356
+ "id": "oci-maestro",
3357
+ "name": "OCI Maestro",
3358
+ "type": "skill",
3359
+ "provider": "oci",
3360
+ "harnesses": [
3361
+ "codex",
3362
+ "claude-code",
3363
+ "cursor",
3364
+ "gemini",
3365
+ "kiro",
3366
+ "other"
3367
+ ],
3368
+ "summary": "Route OCI tasks to the narrowest specialist or team of specialists from the 31-agent catalog. Classifies by domain, dispatches single or parallel (max 4), and enforces live-guard gate for production-change agents.",
3369
+ "source_type": "adapted",
3370
+ "official_docs": [
3371
+ "https://docs.oracle.com/en-us/iaas/Content/home.htm",
3372
+ "https://www.oracle.com/cloud/",
3373
+ "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/overview.htm",
3374
+ "https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/securityoverview.htm"
3375
+ ],
3376
+ "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live-guard agents without explicit human confirmation, blast-radius assessment, and rollback path. OCI vault key destruction and IAM policy deletion are irreversible.",
3377
+ "last_verified": "2026-04-30",
3378
+ "path": "skills/oci/oci-maestro",
3379
+ "author": "github: Raishin",
3380
+ "version": "0.1.0"
3381
+ },
2322
3382
  {
2323
3383
  "id": "oci-migration-cutover-architect",
2324
3384
  "name": "OCI Migration Cutover Architect",
@@ -2619,6 +3679,36 @@
2619
3679
  "author": "github: Raishin",
2620
3680
  "version": "0.1.0"
2621
3681
  },
3682
+ {
3683
+ "id": "opentelemetry-collector-config-review",
3684
+ "name": "OpenTelemetry Collector Config Review",
3685
+ "type": "skill",
3686
+ "provider": "opentelemetry",
3687
+ "harnesses": [
3688
+ "codex",
3689
+ "claude-code",
3690
+ "cursor",
3691
+ "gemini",
3692
+ "kiro",
3693
+ "other"
3694
+ ],
3695
+ "summary": "Review OpenTelemetry Operator OpenTelemetryCollector and Instrumentation resources for deployment-mode appropriateness, pipeline correctness, memory_limiter and k8sattributes presence, exporter security, and sampling integrity.",
3696
+ "source_type": "original",
3697
+ "official_docs": [
3698
+ "https://opentelemetry.io/docs/",
3699
+ "https://opentelemetry.io/docs/collector/",
3700
+ "https://opentelemetry.io/docs/collector/configuration/",
3701
+ "https://opentelemetry.io/docs/kubernetes/operator/",
3702
+ "https://opentelemetry.io/docs/kubernetes/operator/automatic/",
3703
+ "https://opentelemetry.io/docs/kubernetes/operator/target-allocator/",
3704
+ "https://github.com/open-telemetry/opentelemetry-operator"
3705
+ ],
3706
+ "security_notes": "Pipeline with no exporter silently drops telemetry. Missing memory_limiter causes collector OOM under burst. Missing k8sattributes drops Kubernetes context. Tail sampling changes are not retroactive. Removing Instrumentation CR stops auto-instrumentation on next pod restart.",
3707
+ "last_verified": "2026-05-01",
3708
+ "path": "skills/opentelemetry/opentelemetry-collector-config-review",
3709
+ "author": "github: Raishin",
3710
+ "version": "0.1.0"
3711
+ },
2622
3712
  {
2623
3713
  "id": "oracle-oci-mcp-grounded-advisor",
2624
3714
  "name": "Oracle and OCI MCP Grounded Advisor",
@@ -2644,5 +3734,121 @@
2644
3734
  "path": "skills/oci/oracle-oci-mcp-grounded-advisor",
2645
3735
  "author": "github: Raishin",
2646
3736
  "version": "0.1.0"
3737
+ },
3738
+ {
3739
+ "id": "prometheus-alerting-cardinality-review",
3740
+ "name": "Prometheus Alerting and Cardinality Review",
3741
+ "type": "skill",
3742
+ "provider": "prometheus",
3743
+ "harnesses": [
3744
+ "codex",
3745
+ "claude-code",
3746
+ "cursor",
3747
+ "gemini",
3748
+ "kiro",
3749
+ "other"
3750
+ ],
3751
+ "summary": "Review Prometheus and AlertManager configuration for cardinality explosion, recording rules, alert expression correctness, routing, scrape security, and retention.",
3752
+ "source_type": "original",
3753
+ "official_docs": [
3754
+ "https://prometheus.io/docs/prometheus/latest/querying/basics/",
3755
+ "https://prometheus.io/docs/practices/naming/",
3756
+ "https://prometheus.io/docs/practices/alerting/",
3757
+ "https://prometheus.io/docs/alerting/latest/alertmanager/",
3758
+ "https://prometheus.io/docs/prometheus/latest/storage/",
3759
+ "https://prometheus.io/docs/practices/remote_write/"
3760
+ ],
3761
+ "security_notes": "honor_labels: true on untrusted scrape targets allows the scraped workload to override job/instance labels, enabling metric spoofing. Scrape configs pointing to external HTTP endpoints are SSRF candidates.",
3762
+ "last_verified": "2026-05-02",
3763
+ "path": "skills/prometheus/prometheus-alerting-cardinality-review",
3764
+ "version": "0.1.0",
3765
+ "author": "github: Raishin"
3766
+ },
3767
+ {
3768
+ "id": "sigstore-cosign-supply-chain-review",
3769
+ "name": "Sigstore Cosign Supply Chain Review",
3770
+ "type": "skill",
3771
+ "provider": "sigstore",
3772
+ "harnesses": [
3773
+ "codex",
3774
+ "claude-code",
3775
+ "cursor",
3776
+ "gemini",
3777
+ "kiro",
3778
+ "other"
3779
+ ],
3780
+ "summary": "Review Sigstore Cosign image signing, Kyverno imageVerify policy, SBOM attestations, SLSA provenance, Rekor transparency log posture, and keyless vs key-based signing configuration for Kubernetes workload supply chain security.",
3781
+ "source_type": "original",
3782
+ "official_docs": [
3783
+ "https://docs.sigstore.dev/cosign/overview/",
3784
+ "https://docs.sigstore.dev/policy-controller/overview/",
3785
+ "https://slsa.dev/spec/v1.0/requirements",
3786
+ "https://kyverno.io/docs/writing-policies/verify-images/",
3787
+ "https://docs.github.com/en/actions/security-guides/using-artifact-attestations",
3788
+ "https://rekor.sigstore.dev/"
3789
+ ],
3790
+ "security_notes": "Kyverno imageVerify policy without subject/issuer constraints accepts any Sigstore-signed image regardless of signer identity. Long-lived Cosign keys in CI secrets allow retroactive signing of malicious images if the secret is compromised.",
3791
+ "last_verified": "2026-05-02",
3792
+ "path": "skills/sigstore/sigstore-cosign-supply-chain-review",
3793
+ "version": "0.1.0",
3794
+ "author": "github: Raishin"
3795
+ },
3796
+ {
3797
+ "id": "terraform-maestro",
3798
+ "name": "Terraform Maestro",
3799
+ "type": "skill",
3800
+ "provider": "terraform",
3801
+ "harnesses": [
3802
+ "codex",
3803
+ "claude-code",
3804
+ "cursor",
3805
+ "gemini",
3806
+ "kiro",
3807
+ "other"
3808
+ ],
3809
+ "summary": "Route Terraform and IaC tasks to the right specialist from the cross-cloud IaC catalog. Classifies by domain (review, aws-iac, azure-iac, oci-iac, live-guard), dispatches single or parallel (max 4), and enforces live-guard gate for live apply, destroy, or stack mutations.",
3810
+ "source_type": "adapted",
3811
+ "official_docs": [
3812
+ "https://developer.hashicorp.com/terraform/docs",
3813
+ "https://developer.hashicorp.com/terraform/language",
3814
+ "https://developer.hashicorp.com/terraform/cli/commands/plan",
3815
+ "https://developer.hashicorp.com/terraform/cli/commands/apply",
3816
+ "https://registry.terraform.io/providers/hashicorp/aws/latest/docs",
3817
+ "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs",
3818
+ "https://registry.terraform.io/providers/oracle/oci/latest/docs"
3819
+ ],
3820
+ "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live apply, destroy, or stack mutation agents without explicit human confirmation, blast-radius assessment, and rollback path. Terraform destroy is irreversible without state backup.",
3821
+ "last_verified": "2026-04-30",
3822
+ "path": "skills/terraform/terraform-maestro",
3823
+ "author": "github: Raishin",
3824
+ "version": "0.1.0"
3825
+ },
3826
+ {
3827
+ "id": "velero-backup-restore-guard",
3828
+ "name": "Velero Backup/Restore Guard",
3829
+ "type": "skill",
3830
+ "provider": "velero",
3831
+ "harnesses": [
3832
+ "codex",
3833
+ "claude-code",
3834
+ "cursor",
3835
+ "gemini",
3836
+ "kiro",
3837
+ "other"
3838
+ ],
3839
+ "summary": "Live-guard skill for Velero backup schedules, restore operations, BackupStorageLocation changes, and volume snapshots — requiring explicit platform-team sign-off before any mutation.",
3840
+ "source_type": "original",
3841
+ "official_docs": [
3842
+ "https://velero.io/docs/latest/",
3843
+ "https://velero.io/docs/latest/restore-reference/",
3844
+ "https://velero.io/docs/latest/backup-reference/",
3845
+ "https://velero.io/docs/latest/locations/",
3846
+ "https://velero.io/docs/latest/hooks/"
3847
+ ],
3848
+ "security_notes": "Velero restore with existingResourcePolicy:update can overwrite live RBAC resources, Secrets, and ServiceAccounts — equivalent to a partial cluster wipe. BSL credentials with write-only access prevent listing/deleting old backups, causing runaway storage costs. Never proceed with cluster-wide restores without explicit platform-team sign-off.",
3849
+ "last_verified": "2026-05-02",
3850
+ "path": "skills/velero/velero-backup-restore-guard",
3851
+ "version": "0.1.0",
3852
+ "author": "github: Raishin"
2647
3853
  }
2648
3854
  ]