@raishin/vanguard-frontier-agentic 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (442) hide show
  1. package/README.md +231 -113
  2. package/agents/AGENTS.md +263 -21
  3. package/agents/argocd/README.md +46 -0
  4. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
  5. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
  6. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
  7. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
  8. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
  9. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
  10. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
  11. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
  12. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
  13. package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
  14. package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
  15. package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
  16. package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
  17. package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
  18. package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
  19. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
  20. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
  21. package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
  22. package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
  23. package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
  24. package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
  25. package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
  26. package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
  27. package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
  28. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  29. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
  30. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  31. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  32. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  33. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  34. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  35. package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
  36. package/agents/azure/README.md +45 -0
  37. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
  38. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  39. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
  40. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  41. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  42. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  43. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  44. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  45. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
  46. package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +10 -1
  47. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +10 -1
  48. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +10 -1
  49. package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +10 -1
  50. package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
  51. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
  52. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
  53. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
  54. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
  55. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
  56. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  57. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  58. package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
  59. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +10 -1
  60. package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +11 -2
  61. package/agents/backstage/README.md +36 -0
  62. package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
  63. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
  64. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
  65. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
  66. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
  67. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
  68. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
  69. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
  70. package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
  71. package/agents/cert-manager/README.md +46 -0
  72. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
  73. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
  74. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
  75. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
  76. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
  77. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
  78. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
  79. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
  80. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
  81. package/agents/cilium/README.md +46 -0
  82. package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
  83. package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  84. package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
  85. package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
  86. package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
  87. package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
  88. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  89. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  90. package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
  91. package/agents/falco/README.md +36 -0
  92. package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
  93. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
  94. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
  95. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
  96. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
  97. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
  98. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
  99. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
  100. package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
  101. package/agents/finops/README.md +27 -0
  102. package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +10 -1
  103. package/agents/fluxcd/README.md +39 -0
  104. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
  105. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
  106. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
  107. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
  108. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
  109. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
  110. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
  111. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
  112. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
  113. package/agents/istio/README.md +46 -0
  114. package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
  115. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
  116. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
  117. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
  118. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
  119. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
  120. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
  122. package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
  123. package/agents/kubernetes/README.md +143 -0
  124. package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
  125. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
  126. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
  127. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
  128. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
  129. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
  130. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
  131. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
  132. package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
  133. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
  134. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
  135. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
  136. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
  137. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
  138. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
  139. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
  140. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
  141. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
  142. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
  143. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  144. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
  145. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  146. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  147. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  148. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  149. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  150. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +36 -0
  151. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
  152. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
  153. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
  154. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
  155. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
  156. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
  157. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  158. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  159. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +36 -0
  160. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
  161. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  162. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
  163. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  164. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  165. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  166. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  167. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  168. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +36 -0
  169. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
  170. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  171. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
  172. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  173. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  174. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  175. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  176. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  177. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +36 -0
  178. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
  179. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
  180. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
  181. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
  182. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
  183. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
  184. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  185. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  186. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
  187. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
  188. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
  189. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
  190. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
  191. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
  192. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
  193. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  194. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
  195. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +37 -0
  196. package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
  197. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
  198. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
  199. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
  200. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
  201. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
  202. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  203. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  204. package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
  205. package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
  206. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
  207. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
  208. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
  209. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
  210. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
  211. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
  212. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
  213. package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
  214. package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
  215. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
  216. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
  217. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
  218. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
  219. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
  220. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
  221. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
  222. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +37 -0
  223. package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
  224. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
  225. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
  226. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
  227. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
  228. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
  229. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
  230. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
  231. package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
  232. package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
  233. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
  234. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
  235. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
  236. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
  237. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
  238. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
  239. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
  240. package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
  241. package/agents/kyverno/README.md +46 -0
  242. package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
  243. package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  244. package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
  245. package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
  246. package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
  247. package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
  248. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  249. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  250. package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
  251. package/agents/oci/README.md +45 -0
  252. package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
  253. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  254. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
  255. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  256. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  257. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  258. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  259. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  260. package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
  261. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +11 -2
  262. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +11 -2
  263. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +10 -1
  264. package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
  265. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
  266. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
  267. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
  268. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
  269. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
  270. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  271. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  272. package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
  273. package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +11 -2
  274. package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +10 -1
  275. package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +10 -1
  276. package/agents/opentelemetry/README.md +37 -0
  277. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
  278. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
  279. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
  280. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
  281. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
  282. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
  283. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
  284. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
  285. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
  286. package/agents/prometheus/README.md +36 -0
  287. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
  288. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
  289. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
  290. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
  291. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
  292. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
  293. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
  294. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
  295. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
  296. package/agents/sigstore/README.md +38 -0
  297. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
  298. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
  299. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
  300. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
  301. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
  302. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
  303. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
  304. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
  305. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
  306. package/agents/terraform/README.md +29 -0
  307. package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
  308. package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
  309. package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
  310. package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
  311. package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
  312. package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
  313. package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
  314. package/agents/terraform/terraform-reviewer/metadata.json +10 -1
  315. package/agents/velero/README.md +41 -0
  316. package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
  317. package/catalog/agents.json +1452 -634
  318. package/catalog/install-roles.json +455 -0
  319. package/catalog/skill-manifest.json +757 -3
  320. package/catalog/skills.json +1298 -528
  321. package/package.json +11 -1
  322. package/scripts/export-marketplace-agents.mjs +100 -9
  323. package/scripts/update-catalog-new-agents.py +88 -0
  324. package/skills/argocd/README.md +30 -0
  325. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +40 -0
  326. package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
  327. package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
  328. package/skills/argocd/argocd-gitops-review/SKILL.md +43 -0
  329. package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
  330. package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
  331. package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
  332. package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
  333. package/skills/aws/README.md +3 -1
  334. package/skills/aws/aws-maestro/references/workflow-and-output.md +2 -0
  335. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +39 -0
  336. package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
  337. package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
  338. package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
  339. package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
  340. package/skills/azure/README.md +3 -1
  341. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +37 -0
  342. package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
  343. package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
  344. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +56 -0
  345. package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
  346. package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
  347. package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
  348. package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
  349. package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
  350. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +39 -0
  351. package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
  352. package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
  353. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +40 -0
  354. package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
  355. package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
  356. package/skills/cilium/README.md +30 -0
  357. package/skills/cilium/cilium-network-policy-review/SKILL.md +43 -0
  358. package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
  359. package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
  360. package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
  361. package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
  362. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +37 -0
  363. package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
  364. package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
  365. package/skills/finops/README.md +30 -0
  366. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +40 -0
  367. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
  368. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
  369. package/skills/istio/README.md +28 -0
  370. package/skills/istio/istio-ambient-mesh-review/SKILL.md +43 -0
  371. package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
  372. package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
  373. package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
  374. package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
  375. package/skills/kubernetes/README.md +30 -0
  376. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +37 -0
  377. package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
  378. package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
  379. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +40 -0
  380. package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
  381. package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
  382. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +57 -0
  383. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
  384. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
  385. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
  386. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
  387. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
  388. package/skills/kubernetes/kubernetes-maestro/SKILL.md +45 -0
  389. package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
  390. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
  391. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
  392. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +43 -0
  393. package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
  394. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
  395. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
  396. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
  397. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +38 -0
  398. package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
  399. package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
  400. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +38 -0
  401. package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
  402. package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
  403. package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
  404. package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
  405. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +43 -0
  406. package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
  407. package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
  408. package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
  409. package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
  410. package/skills/kyverno/README.md +30 -0
  411. package/skills/kyverno/kyverno-policy-review/SKILL.md +43 -0
  412. package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
  413. package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
  414. package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
  415. package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
  416. package/skills/oci/README.md +63 -0
  417. package/skills/oci/oci-certificates-issuer-review/SKILL.md +37 -0
  418. package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
  419. package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
  420. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +57 -0
  421. package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
  422. package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
  423. package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
  424. package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
  425. package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
  426. package/skills/opentelemetry/README.md +31 -0
  427. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +44 -0
  428. package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
  429. package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
  430. package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
  431. package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
  432. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +38 -0
  433. package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
  434. package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
  435. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +39 -0
  436. package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
  437. package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
  438. package/skills/terraform/README.md +29 -0
  439. package/skills/velero/velero-backup-restore-guard/SKILL.md +41 -0
  440. package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
  441. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
  442. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
package/skills/kubernetes/external-secrets-operator-review/metadata.json ADDED
@@ -0,0 +1,22 @@
1
+ {
2
+ "id": "external-secrets-operator-review",
3
+ "name": "External Secrets Operator Review",
4
+ "type": "skill",
5
+ "provider": "kubernetes",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review ESO SecretStore, ClusterSecretStore, ExternalSecret, and PushSecret for scope creep, auth anti-patterns, refresh interval risks, and dataFrom blast radius.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://external-secrets.io/latest/introduction/overview/",
11
+ "https://external-secrets.io/latest/api/secretstore/",
12
+ "https://external-secrets.io/latest/api/externalsecret/",
13
+ "https://external-secrets.io/latest/api/clustersecretstore/",
14
+ "https://external-secrets.io/latest/provider/aws-secrets-manager/",
15
+ "https://external-secrets.io/latest/provider/azure-key-vault/"
16
+ ],
17
+ "security_notes": "ClusterSecretStore with no namespace selector grants every namespace access to every external secret reachable by the store credentials. Static credentials in SecretStore auth create a credential-to-access-credentials chain where compromise of the K8s Secret gives full access to the external store.",
18
+ "last_verified": "2026-05-02",
19
+ "path": "skills/kubernetes/external-secrets-operator-review",
20
+ "author": "github: Raishin",
21
+ "version": "0.1.0"
22
+ }
package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,280 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Workflow
4
+
5
+ ### Step 1 — Collect inputs
6
+
7
+ Ask the user to provide one or more of the following as sanitized YAML snippets (no real ARNs with account IDs, no actual secret values, no real tenant IDs or vault addresses that identify their environment):
8
+ - `SecretStore` or `ClusterSecretStore` manifest(s)
9
+ - `ExternalSecret` manifest(s)
10
+ - `PushSecret` manifest(s), if any
11
+ - Optional: ESO operator deployment manifest (to check version and RBAC permissions)
12
+ - Optional: description of the external store provider (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, 1Password Connect) and the auth method in use
13
+
14
+ If the user provides only a partial set, note which resources are absent and scope findings accordingly.
15
+
16
+ ### Step 2 — SecretStore vs ClusterSecretStore scope audit
17
+
18
+ For every `ClusterSecretStore` resource:
19
+ - Check whether `spec.conditions[].namespaceSelector` or `spec.conditions[].namespaces` is set
20
+ - If absent: flag as HIGH — every namespace can reference this store
21
+
22
+ ```yaml
23
+ # HIGH — no namespace selector; any ExternalSecret in any namespace can use this store
24
+ apiVersion: external-secrets.io/v1beta1
25
+ kind: ClusterSecretStore
26
+ metadata:
27
+ name: aws-global
28
+ spec:
29
+ provider:
30
+ aws:
31
+ service: SecretsManager
32
+ region: us-east-1
33
+ auth:
34
+ jwt:
35
+ serviceAccountRef:
36
+ name: eso-sa
37
+ namespace: external-secrets
38
+
39
+ # CORRECT — restrict to specific namespaces
40
+ apiVersion: external-secrets.io/v1beta1
41
+ kind: ClusterSecretStore
42
+ metadata:
43
+ name: aws-payments
44
+ spec:
45
+ conditions:
46
+ - namespaces:
47
+ - payments
48
+ - payments-staging
49
+ provider:
50
+ aws:
51
+ service: SecretsManager
52
+ region: us-east-1
53
+ auth:
54
+ jwt:
55
+ serviceAccountRef:
56
+ name: eso-payments-sa
57
+ namespace: external-secrets
58
+ ```
59
+
60
+ For `SecretStore` resources: verify the namespace matches the namespace of the ExternalSecrets that reference it. A SecretStore in namespace A cannot be referenced by an ExternalSecret in namespace B.
61
+
62
+ ### Step 3 — Authentication method audit
63
+
64
+ For every store, identify the auth method:
65
+
66
+ | Auth method | Risk level | Notes |
67
+ |-------------|-----------|-------|
68
+ | IRSA (AWS) | Low | Preferred for EKS |
69
+ | Azure Workload Identity | Low | Preferred for AKS |
70
+ | GCP Workload Identity | Low | Preferred for GKE |
71
+ | Vault Kubernetes auth | Low | Preferred for Vault |
72
+ | Static credentials via `secretRef` | HIGH | Credential-in-credential anti-pattern |
73
+ | Static credentials inline in manifest | CRITICAL | Never acceptable |
74
+
75
+ **Static credentials pattern to flag:**
76
+ ```yaml
77
+ # HIGH — K8s Secret holds AWS access key for the external store
78
+ spec:
79
+ provider:
80
+ aws:
81
+ service: SecretsManager
82
+ auth:
83
+ secretRef:
84
+ accessKeyIDSecretRef:
85
+ name: aws-creds
86
+ key: access-key-id
87
+ secretAccessKeySecretRef:
88
+ name: aws-creds
89
+ key: secret-access-key
90
+ ```
91
+
92
+ The K8s Secret `aws-creds` is itself a credential. Anyone who can read that Secret (namespace admin, over-privileged pod) gains full access to the AWS Secrets Manager path the store covers.
93
+
94
+ **Correct IRSA pattern:**
95
+ ```yaml
96
+ # CORRECT — pod identity; no static credentials
97
+ spec:
98
+ provider:
99
+ aws:
100
+ service: SecretsManager
101
+ region: us-east-1
102
+ auth:
103
+ jwt:
104
+ serviceAccountRef:
105
+ name: eso-payments-sa
106
+ namespace: external-secrets
107
+ ```
108
+
109
+ ### Step 4 — dataFrom scope audit
110
+
111
+ Review every `ExternalSecret.spec.dataFrom` stanza:
112
+
113
+ **4a. `dataFrom.extract`**
114
+ Fetches all key-value pairs from a specific secret path. Review that the path is as narrow as possible.
115
+ ```yaml
116
+ # ACCEPTABLE — extracts all keys from a single named secret
117
+ dataFrom:
118
+ - extract:
119
+ key: my-app/production/database
120
+ ```
121
+
122
+ **4b. `dataFrom.find`**
123
+ Fetches multiple secrets matching a regex or tag filter. HIGH blast-radius risk.
124
+ ```yaml
125
+ # HIGH — fetches ALL secrets in the store matching any name
126
+ dataFrom:
127
+ - find:
128
+ name:
129
+ regexp: ".*"
130
+
131
+ # HIGH — fetches every secret under the /production/ path prefix
132
+ dataFrom:
133
+ - find:
134
+ path: /production/
135
+
136
+ # ACCEPTABLE — narrow regex scoped to a single application prefix
137
+ dataFrom:
138
+ - find:
139
+ name:
140
+ regexp: "^my-app/production/[a-z-]+$"
141
+ tags:
142
+ app: my-app
143
+ ```
144
+
145
+ Flag any `find` with a broad regex (`.*`, `^/`, or no regex at all) as HIGH — all matching secrets are merged into a single K8s Secret, and any pod that mounts it gets access to all of them.
146
+
147
+ ### Step 5 — Refresh interval compliance audit
148
+
149
+ For every `ExternalSecret`, check `spec.refreshInterval`.
150
+
151
+ Default is `1h`. Review against the rotation policy of the external credential:
152
+
153
+ | Credential type | Typical rotation window | Recommended refreshInterval |
154
+ |----------------|------------------------|------------------------------|
155
+ | Database password (RDS IAM auth) | 15 minutes | `5m` or `10m` |
156
+ | API key with 24h rotation | 24 hours | `1h` |
157
+ | Long-lived service account key | 90 days | `1h` (acceptable) |
158
+ | TLS certificate (Let's Encrypt) | 90 days | `12h` |
159
+
160
+ ```yaml
161
+ # MEDIUM — 48h refresh on a DB password that rotates every 15 minutes
162
+ spec:
163
+ refreshInterval: 48h
164
+ secretStoreRef:
165
+ name: aws-store
166
+ kind: ClusterSecretStore
167
+ target:
168
+ name: db-password
169
+ data:
170
+ - secretKey: password
171
+ remoteRef:
172
+ key: my-app/production/db
173
+ property: password
174
+ ```
175
+
176
+ Flag `refreshInterval: 0` as a separate risk — it disables automatic refresh; secrets only update on ExternalSecret resource changes.
177
+
178
+ ### Step 6 — Target creation policy and template audit
179
+
180
+ **6a. creationPolicy**
181
+ ```yaml
182
+ # MEDIUM — Owner means ESO owns the Secret lifecycle
183
+ target:
184
+ name: my-app-secret
185
+ creationPolicy: Owner
186
+ ```
187
+ If the ExternalSecret is deleted (by a botched `helm uninstall`, namespace teardown, or GitOps drift), the managed K8s Secret is deleted immediately. Workloads using it crash. Recommend documenting this in runbooks and implementing deletion protection on critical ExternalSecrets.
188
+
189
+ Alternative `creationPolicy: Merge` — ESO writes keys into an existing Secret but does not own its lifecycle. Review that the existing Secret exists and has the correct structure.
190
+
191
+ **6b. Template correctness**
192
+ ```yaml
193
+ # RISKY — template that silently omits a key if the remote key name changes
194
+ target:
195
+ template:
196
+ data:
197
+ DB_PASS: "{{ .db_pass }}"
198
+ DB_HOST: "{{ .db_host }}"
199
+ # If the remote secret loses a key, the template renders as empty string, not an error
200
+ ```
201
+
202
+ Recommend including `engineVersion: v2` and verifying that all template references have a corresponding remote key. Flag templates with no explicit key mapping verification as LOW (template drift risk).
203
+
204
+ ### Step 7 — PushSecret audit
205
+
206
+ If `PushSecret` resources are present:
207
+
208
+ **7a. Auth scope**
209
+ PushSecret writes K8s Secret values into the external store. The auth principal for PushSecret needs write permission to the external store path. Review that:
210
+ - The IAM role / service principal / Vault policy grants write only to the specific path, not `secretsmanager:PutSecretValue` on `*`
211
+ - The auth principal is separate from the read-path principal (PushSecret auth should not be reused for ExternalSecret auth)
212
+
213
+ **7b. Selector scope**
214
+ ```yaml
215
+ # HIGH — pushes ALL secrets from the namespace into the external store
216
+ spec:
217
+ selector:
218
+ secret:
219
+ name: "" # empty = all secrets
220
+ ```
221
+
222
+ Flag any PushSecret with an empty or wildcard selector as HIGH — it exfiltrates all K8s Secrets from the namespace into the external store.
223
+
224
+ ### Step 8 — ESO operator RBAC audit (if manifest provided)
225
+
226
+ Review the ClusterRole bound to the ESO operator ServiceAccount:
227
+ - ESO needs `get`, `list`, `watch` on Secrets (to read SecretStore auth credentials)
228
+ - ESO needs `create`, `update`, `patch`, `delete` on Secrets (to manage target Secrets)
229
+ - ESO does NOT need `get` on all Secrets cluster-wide unless ClusterSecretStore is used
230
+ - Flag `resources: ["secrets"]` with no `resourceNames` restriction on a ClusterRole as MEDIUM
231
+
232
+ ### Step 9 — Produce the output
233
+
234
+ Format findings using the Output section below.
235
+
236
+ ---
237
+
238
+ ## Output
239
+
240
+ Return findings in this structure:
241
+
242
+ ```
243
+ ## Verdict
244
+ <one sentence summary: pass / needs work / critical issues found>
245
+
246
+ ## Evidence level
247
+ <live evidence | user-provided sanitized config | documentation-based | inference>
248
+
249
+ ## Findings
250
+
251
+ ### CRITICAL
252
+ - [C1] <finding title>: <description> — <remediation>
253
+
254
+ ### HIGH
255
+ - [H1] <finding title>: <description> — <remediation>
256
+
257
+ ### MEDIUM
258
+ - [M1] <finding title>: <description> — <remediation>
259
+
260
+ ### LOW
261
+ - [L1] <finding title>: <description> — <remediation>
262
+
263
+ ## Safe next actions
264
+ 1. <action>
265
+ 2. <action>
266
+ ...
267
+
268
+ ## Open questions
269
+ - <question requiring user clarification>
270
+ ```
271
+
272
+ ---
273
+
274
+ ## Security notes
275
+
276
+ - Never recommend using static credentials (`secretRef` pointing to a K8s Secret holding cloud credentials) as a permanent solution — always direct toward workload identity (IRSA, Azure Workload Identity, GCP Workload Identity, Vault Kubernetes auth).
277
+ - Treat any `ClusterSecretStore` with no `namespaceSelector` as a cross-namespace trust boundary violation — flag it regardless of whether the user considers it intentional.
278
+ - Do not recommend setting `refreshInterval: 0` on any ExternalSecret for a credential that participates in a rotation policy — zero disables automatic refresh.
279
+ - Flag the absence of monitoring on ExternalSecret sync status (`externalsecret_sync_calls_total`, `externalsecret_status_condition`) — a failing sync that goes unalerted means the cluster silently uses a stale or deleted credential.
280
+ - Treat `dataFrom.find` with a broad regex as equivalent to "grant this pod access to every secret in your vault that matches the regex" — make the blast radius explicit in the finding description.
package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md ADDED
@@ -0,0 +1,40 @@
1
+ ---
2
+ name: kubecost-chargeback-allocation-review
3
+ description: Use this skill when reviewing a Kubecost or OpenCost installation for enterprise chargeback readiness. Trigger when the user asks whether cost allocation is accurate, whether label taxonomy is complete enough for chargeback, whether idle cost is properly attributed, whether the cost API is secured, or whether savings recommendations are being actioned.
4
+ metadata:
5
+ author: "github: Raishin"
6
+ version: "0.1.0"
7
+ ---
8
+
9
+ # Kubecost Chargeback and Allocation Review
10
+
11
+ ## Purpose
12
+
13
+ Review a Kubecost (or OpenCost) deployment for cost allocation accuracy, label taxonomy completeness, shared cost model selection, idle cost attribution policy, budget alert coverage, cost API authentication posture, and savings recommendation hygiene. Enterprise chargeback requires that every dollar spent can be attributed to a team, cost center, or product — gaps in label coverage, authentication, or idle allocation produce inaccurate charge-backs and hide engineering waste.
14
+
15
+ ## Lean operating rules
16
+
17
+ - Prefer user-provided Kubecost allocation API output, Helm values, and `kubectl` label query results as primary evidence; official Kubecost and OpenCost docs are the authoritative fallback.
18
+ - Treat the Kubecost cost allocation API or frontend exposed without SSO/ingress authentication as a HIGH finding — any pod in the cluster can enumerate other teams' spend.
19
+ - Treat more than 20% of pod costs appearing in the "uncategorized" or "__unallocated__" bucket as a HIGH finding — chargeback to business units is impossible for that spend.
20
+ - Treat idle cost absorbed centrally (not attributed to namespace owners) as a MEDIUM finding — it hides waste from the engineering teams responsible for right-sizing.
21
+ - Treat PV (persistent volume) costs excluded from allocation as a MEDIUM finding — stateful teams face an invisible blind spot in their bill.
22
+ - Treat no budget alerts configured for any namespace or team as a MEDIUM finding — teams have no cost signal until the end-of-month invoice.
23
+ - Treat HIGH-priority savings recommendations unactioned for more than 30 days as a HIGH finding — direct, measurable cash waste with a documented fix path.
24
+ - Distinguish OpenCost (no multi-cluster single-pane, no team RBAC) from Kubecost Enterprise (multi-cluster, RBAC, advanced savings) when scope matters for the use case.
25
+
26
+ ## References
27
+
28
+ Load these only when needed:
29
+ - [Workflow and output contract](references/workflow-and-output.md)
30
+
31
+ ## Response minimum
32
+
33
+ - Scoped target (cluster name, Kubecost version, OpenCost vs Kubecost) and evidence level
34
+ - Cost allocation accuracy verdict (all cost components enabled or missing)
35
+ - Label taxonomy completeness (% uncategorized, missing labels)
36
+ - Shared cost model and idle cost attribution policy
37
+ - Budget alert coverage (configured / absent / threshold)
38
+ - Cost API authentication posture
39
+ - Top savings recommendations status
40
+ - Safe next actions and open questions
package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json ADDED
@@ -0,0 +1,22 @@
1
+ {
2
+ "id": "kubecost-chargeback-allocation-review",
3
+ "name": "Kubecost Chargeback and Allocation Review",
4
+ "type": "skill",
5
+ "provider": "kubernetes",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review Kubecost and OpenCost cost allocation accuracy, label taxonomy completeness, shared cost model, idle cost attribution, budget alert coverage, API authentication, and savings recommendation hygiene for enterprise chargeback.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://www.kubecost.com/kubernetes-cost-optimization/",
11
+ "https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cost-allocation",
12
+ "https://www.opencost.io/docs/",
13
+ "https://docs.kubecost.com/install-and-configure/advanced-configuration/cost-model",
14
+ "https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings",
15
+ "https://docs.kubecost.com/apis/apis-overview"
16
+ ],
17
+ "security_notes": "Kubecost cost allocation API without authentication exposes team-level spend data to any pod in the cluster. Multi-cluster Kubecost aggregation requires cross-cluster network access — review whether the aggregation network path is private or exposed.",
18
+ "last_verified": "2026-05-02",
19
+ "path": "skills/kubernetes/kubecost-chargeback-allocation-review",
20
+ "author": "github: Raishin",
21
+ "version": "0.1.0"
22
+ }
package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,215 @@
1
+ # Workflow and output contract
2
+
3
+ Use this reference only when performing a full Kubecost or OpenCost chargeback readiness review, producing FinOps implementation guidance, triaging a cost allocation discrepancy, or completing a cost governance production-readiness pass.
4
+
5
+ ## Review domains
6
+
7
+ Check these areas before giving a verdict:
8
+
9
+ - Kubecost vs OpenCost distinction and version
10
+ - Cost allocation accuracy: all cost components enabled (compute, storage, network)
11
+ - Label taxonomy completeness: uncategorized cost percentage, missing label coverage
12
+ - Shared cost model: even split, proportional, or weighted — and whether it matches the chargeback agreement
13
+ - Idle cost attribution: absorbed centrally or allocated to namespace owners
14
+ - Budget alert configuration: thresholds, routing, and coverage
15
+ - Cost API and frontend authentication posture
16
+ - Savings recommendations status: HIGH-priority items and days unactioned
17
+
18
+ ## Safe workflow
19
+
20
+ 1. **Frame scope**
21
+ - Cluster name and cloud provider:
22
+ - Kubecost version (`helm list -n kubecost` or `kubectl get deployment -n kubecost -o json | jq '.items[].spec.template.spec.containers[].image'`):
23
+ - OpenCost or Kubecost (free tier / Business / Enterprise):
24
+ - Number of clusters in scope:
25
+ - Required outcome of this review:
26
+ - Explicit non-goals:
27
+
28
+ 2. **Collect evidence**
29
+ - Prefer Kubecost allocation API output, Helm values, and `kubectl` label query results as primary evidence.
30
+ - Supplement with Kubecost UI screenshots and savings recommendations export if available.
31
+ - Label each finding as `live evidence`, `user-provided evidence`, `documentation-based`, or `inference`.
32
+
33
+ 3. **Verify all cost components are captured**
34
+ Query the allocation API to confirm compute, storage, and network are all present:
35
+ ```bash
36
+ # Allocation API — last 7 days by namespace
37
+ curl "http://localhost:9090/model/allocation?window=7d&aggregate=namespace&includeIdle=true"
38
+
39
+ # Check whether network costs are enabled in Helm values
40
+ helm get values kubecost -n kubecost | grep -A5 'networkCosts'
41
+
42
+ # Check whether PV costs are included
43
+ helm get values kubecost -n kubecost | grep -A5 'persistentVolumes'
44
+ ```
45
+ If `networkCosts.enabled: false` or PV costs are missing from the allocation response,
46
+ flag as MEDIUM — stateful or egress-heavy teams face invisible costs.
47
+
48
+ 4. **Assess label taxonomy completeness**
49
+ Run a label audit to quantify unlabeled pods:
50
+ ```bash
51
+ # Count pods missing the cost-center label
52
+ kubectl get pods -A --show-labels | grep -v 'cost-center=' | grep -v 'NAME' | wc -l
53
+
54
+ # Count pods missing the team label
55
+ kubectl get pods -A --show-labels | grep -v 'app.kubernetes.io/team=' | grep -v 'NAME' | wc -l
56
+
57
+ # Query Kubecost for uncategorized spend share
58
+ curl "http://localhost:9090/model/allocation?window=7d&aggregate=label:cost-center" | \
59
+ jq '.data[0]["__unallocated__"].totalCost / (.data[0] | to_entries | map(.value.totalCost) | add)'
60
+ ```
61
+ If the `__unallocated__` or `__idle__` bucket represents more than 20% of total cost,
62
+ label taxonomy is insufficient for chargeback — flag as HIGH.
63
+
64
+ 5. **Check shared cost model configuration**
65
+ Kubecost shared cost models in `values.yaml`:
66
+ ```yaml
67
+ # Option 1: even split (each tenant pays equal share of shared infra)
68
+ kubecostModel:
69
+ sharedCostConfiguration:
70
+ shareIdle: false
71
+ sharedNamespaces: "monitoring,ingress-nginx,cert-manager"
72
+ shareByLabel: ""
73
+ shareType: "even" # even | weighted | proportional
74
+
75
+ # Option 2: proportional (tenant pays proportional to their usage)
76
+ shareType: "proportional"
77
+
78
+ # Option 3: weighted (explicit percentage per tenant)
79
+ shareType: "weighted"
80
+ ```
81
+ If the shared cost model does not match the documented business chargeback agreement, flag as MEDIUM.
82
+ If no shared namespace is configured, monitoring and ingress costs are silently excluded from bills.
83
+
84
+ 6. **Verify idle cost attribution**
85
+ ```bash
86
+ # Check idle allocation setting
87
+ helm get values kubecost -n kubecost | grep -A3 'idle'
88
+
89
+ # Idle cost API
90
+ curl "http://localhost:9090/model/allocation?window=7d&aggregate=namespace&includeIdle=true" | \
91
+ jq '.data[0].__idle__'
92
+ ```
93
+ If `shareIdle: false` and the `__idle__` bucket is large (>15% of total), idle waste is hidden
94
+ from engineering teams. Allocating idle to namespaces creates incentive to right-size.
95
+ Flag as MEDIUM if idle cost is absorbed centrally without a documented policy decision.
96
+
97
+ 7. **Audit budget alert configuration**
98
+ ```bash
99
+ # Check for configured budget alerts via Kubecost API
100
+ curl "http://localhost:9090/model/budget"
101
+
102
+ # Check Kubecost alert configuration in values
103
+ helm get values kubecost -n kubecost | grep -A20 'alerts'
104
+ ```
105
+ A well-configured alert:
106
+ ```yaml
107
+ alerts:
108
+ - type: budget
109
+ threshold: 80 # alert at 80% — not 100%
110
+ window: monthly
111
+ aggregation: namespace
112
+ filter: "namespace=team-a"
113
+ slackWebhookUrl: https://hooks.slack.com/services/...
114
+ ```
115
+ No budget alerts configured for any namespace is a MEDIUM finding.
116
+ Alert threshold at 100% (no early warning) is a MEDIUM finding.
117
+ Alert routing to a central ops black hole (not the owning team) is a MEDIUM finding.
118
+
119
+ 8. **Check cost API and frontend authentication**
120
+ ```bash
121
+ # Test whether the cost API is publicly accessible without credentials
122
+ curl -o /dev/null -s -w "%{http_code}" http://<kubecost-service>:9090/model/allocation?window=1d
123
+
124
+ # Check ingress auth annotation
125
+ kubectl get ingress -n kubecost -o yaml | grep -A5 'annotations'
126
+ ```
127
+ Expected annotations for SSO-gated ingress:
128
+ ```yaml
129
+ annotations:
130
+ nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy/oauth2/auth"
131
+ nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy/oauth2/start"
132
+ ```
133
+ A 200 response from the allocation API without auth headers means any cluster pod can enumerate
134
+ other teams' spend data — flag as HIGH.
135
+
136
+ 9. **Savings recommendations review**
137
+ ```bash
138
+ # Get rightsizing recommendations
139
+ curl "http://localhost:9090/model/savings/requestSizingV2"
140
+
141
+ # Get abandoned workload recommendations
142
+ curl "http://localhost:9090/model/savings/abandonedWorkloads"
143
+
144
+ # Get orphaned PV recommendations
145
+ curl "http://localhost:9090/model/savings/orphanedResources"
146
+ ```
147
+ Review the top 10 recommendations by estimated monthly savings. For each HIGH-priority item,
148
+ confirm whether it has been reviewed. Items unactioned for more than 30 days represent
149
+ measurable cash waste with a documented fix path — flag as HIGH.
150
+
151
+ ## Output contract
152
+
153
+ Return this structure:
154
+
155
+ ```markdown
156
+ # Kubecost Chargeback and Allocation Review: <cluster-name>
157
+
158
+ ## Executive verdict
159
+ - Status: CHARGEBACK READY / PARTIALLY READY / NOT READY / NEEDS EVIDENCE
160
+ - Biggest risk:
161
+ - Evidence level:
162
+
163
+ ## Scope and assumptions
164
+ - Cluster name and cloud provider:
165
+ - Kubecost version and tier:
166
+ - Review window:
167
+ - Confirmed:
168
+ - Unknown:
169
+ - Out of scope:
170
+
171
+ ## Findings
172
+
173
+ | Severity | Area | Finding | Evidence | Why it matters | Minimum safe action |
174
+ |---|---|---|---|---|---|
175
+
176
+ ## Cost component coverage
177
+
178
+ | Component | Enabled | Notes |
179
+ |---|---|---|
180
+ | Compute (CPU/RAM) | | |
181
+ | Persistent volume storage | | |
182
+ | Network egress (cross-AZ) | | |
183
+ | Network egress (cross-region) | | |
184
+ | GPU | | |
185
+
186
+ ## Label taxonomy summary
187
+ - Total pod count:
188
+ - Pods missing `cost-center` label:
189
+ - Estimated uncategorized cost %:
190
+
191
+ ## Shared cost and idle model
192
+ - Shared namespaces:
193
+ - Share type:
194
+ - Idle allocation policy:
195
+
196
+ ## Budget alert coverage
197
+ - Namespaces with budget alerts:
198
+ - Earliest warning threshold:
199
+ - Alert routing:
200
+
201
+ ## Top savings opportunities
202
+
203
+ | Recommendation | Est. monthly savings | Days open | Action |
204
+ |---|---|---|---|
205
+
206
+ ## Recommended actions
207
+ 1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
208
+
209
+ ## Validation
210
+ - Commands or checks:
211
+ - Expected result:
212
+
213
+ ## Residual risk
214
+ - <risk or explicit none>
215
+ ```
package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md ADDED
@@ -0,0 +1,57 @@
1
+ ---
2
+ name: kubernetes-live-rbac-mutation-guard
3
+ description: Guard live kubectl apply, create, or delete operations on Kubernetes RBAC objects — Roles, ClusterRoles, RoleBindings, ClusterRoleBindings — with privilege-escalation verb detection, scope assessment, current-state diff, and explicit approval before any write. Use only when an intentional RBAC mutation is requested against a confirmed cluster target.
4
+ metadata:
5
+ author: "github: Raishin"
6
+ version: "0.1.0"
7
+ ---
8
+
9
+ # Kubernetes Live RBAC Mutation Guard
10
+
11
+ ## Purpose
12
+
13
+ Act as the guarded live Kubernetes operator for kubernetes-live-rbac-mutation-guard work. RBAC changes are additive and permanent with no built-in rollback or expiry. A mistaken ClusterRoleBinding cannot be auto-reverted. Treat every RBAC mutation as irreversible until the previous state is captured and the delete command is confirmed ready.
14
+
15
+ ## When to use
16
+
17
+ Use this skill when:
18
+
19
+ - a Role, ClusterRole, RoleBinding, or ClusterRoleBinding must be created, modified, or deleted in a live cluster
20
+ - a workload identity request requires binding a ServiceAccount to an existing or new role and blast radius must be confirmed before kubectl apply
21
+ - an RBAC audit finds dangerous bindings that must be removed and rollback impact on dependent workloads must be assessed
22
+
23
+ ## Lean operating rules
24
+
25
+ - Prefer live cluster evidence from `kubectl` when available; fall back to official Kubernetes documentation and sanitized YAML provided by the user.
26
+ - Do not execute any RBAC mutation until cluster context, namespace (if applicable), target object name, principal, and exact permission delta are all explicit.
27
+ - Capture the current state of the target object (`kubectl get ... -o yaml`) as rollback evidence before any write.
28
+ - Flag the following as high-severity and require explicit justification before proceeding:
29
+ - Any Role or ClusterRole granting `escalate`, `bind`, or `impersonate` verbs — privilege escalation vectors that bypass Kubernetes' own controls
30
+ - Any ClusterRoleBinding to `cluster-admin` for a non-infrastructure ServiceAccount
31
+ - Any wildcard verb (`*`) or wildcard resource (`*`) in any Role or ClusterRole
32
+ - Any binding to the `default` ServiceAccount in any namespace — shared blast radius
33
+ - Deletion of a ClusterRoleBinding without confirming which workloads depend on it
34
+ - If the request skips cluster-context confirmation, object diff, or rollback readiness, push back.
35
+ - Never print kubeconfig contents, bearer tokens, service account JWT tokens, or raw cluster credentials. Summarize sanitized evidence only.
36
+ - Load references only when needed.
37
+
38
+ ## References
39
+
40
+ Load these only when needed:
41
+
42
+ - [Preflight commands](references/preflight-commands.md) — kubectl commands to inspect cluster context, current RBAC state, and capture rollback baseline before any mutation.
43
+ - [Rollback playbook](references/rollback-playbook.md) — how to undo an RBAC mutation and verify dependent workloads are not broken.
44
+ - [Permission model](references/permission-model.md) — least-privilege patterns for common workload identity scenarios and dangerous verb/resource combinations.
45
+ - [Official sources](references/official-sources.md) — authoritative Kubernetes documentation links.
46
+
47
+ ## Response minimum
48
+
49
+ Return, at minimum:
50
+
51
+ - confirmed cluster context (cluster name, namespace, active user or service account)
52
+ - current state of the target RBAC object (diff baseline)
53
+ - privilege-escalation verb and high-severity resource assessment of the proposed change
54
+ - scope assessment: namespace-scoped Role vs cluster-scoped ClusterRole necessity
55
+ - approval status with explicit justification
56
+ - rollback command (`kubectl delete` or `kubectl apply -f <previous-state>`)
57
+ - post-mutation verification steps (`kubectl auth can-i` checks) or refusal reason
package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json ADDED
@@ -0,0 +1,27 @@
1
+ {
2
+ "id": "kubernetes-live-rbac-mutation-guard",
3
+ "name": "Kubernetes Live RBAC Mutation Guard",
4
+ "type": "skill",
5
+ "provider": "kubernetes",
6
+ "harnesses": [
7
+ "codex",
8
+ "claude-code",
9
+ "cursor",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Guard live kubectl apply/create/delete operations on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings with privilege-escalation verb detection, scope assessment, current-state diff, and explicit approval before write.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
18
+ "https://kubernetes.io/docs/concepts/security/rbac-good-practices/",
19
+ "https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/",
20
+ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
21
+ ],
22
+ "security_notes": "Capture current RBAC object state before every mutation — there is no built-in rollback. Block escalate, bind, and impersonate verbs without explicit platform-team approval. Never approve wildcard verb or resource grants. Deleting a ClusterRoleBinding does not immediately revoke cached service account tokens.",
23
+ "last_verified": "2026-05-01",
24
+ "path": "skills/kubernetes/kubernetes-live-rbac-mutation-guard",
25
+ "author": "github: Raishin",
26
+ "version": "0.1.0"
27
+ }