@raishin/vanguard-frontier-agentic 1.2.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (561) hide show
  1. package/README.md +250 -110
  2. package/agents/AGENTS.md +263 -21
  3. package/agents/argocd/README.md +46 -0
  4. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
  5. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
  6. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
  7. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
  8. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
  9. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
  10. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
  11. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
  12. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
  13. package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
  14. package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
  15. package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
  16. package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
  17. package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
  18. package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
  19. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
  20. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
  21. package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
  22. package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
  23. package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
  24. package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
  25. package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
  26. package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
  27. package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
  28. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  29. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
  30. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  31. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  32. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  33. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  34. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  35. package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
  36. package/agents/azure/README.md +45 -0
  37. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
  38. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  39. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
  40. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  41. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  42. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  43. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  44. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  45. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
  46. package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +10 -1
  47. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +10 -1
  48. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +10 -1
  49. package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +10 -1
  50. package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
  51. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
  52. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
  53. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
  54. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
  55. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
  56. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  57. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  58. package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
  59. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +10 -1
  60. package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +11 -2
  61. package/agents/backstage/README.md +36 -0
  62. package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
  63. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
  64. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
  65. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
  66. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
  67. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
  68. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
  69. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
  70. package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
  71. package/agents/cert-manager/README.md +46 -0
  72. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
  73. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
  74. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
  75. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
  76. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
  77. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
  78. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
  79. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
  80. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
  81. package/agents/cilium/README.md +46 -0
  82. package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
  83. package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  84. package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
  85. package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
  86. package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
  87. package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
  88. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  89. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  90. package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
  91. package/agents/falco/README.md +36 -0
  92. package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
  93. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
  94. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
  95. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
  96. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
  97. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
  98. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
  99. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
  100. package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
  101. package/agents/finops/README.md +27 -0
  102. package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +10 -1
  103. package/agents/fluxcd/README.md +39 -0
  104. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
  105. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
  106. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
  107. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
  108. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
  109. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
  110. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
  111. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
  112. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
  113. package/agents/istio/README.md +46 -0
  114. package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
  115. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
  116. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
  117. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
  118. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
  119. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
  120. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
  122. package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
  123. package/agents/kubernetes/README.md +143 -0
  124. package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
  125. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
  126. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
  127. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
  128. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
  129. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
  130. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
  131. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
  132. package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
  133. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
  134. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
  135. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
  136. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
  137. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
  138. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
  139. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
  140. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
  141. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
  142. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
  143. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  144. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
  145. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  146. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  147. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  148. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  149. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  150. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +37 -0
  151. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
  152. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
  153. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
  154. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
  155. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
  156. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
  157. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  158. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  159. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +37 -0
  160. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
  161. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  162. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
  163. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  164. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  165. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  166. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  167. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  168. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +37 -0
  169. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
  170. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  171. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
  172. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  173. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  174. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  175. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  176. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  177. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +37 -0
  178. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
  179. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
  180. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
  181. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
  182. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
  183. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
  184. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  185. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  186. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
  187. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
  188. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
  189. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
  190. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
  191. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
  192. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
  193. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  194. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
  195. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +38 -0
  196. package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
  197. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
  198. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
  199. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
  200. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
  201. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
  202. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  203. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  204. package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
  205. package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
  206. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
  207. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
  208. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
  209. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
  210. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
  211. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
  212. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
  213. package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
  214. package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
  215. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
  216. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
  217. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
  218. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
  219. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
  220. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
  221. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
  222. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +38 -0
  223. package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
  224. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
  225. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
  226. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
  227. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
  228. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
  229. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
  230. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
  231. package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
  232. package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
  233. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
  234. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
  235. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
  236. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
  237. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
  238. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
  239. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
  240. package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
  241. package/agents/kyverno/README.md +46 -0
  242. package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
  243. package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  244. package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
  245. package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
  246. package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
  247. package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
  248. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  249. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  250. package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
  251. package/agents/oci/README.md +45 -0
  252. package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
  253. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  254. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
  255. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  256. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  257. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  258. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  259. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  260. package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
  261. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +11 -2
  262. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +11 -2
  263. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +10 -1
  264. package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
  265. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
  266. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
  267. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
  268. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
  269. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
  270. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  271. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  272. package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
  273. package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +11 -2
  274. package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +10 -1
  275. package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +10 -1
  276. package/agents/opentelemetry/README.md +37 -0
  277. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
  278. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
  279. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
  280. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
  281. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
  282. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
  283. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
  284. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
  285. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
  286. package/agents/prometheus/README.md +36 -0
  287. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
  288. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
  289. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
  290. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
  291. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
  292. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
  293. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
  294. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
  295. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
  296. package/agents/sigstore/README.md +38 -0
  297. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
  298. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
  299. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
  300. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
  301. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
  302. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
  303. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
  304. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
  305. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
  306. package/agents/terraform/README.md +29 -0
  307. package/agents/terraform/terraform-reviewer/AGENT.md +2 -1
  308. package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
  309. package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
  310. package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
  311. package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
  312. package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
  313. package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
  314. package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
  315. package/agents/terraform/terraform-reviewer/metadata.json +10 -1
  316. package/agents/velero/README.md +41 -0
  317. package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
  318. package/catalog/agents.json +1452 -634
  319. package/catalog/install-roles.json +455 -0
  320. package/catalog/skill-manifest.json +1089 -335
  321. package/catalog/skills.json +1298 -528
  322. package/package.json +32 -3
  323. package/schemas/AGENTS.md +14 -0
  324. package/schemas/agent.frontmatter.schema.json +89 -0
  325. package/schemas/agent.schema.json +8 -0
  326. package/schemas/skill.frontmatter.schema.json +95 -0
  327. package/scripts/apply-skill-allowed-tools.py +142 -0
  328. package/scripts/backfill-skill-metadata.py +410 -0
  329. package/scripts/export-marketplace-agents.mjs +275 -9
  330. package/scripts/update-catalog-new-agents.py +88 -0
  331. package/skills/argocd/README.md +30 -0
  332. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +43 -0
  333. package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
  334. package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
  335. package/skills/argocd/argocd-gitops-review/SKILL.md +46 -0
  336. package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
  337. package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
  338. package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
  339. package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
  340. package/skills/aws/README.md +3 -1
  341. package/skills/aws/aws-agentcore/SKILL.md +3 -0
  342. package/skills/aws/aws-api-edge-delivery-review/SKILL.md +3 -0
  343. package/skills/aws/aws-bedrock-agent-security-governor/SKILL.md +3 -0
  344. package/skills/aws/aws-change-impact-advisor/SKILL.md +3 -0
  345. package/skills/aws/aws-ci-cd-release-engineer/SKILL.md +3 -0
  346. package/skills/aws/aws-compliance-evidence-mapper/SKILL.md +3 -0
  347. package/skills/aws/aws-cost-anomaly-watch-coordinator/SKILL.md +3 -0
  348. package/skills/aws/aws-cost-optimization-governor/SKILL.md +3 -0
  349. package/skills/aws/aws-daily-operations-briefing-coordinator/SKILL.md +3 -0
  350. package/skills/aws/aws-data-protection-backup-steward/SKILL.md +3 -0
  351. package/skills/aws/aws-deployment-hotfix-operator/SKILL.md +3 -0
  352. package/skills/aws/aws-devops-agent-skill-designer/SKILL.md +3 -0
  353. package/skills/aws/aws-dynamodb-data-modeling-performance-review/SKILL.md +3 -0
  354. package/skills/aws/aws-ec2-compute-operations-steward/SKILL.md +3 -0
  355. package/skills/aws/aws-ecs-fargate-platform-operator/SKILL.md +3 -0
  356. package/skills/aws/aws-ecs-service-remediation-operator/SKILL.md +3 -0
  357. package/skills/aws/aws-eks-platform-operator/SKILL.md +3 -0
  358. package/skills/aws/aws-event-driven-architecture-review/SKILL.md +3 -0
  359. package/skills/aws/aws-generative-ai-developer/SKILL.md +3 -0
  360. package/skills/aws/aws-iac-change-safety-review/SKILL.md +3 -0
  361. package/skills/aws/aws-iac-patch-executor/SKILL.md +3 -0
  362. package/skills/aws/aws-iam-least-privilege-review/SKILL.md +3 -0
  363. package/skills/aws/aws-kms-secrets-lifecycle-steward/SKILL.md +3 -0
  364. package/skills/aws/aws-landing-zone-governor/SKILL.md +3 -0
  365. package/skills/aws/aws-live-deployment-guarded-operator/SKILL.md +3 -0
  366. package/skills/aws/aws-live-ecs-rollout-guard/SKILL.md +3 -0
  367. package/skills/aws/aws-live-iac-change-guard/SKILL.md +3 -0
  368. package/skills/aws/aws-live-pipeline-approval-operator/SKILL.md +3 -0
  369. package/skills/aws/aws-live-serverless-release-guard/SKILL.md +3 -0
  370. package/skills/aws/aws-maestro/SKILL.md +3 -0
  371. package/skills/aws/aws-maestro/references/workflow-and-output.md +2 -0
  372. package/skills/aws/aws-migration-cutover-architect/SKILL.md +3 -0
  373. package/skills/aws/aws-network-architect/SKILL.md +3 -0
  374. package/skills/aws/aws-non-destructive-task-automation-advisor/SKILL.md +3 -0
  375. package/skills/aws/aws-observability-incident-responder/SKILL.md +3 -0
  376. package/skills/aws/aws-pipeline-fix-operator/SKILL.md +3 -0
  377. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +42 -0
  378. package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
  379. package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
  380. package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
  381. package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
  382. package/skills/aws/aws-rds-aurora-performance-investigator/SKILL.md +3 -0
  383. package/skills/aws/aws-resilience-bcdr-review/SKILL.md +3 -0
  384. package/skills/aws/aws-s3-data-perimeter-governor/SKILL.md +3 -0
  385. package/skills/aws/aws-security-posture-hardening/SKILL.md +3 -0
  386. package/skills/aws/aws-serverless-production-readiness/SKILL.md +3 -0
  387. package/skills/aws/aws-serverless-rollout-corrector/SKILL.md +3 -0
  388. package/skills/aws/aws-solution-architect/SKILL.md +3 -0
  389. package/skills/aws/aws-ticket-triage-escalation-coordinator/SKILL.md +3 -0
  390. package/skills/azure/README.md +3 -1
  391. package/skills/azure/azure-ai-foundry-ops-governor/SKILL.md +3 -0
  392. package/skills/azure/azure-aks-platform-operator/SKILL.md +3 -0
  393. package/skills/azure/azure-app-service-production-readiness/SKILL.md +3 -0
  394. package/skills/azure/azure-cosmosdb-application-developer/SKILL.md +3 -0
  395. package/skills/azure/azure-cosmosdb-performance-investigator/SKILL.md +3 -0
  396. package/skills/azure/azure-cosmosdb-platform-operator/SKILL.md +3 -0
  397. package/skills/azure/azure-cost-estimation-review/SKILL.md +3 -0
  398. package/skills/azure/azure-cost-optimization-governor/SKILL.md +3 -0
  399. package/skills/azure/azure-entra-id-specialist/SKILL.md +3 -0
  400. package/skills/azure/azure-governance-policy-guardrails/SKILL.md +3 -0
  401. package/skills/azure/azure-identity-governance-review/SKILL.md +3 -0
  402. package/skills/azure/azure-key-vault-secret-lifecycle-auditor/SKILL.md +3 -0
  403. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +40 -0
  404. package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
  405. package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
  406. package/skills/azure/azure-landing-zone-architect/SKILL.md +3 -0
  407. package/skills/azure/azure-live-aks-rollout-guard/SKILL.md +3 -0
  408. package/skills/azure/azure-live-app-service-slot-swap-guard/SKILL.md +3 -0
  409. package/skills/azure/azure-live-arm-deployment-stack-guard/SKILL.md +3 -0
  410. package/skills/azure/azure-live-cost-budget-action-guard/SKILL.md +3 -0
  411. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +59 -0
  412. package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
  413. package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
  414. package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
  415. package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
  416. package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
  417. package/skills/azure/azure-live-keyvault-rotation-purge-guard/SKILL.md +3 -0
  418. package/skills/azure/azure-live-pim-jit-activation-guard/SKILL.md +3 -0
  419. package/skills/azure/azure-maestro/SKILL.md +3 -0
  420. package/skills/azure/azure-migrate-landing-zone-cutover/SKILL.md +3 -0
  421. package/skills/azure/azure-network-topology-review/SKILL.md +3 -0
  422. package/skills/azure/azure-observability-investigator/SKILL.md +3 -0
  423. package/skills/azure/azure-platform-automation-devops/SKILL.md +3 -0
  424. package/skills/azure/azure-private-endpoint-adoption-planner/SKILL.md +3 -0
  425. package/skills/azure/azure-rbac-review/SKILL.md +3 -0
  426. package/skills/azure/azure-resilience-bcdr-review/SKILL.md +3 -0
  427. package/skills/azure/azure-resource-health-incident-triage/SKILL.md +3 -0
  428. package/skills/azure/azure-role-selector/SKILL.md +3 -0
  429. package/skills/azure/azure-security-posture-hardening/SKILL.md +3 -0
  430. package/skills/azure/azure-subscription-resource-organization/SKILL.md +3 -0
  431. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +42 -0
  432. package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
  433. package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
  434. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +43 -0
  435. package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
  436. package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
  437. package/skills/cilium/README.md +30 -0
  438. package/skills/cilium/cilium-network-policy-review/SKILL.md +46 -0
  439. package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
  440. package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
  441. package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
  442. package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
  443. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +40 -0
  444. package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
  445. package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
  446. package/skills/finops/README.md +30 -0
  447. package/skills/finops/finops-cloud-price-advisor/SKILL.md +3 -0
  448. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +43 -0
  449. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
  450. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
  451. package/skills/istio/README.md +28 -0
  452. package/skills/istio/istio-ambient-mesh-review/SKILL.md +46 -0
  453. package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
  454. package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
  455. package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
  456. package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
  457. package/skills/kubernetes/README.md +30 -0
  458. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +40 -0
  459. package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
  460. package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
  461. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +43 -0
  462. package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
  463. package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
  464. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +60 -0
  465. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
  466. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
  467. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
  468. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
  469. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
  470. package/skills/kubernetes/kubernetes-maestro/SKILL.md +48 -0
  471. package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
  472. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
  473. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
  474. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +46 -0
  475. package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
  476. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
  477. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
  478. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
  479. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +41 -0
  480. package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
  481. package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
  482. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +41 -0
  483. package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
  484. package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
  485. package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
  486. package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
  487. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +46 -0
  488. package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
  489. package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
  490. package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
  491. package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
  492. package/skills/kyverno/README.md +30 -0
  493. package/skills/kyverno/kyverno-policy-review/SKILL.md +46 -0
  494. package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
  495. package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
  496. package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
  497. package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
  498. package/skills/oci/README.md +63 -0
  499. package/skills/oci/oci-autonomous-database-architect/SKILL.md +3 -0
  500. package/skills/oci/oci-certificates-issuer-review/SKILL.md +40 -0
  501. package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
  502. package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
  503. package/skills/oci/oci-cloud-guard-responder/SKILL.md +3 -0
  504. package/skills/oci/oci-compute-instance-agent-operator/SKILL.md +3 -0
  505. package/skills/oci/oci-compute-platform-operator/SKILL.md +3 -0
  506. package/skills/oci/oci-cost-finops-analyst/SKILL.md +3 -0
  507. package/skills/oci/oci-database-platform-dba/SKILL.md +3 -0
  508. package/skills/oci/oci-dbtools-sql-analyst/SKILL.md +3 -0
  509. package/skills/oci/oci-devops-container-platform-engineer/SKILL.md +3 -0
  510. package/skills/oci/oci-exadata-database-architect/SKILL.md +3 -0
  511. package/skills/oci/oci-exadata-platform-architect/SKILL.md +3 -0
  512. package/skills/oci/oci-fusion-apps-environment-operator/SKILL.md +3 -0
  513. package/skills/oci/oci-goldengate-replication-operator/SKILL.md +3 -0
  514. package/skills/oci/oci-identity-access-governor/SKILL.md +3 -0
  515. package/skills/oci/oci-iot-digital-twin-engineer/SKILL.md +3 -0
  516. package/skills/oci/oci-limits-capacity-planner/SKILL.md +3 -0
  517. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/SKILL.md +3 -0
  518. package/skills/oci/oci-live-cost-budget-runaway-guard/SKILL.md +3 -0
  519. package/skills/oci/oci-live-iam-policy-compartment-guard/SKILL.md +3 -0
  520. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +60 -0
  521. package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
  522. package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
  523. package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
  524. package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
  525. package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
  526. package/skills/oci/oci-live-oke-rollout-guard/SKILL.md +3 -0
  527. package/skills/oci/oci-live-resource-manager-stack-guard/SKILL.md +3 -0
  528. package/skills/oci/oci-live-vault-key-destruction-guard/SKILL.md +3 -0
  529. package/skills/oci/oci-load-balancer-traffic-engineer/SKILL.md +3 -0
  530. package/skills/oci/oci-maestro/SKILL.md +3 -0
  531. package/skills/oci/oci-migration-cutover-architect/SKILL.md +3 -0
  532. package/skills/oci/oci-multi-cloud-architect/SKILL.md +3 -0
  533. package/skills/oci/oci-mysql-heatwave-ai-specialist/SKILL.md +3 -0
  534. package/skills/oci/oci-network-architect/SKILL.md +3 -0
  535. package/skills/oci/oci-observability-incident-responder/SKILL.md +3 -0
  536. package/skills/oci/oci-recovery-service-operator/SKILL.md +3 -0
  537. package/skills/oci/oci-registry-artifact-governor/SKILL.md +3 -0
  538. package/skills/oci/oci-resource-search-inventory-analyst/SKILL.md +3 -0
  539. package/skills/oci/oci-security-compliance-reviewer/SKILL.md +3 -0
  540. package/skills/oci/oci-solution-architect/SKILL.md +3 -0
  541. package/skills/oci/oci-storage-backup-steward/SKILL.md +3 -0
  542. package/skills/oci/oci-support-incident-coordinator/SKILL.md +3 -0
  543. package/skills/oci/oracle-oci-mcp-grounded-advisor/SKILL.md +3 -0
  544. package/skills/opentelemetry/README.md +31 -0
  545. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +47 -0
  546. package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
  547. package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
  548. package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
  549. package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
  550. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +41 -0
  551. package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
  552. package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
  553. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +42 -0
  554. package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
  555. package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
  556. package/skills/terraform/README.md +29 -0
  557. package/skills/terraform/terraform-maestro/SKILL.md +3 -0
  558. package/skills/velero/velero-backup-restore-guard/SKILL.md +44 -0
  559. package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
  560. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
  561. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
package/skills/azure/azure-private-endpoint-adoption-planner/SKILL.md CHANGED
@@ -1,9 +1,12 @@
1
1
  ---
2
2
  name: azure-private-endpoint-adoption-planner
3
3
  description: Use this skill for Azure Private Link and private endpoint adoption planning, including hub-versus-spoke placement, private DNS zone linkage, route implications, centralized versus workload-local endpoint trade-offs, and safe rollout validation.
4
+ allowed-tools: Read Grep Glob WebFetch
4
5
  metadata:
5
6
  author: github: Raishin
6
7
  version: 0.1.0
8
+ updated: "2026-05-05"
9
+ category: networking
7
10
  ---
8
11
 
9
12
  # Azure Private Endpoint Adoption Planner
package/skills/azure/azure-rbac-review/SKILL.md CHANGED
@@ -1,9 +1,12 @@
1
1
  ---
2
2
  name: azure-rbac-review
3
3
  description: Use this skill for Azure RBAC, Entra-backed access, role assignment, custom role, scope, subscription, management group, or least-privilege review tasks. Trigger when the user asks whether Azure access is too broad or how to grant access safely.
4
+ allowed-tools: Read Grep Glob
4
5
  metadata:
5
6
  author: github: Raishin
6
7
  version: 0.1.0
8
+ updated: "2026-05-05"
9
+ category: security
7
10
  ---
8
11
 
9
12
  # Azure RBAC Review
package/skills/azure/azure-resilience-bcdr-review/SKILL.md CHANGED
@@ -1,9 +1,12 @@
1
1
  ---
2
2
  name: azure-resilience-bcdr-review
3
3
  description: Use this skill for Azure resilience, business continuity, and disaster recovery reviews covering RTO/RPO realism, failover and failback assumptions, shared-responsibility gaps, and recovery runbook or drill quality.
4
+ allowed-tools: Read Grep Glob
4
5
  metadata:
5
6
  author: github: Raishin
6
7
  version: 0.1.0
8
+ updated: "2026-05-05"
9
+ category: resilience
7
10
  ---
8
11
 
9
12
  # Azure Resilience BCDR Review
package/skills/azure/azure-resource-health-incident-triage/SKILL.md CHANGED
@@ -1,9 +1,12 @@
1
1
  ---
2
2
  name: azure-resource-health-incident-triage
3
3
  description: Use this skill for Azure Resource Health, Service Health, activity-log alert, and first-pass incident triage when the question is whether Azure platform health is part of the problem.
4
+ allowed-tools: Read Grep Glob
4
5
  metadata:
5
6
  author: github: Raishin
6
7
  version: 0.1.0
8
+ updated: "2026-05-05"
9
+ category: observability
7
10
  ---
8
11
 
9
12
  # Azure Resource Health Incident Triage
package/skills/azure/azure-role-selector/SKILL.md CHANGED
@@ -1,9 +1,12 @@
1
1
  ---
2
2
  name: azure-role-selector
3
3
  description: Use this skill when the user asks which Azure role to assign, how to grant minimum access, whether a built-in role is sufficient, or when a custom role may be required.
4
+ allowed-tools: Read Grep Glob
4
5
  metadata:
5
6
  author: github: Raishin
6
7
  version: 0.1.0
8
+ updated: "2026-05-05"
9
+ category: compliance
7
10
  ---
8
11
 
9
12
  # Azure Role Selector
package/skills/azure/azure-security-posture-hardening/SKILL.md CHANGED
@@ -1,9 +1,12 @@
1
1
  ---
2
2
  name: azure-security-posture-hardening
3
3
  description: Use this skill for Azure security posture review, baseline hardening, managed identity adoption, Key Vault posture, private access decisions, Azure Policy guardrails, and logging or audit gap analysis. Trigger when the user asks how to harden an Azure workload or platform without defaulting to broad access or public exposure.
4
+ allowed-tools: Read Grep Glob
4
5
  metadata:
5
6
  author: github: Raishin
6
7
  version: 0.1.0
8
+ updated: "2026-05-05"
9
+ category: security
7
10
  ---
8
11
 
9
12
  # Azure Security Posture Hardening
package/skills/azure/azure-subscription-resource-organization/SKILL.md CHANGED
@@ -1,9 +1,12 @@
1
1
  ---
2
2
  name: azure-subscription-resource-organization
3
3
  description: Use this skill for Azure management-group hierarchy, subscription placement, resource-group boundary, and platform-versus-workload ownership decisions that affect governance, operations, and landing-zone scale.
4
+ allowed-tools: Read Grep Glob
4
5
  metadata:
5
6
  author: github: Raishin
6
7
  version: 0.1.0
8
+ updated: "2026-05-05"
9
+ category: compliance
7
10
  ---
8
11
 
9
12
  # Azure Subscription Resource Organization
package/skills/backstage/backstage-scaffolder-template-review/SKILL.md ADDED
@@ -0,0 +1,42 @@
1
+ ---
2
+ name: backstage-scaffolder-template-review
3
+ description: Use this skill when reviewing Backstage Scaffolder software templates. Trigger when the user asks whether a template is safe for developer self-service, whether template RBAC gates are in place, whether input parameters are validated, whether a step action has excessive blast radius, or whether template outputs expose secrets.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-05-05"
9
+ category: delivery
10
+ ---
11
+
12
+ # Backstage Scaffolder Template Review
13
+
14
+ ## Purpose
15
+
16
+ Review Backstage Scaffolder `Template` kind resources for action blast-radius, input parameter injection risk, RBAC permission gate coverage, integration secret scope, catalog entity poisoning via `catalog:register`, and plaintext secret exposure in `output:` stanzas. Backstage Scaffolder gives developers a curated UI to trigger powerful backend actions — without RBAC gates and input validation, every authenticated developer effectively has write access to whatever the Scaffolder integration credentials can reach.
17
+
18
+ ## Lean operating rules
19
+
20
+ - Prefer user-provided sanitized Template YAML as primary evidence; official Backstage docs are the authoritative fallback.
21
+ - Treat any `steps:` action that provisions real cloud infrastructure (Terraform, Crossplane CRD apply, CloudFormation deploy, `kubectl apply`) with no RBAC permission gate as a CRITICAL finding.
22
+ - Treat input parameters flowing unsanitized into `publish:github.repoUrl`, file-path actions, or shell-exec actions as a HIGH finding — path traversal and injection are realistic.
23
+ - Treat `publish:github` with `visibility: public` as the default or without an `allowedHosts` constraint as a HIGH finding.
24
+ - Treat `output:` stanzas exposing plaintext generated credentials, connection strings, or API keys in the Backstage UI as a HIGH finding.
25
+ - Treat the absence of `@backstage/plugin-permission-backend` policies for infrastructure-provisioning templates as a HIGH finding — any authenticated Backstage user can trigger them.
26
+ - Treat `catalog:register` accepting arbitrary user-supplied YAML without server-side entity schema validation as a MEDIUM finding — catalog poisoning overwrites ownership and lifecycle metadata.
27
+ - Keep the answer scoped: report what was reviewed, the evidence level, and exactly which steps or fields triggered each finding.
28
+
29
+ ## References
30
+
31
+ Load these only when needed:
32
+ - [Workflow and output contract](references/workflow-and-output.md)
33
+
34
+ ## Response minimum
35
+
36
+ - Scoped target (Template `metadata.name`) and evidence level
37
+ - Each `steps:` action type and its provisioning blast radius
38
+ - Input parameter validation gaps (missing `maxLength`, `pattern`, `enum`)
39
+ - RBAC permission gate verdict (present / absent / partial)
40
+ - Integration secret scope assessment
41
+ - `output:` stanza exposure assessment
42
+ - Safe next actions and open questions
package/skills/backstage/backstage-scaffolder-template-review/metadata.json ADDED
@@ -0,0 +1,21 @@
1
+ {
2
+ "id": "backstage-scaffolder-template-review",
3
+ "name": "Backstage Scaffolder Template Review",
4
+ "type": "skill",
5
+ "provider": "backstage",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review Backstage Scaffolder software templates for action blast-radius, input parameter injection, RBAC gate coverage, secret scope, catalog entity poisoning, and output exposure.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://backstage.io/docs/features/software-templates/",
11
+ "https://backstage.io/docs/features/software-templates/writing-templates",
12
+ "https://backstage.io/docs/features/software-templates/builtin-actions",
13
+ "https://backstage.io/docs/permissions/overview",
14
+ "https://backstage.io/docs/integrations/github/github-apps"
15
+ ],
16
+ "security_notes": "Backstage Scaffolder templates without RBAC gate and without input validation allow any developer to trigger infrastructure provisioning actions. Templates that provision cloud resources via Terraform or Crossplane CRDs effectively grant cloud-write to all Backstage users.",
17
+ "last_verified": "2026-05-02",
18
+ "path": "skills/backstage/backstage-scaffolder-template-review",
19
+ "author": "github: Raishin",
20
+ "version": "0.1.0"
21
+ }
package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,179 @@
1
+ # Workflow and output contract
2
+
3
+ Use this reference only when performing a full Backstage Scaffolder template review, producing implementation guidance, triaging a scaffolder security incident, or completing a production-readiness pass.
4
+
5
+ ## Review domains
6
+
7
+ Check these areas before giving a verdict:
8
+
9
+ - Template `metadata.name`, `spec.owner`, and namespace scoping
10
+ - Each `steps:` entry: action type, input parameters, and provisioning blast radius
11
+ - Input `parameters:` schema: type enforcement, `maxLength`, `pattern`, `enum`, and data-flow into step inputs
12
+ - RBAC permission gate: presence and scope of `@backstage/plugin-permission-backend` policies for this template
13
+ - Integration secret scope: GitHub PAT, Azure DevOps token, or other credential used by `publish:*` actions
14
+ - `catalog:register` usage: whether registered YAML is user-supplied or template-controlled
15
+ - `output:` stanza: whether plaintext secrets or credentials are surfaced in the Backstage UI
16
+
17
+ ## Safe workflow
18
+
19
+ 1. **Frame scope**
20
+ - Template name and `spec.owner`:
21
+ - Target environment (dev / staging / production):
22
+ - Backstage version and active plugins:
23
+ - Whether `@backstage/plugin-permission-backend` is installed:
24
+ - Required outcome of this review:
25
+ - Explicit non-goals:
26
+
27
+ 2. **Collect evidence**
28
+ - Prefer user-provided sanitized Template YAML as primary evidence.
29
+ - Confirm Backstage version and installed plugins from `app-config.yaml` or Backstage `package.json`.
30
+ - Label each finding as `user-provided evidence`, `documentation-based`, or `inference`.
31
+
32
+ 3. **Map action blast radius**
33
+ For each `steps[].action`, ask:
34
+ ```
35
+ - What external system does this action write to?
36
+ - What credential does it use and what is that credential's scope?
37
+ - Is there an RBAC permission policy gating this template for that action?
38
+ - Can a user-controlled input reach this action unsanitized?
39
+ ```
40
+ Example: `publish:github` with `repoUrl: ${{ parameters.repoName }}` where `repoName` has no `pattern`
41
+ validation — a value like `../../../sensitive-repo` could traverse the expected org boundary.
42
+
43
+ 4. **Validate input parameter schema**
44
+ Check each parameter field:
45
+ ```yaml
46
+ parameters:
47
+ - title: Repository Name
48
+ properties:
49
+ repoName:
50
+ type: string
51
+ # REQUIRED: maxLength to prevent oversized inputs
52
+ maxLength: 63
53
+ # REQUIRED: pattern to block path traversal and injection
54
+ pattern: '^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$'
55
+ ```
56
+ Missing `maxLength` or `pattern` on fields that flow into `publish:github.repoUrl`,
57
+ `roadiehq:utils:fs:write`, or shell-exec actions is a HIGH finding.
58
+
59
+ 5. **Check RBAC permission gate**
60
+ A permission policy protecting a Terraform-provisioning template looks like:
61
+ ```typescript
62
+ // packages/backend/src/plugins/permission.ts
63
+ if (
64
+ isPermission(request.permission, scaffolderTemplateRules.instantiateTemplate)
65
+ ) {
66
+ if (request.credentials.principal.type === 'user') {
67
+ const groups = await catalogClient.getEntities({
68
+ filter: { kind: 'Group', 'spec.members': request.credentials.principal.userEntityRef }
69
+ });
70
+ const isPlatformEngineer = groups.items.some(g => g.metadata.name === 'platform-engineers');
71
+ return { result: isPlatformEngineer ? AuthorizeResult.ALLOW : AuthorizeResult.DENY };
72
+ }
73
+ }
74
+ ```
75
+ If no policy like this exists for infrastructure-provisioning templates, flag as CRITICAL.
76
+
77
+ 6. **Assess integration secret scope**
78
+ Examine the Backstage `integrations:` config that the template's `publish:*` action uses:
79
+ ```yaml
80
+ # app-config.yaml
81
+ integrations:
82
+ github:
83
+ - host: github.com
84
+ token: ${GITHUB_TOKEN} # scope: repo (read/write all repos in org)
85
+ ```
86
+ A token with `repo` scope on all org repos means any template using `publish:github`
87
+ can write to any repo in the org. Prefer a scoped GitHub App with per-repo installation.
88
+
89
+ 7. **Review catalog:register usage**
90
+ ```yaml
91
+ steps:
92
+ - id: register
93
+ action: catalog:register
94
+ input:
95
+ repoContentsUrl: ${{ steps['publish'].output.repoContentsUrl }}
96
+ catalogInfoPath: '/catalog-info.yaml'
97
+ ```
98
+ If `catalogInfoPath` or the registered YAML content is user-controlled (not template-generated),
99
+ it can inject arbitrary `spec.owner`, `spec.lifecycle`, or `metadata.annotations` values
100
+ into the catalog — overwriting existing entities' ownership metadata. Flag as MEDIUM.
101
+
102
+ 8. **Inspect output stanza**
103
+ ```yaml
104
+ output:
105
+ links:
106
+ - title: Repository
107
+ url: ${{ steps['publish'].output.remoteUrl }}
108
+ # HIGH: do not surface generated credentials here
109
+ # - title: Database password
110
+ # url: ${{ steps['create-db'].output.password }}
111
+ ```
112
+ Any `output:` value that contains a generated password, API key, connection string,
113
+ or bearer token is a HIGH finding — it persists in the Backstage task log in plaintext.
114
+
115
+ 9. **Recommend the smallest safe action**
116
+ - Prefer narrowing input validation before adding RBAC, as validation is deploy-free.
117
+ - For RBAC gaps, provide the minimum permission policy snippet.
118
+ - If the safest action is to quarantine the template (mark it `spec.lifecycle: deprecated`
119
+ and alert the platform team), say that plainly.
120
+
121
+ ## Validation commands
122
+
123
+ ```bash
124
+ # List all templates in the catalog
125
+ kubectl get templates -n backstage --all-namespaces
126
+
127
+ # Inspect a specific template
128
+ kubectl get template <name> -n backstage -o yaml
129
+
130
+ # Check whether permission backend plugin is present
131
+ grep -r 'plugin-permission-backend' packages/backend/package.json
132
+
133
+ # List Backstage integrations config (sanitize before sharing)
134
+ grep -A5 'integrations:' app-config.yaml
135
+
136
+ # Enumerate templates with no permission policy annotation
137
+ kubectl get templates -A -o json | jq '.items[] | select(.metadata.annotations["backstage.io/permission-policy"] == null) | .metadata.name'
138
+ ```
139
+
140
+ ## Output contract
141
+
142
+ Return this structure:
143
+
144
+ ```markdown
145
+ # Backstage Scaffolder Template Review: <template-name>
146
+
147
+ ## Executive verdict
148
+ - Status: SAFE / SAFE WITH RISKS / NOT SAFE / NEEDS EVIDENCE
149
+ - Biggest risk:
150
+ - Evidence level:
151
+
152
+ ## Scope and assumptions
153
+ - Template name and owner:
154
+ - Backstage version:
155
+ - Permission backend installed:
156
+ - Confirmed:
157
+ - Unknown:
158
+ - Out of scope:
159
+
160
+ ## Findings
161
+
162
+ | Severity | Field / Step | Finding | Evidence | Why it matters | Minimum safe action |
163
+ |---|---|---|---|---|---|
164
+
165
+ ## Action blast radius summary
166
+
167
+ | Step ID | Action | Blast radius | RBAC gated? |
168
+ |---|---|---|---|
169
+
170
+ ## Recommended actions
171
+ 1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
172
+
173
+ ## Validation
174
+ - Commands or checks:
175
+ - Expected result:
176
+
177
+ ## Residual risk
178
+ - <risk or explicit none>
179
+ ```
package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md ADDED
@@ -0,0 +1,43 @@
1
+ ---
2
+ name: cert-manager-issuer-trust-review
3
+ description: Use this skill when reviewing cert-manager PKI configuration for Kubernetes clusters. Trigger when the user asks about Issuer or ClusterIssuer scope, CertificateRequestPolicy coverage, certificate SAN or duration risks, trust-manager bundle distribution, SPIFFE mesh CA integration, cert-manager webhook health, or cloud CA authentication method.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-05-05"
9
+ category: security
10
+ ---
11
+
12
+ # cert-manager Issuer Trust Review
13
+
14
+ ## Purpose
15
+
16
+ Review cert-manager Issuer and ClusterIssuer scope, CertificateRequestPolicy (approver-policy) authorization coverage, certificate SAN wildcard and duration risks, trust-manager CA bundle distribution blast radius, SPIFFE/service-mesh CA integration, and cloud-backed CA authentication method. cert-manager's security posture depends on whether namespace-scoped request authorization exists — without CertificateRequestPolicy, any namespace can issue a certificate for any DNS name from a shared ClusterIssuer.
17
+
18
+ ## Lean operating rules
19
+
20
+ - Prefer live evidence (`kubectl get clusterissuer,issuer -A -o yaml`, `kubectl get certificaterequestpolicy -o yaml`, `kubectl get certificate -A -o yaml`) when the active client exposes it; otherwise fall back to official cert-manager documentation and sanitized YAML from the user.
21
+ - Separate confirmed facts from inference. If CertificateRequestPolicy deployment, certificate health, or trust-manager bundle scope was not directly queried, say so.
22
+ - Treat no CertificateRequestPolicy deployed cluster-wide as a critical finding — any cert request in any namespace is auto-approved against any ClusterIssuer.
23
+ - Treat a ClusterIssuer backed by a corporate private CA with no namespace restriction via CertificateRequestPolicy as a high finding — any namespace can request corp-trusted certs.
24
+ - Treat Certificate `spec.dnsNames` containing wildcards like `*.internal.company.com` for a single microservice as a high finding — overly broad trust grants.
25
+ - Treat `spec.duration` exceeding 90 days for workload certs as a high finding; certs with `duration: 87600h` (10 years) are critical.
26
+ - Treat cert-manager-webhook in a degraded or failing state as a high finding — no new cert renewals can complete.
27
+ - Treat a trust-manager Bundle with no namespace selector distributing CA bundles to all namespaces as a medium finding unless intentionally cluster-wide.
28
+ - Keep the answer scoped, evidence-labeled, and explicit about what was not queried.
29
+
30
+ ## References
31
+
32
+ Load these only when needed:
33
+ - [Workflow and output contract](references/workflow-and-output.md)
34
+
35
+ ## Response minimum
36
+
37
+ Return, at minimum:
38
+ - the scoped target (ClusterIssuer, Issuer, Certificate, CertificateRequestPolicy, or trust-manager Bundle) and evidence level,
39
+ - the issuer type and backing CA (self-signed, ACME, AWS PCA, Azure Key Vault, Vault, etc.) and whether it is namespace-scoped or cluster-scoped,
40
+ - CertificateRequestPolicy presence and subject/issuer constraint coverage,
41
+ - certificate SAN scope and duration for any reviewed Certificate resources,
42
+ - trust-manager Bundle distribution scope,
43
+ - the safest next actions and any assumptions or blockers.
package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json ADDED
@@ -0,0 +1,22 @@
1
+ {
2
+ "id": "cert-manager-issuer-trust-review",
3
+ "name": "cert-manager Issuer Trust Review",
4
+ "type": "skill",
5
+ "provider": "cert-manager",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review cert-manager Issuer and ClusterIssuer scope, CertificateRequestPolicy (approver-policy) coverage, certificate SAN and duration risks, trust-manager bundle distribution, and cloud CA integration authentication for Kubernetes PKI posture.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://cert-manager.io/docs/",
11
+ "https://cert-manager.io/docs/concepts/certificate/",
12
+ "https://cert-manager.io/docs/concepts/issuer/",
13
+ "https://cert-manager.io/docs/projects/approver-policy/",
14
+ "https://cert-manager.io/docs/projects/trust-manager/",
15
+ "https://cert-manager.io/docs/configuration/"
16
+ ],
17
+ "security_notes": "A ClusterIssuer backed by a corporate Private CA with no CertificateRequestPolicy means any namespace can issue certs for any DNS name trusted by the corporate CA, enabling MITM against internal mTLS services.",
18
+ "last_verified": "2026-05-02",
19
+ "path": "skills/cert-manager/cert-manager-issuer-trust-review",
20
+ "author": "github: Raishin",
21
+ "version": "0.1.0"
22
+ }
package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,222 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Workflow
4
+
5
+ ### Step 1 — Identify scope and collect raw evidence
6
+
7
+ 1. Confirm the review target: a ClusterIssuer, a namespace-scoped Issuer, a Certificate resource, a CertificateRequestPolicy, or a trust-manager Bundle.
8
+ 2. List all issuers and their types:
9
+ ```bash
10
+ kubectl get clusterissuer -o yaml
11
+ kubectl get issuer -A -o yaml
12
+ ```
13
+ For each issuer, note the `spec` type: `acme`, `ca`, `selfSigned`, `vault`, `venafi`, `acmepca` (AWS), `azureKeyVault`.
14
+ 3. List all CertificateRequestPolicy resources (approver-policy CRD):
15
+ ```bash
16
+ kubectl get certificaterequestpolicy -o yaml
17
+ ```
18
+ If the CRD does not exist, approver-policy is not installed — all cert requests are auto-approved. Record this as a critical gap.
19
+ 4. List certificates with their issuers and SAN content:
20
+ ```bash
21
+ kubectl get certificate -A -o custom-columns=\
22
+ "NS:.metadata.namespace,NAME:.metadata.name,ISSUER:.spec.issuerRef.name,\
23
+ KIND:.spec.issuerRef.kind,DURATION:.spec.duration,DNS:.spec.dnsNames"
24
+ ```
25
+
26
+ ### Step 2 — Audit ClusterIssuer vs Issuer scope
27
+
28
+ 1. For every ClusterIssuer, determine what namespaces can reference it:
29
+ - A `ClusterIssuer` has no namespace — any Certificate in any namespace can reference it.
30
+ - An `Issuer` is namespace-scoped — only Certificates in the same namespace can reference it.
31
+ 2. For cloud-backed ClusterIssuers (AWS PCA, Azure Key Vault, Vault), check the authentication method:
32
+ ```bash
33
+ # AWS PCA ClusterIssuer — check for IRSA annotation
34
+ kubectl get clusterissuer <name> -o jsonpath='{.spec.acmepca}' 2>/dev/null
35
+ kubectl get serviceaccount -n cert-manager cert-manager -o jsonpath='{.metadata.annotations}'
36
+ ```
37
+ Flag as **HIGH** if the ClusterIssuer authenticates to a cloud CA using static credentials (AWS access key, Azure client secret) instead of workload identity (IRSA, Azure Workload Identity).
38
+ 3. Example of a safely scoped setup vs a risky setup:
39
+ ```yaml
40
+ # SAFE: Namespace-scoped Issuer, only one namespace can use it
41
+ apiVersion: cert-manager.io/v1
42
+ kind: Issuer
43
+ metadata:
44
+ name: internal-ca
45
+ namespace: payments
46
+ spec:
47
+ ca:
48
+ secretName: payments-ca-secret
49
+
50
+ # RISKY: ClusterIssuer for corporate CA with no request policy
51
+ apiVersion: cert-manager.io/v1
52
+ kind: ClusterIssuer
53
+ metadata:
54
+ name: corp-private-ca
55
+ spec:
56
+ acmepca:
57
+ arn: arn:aws:acm-pca:us-east-1:123456789:certificate-authority/abc
58
+ ```
59
+
60
+ ### Step 3 — Audit CertificateRequestPolicy coverage
61
+
62
+ CertificateRequestPolicy is the RBAC layer for PKI. Without it, any Certificate resource is auto-approved.
63
+
64
+ 1. Verify approver-policy is installed:
65
+ ```bash
66
+ kubectl get crd certificaterequestpolicies.policy.cert-manager.io
67
+ ```
68
+ If not found, record as **CRITICAL**: all certificate requests are auto-approved.
69
+ 2. For each CertificateRequestPolicy, inspect the subject constraints:
70
+ ```bash
71
+ kubectl get certificaterequestpolicy <name> -o yaml
72
+ ```
73
+ Check:
74
+ - `spec.allowed.dnsNames.values` — which DNS names the policy permits
75
+ - `spec.allowed.dnsNames.validations` — regex constraints on allowed names
76
+ - `spec.allowed.subject` — allowed subject distinguished names
77
+ - `spec.selector.issuerRef` — which issuers this policy covers
78
+ - `spec.selector.namespace` — which namespaces this policy governs
79
+ 3. Example of a correctly constrained CertificateRequestPolicy:
80
+ ```yaml
81
+ apiVersion: policy.cert-manager.io/v1alpha1
82
+ kind: CertificateRequestPolicy
83
+ metadata:
84
+ name: payments-internal-certs
85
+ spec:
86
+ allowed:
87
+ dnsNames:
88
+ values:
89
+ - "*.payments.svc.cluster.local"
90
+ validations:
91
+ - rule: self.endsWith('.payments.svc.cluster.local')
92
+ message: "DNS name must be in payments namespace service domain"
93
+ subject:
94
+ organizations:
95
+ values: ["payments-team"]
96
+ usages:
97
+ - "digital signature"
98
+ - "key encipherment"
99
+ - "server auth"
100
+ - "client auth"
101
+ selector:
102
+ issuerRef:
103
+ name: corp-private-ca
104
+ kind: ClusterIssuer
105
+ group: cert-manager.io
106
+ namespace:
107
+ matchLabels:
108
+ team: payments
109
+ ```
110
+ 4. Flag as **CRITICAL** if no CertificateRequestPolicy restricts a ClusterIssuer backed by a corporate or cloud CA.
111
+ 5. Flag as **HIGH** if a CertificateRequestPolicy allows `dnsNames` with a wildcard that covers high-value internal FQDNs (e.g., `*.internal.company.com`).
112
+
113
+ ### Step 4 — Audit Certificate SAN and duration
114
+
115
+ 1. For each Certificate, review `spec.dnsNames` for excessive scope:
116
+ ```bash
117
+ kubectl get certificate -A -o yaml | grep -A 5 "dnsNames"
118
+ ```
119
+ 2. Flag as **HIGH** any Certificate where a single microservice's cert includes:
120
+ - `*.internal.company.com` (covers all internal services)
121
+ - `*.svc.cluster.local` (covers all cluster services)
122
+ 3. Review certificate duration and renewal:
123
+ ```bash
124
+ kubectl get certificate -A -o custom-columns=\
125
+ "NAME:.metadata.name,DURATION:.spec.duration,RENEW:.spec.renewBefore,READY:.status.conditions[0].status"
126
+ ```
127
+ - Flag as **HIGH** if `duration` exceeds `8760h` (1 year) for workload certs.
128
+ - Flag as **CRITICAL** if `duration` is `87600h` (10 years) or similar for workload certs.
129
+ - Flag as **MEDIUM** if `renewBefore` is not set or is less than 1/3 of `duration`.
130
+ 4. Verify certificate readiness:
131
+ ```bash
132
+ kubectl get certificate -A | grep -v "True"
133
+ ```
134
+ Any certificate not in `Ready=True` state that is approaching expiry is a **HIGH** finding.
135
+
136
+ ### Step 5 — Audit cert-manager webhook health
137
+
138
+ A failing cert-manager webhook blocks all new certificate issuance and renewals.
139
+
140
+ 1. Check webhook pod health:
141
+ ```bash
142
+ kubectl get pods -n cert-manager
143
+ kubectl describe deployment cert-manager-webhook -n cert-manager
144
+ ```
145
+ 2. Check webhook configuration:
146
+ ```bash
147
+ kubectl get validatingwebhookconfiguration cert-manager-webhook -o yaml | grep -A 5 "failurePolicy"
148
+ ```
149
+ `failurePolicy: Fail` means a webhook outage blocks all cert operations. `failurePolicy: Ignore` means webhook failures are skipped — cert validation is bypassed.
150
+ 3. Check for recent CertificateRequest failures:
151
+ ```bash
152
+ kubectl get certificaterequest -A | grep -v "True"
153
+ kubectl describe certificaterequest -A | grep -A 5 "Reason:"
154
+ ```
155
+ 4. Flag as **HIGH** if the cert-manager-webhook deployment has unavailable replicas and any certificates are approaching expiry within 30 days.
156
+
157
+ ### Step 6 — Audit trust-manager Bundle distribution
158
+
159
+ 1. List trust-manager Bundles:
160
+ ```bash
161
+ kubectl get bundle -o yaml
162
+ kubectl get configmapbundle -o yaml 2>/dev/null
163
+ ```
164
+ 2. For each Bundle, check the target namespace selector:
165
+ ```yaml
166
+ # RISKY: no namespaceSelector distributes to all namespaces
167
+ spec:
168
+ target:
169
+ configMap:
170
+ key: "bundle.pem"
171
+ namespaceSelector: {} # matches all namespaces
172
+
173
+ # SAFE: explicit namespace label selector
174
+ spec:
175
+ target:
176
+ configMap:
177
+ key: "bundle.pem"
178
+ namespaceSelector:
179
+ matchLabels:
180
+ cert-manager.io/trust-bundle: "enabled"
181
+ ```
182
+ 3. Flag as **MEDIUM** if a Bundle distributes a corporate or cloud CA bundle to all namespaces without a restrictive namespace selector — untrusted workloads receive the CA and can potentially use it for internal service impersonation if combined with a cert issuance gap.
183
+
184
+ ### Step 7 — Audit SPIFFE / service mesh CA integration
185
+
186
+ 1. Check if cert-manager is serving as the Istio CA via istio-csr:
187
+ ```bash
188
+ kubectl get pods -n istio-system | grep cert-manager
189
+ kubectl get cm istio -n istio-system -o yaml | grep caAddress
190
+ ```
191
+ 2. If cert-manager feeds the mesh trust domain, the ClusterIssuer it references is the root of trust for all SPIFFE SVIDs in the mesh.
192
+ - A compromised ClusterIssuer in this scenario allows forging any SPIFFE SVID for any mesh workload.
193
+ - Flag as **HIGH** if the mesh CA ClusterIssuer uses a shared corporate private CA without CertificateRequestPolicy constraints on the istio-csr service account.
194
+ 3. For Linkerd:
195
+ ```bash
196
+ kubectl get secret linkerd-identity-issuer -n linkerd -o yaml | grep -v "^ tls"
197
+ ```
198
+ Verify the issuer cert expiry is managed by cert-manager and has a `renewBefore` set.
199
+
200
+ ## Output
201
+
202
+ Return:
203
+
204
+ - **target**: ClusterIssuer/Issuer names, Certificate references, or CertificateRequestPolicy names, with evidence source,
205
+ - **evidence level**: `live evidence` / `documentation-based` / `sanitized user evidence` / `inference`,
206
+ - **issuer scope**: namespace-scoped Issuer or cluster-wide ClusterIssuer, backing CA type, authentication method (workload identity vs static credentials),
207
+ - **CertificateRequestPolicy coverage**: present/absent, constrained issuers, allowed DNS names scope, namespace selector,
208
+ - **certificate SAN and duration audit**: wildcard SAN findings, duration exceeding recommended thresholds, renewBefore settings,
209
+ - **webhook health**: cert-manager-webhook pod state, failurePolicy, any CertificateRequest failures,
210
+ - **trust-manager posture**: Bundle distribution scope, namespace selector presence,
211
+ - **mesh integration**: whether cert-manager feeds a mesh CA and the blast radius of that issuer,
212
+ - **risk findings** (with severity: critical / high / medium / low),
213
+ - **safest next actions** with sample YAML,
214
+ - **assumptions and missing facts**.
215
+
216
+ ## Security notes
217
+
218
+ - Never recommend removing CertificateRequestPolicy to unblock a blocked cert request — the correct path is to add an appropriate policy.
219
+ - Never request or print CA private key contents, PKCS#12 bundles, Vault tokens, or AWS credentials.
220
+ - A ClusterIssuer backed by a corporate Private CA with no CertificateRequestPolicy is equivalent to an open PKI endpoint — any namespace can issue trusted certs for any FQDN.
221
+ - Always confirm approver-policy CRD presence before concluding that cert requests are constrained.
222
+ - cert-manager `failurePolicy: Ignore` on the webhook means the webhook can be bypassed — verify this is not used in production cert issuance paths for sensitive CAs.
package/skills/cilium/README.md ADDED
@@ -0,0 +1,30 @@
1
+ # 🐝 Cilium Skills
2
+
3
+ <p align="center">
4
+ <!-- 🖼️ Add a Cilium logo to assets/logos/cnative/cilium/ and update this path -->
5
+ <span style="font-size:3.5em">🐝</span>
6
+ </p>
7
+
8
+ This folder contains Cilium-focused skills curated for this marketplace.
9
+
10
+ ## Local marketplace portfolio
11
+
12
+ This folder contains **1** local Cilium skill:
13
+
14
+ - `cilium-network-policy-review`
15
+
16
+ ## Portfolio posture
17
+
18
+ Cilium skills for evidence-backed eBPF networking review covering the three policy formats (`NetworkPolicy`, `CiliumNetworkPolicy`, `CiliumClusterwideNetworkPolicy`), L7 policy via embedded Envoy, ClusterMesh cross-cluster semantics, Hubble flow observability, and `CiliumEgressGatewayPolicy` for SNAT egress.
19
+
20
+ These skills are intentionally conservative:
21
+
22
+ - prefer `kubectl get networkpolicies,ciliumnetworkpolicies,ciliumclusterwidenetworkpolicies,ciliumegressgatewaypolicies -A -o yaml` for live policy state grounding before any review
23
+ - treat **removal of a default-deny `NetworkPolicy`** as a critical finding — pods become reachable from any source/destination
24
+ - challenge `CiliumNetworkPolicy` egress with `toCIDRSet: [0.0.0.0/0]` — unrestricted egress = data exfiltration path
25
+ - challenge `policy-default-local-cluster` flag changes in ClusterMesh — cross-cluster policy semantics change globally for every existing policy
26
+ - challenge `CiliumEgressGatewayPolicy` IP collisions — two policies SNATing to the same IP cause silent connection breakage
27
+ - prefer `cilium clustermesh inspect-policy-default-local-cluster` before any flag flip — it lists every policy that would change behavior
28
+ - use official Cilium documentation (docs.cilium.io) for policy syntax, CRD versions, ClusterMesh setup, and L7 policy semantics
29
+
30
+ Run `npm run validate` after changing cataloged Cilium skills.