@raishin/vanguard-frontier-agentic 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (442) hide show
  1. package/README.md +231 -113
  2. package/agents/AGENTS.md +263 -21
  3. package/agents/argocd/README.md +46 -0
  4. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
  5. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
  6. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
  7. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
  8. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
  9. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
  10. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
  11. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
  12. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
  13. package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
  14. package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
  15. package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
  16. package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
  17. package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
  18. package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
  19. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
  20. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
  21. package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
  22. package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
  23. package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
  24. package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
  25. package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
  26. package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
  27. package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
  28. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  29. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
  30. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  31. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  32. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  33. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  34. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  35. package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
  36. package/agents/azure/README.md +45 -0
  37. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
  38. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  39. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
  40. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  41. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  42. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  43. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  44. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  45. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
  46. package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +10 -1
  47. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +10 -1
  48. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +10 -1
  49. package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +10 -1
  50. package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
  51. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
  52. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
  53. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
  54. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
  55. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
  56. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  57. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  58. package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
  59. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +10 -1
  60. package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +11 -2
  61. package/agents/backstage/README.md +36 -0
  62. package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
  63. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
  64. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
  65. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
  66. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
  67. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
  68. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
  69. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
  70. package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
  71. package/agents/cert-manager/README.md +46 -0
  72. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
  73. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
  74. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
  75. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
  76. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
  77. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
  78. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
  79. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
  80. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
  81. package/agents/cilium/README.md +46 -0
  82. package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
  83. package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  84. package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
  85. package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
  86. package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
  87. package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
  88. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  89. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  90. package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
  91. package/agents/falco/README.md +36 -0
  92. package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
  93. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
  94. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
  95. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
  96. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
  97. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
  98. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
  99. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
  100. package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
  101. package/agents/finops/README.md +27 -0
  102. package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +10 -1
  103. package/agents/fluxcd/README.md +39 -0
  104. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
  105. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
  106. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
  107. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
  108. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
  109. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
  110. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
  111. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
  112. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
  113. package/agents/istio/README.md +46 -0
  114. package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
  115. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
  116. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
  117. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
  118. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
  119. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
  120. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
  122. package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
  123. package/agents/kubernetes/README.md +143 -0
  124. package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
  125. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
  126. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
  127. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
  128. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
  129. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
  130. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
  131. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
  132. package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
  133. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
  134. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
  135. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
  136. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
  137. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
  138. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
  139. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
  140. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
  141. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
  142. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
  143. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  144. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
  145. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  146. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  147. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  148. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  149. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  150. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +36 -0
  151. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
  152. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
  153. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
  154. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
  155. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
  156. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
  157. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  158. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  159. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +36 -0
  160. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
  161. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  162. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
  163. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  164. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  165. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  166. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  167. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  168. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +36 -0
  169. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
  170. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  171. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
  172. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  173. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  174. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  175. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  176. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  177. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +36 -0
  178. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
  179. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
  180. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
  181. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
  182. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
  183. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
  184. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  185. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  186. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
  187. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
  188. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
  189. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
  190. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
  191. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
  192. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
  193. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  194. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
  195. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +37 -0
  196. package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
  197. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
  198. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
  199. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
  200. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
  201. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
  202. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  203. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  204. package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
  205. package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
  206. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
  207. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
  208. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
  209. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
  210. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
  211. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
  212. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
  213. package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
  214. package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
  215. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
  216. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
  217. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
  218. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
  219. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
  220. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
  221. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
  222. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +37 -0
  223. package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
  224. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
  225. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
  226. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
  227. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
  228. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
  229. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
  230. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
  231. package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
  232. package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
  233. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
  234. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
  235. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
  236. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
  237. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
  238. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
  239. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
  240. package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
  241. package/agents/kyverno/README.md +46 -0
  242. package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
  243. package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  244. package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
  245. package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
  246. package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
  247. package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
  248. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  249. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  250. package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
  251. package/agents/oci/README.md +45 -0
  252. package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
  253. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  254. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
  255. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  256. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  257. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  258. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  259. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  260. package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
  261. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +11 -2
  262. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +11 -2
  263. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +10 -1
  264. package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
  265. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
  266. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
  267. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
  268. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
  269. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
  270. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  271. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  272. package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
  273. package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +11 -2
  274. package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +10 -1
  275. package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +10 -1
  276. package/agents/opentelemetry/README.md +37 -0
  277. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
  278. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
  279. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
  280. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
  281. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
  282. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
  283. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
  284. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
  285. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
  286. package/agents/prometheus/README.md +36 -0
  287. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
  288. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
  289. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
  290. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
  291. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
  292. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
  293. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
  294. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
  295. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
  296. package/agents/sigstore/README.md +38 -0
  297. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
  298. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
  299. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
  300. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
  301. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
  302. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
  303. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
  304. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
  305. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
  306. package/agents/terraform/README.md +29 -0
  307. package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
  308. package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
  309. package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
  310. package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
  311. package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
  312. package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
  313. package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
  314. package/agents/terraform/terraform-reviewer/metadata.json +10 -1
  315. package/agents/velero/README.md +41 -0
  316. package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
  317. package/catalog/agents.json +1452 -634
  318. package/catalog/install-roles.json +455 -0
  319. package/catalog/skill-manifest.json +757 -3
  320. package/catalog/skills.json +1298 -528
  321. package/package.json +11 -1
  322. package/scripts/export-marketplace-agents.mjs +100 -9
  323. package/scripts/update-catalog-new-agents.py +88 -0
  324. package/skills/argocd/README.md +30 -0
  325. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +40 -0
  326. package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
  327. package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
  328. package/skills/argocd/argocd-gitops-review/SKILL.md +43 -0
  329. package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
  330. package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
  331. package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
  332. package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
  333. package/skills/aws/README.md +3 -1
  334. package/skills/aws/aws-maestro/references/workflow-and-output.md +2 -0
  335. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +39 -0
  336. package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
  337. package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
  338. package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
  339. package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
  340. package/skills/azure/README.md +3 -1
  341. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +37 -0
  342. package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
  343. package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
  344. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +56 -0
  345. package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
  346. package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
  347. package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
  348. package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
  349. package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
  350. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +39 -0
  351. package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
  352. package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
  353. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +40 -0
  354. package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
  355. package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
  356. package/skills/cilium/README.md +30 -0
  357. package/skills/cilium/cilium-network-policy-review/SKILL.md +43 -0
  358. package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
  359. package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
  360. package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
  361. package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
  362. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +37 -0
  363. package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
  364. package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
  365. package/skills/finops/README.md +30 -0
  366. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +40 -0
  367. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
  368. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
  369. package/skills/istio/README.md +28 -0
  370. package/skills/istio/istio-ambient-mesh-review/SKILL.md +43 -0
  371. package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
  372. package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
  373. package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
  374. package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
  375. package/skills/kubernetes/README.md +30 -0
  376. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +37 -0
  377. package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
  378. package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
  379. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +40 -0
  380. package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
  381. package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
  382. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +57 -0
  383. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
  384. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
  385. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
  386. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
  387. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
  388. package/skills/kubernetes/kubernetes-maestro/SKILL.md +45 -0
  389. package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
  390. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
  391. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
  392. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +43 -0
  393. package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
  394. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
  395. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
  396. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
  397. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +38 -0
  398. package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
  399. package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
  400. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +38 -0
  401. package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
  402. package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
  403. package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
  404. package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
  405. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +43 -0
  406. package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
  407. package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
  408. package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
  409. package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
  410. package/skills/kyverno/README.md +30 -0
  411. package/skills/kyverno/kyverno-policy-review/SKILL.md +43 -0
  412. package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
  413. package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
  414. package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
  415. package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
  416. package/skills/oci/README.md +63 -0
  417. package/skills/oci/oci-certificates-issuer-review/SKILL.md +37 -0
  418. package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
  419. package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
  420. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +57 -0
  421. package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
  422. package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
  423. package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
  424. package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
  425. package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
  426. package/skills/opentelemetry/README.md +31 -0
  427. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +44 -0
  428. package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
  429. package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
  430. package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
  431. package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
  432. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +38 -0
  433. package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
  434. package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
  435. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +39 -0
  436. package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
  437. package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
  438. package/skills/terraform/README.md +29 -0
  439. package/skills/velero/velero-backup-restore-guard/SKILL.md +41 -0
  440. package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
  441. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
  442. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,106 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Workflow
4
+
5
+ ### Step 1 — Identify the policy and its scope
6
+
7
+ 1. Confirm the policy kind: `ValidatingPolicy`, `MutatingPolicy`, `GeneratingPolicy`, `DeletingPolicy`, `ImageValidatingPolicy` (stable `policies.kyverno.io/v1`), or legacy `ClusterPolicy` / `Policy`.
8
+ 2. Confirm the match scope: namespace-scoped (`Policy`) vs cluster-scoped (`ClusterPolicy` / new v1 kinds).
9
+ 3. Confirm the API version. The stable `policies.kyverno.io/v1` API is the recommended target — see the [Kyverno policy types overview](https://kyverno.io/docs/policy-types/overview/).
10
+ 4. Confirm match conditions in `spec.match` — kinds, names, namespaces, labels, annotations. Any `kinds: ['*']` with no further filter is high-blast-radius.
11
+
12
+ ### Step 2 — Identify the failure mode
13
+
14
+ 1. Locate `spec.rules[].validate.failureAction` (newer API) or `spec.validationFailureAction` (legacy).
15
+ 2. Two values exist: `Enforce` (admission denied on violation) and `Audit` (admission allowed, violation recorded in PolicyReport).
16
+ 3. **Critical finding**: any production-relevant policy with `failureAction: Audit` and no plan to migrate to `Enforce`. The policy is a logging shim, not a control.
17
+ 4. Also confirm `spec.background` — when `false`, the policy only evaluates at admission time; existing resources are not scanned.
18
+ 5. Reference: [Validate rules — failureAction semantics](https://kyverno.io/docs/policy-types/cluster-policy/validate/).
19
+
20
+ ### Step 3 — Challenge dangerous policy patterns
21
+
22
+ Flag the following as high-severity findings:
23
+
24
+ - **`failureAction: Audit` in production** — silent allow path; PolicyReports accumulate without enforcement.
25
+ - **`background: false` + match scope that does not match admission requests** — policy never runs; effectively dead code.
26
+ - **`match` with `kinds: ['*']` and no namespace selector** — cluster-wide blast radius; one mis-written CEL expression breaks every admission.
27
+ - **`exclude` clause that exempts entire `kube-system` or operator namespaces** — operators bypass policy that should still apply (e.g., image signing).
28
+ - **`failurePolicy: Ignore` on the underlying ValidatingWebhookConfiguration** — Kyverno controller failures silently allow. See the [Kubernetes admission webhook reference](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).
29
+ - **CEL expressions referencing `request.userInfo` without a deny default** — easy to bypass with a service account named in an exception.
30
+
31
+ ### Step 4 — Audit every PolicyException
32
+
33
+ A PolicyException is a documented bypass. Treat every one as audit evidence requiring four facts:
34
+
35
+ 1. **Owner**: who created it and is on call for the exempted resources?
36
+ 2. **Reason**: why does this resource not meet the policy?
37
+ 3. **Expiry**: is there a date or condition under which this exception is removed? Kyverno does not enforce expiry — this must be a documented commitment.
38
+ 4. **Scope**: which resources, namespaces, and rules are exempted?
39
+
40
+ Reference: [Kyverno PolicyExceptions](https://kyverno.io/docs/exceptions/).
41
+
42
+ Stress-test exceptions:
43
+
44
+ - An exception with `match.any.resources.kinds: ['*']` exempts everything — almost always too broad.
45
+ - An exception that exempts the `default` ServiceAccount — effectively exempts every workload that hasn't bound an SA.
46
+ - An exception that exempts a `ClusterPolicy` with `failureAction: Enforce` quietly demotes the policy to `Audit` for the matched scope.
47
+
48
+ ### Step 5 — Audit ImageValidatingPolicy specifically
49
+
50
+ For `ImageValidatingPolicy` (and legacy `verifyImages` rules), confirm:
51
+
52
+ 1. **Public key or KMS key reference** is present and points to a real attestation root (Sigstore / Cosign / Notary / KMS-backed).
53
+ 2. **`mutateDigest: true`** — replaces the mutable image tag with the immutable digest at admission. Without this, the verified image can be replaced after admission.
54
+ 3. **`verifyDigest: true`** — re-checks the digest against the verified attestation chain.
55
+ 4. **`required: true`** on the verification rule — without this, missing signatures pass.
56
+ 5. **`match` covers all production registries**, not just public Docker Hub.
57
+ 6. **No `imageReferences: ['*']` with `skip: true`** — total signature bypass.
58
+
59
+ Reference: [Kyverno verify-images / ImageValidatingPolicy](https://kyverno.io/docs/policy-types/cluster-policy/verify-images/).
60
+
61
+ ### Step 6 — Evaluate Kyverno vs native ValidatingAdmissionPolicy (CEL)
62
+
63
+ Native `ValidatingAdmissionPolicy` (CEL) shipped stable in Kubernetes 1.30 ([reference](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/)). Kyverno can compile its own policies into native VAP — see [Kyverno docs on VAP generation](https://kyverno.io/docs/policy-types/cluster-policy/validate/).
64
+
65
+ Choose **native VAP** when:
66
+
67
+ - The policy is pure validation (no mutation, no generation, no image verification, no cleanup).
68
+ - The CEL expression alone is sufficient — no JMESPath, no API lookup, no `context.apiCall`, no foreach.
69
+ - You want fewer moving parts in the admission path (no Kyverno controller).
70
+
71
+ Stay with **Kyverno** when:
72
+
73
+ - You need mutation, generation, cleanup, or image verification.
74
+ - You need cross-resource lookups (`context.apiCall`).
75
+ - You need PolicyReports for compliance evidence.
76
+ - You need PolicyExceptions managed declaratively.
77
+
78
+ Recommend a path explicitly. "Could be native VAP" without a recommendation is incomplete review.
79
+
80
+ ### Step 7 — Stress-test operational hygiene
81
+
82
+ - Prefer policies authored with `policies.kyverno.io/v1` over legacy `kyverno.io/v1` — the new API is the long-term path.
83
+ - Prefer explicit `match.any.resources.kinds` lists over wildcards.
84
+ - Prefer policies with `background: true` so existing resources are scanned (catches drift).
85
+ - Prefer policies that emit clear `message` text — admission rejections show this string to the user, and a vague rejection message wastes engineer time.
86
+ - Reports Server should be installed when policy reports are needed at scale — etcd-backed PolicyReports do not scale beyond a few thousand violations. See [Kyverno installation](https://kyverno.io/docs/installation/).
87
+
88
+ ## Output
89
+
90
+ Return:
91
+
92
+ - **target**: policy kind, name, match scope, and API version,
93
+ - **evidence level**: `live evidence` / `documentation-based` / `sanitized user evidence` / `inference`,
94
+ - **failure mode**: `Enforce` vs `Audit`, with judgment on whether this matches production posture,
95
+ - **risk findings** (with severity: high / medium / low) — including PolicyException audit, image verification posture, wildcard match, and admission webhook failurePolicy,
96
+ - **architectural recommendation**: stay with Kyverno, migrate to native VAP, or hybrid — with reason,
97
+ - **safest next actions** with sample manifest changes,
98
+ - **rollback plan**: how to remove or revert the policy without breaking running workloads,
99
+ - **assumptions and missing facts**.
100
+
101
+ ## Security notes
102
+
103
+ - Never recommend `failureAction: Audit` for a production-tier policy unless there is a written rollout plan to `Enforce` with a date.
104
+ - Never recommend exempting `cluster-admin`, the controller's own ServiceAccount, or wildcards in PolicyExceptions.
105
+ - Never recommend disabling image signature verification "temporarily" without a tracked re-enable date.
106
+ - Do not print Cosign private keys, Rekor signature blobs, or registry credentials. Reference key names only.
package/skills/oci/README.md ADDED
@@ -0,0 +1,63 @@
1
+ # 🟥 OCI Skills
2
+
3
+ <p align="center">
4
+ <img src="../../assets/logos/cloud/oci/oracle-cloud-infrastructure.png" alt="Oracle Cloud Infrastructure logo" width="140" />
5
+ </p>
6
+
7
+ This folder contains OCI-focused skills curated for this marketplace.
8
+
9
+ ## Local marketplace portfolio
10
+
11
+ This folder contains **37** local OCI skills:
12
+
13
+ - `oci-autonomous-database-architect`
14
+ - `oci-cloud-guard-responder`
15
+ - `oci-compute-instance-agent-operator`
16
+ - `oci-compute-platform-operator`
17
+ - `oci-cost-finops-analyst`
18
+ - `oci-database-platform-dba`
19
+ - `oci-dbtools-sql-analyst`
20
+ - `oci-devops-container-platform-engineer`
21
+ - `oci-exadata-database-architect`
22
+ - `oci-exadata-platform-architect`
23
+ - `oci-fusion-apps-environment-operator`
24
+ - `oci-goldengate-replication-operator`
25
+ - `oci-identity-access-governor`
26
+ - `oci-iot-digital-twin-engineer`
27
+ - `oci-limits-capacity-planner`
28
+ - `oci-live-autonomous-db-lifecycle-guard`
29
+ - `oci-live-cost-budget-runaway-guard`
30
+ - `oci-live-iam-policy-compartment-guard`
31
+ - `oci-live-network-security-rule-guard`
32
+ - `oci-live-oke-rollout-guard`
33
+ - `oci-live-resource-manager-stack-guard`
34
+ - `oci-live-vault-key-destruction-guard`
35
+ - `oci-load-balancer-traffic-engineer`
36
+ - `oci-maestro`
37
+ - `oci-migration-cutover-architect`
38
+ - `oci-multi-cloud-architect`
39
+ - `oci-mysql-heatwave-ai-specialist`
40
+ - `oci-network-architect`
41
+ - `oci-observability-incident-responder`
42
+ - `oci-recovery-service-operator`
43
+ - `oci-registry-artifact-governor`
44
+ - `oci-resource-search-inventory-analyst`
45
+ - `oci-security-compliance-reviewer`
46
+ - `oci-solution-architect`
47
+ - `oci-storage-backup-steward`
48
+ - `oci-support-incident-coordinator`
49
+ - `oracle-oci-mcp-grounded-advisor`
50
+
51
+ ## Portfolio posture
52
+
53
+ Role-based OCI skills for evidence-backed architecture, database operations, security, networking, FinOps, identity governance, and guarded live-environment operations.
54
+
55
+ These skills are intentionally conservative:
56
+
57
+ - prefer `oracle-oci-mcp-grounded-advisor` via OCI MCP server when available for live OCI state grounding
58
+ - prefer read-only discovery before mutation
59
+ - require explicit OCID, compartment, tenancy confirmation, approval, rollback posture, and verification for guarded live actions
60
+ - challenge overly broad IAM policies, missing compartment isolation, public exposure, and unclear resource ownership
61
+ - use official OCI documentation and live CLI evidence when service behavior matters
62
+
63
+ Run `npm run validate` after changing cataloged OCI skills.
package/skills/oci/oci-certificates-issuer-review/SKILL.md ADDED
@@ -0,0 +1,37 @@
1
+ ---
2
+ name: oci-certificates-issuer-review
3
+ description: Use this skill when reviewing OCI Certificates Service issuer configurations for cert-manager on OKE. Trigger on any request to audit OCI CA hierarchy, issuance rules, OKE Workload Identity vs Instance Principal auth, IAM policy scope, OCSP reachability, or certificate version management.
4
+ metadata:
5
+ author: "github: Raishin"
6
+ version: "0.1.0"
7
+ ---
8
+
9
+ # OCI Certificates Issuer Review
10
+
11
+ ## Purpose
12
+
13
+ Review Oracle Cloud Infrastructure (OCI) Certificates Service configurations used as cert-manager issuers on OKE (Oracle Kubernetes Engine). Identify CA hierarchy misconfigurations (root vs subordinate), missing issuance rules, overly broad IAM policies, Instance Principal authentication scope risks, OCSP reachability gaps, and certificate version accumulation. Output severity-labeled findings with evidence and remediation steps.
14
+
15
+ ## Lean operating rules
16
+
17
+ - Flag any OCI issuer that references a ROOT CA directly as CRITICAL — only a SUBORDINATE CA should be used for cert-manager issuance. The ROOT CA must be offline (disabled after subordinate creation) or kept entirely out of the Certificates Service.
18
+ - Check whether OCI issuance rules are configured on the subordinate CA: flag missing validity caps (>90d) and missing key algorithm restrictions (RSA <2048 or EC <P-256) as MEDIUM.
19
+ - Identify the authentication method used by cert-manager to call OCI APIs: flag Instance Principal auth as HIGH — any pod on the OKE node can call the OCI Certificates API via instance metadata. Correct method is OKE Workload Identity (SA-bound, pod-level).
20
+ - Review the OCI IAM policy for cert-manager: flag `manage certificate-authorities` (grants delete/update CA) as HIGH. Minimum required: `use certificate-authorities` with `request.permission='CREATE_CERTIFICATE_REQUEST'`.
21
+ - Check OCSP reachability from OKE worker nodes to `ocsp.pki.oraclecloud.com`. Flag unreachable OCSP endpoint as MEDIUM (soft-fail revocation = revoked certs accepted by most TLS stacks).
22
+ - Review certificate version count; flag high version accumulation (> 10 versions per cert) as LOW (storage cost and management overhead).
23
+ - Label all findings as live evidence, documentation-based, or inference.
24
+
25
+ ## References
26
+
27
+ Load these only when needed:
28
+
29
+ - [Workflow and output contract](references/workflow-and-output.md)
30
+
31
+ ## Response minimum
32
+
33
+ - Severity-labeled findings list (CRITICAL / HIGH / MEDIUM / LOW)
34
+ - Evidence source for each finding
35
+ - Specific resource name, CA OCID, or IAM policy statement that caused the finding
36
+ - Recommended remediation with example OCI CLI command or IAM policy snippet
37
+ - Overall OCI PKI trust posture verdict
package/skills/oci/oci-certificates-issuer-review/metadata.json ADDED
@@ -0,0 +1,20 @@
1
+ {
2
+ "id": "oci-certificates-issuer-review",
3
+ "name": "OCI Certificates Issuer Review",
4
+ "type": "skill",
5
+ "provider": "oci",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review OCI Certificates Service issuer configurations for cert-manager on OKE, covering CA hierarchy safety, issuance rule enforcement, OKE Workload Identity vs Instance Principal authentication, IAM policy scope minimization, OCSP reachability, and certificate version lifecycle management.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://docs.oracle.com/en-us/iaas/Content/certificates/home.htm",
11
+ "https://docs.oracle.com/en-us/iaas/Content/certificates/managing-certificate-authority.htm",
12
+ "https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingworkloadidentity.htm",
13
+ "https://github.com/oracle/oci-native-ingress-controller"
14
+ ],
15
+ "security_notes": "Instance Principal auth for cert-manager on OKE means ANY pod on the node can call the OCI Certificates API using the instance metadata endpoint — not just cert-manager. Use OKE Workload Identity to scope cert-issuance permissions to the cert-manager ServiceAccount only. IAM policy with 'manage certificate-authorities' grants delete and update CA permissions, which is excessive for cert-manager.",
16
+ "last_verified": "2026-05-02",
17
+ "path": "skills/oci/oci-certificates-issuer-review",
18
+ "author": "github: Raishin",
19
+ "version": "0.1.0"
20
+ }
package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,207 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Review Workflow
4
+
5
+ ### Step 1 — Identify the CA and issuer configuration
6
+
7
+ Retrieve the OCI cert-manager issuer resource:
8
+
9
+ ```bash
10
+ kubectl get issuer -A -o yaml | grep -A20 "oci\|oracle"
11
+ kubectl get clusterissuer -o yaml | grep -A20 "oci\|oracle"
12
+ ```
13
+
14
+ Extract the CA OCID from the issuer spec. Then inspect the CA in OCI:
15
+
16
+ ```bash
17
+ oci certs-mgmt certificate-authority get \
18
+ --certificate-authority-id <ca-ocid>
19
+ ```
20
+
21
+ Key fields to check:
22
+ - `type` — must be `SUBORDINATE` (not `ROOT`)
23
+ - `lifecycleState` — must be `ACTIVE`
24
+ - `issuerCertificateAuthorityId` — should reference a ROOT CA that is itself INACTIVE or not used for direct issuance
25
+
26
+ ### Step 2 — Validate CA type (root vs subordinate)
27
+
28
+ ```bash
29
+ oci certs-mgmt certificate-authority get \
30
+ --certificate-authority-id <ca-ocid> \
31
+ --query data.config-type \
32
+ --raw-output
33
+ ```
34
+
35
+ Expected values:
36
+ - `SUBORDINATE_CA_ISSUED_BY_INTERNAL_CA` — correct for cert-manager usage
37
+ - `ROOT_CA_GENERATED_INTERNALLY` — CRITICAL finding; root directly exposed to cert-manager
38
+
39
+ Also check the issuer CA's status:
40
+ ```bash
41
+ oci certs-mgmt certificate-authority get \
42
+ --certificate-authority-id <ca-ocid> \
43
+ --query data.lifecycle-state \
44
+ --raw-output
45
+ ```
46
+
47
+ ### Step 3 — Review issuance rules
48
+
49
+ List issuance rules configured on the CA:
50
+
51
+ ```bash
52
+ oci certs-mgmt certificate-authority get \
53
+ --certificate-authority-id <ca-ocid> \
54
+ --query "data.certificate-authority-rules"
55
+ ```
56
+
57
+ Check for:
58
+
59
+ ```json
60
+ {
61
+ "ruleType": "CERTIFICATE_AUTHORITY_MAX_VALIDITY_RULE",
62
+ "certificateMaxValidityDuration": "P90D"
63
+ }
64
+ ```
65
+
66
+ And key algorithm restriction:
67
+
68
+ ```json
69
+ {
70
+ "ruleType": "CERTIFICATE_AUTHORITY_ISSUANCE_EXPIRY_RULE",
71
+ "leafCertificateMaxValidityDuration": "P90D",
72
+ "certificateAuthorityMaxValidityDuration": "P3650D"
73
+ }
74
+ ```
75
+
76
+ **Flags:**
77
+ - No issuance rules configured (no validity cap) — MEDIUM (cert-manager can issue 10-year workload certs)
78
+ - Max validity > 365d for leaf certificates — MEDIUM
79
+ - No key algorithm restriction — MEDIUM (RSA-1024 issuance possible)
80
+
81
+ ### Step 4 — Identify authentication method
82
+
83
+ Check the cert-manager configuration for OCI auth method:
84
+
85
+ ```bash
86
+ # Check if OKE Workload Identity is configured
87
+ kubectl get serviceaccount cert-manager -n cert-manager \
88
+ -o jsonpath='{.metadata.annotations}'
89
+ ```
90
+
91
+ For OKE Workload Identity, the ServiceAccount should have OCI annotations:
92
+
93
+ ```yaml
94
+ annotations:
95
+ oci.oraclecloud.com/role-binding: "<dynamic-group-name>"
96
+ ```
97
+
98
+ For Instance Principal auth, check if the cert-manager pod uses the instance metadata endpoint:
99
+
100
+ ```bash
101
+ # Check the cert-manager deployment for OCI config
102
+ kubectl get deployment cert-manager -n cert-manager -o yaml | grep -i "oci\|instance\|workload"
103
+ ```
104
+
105
+ **Auth method comparison:**
106
+
107
+ | Method | Scope | Risk |
108
+ |--------|-------|------|
109
+ | OKE Workload Identity | ServiceAccount-bound (pod-level) | Correct — minimum scope |
110
+ | Instance Principal | Node-level (all pods on node) | HIGH — any pod can issue certs |
111
+ | User auth (API key) | User credentials in secret | HIGH — credential rotation required |
112
+
113
+ ### Step 5 — Review IAM policy
114
+
115
+ Retrieve the IAM policy for cert-manager:
116
+
117
+ ```bash
118
+ oci iam policy list --compartment-id <compartment-id> --all \
119
+ --query "data[?contains(statements[0], 'certificate-authority')]"
120
+ ```
121
+
122
+ Minimum required policy statement:
123
+
124
+ ```
125
+ Allow dynamic-group CertManagerDynamicGroup to use certificate-authorities
126
+ in compartment <compartment-name>
127
+ where request.permission='CREATE_CERTIFICATE_REQUEST'
128
+ ```
129
+
130
+ **Flag as HIGH if the policy includes any of:**
131
+ - `manage certificate-authorities` (grants delete, update, disable, schedule-deletion)
132
+ - `manage certificates` without compartment scoping (affects all certs)
133
+ - Wildcard resources or compartment `tenancy` instead of scoped compartment
134
+
135
+ Additional permissions needed for cert-manager to retrieve issued certs:
136
+
137
+ ```
138
+ Allow dynamic-group CertManagerDynamicGroup to read certificates
139
+ in compartment <compartment-name>
140
+ ```
141
+
142
+ ### Step 6 — Check OCSP reachability
143
+
144
+ The OCI OCSP endpoint is `ocsp.pki.oraclecloud.com`. Verify reachability from OKE worker nodes:
145
+
146
+ ```bash
147
+ # From within an OKE node or debug pod
148
+ curl -sv https://ocsp.pki.oraclecloud.com/
149
+ ```
150
+
151
+ For OKE clusters with no internet gateway or restrictive security group rules:
152
+
153
+ ```bash
154
+ # Check security list / NSG rules for outbound HTTPS to OCI OCSP
155
+ oci network security-list list --vcn-id <vcn-id> \
156
+ --query "data[].egress-security-rules[]"
157
+ ```
158
+
159
+ OCI OCSP endpoints use HTTPS (443). Ensure the OKE worker node security group allows outbound TCP/443 to OCI service endpoints. Using a Service Gateway with the `OCI Services in Oracle Services Network` service covers OCI PKI endpoints.
160
+
161
+ **Flags:**
162
+ - No Service Gateway configured and no internet gateway (OCI OCSP unreachable) — MEDIUM
163
+ - Security group blocks TCP/443 outbound to OCI service network — MEDIUM
164
+
165
+ ### Step 7 — Review certificate version count
166
+
167
+ ```bash
168
+ oci certs-mgmt certificate list-certificate-versions \
169
+ --certificate-id <cert-ocid> \
170
+ --all \
171
+ --query "length(data)"
172
+ ```
173
+
174
+ Each cert rotation by cert-manager creates a new version. Old versions should be cleaned up to avoid high version counts.
175
+
176
+ **Flags:**
177
+ - Certificate version count > 10 — LOW (storage cost and management overhead)
178
+ - No automated cleanup of old versions configured — LOW
179
+
180
+ ---
181
+
182
+ ## Output Format
183
+
184
+ ### Finding: `<short title>`
185
+
186
+ | Field | Value |
187
+ |-------|-------|
188
+ | Severity | CRITICAL / HIGH / MEDIUM / LOW |
189
+ | Resource | CA OCID, IAM policy name, or cert name |
190
+ | Evidence | documentation-based / live evidence / inference |
191
+ | Description | What is wrong and its impact on PKI trust |
192
+ | Remediation | OCI CLI command, IAM policy statement, or configuration change |
193
+
194
+ ---
195
+
196
+ ### Overall OCI PKI Trust Posture
197
+
198
+ | Category | Status |
199
+ |----------|--------|
200
+ | CA hierarchy (subordinate only) | PASS / FAIL |
201
+ | Issuance rules (validity caps) | PASS / FAIL |
202
+ | Authentication method (Workload Identity) | PASS / FAIL |
203
+ | IAM policy scope (minimum permissions) | PASS / FAIL |
204
+ | OCSP reachability | PASS / FAIL |
205
+ | Certificate version lifecycle | PASS / FAIL |
206
+
207
+ **Verdict:** TRUSTED / UNTRUSTED / CONDITIONAL (list conditions)
package/skills/oci/oci-live-network-security-rule-guard/SKILL.md ADDED
@@ -0,0 +1,57 @@
1
+ ---
2
+ name: oci-live-network-security-rule-guard
3
+ description: Guard live OCI Security List and Network Security Group (NSG) rule changes with current-state capture, open-internet and sensitive-port detection, stateful/stateless assessment, and explicit approval before ingress or egress rule mutation. Use only when an intentional network rule change targets a confirmed VCN component.
4
+ metadata:
5
+ author: "github: Raishin"
6
+ version: "0.1.0"
7
+ ---
8
+
9
+ # OCI Live Network Security Rule Guard
10
+
11
+ ## Purpose
12
+
13
+ Act as the guarded live OCI operator for oci-live-network-security-rule-guard work. Security List and NSG rule changes take effect immediately with no native rollback. A wrong ingress rule exposes databases or compute to the internet instantly; a wrong egress rule can black-hole traffic for entire subnets. Treat every rule mutation as irreversible until the previous state is explicitly captured and restoration is confirmed possible.
14
+
15
+ ## When to use
16
+
17
+ Use this skill when:
18
+
19
+ - an ingress or egress rule must be added, modified, or removed from an OCI Security List or NSG in a live VCN
20
+ - a network access audit finds over-broad CIDR blocks (`0.0.0.0/0`) or sensitive-port exposures that must be tightened
21
+ - a workload migration requires opening or closing ports and the blast radius must be confirmed before write
22
+
23
+ ## Lean operating rules
24
+
25
+ - Prefer OCI CLI (`oci`) official documentation when available; fall back to Oracle Cloud docs and sanitized user evidence.
26
+ - Do not execute any Security List or NSG rule mutation until tenancy, compartment, VCN OCID, target Security List or NSG OCID, and exact rule change are all explicit.
27
+ - Capture the complete current rule set (`oci network security-list get` or `oci network nsg rules list`) as rollback evidence before any write.
28
+ - Flag the following as high-severity and require explicit justification before proceeding:
29
+ - Any ingress rule with source `0.0.0.0/0` (open to internet)
30
+ - Any egress rule with destination `0.0.0.0/0` and protocol `all` without restriction
31
+ - Rules permitting port 22 (SSH), 3389 (RDP), 1521/1522 (Oracle DB), 3306 (MySQL), 5432 (PostgreSQL) from `0.0.0.0/0`
32
+ - Stateless rules on subnets hosting databases or internal APIs (no connection tracking = asymmetric traffic risk)
33
+ - Changes to Security Lists attached to database subnets (Autonomous DB, Exadata, DB System)
34
+ - If the request skips current-state capture, CIDR scope confirmation, or subnet-criticality assessment, push back.
35
+ - Never print API signing keys, auth tokens, tenancy OCIDs, or instance credentials. Summarize sanitized evidence only.
36
+ - Load references only when needed.
37
+
38
+ ## References
39
+
40
+ Load these only when needed:
41
+
42
+ - [Preflight commands](references/preflight-commands.md) — OCI CLI commands to inspect current rules and capture rollback state before any mutation.
43
+ - [Rollback playbook](references/rollback-playbook.md) — how to restore a previous Security List or NSG rule set after a bad change.
44
+ - [Permission model](references/permission-model.md) — least-privilege IAM policy for network rule mutation and read-only audit.
45
+ - [Official sources](references/official-sources.md) — authoritative OCI documentation links.
46
+
47
+ ## Response minimum
48
+
49
+ Return, at minimum:
50
+
51
+ - confirmed tenancy, compartment, VCN, and target Security List or NSG OCID
52
+ - current rule set capture (rollback baseline)
53
+ - risk classification of the proposed rule (open-internet / sensitive-port / safe)
54
+ - stateful vs stateless assessment and subnet criticality
55
+ - approval status with explicit business justification
56
+ - rollback command to restore prior rule state
57
+ - post-change connectivity verification steps or refusal reason
package/skills/oci/oci-live-network-security-rule-guard/metadata.json ADDED
@@ -0,0 +1,28 @@
1
+ {
2
+ "id": "oci-live-network-security-rule-guard",
3
+ "name": "OCI Live Network Security Rule Guard",
4
+ "type": "skill",
5
+ "provider": "oci",
6
+ "harnesses": [
7
+ "codex",
8
+ "claude-code",
9
+ "cursor",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Guard live OCI Security List and NSG rule changes with current-state capture, open-internet and sensitive-port detection, stateful/stateless assessment, and explicit approval before ingress or egress mutation.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm",
18
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm",
19
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/manage-nsg-security-rules.htm",
20
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/update-securitylist.htm",
21
+ "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/path_analyzer.htm"
22
+ ],
23
+ "security_notes": "oci network security-list update is a full replace — always capture the complete current rule set before writing. Never approve 0.0.0.0/0 ingress rules on database subnets. Prefer NSGs over Security Lists for production database VNICs to minimize blast radius. Enable VCN Flow Logs before any rule change for forensic coverage.",
24
+ "last_verified": "2026-05-01",
25
+ "path": "skills/oci/oci-live-network-security-rule-guard",
26
+ "author": "github: Raishin",
27
+ "version": "0.1.0"
28
+ }
package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md ADDED
@@ -0,0 +1,21 @@
1
+ # Official Sources
2
+
3
+ Load these only when needed:
4
+
5
+ - [Security Lists](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm) — use for Security List model, ingress/egress rule structure, stateful vs stateless semantics, and maximum rule limits.
6
+ - [Network Security Groups](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm) — use for NSG model, VNIC-level vs subnet-level application, and NSG vs Security List trade-offs.
7
+ - [Managing NSG Security Rules](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/manage-nsg-security-rules.htm) — use for `oci network nsg rules add`, `update`, `remove`, and `list` CLI syntax.
8
+ - [Updating a Security List](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/update-securitylist.htm) — use for `oci network security-list update` full-replace semantics and required parameters.
9
+ - [Network Path Analyzer](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/path_analyzer.htm) — use for simulating end-to-end network paths through Security Lists, NSGs, route tables, and gateways before approving a rule change.
10
+ - [VCN Flow Logs](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/vcn-flow-logs.htm) — use when enabling forensic coverage for a subnet before or after a security rule change.
11
+ - [OCI IAM Policy Reference — Network](https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/networkpolicyreference.htm) — use for least-privilege IAM policy statements covering `security-lists`, `network-security-groups`, and `virtual-network-family`.
12
+
13
+ ## Grounded insights worth carrying into the skill
14
+
15
+ - `oci network security-list update` performs a **full replace** of the entire ingress or egress rule set — partial updates are not possible. Always pass the complete desired rule list including rules you want to keep.
16
+ - OCI Security Lists are **stateful by default** (`stateless: false`). Return traffic is automatically allowed. Stateless rules require explicit return rules and are a common source of asymmetric traffic failures.
17
+ - NSG rule IDs are required for deletion (`oci network nsg rules remove`). Capture rule IDs from `oci network nsg rules list` before any mutation.
18
+ - A Security List is attached to a subnet, not a VNIC. One change affects every instance in that subnet simultaneously — blast radius scales with subnet size.
19
+ - NSGs are attached to individual VNICs, giving finer-grained control but requiring per-VNIC management. Prefer NSGs for production database servers over Security Lists for reduced blast radius.
20
+ - VCN Flow Logs must be explicitly enabled per subnet — they are not on by default. Without them, there is no record of traffic through an accidentally opened rule.
21
+ - The `0.0.0.0/0` ingress source in OCI context still includes traffic from peered VCNs, DRG-attached networks, and FastConnect circuits if routing allows — it is never safe to assume it means "internet only."
package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md ADDED
@@ -0,0 +1,65 @@
1
+ # Permission Model: OCI Live Network Security Rule Guard
2
+
3
+ ## Least-privilege IAM policy for network rule read (preflight only)
4
+
5
+ ```
6
+ Allow group NetworkAuditors to read virtual-network-family in compartment <compartment>
7
+ Allow group NetworkAuditors to read vcns in compartment <compartment>
8
+ Allow group NetworkAuditors to read security-lists in compartment <compartment>
9
+ Allow group NetworkAuditors to read network-security-groups in compartment <compartment>
10
+ Allow group NetworkAuditors to read subnets in compartment <compartment>
11
+ Allow group NetworkAuditors to read db-systems in compartment <compartment>
12
+ Allow group NetworkAuditors to read autonomous-databases in compartment <compartment>
13
+ ```
14
+
15
+ Read-only audit: use `inspect` or `read` verbs only. Never `manage` for auditors.
16
+
17
+ ## Least-privilege IAM policy for network rule mutation (guarded operator only)
18
+
19
+ ```
20
+ Allow group NetworkOperators to manage security-lists in compartment <compartment>
21
+ Allow group NetworkOperators to manage network-security-groups in compartment <compartment>
22
+ Allow group NetworkOperators to read vcns in compartment <compartment>
23
+ Allow group NetworkOperators to read subnets in compartment <compartment>
24
+ ```
25
+
26
+ Do **not** grant `manage virtual-network-family` — that is broader than needed and includes VCN, route tables, internet gateways, and peering.
27
+
28
+ ## Risk classification by rule type
29
+
30
+ | Rule | Risk | Reason |
31
+ |---|---|---|
32
+ | Ingress `0.0.0.0/0` any protocol | Critical | Open internet access to entire subnet |
33
+ | Ingress `0.0.0.0/0` port 22 | Critical | SSH from internet — never acceptable in production |
34
+ | Ingress `0.0.0.0/0` port 3389 | Critical | RDP from internet — never acceptable in production |
35
+ | Ingress `0.0.0.0/0` port 1521/1522 | Critical | Oracle DB from internet — data exfiltration path |
36
+ | Ingress `0.0.0.0/0` port 3306/5432 | Critical | MySQL/PostgreSQL from internet |
37
+ | Ingress from VCN CIDR, specific port | Low | Internal only — verify VCN CIDR is not transit-routed |
38
+ | Egress `0.0.0.0/0` all | Medium | Standard but verify no data-loss risk for DB subnets |
39
+ | Stateless rule on DB subnet | High | No connection tracking — asymmetric TCP risk |
40
+
41
+ ## Stateful vs stateless
42
+
43
+ - **Stateful** (default, `stateless: false`): OCI tracks connection state and automatically allows return traffic. Use for all production workloads.
44
+ - **Stateless** (`stateless: true`): Higher performance, but return traffic requires an explicit rule in the opposite direction. A missing return rule silently drops responses. Only use when performance benchmarked at scale.
45
+
46
+ ## Subnet criticality classification
47
+
48
+ | Subnet pattern | Classification |
49
+ |---|---|
50
+ | Hosts Autonomous DB, DB System, Exadata | Database — highest protection |
51
+ | Hosts compute instances with public IP | Public compute — ingress rules must be minimal |
52
+ | Private subnet (`prohibit-public-ip: true`) | Internal — `0.0.0.0/0` still covers all VCN-routed traffic |
53
+ | Bastion subnet | Bastion — SSH/RDP ingress from known CIDRs only |
54
+
55
+ ## OCI Network Path Analyzer — preferred verification tool
56
+
57
+ Before approving a connectivity change, use Path Analyzer to simulate the traffic path:
58
+ ```bash
59
+ oci network path-analyzer-test create \
60
+ --compartment-id <COMPARTMENT_OCID> \
61
+ --protocol-parameters '{"type":"TCP","destinationPort":<PORT>}' \
62
+ --source-endpoint '{"type":"COMPUTE_INSTANCE","instanceId":"<INSTANCE_OCID>"}' \
63
+ --destination-endpoint '{"type":"IP_ADDRESS","address":"<DEST_IP>"}'
64
+ ```
65
+ Path Analyzer respects Security Lists, NSGs, route tables, and service gateways — use it as the final approval gate for any rule change.