@raishin/vanguard-frontier-agentic 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (442) hide show
  1. package/README.md +231 -113
  2. package/agents/AGENTS.md +263 -21
  3. package/agents/argocd/README.md +46 -0
  4. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
  5. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
  6. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
  7. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
  8. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
  9. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
  10. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
  11. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
  12. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
  13. package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
  14. package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
  15. package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
  16. package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
  17. package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
  18. package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
  19. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
  20. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
  21. package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
  22. package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
  23. package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
  24. package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
  25. package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
  26. package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
  27. package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
  28. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  29. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
  30. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  31. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  32. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  33. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  34. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  35. package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
  36. package/agents/azure/README.md +45 -0
  37. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
  38. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  39. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
  40. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  41. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  42. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  43. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  44. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  45. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
  46. package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +10 -1
  47. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +10 -1
  48. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +10 -1
  49. package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +10 -1
  50. package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
  51. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
  52. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
  53. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
  54. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
  55. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
  56. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  57. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  58. package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
  59. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +10 -1
  60. package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +11 -2
  61. package/agents/backstage/README.md +36 -0
  62. package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
  63. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
  64. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
  65. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
  66. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
  67. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
  68. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
  69. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
  70. package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
  71. package/agents/cert-manager/README.md +46 -0
  72. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
  73. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
  74. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
  75. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
  76. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
  77. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
  78. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
  79. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
  80. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
  81. package/agents/cilium/README.md +46 -0
  82. package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
  83. package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  84. package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
  85. package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
  86. package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
  87. package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
  88. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  89. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  90. package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
  91. package/agents/falco/README.md +36 -0
  92. package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
  93. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
  94. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
  95. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
  96. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
  97. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
  98. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
  99. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
  100. package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
  101. package/agents/finops/README.md +27 -0
  102. package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +10 -1
  103. package/agents/fluxcd/README.md +39 -0
  104. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
  105. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
  106. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
  107. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
  108. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
  109. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
  110. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
  111. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
  112. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
  113. package/agents/istio/README.md +46 -0
  114. package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
  115. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
  116. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
  117. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
  118. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
  119. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
  120. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
  122. package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
  123. package/agents/kubernetes/README.md +143 -0
  124. package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
  125. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
  126. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
  127. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
  128. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
  129. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
  130. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
  131. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
  132. package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
  133. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
  134. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
  135. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
  136. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
  137. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
  138. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
  139. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
  140. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
  141. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
  142. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
  143. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  144. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
  145. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  146. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  147. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  148. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  149. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  150. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +36 -0
  151. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
  152. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
  153. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
  154. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
  155. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
  156. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
  157. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  158. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  159. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +36 -0
  160. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
  161. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  162. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
  163. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  164. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  165. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  166. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  167. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  168. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +36 -0
  169. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
  170. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  171. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
  172. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  173. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  174. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  175. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  176. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  177. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +36 -0
  178. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
  179. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
  180. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
  181. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
  182. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
  183. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
  184. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  185. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  186. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
  187. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
  188. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
  189. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
  190. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
  191. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
  192. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
  193. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  194. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
  195. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +37 -0
  196. package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
  197. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
  198. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
  199. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
  200. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
  201. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
  202. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  203. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  204. package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
  205. package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
  206. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
  207. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
  208. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
  209. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
  210. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
  211. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
  212. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
  213. package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
  214. package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
  215. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
  216. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
  217. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
  218. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
  219. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
  220. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
  221. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
  222. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +37 -0
  223. package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
  224. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
  225. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
  226. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
  227. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
  228. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
  229. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
  230. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
  231. package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
  232. package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
  233. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
  234. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
  235. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
  236. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
  237. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
  238. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
  239. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
  240. package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
  241. package/agents/kyverno/README.md +46 -0
  242. package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
  243. package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  244. package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
  245. package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
  246. package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
  247. package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
  248. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  249. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  250. package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
  251. package/agents/oci/README.md +45 -0
  252. package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
  253. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  254. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
  255. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  256. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  257. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  258. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  259. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  260. package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
  261. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +11 -2
  262. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +11 -2
  263. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +10 -1
  264. package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
  265. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
  266. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
  267. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
  268. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
  269. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
  270. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  271. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  272. package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
  273. package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +11 -2
  274. package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +10 -1
  275. package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +10 -1
  276. package/agents/opentelemetry/README.md +37 -0
  277. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
  278. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
  279. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
  280. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
  281. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
  282. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
  283. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
  284. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
  285. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
  286. package/agents/prometheus/README.md +36 -0
  287. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
  288. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
  289. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
  290. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
  291. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
  292. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
  293. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
  294. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
  295. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
  296. package/agents/sigstore/README.md +38 -0
  297. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
  298. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
  299. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
  300. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
  301. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
  302. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
  303. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
  304. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
  305. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
  306. package/agents/terraform/README.md +29 -0
  307. package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
  308. package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
  309. package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
  310. package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
  311. package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
  312. package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
  313. package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
  314. package/agents/terraform/terraform-reviewer/metadata.json +10 -1
  315. package/agents/velero/README.md +41 -0
  316. package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
  317. package/catalog/agents.json +1452 -634
  318. package/catalog/install-roles.json +455 -0
  319. package/catalog/skill-manifest.json +757 -3
  320. package/catalog/skills.json +1298 -528
  321. package/package.json +11 -1
  322. package/scripts/export-marketplace-agents.mjs +100 -9
  323. package/scripts/update-catalog-new-agents.py +88 -0
  324. package/skills/argocd/README.md +30 -0
  325. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +40 -0
  326. package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
  327. package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
  328. package/skills/argocd/argocd-gitops-review/SKILL.md +43 -0
  329. package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
  330. package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
  331. package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
  332. package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
  333. package/skills/aws/README.md +3 -1
  334. package/skills/aws/aws-maestro/references/workflow-and-output.md +2 -0
  335. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +39 -0
  336. package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
  337. package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
  338. package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
  339. package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
  340. package/skills/azure/README.md +3 -1
  341. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +37 -0
  342. package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
  343. package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
  344. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +56 -0
  345. package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
  346. package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
  347. package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
  348. package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
  349. package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
  350. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +39 -0
  351. package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
  352. package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
  353. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +40 -0
  354. package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
  355. package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
  356. package/skills/cilium/README.md +30 -0
  357. package/skills/cilium/cilium-network-policy-review/SKILL.md +43 -0
  358. package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
  359. package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
  360. package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
  361. package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
  362. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +37 -0
  363. package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
  364. package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
  365. package/skills/finops/README.md +30 -0
  366. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +40 -0
  367. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
  368. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
  369. package/skills/istio/README.md +28 -0
  370. package/skills/istio/istio-ambient-mesh-review/SKILL.md +43 -0
  371. package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
  372. package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
  373. package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
  374. package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
  375. package/skills/kubernetes/README.md +30 -0
  376. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +37 -0
  377. package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
  378. package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
  379. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +40 -0
  380. package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
  381. package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
  382. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +57 -0
  383. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
  384. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
  385. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
  386. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
  387. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
  388. package/skills/kubernetes/kubernetes-maestro/SKILL.md +45 -0
  389. package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
  390. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
  391. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
  392. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +43 -0
  393. package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
  394. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
  395. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
  396. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
  397. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +38 -0
  398. package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
  399. package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
  400. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +38 -0
  401. package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
  402. package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
  403. package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
  404. package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
  405. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +43 -0
  406. package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
  407. package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
  408. package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
  409. package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
  410. package/skills/kyverno/README.md +30 -0
  411. package/skills/kyverno/kyverno-policy-review/SKILL.md +43 -0
  412. package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
  413. package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
  414. package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
  415. package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
  416. package/skills/oci/README.md +63 -0
  417. package/skills/oci/oci-certificates-issuer-review/SKILL.md +37 -0
  418. package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
  419. package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
  420. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +57 -0
  421. package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
  422. package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
  423. package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
  424. package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
  425. package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
  426. package/skills/opentelemetry/README.md +31 -0
  427. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +44 -0
  428. package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
  429. package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
  430. package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
  431. package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
  432. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +38 -0
  433. package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
  434. package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
  435. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +39 -0
  436. package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
  437. package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
  438. package/skills/terraform/README.md +29 -0
  439. package/skills/velero/velero-backup-restore-guard/SKILL.md +41 -0
  440. package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
  441. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
  442. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md ADDED
@@ -0,0 +1,69 @@
1
+ # Preflight Commands: OCI Live Network Security Rule Guard
2
+
3
+ Run all of these before adding, modifying, or removing any Security List or NSG rule.
4
+
5
+ ## 1. Confirm active OCI profile and tenancy
6
+
7
+ ```bash
8
+ oci iam region list --output table # confirms CLI auth works
9
+ oci iam tenancy get --tenancy-id $(oci iam user get --user-id $(oci iam user list --query 'data[0].id' --raw-output) --query 'data."compartment-id"' --raw-output) 2>/dev/null || echo "Use: oci iam user list --all"
10
+ ```
11
+
12
+ Simpler identity check:
13
+ ```bash
14
+ oci iam user list --all --query 'data[0].{name:name, description:description}' --output table
15
+ ```
16
+
17
+ ## 2. Capture current Security List rules (CRITICAL — save as rollback baseline)
18
+
19
+ ```bash
20
+ # Get current ingress and egress rules — save this output BEFORE any mutation
21
+ oci network security-list get \
22
+ --security-list-id <SECURITY_LIST_OCID> \
23
+ --query 'data.{"display-name":"display-name", "ingress-security-rules":"ingress-security-rules", "egress-security-rules":"egress-security-rules"}'
24
+ ```
25
+
26
+ ## 3. Capture current NSG rules (CRITICAL — save as rollback baseline)
27
+
28
+ ```bash
29
+ oci network nsg rules list \
30
+ --nsg-id <NSG_OCID> \
31
+ --all \
32
+ --query 'data[].{id:id, direction:direction, protocol:protocol, source:source, destination:destination, "source-type":"source-type", "tcp-options":"tcp-options", "udp-options":"udp-options", stateless:stateless}'
33
+ ```
34
+
35
+ ## 4. List Security Lists in a VCN to identify the target
36
+
37
+ ```bash
38
+ oci network security-list list \
39
+ --compartment-id <COMPARTMENT_OCID> \
40
+ --vcn-id <VCN_OCID> \
41
+ --query 'data[].{"display-name":"display-name", id:id, "lifecycle-state":"lifecycle-state"}'
42
+ ```
43
+
44
+ ## 5. Identify subnets attached to the Security List (blast radius)
45
+
46
+ ```bash
47
+ oci network subnet list \
48
+ --compartment-id <COMPARTMENT_OCID> \
49
+ --vcn-id <VCN_OCID> \
50
+ --query 'data[].{"display-name":"display-name", "cidr-block":"cidr-block", "security-list-ids":"security-list-ids", "prohibit-public-ip-on-vnic":"prohibit-public-ip-on-vnic"}'
51
+ ```
52
+
53
+ `prohibit-public-ip-on-vnic: true` = private subnet. Ingress from 0.0.0.0/0 on a private subnet still allows internal CIDR access — confirm VCN CIDR scope.
54
+
55
+ ## 6. Check if DB System or Autonomous DB is in the affected subnet
56
+
57
+ ```bash
58
+ # List DB systems in compartment
59
+ oci db system list \
60
+ --compartment-id <COMPARTMENT_OCID> \
61
+ --query 'data[].{"display-name":"display-name", "subnet-id":"subnet-id", "lifecycle-state":"lifecycle-state"}'
62
+
63
+ # List Autonomous DBs
64
+ oci db autonomous-database list \
65
+ --compartment-id <COMPARTMENT_OCID> \
66
+ --query 'data[].{"db-name":"db-name", "subnet-id":"subnet-id", "lifecycle-state":"lifecycle-state"}'
67
+ ```
68
+
69
+ If the affected subnet hosts a DB workload, classify the change as **critical** and require explicit DBA approval.
package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md ADDED
@@ -0,0 +1,79 @@
1
+ # Rollback Playbook: OCI Live Network Security Rule Guard
2
+
3
+ OCI Security List and NSG rule changes take effect immediately with no native undo operation. The only rollback path is restoring the previous rule set from a captured baseline. **Capture current rules before every mutation — no exceptions.**
4
+
5
+ ## Pre-mutation capture (mandatory)
6
+
7
+ ```bash
8
+ # Security List — save to file before any change
9
+ oci network security-list get \
10
+ --security-list-id <SECURITY_LIST_OCID> \
11
+ --query 'data.{"ingress-security-rules":"ingress-security-rules","egress-security-rules":"egress-security-rules"}' \
12
+ > securitylist-backup-$(date +%Y%m%d-%H%M%S).json
13
+
14
+ # NSG — save to file before any change
15
+ oci network nsg rules list \
16
+ --nsg-id <NSG_OCID> --all \
17
+ > nsg-backup-$(date +%Y%m%d-%H%M%S).json
18
+ ```
19
+
20
+ ## Restore Security List rules from backup
21
+
22
+ Security List update is a **full replace** — the update command overwrites the entire rule set. Pass the exact previous rules from the backup file.
23
+
24
+ ```bash
25
+ # Restore ingress rules
26
+ INGRESS=$(cat securitylist-backup-<TIMESTAMP>.json | python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps(d['ingress-security-rules']))")
27
+ oci network security-list update \
28
+ --security-list-id <SECURITY_LIST_OCID> \
29
+ --ingress-security-rules "$INGRESS" \
30
+ --force
31
+
32
+ # Restore egress rules (same file, egress key)
33
+ EGRESS=$(cat securitylist-backup-<TIMESTAMP>.json | python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps(d['egress-security-rules']))")
34
+ oci network security-list update \
35
+ --security-list-id <SECURITY_LIST_OCID> \
36
+ --egress-security-rules "$EGRESS" \
37
+ --force
38
+ ```
39
+
40
+ ## Restore NSG rules from backup
41
+
42
+ NSG rule updates require rule IDs. To restore, remove new rules and re-add the old ones.
43
+
44
+ ```bash
45
+ # List current rule IDs to identify added rules
46
+ oci network nsg rules list --nsg-id <NSG_OCID> --all --query 'data[].id'
47
+
48
+ # Remove a specific rule that was incorrectly added
49
+ oci network nsg rules remove \
50
+ --nsg-id <NSG_OCID> \
51
+ --security-rule-ids '["<RULE_ID_TO_REMOVE>"]'
52
+ ```
53
+
54
+ ## Verify restoration
55
+
56
+ ```bash
57
+ # Confirm rules match the backup
58
+ oci network security-list get \
59
+ --security-list-id <SECURITY_LIST_OCID> \
60
+ --query 'data.{"ingress-security-rules":"ingress-security-rules","egress-security-rules":"egress-security-rules"}'
61
+ ```
62
+
63
+ ## Connectivity verification after rollback
64
+
65
+ ```bash
66
+ # Check if affected instance can still reach expected endpoints
67
+ # (Run from inside the VCN or use OCI Network Path Analyzer)
68
+ oci network path-analyzer-test create \
69
+ --compartment-id <COMPARTMENT_OCID> \
70
+ --protocol-parameters '{"type":"TCP","destinationPort":<PORT>}' \
71
+ --source-endpoint '{"type":"COMPUTE_INSTANCE","instanceId":"<INSTANCE_OCID>"}' \
72
+ --destination-endpoint '{"type":"IP_ADDRESS","address":"<DEST_IP>"}'
73
+ ```
74
+
75
+ ## What cannot be rolled back
76
+
77
+ - Traffic that flowed through an incorrectly open rule during the window cannot be recalled.
78
+ - Data exfiltrated or connections established during the exposure window must be investigated separately via VCN Flow Logs.
79
+ - Enable Flow Logs on affected subnets before and after any security rule change for forensic coverage.
package/skills/opentelemetry/README.md ADDED
@@ -0,0 +1,31 @@
1
+ # 🔭 OpenTelemetry Skills
2
+
3
+ <p align="center">
4
+ <!-- 🖼️ Add an OpenTelemetry logo to assets/logos/cnative/opentelemetry/ and update this path -->
5
+ <span style="font-size:3.5em">🔭</span>
6
+ </p>
7
+
8
+ This folder contains OpenTelemetry-focused skills curated for this marketplace.
9
+
10
+ ## Local marketplace portfolio
11
+
12
+ This folder contains **1** local OpenTelemetry skill:
13
+
14
+ - `opentelemetry-collector-config-review`
15
+
16
+ ## Portfolio posture
17
+
18
+ OpenTelemetry skills for evidence-backed observability pipeline review covering the four `OpenTelemetryCollector` deployment modes (`deployment`, `statefulset`, `daemonset`, `sidecar`), the `Instrumentation` CR for auto-instrumentation across Java/Node/Python/.NET/Go, the Target Allocator for distributed Prometheus scraping, and exporter/processor/receiver pipeline correctness.
19
+
20
+ These skills are intentionally conservative:
21
+
22
+ - prefer `kubectl get opentelemetrycollectors,instrumentations -A -o yaml` for live collector state grounding before any review
23
+ - treat **collector pipeline with no exporter** as a critical finding — telemetry is silently dropped at collector boundary
24
+ - treat **removal of `memory_limiter` processor** as a critical finding — collector OOMs and loses spans/metrics
25
+ - challenge tail sampling rule changes — past spans are not re-evaluated, sampling drift is permanent for already-collected windows
26
+ - challenge `Instrumentation` CR removal from a running namespace — auto-instrumented pods stop emitting telemetry on next restart
27
+ - challenge collector `service.pipelines` lacking the `k8sattributes` processor — telemetry loses Kubernetes context (namespace, pod, deployment)
28
+ - challenge TLS `insecure: true` on production exporters — telemetry data flows in plaintext, often containing PII
29
+ - use official OpenTelemetry documentation (opentelemetry.io, opentelemetry-operator) for Collector/Instrumentation CRD syntax, processor pipelines, and Target Allocator semantics
30
+
31
+ Run `npm run validate` after changing cataloged OpenTelemetry skills.
package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md ADDED
@@ -0,0 +1,44 @@
1
+ ---
2
+ name: opentelemetry-collector-config-review
3
+ description: Use this skill for OpenTelemetry Operator review covering OpenTelemetryCollector deployment modes (Deployment, StatefulSet, DaemonSet, Sidecar), Instrumentation CR auto-instrumentation across Java/Node/Python/.NET/Go, Target Allocator for distributed Prometheus scraping, and pipeline correctness across receivers, processors, and exporters. Trigger when the user asks whether a collector configuration will lose telemetry, whether the right deployment mode is used, whether memory_limiter and batch are present, whether tail_sampling is safe to change, or whether auto-instrumentation will cover a workload after restart.
4
+ metadata:
5
+ author: "github: Raishin"
6
+ version: "0.1.0"
7
+ ---
8
+
9
+ # OpenTelemetry Collector Config Review
10
+
11
+ ## Purpose
12
+
13
+ Review OpenTelemetry Operator-managed `OpenTelemetryCollector` and `Instrumentation` resources against pipeline correctness, deployment-mode appropriateness, memory safety, sampling integrity, exporter security, and Kubernetes-attribute enrichment. Telemetry pipelines fail silently — a misconfigured exporter drops every span; a missing `memory_limiter` OOMs the collector; a deleted `Instrumentation` resource stops auto-instrumentation on next pod restart.
14
+
15
+ ## Lean operating rules
16
+
17
+ - Prefer live cluster evidence (`kubectl get opentelemetrycollectors,instrumentations -A -o yaml` plus collector logs and metrics) when the active client exposes it; otherwise fall back to official OpenTelemetry documentation (opentelemetry.io, opentelemetry-operator) and sanitized YAML.
18
+ - Separate confirmed facts from inference. If collector pipeline state, exporter health, or `Instrumentation` propagation was not queried, say so.
19
+ - Treat **a pipeline with no exporter** (or with only `debug` exporter in production) as a critical finding — telemetry is dropped at the collector.
20
+ - Treat **removal of the `memory_limiter` processor** as a critical finding — collector OOMs and loses spans/metrics on burst traffic.
21
+ - Treat **removal of the `k8sattributes` processor** as a high finding — telemetry loses `k8s.namespace.name`, `k8s.pod.name`, `k8s.deployment.name`, and SLO dashboards lose context.
22
+ - Challenge tail sampling rule changes — past spans are not re-evaluated; sampling drift is permanent for already-collected windows.
23
+ - Challenge `Instrumentation` CR removal in a running namespace — auto-instrumented pods stop emitting telemetry after their next restart.
24
+ - Challenge collector exporters with `tls.insecure: true` in production — telemetry data flows in plaintext, often containing PII/PHI.
25
+ - Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
26
+
27
+ ## References
28
+
29
+ Load these only when needed:
30
+
31
+ - [Evidence path and tooling](references/mcp-and-evidence.md) — use when choosing live evidence, confirming Operator version and Collector pipeline state, or switching to documentation mode.
32
+ - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review, applying stress checks per deployment mode, or formatting the final answer.
33
+ - [Official sources](references/official-sources.md) — use when you need the detailed OpenTelemetry documentation list, processor pipeline references, and grounded insights.
34
+
35
+ ## Response minimum
36
+
37
+ Return, at minimum:
38
+
39
+ - the scoped target (`OpenTelemetryCollector` of which mode, `Instrumentation` CR, or pipeline element) and evidence level,
40
+ - the deployment-mode appropriateness (Deployment / StatefulSet / DaemonSet / Sidecar) for the use case,
41
+ - the pipeline correctness (receivers, processors, exporters all present and ordered safely),
42
+ - the failure mode if exporter is unreachable or downstream is full (queue, drop, retry semantics),
43
+ - the safest next actions and rollback plan,
44
+ - the assumptions or blockers that prevent stronger conclusions.
package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json ADDED
@@ -0,0 +1,30 @@
1
+ {
2
+ "id": "opentelemetry-collector-config-review",
3
+ "name": "OpenTelemetry Collector Config Review",
4
+ "type": "skill",
5
+ "provider": "opentelemetry",
6
+ "harnesses": [
7
+ "codex",
8
+ "claude-code",
9
+ "cursor",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Review OpenTelemetry Operator OpenTelemetryCollector and Instrumentation resources for deployment-mode appropriateness, pipeline correctness, memory_limiter and k8sattributes presence, exporter security, and sampling integrity.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://opentelemetry.io/docs/",
18
+ "https://opentelemetry.io/docs/collector/",
19
+ "https://opentelemetry.io/docs/collector/configuration/",
20
+ "https://opentelemetry.io/docs/kubernetes/operator/",
21
+ "https://opentelemetry.io/docs/kubernetes/operator/automatic/",
22
+ "https://opentelemetry.io/docs/kubernetes/operator/target-allocator/",
23
+ "https://github.com/open-telemetry/opentelemetry-operator"
24
+ ],
25
+ "security_notes": "Pipeline with no exporter silently drops telemetry. Missing memory_limiter causes collector OOM under burst. Missing k8sattributes drops Kubernetes context. Tail sampling changes are not retroactive. Removing Instrumentation CR stops auto-instrumentation on next pod restart.",
26
+ "last_verified": "2026-05-01",
27
+ "path": "skills/opentelemetry/opentelemetry-collector-config-review",
28
+ "author": "github: Raishin",
29
+ "version": "0.1.0"
30
+ }
package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md ADDED
@@ -0,0 +1,49 @@
1
+ # Evidence Path and Tooling
2
+
3
+ ## Evidence path
4
+
5
+ 1. Prefer live cluster evidence when a Kubernetes MCP server, `kubectl`, and access to the OpenTelemetry Operator namespace are available.
6
+ 2. Fall back to official OpenTelemetry documentation (opentelemetry.io, opentelemetry-operator GitHub) when live inspection is unavailable.
7
+ 3. Ask only for sanitized `OpenTelemetryCollector` / `Instrumentation` YAML, collector logs, and target backend reachability evidence when current-state proof matters.
8
+ 4. Label conclusions as `live evidence`, `documentation-based`, `sanitized user evidence`, or `inference`.
9
+
10
+ ## Useful live-evidence commands
11
+
12
+ ```shell
13
+ # All Collectors and Instrumentation CRs across the cluster
14
+ kubectl get opentelemetrycollectors,instrumentations -A -o yaml
15
+
16
+ # Detailed Collector status — replicas, mode, generated config map
17
+ kubectl -n <ns> get opentelemetrycollector <name> -o yaml
18
+ kubectl -n <ns> get configmap <collector-name>-collector -o yaml
19
+
20
+ # Operator state
21
+ kubectl -n opentelemetry-operator-system get deploy,svc,validatingwebhookconfiguration
22
+
23
+ # Collector pod logs — confirm pipeline is processing data
24
+ kubectl -n <ns> logs deploy/<collector-name>-collector --tail=200 -f
25
+
26
+ # Collector internal metrics (Prometheus on :8888 by default)
27
+ kubectl -n <ns> port-forward svc/<collector-name>-collector 8888:8888
28
+ curl http://localhost:8888/metrics | grep otelcol_
29
+
30
+ # Auto-instrumentation propagation — which pods received the init container?
31
+ kubectl get pods -A -o jsonpath='{range .items[?(@.metadata.annotations.instrumentation\.opentelemetry\.io/inject-java=="true")]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}'
32
+
33
+ # Verify exporter reachability from within the collector pod
34
+ kubectl -n <ns> exec -it deploy/<collector-name>-collector -- nc -zv <exporter-host> <exporter-port>
35
+ ```
36
+
37
+ ## Operator and Collector state to confirm before review
38
+
39
+ - Operator version (`kubectl -n opentelemetry-operator-system get deploy opentelemetry-operator-controller-manager -o jsonpath='{.spec.template.spec.containers[*].image}'`) — `OpenTelemetryCollector` API has evolved; `v1beta1` is the current stable.
40
+ - Collector image and version — different versions support different receivers/processors/exporters. The contrib distribution has a much wider set than the core distribution.
41
+ - Whether Target Allocator is deployed — required for `mode: statefulset` Prometheus scraping at scale.
42
+ - Whether `Instrumentation` CRs exist and which language images are pinned (Java, Node, Python, .NET, Go) — version drift between auto-instrumentation images and application runtimes is a common silent failure mode.
43
+ - Backend reachability — the actual telemetry destination (vendor SaaS, Tempo, Jaeger, Prometheus remote write, Loki) must accept the collector's data; check from inside the pod.
44
+
45
+ ## Sanitization rules
46
+
47
+ - Never request kubeconfig contents, vendor API keys, OTLP bearer tokens, or backend authentication secrets.
48
+ - Replace identifiable backend hostnames, vendor URLs, and tenant IDs with placeholders unless the user provides them.
49
+ - Do not print the collector's `Authorization` header values; reference them by configuration key only.
package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md ADDED
@@ -0,0 +1,31 @@
1
+ # Official Sources
2
+
3
+ Load these only when needed:
4
+
5
+ - [OpenTelemetry documentation home](https://opentelemetry.io/docs/) — use as the entry point for any OTEL question.
6
+ - [Collector overview](https://opentelemetry.io/docs/collector/) — use for collector architecture, distributions (core vs contrib), and component model.
7
+ - [Collector configuration](https://opentelemetry.io/docs/collector/configuration/) — use for receivers, processors, exporters, extensions, and `service.pipelines` syntax.
8
+ - [Operator overview](https://opentelemetry.io/docs/kubernetes/operator/) — use for `OpenTelemetryCollector` CRD, deployment modes, and Operator behavior.
9
+ - [Operator automatic instrumentation](https://opentelemetry.io/docs/kubernetes/operator/automatic/) — use for `Instrumentation` CR, language-specific init containers, annotation-based pod injection.
10
+ - [Target Allocator](https://opentelemetry.io/docs/kubernetes/operator/target-allocator/) — use for sharding Prometheus scrape jobs across collector replicas.
11
+ - [opentelemetry-operator GitHub](https://github.com/open-telemetry/opentelemetry-operator) — use for CRD source, examples, and recent feature notes.
12
+ - [opentelemetry-collector-contrib processors](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor) — use for `k8sattributes`, `resourcedetection`, `tail_sampling`, `transform`, `filter`, `routing` processor configs.
13
+ - [opentelemetry-collector-contrib receivers](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver) — use for `kubeletstats`, `k8s_cluster`, `prometheus`, `filelog` receiver configs.
14
+ - [opentelemetry-collector-contrib exporters](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter) — use for vendor exporters and queue/retry semantics.
15
+ - [Sampling guide](https://opentelemetry.io/docs/concepts/sampling/) — use when designing tail sampling vs probabilistic sampling vs head sampling.
16
+ - [Semantic conventions for Kubernetes](https://opentelemetry.io/docs/specs/semconv/resource/k8s/) — use for the canonical `k8s.*` attribute names that `k8sattributes` populates.
17
+ - [Collector internal observability](https://opentelemetry.io/docs/collector/internal-telemetry/) — use for `otelcol_*` self-metrics that diagnose collector health.
18
+
19
+ ## Grounded insights worth carrying into the skill
20
+
21
+ - The OpenTelemetry Operator manages `OpenTelemetryCollector` and `Instrumentation` CRs and supports four deployment modes: `deployment`, `statefulset`, `daemonset`, and `sidecar`. Each is appropriate for a different use case and the wrong mode silently produces incomplete or duplicate data.
22
+ - A pipeline with **no exporter** is valid YAML and silently drops every span/metric/log. The collector emits an internal warning at startup but otherwise behaves as if data is being processed.
23
+ - `memory_limiter` is the only protection against OOM under burst load. Without it, the collector consumes memory until the kernel kills the pod and loses everything in flight. It is recommended as the **first processor** in every pipeline.
24
+ - `batch` is recommended **last before exporters** because batching drops in-flight individual signals into batched export calls. Without it, every span is a separate export, which destroys throughput at any meaningful volume.
25
+ - `k8sattributes` enriches signals with Kubernetes object names. Without it, traces and metrics cannot be grouped by namespace/pod/deployment, breaking SLO dashboards and alerting. It requires RBAC: `pods/get,list,watch`, `namespaces/get,list,watch`, `replicasets/get,list,watch`.
26
+ - `tail_sampling` is the most common production sampling mode because it samples on complete trace properties (root span attributes, total duration). The critical caveat: **changes are not retroactive** — already-collected windows do not re-sample, so a sampling change creates a discontinuity in observed trace counts.
27
+ - `Instrumentation` CR removal is invisible to running pods; the next pod restart silently starts without auto-instrumentation. Many silent SLO regressions trace back to an `Instrumentation` CR being removed during a "cleanup".
28
+ - The Target Allocator is required for any `mode: statefulset` Prometheus collector serving more than a handful of scrape targets. Without it, every replica scrapes every target and the data is duplicated.
29
+ - Auto-instrumentation images are pinned per language (Java, Node.js, Python, .NET, Go). When the application's runtime version moves ahead of the instrumentation image, instrumentation can fail to load silently. Treat the auto-instrumentation image versions as a cataloged dependency.
30
+ - The collector exposes its own metrics on `:8888/metrics`. The most useful Prometheus series for diagnosing pipeline health: `otelcol_exporter_send_failed_spans`, `otelcol_processor_dropped_spans`, `otelcol_receiver_refused_spans`, `otelcol_processor_batch_send_size`. Any non-zero value on the failure counters is a finding.
31
+ - The `debug` exporter (formerly `logging` exporter) prints to the collector's stdout and is meant for development. It is a frequent silent failure mode in production when someone replaced a real exporter with `debug` for debugging and forgot to restore it.
package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,155 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Workflow
4
+
5
+ ### Step 1 — Identify the deployment mode
6
+
7
+ `OpenTelemetryCollector` supports four deployment modes, each appropriate for different use cases:
8
+
9
+ 1. **`mode: deployment`** — collector runs as a stateless `Deployment`, multiple replicas. Use for OTLP gateway / aggregation; NOT for hostmetrics.
10
+ 2. **`mode: statefulset`** — ordered, stable identity. Required for Target Allocator (sharding Prometheus scrape jobs across collectors).
11
+ 3. **`mode: daemonset`** — one collector per node. Use for hostmetrics, filelog (node-local logs), and per-node OTLP receiver.
12
+ 4. **`mode: sidecar`** — injected into application pods via annotation `sidecar.opentelemetry.io/inject: <name>`. Use for short-lived workloads or when application cannot reach a cluster-wide collector.
13
+
14
+ Common mismatches that are findings:
15
+
16
+ - `mode: deployment` with `hostmetrics` receiver — only one replica gets host data; data is incomplete.
17
+ - `mode: daemonset` with HTTP receiver bound to `0.0.0.0:4318` — every node opens a port; verify network policy.
18
+ - `mode: statefulset` without Target Allocator — wastes the ordered identity.
19
+ - `mode: sidecar` for high-volume workloads — every pod runs a collector; CPU/memory cost multiplies.
20
+
21
+ Reference: [Operator Modes](https://opentelemetry.io/docs/kubernetes/operator/) and the operator README in [open-telemetry/opentelemetry-operator](https://github.com/open-telemetry/opentelemetry-operator).
22
+
23
+ ### Step 2 — Audit the receivers
24
+
25
+ Receivers ingest telemetry. Common patterns:
26
+
27
+ - **`otlp`** — gRPC (`:4317`) and HTTP (`:4318`). Standard. Verify both protocols are needed; otherwise narrow.
28
+ - **`prometheus`** — scrapes Prometheus endpoints. Pair with Target Allocator at scale.
29
+ - **`hostmetrics`** — node CPU, memory, disk, network. Requires `hostNetwork` or volume mounts (`/hostfs`).
30
+ - **`filelog`** — reads pod/container logs. Requires `/var/log/pods` mount.
31
+ - **`k8s_cluster`** — cluster-level metrics (deployment status, node conditions). Requires RBAC.
32
+ - **`kubeletstats`** — kubelet per-node stats. Requires kubelet TLS configuration.
33
+
34
+ Findings to flag:
35
+
36
+ - `otlp` receiver with `tls.insecure: true` and inbound traffic from untrusted networks — telemetry can be tampered.
37
+ - `prometheus` receiver scraping endpoints with secrets in the response (rare; some vendor exporters do this) — sensitive data flows into the pipeline.
38
+ - `filelog` without a `multiline` config for stack traces — multi-line logs split into single-line entries.
39
+
40
+ ### Step 3 — Audit the processors (the safety net)
41
+
42
+ Processors transform data between receiver and exporter. **Two are essentially mandatory in production**:
43
+
44
+ 1. **`memory_limiter`** — drops data when collector memory exceeds a threshold. Without it, collector OOMs under load and loses everything in flight. Recommended position: **first** in the pipeline.
45
+ 2. **`batch`** — batches data before export. Without it, every span/metric is a separate export call; backend rate limits or network overhead destroy throughput. Recommended position: **last** before export.
46
+
47
+ Other commonly required processors:
48
+
49
+ - **`k8sattributes`** — enriches data with `k8s.namespace.name`, `k8s.pod.name`, `k8s.deployment.name`, `k8s.node.name`. Without it, dashboards and SLOs cannot group by Kubernetes object.
50
+ - **`resource`** — sets static resource attributes (e.g., `cluster.name`, `deployment.environment`).
51
+ - **`resourcedetection`** — auto-detects from environment, system, docker, kubernetes, GCP, AWS, Azure metadata services.
52
+ - **`tail_sampling`** — keeps a sample of complete traces. **Critical caveat: changes are not retroactive — already-collected windows do not get re-sampled.**
53
+ - **`filter`** — drops spans/metrics by attribute. Risk: a typo can drop everything.
54
+ - **`transform`** — modifies attribute values via OTTL. Risk: a bad OTTL expression can corrupt every signal.
55
+ - **`probabilistic_sampler`** — randomly samples a percentage. Simpler than tail sampling but loses correlated traces.
56
+
57
+ Stress-tests:
58
+
59
+ - Pipeline with no `memory_limiter` and high-volume traces — collector OOMs on burst, loses everything.
60
+ - Pipeline with `memory_limiter` placed **after** other processors — those processors run on data that should have been dropped, wasting CPU.
61
+ - Pipeline with `batch` placed **before** `tail_sampling` — sampling decisions are made per-batch, breaking trace coherence.
62
+ - Pipeline with `k8sattributes` `auth_type: serviceAccount` but no RBAC granting `pods/get,list,watch` — enrichment fails silently.
63
+
64
+ Reference: [Collector configuration](https://opentelemetry.io/docs/collector/configuration/) and [Collector processors](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor).
65
+
66
+ ### Step 4 — Audit the exporters
67
+
68
+ Exporters send data to backends. Findings:
69
+
70
+ - **No exporter on a pipeline** — the pipeline silently drops everything. Confirm at least one non-`debug` exporter per pipeline.
71
+ - **Only `debug` exporter** in production — data prints to collector logs and is not sent anywhere. Useful for testing only.
72
+ - **`tls.insecure: true`** on a production exporter — telemetry flows in plaintext. PII/PHI leak path.
73
+ - **Missing `sending_queue`** — exporter blocks the pipeline when backend is slow; backpressure cascades.
74
+ - **`sending_queue.enabled: false`** explicitly — telemetry is lost on any backend hiccup.
75
+ - **`retry_on_failure.enabled: false`** — temporary network failures lose data.
76
+ - **`prometheusremotewrite` exporter without `external_labels`** — multiple collectors write to the same Prometheus, time series collide.
77
+
78
+ Reference: [Exporter configuration patterns](https://opentelemetry.io/docs/collector/configuration/#exporters).
79
+
80
+ ### Step 5 — Audit the `service.pipelines` ordering
81
+
82
+ Three signal pipelines (`traces`, `metrics`, `logs`) compose receivers → processors → exporters. Order in the `processors` list **matters** — it is the execution order.
83
+
84
+ Recommended order for a traces pipeline:
85
+
86
+ ```yaml
87
+ service:
88
+ pipelines:
89
+ traces:
90
+ receivers: [otlp]
91
+ processors:
92
+ - memory_limiter # 1. drop early under pressure
93
+ - resourcedetection # 2. detect environment
94
+ - k8sattributes # 3. enrich with K8s context
95
+ - resource # 4. add static attributes
96
+ - tail_sampling # 5. sample after enrichment
97
+ - batch # 6. batch last
98
+ exporters: [otlp, debug]
99
+ ```
100
+
101
+ Common findings: `batch` not last, `memory_limiter` not first, `k8sattributes` after `tail_sampling` (sampling on un-enriched data, then enriching what survived = wasted).
102
+
103
+ ### Step 6 — Audit the `Instrumentation` CR
104
+
105
+ The `Instrumentation` CR (`opentelemetry.io/v1alpha1`) drives auto-instrumentation. Pods are instrumented when they have one of the annotations: `instrumentation.opentelemetry.io/inject-java`, `inject-nodejs`, `inject-python`, `inject-dotnet`, `inject-go`, or `inject-sdk`.
106
+
107
+ Critical concerns:
108
+
109
+ - **Removing an `Instrumentation` CR while pods reference it** — running pods continue working, but on next restart the init container injection fails, and the pod starts without instrumentation. Telemetry stops silently.
110
+ - **Image tag drift** — auto-instrumentation images are pinned per language. If the application moves to a newer runtime (e.g., Java 21) but the auto-instrumentation image hasn't been updated, instrumentation may not load.
111
+ - **`exporter.endpoint` pointing to a collector that no longer exists** — telemetry calls fail; application logs may show OTLP export errors.
112
+ - **`sampler.type: parentbased_traceidratio` with `argument: "0.0"`** — samples nothing.
113
+ - **Missing `propagators`** — distributed traces don't link across services.
114
+ - **`resource.resourceAttributes.deployment.environment` not set** — every environment looks the same in dashboards.
115
+
116
+ Reference: [Operator auto-instrumentation](https://opentelemetry.io/docs/kubernetes/operator/automatic/).
117
+
118
+ ### Step 7 — Audit the Target Allocator (StatefulSet mode)
119
+
120
+ When `targetAllocator.enabled: true`, Prometheus scrape jobs are sharded across the StatefulSet replicas. Findings:
121
+
122
+ - `targetAllocator.allocationStrategy: least-weighted` (default) is good for even distribution; `consistent-hashing` is better for re-shard stability.
123
+ - `targetAllocator.prometheusCR.enabled: true` requires `ServiceMonitor`/`PodMonitor` selectors. An empty selector matches everything; a too-narrow selector matches nothing.
124
+ - Missing RBAC for the Target Allocator — it cannot list ServiceMonitors and silently scrapes nothing.
125
+
126
+ Reference: [Target Allocator](https://opentelemetry.io/docs/kubernetes/operator/target-allocator/).
127
+
128
+ ### Step 8 — Stress-test operational hygiene
129
+
130
+ - Prefer `v1beta1` `OpenTelemetryCollector` over `v1alpha1` — current stable.
131
+ - Prefer named pipelines that match the source data shape (`traces/api`, `metrics/host`, `logs/app`) when one collector handles multiple streams.
132
+ - Prefer `debug` exporter only in non-production.
133
+ - Prefer `OTEL_RESOURCE_ATTRIBUTES` env propagation in `Instrumentation` over hardcoded values — makes the CR portable across environments.
134
+ - Test pipeline changes by sending synthetic OTLP and watching the collector's `otelcol_` self-metrics — `otelcol_exporter_send_failed_spans` should be zero.
135
+
136
+ ## Output
137
+
138
+ Return:
139
+
140
+ - **target**: which `OpenTelemetryCollector` (and mode) or `Instrumentation` CR,
141
+ - **evidence level**: `live evidence` / `documentation-based` / `sanitized user evidence` / `inference`,
142
+ - **deployment-mode appropriateness** for the use case,
143
+ - **pipeline correctness**: receivers, processors (with explicit `memory_limiter` and `batch` audit), exporters,
144
+ - **failure mode**: what happens when backend is unreachable or backed up,
145
+ - **risk findings** (with severity: high / medium / low),
146
+ - **safest next actions** with sample manifest changes and self-metric expectations,
147
+ - **rollback plan**: how to revert without losing the in-flight buffer,
148
+ - **assumptions and missing facts**.
149
+
150
+ ## Security notes
151
+
152
+ - Never recommend removing `memory_limiter` from a production pipeline.
153
+ - Never recommend `tls.insecure: true` on a production exporter shipping data outside the cluster.
154
+ - Never recommend deleting an `Instrumentation` CR without first confirming no running deployments reference it via annotation.
155
+ - Do not print collector authentication tokens or vendor API keys; reference them by configuration key only.
package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md ADDED
@@ -0,0 +1,38 @@
1
+ ---
2
+ name: prometheus-alerting-cardinality-review
3
+ description: Use this skill when reviewing Prometheus or AlertManager configuration for cardinality, alerting correctness, scrape security, remote_write safety, or retention adequacy. Trigger when a user provides prometheus.yml, alertmanager.yml, recording rules YAML, alerting rules YAML, or asks whether their Prometheus setup is production-ready.
4
+ metadata:
5
+ author: "github: Raishin"
6
+ version: "0.1.0"
7
+ ---
8
+
9
+ # Prometheus Alerting and Cardinality Review
10
+
11
+ ## Purpose
12
+ This skill reviews Prometheus and AlertManager configuration for cardinality explosion risks, recording rule adequacy, alert expression correctness, routing tree safety, scrape configuration security, and retention posture. Cardinality explosion is the leading cause of Prometheus OOM crashes in production, and flapping alerts from missing `for:` durations erode on-call trust faster than any other alerting defect.
13
+
14
+ ## Lean operating rules
15
+ - Flag any label dimension that is unbounded at the application level (e.g., `user_id`, `request_id`, `session_id`, `url_path`, `pod_hash`) — these cause cardinality explosion and must be moved off the label set or aggregated away.
16
+ - Treat `prometheus_tsdb_head_series` exceeding 5 million as a cardinality warning threshold; note it if the user reports series counts or if the config makes it likely.
17
+ - Treat any alert rule with `for: 0m`, `for: 0s`, or no `for:` field as HIGH — bare threshold alerts flap on every scrape jitter.
18
+ - Treat `honor_labels: true` on any scrape target that is not a trusted federation endpoint as HIGH — it allows the scraped workload to override `job` and `instance` labels.
19
+ - Treat any scrape config with a non-cluster HTTP scheme (`http://external-host`) as a potential SSRF candidate and flag it.
20
+ - Recording rules are required for any PromQL expression used in dashboards or SLO burn-rate calculations; flag their absence as MEDIUM.
21
+ - Multi-window multi-burn-rate (MWMB) alerting is the correct pattern for SLO breach detection; flag single-window SLO alerts as MEDIUM.
22
+ - Flag `remote_write` configs where `write_relabel_configs` drop non-`__` metric labels — data loss is silent.
23
+ - Flag retention under 30 days with no `remote_write` or Thanos/Cortex integration as MEDIUM compliance risk.
24
+ - Do not recommend disabling any existing alert or recording rule without stating the specific reason and risk trade-off.
25
+
26
+ ## References
27
+ Load these only when needed:
28
+ - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review or formatting the final answer.
29
+
30
+ ## Response minimum
31
+ Return, at minimum:
32
+ - Cardinality risk assessment (label audit findings)
33
+ - Alert expression correctness findings (for: duration, absent() misuse, MWMB posture)
34
+ - AlertManager routing and inhibition findings
35
+ - Scrape config security findings
36
+ - Retention and remote_write findings
37
+ - Severity-labelled finding list (critical / high / medium / low)
38
+ - Safe next actions
package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json ADDED
@@ -0,0 +1,22 @@
1
+ {
2
+ "id": "prometheus-alerting-cardinality-review",
3
+ "name": "Prometheus Alerting and Cardinality Review",
4
+ "type": "skill",
5
+ "provider": "prometheus",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review Prometheus and AlertManager configuration for cardinality explosion, recording rules, alert expression correctness, routing, scrape security, and retention.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://prometheus.io/docs/prometheus/latest/querying/basics/",
11
+ "https://prometheus.io/docs/practices/naming/",
12
+ "https://prometheus.io/docs/practices/alerting/",
13
+ "https://prometheus.io/docs/alerting/latest/alertmanager/",
14
+ "https://prometheus.io/docs/prometheus/latest/storage/",
15
+ "https://prometheus.io/docs/practices/remote_write/"
16
+ ],
17
+ "security_notes": "honor_labels: true on untrusted scrape targets allows the scraped workload to override job/instance labels, enabling metric spoofing. Scrape configs pointing to external HTTP endpoints are SSRF candidates.",
18
+ "last_verified": "2026-05-02",
19
+ "path": "skills/prometheus/prometheus-alerting-cardinality-review",
20
+ "author": "github: Raishin",
21
+ "version": "0.1.0"
22
+ }