@raishin/vanguard-frontier-agentic 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (442)
  1. package/README.md +231 -113
  2. package/agents/AGENTS.md +263 -21
  3. package/agents/argocd/README.md +46 -0
  4. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
  5. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
  6. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
  7. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
  8. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
  9. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
  10. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
  11. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
  12. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
  13. package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
  14. package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
  15. package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
  16. package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
  17. package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
  18. package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
  19. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
  20. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
  21. package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
  22. package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
  23. package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
  24. package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
  25. package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
  26. package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
  27. package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
  28. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  29. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
  30. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  31. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  32. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  33. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  34. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  35. package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
  36. package/agents/azure/README.md +45 -0
  37. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
  38. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  39. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
  40. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  41. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  42. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  43. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  44. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  45. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
  46. package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +10 -1
  47. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +10 -1
  48. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +10 -1
  49. package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +10 -1
  50. package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
  51. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
  52. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
  53. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
  54. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
  55. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
  56. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  57. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  58. package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
  59. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +10 -1
  60. package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +11 -2
  61. package/agents/backstage/README.md +36 -0
  62. package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
  63. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
  64. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
  65. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
  66. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
  67. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
  68. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
  69. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
  70. package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
  71. package/agents/cert-manager/README.md +46 -0
  72. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
  73. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
  74. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
  75. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
  76. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
  77. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
  78. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
  79. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
  80. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
  81. package/agents/cilium/README.md +46 -0
  82. package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
  83. package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  84. package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
  85. package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
  86. package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
  87. package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
  88. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  89. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  90. package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
  91. package/agents/falco/README.md +36 -0
  92. package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
  93. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
  94. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
  95. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
  96. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
  97. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
  98. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
  99. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
  100. package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
  101. package/agents/finops/README.md +27 -0
  102. package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +10 -1
  103. package/agents/fluxcd/README.md +39 -0
  104. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
  105. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
  106. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
  107. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
  108. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
  109. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
  110. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
  111. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
  112. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
  113. package/agents/istio/README.md +46 -0
  114. package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
  115. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
  116. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
  117. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
  118. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
  119. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
  120. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
  122. package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
  123. package/agents/kubernetes/README.md +143 -0
  124. package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
  125. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
  126. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
  127. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
  128. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
  129. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
  130. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
  131. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
  132. package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
  133. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
  134. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
  135. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
  136. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
  137. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
  138. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
  139. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
  140. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
  141. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
  142. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
  143. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  144. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
  145. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  146. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  147. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  148. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  149. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  150. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +36 -0
  151. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
  152. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
  153. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
  154. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
  155. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
  156. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
  157. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  158. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  159. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +36 -0
  160. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
  161. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  162. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
  163. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  164. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  165. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  166. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  167. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  168. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +36 -0
  169. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
  170. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  171. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
  172. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  173. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  174. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  175. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  176. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  177. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +36 -0
  178. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
  179. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
  180. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
  181. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
  182. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
  183. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
  184. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  185. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  186. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
  187. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
  188. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
  189. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
  190. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
  191. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
  192. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
  193. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  194. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
  195. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +37 -0
  196. package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
  197. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
  198. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
  199. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
  200. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
  201. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
  202. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  203. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  204. package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
  205. package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
  206. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
  207. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
  208. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
  209. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
  210. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
  211. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
  212. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
  213. package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
  214. package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
  215. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
  216. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
  217. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
  218. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
  219. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
  220. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
  221. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
  222. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +37 -0
  223. package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
  224. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
  225. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
  226. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
  227. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
  228. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
  229. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
  230. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
  231. package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
  232. package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
  233. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
  234. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
  235. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
  236. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
  237. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
  238. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
  239. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
  240. package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
  241. package/agents/kyverno/README.md +46 -0
  242. package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
  243. package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  244. package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
  245. package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
  246. package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
  247. package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
  248. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  249. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  250. package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
  251. package/agents/oci/README.md +45 -0
  252. package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
  253. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  254. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
  255. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  256. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  257. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  258. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  259. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  260. package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
  261. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +11 -2
  262. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +11 -2
  263. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +10 -1
  264. package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
  265. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
  266. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
  267. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
  268. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
  269. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
  270. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  271. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  272. package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
  273. package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +11 -2
  274. package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +10 -1
  275. package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +10 -1
  276. package/agents/opentelemetry/README.md +37 -0
  277. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
  278. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
  279. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
  280. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
  281. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
  282. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
  283. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
  284. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
  285. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
  286. package/agents/prometheus/README.md +36 -0
  287. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
  288. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
  289. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
  290. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
  291. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
  292. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
  293. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
  294. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
  295. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
  296. package/agents/sigstore/README.md +38 -0
  297. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
  298. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
  299. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
  300. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
  301. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
  302. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
  303. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
  304. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
  305. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
  306. package/agents/terraform/README.md +29 -0
  307. package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
  308. package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
  309. package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
  310. package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
  311. package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
  312. package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
  313. package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
  314. package/agents/terraform/terraform-reviewer/metadata.json +10 -1
  315. package/agents/velero/README.md +41 -0
  316. package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
  317. package/catalog/agents.json +1452 -634
  318. package/catalog/install-roles.json +455 -0
  319. package/catalog/skill-manifest.json +757 -3
  320. package/catalog/skills.json +1298 -528
  321. package/package.json +11 -1
  322. package/scripts/export-marketplace-agents.mjs +100 -9
  323. package/scripts/update-catalog-new-agents.py +88 -0
  324. package/skills/argocd/README.md +30 -0
  325. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +40 -0
  326. package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
  327. package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
  328. package/skills/argocd/argocd-gitops-review/SKILL.md +43 -0
  329. package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
  330. package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
  331. package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
  332. package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
  333. package/skills/aws/README.md +3 -1
  334. package/skills/aws/aws-maestro/references/workflow-and-output.md +2 -0
  335. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +39 -0
  336. package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
  337. package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
  338. package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
  339. package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
  340. package/skills/azure/README.md +3 -1
  341. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +37 -0
  342. package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
  343. package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
  344. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +56 -0
  345. package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
  346. package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
  347. package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
  348. package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
  349. package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
  350. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +39 -0
  351. package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
  352. package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
  353. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +40 -0
  354. package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
  355. package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
  356. package/skills/cilium/README.md +30 -0
  357. package/skills/cilium/cilium-network-policy-review/SKILL.md +43 -0
  358. package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
  359. package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
  360. package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
  361. package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
  362. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +37 -0
  363. package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
  364. package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
  365. package/skills/finops/README.md +30 -0
  366. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +40 -0
  367. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
  368. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
  369. package/skills/istio/README.md +28 -0
  370. package/skills/istio/istio-ambient-mesh-review/SKILL.md +43 -0
  371. package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
  372. package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
  373. package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
  374. package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
  375. package/skills/kubernetes/README.md +30 -0
  376. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +37 -0
  377. package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
  378. package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
  379. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +40 -0
  380. package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
  381. package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
  382. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +57 -0
  383. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
  384. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
  385. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
  386. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
  387. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
  388. package/skills/kubernetes/kubernetes-maestro/SKILL.md +45 -0
  389. package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
  390. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
  391. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
  392. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +43 -0
  393. package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
  394. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
  395. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
  396. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
  397. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +38 -0
  398. package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
  399. package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
  400. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +38 -0
  401. package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
  402. package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
  403. package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
  404. package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
  405. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +43 -0
  406. package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
  407. package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
  408. package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
  409. package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
  410. package/skills/kyverno/README.md +30 -0
  411. package/skills/kyverno/kyverno-policy-review/SKILL.md +43 -0
  412. package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
  413. package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
  414. package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
  415. package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
  416. package/skills/oci/README.md +63 -0
  417. package/skills/oci/oci-certificates-issuer-review/SKILL.md +37 -0
  418. package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
  419. package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
  420. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +57 -0
  421. package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
  422. package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
  423. package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
  424. package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
  425. package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
  426. package/skills/opentelemetry/README.md +31 -0
  427. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +44 -0
  428. package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
  429. package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
  430. package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
  431. package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
  432. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +38 -0
  433. package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
  434. package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
  435. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +39 -0
  436. package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
  437. package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
  438. package/skills/terraform/README.md +29 -0
  439. package/skills/velero/velero-backup-restore-guard/SKILL.md +41 -0
  440. package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
  441. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
  442. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@raishin/vanguard-frontier-agentic",
3
- "version": "1.2.0",
3
+ "version": "1.3.0",
4
4
  "description": "Cloud and zero-trust agentic workflow marketplace for skills, agents, rules, MCP references, and compliance-aware architecture.",
5
5
  "license": "Apache-2.0",
6
6
  "type": "commonjs",
@@ -30,6 +30,16 @@
30
30
  "validate:links": "python3 tests/validate-links.py --offline",
31
31
  "validate": "npm run validate:catalog && npm run validate:aws && npm run manifest:check && npm run validate:links"
32
32
  },
33
+ "devDependencies": {
34
+ "semantic-release": "25.0.3",
35
+ "@semantic-release/changelog": "6.0.3",
36
+ "@semantic-release/git": "10.0.1",
37
+ "@semantic-release/npm": "13.1.5",
38
+ "@semantic-release/github": "12.0.6",
39
+ "@semantic-release/commit-analyzer": "13.0.1",
40
+ "@semantic-release/release-notes-generator": "14.1.0",
41
+ "conventional-changelog-conventionalcommits": "8.0.0"
42
+ },
33
43
  "publishConfig": {
34
44
  "access": "public"
35
45
  },
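Review bot: exact version pins in the new `devDependencies` block fix only the eight direct packages, not what they pull in, and this tooling (`@semantic-release/npm`, `@semantic-release/git`, `@semantic-release/github`) runs with publish and push credentials. Confirm that a lockfile is committed and that the release job installs with `npm ci`, and note in the README that these packages are release tooling only.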
@@ -49,15 +49,24 @@ Export selected marketplace agents into a consumer repository.
49
49
 
50
50
  Usage:
51
51
  vfa-export-agents --platform <platform> --agents <agent-id[,agent-id...]> [--repo <path>] [--force]
52
+ vfa-export-agents --platform <platform> --role <role-id> [--provider <provider>] [--repo <path>] [--force]
52
53
  vfa-export-agents --platform <platform> --all [--repo <path>] [--force]
53
54
  vfa-export-agents --list
55
+ vfa-export-agents --list-roles
54
56
 
55
57
  Platforms:
56
58
  codex, copilot, claude-code, cursor, gemini, kiro, kiro-ide, kiro-cli
57
59
 
60
+ Roles:
61
+ cloud-security-engineer, cloud-platform-engineer, cloud-dba,
62
+ cloud-finops-analyst, cloud-solutions-architect, cloud-devops-engineer
63
+
58
64
  Examples:
59
65
  vfa-export-agents --list
66
+ vfa-export-agents --list-roles
60
67
  vfa-export-agents --platform claude-code --agents azure-cosmosdb-platform-operator-agent
68
+ vfa-export-agents --platform claude-code --role cloud-security-engineer
69
+ vfa-export-agents --platform claude-code --role cloud-security-engineer --provider azure
61
70
  vfa-export-agents --platform kiro --agents azure-cosmosdb-platform-operator-agent --repo ../consumer-repo
62
71
  vfa-export-agents --platform copilot --all --repo /path/to/project --force
63
72
  `.trim();
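Review bot: the `Roles:` block in the usage text hardcodes six role ids, while the ids that `--role` accepts are read from `catalog/install-roles.json` at run time, so the help will drift when the catalog changes. Replace the list with a pointer to `--list-roles`. The usage lines also do not say what happens when `--role` is combined with `--agents` or `--all`, or that `--provider` only takes effect together with `--role`; state the precedence here.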
@@ -70,9 +79,12 @@ function parseArgs(argv) {
70
79
  repo: process.cwd(),
71
80
  force: false,
72
81
  list: false,
82
+ listRoles: false,
73
83
  all: false,
74
84
  agents: [],
75
85
  platform: null,
86
+ role: null,
87
+ provider: null,
76
88
  };
77
89
 
78
90
  for (let i = 0; i < argv.length; i += 1) {
@@ -82,6 +94,10 @@ function parseArgs(argv) {
82
94
  args.list = true;
83
95
  continue;
84
96
  }
97
+ if (arg === "--list-roles") {
98
+ args.listRoles = true;
99
+ continue;
100
+ }
85
101
  if (arg === "--force") {
86
102
  args.force = true;
87
103
  continue;
@@ -105,6 +121,14 @@ function parseArgs(argv) {
105
121
  .filter(Boolean);
106
122
  continue;
107
123
  }
124
+ if (arg === "--role") {
125
+ args.role = argv[++i] ?? "";
126
+ continue;
127
+ }
128
+ if (arg === "--provider") {
129
+ args.provider = argv[++i] ?? "";
130
+ continue;
131
+ }
108
132
  usage(1);
109
133
  }
110
134
 
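Review bot: `args.role = argv[++i] ?? "";` and the matching `--provider` line accept a missing value silently. An empty string is falsy, so a trailing `--role` skips the `if (args.role)` branch in `main()` and falls through to the `--all` or `--agents` path, and a trailing `--provider` skips the provider filter. `--role --force` also consumes `--force` as the role id. Call `usage(1)` when the next token is absent or starts with `--`.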
@@ -174,6 +198,10 @@ function assertWithin(parent, child, label) {
174
198
  }
175
199
 
176
200
  function copyFile(source, destination, force) {
201
+ const sourceStat = fs.lstatSync(source);
202
+ if (sourceStat.isSymbolicLink()) {
203
+ throw new Error(`Refusing to copy symbolic link as harness source: ${source}`);
204
+ }
177
205
  if (!force && fs.existsSync(destination)) {
178
206
  throw new Error(`Refusing to overwrite existing file without --force: ${destination}`);
179
207
  }
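Review bot: the `lstatSync(source)` check at the top of `copyFile` inspects only the final path component of the source and nothing on the destination side. `fs.existsSync(destination)` follows links, so it reports false for a dangling symbolic link and `fs.copyFileSync` then writes through it even without `--force`; with `--force` an existing link at the destination is followed as well. Add an `lstatSync` on the destination (tolerating ENOENT) that refuses symbolic links, and consider resolving the source with `fs.realpathSync` before the check so a symlinked parent directory is caught too.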
@@ -181,12 +209,28 @@ function copyFile(source, destination, force) {
181
209
  fs.copyFileSync(source, destination);
182
210
  }
183
211
 
212
+ function loadRoles() {
213
+ const rolesPath = path.join(repoRoot, "catalog", "install-roles.json");
214
+ if (!fs.existsSync(rolesPath)) {
215
+ throw new Error("catalog/install-roles.json not found. Ensure the package is correctly installed.");
216
+ }
217
+ return JSON.parse(fs.readFileSync(rolesPath, "utf8"));
218
+ }
219
+
184
220
  function listAgents(agents) {
185
221
  for (const agent of agents.sort((a, b) => a.id.localeCompare(b.id))) {
186
222
  console.log(`${agent.id}\t${agent.provider}\t${agent.name}`);
187
223
  }
188
224
  }
189
225
 
226
+ function listRoles(rolesData) {
227
+ for (const [roleId, role] of Object.entries(rolesData.roles)) {
228
+ const agentCount = role.agents.length;
229
+ const skillCount = (role.skills ?? []).length;
230
+ console.log(`${roleId}\t${role.label}\t${agentCount} agents, ${skillCount} skills`);
231
+ }
232
+ }
233
+
190
234
  function buildDestinations(agent, platform) {
191
235
  const config = PLATFORM_CONFIG[platform];
192
236
  const destinations = [];
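Review bot: `loadRoles()` returns the parsed JSON without checking its shape, and `listRoles` reads `role.agents.length` unguarded while `role.skills` gets a `?? []` fallback. A role entry without an `agents` array, or a file without a top-level `roles` object, fails with a bare TypeError instead of a catalog error. Validate in `loadRoles()` that `roles` is an object and that each `agents` value is an array of strings, and wrap `JSON.parse` so a malformed file is reported with its path.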
@@ -222,6 +266,16 @@ function buildDestinations(agent, platform) {
222
266
 
223
267
  function main() {
224
268
  const args = parseArgs(process.argv.slice(2));
269
+
270
+ const cwd = process.cwd();
271
+ const cwdWithSep = cwd.endsWith(path.sep) ? cwd : cwd + path.sep;
272
+ if (args.repo !== cwd && !args.repo.startsWith(cwdWithSep)) {
273
+ process.stderr.write(
274
+ `[vfa] Warning: --repo '${args.repo}' is outside the current working directory.\n` +
275
+ `[vfa] Verify this is the intended target before continuing.\n`
276
+ );
277
+ }
278
+
225
279
  const { agents, byId } = loadAgents();
226
280
 
227
281
  if (args.list) {
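Review bot: the outside-cwd check compares `args.repo` with `cwd` as raw strings via `startsWith`, so its result depends on `args.repo` already being absolute and normalized, which this hunk does not show; the usage example `--repo ../consumer-repo` is relative. Resolve first and test with `path.relative(cwd, path.resolve(args.repo))`, flagging results that start with `..` or are absolute. The warning is also written before the `--list` and `--list-roles` early returns, where no files are written; move it below them.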
@@ -229,19 +283,56 @@ function main() {
229
283
  return;
230
284
  }
231
285
 
286
+ if (args.listRoles) {
287
+ const rolesData = loadRoles();
288
+ listRoles(rolesData);
289
+ return;
290
+ }
291
+
232
292
  const platform = ensurePlatform(args.platform);
233
- const selectedAgents = args.all
234
- ? agents
235
- : args.agents.map((agentId) => {
236
- const agent = byId.get(agentId);
237
- if (!agent) {
238
- throw new Error(`Unknown agent id: ${agentId}`);
239
- }
240
- return agent;
293
+
294
+ let selectedAgents;
295
+ if (args.role) {
296
+ const rolesData = loadRoles();
297
+ const role = Object.hasOwn(rolesData.roles, args.role) ? rolesData.roles[args.role] : undefined;
298
+ if (!role) {
299
+ const validRoles = Object.keys(rolesData.roles).join(", ");
300
+ throw new Error(`Unknown role: ${args.role}. Valid roles: ${validRoles}`);
301
+ }
302
+ let roleAgentIds = role.agents;
303
+ if (args.provider) {
304
+ if (!/^[a-z0-9][a-z0-9-]*$/.test(args.provider)) {
305
+ throw new Error(`Invalid --provider value. Must match /^[a-z0-9][a-z0-9-]*$/.`);
306
+ }
307
+ roleAgentIds = roleAgentIds.filter((id) => {
308
+ const agent = byId.get(id);
309
+ return agent && agent.provider === args.provider;
241
310
  });
311
+ if (roleAgentIds.length === 0) {
312
+ throw new Error(`No agents found for role '${args.role}' with the requested provider.`);
313
+ }
314
+ }
315
+ selectedAgents = roleAgentIds.map((agentId) => {
316
+ const agent = byId.get(agentId);
317
+ if (!agent) {
318
+ throw new Error(`Role '${args.role}' references unknown agent id: ${agentId}. Run npm run validate to check catalog integrity.`);
319
+ }
320
+ return agent;
321
+ });
322
+ } else if (args.all) {
323
+ selectedAgents = agents;
324
+ } else {
325
+ selectedAgents = args.agents.map((agentId) => {
326
+ const agent = byId.get(agentId);
327
+ if (!agent) {
328
+ throw new Error(`Unknown agent id: ${agentId}`);
329
+ }
330
+ return agent;
331
+ });
332
+ }
242
333
 
243
334
  if (selectedAgents.length === 0) {
244
- throw new Error("No agents selected. Use --agents or --all.");
335
+ throw new Error("No agents selected. Use --agents, --role, or --all.");
245
336
  }
246
337
 
247
338
  const operations = [];
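Review bot: in the new `if (args.role)` / `else if (args.all)` / `else` chain, `--role` silently wins over `--all` and `--agents`, and `--provider` is validated and applied only inside the role branch, so `--all --provider azure` exports every agent with the filter ignored. Reject more than one of `--role`, `--all` and `--agents`, and reject `--provider` without `--role`, with a usage error. The `Object.hasOwn` guard on the role lookup is the right protection against inherited keys and should stay.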
@@ -0,0 +1,88 @@
1
+ #!/usr/bin/env python3
2
+ """Add all new agent and skill metadata.json entries to catalog JSON files."""
3
+
4
+ from __future__ import annotations
5
+
6
+ import json
7
+ from pathlib import Path
8
+
9
+ ROOT = Path(__file__).resolve().parents[1]
10
+
11
+ CATALOG_AGENTS = ROOT / "catalog" / "agents.json"
12
+ CATALOG_SKILLS = ROOT / "catalog" / "skills.json"
13
+
14
+ CATALOG_FIELDS_AGENT = {
15
+ "id", "name", "type", "provider", "summary", "path",
16
+ "harnesses", "last_verified", "official_docs", "security_notes",
17
+ "source_type", "version",
18
+ }
19
+ CATALOG_FIELDS_SKILL = CATALOG_FIELDS_AGENT | {"author"}
20
+
21
+
22
+ def metadata_to_catalog_entry(m: dict, kind: str) -> dict:
23
+ entry: dict = {}
24
+ for key in ("id", "name", "type", "provider", "harnesses", "summary",
25
+ "source_type", "official_docs", "security_notes",
26
+ "last_verified", "path", "version"):
27
+ if key in m:
28
+ entry[key] = m[key]
29
+ # Normalise path — strip trailing slash
30
+ if "path" in entry and isinstance(entry["path"], str):
31
+ entry["path"] = entry["path"].rstrip("/")
32
+ if kind == "skill" and "author" in m:
33
+ entry["author"] = m["author"]
34
+ return entry
35
+
36
+
37
+ def main() -> None:
38
+ agents_catalog: list[dict] = json.loads(CATALOG_AGENTS.read_text(encoding="utf-8"))
39
+ skills_catalog: list[dict] = json.loads(CATALOG_SKILLS.read_text(encoding="utf-8"))
40
+
41
+ existing_agent_ids = {e["id"] for e in agents_catalog}
42
+ existing_skill_ids = {e["id"] for e in skills_catalog}
43
+
44
+ new_agents: list[dict] = []
45
+ for meta_path in sorted(ROOT.glob("agents/**/metadata.json")):
46
+ m = json.loads(meta_path.read_text(encoding="utf-8"))
47
+ if m.get("type") != "agent":
48
+ continue
49
+ if m["id"] not in existing_agent_ids:
50
+ entry = metadata_to_catalog_entry(m, "agent")
51
+ new_agents.append(entry)
52
+ print(f" + agent: {entry['id']}")
53
+
54
+ new_skills: list[dict] = []
55
+ for meta_path in sorted(ROOT.glob("skills/**/metadata.json")):
56
+ m = json.loads(meta_path.read_text(encoding="utf-8"))
57
+ if m.get("type") != "skill":
58
+ continue
59
+ if m["id"] not in existing_skill_ids:
60
+ entry = metadata_to_catalog_entry(m, "skill")
61
+ new_skills.append(entry)
62
+ print(f" + skill: {entry['id']}")
63
+
64
+ if new_agents:
65
+ agents_catalog.extend(new_agents)
66
+ agents_catalog.sort(key=lambda x: x["id"])
67
+ CATALOG_AGENTS.write_text(
68
+ json.dumps(agents_catalog, indent=2, ensure_ascii=False) + "\n",
69
+ encoding="utf-8",
70
+ )
71
+ print(f"\nWrote {len(agents_catalog)} agents to {CATALOG_AGENTS.relative_to(ROOT)}")
72
+ else:
73
+ print("No new agents to add.")
74
+
75
+ if new_skills:
76
+ skills_catalog.extend(new_skills)
77
+ skills_catalog.sort(key=lambda x: x["id"])
78
+ CATALOG_SKILLS.write_text(
79
+ json.dumps(skills_catalog, indent=2, ensure_ascii=False) + "\n",
80
+ encoding="utf-8",
81
+ )
82
+ print(f"Wrote {len(skills_catalog)} skills to {CATALOG_SKILLS.relative_to(ROOT)}")
83
+ else:
84
+ print("No new skills to add.")
85
+
86
+
87
+ if __name__ == "__main__":
88
+ main()
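Review bot: `existing_agent_ids` and `existing_skill_ids` are never updated inside the two discovery loops, so two `metadata.json` files that share an `id` are both appended and the catalog ends up with a duplicate id. Add each id to the set after appending, or fail on the collision. In the same loops `m["id"]` raises a bare KeyError for metadata without an `id`. `CATALOG_FIELDS_AGENT` and `CATALOG_FIELDS_SKILL` are defined but never used. `path` is copied from the metadata rather than derived from `meta_path`, so an entry can point somewhere other than its own directory; derive it from `meta_path.parent.relative_to(ROOT)` or check that the two agree.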
@@ -0,0 +1,30 @@
1
+ # 🚢 Argo CD Skills
2
+
3
+ <p align="center">
4
+ <!-- 🖼️ Add an Argo CD logo to assets/logos/cnative/argocd/ and update this path -->
5
+ <span style="font-size:3.5em">🚢</span>
6
+ </p>
7
+
8
+ This folder contains Argo CD-focused skills curated for this marketplace.
9
+
10
+ ## Local marketplace portfolio
11
+
12
+ This folder contains **1** local Argo CD skill:
13
+
14
+ - `argocd-gitops-review`
15
+
16
+ ## Portfolio posture
17
+
18
+ Argo CD skills for evidence-backed GitOps delivery review across `Application`, `AppProject`, `ApplicationSet`, sync windows, RBAC, sync impersonation, and multi-cluster (Argo CD Agent) topologies.
19
+
20
+ These skills are intentionally conservative:
21
+
22
+ - prefer `kubectl get applications,appprojects,applicationsets -n argocd -o yaml` and `argocd-cm` configmap state for live grounding before any review
23
+ - treat `application.sync.impersonation.enabled: false` in production as a critical finding — the controller's cluster-admin ServiceAccount is the sync identity
24
+ - treat `AppProject` with `sourceRepos: ['*']` and `destinations: ['*']` as a wide-blast-radius finding requiring explicit justification
25
+ - challenge `automated.prune: true` + `automated.selfHeal: true` on production Applications — Git divergence becomes irreversible deletion
26
+ - challenge `ApplicationSet` generators that include unbounded clusters or label selectors — one mis-labeled cluster joins the rollout
27
+ - prefer `destinationServiceAccounts` (per-Application impersonation) over the controller's default cluster-admin
28
+ - use official Argo CD documentation (argo-cd.readthedocs.io) for sync semantics, RBAC syntax, ApplicationSet strategies, and Argo CD Agent hub-and-spoke topology
29
+
30
+ Run `npm run validate` after changing cataloged Argo CD skills.
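Review bot: the portfolio section states `This folder contains **1** local Argo CD skill` and lists only `argocd-gitops-review`, but this release also adds `skills/argocd/argo-rollouts-progressive-delivery-review/` to the same folder. Update the count to 2, list both skills, and extend the posture paragraph to cover Rollouts. The HTML comment about adding a logo is a leftover TODO; drop it or track it in an issue.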
@@ -0,0 +1,40 @@
1
+ ---
2
+ name: argo-rollouts-progressive-delivery-review
3
+ description: Use this skill when reviewing Argo Rollouts progressive delivery configuration. Trigger when the user asks about canary or blue-green Rollout strategy correctness, AnalysisTemplate success/failure conditions, traffic weighting provider alignment, canaryService isolation, PDB deadlock risk with Rollout maxSurge settings, automated rollback posture, or manual vs automated promotion configuration.
4
+ metadata:
5
+ author: "github: Raishin"
6
+ version: "0.1.0"
7
+ ---
8
+
9
+ # Argo Rollouts Progressive Delivery Review
10
+
11
+ ## Purpose
12
+
13
+ Review Argo Rollouts canary and blue-green strategy configuration, AnalysisTemplate success and failure condition correctness, traffic management provider alignment, canaryService vs stableService isolation, PDB compatibility with Rollout surge settings, and automated rollback posture. Argo Rollouts' safety depends entirely on AnalysisTemplate conditions that actually fail — an always-true successCondition means automated rollback never fires, regardless of actual error rates.
14
+
15
+ ## Lean operating rules
16
+
17
+ - Prefer live evidence (`kubectl get rollout -A -o yaml`, `kubectl get analysistemplate -A -o yaml`, `kubectl argo rollouts status <name>`) when the active client exposes it; otherwise fall back to official Argo Rollouts documentation and sanitized YAML from the user.
18
+ - Separate confirmed facts from inference. If AnalysisTemplate metric query results, traffic provider actual behavior, or PDB state was not directly queried, say so.
19
+ - Treat an AnalysisTemplate with a successCondition that always evaluates to true (e.g., `result >= 0`, `true`) as a critical finding — automated rollback can never fire.
20
+ - Treat a Rollout with no separate `canaryService` from `stableService` as a high finding — canary traffic isolation is broken.
21
+ - Treat a production Rollout using `pause: {}` (manual promotion) with no AnalysisTemplate as a high finding — there is no automated quality gate.
22
+ - Treat a traffic provider in `spec.strategy.canary.trafficRouting` that does not match the actual ingress controller installed in the cluster as a high finding — weight changes are silently ignored.
23
+ - Treat `failureLimit: 100` or higher on an error-rate metric as a medium finding — the analysis tolerates far too many errors before marking Degraded.
24
+ - Keep the answer scoped, evidence-labeled, and explicit about what was not queried.
25
+
26
+ ## References
27
+
28
+ Load these only when needed:
29
+ - [Workflow and output contract](references/workflow-and-output.md)
30
+
31
+ ## Response minimum
32
+
33
+ Return, at minimum:
34
+ - the scoped target (Rollout name, AnalysisTemplate name, or traffic provider config) and evidence level,
35
+ - the deployment strategy (canary with steps vs canary without steps, blue-green) and whether steps include AnalysisRun gates,
36
+ - AnalysisTemplate successCondition and failureCondition correctness,
37
+ - canaryService vs stableService isolation posture,
38
+ - traffic provider alignment with the actual cluster ingress,
39
+ - PDB compatibility with Rollout maxSurge/maxUnavailable,
40
+ - the safest next actions and any assumptions or blockers.
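Review bot: the lean operating rules assign a severity to five findings, but none covers the PDB deadlock case, although the frontmatter `description` triggers on it and the response minimum requires `PDB compatibility with Rollout maxSurge/maxUnavailable`. Add a rule with a severity for a PDB that blocks eviction combined with `maxUnavailable: 0`. A rule for a missing `failureCondition` would also belong here, so the short rules list names every finding the response must report.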
@@ -0,0 +1,22 @@
1
+ {
2
+ "id": "argo-rollouts-progressive-delivery-review",
3
+ "name": "Argo Rollouts Progressive Delivery Review",
4
+ "type": "skill",
5
+ "provider": "argocd",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review Argo Rollouts canary and blue-green strategy configuration, AnalysisTemplate success/failure conditions, traffic management provider alignment, canaryService isolation, PDB deadlock risk, and automated rollback posture for progressive delivery safety.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://argoproj.github.io/argo-rollouts/",
11
+ "https://argoproj.github.io/argo-rollouts/features/canary/",
12
+ "https://argoproj.github.io/argo-rollouts/features/analysis/",
13
+ "https://argoproj.github.io/argo-rollouts/features/traffic-management/",
14
+ "https://argoproj.github.io/argo-rollouts/features/bluegreen/",
15
+ "https://argoproj.github.io/argo-rollouts/generated/kubectl-argo-rollouts/kubectl-argo-rollouts_promote/"
16
+ ],
17
+ "security_notes": "AnalysisTemplates with always-true success conditions defeat automated rollback entirely. A canary that never fails analysis will silently promote a broken release to 100% production traffic.",
18
+ "last_verified": "2026-05-02",
19
+ "path": "skills/argocd/argo-rollouts-progressive-delivery-review",
20
+ "author": "github: Raishin",
21
+ "version": "0.1.0"
22
+ }
@@ -0,0 +1,248 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Workflow
4
+
5
+ ### Step 1 — Identify scope and collect raw evidence
6
+
7
+ 1. Confirm the review target: a specific Rollout resource, an AnalysisTemplate, a traffic provider configuration, or a PDB compatibility question.
8
+ 2. List all Rollouts and their strategies:
9
+ ```bash
10
+ kubectl get rollout -A -o yaml
11
+ ```
12
+ For each Rollout, note the strategy type (`canary` or `blueGreen`) and whether `spec.strategy.canary.steps` is non-empty.
13
+ 3. List all AnalysisTemplates:
14
+ ```bash
15
+ kubectl get analysistemplate -A -o yaml
16
+ kubectl get clusteranalysistemplate -o yaml 2>/dev/null
17
+ ```
18
+ 4. Check current Rollout status and any active AnalysisRuns:
19
+ ```bash
20
+ kubectl argo rollouts status <rollout-name> -n <namespace>
21
+ kubectl get analysisrun -A -o yaml
22
+ ```
23
+
24
+ ### Step 2 — Audit Rollout strategy and steps
25
+
26
+ A Rollout without steps behaves like a standard Deployment — no progressive traffic shifting occurs.
27
+
28
+ 1. Check whether `spec.strategy.canary.steps` is non-empty and includes analysis gates:
29
+ ```yaml
30
+ # CORRECT: canary with weight steps and analysis gate
31
+ strategy:
32
+ canary:
33
+ canaryService: my-app-canary
34
+ stableService: my-app-stable
35
+ trafficRouting:
36
+ nginx:
37
+ stableIngress: my-app-ingress
38
+ steps:
39
+ - setWeight: 10
40
+ - pause: {duration: 5m}
41
+ - analysis:
42
+ templates:
43
+ - templateName: error-rate-check
44
+ - setWeight: 50
45
+ - pause: {duration: 10m}
46
+ - analysis:
47
+ templates:
48
+ - templateName: error-rate-check
49
+
50
+ # RISKY: no steps — immediately shifts all traffic
51
+ strategy:
52
+ canary:
53
+ maxSurge: "100%"
54
+ maxUnavailable: 0
55
+ ```
56
+ 2. Flag as **HIGH** if `maxSurge: 100%` is set with no steps — 100% of replicas are replaced before any analysis runs.
57
+ 3. For blue-green Rollouts, check whether `autoPromotionEnabled` is set:
58
+ ```yaml
59
+ # Requires manual promotion
60
+ strategy:
61
+ blueGreen:
62
+ activeService: my-app-active
63
+ previewService: my-app-preview
64
+ autoPromotionEnabled: false
65
+ ```
66
+ `autoPromotionEnabled: true` in production without a `prePromotionAnalysis` is a high finding.
67
+
68
+ ### Step 3 — Audit AnalysisTemplate success and failure conditions
69
+
70
+ This is the most critical control — conditions that always evaluate true defeat automated rollback entirely.
71
+
72
+ 1. For each AnalysisTemplate metric, inspect:
73
+ - `spec.metrics[].successCondition` — when is the metric considered passing?
74
+ - `spec.metrics[].failureCondition` — when should it fail?
75
+ - `spec.metrics[].failureLimit` — how many failures are tolerated?
76
+ - `spec.metrics[].provider` — Prometheus, Datadog, web, job, etc.
77
+ 2. Example of a correctly configured error-rate AnalysisTemplate:
78
+ ```yaml
79
+ apiVersion: argoproj.io/v1alpha1
80
+ kind: AnalysisTemplate
81
+ metadata:
82
+ name: error-rate-check
83
+ spec:
84
+ metrics:
85
+ - name: error-rate
86
+ interval: 2m
87
+ count: 5
88
+ failureLimit: 0
89
+ provider:
90
+ prometheus:
91
+ address: http://prometheus.monitoring.svc.cluster.local:9090
92
+ query: |
93
+ sum(rate(http_requests_total{status=~"5..",deployment="{{args.deployment-name}}"}[2m]))
94
+ /
95
+ sum(rate(http_requests_total{deployment="{{args.deployment-name}}"}[2m]))
96
+ successCondition: result[0] < 0.01
97
+ failureCondition: result[0] >= 0.05
98
+ ```
99
+ 3. Flag as **CRITICAL** if `successCondition` evaluates true for all possible metric values:
100
+ - `result >= 0` (always true for any non-negative counter)
101
+ - `true` (literal boolean true)
102
+ - `result != "error"` (only fails on error, never on bad metric values)
103
+ 4. Flag as **HIGH** if `failureCondition` is absent — the metric can only succeed, never explicitly fail.
104
+ 5. Flag as **MEDIUM** if `failureLimit` is set to 100 or greater on an error-rate metric — 100 failures will be tolerated before marking Degraded.
105
+ 6. Flag as **HIGH** if the Prometheus query template references `{{args.deployment-name}}` but no `args` are passed in the Rollout's analysis step — the query evaluates against all deployments, returning misleading results.
106
+
107
+ ### Step 4 — Audit canaryService and stableService isolation
108
+
109
+ Without separate Services, canary pods receive the same traffic distribution as stable — canary traffic isolation does not exist.
110
+
111
+ 1. Check whether both `canaryService` and `stableService` are specified:
112
+ ```bash
113
+ kubectl get rollout <name> -o jsonpath='{.spec.strategy.canary.canaryService},{.spec.strategy.canary.stableService}'
114
+ ```
115
+ 2. Verify the Services exist and have the correct selector labels:
116
+ ```bash
117
+ kubectl get svc <canaryService> <stableService> -o yaml | grep -A 5 "selector"
118
+ ```
119
+ Argo Rollouts manages the `rollouts-pod-template-hash` selector on these Services automatically — verify neither has a hardcoded hash that bypasses Rollouts management.
120
+ 3. Flag as **HIGH** if `canaryService` is absent — all traffic hits the stable Service regardless of setWeight steps.
121
+
122
+ ### Step 5 — Audit traffic provider alignment
123
+
124
+ A misconfigured traffic provider silently ignores all weight changes.
125
+
126
+ 1. Check the traffic routing provider specified in the Rollout:
127
+ ```bash
128
+ kubectl get rollout <name> -o jsonpath='{.spec.strategy.canary.trafficRouting}'
129
+ ```
130
+ 2. Verify the specified provider is actually installed:
131
+ ```bash
132
+ # For Istio
133
+ kubectl get virtualservice -A | head -5
134
+ kubectl get destinationrule -A | head -5
135
+
136
+ # For Nginx
137
+ kubectl get ingressclass | grep nginx
138
+
139
+ # For AWS ALB
140
+ kubectl get ingressclass | grep alb
141
+
142
+ # For Traefik
143
+ kubectl get traefikservice -A 2>/dev/null | head -5
144
+ ```
145
+ 3. Common mismatches:
146
+ - Rollout specifies `trafficRouting.nginx` but the cluster uses AWS ALB Ingress Controller.
147
+ - Rollout specifies `trafficRouting.istio` but Istio is not installed or not managing the service's namespace.
148
+ 4. Flag as **HIGH** if the provider specified does not match installed ingress — weight steps are silently no-ops and all traffic remains on stable.
149
+
150
+ ### Step 6 — Audit PDB compatibility with Rollout surge settings
151
+
152
+ A PDB that prevents pod eviction can deadlock a canary rollout that requires replacing existing pods.
153
+
154
+ 1. Check PDBs in the same namespace as the Rollout:
155
+ ```bash
156
+ kubectl get pdb -n <namespace> -o yaml
157
+ ```
158
+ 2. Check Rollout maxUnavailable and maxSurge:
159
+ ```bash
160
+ kubectl get rollout <name> -o jsonpath='{.spec.strategy.canary.maxUnavailable},{.spec.strategy.canary.maxSurge}'
161
+ ```
162
+ 3. Identify deadlock conditions:
163
+ - `maxUnavailable: 0` in the Rollout means old pods cannot be removed until new pods are Ready.
164
+ - A PDB with `minAvailable: 100%` (or `maxUnavailable: 0`) means no pod can be evicted.
165
+ - Combined: new pods can never start because the cluster has no capacity, and old pods cannot be removed due to PDB — **deadlock**.
166
+ 4. Example of a safe PDB configuration alongside a canary Rollout:
167
+ ```yaml
168
+ # PDB: allow 1 unavailable pod during updates
169
+ apiVersion: policy/v1
170
+ kind: PodDisruptionBudget
171
+ metadata:
172
+ name: my-app-pdb
173
+ spec:
174
+ maxUnavailable: 1
175
+ selector:
176
+ matchLabels:
177
+ app: my-app
178
+
179
+ # Rollout: maxSurge allows creating new pods above desired count
180
+ strategy:
181
+ canary:
182
+ maxSurge: "25%"
183
+ maxUnavailable: 0
184
+ ```
185
+ 5. Flag as **HIGH** if `maxUnavailable: 0` in the Rollout and `maxUnavailable: 0` (or `minAvailable: 100%`) in a PDB matching the same pods.
186
+
187
+ ### Step 7 — Audit rollback posture and history
188
+
189
+ 1. Verify `revisionHistoryLimit` is set to retain enough history for a safe rollback:
190
+ ```bash
191
+ kubectl get rollout <name> -o jsonpath='{.spec.revisionHistoryLimit}'
192
+ ```
193
+ The default is 10. A limit of 1 means only one previous revision is retained — if the rollback target was already overwritten, rollback fails.
194
+ 2. Check `abortScaleDownDelaySeconds` for the canary:
195
+ ```bash
196
+ kubectl get rollout <name> -o jsonpath='{.spec.strategy.canary.abortScaleDownDelaySeconds}'
197
+ ```
198
+ Default is 30 seconds. Setting this to 0 means canary pods are immediately deleted on abort — useful for fast rollback but removes the ability to inspect the canary pods post-abort.
199
+ 3. To manually trigger a rollback:
200
+ ```bash
201
+ kubectl argo rollouts abort <rollout-name> -n <namespace>
202
+ kubectl argo rollouts undo <rollout-name> -n <namespace>
203
+ ```
204
+ 4. Verify automated abort is wired to the AnalysisRun:
205
+ ```bash
206
+ kubectl get analysisrun -A -o yaml | grep -A 5 "phase"
207
+ ```
208
+ An AnalysisRun in `Failed` phase should trigger the Rollout to transition to `Degraded` and initiate rollback automatically.
209
+
210
+ ### Step 8 — Verify Argo Rollouts controller health
211
+
212
+ A degraded or missing Argo Rollouts controller means all Rollout objects are frozen — no progression, no rollback, no weight changes.
213
+
214
+ 1. Check controller health:
215
+ ```bash
216
+ kubectl get pods -n argo-rollouts
217
+ kubectl describe deployment argo-rollouts -n argo-rollouts
218
+ ```
219
+ 2. Check for recent controller errors:
220
+ ```bash
221
+ kubectl logs -n argo-rollouts -l app.kubernetes.io/name=argo-rollouts --tail=50 | grep -i error
222
+ ```
223
+ 3. Flag as **HIGH** if the argo-rollouts controller has unavailable replicas and any Rollout is mid-canary — the canary will not progress or roll back automatically until the controller recovers.
224
+
225
+ ## Output
226
+
227
+ Return:
228
+
229
+ - **target**: Rollout name, namespace, and strategy type, with evidence source,
230
+ - **evidence level**: `live evidence` / `documentation-based` / `sanitized user evidence` / `inference`,
231
+ - **strategy correctness**: steps present/absent, analysis gates present/absent, blue-green autoPromotion setting,
232
+ - **AnalysisTemplate audit**: successCondition and failureCondition correctness, failureLimit values, Prometheus query argument wiring,
233
+ - **service isolation**: canaryService and stableService presence, selector management,
234
+ - **traffic provider alignment**: specified provider vs installed ingress controller,
235
+ - **PDB compatibility**: deadlock risk with Rollout maxSurge/maxUnavailable settings,
236
+ - **rollback posture**: revisionHistoryLimit, abortScaleDownDelaySeconds, automated abort wiring,
237
+ - **controller health**: argo-rollouts controller pod state,
238
+ - **risk findings** (with severity: critical / high / medium / low),
239
+ - **safest next actions** with sample YAML,
240
+ - **assumptions and missing facts**.
241
+
242
+ ## Security notes
243
+
244
+ - Never recommend bypassing AnalysisTemplate gates to force a canary promotion — fix the underlying metric or analysis query instead.
245
+ - Never recommend setting `successCondition: true` or equivalent always-passing conditions to unblock a stuck rollout.
246
+ - A Rollout with `autoPromotionEnabled: true` and no `prePromotionAnalysis` in production is equivalent to a standard Deployment — progressive delivery provides no safety gate.
247
+ - Always verify the AnalysisTemplate Prometheus query actually targets the canary deployment specifically, not the entire service or namespace — a query that averages stable and canary traffic can mask canary errors.
248
+ - Do not recommend increasing `failureLimit` as a fix for a legitimate analysis failure — investigate the root cause first.
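Review bot: Step 6 (items 3 and 5) treats a PodDisruptionBudget as something that stops the Rollout from removing old pods ("old pods cannot be removed due to PDB"), but a PDB only limits voluntary evictions made through the Eviction API, such as a node drain; pods deleted by a workload controller scaling down a ReplicaSet during an update are not limited by it. As written, item 5 raises HIGH for `maxUnavailable: 0` in the Rollout plus a strict PDB, a combination that does not by itself deadlock the rollout, and the "cluster has no capacity" premise in item 3 is never checked by any step. Suggest rewording Step 6 around the case a PDB really affects (a node drain or cluster upgrade running while a canary is in progress) and tying the severity to evidence of blocked evictions or unschedulable pods. In the same step, the sample puts a complete PDB manifest and a bare `strategy:` fragment into one `yaml` fence with no `---` separator, so it cannot be applied as shown; split it into two fences or label the second part as an excerpt of the Rollout `spec`. Separately, Step 7 item 3 lists `kubectl argo rollouts abort` and `kubectl argo rollouts undo` inside an audit procedure, and nothing in the visible lines marks them as operator-only; since this file instructs an agent, state explicitly that the agent reports these commands as a next action and does not run them. Minor: the `kubectl get rollout <name>` commands in Steps 4 to 7 omit `-n <namespace>` while the `abort` and `undo` lines include it, so the audit reads from whatever namespace the current context defaults to.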