@raishin/vanguard-frontier-agentic 1.1.0 → 1.3.0
- package/README.md +369 -322
- package/agents/AGENTS.md +263 -21
- package/agents/argocd/README.md +46 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
- package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
- package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
- package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
- package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
- package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
- package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
- package/agents/aws/aws-maestro-agent/AGENT.md +55 -0
- package/agents/aws/aws-maestro-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/aws/aws-maestro-agent/harnesses/codex.toml +34 -0
- package/agents/aws/aws-maestro-agent/harnesses/copilot.agent.md +51 -0
- package/agents/aws/aws-maestro-agent/harnesses/cursor.agent.md +40 -0
- package/agents/aws/aws-maestro-agent/harnesses/gemini.agent.md +39 -0
- package/agents/aws/aws-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/aws/aws-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/aws/aws-maestro-agent/metadata.json +37 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
- package/agents/azure/AGENTS.md +26 -0
- package/agents/azure/README.md +45 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/AGENT.md +57 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/PERMISSIONS.md +56 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/PREFLIGHT.md +48 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/ROLLBACK.md +36 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/codex.toml +32 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +36 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/AGENT.md +57 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/PERMISSIONS.md +43 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/PREFLIGHT.md +50 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/ROLLBACK.md +46 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/codex.toml +32 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +35 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/AGENT.md +57 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/PERMISSIONS.md +88 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/PREFLIGHT.md +48 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/ROLLBACK.md +48 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/codex.toml +32 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +36 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/AGENT.md +57 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/PERMISSIONS.md +93 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/PREFLIGHT.md +44 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/ROLLBACK.md +49 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/codex.toml +32 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +36 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/AGENT.md +57 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/PERMISSIONS.md +68 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/PREFLIGHT.md +46 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/ROLLBACK.md +44 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/codex.toml +32 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +36 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/AGENT.md +57 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/PERMISSIONS.md +59 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/PREFLIGHT.md +41 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/ROLLBACK.md +48 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/codex.toml +32 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +36 -0
- package/agents/azure/azure-maestro-agent/AGENT.md +56 -0
- package/agents/azure/azure-maestro-agent/harnesses/claude-code.agent.md +39 -0
- package/agents/azure/azure-maestro-agent/harnesses/codex.toml +14 -0
- package/agents/azure/azure-maestro-agent/harnesses/copilot.agent.md +52 -0
- package/agents/azure/azure-maestro-agent/harnesses/cursor.agent.md +41 -0
- package/agents/azure/azure-maestro-agent/harnesses/gemini.agent.md +40 -0
- package/agents/azure/azure-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/azure/azure-maestro-agent/harnesses/kiro-ide.agent.md +39 -0
- package/agents/azure/azure-maestro-agent/metadata.json +38 -0
- package/agents/backstage/README.md +36 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
- package/agents/cert-manager/README.md +46 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
- package/agents/cilium/README.md +46 -0
- package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
- package/agents/falco/README.md +36 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
- package/agents/finops/AGENTS.md +36 -0
- package/agents/finops/README.md +27 -0
- package/agents/finops/finops-cloud-price-advisor-agent/AGENT.md +58 -0
- package/agents/finops/finops-cloud-price-advisor-agent/PERMISSIONS.md +112 -0
- package/agents/finops/finops-cloud-price-advisor-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/finops/finops-cloud-price-advisor-agent/harnesses/codex.toml +33 -0
- package/agents/finops/finops-cloud-price-advisor-agent/harnesses/copilot.agent.md +53 -0
- package/agents/finops/finops-cloud-price-advisor-agent/harnesses/cursor.agent.md +40 -0
- package/agents/finops/finops-cloud-price-advisor-agent/harnesses/gemini.agent.md +40 -0
- package/agents/finops/finops-cloud-price-advisor-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/finops/finops-cloud-price-advisor-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +38 -0
- package/agents/fluxcd/README.md +39 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
- package/agents/istio/README.md +46 -0
- package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
- package/agents/kubernetes/README.md +143 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +36 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +36 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +36 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +36 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +37 -0
- package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +37 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
- package/agents/kyverno/README.md +46 -0
- package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
- package/agents/oci/AGENTS.md +28 -0
- package/agents/oci/README.md +45 -0
- package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
- package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/AGENT.md +57 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/PERMISSIONS.md +56 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/PREFLIGHT.md +48 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/ROLLBACK.md +50 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/codex.toml +32 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +36 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/AGENT.md +57 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/PERMISSIONS.md +77 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/PREFLIGHT.md +54 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/ROLLBACK.md +53 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/codex.toml +32 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +36 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/AGENT.md +57 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/PERMISSIONS.md +87 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/PREFLIGHT.md +49 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/ROLLBACK.md +44 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/codex.toml +32 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +36 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/AGENT.md +57 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/PERMISSIONS.md +92 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/PREFLIGHT.md +49 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/ROLLBACK.md +47 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/codex.toml +32 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +36 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/AGENT.md +57 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/PERMISSIONS.md +80 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/PREFLIGHT.md +51 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/ROLLBACK.md +45 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/codex.toml +32 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +36 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/AGENT.md +57 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/PERMISSIONS.md +57 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/PREFLIGHT.md +53 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/ROLLBACK.md +49 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/claude-code.agent.md +40 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/codex.toml +32 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/copilot.agent.md +53 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/cursor.agent.md +40 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/gemini.agent.md +40 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/harnesses/kiro-ide.agent.md +40 -0
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +36 -0
- package/agents/oci/oci-maestro-agent/AGENT.md +58 -0
- package/agents/oci/oci-maestro-agent/harnesses/claude-code.agent.md +41 -0
- package/agents/oci/oci-maestro-agent/harnesses/codex.toml +14 -0
- package/agents/oci/oci-maestro-agent/harnesses/copilot.agent.md +54 -0
- package/agents/oci/oci-maestro-agent/harnesses/cursor.agent.md +43 -0
- package/agents/oci/oci-maestro-agent/harnesses/gemini.agent.md +42 -0
- package/agents/oci/oci-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/oci/oci-maestro-agent/harnesses/kiro-ide.agent.md +41 -0
- package/agents/oci/oci-maestro-agent/metadata.json +37 -0
- package/agents/opentelemetry/README.md +37 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
- package/agents/prometheus/README.md +36 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
- package/agents/sigstore/README.md +38 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
- package/agents/terraform/README.md +29 -0
- package/agents/terraform/terraform-maestro-agent/AGENT.md +58 -0
- package/agents/terraform/terraform-maestro-agent/harnesses/claude-code.agent.md +41 -0
- package/agents/terraform/terraform-maestro-agent/harnesses/codex.toml +14 -0
- package/agents/terraform/terraform-maestro-agent/harnesses/copilot.agent.md +54 -0
- package/agents/terraform/terraform-maestro-agent/harnesses/cursor.agent.md +43 -0
- package/agents/terraform/terraform-maestro-agent/harnesses/gemini.agent.md +42 -0
- package/agents/terraform/terraform-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/terraform/terraform-maestro-agent/harnesses/kiro-ide.agent.md +41 -0
- package/agents/terraform/terraform-maestro-agent/metadata.json +38 -0
- package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
- package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
- package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
- package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
- package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
- package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
- package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
- package/agents/terraform/terraform-reviewer/metadata.json +10 -1
- package/agents/velero/README.md +41 -0
- package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
- package/catalog/agents.json +1347 -27
- package/catalog/install-roles.json +455 -0
- package/catalog/skill-manifest.json +1358 -62
- package/catalog/skills.json +1231 -25
- package/package.json +11 -1
- package/scripts/export-marketplace-agents.mjs +129 -10
- package/scripts/gen_azure_live_guards.py +1424 -0
- package/scripts/gen_oci_live_guards.py +1510 -0
- package/scripts/update-catalog-new-agents.py +88 -0
- package/skills/argocd/README.md +30 -0
- package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +40 -0
- package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
- package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
- package/skills/argocd/argocd-gitops-review/SKILL.md +43 -0
- package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
- package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
- package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
- package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
- package/skills/aws/README.md +3 -1
- package/skills/aws/aws-maestro/SKILL.md +47 -0
- package/skills/aws/aws-maestro/metadata.json +28 -0
- package/skills/aws/aws-maestro/references/official-sources.md +24 -0
- package/skills/aws/aws-maestro/references/safety-checklist.md +42 -0
- package/skills/aws/aws-maestro/references/workflow-and-output.md +129 -0
- package/skills/aws/aws-private-ca-issuer-review/SKILL.md +39 -0
- package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
- package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
- package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
- package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
- package/skills/azure/README.md +3 -1
- package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +37 -0
- package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
- package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
- package/skills/azure/azure-live-aks-rollout-guard/SKILL.md +49 -0
- package/skills/azure/azure-live-aks-rollout-guard/metadata.json +27 -0
- package/skills/azure/azure-live-aks-rollout-guard/references/official-sources.md +19 -0
- package/skills/azure/azure-live-aks-rollout-guard/references/permission-model.md +54 -0
- package/skills/azure/azure-live-aks-rollout-guard/references/preflight-commands.md +55 -0
- package/skills/azure/azure-live-aks-rollout-guard/references/rollback-playbook.md +38 -0
- package/skills/azure/azure-live-app-service-slot-swap-guard/SKILL.md +49 -0
- package/skills/azure/azure-live-app-service-slot-swap-guard/metadata.json +26 -0
- package/skills/azure/azure-live-app-service-slot-swap-guard/references/official-sources.md +12 -0
- package/skills/azure/azure-live-app-service-slot-swap-guard/references/permission-model.md +40 -0
- package/skills/azure/azure-live-app-service-slot-swap-guard/references/preflight-commands.md +46 -0
- package/skills/azure/azure-live-app-service-slot-swap-guard/references/rollback-playbook.md +46 -0
- package/skills/azure/azure-live-arm-deployment-stack-guard/SKILL.md +49 -0
- package/skills/azure/azure-live-arm-deployment-stack-guard/metadata.json +27 -0
- package/skills/azure/azure-live-arm-deployment-stack-guard/references/official-sources.md +17 -0
- package/skills/azure/azure-live-arm-deployment-stack-guard/references/permission-model.md +68 -0
- package/skills/azure/azure-live-arm-deployment-stack-guard/references/preflight-commands.md +55 -0
- package/skills/azure/azure-live-arm-deployment-stack-guard/references/rollback-playbook.md +53 -0
- package/skills/azure/azure-live-cost-budget-action-guard/SKILL.md +49 -0
- package/skills/azure/azure-live-cost-budget-action-guard/metadata.json +27 -0
- package/skills/azure/azure-live-cost-budget-action-guard/references/official-sources.md +17 -0
- package/skills/azure/azure-live-cost-budget-action-guard/references/permission-model.md +66 -0
- package/skills/azure/azure-live-cost-budget-action-guard/references/preflight-commands.md +48 -0
- package/skills/azure/azure-live-cost-budget-action-guard/references/rollback-playbook.md +40 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +56 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
- package/skills/azure/azure-live-keyvault-rotation-purge-guard/SKILL.md +49 -0
- package/skills/azure/azure-live-keyvault-rotation-purge-guard/metadata.json +27 -0
- package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/official-sources.md +13 -0
- package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/permission-model.md +64 -0
- package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/preflight-commands.md +48 -0
- package/skills/azure/azure-live-keyvault-rotation-purge-guard/references/rollback-playbook.md +44 -0
- package/skills/azure/azure-live-pim-jit-activation-guard/SKILL.md +49 -0
- package/skills/azure/azure-live-pim-jit-activation-guard/metadata.json +27 -0
- package/skills/azure/azure-live-pim-jit-activation-guard/references/official-sources.md +13 -0
- package/skills/azure/azure-live-pim-jit-activation-guard/references/permission-model.md +56 -0
- package/skills/azure/azure-live-pim-jit-activation-guard/references/preflight-commands.md +46 -0
- package/skills/azure/azure-live-pim-jit-activation-guard/references/rollback-playbook.md +45 -0
- package/skills/azure/azure-maestro/SKILL.md +140 -0
- package/skills/azure/azure-maestro/metadata.json +28 -0
- package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +39 -0
- package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
- package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
- package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +40 -0
- package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
- package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
- package/skills/cilium/README.md +30 -0
- package/skills/cilium/cilium-network-policy-review/SKILL.md +43 -0
- package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
- package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
- package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
- package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
- package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +37 -0
- package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
- package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
- package/skills/finops/README.md +30 -0
- package/skills/finops/finops-cloud-price-advisor/SKILL.md +60 -0
- package/skills/finops/finops-cloud-price-advisor/metadata.json +26 -0
- package/skills/finops/finops-cloud-price-advisor/references/currency-handling.md +100 -0
- package/skills/finops/finops-cloud-price-advisor/references/estimation-workflow.md +145 -0
- package/skills/finops/finops-cloud-price-advisor/references/official-sources.md +64 -0
- package/skills/finops/finops-cloud-price-advisor/references/pricing-apis.md +271 -0
- package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +40 -0
- package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
- package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
- package/skills/istio/README.md +28 -0
- package/skills/istio/istio-ambient-mesh-review/SKILL.md +43 -0
- package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
- package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
- package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
- package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
- package/skills/kubernetes/README.md +30 -0
- package/skills/kubernetes/external-secrets-operator-review/SKILL.md +37 -0
- package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
- package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
- package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +40 -0
- package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
- package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +57 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
- package/skills/kubernetes/kubernetes-maestro/SKILL.md +45 -0
- package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
- package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
- package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
- package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +43 -0
- package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
- package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
- package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
- package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
- package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +38 -0
- package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
- package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
- package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +38 -0
- package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
- package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
- package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
- package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
- package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +43 -0
- package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
- package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
- package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
- package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
- package/skills/kyverno/README.md +30 -0
- package/skills/kyverno/kyverno-policy-review/SKILL.md +43 -0
- package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
- package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
- package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
- package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
- package/skills/oci/README.md +63 -0
- package/skills/oci/oci-certificates-issuer-review/SKILL.md +37 -0
- package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
- package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
- package/skills/oci/oci-live-autonomous-db-lifecycle-guard/SKILL.md +49 -0
- package/skills/oci/oci-live-autonomous-db-lifecycle-guard/metadata.json +27 -0
- package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/official-sources.md +13 -0
- package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/permission-model.md +49 -0
- package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/preflight-commands.md +58 -0
- package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/rollback-playbook.md +44 -0
- package/skills/oci/oci-live-cost-budget-runaway-guard/SKILL.md +49 -0
- package/skills/oci/oci-live-cost-budget-runaway-guard/metadata.json +27 -0
- package/skills/oci/oci-live-cost-budget-runaway-guard/references/official-sources.md +17 -0
- package/skills/oci/oci-live-cost-budget-runaway-guard/references/permission-model.md +59 -0
- package/skills/oci/oci-live-cost-budget-runaway-guard/references/preflight-commands.md +42 -0
- package/skills/oci/oci-live-cost-budget-runaway-guard/references/rollback-playbook.md +44 -0
- package/skills/oci/oci-live-iam-policy-compartment-guard/SKILL.md +49 -0
- package/skills/oci/oci-live-iam-policy-compartment-guard/metadata.json +27 -0
- package/skills/oci/oci-live-iam-policy-compartment-guard/references/official-sources.md +13 -0
- package/skills/oci/oci-live-iam-policy-compartment-guard/references/permission-model.md +71 -0
- package/skills/oci/oci-live-iam-policy-compartment-guard/references/preflight-commands.md +49 -0
- package/skills/oci/oci-live-iam-policy-compartment-guard/references/rollback-playbook.md +62 -0
- package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +57 -0
- package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
- package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
- package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
- package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
- package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
- package/skills/oci/oci-live-oke-rollout-guard/SKILL.md +49 -0
- package/skills/oci/oci-live-oke-rollout-guard/metadata.json +27 -0
- package/skills/oci/oci-live-oke-rollout-guard/references/official-sources.md +18 -0
- package/skills/oci/oci-live-oke-rollout-guard/references/permission-model.md +80 -0
- package/skills/oci/oci-live-oke-rollout-guard/references/preflight-commands.md +55 -0
- package/skills/oci/oci-live-oke-rollout-guard/references/rollback-playbook.md +45 -0
- package/skills/oci/oci-live-resource-manager-stack-guard/SKILL.md +49 -0
- package/skills/oci/oci-live-resource-manager-stack-guard/metadata.json +27 -0
- package/skills/oci/oci-live-resource-manager-stack-guard/references/official-sources.md +12 -0
- package/skills/oci/oci-live-resource-manager-stack-guard/references/permission-model.md +70 -0
- package/skills/oci/oci-live-resource-manager-stack-guard/references/preflight-commands.md +57 -0
- package/skills/oci/oci-live-resource-manager-stack-guard/references/rollback-playbook.md +51 -0
- package/skills/oci/oci-live-vault-key-destruction-guard/SKILL.md +49 -0
- package/skills/oci/oci-live-vault-key-destruction-guard/metadata.json +27 -0
- package/skills/oci/oci-live-vault-key-destruction-guard/references/official-sources.md +13 -0
- package/skills/oci/oci-live-vault-key-destruction-guard/references/permission-model.md +55 -0
- package/skills/oci/oci-live-vault-key-destruction-guard/references/preflight-commands.md +62 -0
- package/skills/oci/oci-live-vault-key-destruction-guard/references/rollback-playbook.md +55 -0
- package/skills/oci/oci-maestro/SKILL.md +163 -0
- package/skills/oci/oci-maestro/metadata.json +27 -0
- package/skills/opentelemetry/README.md +31 -0
- package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +44 -0
- package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
- package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
- package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
- package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
- package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +38 -0
- package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
- package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
- package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +39 -0
- package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
- package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
- package/skills/terraform/README.md +29 -0
- package/skills/terraform/terraform-maestro/SKILL.md +123 -0
- package/skills/terraform/terraform-maestro/metadata.json +30 -0
- package/skills/terraform/terraform-maestro/references/official-sources.md +59 -0
- package/skills/terraform/terraform-maestro/references/safety-checklist.md +53 -0
- package/skills/terraform/terraform-maestro/references/workflow-and-output.md +108 -0
- package/skills/velero/velero-backup-restore-guard/SKILL.md +41 -0
- package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
- package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
- package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
|
@@ -0,0 +1,1510 @@
|
|
|
1
|
+
#!/usr/bin/env python3
|
|
2
|
+
"""Generator: 6 OCI live-guard agents + 6 paired skills."""
|
|
3
|
+
import os, json, textwrap
|
|
4
|
+
|
|
5
|
+
ROOT = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
|
|
6
|
+
DATE = "2026-04-30"
|
|
7
|
+
|
|
8
|
+
AGENTS = [
|
|
9
|
+
{
|
|
10
|
+
"id": "oci-live-resource-manager-stack-guard",
|
|
11
|
+
"name": "OCI Live Resource Manager Stack Guard",
|
|
12
|
+
"summary": "Guard OCI Resource Manager plan, apply, and destroy jobs with drift detection evidence, state-version audit, and stack-lock awareness before any mutation.",
|
|
13
|
+
"focus": "Guard OCI Resource Manager stack plan/apply/destroy jobs by enforcing drift detection evidence, plan-job output review, state-version audit, and explicit approval before any apply or destroy.",
|
|
14
|
+
"codex_role": "resource-manager-stack live operator",
|
|
15
|
+
"skill_desc": "Guard OCI Resource Manager stack plan, apply, and destroy jobs with drift detection, state-version rollback, stack auto-lock awareness, and approval gates.",
|
|
16
|
+
"skill_when": [
|
|
17
|
+
"an OCI Resource Manager stack apply or destroy job must be run against a live environment",
|
|
18
|
+
"drift has been detected on a stack and resolution requires an apply job with human approval",
|
|
19
|
+
"a Resource Manager stack state must be inspected, imported, or rolled back after a partial apply",
|
|
20
|
+
],
|
|
21
|
+
"response_shape": [
|
|
22
|
+
"OCI tenancy and compartment confirmation (oci iam region list + stack OCID evidence)",
|
|
23
|
+
"Drift detection output (oci resource-manager stack detect-drift result)",
|
|
24
|
+
"Plan job output review (create-plan-job logs before approve)",
|
|
25
|
+
"Stack auto-lock status (only one job at a time — Resource Manager enforces this)",
|
|
26
|
+
"Approval status for apply or destroy",
|
|
27
|
+
"Proposed or executed Resource Manager job action",
|
|
28
|
+
"Post-job state verification and open risks (state-version rollback path if apply fails)",
|
|
29
|
+
],
|
|
30
|
+
"official_docs": [
|
|
31
|
+
"https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm",
|
|
32
|
+
"https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/detect-drift.htm",
|
|
33
|
+
"https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/create-job-lock-file.htm",
|
|
34
|
+
"https://docs.oracle.com/en-us/iaas/Content/ResourceManager/home.htm",
|
|
35
|
+
],
|
|
36
|
+
"security_notes": "OCI Resource Manager auto-locks a stack state during job execution. Never approve an apply or destroy job without a plan-job output review and drift detection evidence. Repo write access does not authorize live OCI infrastructure mutations.",
|
|
37
|
+
"permissions_body": textwrap.dedent("""\
|
|
38
|
+
# OCI IAM policy guidance for Resource Manager stack guard
|
|
39
|
+
|
|
40
|
+
## Identity model preference
|
|
41
|
+
|
|
42
|
+
1. Named group in target compartment — never `any-user` or `any-group`
|
|
43
|
+
2. Dynamic group matching the CI/CD runner instance by compartment and tag
|
|
44
|
+
3. Short-lived session token via Instance Principal for automation
|
|
45
|
+
4. Never grant `manage all-resources in tenancy`
|
|
46
|
+
|
|
47
|
+
## OCI IAM verb hierarchy reminder
|
|
48
|
+
|
|
49
|
+
`inspect` ⊂ `read` ⊂ `use` ⊂ `manage`
|
|
50
|
+
|
|
51
|
+
- `inspect` — list-only (no content details)
|
|
52
|
+
- `read` — get + list (read details, no mutation)
|
|
53
|
+
- `use` — limited mutation (no create/terminate)
|
|
54
|
+
- `manage` — full CRUD (create, update, delete)
|
|
55
|
+
|
|
56
|
+
## Baseline read policy (auditors — no mutation rights)
|
|
57
|
+
|
|
58
|
+
```
|
|
59
|
+
Allow group <rms-auditors> to inspect orm-stacks in compartment <prod-compartment>
|
|
60
|
+
Allow group <rms-auditors> to read orm-stacks in compartment <prod-compartment>
|
|
61
|
+
Allow group <rms-auditors> to inspect orm-jobs in compartment <prod-compartment>
|
|
62
|
+
Allow group <rms-auditors> to read orm-jobs in compartment <prod-compartment>
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
## Plan-only policy (can create plan jobs, cannot apply or destroy)
|
|
66
|
+
|
|
67
|
+
```
|
|
68
|
+
Allow group <rms-planners> to use orm-stacks in compartment <prod-compartment>
|
|
69
|
+
Allow group <rms-planners> to use orm-jobs in compartment <prod-compartment>
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
## Full operator policy (apply + destroy — gate with approval workflow)
|
|
73
|
+
|
|
74
|
+
```
|
|
75
|
+
Allow group <rms-operators> to manage orm-stacks in compartment <prod-compartment>
|
|
76
|
+
Allow group <rms-operators> to manage orm-jobs in compartment <prod-compartment>
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
## Dynamic group for CI/CD instance principal
|
|
80
|
+
|
|
81
|
+
```
|
|
82
|
+
Any {instance.compartment.id = '<compartment_ocid>', tag.Operations.Role.value = 'rms-runner'}
|
|
83
|
+
|
|
84
|
+
Allow dynamic-group <rms-runners> to manage orm-stacks in compartment <prod-compartment>
|
|
85
|
+
Allow dynamic-group <rms-runners> to manage orm-jobs in compartment <prod-compartment>
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
## Service-principal policies (Resource Manager service itself)
|
|
89
|
+
|
|
90
|
+
OCI is policy-based IAM: managed services must hold explicit `Allow service ...`
|
|
91
|
+
grants to act on your tenancy. Without these, stack jobs fail with `NotAuthorized`
|
|
92
|
+
even when the human operator is correctly scoped.
|
|
93
|
+
|
|
94
|
+
```
|
|
95
|
+
Allow service ResourceManager to manage orm-stacks in compartment <prod-compartment>
|
|
96
|
+
Allow service ResourceManager to read secret-family in compartment <prod-compartment>
|
|
97
|
+
Allow service ResourceManager to use tag-namespaces in tenancy
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
Add resource-type rights for whatever the stack provisions, e.g.
|
|
101
|
+
`Allow service ResourceManager to manage instance-family in compartment <X>`
|
|
102
|
+
for stacks that create compute. Do not grant `manage all-resources` even to the
|
|
103
|
+
service principal — scope by resource family.
|
|
104
|
+
|
|
105
|
+
## Do not use
|
|
106
|
+
|
|
107
|
+
```
|
|
108
|
+
# FORBIDDEN
|
|
109
|
+
Allow any-user to manage all-resources in tenancy
|
|
110
|
+
Allow group <rms-operators> to manage all-resources in compartment prod
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
Stack auto-lock: Resource Manager allows **only one running job at a time per stack**.
|
|
114
|
+
This is platform-enforced — no additional concurrency control needed.
|
|
115
|
+
"""),
|
|
116
|
+
"preflight_body": textwrap.dedent("""\
|
|
117
|
+
# Resource Manager Stack — Preflight Commands
|
|
118
|
+
|
|
119
|
+
## 1. Confirm identity and region
|
|
120
|
+
|
|
121
|
+
```bash
|
|
122
|
+
oci iam region list --output table
|
|
123
|
+
oci iam user get --user-id <OPERATOR_OCID> --query 'data.name'
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
## 2. Inspect current stack state
|
|
127
|
+
|
|
128
|
+
```bash
|
|
129
|
+
oci resource-manager stack get \\
|
|
130
|
+
--stack-id <STACK_OCID> \\
|
|
131
|
+
--query 'data.{state:"lifecycle-state", updated:"time-updated", terraform:"terraform-version", compartment:"compartment-id"}'
|
|
132
|
+
```
|
|
133
|
+
|
|
134
|
+
## 3. Detect drift (always before apply or destroy)
|
|
135
|
+
|
|
136
|
+
```bash
|
|
137
|
+
oci resource-manager stack detect-drift \\
|
|
138
|
+
--stack-id <STACK_OCID>
|
|
139
|
+
|
|
140
|
+
# List drift details once job completes
|
|
141
|
+
oci resource-manager stack list-resource-drift-details \\
|
|
142
|
+
--stack-id <STACK_OCID>
|
|
143
|
+
```
|
|
144
|
+
|
|
145
|
+
## 4. Create a plan job and review output before any apply
|
|
146
|
+
|
|
147
|
+
```bash
|
|
148
|
+
oci resource-manager job create-plan-job \\
|
|
149
|
+
--stack-id <STACK_OCID> \\
|
|
150
|
+
--display-name "preflight-plan-$(date +%Y%m%dT%H%M%S)"
|
|
151
|
+
|
|
152
|
+
# Retrieve plan logs
|
|
153
|
+
oci resource-manager job get-job-logs \\
|
|
154
|
+
--job-id <PLAN_JOB_OCID> --all
|
|
155
|
+
```
|
|
156
|
+
|
|
157
|
+
Stop and escalate if plan output shows unexpected resource deletions or replacements.
|
|
158
|
+
|
|
159
|
+
## 5. Verify no other job is currently running
|
|
160
|
+
|
|
161
|
+
```bash
|
|
162
|
+
oci resource-manager job list \\
|
|
163
|
+
--compartment-id <COMPARTMENT_OCID> \\
|
|
164
|
+
--stack-id <STACK_OCID> \\
|
|
165
|
+
--lifecycle-state IN_PROGRESS \\
|
|
166
|
+
--query 'data[].{id:id, op:"operation", started:"time-created"}'
|
|
167
|
+
```
|
|
168
|
+
"""),
|
|
169
|
+
"rollback_body": textwrap.dedent("""\
|
|
170
|
+
# Resource Manager Stack — Rollback Playbook
|
|
171
|
+
|
|
172
|
+
Resource Manager auto-locks the stack during jobs — concurrent apply/destroy is
|
|
173
|
+
physically prevented. Rollback options depend on how far the failed apply progressed.
|
|
174
|
+
|
|
175
|
+
## Option 1: Apply previous configuration (re-upload prior config zip)
|
|
176
|
+
|
|
177
|
+
```bash
|
|
178
|
+
oci resource-manager stack update \\
|
|
179
|
+
--stack-id <STACK_OCID> \\
|
|
180
|
+
--config-source-zip-file previous-config.zip
|
|
181
|
+
|
|
182
|
+
oci resource-manager job create-apply-job \\
|
|
183
|
+
--stack-id <STACK_OCID> \\
|
|
184
|
+
--execution-plan-strategy FROM_PLAN_JOB_ID \\
|
|
185
|
+
--execution-plan-job-id <PRIOR_PLAN_JOB_OCID> \\
|
|
186
|
+
--display-name "rollback-apply-$(date +%Y%m%dT%H%M%S)"
|
|
187
|
+
```
|
|
188
|
+
|
|
189
|
+
## Option 2: Import a known-good Terraform state file
|
|
190
|
+
|
|
191
|
+
```bash
|
|
192
|
+
oci resource-manager job create-import-tf-state-job \\
|
|
193
|
+
--stack-id <STACK_OCID> \\
|
|
194
|
+
--tf-state-base64 "$(base64 -i previous.tfstate)"
|
|
195
|
+
```
|
|
196
|
+
|
|
197
|
+
## Option 3: Targeted destroy of newly-created resources only
|
|
198
|
+
|
|
199
|
+
```bash
|
|
200
|
+
oci resource-manager job create-destroy-job \\
|
|
201
|
+
--stack-id <STACK_OCID> \\
|
|
202
|
+
--execution-plan-strategy AUTO_APPROVED \\
|
|
203
|
+
--display-name "targeted-destroy-$(date +%Y%m%dT%H%M%S)"
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
Only use AUTO_APPROVED if human has already reviewed the destroy plan separately.
|
|
207
|
+
|
|
208
|
+
## Monitor rollback job
|
|
209
|
+
|
|
210
|
+
```bash
|
|
211
|
+
oci resource-manager job get \\
|
|
212
|
+
--job-id <JOB_OCID> \\
|
|
213
|
+
--query 'data."lifecycle-state"'
|
|
214
|
+
```
|
|
215
|
+
"""),
|
|
216
|
+
},
|
|
217
|
+
{
|
|
218
|
+
"id": "oci-live-iam-policy-compartment-guard",
|
|
219
|
+
"name": "OCI Live IAM Policy Compartment Guard",
|
|
220
|
+
"summary": "Guard OCI IAM policy changes and dynamic group mutations using verb-hierarchy audit and tag-condition review before write.",
|
|
221
|
+
"focus": "Guard OCI IAM policy changes and dynamic group mutations by auditing verb-hierarchy (inspect < read < use < manage), compartment scope, and tag conditions before any policy write.",
|
|
222
|
+
"codex_role": "iam-policy-compartment live operator",
|
|
223
|
+
"skill_desc": "Guard OCI IAM policy writes and dynamic group changes with verb-hierarchy audit, compartment scope enforcement, anti-pattern detection (any-user/any-group), and rollback via statement restore.",
|
|
224
|
+
"skill_when": [
|
|
225
|
+
"an OCI IAM policy must be created or modified in a compartment or at tenancy root",
|
|
226
|
+
"a dynamic group rule must be changed and blast-radius must be audited before write",
|
|
227
|
+
"an IAM audit finds overly broad policies that must be narrowed with least-privilege verb selection",
|
|
228
|
+
],
|
|
229
|
+
"response_shape": [
|
|
230
|
+
"Compartment and tenancy identity confirmation",
|
|
231
|
+
"Current policy statement inventory (oci iam policy list)",
|
|
232
|
+
"Dynamic group rule audit and matching-instance check",
|
|
233
|
+
"Verb-hierarchy assessment of proposed change (inspect/read/use/manage)",
|
|
234
|
+
"Approval status and anti-pattern scan result (any-user/any-group flag)",
|
|
235
|
+
"Proposed or executed policy write action",
|
|
236
|
+
"Post-write policy verification and open risks",
|
|
237
|
+
],
|
|
238
|
+
"official_docs": [
|
|
239
|
+
"https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm",
|
|
240
|
+
"https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm",
|
|
241
|
+
"https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policysyntax.htm",
|
|
242
|
+
"https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/iampolicyreference.htm",
|
|
243
|
+
],
|
|
244
|
+
"security_notes": "Any-user and any-group policies in tenancy root are the most common OCI security misconfiguration. Never approve manage-verb policies at tenancy scope without compartment scoping. Policy deletes take effect immediately with no grace period.",
|
|
245
|
+
"permissions_body": textwrap.dedent("""\
|
|
246
|
+
# OCI IAM policy for IAM policy compartment guard
|
|
247
|
+
|
|
248
|
+
## Identity model preference
|
|
249
|
+
|
|
250
|
+
1. Named IAM-admin group scoped to an IAM-management compartment
|
|
251
|
+
2. Dual-approval for tenancy-root policy changes (separate writer and approver)
|
|
252
|
+
3. Never use `any-user` or `any-group` for policy management
|
|
253
|
+
4. Tenancy-root policy changes require separate security-team sign-off
|
|
254
|
+
|
|
255
|
+
## Verb hierarchy reference
|
|
256
|
+
|
|
257
|
+
```
|
|
258
|
+
inspect = ListXxx APIs only. No resource content.
|
|
259
|
+
read = GetXxx + inspect. Can see resource details.
|
|
260
|
+
use = read + limited mutation (no create/terminate).
|
|
261
|
+
manage = full CRUD. Always scope to compartment, never tenancy for broad resources.
|
|
262
|
+
```
|
|
263
|
+
|
|
264
|
+
## Audit-only policy
|
|
265
|
+
|
|
266
|
+
```
|
|
267
|
+
Allow group <iam-auditors> to inspect policies in tenancy
|
|
268
|
+
Allow group <iam-auditors> to read policies in tenancy
|
|
269
|
+
Allow group <iam-auditors> to inspect dynamic-groups in tenancy
|
|
270
|
+
Allow group <iam-auditors> to read dynamic-groups in tenancy
|
|
271
|
+
Allow group <iam-auditors> to inspect groups in tenancy
|
|
272
|
+
Allow group <iam-auditors> to read users in tenancy
|
|
273
|
+
```
|
|
274
|
+
|
|
275
|
+
## Policy operator (compartment-scoped write, never tenancy root)
|
|
276
|
+
|
|
277
|
+
```
|
|
278
|
+
Allow group <iam-operators> to manage policies in compartment <iam-compartment>
|
|
279
|
+
where target.policy.name = /iam-managed-*/
|
|
280
|
+
Allow group <iam-operators> to manage dynamic-groups in tenancy
|
|
281
|
+
where target.dynamicGroup.name = /iam-managed-*/
|
|
282
|
+
```
|
|
283
|
+
|
|
284
|
+
`dynamic-groups` are tenancy-scoped in OCI — they cannot be compartment-scoped.
|
|
285
|
+
This is the minimum necessary `manage` at tenancy scope. The `where` name-pattern
|
|
286
|
+
condition restricts which dynamic groups this role can create or modify, preventing
|
|
287
|
+
privilege escalation through creation of an unrestricted dynamic group.
|
|
288
|
+
|
|
289
|
+
**Critical syntax note**: OCI IAM uses **forward-slash regex pattern syntax** `= /pattern*/`
|
|
290
|
+
for wildcard matching, **not** `= 'pattern-*'` (which is exact-string match for the
|
|
291
|
+
literal `pattern-*`). Quoted-string equality in a `where` clause is a no-op security
|
|
292
|
+
control if the operator can choose any name not matching the literal exact value.
|
|
293
|
+
See [Oracle policy conditions docs](https://docs.oracle.com/en-us/iaas/Content/Identity/policysyntax/conditions.htm).
|
|
294
|
+
|
|
295
|
+
## Tag-condition for policy name pattern restriction
|
|
296
|
+
|
|
297
|
+
```
|
|
298
|
+
Allow group <iam-operators> to manage policies in compartment <iam-compartment>
|
|
299
|
+
where target.policy.name = /iam-managed-*/
|
|
300
|
+
```
|
|
301
|
+
|
|
302
|
+
## Tenancy-root admin (third tier — break-glass only)
|
|
303
|
+
|
|
304
|
+
OCI policy-based IAM separates compartment-scoped operators from tenancy-root
|
|
305
|
+
admins. The tenancy-root admin is a **break-glass** identity activated only for
|
|
306
|
+
incidents that require touching tenancy-level policies (e.g., when an
|
|
307
|
+
operator-managed policy would create a cycle or escalation path).
|
|
308
|
+
|
|
309
|
+
```
|
|
310
|
+
Allow group <iam-tenancy-admins> to manage policies in tenancy
|
|
311
|
+
where request.user.mfaTotpVerified = 'true'
|
|
312
|
+
Allow group <iam-tenancy-admins> to manage groups in tenancy
|
|
313
|
+
where target.group.name != 'Administrators'
|
|
314
|
+
```
|
|
315
|
+
|
|
316
|
+
- MFA-TOTP gate enforced at policy-evaluation time (not just login).
|
|
317
|
+
- Cannot modify the `Administrators` group from this role — that requires the
|
|
318
|
+
bootstrap tenancy admin (no automation, no service principal).
|
|
319
|
+
- Membership in `<iam-tenancy-admins>` should be empty by default; add only for
|
|
320
|
+
the duration of an approved change window, then remove.
|
|
321
|
+
|
|
322
|
+
## Do not use
|
|
323
|
+
|
|
324
|
+
```
|
|
325
|
+
# FORBIDDEN
|
|
326
|
+
Allow any-group to manage policies in tenancy
|
|
327
|
+
Allow group <iam-operators> to manage policies in tenancy
|
|
328
|
+
Allow any-user to inspect all-resources in tenancy
|
|
329
|
+
```
|
|
330
|
+
"""),
|
|
331
|
+
"preflight_body": textwrap.dedent("""\
|
|
332
|
+
# IAM Policy Compartment — Preflight Commands
|
|
333
|
+
|
|
334
|
+
## 1. List all policies in target compartment
|
|
335
|
+
|
|
336
|
+
```bash
|
|
337
|
+
oci iam policy list \\
|
|
338
|
+
--compartment-id <COMPARTMENT_OCID> \\
|
|
339
|
+
--all \\
|
|
340
|
+
--query 'data[].{id:id, name:name, statements:statements}' \\
|
|
341
|
+
--output json
|
|
342
|
+
```
|
|
343
|
+
|
|
344
|
+
## 2. Scan for any-user / any-group policies (red-flag detector)
|
|
345
|
+
|
|
346
|
+
```bash
|
|
347
|
+
oci iam policy list \\
|
|
348
|
+
--compartment-id <TENANCY_OCID> \\
|
|
349
|
+
--all \\
|
|
350
|
+
--query 'data[].statements[]' \\
|
|
351
|
+
--output json | grep -i 'any-user\|any-group'
|
|
352
|
+
```
|
|
353
|
+
|
|
354
|
+
Zero results expected. Any hit is a required review item before proceeding.
|
|
355
|
+
|
|
356
|
+
## 3. List dynamic groups and current matching rules
|
|
357
|
+
|
|
358
|
+
```bash
|
|
359
|
+
oci iam dynamic-group list \\
|
|
360
|
+
--compartment-id <TENANCY_OCID> \\
|
|
361
|
+
--all \\
|
|
362
|
+
--query 'data[].{name:name, rule:"matching-rule", id:id}'
|
|
363
|
+
```
|
|
364
|
+
|
|
365
|
+
## 4. Review the specific policy to be changed
|
|
366
|
+
|
|
367
|
+
```bash
|
|
368
|
+
oci iam policy get \\
|
|
369
|
+
--policy-id <POLICY_OCID> \\
|
|
370
|
+
--query 'data.{name:name, statements:statements, version:"version-date"}'
|
|
371
|
+
```
|
|
372
|
+
|
|
373
|
+
## 5. Export current statements as rollback backup (ALWAYS before write)
|
|
374
|
+
|
|
375
|
+
```bash
|
|
376
|
+
oci iam policy get \\
|
|
377
|
+
--policy-id <POLICY_OCID> \\
|
|
378
|
+
--query 'data.statements' > /tmp/policy-backup-$(date +%Y%m%dT%H%M%S).json
|
|
379
|
+
echo "Backup saved. Proceed only after confirming backup is complete."
|
|
380
|
+
```
|
|
381
|
+
"""),
|
|
382
|
+
"rollback_body": textwrap.dedent("""\
|
|
383
|
+
# IAM Policy Compartment — Rollback Playbook
|
|
384
|
+
|
|
385
|
+
## Restore previous policy statements
|
|
386
|
+
|
|
387
|
+
```bash
|
|
388
|
+
# Read backup statements from file saved in preflight step
|
|
389
|
+
PREV_STATEMENTS=$(cat /tmp/policy-backup-<TIMESTAMP>.json)
|
|
390
|
+
|
|
391
|
+
oci iam policy update \\
|
|
392
|
+
--policy-id <POLICY_OCID> \\
|
|
393
|
+
--statements "${PREV_STATEMENTS}" \\
|
|
394
|
+
--version-date $(date +%Y-%m-%d) \\
|
|
395
|
+
--force
|
|
396
|
+
```
|
|
397
|
+
|
|
398
|
+
## Verify policy restored correctly
|
|
399
|
+
|
|
400
|
+
```bash
|
|
401
|
+
oci iam policy get \\
|
|
402
|
+
--policy-id <POLICY_OCID> \\
|
|
403
|
+
--query 'data.{name:name, statements:statements, version:"version-date"}'
|
|
404
|
+
```
|
|
405
|
+
|
|
406
|
+
## Delete a newly-created incorrect policy immediately
|
|
407
|
+
|
|
408
|
+
```bash
|
|
409
|
+
oci iam policy delete \\
|
|
410
|
+
--policy-id <POLICY_OCID> \\
|
|
411
|
+
--force
|
|
412
|
+
```
|
|
413
|
+
|
|
414
|
+
WARNING: policy delete is **immediate and total** — all access granted by the policy
|
|
415
|
+
is revoked the moment the delete completes. This can cause service outages if the policy
|
|
416
|
+
granted runtime access to compute or database resources. Confirm blast radius before delete.
|
|
417
|
+
|
|
418
|
+
## Disable a dynamic group (remove matching rule to prevent new matches)
|
|
419
|
+
|
|
420
|
+
```bash
|
|
421
|
+
oci iam dynamic-group update \\
|
|
422
|
+
--dynamic-group-id <DG_OCID> \\
|
|
423
|
+
--matching-rule "None {instance.id = 'ocid1.instance.oc1.PLACEHOLDER'}"
|
|
424
|
+
```
|
|
425
|
+
|
|
426
|
+
This effectively empties the group without deleting it.
|
|
427
|
+
"""),
|
|
428
|
+
},
|
|
429
|
+
{
|
|
430
|
+
"id": "oci-live-oke-rollout-guard",
|
|
431
|
+
"name": "OCI Live OKE Rollout Guard",
|
|
432
|
+
"summary": "Guard OKE deployment rollouts through DevOps Service pipeline approval stages with blue-green and canary evidence, and kubectl rollout pause or undo gate.",
|
|
433
|
+
"focus": "Guard OCI Kubernetes Engine deployment rollouts through DevOps Service pipeline approval stages, enforcing blue-green or canary evidence, kubectl rollout health checks, and explicit undo or advance decision.",
|
|
434
|
+
"codex_role": "oke-rollout live operator",
|
|
435
|
+
"skill_desc": "Guard OKE deployment rollouts via DevOps Service approval stages with canary and blue-green evidence, rollout health verification, and kubectl rollout undo gates.",
|
|
436
|
+
"skill_when": [
|
|
437
|
+
"an OKE deployment rollout must advance through a DevOps Service pipeline approval stage",
|
|
438
|
+
"a blue-green or canary OKE deployment is in flight and the operator must decide to promote or rollback",
|
|
439
|
+
"a kubectl rollout is paused on a live OKE cluster and an undo or resume decision is required",
|
|
440
|
+
],
|
|
441
|
+
"response_shape": [
|
|
442
|
+
"OKE cluster identity and DevOps pipeline confirmation",
|
|
443
|
+
"Current rollout status and PDB health (kubectl rollout status + get pdb)",
|
|
444
|
+
"DevOps pipeline stage and approval gate status",
|
|
445
|
+
"Blue-green or canary traffic split evidence",
|
|
446
|
+
"Approval status for advance, pause, or undo",
|
|
447
|
+
"Proposed or executed rollout action",
|
|
448
|
+
"Post-rollout pod health and service endpoint verification",
|
|
449
|
+
],
|
|
450
|
+
"official_docs": [
|
|
451
|
+
"https://docs.oracle.com/en-us/iaas/Content/devops/using/deploy_oke.htm",
|
|
452
|
+
"https://docs.oracle.com/en-us/iaas/Content/devops/using/bgoke_deploy.htm",
|
|
453
|
+
"https://docs.oracle.com/en-us/iaas/Content/devops/using/canaryoke_deploy.htm",
|
|
454
|
+
"https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengoverview.htm",
|
|
455
|
+
],
|
|
456
|
+
"security_notes": "Never advance an OKE rollout past an approval stage without rollout status and PDB health evidence. kubectl rollout undo is irreversible in the sense that the prior version may not be identical to the deployed artifact — confirm target revision before undo.",
|
|
457
|
+
"permissions_body": textwrap.dedent("""\
|
|
458
|
+
# OCI IAM policy for OKE rollout guard
|
|
459
|
+
|
|
460
|
+
## Identity model preference
|
|
461
|
+
|
|
462
|
+
1. DevOps Service pipeline with explicit approval stage — human must approve before deploy
|
|
463
|
+
2. OKE cluster RBAC (Kubernetes-native) for in-cluster operations, not IAM only
|
|
464
|
+
3. Separate read-only and deploy-operator groups at compartment scope
|
|
465
|
+
|
|
466
|
+
## OKE cluster read (no deploy rights)
|
|
467
|
+
|
|
468
|
+
```
|
|
469
|
+
Allow group <oke-auditors> to read clusters in compartment <prod-compartment>
|
|
470
|
+
Allow group <oke-auditors> to read cluster-node-pools in compartment <prod-compartment>
|
|
471
|
+
```
|
|
472
|
+
|
|
473
|
+
## DevOps pipeline read + deployment use
|
|
474
|
+
|
|
475
|
+
```
|
|
476
|
+
Allow group <oke-operators> to read devops-pipelines in compartment <prod-compartment>
|
|
477
|
+
Allow group <oke-operators> to read devops-deployments in compartment <prod-compartment>
|
|
478
|
+
Allow group <oke-operators> to use devops-deployments in compartment <prod-compartment>
|
|
479
|
+
```
|
|
480
|
+
|
|
481
|
+
## OKE admin for rollback (use, NOT manage — cannot delete clusters)
|
|
482
|
+
|
|
483
|
+
```
|
|
484
|
+
Allow group <oke-admins> to use clusters in compartment <prod-compartment>
|
|
485
|
+
Allow group <oke-admins> to manage cluster-node-pools in compartment <prod-compartment>
|
|
486
|
+
```
|
|
487
|
+
|
|
488
|
+
## DevOps service dynamic group (pipeline automation)
|
|
489
|
+
|
|
490
|
+
```
|
|
491
|
+
Allow dynamic-group <devops-pipeline-runners> to use cluster in compartment <prod-compartment>
|
|
492
|
+
Allow dynamic-group <devops-pipeline-runners> to manage cluster-node-pools in compartment <prod-compartment>
|
|
493
|
+
```
|
|
494
|
+
|
|
495
|
+
`use cluster` (not `manage cluster`) for the pipeline dynamic group: `manage` grants
|
|
496
|
+
cluster termination rights, which must never be automated. Node pool management
|
|
497
|
+
(`manage cluster-node-pools`) covers rolling updates, scaling, and version upgrades
|
|
498
|
+
without exposing cluster deletion.
|
|
499
|
+
|
|
500
|
+
## Service-principal policies (OKE + DevOps services)
|
|
501
|
+
|
|
502
|
+
OCI is policy-based IAM: the OKE control plane and the DevOps pipeline service
|
|
503
|
+
each need their own `Allow service ...` grants. Without these, node pool scaling
|
|
504
|
+
and pipeline execution fail with `NotAuthorized` even when human operators are
|
|
505
|
+
correctly scoped.
|
|
506
|
+
|
|
507
|
+
```
|
|
508
|
+
Allow service OKE to manage cluster-node-pools in compartment <prod-compartment>
|
|
509
|
+
Allow service OKE to use virtual-network-family in compartment <prod-compartment>
|
|
510
|
+
Allow service OKE to manage instance-family in compartment <prod-compartment>
|
|
511
|
+
where target.resource.tag.Operations.OkeManaged.value = 'true'
|
|
512
|
+
|
|
513
|
+
Allow service devops to use ons-topics in compartment <prod-compartment>
|
|
514
|
+
Allow service devops to manage repos in compartment <prod-compartment>
|
|
515
|
+
Allow service devops to read secret-family in compartment <prod-compartment>
|
|
516
|
+
```
|
|
517
|
+
|
|
518
|
+
The `OkeManaged = 'true'` tag condition prevents OKE from acting on instances
|
|
519
|
+
that are not part of a managed node pool — an extra least-privilege guard on
|
|
520
|
+
the service principal itself.
|
|
521
|
+
|
|
522
|
+
## Do not use
|
|
523
|
+
|
|
524
|
+
```
|
|
525
|
+
# FORBIDDEN
|
|
526
|
+
Allow group <oke-operators> to manage clusters in compartment prod
|
|
527
|
+
# "manage" allows cluster termination — use "use" for operators
|
|
528
|
+
Allow dynamic-group <all-instances> to manage all-resources in compartment prod
|
|
529
|
+
```
|
|
530
|
+
|
|
531
|
+
## Kubernetes RBAC (in-cluster)
|
|
532
|
+
|
|
533
|
+
Bind the OKE operator's OCID to a namespace-scoped Role, not ClusterRole:
|
|
534
|
+
|
|
535
|
+
```yaml
|
|
536
|
+
rules:
|
|
537
|
+
- apiGroups: ["apps"]
|
|
538
|
+
resources: ["deployments", "replicasets"]
|
|
539
|
+
verbs: ["get", "list", "watch", "patch", "update"]
|
|
540
|
+
- apiGroups: [""]
|
|
541
|
+
resources: ["pods", "pods/log", "services"]
|
|
542
|
+
verbs: ["get", "list", "watch"]
|
|
543
|
+
- apiGroups: ["policy"]
|
|
544
|
+
resources: ["poddisruptionbudgets"]
|
|
545
|
+
verbs: ["get", "list"]
|
|
546
|
+
```
|
|
547
|
+
"""),
|
|
548
|
+
"preflight_body": textwrap.dedent("""\
|
|
549
|
+
# OKE Rollout — Preflight Commands
|
|
550
|
+
|
|
551
|
+
## 1. Confirm OKE cluster state
|
|
552
|
+
|
|
553
|
+
```bash
|
|
554
|
+
oci ce cluster get \\
|
|
555
|
+
--cluster-id <CLUSTER_OCID> \\
|
|
556
|
+
--query 'data.{name:name, state:"lifecycle-state", version:"kubernetes-version", endpoint:endpoints}'
|
|
557
|
+
```
|
|
558
|
+
|
|
559
|
+
## 2. Check DevOps pipeline status
|
|
560
|
+
|
|
561
|
+
```bash
|
|
562
|
+
oci devops deploy-pipeline get \\
|
|
563
|
+
--pipeline-id <PIPELINE_OCID> \\
|
|
564
|
+
--query 'data.{name:name, state:"lifecycle-state"}'
|
|
565
|
+
|
|
566
|
+
# List deployment stages with types
|
|
567
|
+
oci devops deploy-stage list \\
|
|
568
|
+
--pipeline-id <PIPELINE_OCID> \\
|
|
569
|
+
--query 'data.items[].{name:"display-name", type:"deploy-stage-type", id:id}'
|
|
570
|
+
```
|
|
571
|
+
|
|
572
|
+
## 3. Fetch kubeconfig and confirm context
|
|
573
|
+
|
|
574
|
+
```bash
|
|
575
|
+
oci ce cluster create-kubeconfig \\
|
|
576
|
+
--cluster-id <CLUSTER_OCID> \\
|
|
577
|
+
--file $HOME/.kube/oci-prod-config \\
|
|
578
|
+
--region <REGION> \\
|
|
579
|
+
--token-version 2.0.0
|
|
580
|
+
export KUBECONFIG=$HOME/.kube/oci-prod-config
|
|
581
|
+
kubectl config current-context
|
|
582
|
+
```
|
|
583
|
+
|
|
584
|
+
## 4. Audit rollout strategy and PDB
|
|
585
|
+
|
|
586
|
+
```bash
|
|
587
|
+
kubectl rollout status deployment/<DEPLOY_NAME> -n <NAMESPACE> --timeout=30s || true
|
|
588
|
+
kubectl get pdb -n <NAMESPACE> -o wide
|
|
589
|
+
kubectl describe deployment <DEPLOY_NAME> -n <NAMESPACE> | grep -A 5 "RollingUpdateStrategy"
|
|
590
|
+
```
|
|
591
|
+
|
|
592
|
+
## 5. Blue-green: confirm stable service selector before swap
|
|
593
|
+
|
|
594
|
+
```bash
|
|
595
|
+
kubectl get svc <SERVICE_NAME> -n <NAMESPACE> \\
|
|
596
|
+
-o jsonpath='{.spec.selector}' | python3 -m json.tool
|
|
597
|
+
```
|
|
598
|
+
"""),
|
|
599
|
+
"rollback_body": textwrap.dedent("""\
|
|
600
|
+
# OKE Rollout — Rollback Playbook
|
|
601
|
+
|
|
602
|
+
## Option 1: kubectl rollback (in-cluster, immediate)
|
|
603
|
+
|
|
604
|
+
```bash
|
|
605
|
+
kubectl rollout undo deployment/<DEPLOY_NAME> -n <NAMESPACE>
|
|
606
|
+
kubectl rollout status deployment/<DEPLOY_NAME> -n <NAMESPACE>
|
|
607
|
+
```
|
|
608
|
+
|
|
609
|
+
## Option 2: Blue-green — switch service selector back to stable
|
|
610
|
+
|
|
611
|
+
```bash
|
|
612
|
+
kubectl patch service <SERVICE_NAME> -n <NAMESPACE> \\
|
|
613
|
+
-p '{"spec":{"selector":{"version":"<STABLE_VERSION>"}}}'
|
|
614
|
+
|
|
615
|
+
# Confirm traffic is on stable
|
|
616
|
+
kubectl get svc <SERVICE_NAME> -n <NAMESPACE> -o jsonpath='{.spec.selector}'
|
|
617
|
+
```
|
|
618
|
+
|
|
619
|
+
## Option 3: OCI DevOps — re-run previous successful deployment
|
|
620
|
+
|
|
621
|
+
```bash
|
|
622
|
+
# Find last successful deployment
|
|
623
|
+
oci devops deployment list \\
|
|
624
|
+
--pipeline-id <PIPELINE_OCID> \\
|
|
625
|
+
--query 'data.items[?contains("lifecycle-state", `SUCCEEDED`)][0].id'
|
|
626
|
+
|
|
627
|
+
oci devops deployment create-single-deploy-stage-deployment \\
|
|
628
|
+
--deploy-pipeline-id <PIPELINE_OCID> \\
|
|
629
|
+
--deploy-stage-id <STABLE_STAGE_OCID> \\
|
|
630
|
+
--display-name "rollback-$(date +%Y%m%dT%H%M%S)"
|
|
631
|
+
```
|
|
632
|
+
|
|
633
|
+
## Option 4: Node pool scale-down (if node-level instability is the root cause)
|
|
634
|
+
|
|
635
|
+
```bash
|
|
636
|
+
oci ce node-pool update \\
|
|
637
|
+
--node-pool-id <NODE_POOL_OCID> \\
|
|
638
|
+
--node-config-details '{"size": <PREVIOUS_SIZE>}'
|
|
639
|
+
```
|
|
640
|
+
|
|
641
|
+
## Verify
|
|
642
|
+
|
|
643
|
+
```bash
|
|
644
|
+
kubectl get pods -n <NAMESPACE> -l app=<APP_LABEL>
|
|
645
|
+
kubectl top pods -n <NAMESPACE>
|
|
646
|
+
```
|
|
647
|
+
"""),
|
|
648
|
+
},
|
|
649
|
+
{
|
|
650
|
+
"id": "oci-live-autonomous-db-lifecycle-guard",
|
|
651
|
+
"name": "OCI Live Autonomous DB Lifecycle Guard",
|
|
652
|
+
"summary": "Guard Autonomous Database scale, start, stop, clone, and terminate operations with protection-tag check, wallet backup, and connection-string audit before any lifecycle mutation.",
|
|
653
|
+
"focus": "Guard OCI Autonomous Database lifecycle operations (scale, start, stop, clone, terminate) by verifying protection tags, wallet and backup state, and connection-string impact before any mutation.",
|
|
654
|
+
"codex_role": "autonomous-db-lifecycle live operator",
|
|
655
|
+
"skill_desc": "Guard Autonomous Database lifecycle changes — scale, start, stop, clone, terminate — with protection-tag enforcement, backup verification, and connection-string impact analysis before any mutation.",
|
|
656
|
+
"skill_when": [
|
|
657
|
+
"an Autonomous Database must be scaled, started, stopped, cloned, or terminated against a live OCI environment",
|
|
658
|
+
"a protection tag must be audited before a lifecycle operation that could cause data loss or outage",
|
|
659
|
+
"an Autonomous Database backup or wallet must be confirmed before a scale or clone operation",
|
|
660
|
+
],
|
|
661
|
+
"response_shape": [
|
|
662
|
+
"Autonomous Database identity and current lifecycle state",
|
|
663
|
+
"Protection tag audit (defined tags and freeform tags for deletion guard)",
|
|
664
|
+
"Backup inventory and most recent completed backup timestamp",
|
|
665
|
+
"Connection string and consumer group impact assessment",
|
|
666
|
+
"Approval status for the requested lifecycle operation",
|
|
667
|
+
"Proposed or executed lifecycle action",
|
|
668
|
+
"Post-operation state verification and open risks (non-reversible operations listed)",
|
|
669
|
+
],
|
|
670
|
+
"official_docs": [
|
|
671
|
+
"https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbscaling.htm",
|
|
672
|
+
"https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbstopstart.htm",
|
|
673
|
+
"https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbcloning.htm",
|
|
674
|
+
"https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbbackingup.htm",
|
|
675
|
+
],
|
|
676
|
+
"security_notes": "ADB termination is permanent — the database and all backups are deleted. Always verify protection tags before any terminate operation. ADB storage scale-up cannot be reversed. Termination blocked by defined-tag protection requires explicit tag removal approval.",
|
|
677
|
+
"permissions_body": textwrap.dedent("""\
|
|
678
|
+
# OCI IAM policy for Autonomous DB lifecycle guard
|
|
679
|
+
|
|
680
|
+
## Identity model preference
|
|
681
|
+
|
|
682
|
+
1. Separate groups for readers, operators (start/stop/scale), and admins (clone/terminate)
|
|
683
|
+
2. `use` verb for operators — prevents terminate and clone
|
|
684
|
+
3. `manage` with tag condition for admins — allows terminate only when protection tag is absent
|
|
685
|
+
4. Defined-tag namespace for protection tagging (use a protected namespace, not freeform)
|
|
686
|
+
|
|
687
|
+
## Baseline read (no mutation)
|
|
688
|
+
|
|
689
|
+
```
|
|
690
|
+
Allow group <adb-auditors> to inspect autonomous-databases in compartment <prod-db-compartment>
|
|
691
|
+
Allow group <adb-auditors> to read autonomous-databases in compartment <prod-db-compartment>
|
|
692
|
+
Allow group <adb-auditors> to read autonomous-database-backups in compartment <prod-db-compartment>
|
|
693
|
+
```
|
|
694
|
+
|
|
695
|
+
## Operations — start, stop, scale (use verb, no terminate/clone)
|
|
696
|
+
|
|
697
|
+
```
|
|
698
|
+
Allow group <adb-operators> to use autonomous-databases in compartment <prod-db-compartment>
|
|
699
|
+
```
|
|
700
|
+
|
|
701
|
+
With `use` the operator can: start, stop, scale CPU/storage, generate wallet.
|
|
702
|
+
The operator CANNOT: terminate, clone to new, change network-access type.
|
|
703
|
+
|
|
704
|
+
## Admin — clone and terminate (manage + tag condition)
|
|
705
|
+
|
|
706
|
+
```
|
|
707
|
+
Allow group <adb-admins> to manage autonomous-databases in compartment <prod-db-compartment>
|
|
708
|
+
where target.resource.tag.Operations.Lifecycle.value != 'protected'
|
|
709
|
+
```
|
|
710
|
+
|
|
711
|
+
Tag condition: `manage` verbs only succeed if the ADB's defined tag
|
|
712
|
+
`Operations.Lifecycle` is NOT set to `protected`. Set this tag on all production ADBs
|
|
713
|
+
in a protected tag namespace (so only tag-namespace admins can remove it).
|
|
714
|
+
|
|
715
|
+
> **IRREVERSIBILITY WARNING — read before granting `manage`:**
|
|
716
|
+
>
|
|
717
|
+
> - **Termination** is permanent. OCI does not recover terminated ADB instances.
|
|
718
|
+
> The 60-day automatic backup retention window expires; after that, no recovery path exists.
|
|
719
|
+
> - **Storage scale-up** (`ocpuCount` or `dataStorageSizeInTBs` increase) cannot be reversed.
|
|
720
|
+
> You can scale CPU down, but storage can only grow — never shrink.
|
|
721
|
+
> - Both operations must require dual-sign-off and a confirmed maintenance window
|
|
722
|
+
> before this role is used. The tag-condition gate is a necessary but insufficient control.
|
|
723
|
+
|
|
724
|
+
## Do not use
|
|
725
|
+
|
|
726
|
+
```
|
|
727
|
+
# FORBIDDEN
|
|
728
|
+
Allow group <adb-operators> to manage autonomous-databases in tenancy
|
|
729
|
+
Allow any-user to use autonomous-databases in compartment prod-db
|
|
730
|
+
```
|
|
731
|
+
"""),
|
|
732
|
+
"preflight_body": textwrap.dedent("""\
|
|
733
|
+
# Autonomous DB Lifecycle — Preflight Commands
|
|
734
|
+
|
|
735
|
+
## 1. Get ADB state and confirm target
|
|
736
|
+
|
|
737
|
+
```bash
|
|
738
|
+
oci db autonomous-database get \\
|
|
739
|
+
--autonomous-database-id <ADB_OCID> \\
|
|
740
|
+
--query 'data.{name:"display-name", state:"lifecycle-state", cpu:"cpu-core-count", storage:"data-storage-size-in-tbs", version:"db-version", workload:"db-workload"}'
|
|
741
|
+
```
|
|
742
|
+
|
|
743
|
+
## 2. Audit protection tags (CRITICAL — check before any lifecycle op)
|
|
744
|
+
|
|
745
|
+
```bash
|
|
746
|
+
oci db autonomous-database get \\
|
|
747
|
+
--autonomous-database-id <ADB_OCID> \\
|
|
748
|
+
--query 'data.{definedTags:"defined-tags", freeformTags:"freeform-tags"}'
|
|
749
|
+
```
|
|
750
|
+
|
|
751
|
+
Stop if `Operations.Lifecycle = protected` is set on a defined-tag namespace.
|
|
752
|
+
Do not proceed with terminate or clone without explicit tag-removal approval.
|
|
753
|
+
|
|
754
|
+
## 3. Confirm recent backup exists
|
|
755
|
+
|
|
756
|
+
```bash
|
|
757
|
+
oci db autonomous-database-backup list \\
|
|
758
|
+
--autonomous-database-id <ADB_OCID> \\
|
|
759
|
+
--all \\
|
|
760
|
+
--query 'data[0:5].{id:id, type:type, state:"lifecycle-state", ended:"time-ended"}' \\
|
|
761
|
+
--output table
|
|
762
|
+
```
|
|
763
|
+
|
|
764
|
+
Fail-fast if no ACTIVE backup exists within RPO window before scale or stop operations.
|
|
765
|
+
|
|
766
|
+
## 4. Audit connection strings and consumer groups
|
|
767
|
+
|
|
768
|
+
```bash
|
|
769
|
+
oci db autonomous-database get \\
|
|
770
|
+
--autonomous-database-id <ADB_OCID> \\
|
|
771
|
+
--query 'data."connection-strings".{high:high, medium:medium, low:low}'
|
|
772
|
+
```
|
|
773
|
+
|
|
774
|
+
## 5. Check data guard and APEX linkage (termination blockers)
|
|
775
|
+
|
|
776
|
+
```bash
|
|
777
|
+
oci db autonomous-database get \\
|
|
778
|
+
--autonomous-database-id <ADB_OCID> \\
|
|
779
|
+
--query 'data.{dataGuard:"is-data-guard-enabled", autoScaling:"is-auto-scaling-enabled", apex:"apex-details"}'
|
|
780
|
+
```
|
|
781
|
+
"""),
|
|
782
|
+
"rollback_body": textwrap.dedent("""\
|
|
783
|
+
# Autonomous DB Lifecycle — Rollback Playbook
|
|
784
|
+
|
|
785
|
+
## Start a stopped ADB (fastest recovery from accidental stop)
|
|
786
|
+
|
|
787
|
+
```bash
|
|
788
|
+
oci db autonomous-database start \\
|
|
789
|
+
--autonomous-database-id <ADB_OCID>
|
|
790
|
+
|
|
791
|
+
# Wait for AVAILABLE state
|
|
792
|
+
oci db autonomous-database get \\
|
|
793
|
+
--autonomous-database-id <ADB_OCID> \\
|
|
794
|
+
--query 'data."lifecycle-state"'
|
|
795
|
+
```
|
|
796
|
+
|
|
797
|
+
## Scale CPU back to previous count (scale-down is supported)
|
|
798
|
+
|
|
799
|
+
```bash
|
|
800
|
+
oci db autonomous-database update \\
|
|
801
|
+
--autonomous-database-id <ADB_OCID> \\
|
|
802
|
+
--cpu-core-count <PREVIOUS_CPU_COUNT>
|
|
803
|
+
```
|
|
804
|
+
|
|
805
|
+
WARNING: **Storage scale-up cannot be reversed on ADB.** Verify storage size before
|
|
806
|
+
scaling up — there is no reduce path once committed.
|
|
807
|
+
|
|
808
|
+
## Restore from backup after data-level issue
|
|
809
|
+
|
|
810
|
+
```bash
|
|
811
|
+
# Point-in-time recovery
|
|
812
|
+
oci db autonomous-database restore \\
|
|
813
|
+
--autonomous-database-id <ADB_OCID> \\
|
|
814
|
+
--timestamp "2026-04-29T10:00:00.000Z"
|
|
815
|
+
```
|
|
816
|
+
|
|
817
|
+
## Clone-to-new for investigation (non-destructive)
|
|
818
|
+
|
|
819
|
+
```bash
|
|
820
|
+
oci db autonomous-database create-from-clone \\
|
|
821
|
+
--compartment-id <COMPARTMENT_OCID> \\
|
|
822
|
+
--db-name "<CLONE_NAME>" \\
|
|
823
|
+
--source-id <ADB_OCID> \\
|
|
824
|
+
--clone-type FULL
|
|
825
|
+
```
|
|
826
|
+
|
|
827
|
+
## CANNOT ROLL BACK
|
|
828
|
+
|
|
829
|
+
- **Terminated ADB**: database and all backups are permanently deleted.
|
|
830
|
+
No OCI Support recovery path exists.
|
|
831
|
+
- **Storage scale-up**: ADB storage can only grow, never shrink.
|
|
832
|
+
- **Prevention**: always verify `Operations.Lifecycle = protected` tag is set on prod ADBs.
|
|
833
|
+
"""),
|
|
834
|
+
},
|
|
835
|
+
{
|
|
836
|
+
"id": "oci-live-vault-key-destruction-guard",
|
|
837
|
+
"name": "OCI Live Vault Key Destruction Guard",
|
|
838
|
+
"summary": "Guard OCI Vault master encryption key scheduled-deletion and HSM key rotation, refusing deletion without reviewing data associations and confirming the destruction window.",
|
|
839
|
+
"focus": "Guard OCI Vault master encryption key scheduled-deletion and HSM rotation by auditing all data associations, key-usage references, and confirming the deletion window before any destruction scheduling.",
|
|
840
|
+
"codex_role": "vault-key-destruction live operator",
|
|
841
|
+
"skill_desc": "Guard Vault master encryption key scheduled-deletion and HSM rotation with data-association audits, key-usage reference checks, deletion-window enforcement, and cancellation playbooks.",
|
|
842
|
+
"skill_when": [
|
|
843
|
+
"an OCI Vault master encryption key must be scheduled for deletion or rotated to a new version",
|
|
844
|
+
"a key scheduled for deletion must be cancelled before the destruction window expires",
|
|
845
|
+
"an HSM-backed key usage must be audited before any key version lifecycle change",
|
|
846
|
+
],
|
|
847
|
+
"response_shape": [
|
|
848
|
+
"Vault and key identity confirmation (protection mode: HSM vs SOFTWARE)",
|
|
849
|
+
"Key version inventory and current active version",
|
|
850
|
+
"Data association audit (resources encrypted by this key version)",
|
|
851
|
+
"Deletion window confirmation (minimum 7 days, default 30 days)",
|
|
852
|
+
"Approval status for key rotation or deletion scheduling",
|
|
853
|
+
"Proposed or executed vault key action",
|
|
854
|
+
"Post-action state and irreversibility warning (point-of-no-return explicitly stated)",
|
|
855
|
+
],
|
|
856
|
+
"official_docs": [
|
|
857
|
+
"https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/deletingkeys.htm",
|
|
858
|
+
"https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/rotatingkeys.htm",
|
|
859
|
+
"https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm",
|
|
860
|
+
"https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys.htm",
|
|
861
|
+
],
|
|
862
|
+
"security_notes": "After the scheduled deletion window expires, HSM-backed keys are cryptographically wiped. All data encrypted exclusively by that key version is permanently unrecoverable. Recovery SLA from OCI Support: NONE. Always use a 30-day window and audit data associations before scheduling.",
|
|
863
|
+
"permissions_body": textwrap.dedent("""\
|
|
864
|
+
# OCI IAM policy for Vault key destruction guard
|
|
865
|
+
|
|
866
|
+
## Identity model preference
|
|
867
|
+
|
|
868
|
+
1. Separate groups for key auditors, key rotation operators, and key destruction admins
|
|
869
|
+
2. `use` verb for rotation operators — creates new key versions, cannot schedule deletion
|
|
870
|
+
3. `manage` for key destruction admins, restricted by tag condition (deletable tag required)
|
|
871
|
+
4. Dual-control: key deletion requires a second approver group confirmation
|
|
872
|
+
|
|
873
|
+
## Key audit policy (read only, no mutation)
|
|
874
|
+
|
|
875
|
+
```
|
|
876
|
+
Allow group <vault-auditors> to inspect vaults in compartment <prod-vault-compartment>
|
|
877
|
+
Allow group <vault-auditors> to read vaults in compartment <prod-vault-compartment>
|
|
878
|
+
Allow group <vault-auditors> to read keys in compartment <prod-vault-compartment>
|
|
879
|
+
Allow group <vault-auditors> to inspect key-versions in compartment <prod-vault-compartment>
|
|
880
|
+
```
|
|
881
|
+
|
|
882
|
+
## Key rotation (use verb — new versions only, no deletion scheduling)
|
|
883
|
+
|
|
884
|
+
```
|
|
885
|
+
Allow group <vault-key-operators> to use keys in compartment <prod-vault-compartment>
|
|
886
|
+
Allow group <vault-key-operators> to use key-delegate in compartment <prod-vault-compartment>
|
|
887
|
+
```
|
|
888
|
+
|
|
889
|
+
With `use` the operator can: create new key versions, enable/disable key versions.
|
|
890
|
+
The operator CANNOT: schedule key deletion, delete the key, import key material.
|
|
891
|
+
|
|
892
|
+
## Key destruction (manage + tag condition — only for approved-deletable keys)
|
|
893
|
+
|
|
894
|
+
```
|
|
895
|
+
Allow group <vault-key-admins> to manage keys in compartment <prod-vault-compartment>
|
|
896
|
+
where target.resource.tag.Lifecycle.Deletable.value = 'approved'
|
|
897
|
+
```
|
|
898
|
+
|
|
899
|
+
The `Lifecycle.Deletable = approved` tag must be set in a protected tag namespace.
|
|
900
|
+
Production keys should never have this tag set unless they are actively being retired.
|
|
901
|
+
|
|
902
|
+
## CRITICAL timing note
|
|
903
|
+
|
|
904
|
+
```
|
|
905
|
+
Minimum deletion window: 7 days
|
|
906
|
+
Recommended deletion window: 30 days
|
|
907
|
+
Cancel deadline: any time BEFORE time-of-deletion passes
|
|
908
|
+
After deletion: PERMANENT. No recovery. No OCI Support escalation path.
|
|
909
|
+
```
|
|
910
|
+
|
|
911
|
+
## Do not use
|
|
912
|
+
|
|
913
|
+
```
|
|
914
|
+
# FORBIDDEN
|
|
915
|
+
Allow group <vault-operators> to manage all-resources in compartment prod-vault
|
|
916
|
+
Allow any-user to manage keys in tenancy
|
|
917
|
+
```
|
|
918
|
+
"""),
|
|
919
|
+
"preflight_body": textwrap.dedent("""\
|
|
920
|
+
# Vault Key Destruction — Preflight Commands
|
|
921
|
+
|
|
922
|
+
## 1. Get key metadata and protection mode
|
|
923
|
+
|
|
924
|
+
```bash
|
|
925
|
+
oci kms management key get \\
|
|
926
|
+
--key-id <KEY_OCID> \\
|
|
927
|
+
--endpoint <VAULT_MANAGEMENT_ENDPOINT> \\
|
|
928
|
+
--query 'data.{name:"display-name", state:"lifecycle-state", protection:"protection-mode", algo:"key-shape".algorithm, scheduledDeletion:"time-of-deletion"}'
|
|
929
|
+
```
|
|
930
|
+
|
|
931
|
+
**STOP** if `protection-mode = HSM` — HSM key destruction is irreversible.
|
|
932
|
+
SOFTWARE keys can be re-imported; HSM keys cannot be recovered after destruction.
|
|
933
|
+
|
|
934
|
+
## 2. List all key versions (identify active and retired)
|
|
935
|
+
|
|
936
|
+
```bash
|
|
937
|
+
oci kms management key-version list \\
|
|
938
|
+
--key-id <KEY_OCID> \\
|
|
939
|
+
--endpoint <VAULT_MANAGEMENT_ENDPOINT> \\
|
|
940
|
+
--all \\
|
|
941
|
+
--query 'data[].{version:"key-version-id", state:"lifecycle-state", created:"time-created"}' \\
|
|
942
|
+
--output table
|
|
943
|
+
```
|
|
944
|
+
|
|
945
|
+
## 3. Audit data associations (resources encrypted by this key)
|
|
946
|
+
|
|
947
|
+
```bash
|
|
948
|
+
# Note: OCI does not always provide a complete list via API.
|
|
949
|
+
# Supplement with a resource search:
|
|
950
|
+
oci resource search search-resources \\
|
|
951
|
+
--query-text 'query all resources where freeformTags.EncryptionKeyId = '"'"'<KEY_OCID>'"'"'' \\
|
|
952
|
+
--query 'data.items[].{type:"resource-type", name:"display-name", compartment:"compartment-id"}'
|
|
953
|
+
```
|
|
954
|
+
|
|
955
|
+
If the association list is incomplete, perform a manual audit via tags before proceeding.
|
|
956
|
+
|
|
957
|
+
## 4. Check vault type (Virtual Private vs Shared HSM)
|
|
958
|
+
|
|
959
|
+
```bash
|
|
960
|
+
oci kms vault get \\
|
|
961
|
+
--vault-id <VAULT_OCID> \\
|
|
962
|
+
--query 'data.{type:"vault-type", state:"lifecycle-state", endpoint:"management-endpoint"}'
|
|
963
|
+
```
|
|
964
|
+
|
|
965
|
+
## 5. Confirm the Lifecycle.Deletable tag is set (required by our IAM policy)
|
|
966
|
+
|
|
967
|
+
```bash
|
|
968
|
+
oci kms management key get \\
|
|
969
|
+
--key-id <KEY_OCID> \\
|
|
970
|
+
--endpoint <VAULT_MANAGEMENT_ENDPOINT> \\
|
|
971
|
+
--query 'data."defined-tags"'
|
|
972
|
+
```
|
|
973
|
+
"""),
|
|
974
|
+
"rollback_body": textwrap.dedent("""\
|
|
975
|
+
# Vault Key Destruction — Rollback Playbook
|
|
976
|
+
|
|
977
|
+
## Cancel a scheduled key deletion (before time-of-deletion)
|
|
978
|
+
|
|
979
|
+
```bash
|
|
980
|
+
oci kms management key cancel-key-deletion \\
|
|
981
|
+
--key-id <KEY_OCID> \\
|
|
982
|
+
--endpoint <VAULT_MANAGEMENT_ENDPOINT>
|
|
983
|
+
|
|
984
|
+
# Verify cancellation
|
|
985
|
+
oci kms management key get \\
|
|
986
|
+
--key-id <KEY_OCID> \\
|
|
987
|
+
--endpoint <VAULT_MANAGEMENT_ENDPOINT> \\
|
|
988
|
+
--query 'data.{state:"lifecycle-state", scheduledDeletion:"time-of-deletion"}'
|
|
989
|
+
```
|
|
990
|
+
|
|
991
|
+
## Re-enable the key after cancellation
|
|
992
|
+
|
|
993
|
+
```bash
|
|
994
|
+
oci kms management key enable \\
|
|
995
|
+
--key-id <KEY_OCID> \\
|
|
996
|
+
--endpoint <VAULT_MANAGEMENT_ENDPOINT>
|
|
997
|
+
```
|
|
998
|
+
|
|
999
|
+
## Rotate to a new key version (non-destructive — old version remains available for decrypt)
|
|
1000
|
+
|
|
1001
|
+
```bash
|
|
1002
|
+
oci kms management key create-key-version \\
|
|
1003
|
+
--key-id <KEY_OCID> \\
|
|
1004
|
+
--endpoint <VAULT_MANAGEMENT_ENDPOINT>
|
|
1005
|
+
```
|
|
1006
|
+
|
|
1007
|
+
Old key versions remain ENABLED until explicitly disabled, allowing decryption of
|
|
1008
|
+
data encrypted by prior versions. This is the safe rotation pattern.
|
|
1009
|
+
|
|
1010
|
+
## POINT OF NO RETURN
|
|
1011
|
+
|
|
1012
|
+
After `time-of-deletion` passes:
|
|
1013
|
+
|
|
1014
|
+
- HSM key: cryptographic material is wiped from the HSM. **Permanent. No recovery.**
|
|
1015
|
+
- All data encrypted exclusively by this key version is **unrecoverable**.
|
|
1016
|
+
- OCI Support Recovery SLA: **NONE**.
|
|
1017
|
+
- Immediate escalation: open a P1 SR with OCI Support the moment accidental deletion is suspected.
|
|
1018
|
+
|
|
1019
|
+
Prevention checklist before scheduling deletion:
|
|
1020
|
+
- [ ] All data encrypted by this key has been re-encrypted with the new key version
|
|
1021
|
+
- [ ] All services using this key version have been updated to the new version
|
|
1022
|
+
- [ ] A 30-day (not 7-day) deletion window was selected
|
|
1023
|
+
- [ ] A second approver has confirmed the data-association audit
|
|
1024
|
+
"""),
|
|
1025
|
+
},
|
|
1026
|
+
{
|
|
1027
|
+
"id": "oci-live-cost-budget-runaway-guard",
|
|
1028
|
+
"name": "OCI Live Cost Budget Runaway Guard",
|
|
1029
|
+
"summary": "Gate OCI budget rule mutations, cost-tracking tag changes, and GPU or HPC shape provisioning against compartment spend limits before any cost-impacting mutation.",
|
|
1030
|
+
"focus": "Gate OCI budget rule mutations, cost-tracking tag changes, and GPU/HPC shape provisioning (BM.GPU4.8, A100, BM.HPC2.36) against compartment spend limits and approved quotas.",
|
|
1031
|
+
"codex_role": "cost-budget-runaway live operator",
|
|
1032
|
+
"skill_desc": "Gate OCI budget mutations and GPU/HPC shape provisioning against compartment spend limits, with inventory searches, quota audits, and emergency spend-stop playbooks.",
|
|
1033
|
+
"skill_when": [
|
|
1034
|
+
"an OCI budget rule threshold or alert must be modified for a tenancy or compartment",
|
|
1035
|
+
"a GPU or HPC shape provisioning request requires spend-limit approval before creating",
|
|
1036
|
+
"a runaway GPU cost event is detected and emergency quota reduction or instance stop is needed",
|
|
1037
|
+
],
|
|
1038
|
+
"response_shape": [
|
|
1039
|
+
"Tenancy and compartment identity confirmation",
|
|
1040
|
+
"Active budget inventory and current spend vs threshold (oci budgets budget list)",
|
|
1041
|
+
"GPU/HPC shape quota usage and running instance inventory",
|
|
1042
|
+
"Cost-tracking tag namespace audit",
|
|
1043
|
+
"Approval status for budget change or GPU/HPC provisioning",
|
|
1044
|
+
"Proposed or executed cost-governance action",
|
|
1045
|
+
"Post-change budget alert confirmation and monitoring state",
|
|
1046
|
+
],
|
|
1047
|
+
"official_docs": [
|
|
1048
|
+
"https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
|
|
1049
|
+
"https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/managinginstances.htm",
|
|
1050
|
+
"https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm",
|
|
1051
|
+
"https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm",
|
|
1052
|
+
],
|
|
1053
|
+
"security_notes": "GPU/HPC shapes (BM.GPU4.8, A100, BM.HPC2.36) can generate six-figure monthly costs when left running. Never approve quota increases or budget threshold raises without explicit financial-authority approval. Emergency stop requires Compute operator rights — escalate if not held.",
|
|
1054
|
+
"permissions_body": textwrap.dedent("""\
|
|
1055
|
+
# OCI IAM policy for cost budget runaway guard
|
|
1056
|
+
|
|
1057
|
+
## Identity model preference
|
|
1058
|
+
|
|
1059
|
+
1. Named cost-governance group with tenancy-scoped budget management
|
|
1060
|
+
2. Separate cost-auditors (inspect/read only) from cost-admins (manage)
|
|
1061
|
+
3. GPU provisioning gates via compartment quota policies — not IAM `manage`
|
|
1062
|
+
4. Never grant `manage compute-instances in tenancy` to the cost-guard role
|
|
1063
|
+
|
|
1064
|
+
## Budget read (audit, no mutation)
|
|
1065
|
+
|
|
1066
|
+
```
|
|
1067
|
+
Allow group <cost-auditors> to inspect usage-budgets in tenancy
|
|
1068
|
+
Allow group <cost-auditors> to read usage-budgets in tenancy
|
|
1069
|
+
Allow group <cost-auditors> to inspect costs in tenancy
|
|
1070
|
+
Allow group <cost-auditors> to read costs in tenancy
|
|
1071
|
+
```
|
|
1072
|
+
|
|
1073
|
+
## Budget write (manage — budgets are tenancy-scoped resources)
|
|
1074
|
+
|
|
1075
|
+
```
|
|
1076
|
+
Allow group <cost-admins> to manage usage-budgets in tenancy
|
|
1077
|
+
```
|
|
1078
|
+
|
|
1079
|
+
## Quota inspection and resource search
|
|
1080
|
+
|
|
1081
|
+
```
|
|
1082
|
+
Allow group <cost-admins> to inspect quota in tenancy
|
|
1083
|
+
Allow group <cost-admins> to read quota in tenancy
|
|
1084
|
+
Allow group <cost-admins> to use resource-search in tenancy
|
|
1085
|
+
```
|
|
1086
|
+
|
|
1087
|
+
## Cost operators (middle tier — adjust budgets, cannot delete)
|
|
1088
|
+
|
|
1089
|
+
OCI policy-based IAM supports tier separation by verb. Cost operators can
|
|
1090
|
+
re-tune budget thresholds and notification rules without holding `manage`
|
|
1091
|
+
delete rights:
|
|
1092
|
+
|
|
1093
|
+
```
|
|
1094
|
+
Allow group <cost-operators> to use usage-budgets in tenancy
|
|
1095
|
+
Allow group <cost-operators> to read costs in tenancy
|
|
1096
|
+
Allow group <cost-operators> to use ons-topics in compartment <cost-alerts-compartment>
|
|
1097
|
+
```
|
|
1098
|
+
|
|
1099
|
+
`use usage-budgets` permits update + alert rule changes; it does NOT permit
|
|
1100
|
+
budget creation or deletion — those remain with `<cost-admins>`.
|
|
1101
|
+
|
|
1102
|
+
## Cost-tracking tag namespace management
|
|
1103
|
+
|
|
1104
|
+
```
|
|
1105
|
+
Allow group <cost-admins> to manage tag-namespaces in compartment <cost-tracking-compartment>
|
|
1106
|
+
Allow group <cost-admins> to use tag-namespaces in tenancy
|
|
1107
|
+
```
|
|
1108
|
+
|
|
1109
|
+
## GPU/HPC shape gate via compartment quota (strongest control)
|
|
1110
|
+
|
|
1111
|
+
Set a compartment-level quota to prevent GPU provisioning without explicit increase:
|
|
1112
|
+
|
|
1113
|
+
```
|
|
1114
|
+
set compute-core-count quota gpu-vm-count to 0 in compartment <default-compute>
|
|
1115
|
+
```
|
|
1116
|
+
|
|
1117
|
+
This physically prevents any GPU shape from being provisioned without a quota
|
|
1118
|
+
increase request — a harder gate than IAM deny policies.
|
|
1119
|
+
|
|
1120
|
+
## Do not use
|
|
1121
|
+
|
|
1122
|
+
```
|
|
1123
|
+
# FORBIDDEN
|
|
1124
|
+
Allow group <cost-admins> to manage all-resources in tenancy
|
|
1125
|
+
Allow any-group to manage compute-instances in tenancy
|
|
1126
|
+
Allow group <cost-admins> to manage compute-instances in tenancy
|
|
1127
|
+
# Cost guard should not have VM create/stop rights — escalate to compute operator
|
|
1128
|
+
```
|
|
1129
|
+
"""),
|
|
1130
|
+
"preflight_body": textwrap.dedent("""\
|
|
1131
|
+
# Cost Budget Runaway — Preflight Commands
|
|
1132
|
+
|
|
1133
|
+
## 1. List all budgets and current utilization
|
|
1134
|
+
|
|
1135
|
+
```bash
|
|
1136
|
+
oci budgets budget list \\
|
|
1137
|
+
--compartment-id <TENANCY_OCID> \\
|
|
1138
|
+
--all \\
|
|
1139
|
+
--query 'data[].{name:"display-name", amount:amount, spent:"actual-spend", forecast:"forecasted-spend", reset:"reset-period"}' \\
|
|
1140
|
+
--output table
|
|
1141
|
+
```
|
|
1142
|
+
|
|
1143
|
+
## 2. Check compute GPU/HPC service limits
|
|
1144
|
+
|
|
1145
|
+
```bash
|
|
1146
|
+
oci limits value list \\
|
|
1147
|
+
--compartment-id <TENANCY_OCID> \\
|
|
1148
|
+
--service-name compute \\
|
|
1149
|
+
--all \\
|
|
1150
|
+
--query 'data[?contains(name, `gpu`) || contains(name, `hpc`)].{name:name, value:value, scope:"scope-type"}' \\
|
|
1151
|
+
--output table
|
|
1152
|
+
```
|
|
1153
|
+
|
|
1154
|
+
## 3. Search for running GPU/HPC instances across tenancy
|
|
1155
|
+
|
|
1156
|
+
```bash
|
|
1157
|
+
oci resource search search-resources \\
|
|
1158
|
+
--query-text 'query instance resources where
|
|
1159
|
+
(shape = '"'"'BM.GPU4.8'"'"' ||
|
|
1160
|
+
shape = '"'"'VM.GPU3.1'"'"' ||
|
|
1161
|
+
shape = '"'"'BM.HPC2.36'"'"' ||
|
|
1162
|
+
shape = '"'"'BM.GPU.H100.8'"'"') &&
|
|
1163
|
+
lifecycleState = '"'"'RUNNING'"'"'' \\
|
|
1164
|
+
--query 'data.items[].{id:"identifier", name:"display-name", compartment:"compartment-id"}'
|
|
1165
|
+
```
|
|
1166
|
+
|
|
1167
|
+
## 4. Audit cost-tracking tag namespaces
|
|
1168
|
+
|
|
1169
|
+
```bash
|
|
1170
|
+
oci iam tag-namespace list \\
|
|
1171
|
+
--compartment-id <TENANCY_OCID> \\
|
|
1172
|
+
--all \\
|
|
1173
|
+
--query 'data[].{name:name, state:"lifecycle-state", isRetired:"is-retired"}' \\
|
|
1174
|
+
--output table
|
|
1175
|
+
```
|
|
1176
|
+
|
|
1177
|
+
## 5. Check active budget alerts
|
|
1178
|
+
|
|
1179
|
+
```bash
|
|
1180
|
+
oci budgets alert list \\
|
|
1181
|
+
--compartment-id <TENANCY_OCID> \\
|
|
1182
|
+
--all \\
|
|
1183
|
+
--query 'data[].{budgetId:"budget-id", threshold:threshold, triggered:"time-first-triggered"}'
|
|
1184
|
+
```
|
|
1185
|
+
"""),
|
|
1186
|
+
"rollback_body": textwrap.dedent("""\
|
|
1187
|
+
# Cost Budget Runaway — Rollback Playbook
|
|
1188
|
+
|
|
1189
|
+
## Restore a raised budget threshold to previous value
|
|
1190
|
+
|
|
1191
|
+
```bash
|
|
1192
|
+
oci budgets budget update \\
|
|
1193
|
+
--budget-id <BUDGET_OCID> \\
|
|
1194
|
+
--amount <PREVIOUS_AMOUNT>
|
|
1195
|
+
|
|
1196
|
+
# Verify
|
|
1197
|
+
oci budgets budget get \\
|
|
1198
|
+
--budget-id <BUDGET_OCID> \\
|
|
1199
|
+
--query 'data.{amount:amount, reset:"reset-period", spent:"actual-spend"}'
|
|
1200
|
+
```
|
|
1201
|
+
|
|
1202
|
+
## Emergency: stop a runaway GPU instance (requires Compute operator — escalate if needed)
|
|
1203
|
+
|
|
1204
|
+
```bash
|
|
1205
|
+
# Soft stop (OCPU billing continues for stopped-but-preserved VMs until termination)
|
|
1206
|
+
oci compute instance action \\
|
|
1207
|
+
--instance-id <INSTANCE_OCID> \\
|
|
1208
|
+
--action STOP
|
|
1209
|
+
|
|
1210
|
+
# For bare metal GPU (BM.GPU4.8) — billing stops only on TERMINATE
|
|
1211
|
+
# Escalate to Compute operator with appropriate compartment manage rights
|
|
1212
|
+
```
|
|
1213
|
+
|
|
1214
|
+
## Lower a compartment GPU quota to prevent further provisioning
|
|
1215
|
+
|
|
1216
|
+
```bash
|
|
1217
|
+
oci limits quota create \\
|
|
1218
|
+
--compartment-id <COMPARTMENT_OCID> \\
|
|
1219
|
+
--name "emergency-gpu-cap-$(date +%Y%m%d)" \\
|
|
1220
|
+
--statements '["set compute-core-count quota gpu-count to 0 in compartment <COMPARTMENT>"]'
|
|
1221
|
+
```
|
|
1222
|
+
|
|
1223
|
+
## Revert a budget alert threshold change
|
|
1224
|
+
|
|
1225
|
+
```bash
|
|
1226
|
+
oci budgets alert update \\
|
|
1227
|
+
--budget-id <BUDGET_OCID> \\
|
|
1228
|
+
--alert-id <ALERT_OCID> \\
|
|
1229
|
+
--threshold <PREVIOUS_THRESHOLD> \\
|
|
1230
|
+
--threshold-type ABSOLUTE
|
|
1231
|
+
```
|
|
1232
|
+
|
|
1233
|
+
## Verify budget enforcement is restored
|
|
1234
|
+
|
|
1235
|
+
```bash
|
|
1236
|
+
oci budgets budget get \\
|
|
1237
|
+
--budget-id <BUDGET_OCID> \\
|
|
1238
|
+
--query 'data.{amount:amount, alerts:alerts[*].threshold}'
|
|
1239
|
+
```
|
|
1240
|
+
"""),
|
|
1241
|
+
},
|
|
1242
|
+
]
|
|
1243
|
+
|
|
1244
|
+
|
|
1245
|
+
HARNESS_TEMPLATE_COPILOT = """\
|
|
1246
|
+
---
|
|
1247
|
+
description: "{summary}"
|
|
1248
|
+
name: "{name}"
|
|
1249
|
+
tools:
|
|
1250
|
+
- "read"
|
|
1251
|
+
- "search"
|
|
1252
|
+
- "search/codebase"
|
|
1253
|
+
- "web/githubRepo"
|
|
1254
|
+
- "web/fetch"
|
|
1255
|
+
- "read/problems"
|
|
1256
|
+
- "execute/runInTerminal"
|
|
1257
|
+
- "execute/getTerminalOutput"
|
|
1258
|
+
- "read/terminalLastCommand"
|
|
1259
|
+
- "read/terminalSelection"
|
|
1260
|
+
disable-model-invocation: false
|
|
1261
|
+
user-invocable: true
|
|
1262
|
+
---
|
|
1263
|
+
|
|
1264
|
+
{body}
|
|
1265
|
+
"""
|
|
1266
|
+
|
|
1267
|
+
|
|
1268
|
+
def harness_body(agent):
|
|
1269
|
+
lines = [
|
|
1270
|
+
f"# {agent['name']}",
|
|
1271
|
+
"",
|
|
1272
|
+
f"Use this canonical agent only for `{agent['id']}` work.",
|
|
1273
|
+
"",
|
|
1274
|
+
"## Required Skill",
|
|
1275
|
+
"",
|
|
1276
|
+
"Before answering, read and follow:",
|
|
1277
|
+
"",
|
|
1278
|
+
f"- `skills/oci/{agent['id']}/SKILL.md`",
|
|
1279
|
+
"",
|
|
1280
|
+
f"Load files under `skills/oci/{agent['id']}/references/` only when the task needs that reference. Do not dump reference text into the response.",
|
|
1281
|
+
"",
|
|
1282
|
+
"## Focus",
|
|
1283
|
+
"",
|
|
1284
|
+
agent["focus"],
|
|
1285
|
+
"",
|
|
1286
|
+
"## Operating Rules",
|
|
1287
|
+
"",
|
|
1288
|
+
"- Load and follow the bound OCI skill first; do not drift into generic cloud advice.",
|
|
1289
|
+
"- This role is for repos or sessions that may be connected to live OCI credentials, CLI profiles, or real environments.",
|
|
1290
|
+
"- Before any live OCI mutation, confirm tenancy, compartment, active principal, exact target resource, expected impact, and explicit human approval.",
|
|
1291
|
+
"- Prefer plan, detect-drift, inspect, read, describe, and rollback evidence before mutation.",
|
|
1292
|
+
"- If the target, approval state, or rollback posture is ambiguous, stop and say so.",
|
|
1293
|
+
"- Keep outputs short: target, approval status, evidence, action, rollback, verification, open risks.",
|
|
1294
|
+
"- Never ask for secrets, credentials, private keys, tenancy OCIDs, or raw config dumps unless already sanitized and required.",
|
|
1295
|
+
"",
|
|
1296
|
+
"## Response Shape",
|
|
1297
|
+
"",
|
|
1298
|
+
]
|
|
1299
|
+
for i, step in enumerate(agent["response_shape"], 1):
|
|
1300
|
+
lines.append(f"{i}. {step}")
|
|
1301
|
+
return "\n".join(lines)
|
|
1302
|
+
|
|
1303
|
+
|
|
1304
|
+
def write(path, content):
|
|
1305
|
+
os.makedirs(os.path.dirname(path), exist_ok=True)
|
|
1306
|
+
with open(path, "w") as f:
|
|
1307
|
+
f.write(content)
|
|
1308
|
+
print(f" wrote {path.replace(ROOT+'/', '')}")
|
|
1309
|
+
|
|
1310
|
+
|
|
1311
|
+
def agent_md(agent):
|
|
1312
|
+
body = harness_body(agent)
|
|
1313
|
+
return f"""---
|
|
1314
|
+
metadata:
|
|
1315
|
+
author: "github: Raishin"
|
|
1316
|
+
version: "0.1.0"
|
|
1317
|
+
---
|
|
1318
|
+
|
|
1319
|
+
# {agent['name']}
|
|
1320
|
+
|
|
1321
|
+
> Agent for `{agent['id']}`. {agent['summary']}
|
|
1322
|
+
|
|
1323
|
+
## Harness Variants
|
|
1324
|
+
|
|
1325
|
+
- `harnesses/codex.toml` — Codex native agent configuration.
|
|
1326
|
+
- `harnesses/copilot.agent.md` — GitHub Copilot / VS Code custom agent definition.
|
|
1327
|
+
- `harnesses/claude-code.agent.md` — Claude Code Markdown-family adapter.
|
|
1328
|
+
- `harnesses/cursor.agent.md` — Cursor Markdown-family adapter.
|
|
1329
|
+
- `harnesses/gemini.agent.md` — Gemini CLI Markdown-family adapter.
|
|
1330
|
+
- `harnesses/kiro-ide.agent.md` — Kiro IDE Markdown-family adapter.
|
|
1331
|
+
- `harnesses/kiro-cli.agent.json` — Kiro CLI JSON adapter.
|
|
1332
|
+
|
|
1333
|
+
## Canonical Contract
|
|
1334
|
+
|
|
1335
|
+
{body}
|
|
1336
|
+
"""
|
|
1337
|
+
|
|
1338
|
+
|
|
1339
|
+
def codex_toml(agent):
|
|
1340
|
+
rules = "\n".join([
|
|
1341
|
+
"- Load and follow the bound OCI skill first; do not drift into generic cloud advice.",
|
|
1342
|
+
"- This role is for repos or sessions that may be connected to live OCI credentials, CLI profiles, or real environments.",
|
|
1343
|
+
"- Before any live OCI mutation, confirm tenancy, compartment, active principal, exact target resource, expected impact, and explicit human approval.",
|
|
1344
|
+
"- Prefer plan, detect-drift, inspect, read, describe, and rollback evidence before mutation.",
|
|
1345
|
+
"- If approval, identity, target, or rollback posture is ambiguous, stop and explain the blocker.",
|
|
1346
|
+
"- Never ask for secrets, credentials, private keys, tenancy OCIDs, or raw config dumps unless already sanitized and required.",
|
|
1347
|
+
"- Label facts as live evidence, user-provided sanitized evidence, documentation-based, or inference.",
|
|
1348
|
+
])
|
|
1349
|
+
return f"""name = "{agent['id']}_agent"
|
|
1350
|
+
description = "Specialized subagent for {agent['id']}. {agent['summary']}"
|
|
1351
|
+
model = "gpt-5.4"
|
|
1352
|
+
model_reasoning_effort = "high"
|
|
1353
|
+
sandbox_mode = "workspace-write"
|
|
1354
|
+
|
|
1355
|
+
developer_instructions = \"\"\"
|
|
1356
|
+
Load and follow the bound `{agent['id']}` skill first. This agent exists only for that guarded live-OCI role; do not drift into generic cloud advice.
|
|
1357
|
+
|
|
1358
|
+
Token discipline:
|
|
1359
|
+
- Read only SKILL.md first; load references only when the task requires them.
|
|
1360
|
+
- Keep answers compact: target, approval status, evidence, action, rollback, verification, open risks.
|
|
1361
|
+
- Do not paste long docs, raw tool inventories, raw credential output, or full environment dumps.
|
|
1362
|
+
|
|
1363
|
+
Role focus: {agent['focus']}
|
|
1364
|
+
|
|
1365
|
+
Safety contract:
|
|
1366
|
+
{rules}
|
|
1367
|
+
\"\"\"
|
|
1368
|
+
|
|
1369
|
+
[[skills.config]]
|
|
1370
|
+
path = "skills/oci/{agent['id']}/SKILL.md"
|
|
1371
|
+
enabled = true
|
|
1372
|
+
|
|
1373
|
+
[metadata]
|
|
1374
|
+
author = "github: Raishin"
|
|
1375
|
+
"""
|
|
1376
|
+
|
|
1377
|
+
|
|
1378
|
+
def kiro_cli_json(agent):
|
|
1379
|
+
body = harness_body(agent)
|
|
1380
|
+
prompt = body.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
|
|
1381
|
+
return f'{{"name": "{agent["name"]}", "description": "{agent["summary"]}", "prompt": "{prompt}"}}\n'
|
|
1382
|
+
|
|
1383
|
+
|
|
1384
|
+
def metadata_json(agent):
|
|
1385
|
+
return json.dumps({
|
|
1386
|
+
"id": f"{agent['id']}-agent",
|
|
1387
|
+
"name": agent["name"],
|
|
1388
|
+
"type": "agent",
|
|
1389
|
+
"provider": "oci",
|
|
1390
|
+
"harnesses": ["codex", "copilot", "claude-code", "cursor", "gemini", "kiro"],
|
|
1391
|
+
"summary": agent["summary"],
|
|
1392
|
+
"source_type": "original",
|
|
1393
|
+
"official_docs": agent["official_docs"],
|
|
1394
|
+
"security_notes": agent["security_notes"],
|
|
1395
|
+
"last_verified": DATE,
|
|
1396
|
+
"path": f"agents/oci/{agent['id']}-agent",
|
|
1397
|
+
"author": "github: Raishin",
|
|
1398
|
+
"version": "0.1.0",
|
|
1399
|
+
}, indent=2) + "\n"
|
|
1400
|
+
|
|
1401
|
+
|
|
1402
|
+
def skill_md(agent):
|
|
1403
|
+
when_items = "\n".join(f"- {w}" for w in agent["skill_when"])
|
|
1404
|
+
return f"""---
|
|
1405
|
+
name: {agent['id']}
|
|
1406
|
+
description: {agent['skill_desc']}
|
|
1407
|
+
metadata:
|
|
1408
|
+
author: "github: Raishin"
|
|
1409
|
+
version: "0.1.0"
|
|
1410
|
+
---
|
|
1411
|
+
|
|
1412
|
+
# {agent['name']}
|
|
1413
|
+
|
|
1414
|
+
## Purpose
|
|
1415
|
+
|
|
1416
|
+
Act as the guarded live OCI operator for {agent['id']} work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
|
|
1417
|
+
|
|
1418
|
+
## When to use
|
|
1419
|
+
|
|
1420
|
+
Use this skill when:
|
|
1421
|
+
|
|
1422
|
+
{when_items}
|
|
1423
|
+
|
|
1424
|
+
## Lean operating rules
|
|
1425
|
+
|
|
1426
|
+
- Prefer OCI CLI (`oci`) official documentation when available; fall back to Oracle Cloud docs and sanitized user evidence.
|
|
1427
|
+
- Do not execute a live OCI change until tenancy, compartment, active principal, and resource ownership are explicit.
|
|
1428
|
+
- Prefer plan, detect-drift, inspect, read, describe, and rollback evidence before execution.
|
|
1429
|
+
- If the request skips preview or rollback design, push back.
|
|
1430
|
+
- Never print secrets, API keys, tenancy OCIDs, private key contents, or raw config values. Summarize sanitized evidence only.
|
|
1431
|
+
- Load references only when needed.
|
|
1432
|
+
|
|
1433
|
+
## References
|
|
1434
|
+
|
|
1435
|
+
Load these only when needed:
|
|
1436
|
+
|
|
1437
|
+
- [Preflight commands](references/preflight-commands.md) — OCI CLI commands to run before any mutation.
|
|
1438
|
+
- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
|
|
1439
|
+
- [Permission model](references/permission-model.md) — OCI IAM policy statements and dynamic group guidance.
|
|
1440
|
+
- [Official sources](references/official-sources.md) — authoritative OCI documentation links.
|
|
1441
|
+
|
|
1442
|
+
## Response minimum
|
|
1443
|
+
|
|
1444
|
+
Return, at minimum:
|
|
1445
|
+
|
|
1446
|
+
- confirmed tenancy, compartment, and active principal
|
|
1447
|
+
- preflight evidence (plan output, drift result, inspect/read, health check)
|
|
1448
|
+
- approval status for the proposed mutation
|
|
1449
|
+
- rollback posture or explicit statement of what cannot be rolled back
|
|
1450
|
+
- post-action verification steps or refusal reason
|
|
1451
|
+
"""
|
|
1452
|
+
|
|
1453
|
+
|
|
1454
|
+
def skill_metadata_json(agent):
|
|
1455
|
+
return json.dumps({
|
|
1456
|
+
"id": agent["id"],
|
|
1457
|
+
"name": agent["name"],
|
|
1458
|
+
"type": "skill",
|
|
1459
|
+
"provider": "oci",
|
|
1460
|
+
"harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
|
|
1461
|
+
"summary": agent["skill_desc"],
|
|
1462
|
+
"source_type": "original",
|
|
1463
|
+
"official_docs": agent["official_docs"],
|
|
1464
|
+
"security_notes": agent["security_notes"],
|
|
1465
|
+
"last_verified": DATE,
|
|
1466
|
+
"path": f"skills/oci/{agent['id']}",
|
|
1467
|
+
"author": "github: Raishin",
|
|
1468
|
+
"version": "0.1.0",
|
|
1469
|
+
}, indent=2) + "\n"
|
|
1470
|
+
|
|
1471
|
+
|
|
1472
|
+
def build():
|
|
1473
|
+
for ag in AGENTS:
|
|
1474
|
+
aid = ag["id"]
|
|
1475
|
+
adir = os.path.join(ROOT, "agents", "oci", f"{aid}-agent")
|
|
1476
|
+
hdir = os.path.join(adir, "harnesses")
|
|
1477
|
+
sdir = os.path.join(ROOT, "skills", "oci", aid)
|
|
1478
|
+
rdir = os.path.join(sdir, "references")
|
|
1479
|
+
os.makedirs(hdir, exist_ok=True)
|
|
1480
|
+
os.makedirs(rdir, exist_ok=True)
|
|
1481
|
+
|
|
1482
|
+
print(f"\n[{aid}]")
|
|
1483
|
+
body = harness_body(ag)
|
|
1484
|
+
|
|
1485
|
+
write(os.path.join(adir, "AGENT.md"), agent_md(ag))
|
|
1486
|
+
write(os.path.join(adir, "PERMISSIONS.md"), f"# Permissions: {ag['name']}\n\n{ag['permissions_body']}\n")
|
|
1487
|
+
write(os.path.join(adir, "PREFLIGHT.md"), ag["preflight_body"])
|
|
1488
|
+
write(os.path.join(adir, "ROLLBACK.md"), ag["rollback_body"])
|
|
1489
|
+
write(os.path.join(adir, "metadata.json"), metadata_json(ag))
|
|
1490
|
+
|
|
1491
|
+
write(os.path.join(hdir, "claude-code.agent.md"), f"---\nname: \"{ag['name']}\"\ndescription: \"{ag['summary']}\"\n---\n\n{body}\n")
|
|
1492
|
+
write(os.path.join(hdir, "cursor.agent.md"), f"---\nname: \"{ag['name']}\"\ndescription: \"{ag['summary']}\"\n---\n\n{body}\n")
|
|
1493
|
+
write(os.path.join(hdir, "gemini.agent.md"), f"---\nname: \"{ag['name']}\"\ndescription: \"{ag['summary']}\"\n---\n\n{body}\n")
|
|
1494
|
+
write(os.path.join(hdir, "kiro-ide.agent.md"), f"---\nname: \"{ag['name']}\"\ndescription: \"{ag['summary']}\"\n---\n\n{body}\n")
|
|
1495
|
+
write(os.path.join(hdir, "copilot.agent.md"), HARNESS_TEMPLATE_COPILOT.format(name=ag["name"], summary=ag["summary"], body=body))
|
|
1496
|
+
write(os.path.join(hdir, "codex.toml"), codex_toml(ag))
|
|
1497
|
+
write(os.path.join(hdir, "kiro-cli.agent.json"), kiro_cli_json(ag))
|
|
1498
|
+
|
|
1499
|
+
write(os.path.join(sdir, "SKILL.md"), skill_md(ag))
|
|
1500
|
+
write(os.path.join(sdir, "metadata.json"), skill_metadata_json(ag))
|
|
1501
|
+
write(os.path.join(rdir, "preflight-commands.md"), f"# Preflight Commands\n\nSee `../../PREFLIGHT.md` in the agent directory for executable commands.\n")
|
|
1502
|
+
write(os.path.join(rdir, "rollback-playbook.md"), f"# Rollback Playbook\n\nSee `../../ROLLBACK.md` in the agent directory for the full rollback playbook.\n")
|
|
1503
|
+
write(os.path.join(rdir, "permission-model.md"), f"# Permission Model\n\nSee `../../PERMISSIONS.md` in the agent directory for OCI IAM policy statements and dynamic group guidance.\n")
|
|
1504
|
+
write(os.path.join(rdir, "official-sources.md"), f"# Official Sources\n\n" + "\n".join(f"- {u}" for u in ag["official_docs"]) + "\n")
|
|
1505
|
+
|
|
1506
|
+
print("\nOCI live-guard agents + skills generated.")
|
|
1507
|
+
|
|
1508
|
+
|
|
1509
|
+
if __name__ == "__main__":
|
|
1510
|
+
build()
|