@raishin/vanguard-frontier-agentic 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (442) hide show
  1. package/README.md +231 -113
  2. package/agents/AGENTS.md +263 -21
  3. package/agents/argocd/README.md +46 -0
  4. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
  5. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
  6. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
  7. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
  8. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
  9. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
  10. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
  11. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
  12. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
  13. package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
  14. package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
  15. package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
  16. package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
  17. package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
  18. package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
  19. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
  20. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
  21. package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
  22. package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
  23. package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
  24. package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
  25. package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
  26. package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
  27. package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
  28. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  29. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
  30. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  31. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  32. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  33. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  34. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  35. package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
  36. package/agents/azure/README.md +45 -0
  37. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
  38. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  39. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
  40. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  41. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  42. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  43. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  44. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  45. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
  46. package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +10 -1
  47. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +10 -1
  48. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +10 -1
  49. package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +10 -1
  50. package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
  51. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
  52. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
  53. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
  54. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
  55. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
  56. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  57. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  58. package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
  59. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +10 -1
  60. package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +11 -2
  61. package/agents/backstage/README.md +36 -0
  62. package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
  63. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
  64. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
  65. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
  66. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
  67. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
  68. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
  69. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
  70. package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
  71. package/agents/cert-manager/README.md +46 -0
  72. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
  73. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
  74. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
  75. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
  76. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
  77. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
  78. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
  79. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
  80. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
  81. package/agents/cilium/README.md +46 -0
  82. package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
  83. package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  84. package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
  85. package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
  86. package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
  87. package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
  88. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  89. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  90. package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
  91. package/agents/falco/README.md +36 -0
  92. package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
  93. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
  94. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
  95. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
  96. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
  97. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
  98. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
  99. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
  100. package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
  101. package/agents/finops/README.md +27 -0
  102. package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +10 -1
  103. package/agents/fluxcd/README.md +39 -0
  104. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
  105. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
  106. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
  107. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
  108. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
  109. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
  110. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
  111. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
  112. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
  113. package/agents/istio/README.md +46 -0
  114. package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
  115. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
  116. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
  117. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
  118. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
  119. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
  120. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
  122. package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
  123. package/agents/kubernetes/README.md +143 -0
  124. package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
  125. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
  126. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
  127. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
  128. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
  129. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
  130. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
  131. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
  132. package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
  133. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
  134. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
  135. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
  136. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
  137. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
  138. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
  139. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
  140. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
  141. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
  142. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
  143. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  144. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
  145. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  146. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  147. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  148. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  149. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  150. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +36 -0
  151. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
  152. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
  153. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
  154. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
  155. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
  156. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
  157. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  158. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  159. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +36 -0
  160. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
  161. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  162. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
  163. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  164. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  165. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  166. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  167. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  168. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +36 -0
  169. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
  170. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  171. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
  172. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  173. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  174. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  175. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  176. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  177. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +36 -0
  178. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
  179. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
  180. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
  181. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
  182. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
  183. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
  184. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  185. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  186. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
  187. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
  188. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
  189. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
  190. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
  191. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
  192. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
  193. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  194. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
  195. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +37 -0
  196. package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
  197. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
  198. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
  199. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
  200. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
  201. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
  202. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  203. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  204. package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
  205. package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
  206. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
  207. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
  208. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
  209. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
  210. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
  211. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
  212. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
  213. package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
  214. package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
  215. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
  216. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
  217. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
  218. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
  219. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
  220. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
  221. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
  222. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +37 -0
  223. package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
  224. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
  225. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
  226. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
  227. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
  228. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
  229. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
  230. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
  231. package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
  232. package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
  233. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
  234. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
  235. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
  236. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
  237. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
  238. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
  239. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
  240. package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
  241. package/agents/kyverno/README.md +46 -0
  242. package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
  243. package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  244. package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
  245. package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
  246. package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
  247. package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
  248. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  249. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  250. package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
  251. package/agents/oci/README.md +45 -0
  252. package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
  253. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  254. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
  255. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  256. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  257. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  258. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  259. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  260. package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
  261. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +11 -2
  262. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +11 -2
  263. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +10 -1
  264. package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
  265. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
  266. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
  267. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
  268. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
  269. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
  270. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  271. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  272. package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
  273. package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +11 -2
  274. package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +10 -1
  275. package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +10 -1
  276. package/agents/opentelemetry/README.md +37 -0
  277. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
  278. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
  279. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
  280. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
  281. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
  282. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
  283. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
  284. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
  285. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
  286. package/agents/prometheus/README.md +36 -0
  287. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
  288. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
  289. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
  290. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
  291. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
  292. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
  293. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
  294. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
  295. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
  296. package/agents/sigstore/README.md +38 -0
  297. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
  298. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
  299. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
  300. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
  301. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
  302. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
  303. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
  304. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
  305. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
  306. package/agents/terraform/README.md +29 -0
  307. package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
  308. package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
  309. package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
  310. package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
  311. package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
  312. package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
  313. package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
  314. package/agents/terraform/terraform-reviewer/metadata.json +10 -1
  315. package/agents/velero/README.md +41 -0
  316. package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
  317. package/catalog/agents.json +1452 -634
  318. package/catalog/install-roles.json +455 -0
  319. package/catalog/skill-manifest.json +757 -3
  320. package/catalog/skills.json +1298 -528
  321. package/package.json +11 -1
  322. package/scripts/export-marketplace-agents.mjs +100 -9
  323. package/scripts/update-catalog-new-agents.py +88 -0
  324. package/skills/argocd/README.md +30 -0
  325. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +40 -0
  326. package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
  327. package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
  328. package/skills/argocd/argocd-gitops-review/SKILL.md +43 -0
  329. package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
  330. package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
  331. package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
  332. package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
  333. package/skills/aws/README.md +3 -1
  334. package/skills/aws/aws-maestro/references/workflow-and-output.md +2 -0
  335. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +39 -0
  336. package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
  337. package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
  338. package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
  339. package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
  340. package/skills/azure/README.md +3 -1
  341. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +37 -0
  342. package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
  343. package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
  344. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +56 -0
  345. package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
  346. package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
  347. package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
  348. package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
  349. package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
  350. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +39 -0
  351. package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
  352. package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
  353. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +40 -0
  354. package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
  355. package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
  356. package/skills/cilium/README.md +30 -0
  357. package/skills/cilium/cilium-network-policy-review/SKILL.md +43 -0
  358. package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
  359. package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
  360. package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
  361. package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
  362. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +37 -0
  363. package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
  364. package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
  365. package/skills/finops/README.md +30 -0
  366. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +40 -0
  367. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
  368. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
  369. package/skills/istio/README.md +28 -0
  370. package/skills/istio/istio-ambient-mesh-review/SKILL.md +43 -0
  371. package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
  372. package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
  373. package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
  374. package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
  375. package/skills/kubernetes/README.md +30 -0
  376. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +37 -0
  377. package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
  378. package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
  379. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +40 -0
  380. package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
  381. package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
  382. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +57 -0
  383. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
  384. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
  385. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
  386. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
  387. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
  388. package/skills/kubernetes/kubernetes-maestro/SKILL.md +45 -0
  389. package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
  390. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
  391. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
  392. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +43 -0
  393. package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
  394. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
  395. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
  396. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
  397. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +38 -0
  398. package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
  399. package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
  400. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +38 -0
  401. package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
  402. package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
  403. package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
  404. package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
  405. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +43 -0
  406. package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
  407. package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
  408. package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
  409. package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
  410. package/skills/kyverno/README.md +30 -0
  411. package/skills/kyverno/kyverno-policy-review/SKILL.md +43 -0
  412. package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
  413. package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
  414. package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
  415. package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
  416. package/skills/oci/README.md +63 -0
  417. package/skills/oci/oci-certificates-issuer-review/SKILL.md +37 -0
  418. package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
  419. package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
  420. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +57 -0
  421. package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
  422. package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
  423. package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
  424. package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
  425. package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
  426. package/skills/opentelemetry/README.md +31 -0
  427. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +44 -0
  428. package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
  429. package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
  430. package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
  431. package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
  432. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +38 -0
  433. package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
  434. package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
  435. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +39 -0
  436. package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
  437. package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
  438. package/skills/terraform/README.md +29 -0
  439. package/skills/velero/velero-backup-restore-guard/SKILL.md +41 -0
  440. package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
  441. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
  442. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,221 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Workflow
4
+
5
+ ### Step 1 — Collect inputs
6
+
7
+ Ask the user to provide one or more of the following as sanitized YAML snippets (no real endpoints, no auth tokens):
8
+ - `prometheus.yml` (global, scrape_configs, rule_files, remote_write, alerting)
9
+ - Alerting rules YAML (`groups[].rules[]` with `alert:`, `expr:`, `for:`, `labels:`, `annotations:`)
10
+ - Recording rules YAML (`groups[].rules[]` with `record:`, `expr:`)
11
+ - `alertmanager.yml` (route, inhibit_rules, receivers)
12
+ - Optional: current `prometheus_tsdb_head_series` metric value or approximate series count
13
+
14
+ If the user provides only a partial config, note which sections are absent and limit findings to the provided scope.
15
+
16
+ ### Step 2 — Cardinality audit
17
+
18
+ Scan every `scrape_configs` job and every metric label dimension referenced in alerting and recording rules.
19
+
20
+ Check for:
21
+ - Labels sourced from high-cardinality application dimensions:
22
+ - `user_id`, `request_id`, `session_id`, `transaction_id`, `trace_id`
23
+ - `url_path`, `uri`, `endpoint` (unless aggressively normalized)
24
+ - `pod` or `container` labels used as primary grouping in `sum by()` without aggregation
25
+ - Use of `__` internal labels in user-facing metric names
26
+
27
+ Example cardinality risk:
28
+ ```yaml
29
+ # HIGH — request_id is unbounded; this creates one series per request
30
+ http_requests_total{method="GET", path="/api/v1/items", request_id="abc-123"} 1
31
+ ```
32
+
33
+ Correct pattern:
34
+ ```yaml
35
+ # CORRECT — drop high-cardinality label before exposition
36
+ http_requests_total{method="GET", path="/api/v1/items"} 1
37
+ ```
38
+
39
+ Note the `prometheus_tsdb_head_series` threshold: above 5 million series, TSDB memory pressure becomes significant. Above 10 million, OOM risk is high without explicit memory tuning (`--storage.tsdb.max-block-duration`, chunk encoding).
40
+
41
+ ### Step 3 — Recording rules audit
42
+
43
+ Check whether recording rules exist for:
44
+ - SLO error-rate expressions that appear in alerting rules
45
+ - High-cardinality aggregation queries used in Grafana dashboards
46
+ - Any `rate()` or `increase()` expression over a window longer than 5 minutes that is queried at sub-minute dashboard refresh
47
+
48
+ Flag absence of recording rules for any expression that appears more than once across rules files as MEDIUM.
49
+
50
+ Example correct recording rule:
51
+ ```yaml
52
+ groups:
53
+ - name: slo_recordings
54
+ rules:
55
+ - record: job:http_requests_total:rate5m
56
+ expr: sum(rate(http_requests_total[5m])) by (job)
57
+ ```
58
+
59
+ ### Step 4 — Alert expression correctness audit
60
+
61
+ For every `alert:` rule, check:
62
+
63
+ **4a. `for:` duration**
64
+ - Missing `for:` or `for: 0m` → HIGH (bare threshold, flapping)
65
+ - `for:` less than two scrape intervals → flag as LOW (alert may still flap)
66
+ - Recommended minimum: `for: 5m` for infrastructure alerts, `for: 1m` for latency SLOs
67
+
68
+ ```yaml
69
+ # HIGH — missing for:
70
+ - alert: HighErrorRate
71
+ expr: rate(http_errors_total[5m]) > 0.05
72
+
73
+ # CORRECT
74
+ - alert: HighErrorRate
75
+ expr: rate(http_errors_total[5m]) > 0.05
76
+ for: 5m
77
+ ```
78
+
79
+ **4b. `absent()` usage**
80
+ - `absent(some_metric)` fires if `some_metric` was never scraped — review whether the metric is always expected to exist
81
+ - If the metric only appears when the condition is active (e.g., an error counter), `absent()` fires in the absence of errors, which is a false positive
82
+
83
+ **4c. SLO alerting pattern**
84
+ - MWMB (multi-window multi-burn-rate) is the Google SRE-recommended SLO alerting pattern
85
+ - Single-window SLO alerts miss slow burns → MEDIUM finding
86
+
87
+ Example MWMB pattern:
88
+ ```yaml
89
+ # MWMB — fast burn (1h + 5m windows) and slow burn (6h + 30m windows)
90
+ - alert: SLOFastBurn
91
+ expr: >
92
+ (
93
+ job:slo_error_rate:rate1h > (14.4 * 0.001)
94
+ and
95
+ job:slo_error_rate:rate5m > (14.4 * 0.001)
96
+ )
97
+ for: 1m
98
+ labels:
99
+ severity: page
100
+ ```
101
+
102
+ ### Step 5 — AlertManager routing audit
103
+
104
+ Parse the `route:` tree and check:
105
+
106
+ **5a. Duplicate alert routing**
107
+ - Routes that lack `continue: false` on a catch-all receiver may send alerts to multiple receivers unexpectedly
108
+ - Verify whether `continue: true` on intermediate routes is intentional
109
+
110
+ **5b. Inhibition rules**
111
+ - `inhibit_rules[].source_matchers` and `target_matchers` must reference labels that actually appear on alerts
112
+ - Overly broad inhibition (e.g., `source_matchers: [severity="critical"]` without namespace scope) can suppress alerts across unrelated services
113
+
114
+ Example inhibition rule review:
115
+ ```yaml
116
+ # RISKY — inhibits all warnings when any critical fires, across all namespaces
117
+ inhibit_rules:
118
+ - source_matchers: [severity="critical"]
119
+ target_matchers: [severity="warning"]
120
+ equal: [alertname]
121
+ ```
122
+
123
+ **5c. Receiver configuration**
124
+ - Slack/PagerDuty receivers must have `api_url` or `routing_key` from environment variables or Kubernetes secrets — never hardcoded in the YAML
125
+ - Check for hardcoded webhook URLs or tokens as a CRITICAL security finding
126
+
127
+ ### Step 6 — Scrape config security audit
128
+
129
+ For every `scrape_configs` entry check:
130
+
131
+ **6a. `honor_labels`**
132
+ ```yaml
133
+ # HIGH — untrusted workload can override job/instance labels
134
+ scrape_configs:
135
+ - job_name: user-app
136
+ honor_labels: true
137
+ ```
138
+ Only `honor_labels: true` on trusted federation endpoints is acceptable.
139
+
140
+ **6b. External HTTP targets**
141
+ - Any target with a scheme pointing outside the cluster (e.g., `http://api.external.com`) is an SSRF candidate
142
+ - Flag all non-cluster targets for review
143
+
144
+ **6c. `job_name` uniqueness**
145
+ - Duplicate `job_name` values cause target label collisions — flag as HIGH
146
+
147
+ ### Step 7 — remote_write and retention audit
148
+
149
+ **7a. remote_write queue memory**
150
+ ```yaml
151
+ remote_write:
152
+ - url: https://metrics.example.com/api/v1/write
153
+ queue_config:
154
+ capacity: 100000 # HIGH memory if series count is large
155
+ max_samples_per_send: 10000
156
+ ```
157
+ Flag `capacity` values above 10,000 combined with high series counts as a memory risk.
158
+
159
+ **7b. write_relabel_configs label drops**
160
+ ```yaml
161
+ # MEDIUM — silently drops 'region' label before remote_write; data loss
162
+ write_relabel_configs:
163
+ - source_labels: [region]
164
+ action: labeldrop
165
+ ```
166
+ Flag any `labeldrop` or `labelmap` action that targets non-`__` labels without explicit justification.
167
+
168
+ **7c. Retention**
169
+ - Default Prometheus retention is 15 days (`--storage.tsdb.retention.time=15d`)
170
+ - No remote_write + retention < 30d → MEDIUM (compliance gap for most regulated environments)
171
+ - Recommend Thanos, Cortex, or Grafana Mimir for long-term storage
172
+
173
+ ### Step 8 — Produce the output
174
+
175
+ Format findings using the Output section below.
176
+
177
+ ---
178
+
179
+ ## Output
180
+
181
+ Return findings in this structure:
182
+
183
+ ```
184
+ ## Verdict
185
+ <one sentence summary: pass / needs work / critical issues found>
186
+
187
+ ## Evidence level
188
+ <live evidence | user-provided sanitized config | documentation-based | inference>
189
+
190
+ ## Findings
191
+
192
+ ### CRITICAL
193
+ - [C1] <finding title>: <description> — <remediation>
194
+
195
+ ### HIGH
196
+ - [H1] <finding title>: <description> — <remediation>
197
+
198
+ ### MEDIUM
199
+ - [M1] <finding title>: <description> — <remediation>
200
+
201
+ ### LOW
202
+ - [L1] <finding title>: <description> — <remediation>
203
+
204
+ ## Safe next actions
205
+ 1. <action>
206
+ 2. <action>
207
+ ...
208
+
209
+ ## Open questions
210
+ - <question requiring user clarification>
211
+ ```
212
+
213
+ ---
214
+
215
+ ## Security notes
216
+
217
+ - Never recommend setting `honor_labels: true` on any scrape target unless the user explicitly confirms it is a trusted Prometheus federation endpoint.
218
+ - Treat hardcoded webhook URLs, API keys, or tokens in `alertmanager.yml` receivers as CRITICAL — they must be moved to Kubernetes Secrets or environment variable references.
219
+ - Do not recommend disabling scrape TLS verification (`tls_config.insecure_skip_verify: true`) without flagging it as a security regression.
220
+ - Treat any recording rule or alert rule that references a metric with unbounded label cardinality as HIGH, even if the immediate symptom (OOM) has not yet occurred.
221
+ - Flag the absence of alerting on `prometheus_tsdb_head_series` itself — teams often have no alert for their own Prometheus health.
package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md ADDED
@@ -0,0 +1,39 @@
1
+ ---
2
+ name: sigstore-cosign-supply-chain-review
3
+ description: Use this skill when reviewing Sigstore Cosign supply chain security for Kubernetes workloads. Trigger when the user asks whether images are properly signed, whether Kyverno imageVerify policy is correctly scoped, whether SLSA provenance attestations exist, whether SBOM attestations are present, whether keyless signing is in use, or whether Rekor transparency log posture is appropriate for private images.
4
+ metadata:
5
+ author: "github: Raishin"
6
+ version: "0.1.0"
7
+ ---
8
+
9
+ # Sigstore Cosign Supply Chain Review
10
+
11
+ ## Purpose
12
+
13
+ Review Cosign image signing verification, Kyverno imageVerify admission policy, SBOM and SLSA provenance attestations, Rekor transparency log posture, and keyless vs key-based signing configuration against supply chain integrity, SLSA level claims, and Kubernetes admission-time enforcement. Sigstore's security model depends entirely on the identity constraints baked into admission policy — an imageVerify rule with no issuer or subject constraint is functionally equivalent to no verification at all.
14
+
15
+ ## Lean operating rules
16
+
17
+ - Prefer live evidence (`cosign verify`, `kubectl get clusterpolicies`, `cosign verify-attestation`) when the active client exposes it; otherwise fall back to official Sigstore documentation and sanitized YAML from the user.
18
+ - Separate confirmed facts from inference. If Kyverno policy state, Rekor log inclusion, or provenance attestation presence was not directly queried, say so.
19
+ - Treat a Kyverno imageVerify policy missing both `issuer` and `subject` constraints as a critical finding — any Sigstore-signed image from any identity passes.
20
+ - Treat `exclude` rules in imageVerify that match broad glob patterns (`*` or `registry.io/*`) as a high finding — third-party images bypass verification.
21
+ - Treat SLSA L2+ claimed but no SLSA provenance attestation verifiable via `slsa-verifier` as a high finding.
22
+ - Treat long-lived Cosign keypairs stored as CI secrets as a high finding — keyless OIDC Workload Identity is the preferred pattern.
23
+ - Treat `COSIGN_NO_TLOG=1` on non-private-Rekor setups as a medium finding — public transparency is disabled without a private transparency alternative.
24
+ - Keep the answer scoped, evidence-labeled, and explicit about what was not queried.
25
+
26
+ ## References
27
+
28
+ Load these only when needed:
29
+ - [Workflow and output contract](references/workflow-and-output.md)
30
+
31
+ ## Response minimum
32
+
33
+ Return, at minimum:
34
+ - the scoped target (image, imageVerify policy, CI pipeline signing step, or SLSA level claim) and evidence level,
35
+ - the signing identity (keyless OIDC via Fulcio, long-lived key, or unverified),
36
+ - the admission enforcement posture (Kyverno imageVerify, policy-controller, or none),
37
+ - the attestation inventory (SBOM present/absent, SLSA provenance present/absent),
38
+ - the Rekor transparency posture (public log, private log, or disabled),
39
+ - the safest next actions and any assumptions or blockers.
package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json ADDED
@@ -0,0 +1,22 @@
1
+ {
2
+ "id": "sigstore-cosign-supply-chain-review",
3
+ "name": "Sigstore Cosign Supply Chain Review",
4
+ "type": "skill",
5
+ "provider": "sigstore",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review Sigstore Cosign image signing, Kyverno imageVerify policy, SBOM attestations, SLSA provenance, Rekor transparency log posture, and keyless vs key-based signing configuration for Kubernetes workload supply chain security.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://docs.sigstore.dev/cosign/overview/",
11
+ "https://docs.sigstore.dev/policy-controller/overview/",
12
+ "https://slsa.dev/spec/v1.0/requirements",
13
+ "https://kyverno.io/docs/writing-policies/verify-images/",
14
+ "https://docs.github.com/en/actions/security-guides/using-artifact-attestations",
15
+ "https://rekor.sigstore.dev/"
16
+ ],
17
+ "security_notes": "Kyverno imageVerify policy without subject/issuer constraints accepts any Sigstore-signed image regardless of signer identity. Long-lived Cosign keys in CI secrets allow retroactive signing of malicious images if the secret is compromised.",
18
+ "last_verified": "2026-05-02",
19
+ "path": "skills/sigstore/sigstore-cosign-supply-chain-review",
20
+ "author": "github: Raishin",
21
+ "version": "0.1.0"
22
+ }
package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,196 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Workflow
4
+
5
+ ### Step 1 — Identify the scope and collect raw evidence
6
+
7
+ 1. Confirm the review target: a specific container image, a Kyverno ClusterPolicy/Policy, a CI pipeline signing step, or a SLSA level claim.
8
+ 2. For image signing evidence, run:
9
+ ```bash
10
+ cosign verify \
11
+ --certificate-identity-regexp "https://github.com/<org>/<repo>/.github/workflows/" \
12
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
13
+ <registry>/<image>:<tag>
14
+ ```
15
+ A successful exit means a valid keyless signature exists for that identity + issuer pair. An exit code 1 means no matching signature.
16
+ 3. For Kyverno admission policy evidence, run:
17
+ ```bash
18
+ kubectl get clusterpolicy,policy -A -o yaml | grep -A 30 "verifyImages"
19
+ ```
20
+ Collect every `verifyImages` block. Note whether `attestors.entries.keyless.subject` and `attestors.entries.keyless.issuer` are set.
21
+ 4. If Cosign policy-controller is in use instead of Kyverno, collect:
22
+ ```bash
23
+ kubectl get clusterimagepolicy -o yaml
24
+ ```
25
+ Inspect `spec.authorities[].keyless.identities[].issuer` and `.subject` fields.
26
+
27
+ ### Step 2 — Audit the imageVerify / ClusterImagePolicy identity constraints
28
+
29
+ The most critical control is whether the admission policy constrains **who** signed the image, not just **that** it was signed.
30
+
31
+ Check each policy rule for:
32
+
33
+ 1. **`issuer`** — the OIDC token issuer (e.g., `https://token.actions.githubusercontent.com` for GitHub Actions). Without this, any OIDC provider's identity can satisfy the check.
34
+ 2. **`subject`** — the specific identity within the issuer (e.g., `https://github.com/org/repo/.github/workflows/release.yml@refs/heads/main`). Without this, any identity at that issuer passes.
35
+ 3. **`glob` vs exact match** — subject globs like `https://github.com/org/*` allow any workflow in the org to satisfy the check.
36
+
37
+ Example of a correctly scoped Kyverno imageVerify rule:
38
+ ```yaml
39
+ verifyImages:
40
+ - imageReferences:
41
+ - "registry.internal.company.com/*"
42
+ attestors:
43
+ - entries:
44
+ - keyless:
45
+ subject: "https://github.com/org/repo/.github/workflows/release.yml@refs/heads/main"
46
+ issuer: "https://token.actions.githubusercontent.com"
47
+ rekor:
48
+ url: https://rekor.sigstore.dev
49
+ ```
50
+
51
+ Flag as **CRITICAL** if both `subject` and `issuer` are absent — the policy accepts any Sigstore-signed image regardless of signer.
52
+
53
+ Flag as **HIGH** if `issuer` is set but `subject` is absent — any identity at that issuer passes (e.g., any GitHub Actions workflow anywhere on GitHub).
54
+
55
+ ### Step 3 — Audit `exclude` rules and policy coverage
56
+
57
+ 1. List all `exclude` blocks in every imageVerify policy:
58
+ ```bash
59
+ kubectl get clusterpolicy -o yaml | grep -A 10 "exclude"
60
+ ```
61
+ 2. Flag as **HIGH** any exclude that matches:
62
+ - A broad registry glob (`docker.io/*`, `*`)
63
+ - A namespace containing workloads with access to sensitive data
64
+ 3. Confirm whether ALL namespace-resident Deployments, StatefulSets, DaemonSets, and Jobs are subject to the policy. Kyverno policies with no `matchResources.namespaceSelector` apply cluster-wide — verify this is intentional.
65
+
66
+ Example of a dangerous broad exclusion:
67
+ ```yaml
68
+ exclude:
69
+ resources:
70
+ images:
71
+ - "docker.io/*" # All Docker Hub images skip verification
72
+ ```
73
+
74
+ ### Step 4 — Audit SLSA provenance attestations
75
+
76
+ 1. Check whether a SLSA provenance attestation exists:
77
+ ```bash
78
+ cosign verify-attestation \
79
+ --type slsaprovenance \
80
+ --certificate-identity-regexp "https://github.com/<org>/<repo>/" \
81
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
82
+ <registry>/<image>:<tag>
83
+ ```
84
+ 2. For images claiming SLSA L2+, verify with slsa-verifier:
85
+ ```bash
86
+ slsa-verifier verify-image \
87
+ --source-uri github.com/<org>/<repo> \
88
+ --source-branch main \
89
+ <registry>/<image>:<tag>
90
+ ```
91
+ 3. Check whether the build was ephemeral (GitHub Actions or Tekton Chains) — SLSA L3 requires an ephemeral, isolated build environment. Builds on persistent, developer-accessible runners cannot claim L3.
92
+
93
+ Flag as **HIGH** if SLSA L2 is claimed but `slsa-verifier verify-image` fails or returns no matching attestation.
94
+
95
+ ### Step 5 — Audit SBOM attestations
96
+
97
+ 1. Verify SBOM attestation presence:
98
+ ```bash
99
+ cosign verify-attestation \
100
+ --type spdxjson \
101
+ --certificate-identity-regexp "https://github.com/<org>/<repo>/" \
102
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
103
+ <registry>/<image>:<tag>
104
+ ```
105
+ 2. For CycloneDX SBOM format:
106
+ ```bash
107
+ cosign verify-attestation \
108
+ --type cyclonedx \
109
+ <image>
110
+ ```
111
+ 3. Check whether the SBOM was generated at build time (accurate) or at image scan time (less reliable — may miss build-time artifacts).
112
+ 4. For workloads handling PII or financial data, flag as **MEDIUM** if no SBOM attestation is present — without an SBOM, dependency vulnerability provenance cannot be confirmed.
113
+
114
+ ### Step 6 — Audit Cosign key management (keyless vs key-based)
115
+
116
+ 1. Check CI pipeline signing steps for evidence of keyless OIDC flow:
117
+ ```yaml
118
+ # Correct keyless pattern in GitHub Actions
119
+ - name: Sign image
120
+ env:
121
+ COSIGN_EXPERIMENTAL: "1" # Enables keyless (OIDC Workload Identity)
122
+ run: |
123
+ cosign sign --yes ${{ env.IMAGE_REF }}
124
+ ```
125
+ 2. Flag as **HIGH** if the CI pipeline uses `cosign sign --key cosign.key` or references a `COSIGN_PRIVATE_KEY` secret — long-lived key material in CI secrets is a secret sprawl risk.
126
+ 3. Verify that keyless signing uses the correct OIDC token source:
127
+ - GitHub Actions: `id-token: write` permission must be set in the workflow.
128
+ - Tekton Chains: `CHAINS-GCP-SERVICE-ACCOUNT` or equivalent OIDC binding must be configured.
129
+
130
+ Example correct GitHub Actions OIDC signing permission:
131
+ ```yaml
132
+ permissions:
133
+ id-token: write
134
+ contents: read
135
+ packages: write
136
+ ```
137
+
138
+ Flag as **HIGH** if `id-token: write` is absent from the workflow — keyless signing will silently fail or fall back to anonymous signing.
139
+
140
+ ### Step 7 — Audit Rekor transparency log posture
141
+
142
+ 1. Check whether public Rekor logging is active (default) or disabled:
143
+ ```bash
144
+ # Default: public Rekor is used
145
+ cosign sign --yes <image>
146
+
147
+ # Disabled: no transparency log entry created
148
+ COSIGN_NO_TLOG=1 cosign sign --yes <image>
149
+ ```
150
+ 2. Flag as **MEDIUM** if `COSIGN_NO_TLOG=1` is set without a private Rekor instance configured — disabling transparency logging removes third-party verifiability and auditability.
151
+ 3. For images containing internal service references, infrastructure hostnames, or internal artifact paths, flag public Rekor logging as a **MEDIUM** information disclosure risk. These images should use a private Rekor instance.
152
+ 4. To verify a signature was logged to Rekor:
153
+ ```bash
154
+ cosign verify \
155
+ --certificate-identity-regexp "<signer>" \
156
+ --certificate-oidc-issuer "<issuer>" \
157
+ <image> | jq '.[0].optional.Bundle.Payload.logIndex'
158
+ ```
159
+ A non-null `logIndex` confirms the signature is in the public Rekor transparency log.
160
+
161
+ ### Step 8 — Verify admission enforcement is active
162
+
163
+ 1. Confirm Kyverno is installed and the webhook is active:
164
+ ```bash
165
+ kubectl get mutatingwebhookconfiguration,validatingwebhookconfiguration | grep kyverno
166
+ kubectl get pods -n kyverno
167
+ ```
168
+ 2. Confirm imageVerify policy is in `Enforce` mode (not `Audit`):
169
+ ```bash
170
+ kubectl get clusterpolicy <policy-name> -o jsonpath='{.spec.validationFailureAction}'
171
+ ```
172
+ `Enforce` blocks non-conforming images at admission. `Audit` only logs — images still deploy.
173
+ 3. Flag as **HIGH** if imageVerify policy is in `Audit` mode in production — unsigned images are not blocked.
174
+
175
+ ## Output
176
+
177
+ Return:
178
+
179
+ - **target**: image reference, ClusterPolicy name, or CI pipeline step, with the evidence source,
180
+ - **evidence level**: `live evidence` / `documentation-based` / `sanitized user evidence` / `inference`,
181
+ - **signing identity**: keyless OIDC (Fulcio) vs long-lived key, with the specific issuer and subject,
182
+ - **admission enforcement**: Kyverno imageVerify / policy-controller / none, with policy mode (Enforce/Audit),
183
+ - **identity constraint audit**: issuer and subject present/absent, glob scope, exclude rule coverage,
184
+ - **attestation inventory**: SLSA provenance present/absent, SBOM present/absent, format,
185
+ - **Rekor posture**: public log / private log / disabled, with information disclosure risk if applicable,
186
+ - **risk findings** (with severity: critical / high / medium / low),
187
+ - **safest next actions** with sample policy or workflow YAML,
188
+ - **assumptions and missing facts**.
189
+
190
+ ## Security notes
191
+
192
+ - Never recommend disabling imageVerify enforcement in production to unblock a deployment — the correct path is to fix the signing pipeline.
193
+ - Never recommend broad `exclude` rules as a permanent fix for third-party image coverage gaps.
194
+ - Never request or print private Cosign keys, OIDC tokens, registry credentials, or cosign.key file contents.
195
+ - Always confirm admission policy is in `Enforce` mode before concluding that unsigned images are blocked.
196
+ - A Kyverno imageVerify policy in `Audit` mode with no `Enforce` policy provides zero actual enforcement — treat this as a critical gap.
package/skills/terraform/README.md ADDED
@@ -0,0 +1,29 @@
1
+ # 🟩 Terraform Skills
2
+
3
+ <p align="center">
4
+ <!-- 🖼️ Add a Terraform logo to assets/logos/cloud/terraform/ and update this path -->
5
+ <span style="font-size:3.5em">🟩</span>
6
+ </p>
7
+
8
+ This folder contains Terraform-focused skills curated for this marketplace.
9
+
10
+ ## Local marketplace portfolio
11
+
12
+ This folder contains **1** local Terraform skill:
13
+
14
+ - `terraform-maestro`
15
+
16
+ ## Portfolio posture
17
+
18
+ Terraform skills for evidence-backed IaC review, plan safety, and guarded apply workflows across all cloud providers.
19
+
20
+ These skills are intentionally conservative:
21
+
22
+ - always review `terraform plan` output before any apply — never apply without a human-reviewed plan
23
+ - assess blast radius: count resource deletions, replacements, and modifications before approving
24
+ - check for missing `prevent_destroy` lifecycle rules on stateful resources (databases, buckets, vaults)
25
+ - verify backend state locking is enabled before any write operation
26
+ - flag remote state outputs consumed by other stacks — changes may break downstream consumers
27
+ - use official Terraform and provider documentation for resource behavior and provider version compatibility
28
+
29
+ Run `npm run validate` after changing cataloged Terraform skills.
package/skills/velero/velero-backup-restore-guard/SKILL.md ADDED
@@ -0,0 +1,41 @@
1
+ ---
2
+ name: velero-backup-restore-guard
3
+ description: Use this skill when guarding Velero backup schedule changes, restore operations, BackupStorageLocation mutations, or volume snapshot configuration. Trigger on any request to run a velero restore, delete a Schedule, change a BSL default, or modify backup retention.
4
+ metadata:
5
+ author: "github: Raishin"
6
+ version: "0.1.0"
7
+ ---
8
+
9
+ # Velero Backup/Restore Guard
10
+
11
+ ## Purpose
12
+
13
+ Guard live Velero operations — restore execution, schedule deletion, BackupStorageLocation changes, and volume snapshot configuration — against data loss, scope creep, and missing rollback posture. A Velero restore is destructive: it overlays resources onto the cluster. Every guarded operation requires confirmed cluster context, explicit scope, current state capture, and explicit platform-team sign-off before any mutation executes.
14
+
15
+ ## Lean operating rules
16
+
17
+ - Confirm cluster context (`kubectl config current-context`) and target namespace before any Velero operation — ambiguous context is a hard stop.
18
+ - Capture current state of the target Backup, Schedule, or BSL (`velero backup describe <name> --details`, `kubectl get schedule <name> -o yaml`) before every write — Velero has no built-in undo.
19
+ - For restore operations: require `includedNamespaces` to be explicitly scoped; a cluster-wide restore (`includedNamespaces: []`) requires explicit platform-team sign-off.
20
+ - Recommend `velero restore create --dry-run` before every non-emergency restore; treat missing dry-run as a hard stop in non-emergency scenarios.
21
+ - Block deleting a Schedule that is the only backup for a production namespace unless an alternative backup source is confirmed.
22
+ - Block changing a BSL `default: true` without confirming no in-progress backups and reviewing the impact on all dependent Schedules.
23
+ - Check pre-backup hook coverage on stateful workloads (PostgreSQL, MySQL, Kafka) — missing quiesce hooks mean inconsistent backups.
24
+ - Label all claims as live evidence, documentation-based, or inference.
25
+
26
+ ## References
27
+
28
+ Load these only when needed:
29
+
30
+ - [Workflow and output contract](references/workflow-and-output.md)
31
+ - [Safety checklist](references/safety-checklist.md)
32
+
33
+ ## Response minimum
34
+
35
+ - Confirmed cluster context and target scope
36
+ - Current state of the Backup/Schedule/BSL (evidence level)
37
+ - Hard-stop assessment (is this a blocked operation?)
38
+ - Explicit platform-team sign-off status
39
+ - Recommended dry-run or safe-path command
40
+ - Rollback posture
41
+ - Post-operation verification steps
package/skills/velero/velero-backup-restore-guard/metadata.json ADDED
@@ -0,0 +1,21 @@
1
+ {
2
+ "id": "velero-backup-restore-guard",
3
+ "name": "Velero Backup/Restore Guard",
4
+ "type": "skill",
5
+ "provider": "velero",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Live-guard skill for Velero backup schedules, restore operations, BackupStorageLocation changes, and volume snapshots — requiring explicit platform-team sign-off before any mutation.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://velero.io/docs/latest/",
11
+ "https://velero.io/docs/latest/restore-reference/",
12
+ "https://velero.io/docs/latest/backup-reference/",
13
+ "https://velero.io/docs/latest/locations/",
14
+ "https://velero.io/docs/latest/hooks/"
15
+ ],
16
+ "security_notes": "Velero restore with existingResourcePolicy:update can overwrite live RBAC resources, Secrets, and ServiceAccounts — equivalent to a partial cluster wipe. BSL credentials with write-only access prevent listing/deleting old backups, causing runaway storage costs. Never proceed with cluster-wide restores without explicit platform-team sign-off.",
17
+ "last_verified": "2026-05-02",
18
+ "path": "skills/velero/velero-backup-restore-guard",
19
+ "author": "github: Raishin",
20
+ "version": "0.1.0"
21
+ }
package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md ADDED
@@ -0,0 +1,40 @@
1
+ # Safety Checklist
2
+
3
+ ## Pre-Restore Checklist (10 items)
4
+
5
+ Before executing any `velero restore create` command, confirm all 10 items. A single unchecked item is a HARD STOP unless the approver explicitly overrides with written justification.
6
+
7
+ - [ ] **1. Cluster context confirmed** — `kubectl config current-context` output has been shown and matches the intended target cluster. Do not assume the current context is correct.
8
+ - [ ] **2. Namespace scope is explicit** — `includedNamespaces` lists one or more specific namespaces. Empty list (`[]`) = cluster-wide restore = requires explicit platform-team sign-off with ticket reference.
9
+ - [ ] **3. Backup timestamp verified** — the backup name and creation timestamp have been confirmed as the correct recovery point. Do not restore from an older backup if a closer-in-time backup exists and is healthy.
10
+ - [ ] **4. Backup phase is Completed** — `velero backup describe <name>` shows `Phase: Completed`. Do not restore from a `PartiallyFailed` or `Failed` backup without explicit acknowledgment of the incomplete scope.
11
+ - [ ] **5. Dry-run executed and reviewed** — `velero restore create --dry-run` output has been reviewed for unexpected resource counts, namespace scope, and PV restore entries. (Exception: active P0 incident with explicit platform-team override.)
12
+ - [ ] **6. existingResourcePolicy reviewed** — if `existingResourcePolicy: update` is used, the approver understands this will overwrite live Secrets, ConfigMaps, RBAC objects, and ServiceAccounts in the target namespace.
13
+ - [ ] **7. PV restore posture confirmed** — `restorePVs: true/false` intent is explicit. If false, stateful applications will start with empty persistent volumes.
14
+ - [ ] **8. Current state captured** — target namespace resources have been exported (`kubectl get all,cm,secret,pvc -n <ns> -o yaml > pre-restore-state.yaml`) as a rollback artifact.
15
+ - [ ] **9. Explicit platform-team sign-off obtained** — approver name, role, and ticket/incident reference are documented. Not implied — must be explicit.
16
+ - [ ] **10. Post-restore verification plan exists** — the team knows which pods, endpoints, and data checks confirm successful restore before closing the incident.
17
+
18
+ ---
19
+
20
+ ## Pre-Schedule-Delete Checklist (5 items)
21
+
22
+ Before executing `velero schedule delete <name>` or removing a Schedule manifest:
23
+
24
+ - [ ] **1. Alternative backup source confirmed** — the namespaces covered by this Schedule are also covered by another Schedule or a manual backup strategy. Deleting the only backup Schedule for a production namespace is a HARD STOP.
25
+ - [ ] **2. Existing backups will not be deleted** — deleting a Schedule does not delete existing Backups by default. Confirm this is the intended behavior; if cascade-delete is intended, explicitly document which backups will be removed.
26
+ - [ ] **3. No in-progress backup from this schedule** — `velero backup get | grep InProgress` shows no active backup from this Schedule. Deleting a Schedule mid-backup can leave a partial backup with no retention management.
27
+ - [ ] **4. Dependent restore references reviewed** — no existing Restore objects reference backups created by this Schedule in a pending or future recovery plan.
28
+ - [ ] **5. Platform-team sign-off obtained** — explicit written approval with ticket reference. A Schedule deletion is irreversible (re-creation restores future backups but not the deleted Schedule's backup history lineage).
29
+
30
+ ---
31
+
32
+ ## Post-Restore Verification (5 items)
33
+
34
+ After a restore completes (`velero restore describe <name>` shows `Phase: Completed`):
35
+
36
+ - [ ] **1. Pod health confirmed** — all Deployments and StatefulSets in the restored namespace reach `Ready` state within the expected startup window. Check: `kubectl get pods -n <ns> -w`.
37
+ - [ ] **2. PVC binding confirmed** — all PersistentVolumeClaims are in `Bound` status. Unbound PVCs indicate snapshot restore failure or storage class mismatch. Check: `kubectl get pvc -n <ns>`.
38
+ - [ ] **3. Application data sampling** — spot-check application-level data integrity (e.g., query a database, verify a file, check an API endpoint). Pod running does not guarantee data consistency.
39
+ - [ ] **4. Service endpoints reachable** — Services and Ingress rules are routing traffic correctly. Check: `kubectl get svc,ingress -n <ns>` and a live probe to the application endpoint.
40
+ - [ ] **5. Restore warnings reviewed** — `velero restore logs <name>` has been scanned for warnings. Warnings about skipped resources, unresolved PV references, or hook failures must be triaged before marking the restore complete.