@raishin/vanguard-frontier-agentic 1.1.0 → 1.3.0

package/skills/finops/finops-cloud-price-advisor/references/estimation-workflow.md

@@ -0,0 +1,145 @@
+# Estimation Workflow
+
+Two distinct modes: **live-environment** (current inventory → cost) and **prototype** (planned spec → cost).
+
+---
+
+## Mode 1 — Live Environment Cost Estimate
+
+Use when: the user wants to know what an existing deployed environment costs based on actual running resources.
+
+### Step 1 — Confirm scope
+
+Before fetching anything:
+- Cloud provider(s): AWS / Azure / OCI (or multi-cloud)
+- Region(s): confirm exact region; pricing varies
+- Resource scope: specific service, entire account/subscription/tenancy, or filtered subset
+- Time window: monthly (default) or annual
+- Currency: USD (default) or specified
+
+### Step 2 — Inventory
+
+Preferred: user provides a resource list (instance IDs, sizes, quantities).
+
+Fallback: ask user to share a sanitized inventory export:
+- AWS: `aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,InstanceType,State.Name]'`
+- Azure: `az resource list --query '[].{id:id,type:type,location:location}'`
+- OCI: `oci compute instance list --compartment-id <ocid> --all --query 'data[*].{id:id,"shape":shape,"state":"lifecycle-state"}'`
+
+Do not ask for raw API responses with secrets, billing account IDs, or customer-specific metadata.
+
+### Step 3 — Fetch live prices
+
+For each unique (resource-type, region) pair in the inventory:
+1. Load `references/pricing-apis.md`
+2. Call the appropriate public pricing API via WebFetch
+3. Record: unit price, unit of measure, effective date, currency (USD)
+
+### Step 4 — Calculate
+
+For each line item:
+```
+monthly_cost = unit_price_per_hour × hours_per_month × quantity
+hours_per_month = 730  (standard FinOps convention: 365 days × 24 hours / 12)
+```
+
+For storage (priced per GB-month):
+```
+monthly_cost = price_per_gb_month × total_gb × quantity
+```
+
+For data transfer (priced per GB):
+```
+monthly_cost = price_per_gb × estimated_monthly_gb_transferred
+```
+
+### Step 5 — Output
+
+Return the line-item table and totals. See SKILL.md "Response minimum" for format.
+
+---
+
+## Mode 2 — Prototype Cost Estimate
+
+Use when: the user wants to estimate cost for a planned architecture before provisioning.
+
+### Step 1 — Collect the spec
+
+Ask the user to describe the planned architecture. Minimum needed:
+- Resource types (e.g., EC2 m5.xlarge, Azure Standard_D4s_v3, OCI VM.Standard.E4.Flex)
+- Quantities (instance count, GB of storage, expected GB data transfer/month)
+- Region(s)
+- Operating system / license model (Linux / Windows; affects compute pricing)
+- Expected usage hours per month (default: 730 = always-on)
+
+For prototype mode, it is acceptable to use reasonable defaults when the user has not specified every detail. Clearly label every assumed value.
+
+### Step 2 — Decompose into billable components
+
+Typical components for a web application prototype:
+
+| Component | Billable units |
+|-----------|---------------|
+| Compute (VM / container) | CPU-hours |
+| OS / license (Windows, RHEL) | Additional per-hour |
+| Managed database | vCPU-hours + storage GB-month + backup storage |
+| Object storage | GB stored/month + GET/PUT requests + egress GB |
+| Load balancer | Per hour + LCU or data-processed GB |
+| Container orchestration | Cluster management fee + node hours |
+| Serverless functions | Invocations + GB-seconds |
+| Egress / data transfer | GB out to internet |
+| Monitoring / logging | GB ingested + GB stored |
+
+Only include components that are in the user's spec. Do not inflate with unused services.
+
+### Step 3 — Fetch live prices
+
+Same as Mode 1 Step 3.
+
+### Step 4 — Calculate
+
+Same as Mode 1 Step 4.
+
+Label every assumed value in the output with `[assumed]`.
+
+### Step 5 — Sensitivity summary
+
+For prototype estimates, include a brief sensitivity section:
+- What is the biggest cost driver?
+- What assumption has the most uncertainty?
+- What would change the estimate by >20% if revised?
+
+Example:
+```
+Biggest driver: RDS db.r6g.xlarge instance ($0.48/hr × 730 hr = $350/month, 42% of total)
+Highest uncertainty: data egress volume — assumed 100 GB/month; at 1 TB/month cost doubles
+```
+
+---
+
+## Multi-Cloud Comparison
+
+When comparing AWS vs Azure vs OCI for the same workload:
+
+1. Map resource types to equivalents across clouds:
+
+| Workload | AWS | Azure | OCI |
+|---------|-----|-------|-----|
+| 4 vCPU / 16 GB VM | m5.xlarge | Standard_D4s_v3 | VM.Standard.E4.Flex (4 OCPU, 16 GB) |
+| Managed PostgreSQL | RDS PostgreSQL db.t4g.medium | Azure Database for PostgreSQL Flexible | OCI MySQL Database / ADB-S |
+| Object storage | S3 Standard | Azure Blob Storage LRS | OCI Object Storage |
+| Container cluster | EKS | AKS | OKE |
+
+2. Fetch prices for each cloud in the user's preferred region(s).
+3. Present side-by-side comparison table, USD, monthly.
+4. Note: OCI often prices differently for Flex shapes (OCPU + memory separately); adjust comparison accordingly.
+
+---
+
+## Estimate Quality Labels
+
+Always label estimates with one of:
+- `live-price`: price fetched from API in this session with timestamp
+- `documentation-based`: price from official pricing page docs (may be weeks old)
+- `assumed`: value not provided by user and not fetched; based on typical pattern
+- `excluded`: component not included in estimate; state why

package/skills/finops/finops-cloud-price-advisor/references/official-sources.md

@@ -0,0 +1,64 @@
+# Official Sources
+
+Authoritative pricing documentation for each cloud provider. Use these as ground truth when live API results are ambiguous or unavailable.
+
+---
+
+## AWS
+
+| Resource | URL |
+|----------|-----|
+| Price List API overview | `https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/price-changes.html` |
+| Price List API reference | `https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/using-ppslong.html` |
+| EC2 pricing page | `https://aws.amazon.com/ec2/pricing/on-demand/` |
+| RDS pricing page | `https://aws.amazon.com/rds/pricing/` |
+| S3 pricing page | `https://aws.amazon.com/s3/pricing/` |
+| Lambda pricing page | `https://aws.amazon.com/lambda/pricing/` |
+| EKS pricing page | `https://aws.amazon.com/eks/pricing/` |
+| Fargate pricing page | `https://aws.amazon.com/fargate/pricing/` |
+| Data Transfer pricing | `https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer` |
+| Price List service index | `https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/index.json` |
+| AWS Pricing Calculator | `https://calculator.aws/pricing/2/home` |
+
+## Azure
+
+| Resource | URL |
+|----------|-----|
+| Retail Prices API docs | `https://learn.microsoft.com/en-us/rest/api/cost-management/retail-prices/azure-retail-prices` |
+| VM pricing page | `https://azure.microsoft.com/en-us/pricing/details/virtual-machines/linux/` |
+| AKS pricing page | `https://azure.microsoft.com/en-us/pricing/details/kubernetes-service/` |
+| Azure SQL pricing | `https://azure.microsoft.com/en-us/pricing/details/azure-sql-database/single/` |
+| Azure PostgreSQL Flexible | `https://azure.microsoft.com/en-us/pricing/details/postgresql/flexible-server/` |
+| Blob Storage pricing | `https://azure.microsoft.com/en-us/pricing/details/storage/blobs/` |
+| Bandwidth pricing | `https://azure.microsoft.com/en-us/pricing/details/bandwidth/` |
+| Azure Functions pricing | `https://azure.microsoft.com/en-us/pricing/details/functions/` |
+| Azure Pricing Calculator | `https://azure.microsoft.com/en-us/pricing/calculator/` |
+| Cost Management overview | `https://learn.microsoft.com/en-us/azure/cost-management-billing/cost-management-billing-overview` |
+
+## OCI
+
+| Resource | URL |
+|----------|-----|
+| OCI Price List (HTML) | `https://www.oracle.com/cloud/price-list.html` |
+| OCI Cost Analysis overview | `https://docs.oracle.com/en-us/iaas/Content/Billing/Concepts/costanalysisoverview.htm` |
+| OCI Compute shapes | `https://docs.oracle.com/en-us/iaas/Content/Compute/References/computeshapes.htm` |
+| OCI Autonomous Database pricing | `https://www.oracle.com/autonomous-database/pricing/` |
+| OCI Object Storage pricing | `https://www.oracle.com/cloud/storage/object-storage/pricing/` |
+| OCI Networking / egress pricing | `https://www.oracle.com/cloud/networking/pricing/` |
+| OCI Cloud Estimator (calculator) | `https://cloudestimator.oracle.com` |
+| OCI Cost and Usage API | `https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/costanalysis_topic-create_report.htm` |
+
+## Exchange Rate Sources
+
+| Source | URL | Auth | Notes |
+|--------|-----|------|-------|
+| ExchangeRate-API (preferred) | `https://open.er-api.com/v6/latest/USD` | None | Major currencies; updated daily |
+| ECB daily reference rates (fallback) | `https://www.ecb.europa.eu/stats/eurofxref/eurofxref-daily.xml` | None | EUR-denominated; reliable but limited currency set |
+
+Do not use sources that require API keys (e.g., openexchangerates.org). The agent must not accept or store API keys.
+
+---
+
+## Grounding Rule
+
+When a live API fetch returns a price that differs significantly from the official pricing page, prefer the live API result (it is more current) but note the discrepancy. If the API result appears clearly wrong (e.g., $0.00 or orders-of-magnitude off), fall back to the official pricing page and label the estimate as `documentation-based`.

package/skills/finops/finops-cloud-price-advisor/references/pricing-apis.md

@@ -0,0 +1,271 @@
+# Pricing APIs
+
+Public, unauthenticated pricing endpoints for AWS, Azure, and OCI.
+
+---
+
+## AWS — Price List API
+
+**Base URL**: `https://pricing.us-east-1.amazonaws.com`
+
+No authentication. No API key. No AWS account needed.
+
+### Service index
+
+```
+GET https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/index.json
+```
+
+Returns a JSON map of all service codes and their per-service offer file paths.
+
+### Per-service, per-region offer file
+
+```
+GET https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/{serviceCode}/current/{regionCode}/index.json
+```
+
+Examples:
+```
+https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/AmazonEC2/current/us-east-1/index.json
+https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/AmazonRDS/current/us-east-1/index.json
+https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/AmazonS3/current/us-east-1/index.json
+https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/AmazonECS/current/us-east-1/index.json
+https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/AWSLambda/current/us-east-1/index.json
+```
+
+⚠️ These files are very large (EC2 index is tens of MB). Use the CSV variant for scripting:
+```
+https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/{serviceCode}/current/{regionCode}/index.csv
+```
+
+### Key response fields (products + terms)
+
+```json
+{
+  "products": {
+    "<sku>": {
+      "sku": "...",
+      "productFamily": "Compute Instance",
+      "attributes": {
+        "instanceType": "m5.xlarge",
+        "vcpu": "4",
+        "memory": "16 GiB",
+        "operatingSystem": "Linux",
+        "tenancy": "Shared",
+        "location": "US East (N. Virginia)"
+      }
+    }
+  },
+  "terms": {
+    "OnDemand": {
+      "<sku>.<offerTermCode>": {
+        "priceDimensions": {
+          "<rateCode>": {
+            "unit": "Hrs",
+            "pricePerUnit": { "USD": "0.1920000000" },
+            "description": "$0.192 per On Demand Linux m5.xlarge Instance Hour"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+### Common service codes
+
+| Service | Code |
+|---------|------|
+| EC2 | `AmazonEC2` |
+| RDS | `AmazonRDS` |
+| S3 | `AmazonS3` |
+| Lambda | `AWSLambda` |
+| ECS / Fargate | `AmazonECS` |
+| EKS | `AmazonEKS` |
+| ElastiCache | `AmazonElastiCache` |
+| CloudFront | `AmazonCloudFront` |
+| DynamoDB | `AmazonDynamoDB` |
+| Data Transfer | `AWSDataTransfer` |
+
+### AWS region codes (selected)
+
+| Region | Code |
+|--------|------|
+| US East (N. Virginia) | `us-east-1` |
+| US West (Oregon) | `us-west-2` |
+| EU (Ireland) | `eu-west-1` |
+| EU (Frankfurt) | `eu-central-1` |
+| AP (Singapore) | `ap-southeast-1` |
+| AP (Tokyo) | `ap-northeast-1` |
+
+---
+
+## Azure — Retail Prices API
+
+**Base URL**: `https://prices.azure.com/api/retail/prices`
+
+No authentication. No API key. No Azure subscription needed.
+
+### Basic request
+
+```
+GET https://prices.azure.com/api/retail/prices?api-version=2023-01-01-preview
+```
+
+### With OData filter
+
+```
+GET https://prices.azure.com/api/retail/prices?api-version=2023-01-01-preview&$filter={filter}
+```
+
+Filter examples:
+```
+armRegionName eq 'eastus' and skuName eq 'D2s v3' and priceType eq 'Consumption'
+armRegionName eq 'eastus' and serviceName eq 'Virtual Machines' and contains(skuName, 'D2s')
+armRegionName eq 'westeurope' and serviceName eq 'Azure Database for PostgreSQL'
+armRegionName eq 'eastus' and serviceName eq 'Azure Kubernetes Service'
+armRegionName eq 'eastus' and serviceName eq 'Storage' and skuName eq 'LRS Data Stored'
+```
+
+### Key response fields
+
+```json
+{
+  "Items": [
+    {
+      "currencyCode": "USD",
+      "tierMinimumUnits": 0.0,
+      "retailPrice": 0.096,
+      "unitPrice": 0.096,
+      "armRegionName": "eastus",
+      "location": "US East",
+      "effectiveStartDate": "2024-06-01T00:00:00Z",
+      "meterId": "...",
+      "meterName": "D2s v3",
+      "productId": "...",
+      "skuId": "...",
+      "productName": "Virtual Machines DSv3 Series",
+      "skuName": "D2s v3",
+      "serviceName": "Virtual Machines",
+      "serviceFamily": "Compute",
+      "unitOfMeasure": "1 Hour",
+      "type": "Consumption",
+      "isPrimaryMeterRegion": true,
+      "armSkuName": "Standard_D2s_v3"
+    }
+  ],
+  "NextPageLink": "...",
+  "Count": 1
+}
+```
+
+### Key filter fields
+
+| Field | Purpose | Example |
+|-------|---------|---------|
+| `armRegionName` | Azure region | `eastus`, `westeurope`, `southeastasia` |
+| `serviceName` | Service category | `Virtual Machines`, `Storage`, `Azure Kubernetes Service` |
+| `skuName` | SKU identifier | `D2s v3`, `P10`, `LRS Data Stored` |
+| `priceType` | Pricing model | `Consumption` (pay-as-you-go), `Reservation` |
+| `armSkuName` | ARM SKU name (exact) | `Standard_D2s_v3` |
+
+### Azure region codes (selected)
+
+| Region | `armRegionName` |
+|--------|----------------|
+| East US | `eastus` |
+| West US 2 | `westus2` |
+| West Europe | `westeurope` |
+| North Europe | `northeurope` |
+| Southeast Asia | `southeastasia` |
+| Japan East | `japaneast` |
+
+---
+
+## OCI — Public Pricing API
+
+**Base URL**: `https://apexapps.oracle.com/pls/apex/cloudestimator/r/api`
+
+No authentication required for public list prices.
+
+### All prices endpoint
+
+```
+GET https://apexapps.oracle.com/pls/apex/cloudestimator/r/api/prices
+```
+
+Returns a JSON array with all OCI service SKUs and their list prices.
+
+### Key response fields
+
+```json
+{
+  "items": [
+    {
+      "partNumber": "B88317",
+      "displayName": "VM.Standard.E4.Flex - OCPU",
+      "currencyCodeLocalizations": [
+        {
+          "currencyCode": "USD",
+          "prices": [
+            {
+              "model": "PAY_AS_YOU_GO",
+              "value": "0.025",
+              "unit": "OCPU Per Hour"
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
+```
+
+### Alternative: Oracle Cloud Pricing page JSON
+
+```
+GET https://www.oracle.com/a/ocom/docs/cloud/oci-price-list.json
+```
+
+This is the machine-readable version of the Oracle Cloud Price List. Structure may vary by release.
+
+### Oracle pricing page (human-readable)
+
+```
+https://www.oracle.com/cloud/price-list.html
+```
+
+### OCI shape pricing pattern
+
+OCI Flex VMs charge separately per OCPU and per GB of memory:
+- Compute: OCPU-hour rate × number of OCPUs
+- Memory: GB-hour rate × number of GB RAM
+- Standard shapes (non-Flex): flat hourly rate per shape
+
+### OCI regions for pricing context
+
+OCI pricing is generally region-independent for compute (same price globally), but data egress and some services do vary. Always confirm whether the target workload has significant egress.
+
+---
+
+## Pricing API Comparison
+
+| Feature | AWS | Azure | OCI |
+|---------|-----|-------|-----|
+| Auth required | No | No | No |
+| Filter by region | Yes (URL path) | Yes (OData) | N/A (global) |
+| Filter by SKU | Via JSON parse | OData `skuName` | JSON parse |
+| Unit of measure | Per hour | Per hour | Per hour / OCPU |
+| Currency in response | USD only | USD (and others via `currencyCode`) | USD |
+| Real-time | Yes | Yes | Yes |
+| Notes | Large files; prefer region-scoped | Best developer experience; OData is powerful | Flat list; Flex shapes split OCPU + memory |
+
+---
+
+## WebFetch Usage Notes
+
+When calling these endpoints via WebFetch:
+- AWS EC2 `index.json` for a single region is very large. Fetch the CSV variant or use the JSON and filter in-context.
+- Azure API returns paginated results; follow `NextPageLink` if present.
+- OCI API returns a single large array; filter by `displayName` substring or `partNumber` after fetch.
+- If a fetch fails (network timeout, 403, 429), label the result as `fetch-failed` and fall back to documentation-based estimate with explicit uncertainty warning.

package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md

@@ -0,0 +1,40 @@
+---
+name: fluxcd-kustomization-helmrelease-review
+description: Use this skill when reviewing FluxCD Kustomization, HelmRelease, GitRepository, HelmRepository, or OCIRepository resources. Trigger when the user asks whether a Flux configuration is safe for production, whether SOPS encryption is required, whether prune is safe on a given workload, whether commit signature verification is enabled, or whether a Flux multi-tenant setup uses least-privilege ServiceAccounts.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+
+# FluxCD Kustomization and HelmRelease Review
+
+## Purpose
+
+Review FluxCD `Kustomization`, `HelmRelease`, `GitRepository`, `HelmRepository`, and `OCIRepository` resources for source trust guarantees, SOPS secret encryption, prune-enabled blast radius on stateful workloads, per-Kustomization ServiceAccount scoping, HelmRelease upgrade remediation safety, and health check completeness. FluxCD's default posture gives the `kustomize-controller` cluster-admin-equivalent reach — the security surface lives in per-Kustomization ServiceAccounts, commit signature verification, SOPS encryption at rest, and prune annotation guards.
+
+## Lean operating rules
+
+- Prefer user-provided sanitized resource YAML as primary evidence; official FluxCD docs are the authoritative fallback.
+- Treat unencrypted Kubernetes `Secret` manifests committed to any Git source as a CRITICAL finding — anyone with repo read access (CI, PR participants, auditors) has those secrets.
+- Treat `GitRepository.spec.ref.semver: ">=0.0.0"` or an unbound semver range in a production source as a HIGH finding — any tag push from a compromised upstream triggers a deploy.
+- Treat the absence of `spec.verify.secretRef` (commit GPG signature verification) on production `GitRepository` sources as a HIGH finding.
+- Treat `Kustomization.spec.serviceAccountName` not set as a HIGH finding — the kustomize-controller SA applies with cluster-admin-equivalent scope for all tenants.
+- Treat `spec.prune: true` on Kustomizations covering stateful workloads (StatefulSets, PVCs, CRDs) without `kustomize.toolkit.fluxcd.io/prune: disabled` annotations as a HIGH finding.
+- Treat `HelmRelease.spec.chart.spec.version: "*"` or an unbound version range as a HIGH finding — any upstream chart publish triggers an auto-upgrade.
+- Treat `HelmRelease.spec.upgrade.remediation.retries: -1` (infinite retry) as a MEDIUM finding — a broken release blocks other reconciliation loops indefinitely.
+- Keep the answer scoped: report what was reviewed, the evidence level, and the exact field path for each finding.
+
+## References
+
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md)
+
+## Response minimum
+
+- Scoped target (resource kind/name/namespace) and evidence level
+- Source trust verdict (commit verification, semver pinning, SOPS encryption)
+- Kustomization ServiceAccount scope assessment
+- Prune safety verdict for any stateful workloads
+- HelmRelease version pinning and upgrade remediation assessment
+- Health check completeness verdict
+- Safe next actions and open questions

package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json

@@ -0,0 +1,22 @@
+{
+  "id": "fluxcd-kustomization-helmrelease-review",
+  "name": "FluxCD Kustomization and HelmRelease Review",
+  "type": "skill",
+  "provider": "fluxcd",
+  "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
+  "summary": "Review FluxCD Kustomization, HelmRelease, GitRepository, HelmRepository, and OCIRepository resources for source trust, SOPS encryption, prune blast-radius, ServiceAccount scope, and upgrade remediation safety.",
+  "source_type": "original",
+  "official_docs": [
+    "https://fluxcd.io/flux/components/kustomize/kustomizations/",
+    "https://fluxcd.io/flux/components/helm/helmreleases/",
+    "https://fluxcd.io/flux/components/source/gitrepositories/",
+    "https://fluxcd.io/flux/guides/repository-structure/",
+    "https://fluxcd.io/flux/security/secrets-management/",
+    "https://fluxcd.io/flux/installation/configuration/multitenancy/"
+  ],
+  "security_notes": "Plaintext Kubernetes Secret manifests committed to a FluxCD Git source are exposed to anyone with repo read access — including CI systems, PR participants, and auditors. GitRepository sources without commit signature verification allow any commit (including injected ones) to deploy to production.",
+  "last_verified": "2026-05-02",
+  "path": "skills/fluxcd/fluxcd-kustomization-helmrelease-review",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}