@raishin/vanguard-frontier-agentic 1.2.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (561)
  1. package/README.md +250 -110
  2. package/agents/AGENTS.md +263 -21
  3. package/agents/argocd/README.md +46 -0
  4. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
  5. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
  6. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
  7. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
  8. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
  9. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
  10. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
  11. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
  12. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
  13. package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
  14. package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
  15. package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
  16. package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
  17. package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
  18. package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
  19. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
  20. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
  21. package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
  22. package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
  23. package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
  24. package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
  25. package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
  26. package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
  27. package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
  28. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  29. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
  30. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  31. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  32. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  33. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  34. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  35. package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
  36. package/agents/azure/README.md +45 -0
  37. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
  38. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  39. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
  40. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  41. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  42. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  43. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  44. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  45. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
  46. package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +10 -1
  47. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +10 -1
  48. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +10 -1
  49. package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +10 -1
  50. package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
  51. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
  52. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
  53. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
  54. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
  55. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
  56. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  57. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  58. package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
  59. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +10 -1
  60. package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +11 -2
  61. package/agents/backstage/README.md +36 -0
  62. package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
  63. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
  64. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
  65. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
  66. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
  67. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
  68. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
  69. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
  70. package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
  71. package/agents/cert-manager/README.md +46 -0
  72. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
  73. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
  74. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
  75. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
  76. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
  77. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
  78. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
  79. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
  80. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
  81. package/agents/cilium/README.md +46 -0
  82. package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
  83. package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  84. package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
  85. package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
  86. package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
  87. package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
  88. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  89. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  90. package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
  91. package/agents/falco/README.md +36 -0
  92. package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
  93. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
  94. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
  95. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
  96. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
  97. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
  98. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
  99. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
  100. package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
  101. package/agents/finops/README.md +27 -0
  102. package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +10 -1
  103. package/agents/fluxcd/README.md +39 -0
  104. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
  105. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
  106. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
  107. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
  108. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
  109. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
  110. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
  111. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
  112. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
  113. package/agents/istio/README.md +46 -0
  114. package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
  115. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
  116. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
  117. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
  118. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
  119. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
  120. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
  122. package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
  123. package/agents/kubernetes/README.md +143 -0
  124. package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
  125. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
  126. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
  127. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
  128. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
  129. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
  130. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
  131. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
  132. package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
  133. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
  134. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
  135. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
  136. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
  137. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
  138. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
  139. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
  140. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
  141. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
  142. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
  143. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  144. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
  145. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  146. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  147. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  148. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  149. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  150. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +37 -0
  151. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
  152. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
  153. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
  154. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
  155. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
  156. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
  157. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  158. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  159. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +37 -0
  160. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
  161. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  162. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
  163. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  164. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  165. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  166. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  167. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  168. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +37 -0
  169. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
  170. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  171. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
  172. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  173. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  174. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  175. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  176. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  177. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +37 -0
  178. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
  179. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
  180. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
  181. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
  182. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
  183. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
  184. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  185. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  186. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
  187. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
  188. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
  189. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
  190. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
  191. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
  192. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
  193. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  194. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
  195. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +38 -0
  196. package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
  197. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
  198. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
  199. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
  200. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
  201. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
  202. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  203. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  204. package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
  205. package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
  206. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
  207. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
  208. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
  209. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
  210. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
  211. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
  212. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
  213. package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
  214. package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
  215. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
  216. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
  217. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
  218. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
  219. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
  220. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
  221. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
  222. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +38 -0
  223. package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
  224. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
  225. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
  226. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
  227. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
  228. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
  229. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
  230. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
  231. package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
  232. package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
  233. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
  234. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
  235. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
  236. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
  237. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
  238. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
  239. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
  240. package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
  241. package/agents/kyverno/README.md +46 -0
  242. package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
  243. package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  244. package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
  245. package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
  246. package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
  247. package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
  248. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  249. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  250. package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
  251. package/agents/oci/README.md +45 -0
  252. package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
  253. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  254. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
  255. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  256. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  257. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  258. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  259. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  260. package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
  261. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +11 -2
  262. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +11 -2
  263. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +10 -1
  264. package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
  265. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
  266. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
  267. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
  268. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
  269. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
  270. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  271. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  272. package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
  273. package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +11 -2
  274. package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +10 -1
  275. package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +10 -1
  276. package/agents/opentelemetry/README.md +37 -0
  277. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
  278. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
  279. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
  280. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
  281. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
  282. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
  283. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
  284. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
  285. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
  286. package/agents/prometheus/README.md +36 -0
  287. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
  288. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
  289. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
  290. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
  291. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
  292. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
  293. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
  294. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
  295. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
  296. package/agents/sigstore/README.md +38 -0
  297. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
  298. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
  299. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
  300. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
  301. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
  302. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
  303. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
  304. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
  305. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
  306. package/agents/terraform/README.md +29 -0
  307. package/agents/terraform/terraform-reviewer/AGENT.md +2 -1
  308. package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
  309. package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
  310. package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
  311. package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
  312. package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
  313. package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
  314. package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
  315. package/agents/terraform/terraform-reviewer/metadata.json +10 -1
  316. package/agents/velero/README.md +41 -0
  317. package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
  318. package/catalog/agents.json +1452 -634
  319. package/catalog/install-roles.json +455 -0
  320. package/catalog/skill-manifest.json +1089 -335
  321. package/catalog/skills.json +1298 -528
  322. package/package.json +32 -3
  323. package/schemas/AGENTS.md +14 -0
  324. package/schemas/agent.frontmatter.schema.json +89 -0
  325. package/schemas/agent.schema.json +8 -0
  326. package/schemas/skill.frontmatter.schema.json +95 -0
  327. package/scripts/apply-skill-allowed-tools.py +142 -0
  328. package/scripts/backfill-skill-metadata.py +410 -0
  329. package/scripts/export-marketplace-agents.mjs +275 -9
  330. package/scripts/update-catalog-new-agents.py +88 -0
  331. package/skills/argocd/README.md +30 -0
  332. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +43 -0
  333. package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
  334. package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
  335. package/skills/argocd/argocd-gitops-review/SKILL.md +46 -0
  336. package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
  337. package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
  338. package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
  339. package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
  340. package/skills/aws/README.md +3 -1
  341. package/skills/aws/aws-agentcore/SKILL.md +3 -0
  342. package/skills/aws/aws-api-edge-delivery-review/SKILL.md +3 -0
  343. package/skills/aws/aws-bedrock-agent-security-governor/SKILL.md +3 -0
  344. package/skills/aws/aws-change-impact-advisor/SKILL.md +3 -0
  345. package/skills/aws/aws-ci-cd-release-engineer/SKILL.md +3 -0
  346. package/skills/aws/aws-compliance-evidence-mapper/SKILL.md +3 -0
  347. package/skills/aws/aws-cost-anomaly-watch-coordinator/SKILL.md +3 -0
  348. package/skills/aws/aws-cost-optimization-governor/SKILL.md +3 -0
  349. package/skills/aws/aws-daily-operations-briefing-coordinator/SKILL.md +3 -0
  350. package/skills/aws/aws-data-protection-backup-steward/SKILL.md +3 -0
  351. package/skills/aws/aws-deployment-hotfix-operator/SKILL.md +3 -0
  352. package/skills/aws/aws-devops-agent-skill-designer/SKILL.md +3 -0
  353. package/skills/aws/aws-dynamodb-data-modeling-performance-review/SKILL.md +3 -0
  354. package/skills/aws/aws-ec2-compute-operations-steward/SKILL.md +3 -0
  355. package/skills/aws/aws-ecs-fargate-platform-operator/SKILL.md +3 -0
  356. package/skills/aws/aws-ecs-service-remediation-operator/SKILL.md +3 -0
  357. package/skills/aws/aws-eks-platform-operator/SKILL.md +3 -0
  358. package/skills/aws/aws-event-driven-architecture-review/SKILL.md +3 -0
  359. package/skills/aws/aws-generative-ai-developer/SKILL.md +3 -0
  360. package/skills/aws/aws-iac-change-safety-review/SKILL.md +3 -0
  361. package/skills/aws/aws-iac-patch-executor/SKILL.md +3 -0
  362. package/skills/aws/aws-iam-least-privilege-review/SKILL.md +3 -0
  363. package/skills/aws/aws-kms-secrets-lifecycle-steward/SKILL.md +3 -0
  364. package/skills/aws/aws-landing-zone-governor/SKILL.md +3 -0
  365. package/skills/aws/aws-live-deployment-guarded-operator/SKILL.md +3 -0
  366. package/skills/aws/aws-live-ecs-rollout-guard/SKILL.md +3 -0
  367. package/skills/aws/aws-live-iac-change-guard/SKILL.md +3 -0
  368. package/skills/aws/aws-live-pipeline-approval-operator/SKILL.md +3 -0
  369. package/skills/aws/aws-live-serverless-release-guard/SKILL.md +3 -0
  370. package/skills/aws/aws-maestro/SKILL.md +3 -0
  371. package/skills/aws/aws-maestro/references/workflow-and-output.md +2 -0
  372. package/skills/aws/aws-migration-cutover-architect/SKILL.md +3 -0
  373. package/skills/aws/aws-network-architect/SKILL.md +3 -0
  374. package/skills/aws/aws-non-destructive-task-automation-advisor/SKILL.md +3 -0
  375. package/skills/aws/aws-observability-incident-responder/SKILL.md +3 -0
  376. package/skills/aws/aws-pipeline-fix-operator/SKILL.md +3 -0
  377. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +42 -0
  378. package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
  379. package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
  380. package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
  381. package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
  382. package/skills/aws/aws-rds-aurora-performance-investigator/SKILL.md +3 -0
  383. package/skills/aws/aws-resilience-bcdr-review/SKILL.md +3 -0
  384. package/skills/aws/aws-s3-data-perimeter-governor/SKILL.md +3 -0
  385. package/skills/aws/aws-security-posture-hardening/SKILL.md +3 -0
  386. package/skills/aws/aws-serverless-production-readiness/SKILL.md +3 -0
  387. package/skills/aws/aws-serverless-rollout-corrector/SKILL.md +3 -0
  388. package/skills/aws/aws-solution-architect/SKILL.md +3 -0
  389. package/skills/aws/aws-ticket-triage-escalation-coordinator/SKILL.md +3 -0
  390. package/skills/azure/README.md +3 -1
  391. package/skills/azure/azure-ai-foundry-ops-governor/SKILL.md +3 -0
  392. package/skills/azure/azure-aks-platform-operator/SKILL.md +3 -0
  393. package/skills/azure/azure-app-service-production-readiness/SKILL.md +3 -0
  394. package/skills/azure/azure-cosmosdb-application-developer/SKILL.md +3 -0
  395. package/skills/azure/azure-cosmosdb-performance-investigator/SKILL.md +3 -0
  396. package/skills/azure/azure-cosmosdb-platform-operator/SKILL.md +3 -0
  397. package/skills/azure/azure-cost-estimation-review/SKILL.md +3 -0
  398. package/skills/azure/azure-cost-optimization-governor/SKILL.md +3 -0
  399. package/skills/azure/azure-entra-id-specialist/SKILL.md +3 -0
  400. package/skills/azure/azure-governance-policy-guardrails/SKILL.md +3 -0
  401. package/skills/azure/azure-identity-governance-review/SKILL.md +3 -0
  402. package/skills/azure/azure-key-vault-secret-lifecycle-auditor/SKILL.md +3 -0
  403. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +40 -0
  404. package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
  405. package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
  406. package/skills/azure/azure-landing-zone-architect/SKILL.md +3 -0
  407. package/skills/azure/azure-live-aks-rollout-guard/SKILL.md +3 -0
  408. package/skills/azure/azure-live-app-service-slot-swap-guard/SKILL.md +3 -0
  409. package/skills/azure/azure-live-arm-deployment-stack-guard/SKILL.md +3 -0
  410. package/skills/azure/azure-live-cost-budget-action-guard/SKILL.md +3 -0
  411. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +59 -0
  412. package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
  413. package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
  414. package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
  415. package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
  416. package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
  417. package/skills/azure/azure-live-keyvault-rotation-purge-guard/SKILL.md +3 -0
  418. package/skills/azure/azure-live-pim-jit-activation-guard/SKILL.md +3 -0
  419. package/skills/azure/azure-maestro/SKILL.md +3 -0
  420. package/skills/azure/azure-migrate-landing-zone-cutover/SKILL.md +3 -0
  421. package/skills/azure/azure-network-topology-review/SKILL.md +3 -0
  422. package/skills/azure/azure-observability-investigator/SKILL.md +3 -0
  423. package/skills/azure/azure-platform-automation-devops/SKILL.md +3 -0
  424. package/skills/azure/azure-private-endpoint-adoption-planner/SKILL.md +3 -0
  425. package/skills/azure/azure-rbac-review/SKILL.md +3 -0
  426. package/skills/azure/azure-resilience-bcdr-review/SKILL.md +3 -0
  427. package/skills/azure/azure-resource-health-incident-triage/SKILL.md +3 -0
  428. package/skills/azure/azure-role-selector/SKILL.md +3 -0
  429. package/skills/azure/azure-security-posture-hardening/SKILL.md +3 -0
  430. package/skills/azure/azure-subscription-resource-organization/SKILL.md +3 -0
  431. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +42 -0
  432. package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
  433. package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
  434. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +43 -0
  435. package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
  436. package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
  437. package/skills/cilium/README.md +30 -0
  438. package/skills/cilium/cilium-network-policy-review/SKILL.md +46 -0
  439. package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
  440. package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
  441. package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
  442. package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
  443. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +40 -0
  444. package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
  445. package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
  446. package/skills/finops/README.md +30 -0
  447. package/skills/finops/finops-cloud-price-advisor/SKILL.md +3 -0
  448. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +43 -0
  449. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
  450. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
  451. package/skills/istio/README.md +28 -0
  452. package/skills/istio/istio-ambient-mesh-review/SKILL.md +46 -0
  453. package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
  454. package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
  455. package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
  456. package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
  457. package/skills/kubernetes/README.md +30 -0
  458. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +40 -0
  459. package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
  460. package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
  461. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +43 -0
  462. package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
  463. package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
  464. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +60 -0
  465. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
  466. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
  467. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
  468. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
  469. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
  470. package/skills/kubernetes/kubernetes-maestro/SKILL.md +48 -0
  471. package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
  472. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
  473. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
  474. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +46 -0
  475. package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
  476. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
  477. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
  478. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
  479. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +41 -0
  480. package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
  481. package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
  482. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +41 -0
  483. package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
  484. package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
  485. package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
  486. package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
  487. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +46 -0
  488. package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
  489. package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
  490. package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
  491. package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
  492. package/skills/kyverno/README.md +30 -0
  493. package/skills/kyverno/kyverno-policy-review/SKILL.md +46 -0
  494. package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
  495. package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
  496. package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
  497. package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
  498. package/skills/oci/README.md +63 -0
  499. package/skills/oci/oci-autonomous-database-architect/SKILL.md +3 -0
  500. package/skills/oci/oci-certificates-issuer-review/SKILL.md +40 -0
  501. package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
  502. package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
  503. package/skills/oci/oci-cloud-guard-responder/SKILL.md +3 -0
  504. package/skills/oci/oci-compute-instance-agent-operator/SKILL.md +3 -0
  505. package/skills/oci/oci-compute-platform-operator/SKILL.md +3 -0
  506. package/skills/oci/oci-cost-finops-analyst/SKILL.md +3 -0
  507. package/skills/oci/oci-database-platform-dba/SKILL.md +3 -0
  508. package/skills/oci/oci-dbtools-sql-analyst/SKILL.md +3 -0
  509. package/skills/oci/oci-devops-container-platform-engineer/SKILL.md +3 -0
  510. package/skills/oci/oci-exadata-database-architect/SKILL.md +3 -0
  511. package/skills/oci/oci-exadata-platform-architect/SKILL.md +3 -0
  512. package/skills/oci/oci-fusion-apps-environment-operator/SKILL.md +3 -0
  513. package/skills/oci/oci-goldengate-replication-operator/SKILL.md +3 -0
  514. package/skills/oci/oci-identity-access-governor/SKILL.md +3 -0
  515. package/skills/oci/oci-iot-digital-twin-engineer/SKILL.md +3 -0
  516. package/skills/oci/oci-limits-capacity-planner/SKILL.md +3 -0
  517. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/SKILL.md +3 -0
  518. package/skills/oci/oci-live-cost-budget-runaway-guard/SKILL.md +3 -0
  519. package/skills/oci/oci-live-iam-policy-compartment-guard/SKILL.md +3 -0
  520. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +60 -0
  521. package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
  522. package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
  523. package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
  524. package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
  525. package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
  526. package/skills/oci/oci-live-oke-rollout-guard/SKILL.md +3 -0
  527. package/skills/oci/oci-live-resource-manager-stack-guard/SKILL.md +3 -0
  528. package/skills/oci/oci-live-vault-key-destruction-guard/SKILL.md +3 -0
  529. package/skills/oci/oci-load-balancer-traffic-engineer/SKILL.md +3 -0
  530. package/skills/oci/oci-maestro/SKILL.md +3 -0
  531. package/skills/oci/oci-migration-cutover-architect/SKILL.md +3 -0
  532. package/skills/oci/oci-multi-cloud-architect/SKILL.md +3 -0
  533. package/skills/oci/oci-mysql-heatwave-ai-specialist/SKILL.md +3 -0
  534. package/skills/oci/oci-network-architect/SKILL.md +3 -0
  535. package/skills/oci/oci-observability-incident-responder/SKILL.md +3 -0
  536. package/skills/oci/oci-recovery-service-operator/SKILL.md +3 -0
  537. package/skills/oci/oci-registry-artifact-governor/SKILL.md +3 -0
  538. package/skills/oci/oci-resource-search-inventory-analyst/SKILL.md +3 -0
  539. package/skills/oci/oci-security-compliance-reviewer/SKILL.md +3 -0
  540. package/skills/oci/oci-solution-architect/SKILL.md +3 -0
  541. package/skills/oci/oci-storage-backup-steward/SKILL.md +3 -0
  542. package/skills/oci/oci-support-incident-coordinator/SKILL.md +3 -0
  543. package/skills/oci/oracle-oci-mcp-grounded-advisor/SKILL.md +3 -0
  544. package/skills/opentelemetry/README.md +31 -0
  545. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +47 -0
  546. package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
  547. package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
  548. package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
  549. package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
  550. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +41 -0
  551. package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
  552. package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
  553. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +42 -0
  554. package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
  555. package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
  556. package/skills/terraform/README.md +29 -0
  557. package/skills/terraform/terraform-maestro/SKILL.md +3 -0
  558. package/skills/velero/velero-backup-restore-guard/SKILL.md +44 -0
  559. package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
  560. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
  561. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
@@ -0,0 +1,30 @@
1
+ # ☸️ Kubernetes Skills
2
+
3
+ <p align="center">
4
+ <!-- 🖼️ Add a Kubernetes logo to assets/logos/cloud/kubernetes/ and update this path -->
5
+ <span style="font-size:3.5em">☸️</span>
6
+ </p>
7
+
8
+ This folder contains Kubernetes-focused skills curated for this marketplace.
9
+
10
+ ## Local marketplace portfolio
11
+
12
+ This folder contains **2** local Kubernetes skills:
13
+
14
+ - `kubernetes-rbac-review`
15
+ - `kubernetes-live-rbac-mutation-guard`
16
+
17
+ ## Portfolio posture
18
+
19
+ Kubernetes skills for evidence-backed RBAC review and guarded live cluster mutation.
20
+
21
+ These skills are intentionally conservative:
22
+
23
+ - prefer `kubectl auth can-i` and `kubectl get ... -o yaml` for live state grounding before any review or mutation
24
+ - capture the full current RBAC object state before every write — RBAC is additive with no built-in undo
25
+ - treat `escalate`, `bind`, and `impersonate` verbs as hard stops requiring platform-team sign-off
26
+ - never approve wildcard verb/resource grants (`verbs: ["*"]` or `resources: ["*"]`) without CISO-level justification
27
+ - always assess cluster-scope vs namespace-scope necessity — prefer a Role over a ClusterRole when namespace scope is sufficient
28
+ - use official Kubernetes documentation for RBAC behavior and policy
29
+
30
+ Run `npm run validate` after changing cataloged Kubernetes skills.
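Review bot: the count "This folder contains **2** local Kubernetes skills" and the two-item list are already stale within this same release: the changed-files list above adds `external-secrets-operator-review`, `kubecost-chargeback-allocation-review`, `kubernetes-maestro`, `kubernetes-pod-security-admission-review`, `kubernetes-pod-spec-review` and `kubernetes-workload-identity-review` under `skills/kubernetes/`, so the README should list all eight, or be generated from `catalog/skills.json` so a hand-maintained count does not drift every release. The "Portfolio posture" bullets are RBAC-only for the same reason and no longer describe the folder. Minor: the `<!-- 🖼️ Add a Kubernetes logo ... -->` TODO ships in a published package README; either add the logo now or drop the comment.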
@@ -0,0 +1,40 @@
1
+ ---
2
+ name: external-secrets-operator-review
3
+ description: Use this skill when reviewing External Secrets Operator (ESO) configuration, including SecretStore, ClusterSecretStore, ExternalSecret, and PushSecret resources. Trigger when a user provides ESO YAML manifests, asks about secret rotation interval compliance, questions whether ClusterSecretStore scope is too broad, or wants to audit the auth method used to reach an external secret store (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, 1Password).
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-05-05"
9
+ category: security
10
+ ---
11
+
12
+ # External Secrets Operator Review
13
+
14
+ ## Purpose
15
+ This skill reviews External Secrets Operator configuration for access scope creep, authentication anti-patterns, secret refresh interval compliance, dataFrom blast radius, template misconfiguration, and PushSecret privilege escalation. ESO is a trust bridge between your cluster and your external secret store — a misconfigured ClusterSecretStore or a broad `dataFrom.find` regex can expose every credential in your vault to every namespace, silently, with no audit trail.
16
+
17
+ ## Lean operating rules
18
+ - Treat any `ClusterSecretStore` that lacks a `namespaceSelector` or `namespaces` restriction as HIGH — it grants every namespace in the cluster the ability to reference external secrets through that store.
19
+ - Treat `dataFrom.find` with a regex that matches more than a single defined secret path prefix (e.g., `name.regexp: .*` or `path: /`) as HIGH — it pulls all matching secrets from the external store into one K8s Secret, creating an enormous blast radius if the Secret is mounted or leaked.
20
+ - Treat static credentials in `SecretStore.spec.provider.*.auth.secretRef` (a K8s Secret holding external store credentials) as HIGH — this is a credential-to-access-credentials anti-pattern; prefer IRSA, Azure Workload Identity, GCP Workload Identity, or Vault Kubernetes auth.
21
+ - Treat `refreshInterval` greater than 24 hours on any credential that has an external rotation policy shorter than the interval as MEDIUM — the cluster will use a stale, already-rotated secret until the next sync, breaking the workload.
22
+ - Treat `target.creationPolicy: Owner` without a documented backup or recreation procedure as MEDIUM — accidental deletion of the ExternalSecret deletes the managed K8s Secret, crashing workloads that mount it.
23
+ - Treat `PushSecret` resources with auth scoped to write-all on a store path as HIGH — PushSecret's write path requires elevated permissions; verify the auth scope is minimum-necessary.
24
+ - Flag `target.template` misconfigurations that could silently omit required secret keys — a partial K8s Secret causes workload startup failures or silent use of zero-value credentials.
25
+ - Do not recommend disabling `refreshInterval` entirely (`refreshInterval: 0`) — that disables automatic rotation pickup.
26
+
27
+ ## References
28
+ Load these only when needed:
29
+ - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review or formatting the final answer.
30
+
31
+ ## Response minimum
32
+ Return, at minimum:
33
+ - SecretStore vs ClusterSecretStore scope assessment (namespace selector coverage)
34
+ - Authentication method findings (IRSA/workload-identity vs static credentials)
35
+ - dataFrom scope audit (find regex blast radius, extract path coverage)
36
+ - refreshInterval compliance findings
37
+ - target.creationPolicy and template correctness findings
38
+ - PushSecret privilege assessment (if present)
39
+ - Severity-labelled finding list (critical / high / medium / low)
40
+ - Safe next actions
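Review bot: the refresh-interval rule keys on a fixed threshold ("`refreshInterval` greater than 24 hours on any credential that has an external rotation policy shorter than the interval") and so misses the common case where the interval is under 24h but still longer than the rotation window, for example the ESO default `1h` against a 15-minute database rotation; state the rule relative to the rotation period only ("`refreshInterval` longer than the credential's external rotation period") and let the severity follow from the gap. Also, the frontmatter `updated: "2026-05-05"` is later than this skill's `"last_verified": "2026-05-02"` in the metadata.json hunk of the same diff; pick a single source for the date so the catalog and the skill do not disagree.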
@@ -0,0 +1,22 @@
1
+ {
2
+ "id": "external-secrets-operator-review",
3
+ "name": "External Secrets Operator Review",
4
+ "type": "skill",
5
+ "provider": "kubernetes",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review ESO SecretStore, ClusterSecretStore, ExternalSecret, and PushSecret for scope creep, auth anti-patterns, refresh interval risks, and dataFrom blast radius.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://external-secrets.io/latest/introduction/overview/",
11
+ "https://external-secrets.io/latest/api/secretstore/",
12
+ "https://external-secrets.io/latest/api/externalsecret/",
13
+ "https://external-secrets.io/latest/api/clustersecretstore/",
14
+ "https://external-secrets.io/latest/provider/aws-secrets-manager/",
15
+ "https://external-secrets.io/latest/provider/azure-key-vault/"
16
+ ],
17
+ "security_notes": "ClusterSecretStore with no namespace selector grants every namespace access to every external secret reachable by the store credentials. Static credentials in SecretStore auth create a credential-to-access-credentials chain where compromise of the K8s Secret gives full access to the external store.",
18
+ "last_verified": "2026-05-02",
19
+ "path": "skills/kubernetes/external-secrets-operator-review",
20
+ "author": "github: Raishin",
21
+ "version": "0.1.0"
22
+ }
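Review bot: `official_docs` lists only the AWS Secrets Manager and Azure Key Vault provider pages, while the `summary` and the SKILL.md description put GCP Secret Manager, HashiCorp Vault and 1Password in scope and the review covers `PushSecret`; add the matching provider pages and the PushSecret API page so the sources actually back every provider the skill claims to review. `last_verified` (2026-05-02) also predates the SKILL.md `updated` date (2026-05-05). Style: `harnesses` includes `"other"`, which names no harness; confirm `schemas/skill.frontmatter.schema.json` added in this release accepts that value before it lands in `catalog/skills.json`.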
@@ -0,0 +1,280 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Workflow
4
+
5
+ ### Step 1 — Collect inputs
6
+
7
+ Ask the user to provide one or more of the following as sanitized YAML snippets (no real ARNs with account IDs, no actual secret values, no real tenant IDs or vault addresses that identify their environment):
8
+ - `SecretStore` or `ClusterSecretStore` manifest(s)
9
+ - `ExternalSecret` manifest(s)
10
+ - `PushSecret` manifest(s), if any
11
+ - Optional: ESO operator deployment manifest (to check version and RBAC permissions)
12
+ - Optional: description of the external store provider (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, 1Password Connect) and the auth method in use
13
+
14
+ If the user provides only a partial set, note which resources are absent and scope findings accordingly.
15
+
16
+ ### Step 2 — SecretStore vs ClusterSecretStore scope audit
17
+
18
+ For every `ClusterSecretStore` resource:
19
+ - Check whether `spec.conditions[].namespaceSelector` or `spec.conditions[].namespaces` is set
20
+ - If absent: flag as HIGH — every namespace can reference this store
21
+
22
+ ```yaml
23
+ # HIGH — no namespace selector; any ExternalSecret in any namespace can use this store
24
+ apiVersion: external-secrets.io/v1beta1
25
+ kind: ClusterSecretStore
26
+ metadata:
27
+ name: aws-global
28
+ spec:
29
+ provider:
30
+ aws:
31
+ service: SecretsManager
32
+ region: us-east-1
33
+ auth:
34
+ jwt:
35
+ serviceAccountRef:
36
+ name: eso-sa
37
+ namespace: external-secrets
38
+
39
+ # CORRECT — restrict to specific namespaces
40
+ apiVersion: external-secrets.io/v1beta1
41
+ kind: ClusterSecretStore
42
+ metadata:
43
+ name: aws-payments
44
+ spec:
45
+ conditions:
46
+ - namespaces:
47
+ - payments
48
+ - payments-staging
49
+ provider:
50
+ aws:
51
+ service: SecretsManager
52
+ region: us-east-1
53
+ auth:
54
+ jwt:
55
+ serviceAccountRef:
56
+ name: eso-payments-sa
57
+ namespace: external-secrets
58
+ ```
59
+
60
+ For `SecretStore` resources: verify the namespace matches the namespace of the ExternalSecrets that reference it. A SecretStore in namespace A cannot be referenced by an ExternalSecret in namespace B.
61
+
62
+ ### Step 3 — Authentication method audit
63
+
64
+ For every store, identify the auth method:
65
+
66
+ | Auth method | Risk level | Notes |
67
+ |-------------|-----------|-------|
68
+ | IRSA (AWS) | Low | Preferred for EKS |
69
+ | Azure Workload Identity | Low | Preferred for AKS |
70
+ | GCP Workload Identity | Low | Preferred for GKE |
71
+ | Vault Kubernetes auth | Low | Preferred for Vault |
72
+ | Static credentials via `secretRef` | HIGH | Credential-in-credential anti-pattern |
73
+ | Static credentials inline in manifest | CRITICAL | Never acceptable |
74
+
75
+ **Static credentials pattern to flag:**
76
+ ```yaml
77
+ # HIGH — K8s Secret holds AWS access key for the external store
78
+ spec:
79
+ provider:
80
+ aws:
81
+ service: SecretsManager
82
+ auth:
83
+ secretRef:
84
+ accessKeyIDSecretRef:
85
+ name: aws-creds
86
+ key: access-key-id
87
+ secretAccessKeySecretRef:
88
+ name: aws-creds
89
+ key: secret-access-key
90
+ ```
91
+
92
+ The K8s Secret `aws-creds` is itself a credential. Anyone who can read that Secret (namespace admin, over-privileged pod) gains full access to the AWS Secrets Manager path the store covers.
93
+
94
+ **Correct IRSA pattern:**
95
+ ```yaml
96
+ # CORRECT — pod identity; no static credentials
97
+ spec:
98
+ provider:
99
+ aws:
100
+ service: SecretsManager
101
+ region: us-east-1
102
+ auth:
103
+ jwt:
104
+ serviceAccountRef:
105
+ name: eso-payments-sa
106
+ namespace: external-secrets
107
+ ```
108
+
109
+ ### Step 4 — dataFrom scope audit
110
+
111
+ Review every `ExternalSecret.spec.dataFrom` stanza:
112
+
113
+ **4a. `dataFrom.extract`**
114
+ Fetches all key-value pairs from a specific secret path. Review that the path is as narrow as possible.
115
+ ```yaml
116
+ # ACCEPTABLE — extracts all keys from a single named secret
117
+ dataFrom:
118
+ - extract:
119
+ key: my-app/production/database
120
+ ```
121
+
122
+ **4b. `dataFrom.find`**
123
+ Fetches multiple secrets matching a regex or tag filter. HIGH blast-radius risk.
124
+ ```yaml
125
+ # HIGH — fetches ALL secrets in the store matching any name
126
+ dataFrom:
127
+ - find:
128
+ name:
129
+ regexp: ".*"
130
+
131
+ # HIGH — fetches every secret under the /production/ path prefix
132
+ dataFrom:
133
+ - find:
134
+ path: /production/
135
+
136
+ # ACCEPTABLE — narrow regex scoped to a single application prefix
137
+ dataFrom:
138
+ - find:
139
+ name:
140
+ regexp: "^my-app/production/[a-z-]+$"
141
+ tags:
142
+ app: my-app
143
+ ```
144
+
145
+ Flag any `find` with a broad regex (`.*`, `^/`, or no regex at all) as HIGH — all matching secrets are merged into a single K8s Secret, and any pod that mounts it gets access to all of them.
146
+
147
+ ### Step 5 — Refresh interval compliance audit
148
+
149
+ For every `ExternalSecret`, check `spec.refreshInterval`.
150
+
151
+ Default is `1h`. Review against the rotation policy of the external credential:
152
+
153
+ | Credential type | Typical rotation window | Recommended refreshInterval |
154
+ |----------------|------------------------|------------------------------|
155
+ | Database password (RDS IAM auth) | 15 minutes | `5m` or `10m` |
156
+ | API key with 24h rotation | 24 hours | `1h` |
157
+ | Long-lived service account key | 90 days | `1h` (acceptable) |
158
+ | TLS certificate (Let's Encrypt) | 90 days | `12h` |
159
+
160
+ ```yaml
161
+ # MEDIUM — 48h refresh on a DB password that rotates every 15 minutes
162
+ spec:
163
+ refreshInterval: 48h
164
+ secretStoreRef:
165
+ name: aws-store
166
+ kind: ClusterSecretStore
167
+ target:
168
+ name: db-password
169
+ data:
170
+ - secretKey: password
171
+ remoteRef:
172
+ key: my-app/production/db
173
+ property: password
174
+ ```
175
+
176
+ Flag `refreshInterval: 0` as a separate risk — it disables automatic refresh; secrets only update on ExternalSecret resource changes.
177
+
178
+ ### Step 6 — Target creation policy and template audit
179
+
180
+ **6a. creationPolicy**
181
+ ```yaml
182
+ # MEDIUM — Owner means ESO owns the Secret lifecycle
183
+ target:
184
+ name: my-app-secret
185
+ creationPolicy: Owner
186
+ ```
187
+ If the ExternalSecret is deleted (by a botched `helm uninstall`, namespace teardown, or GitOps drift), the managed K8s Secret is deleted immediately. Workloads using it crash. Recommend documenting this in runbooks and implementing deletion protection on critical ExternalSecrets.
188
+
189
+ Alternative `creationPolicy: Merge` — ESO writes keys into an existing Secret but does not own its lifecycle. Review that the existing Secret exists and has the correct structure.
190
+
191
+ **6b. Template correctness**
192
+ ```yaml
193
+ # RISKY — template that silently omits a key if the remote key name changes
194
+ target:
195
+ template:
196
+ data:
197
+ DB_PASS: "{{ .db_pass }}"
198
+ DB_HOST: "{{ .db_host }}"
199
+ # If the remote secret loses a key, the template renders as empty string, not an error
200
+ ```
201
+
202
+ Recommend including `engineVersion: v2` and verifying that all template references have a corresponding remote key. Flag templates with no explicit key mapping verification as LOW (template drift risk).
203
+
204
+ ### Step 7 — PushSecret audit
205
+
206
+ If `PushSecret` resources are present:
207
+
208
+ **7a. Auth scope**
209
+ PushSecret writes K8s Secret values into the external store. The auth principal for PushSecret needs write permission to the external store path. Review that:
210
+ - The IAM role / service principal / Vault policy grants write only to the specific path, not `secretsmanager:PutSecretValue` on `*`
211
+ - The auth principal is separate from the read-path principal (PushSecret auth should not be reused for ExternalSecret auth)
212
+
213
+ **7b. Selector scope**
214
+ ```yaml
215
+ # HIGH — pushes ALL secrets from the namespace into the external store
216
+ spec:
217
+ selector:
218
+ secret:
219
+ name: "" # empty = all secrets
220
+ ```
221
+
222
+ Flag any PushSecret with an empty or wildcard selector as HIGH — it exfiltrates all K8s Secrets from the namespace into the external store.
223
+
224
+ ### Step 8 — ESO operator RBAC audit (if manifest provided)
225
+
226
+ Review the ClusterRole bound to the ESO operator ServiceAccount:
227
+ - ESO needs `get`, `list`, `watch` on Secrets (to read SecretStore auth credentials)
228
+ - ESO needs `create`, `update`, `patch`, `delete` on Secrets (to manage target Secrets)
229
+ - ESO does NOT need `get` on all Secrets cluster-wide unless ClusterSecretStore is used
230
+ - Flag `resources: ["secrets"]` with no `resourceNames` restriction on a ClusterRole as MEDIUM
231
+
232
+ ### Step 9 — Produce the output
233
+
234
+ Format findings using the Output section below.
235
+
236
+ ---
237
+
238
+ ## Output
239
+
240
+ Return findings in this structure:
241
+
242
+ ```
243
+ ## Verdict
244
+ <one sentence summary: pass / needs work / critical issues found>
245
+
246
+ ## Evidence level
247
+ <live evidence | user-provided sanitized config | documentation-based | inference>
248
+
249
+ ## Findings
250
+
251
+ ### CRITICAL
252
+ - [C1] <finding title>: <description> — <remediation>
253
+
254
+ ### HIGH
255
+ - [H1] <finding title>: <description> — <remediation>
256
+
257
+ ### MEDIUM
258
+ - [M1] <finding title>: <description> — <remediation>
259
+
260
+ ### LOW
261
+ - [L1] <finding title>: <description> — <remediation>
262
+
263
+ ## Safe next actions
264
+ 1. <action>
265
+ 2. <action>
266
+ ...
267
+
268
+ ## Open questions
269
+ - <question requiring user clarification>
270
+ ```
271
+
272
+ ---
273
+
274
+ ## Security notes
275
+
276
+ - Never recommend using static credentials (`secretRef` pointing to a K8s Secret holding cloud credentials) as a permanent solution — always direct toward workload identity (IRSA, Azure Workload Identity, GCP Workload Identity, Vault Kubernetes auth).
277
+ - Treat any `ClusterSecretStore` with no `namespaceSelector` as a cross-namespace trust boundary violation — flag it regardless of whether the user considers it intentional.
278
+ - Do not recommend setting `refreshInterval: 0` on any ExternalSecret for a credential that participates in a rotation policy — zero disables automatic refresh.
279
+ - Flag the absence of monitoring on ExternalSecret sync status (`externalsecret_sync_calls_total`, `externalsecret_status_condition`) — a failing sync that goes unalerted means the cluster silently uses a stale or deleted credential.
280
+ - Treat `dataFrom.find` with a broad regex as equivalent to "grant this pod access to every secret in your vault that matches the regex" — make the blast radius explicit in the finding description.
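Review bot: the MEDIUM criterion closing Step 8 (`resources: ["secrets"]` with no `resourceNames` restriction on a ClusterRole) will fire on every functioning ESO install, because `resourceNames` cannot scope `create`, `list` or `watch`, and the names of the target Secrets ESO creates are not known in advance. Suggest reframing that bullet to match the one above it: a namespaced Role per namespace where only `SecretStore` is used, and a ClusterRole only where `ClusterSecretStore` is in play. Separately, the Step 7b example (`name: ""` with the comment `empty = all secrets`) should be checked against the PushSecret API: `selector.secret.name` names a single Secret, so an empty value is more likely a validation error than a wildcard; if the all-secrets behaviour cannot be confirmed from the ESO docs, replace the example with the actual broad-selector form or drop it.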
@@ -0,0 +1,43 @@
1
+ ---
2
+ name: kubecost-chargeback-allocation-review
3
+ description: Use this skill when reviewing a Kubecost or OpenCost installation for enterprise chargeback readiness. Trigger when the user asks whether cost allocation is accurate, whether label taxonomy is complete enough for chargeback, whether idle cost is properly attributed, whether the cost API is secured, or whether savings recommendations are being actioned.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-05-05"
9
+ category: finops
10
+ ---
11
+
12
+ # Kubecost Chargeback and Allocation Review
13
+
14
+ ## Purpose
15
+
16
+ Review a Kubecost (or OpenCost) deployment for cost allocation accuracy, label taxonomy completeness, shared cost model selection, idle cost attribution policy, budget alert coverage, cost API authentication posture, and savings recommendation hygiene. Enterprise chargeback requires that every dollar spent can be attributed to a team, cost center, or product — gaps in label coverage, authentication, or idle allocation produce inaccurate charge-backs and hide engineering waste.
17
+
18
+ ## Lean operating rules
19
+
20
+ - Prefer user-provided Kubecost allocation API output, Helm values, and `kubectl` label query results as primary evidence; official Kubecost and OpenCost docs are the authoritative fallback.
21
+ - Treat the Kubecost cost allocation API or frontend exposed without SSO/ingress authentication as a HIGH finding — any pod in the cluster can enumerate other teams' spend.
22
+ - Treat more than 20% of pod costs appearing in the "uncategorized" or "__unallocated__" bucket as a HIGH finding — chargeback to business units is impossible for that spend.
23
+ - Treat idle cost absorbed centrally (not attributed to namespace owners) as a MEDIUM finding — it hides waste from the engineering teams responsible for right-sizing.
24
+ - Treat PV (persistent volume) costs excluded from allocation as a MEDIUM finding — stateful teams face an invisible blind spot in their bill.
25
+ - Treat no budget alerts configured for any namespace or team as a MEDIUM finding — teams have no cost signal until the end-of-month invoice.
26
+ - Treat HIGH-priority savings recommendations unactioned for more than 30 days as a HIGH finding — direct, measurable cash waste with a documented fix path.
27
+ - Distinguish OpenCost (no multi-cluster single-pane, no team RBAC) from Kubecost Enterprise (multi-cluster, RBAC, advanced savings) when scope matters for the use case.
28
+
29
+ ## References
30
+
31
+ Load these only when needed:
32
+ - [Workflow and output contract](references/workflow-and-output.md)
33
+
34
+ ## Response minimum
35
+
36
+ - Scoped target (cluster name, Kubecost version, OpenCost vs Kubecost) and evidence level
37
+ - Cost allocation accuracy verdict (all cost components enabled or missing)
38
+ - Label taxonomy completeness (% uncategorized, missing labels)
39
+ - Shared cost model and idle cost attribution policy
40
+ - Budget alert coverage (configured / absent / threshold)
41
+ - Cost API authentication posture
42
+ - Top savings recommendations status
43
+ - Safe next actions and open questions
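Review bot: `allowed-tools: Read Grep Glob` gives the skill no shell, yet the reference it loads (`references/workflow-and-output.md`) is built around `curl`, `helm get values` and `kubectl` commands, and the first operating rule names allocation API output and `kubectl` label query results as primary evidence. Either add the shell tool the harness provides, or state in the skill body that those commands are for the user to run and paste back; as written, the `live evidence` level can never be reached by the agent itself.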
@@ -0,0 +1,22 @@
1
+ {
2
+ "id": "kubecost-chargeback-allocation-review",
3
+ "name": "Kubecost Chargeback and Allocation Review",
4
+ "type": "skill",
5
+ "provider": "kubernetes",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review Kubecost and OpenCost cost allocation accuracy, label taxonomy completeness, shared cost model, idle cost attribution, budget alert coverage, API authentication, and savings recommendation hygiene for enterprise chargeback.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://www.kubecost.com/kubernetes-cost-optimization/",
11
+ "https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cost-allocation",
12
+ "https://www.opencost.io/docs/",
13
+ "https://docs.kubecost.com/install-and-configure/advanced-configuration/cost-model",
14
+ "https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings",
15
+ "https://docs.kubecost.com/apis/apis-overview"
16
+ ],
17
+ "security_notes": "Kubecost cost allocation API without authentication exposes team-level spend data to any pod in the cluster. Multi-cluster Kubecost aggregation requires cross-cluster network access — review whether the aggregation network path is private or exposed.",
18
+ "last_verified": "2026-05-02",
19
+ "path": "skills/kubernetes/kubecost-chargeback-allocation-review",
20
+ "author": "github: Raishin",
21
+ "version": "0.1.0"
22
+ }
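Review bot: `last_verified` (2026-05-02) predates the `updated: "2026-05-05"` stamp in SKILL.md, so the verification does not cover the latest revision; bump it or record what was re-verified. Style point on `official_docs`: the first entry (`https://www.kubecost.com/kubernetes-cost-optimization/`) is a product landing page rather than documentation, which weakens a list the skill treats as its authoritative fallback; consider dropping it.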
@@ -0,0 +1,215 @@
1
+ # Workflow and output contract
2
+
3
+ Use this reference only when performing a full Kubecost or OpenCost chargeback readiness review, producing FinOps implementation guidance, triaging a cost allocation discrepancy, or completing a cost governance production-readiness pass.
4
+
5
+ ## Review domains
6
+
7
+ Check these areas before giving a verdict:
8
+
9
+ - Kubecost vs OpenCost distinction and version
10
+ - Cost allocation accuracy: all cost components enabled (compute, storage, network)
11
+ - Label taxonomy completeness: uncategorized cost percentage, missing label coverage
12
+ - Shared cost model: even split, proportional, or weighted — and whether it matches the chargeback agreement
13
+ - Idle cost attribution: absorbed centrally or allocated to namespace owners
14
+ - Budget alert configuration: thresholds, routing, and coverage
15
+ - Cost API and frontend authentication posture
16
+ - Savings recommendations status: HIGH-priority items and days unactioned
17
+
18
+ ## Safe workflow
19
+
20
+ 1. **Frame scope**
21
+ - Cluster name and cloud provider:
22
+ - Kubecost version (`helm list -n kubecost` or `kubectl get deployment -n kubecost -o json | jq '.items[].spec.template.spec.containers[].image'`):
23
+ - OpenCost or Kubecost (free tier / Business / Enterprise):
24
+ - Number of clusters in scope:
25
+ - Required outcome of this review:
26
+ - Explicit non-goals:
27
+
28
+ 2. **Collect evidence**
29
+ - Prefer Kubecost allocation API output, Helm values, and `kubectl` label query results as primary evidence.
30
+ - Supplement with Kubecost UI screenshots and savings recommendations export if available.
31
+ - Label each finding as `live evidence`, `user-provided evidence`, `documentation-based`, or `inference`.
32
+
33
+ 3. **Verify all cost components are captured**
34
+ Query the allocation API to confirm compute, storage, and network are all present:
35
+ ```bash
36
+ # Allocation API — last 7 days by namespace
37
+ curl "http://localhost:9090/model/allocation?window=7d&aggregate=namespace&includeIdle=true"
38
+
39
+ # Check whether network costs are enabled in Helm values
40
+ helm get values kubecost -n kubecost | grep -A5 'networkCosts'
41
+
42
+ # Check whether PV costs are included
43
+ helm get values kubecost -n kubecost | grep -A5 'persistentVolumes'
44
+ ```
45
+ If `networkCosts.enabled: false` or PV costs are missing from the allocation response,
46
+ flag as MEDIUM — stateful or egress-heavy teams face invisible costs.
47
+
48
+ 4. **Assess label taxonomy completeness**
49
+ Run a label audit to quantify unlabeled pods:
50
+ ```bash
51
+ # Count pods missing the cost-center label
52
+ kubectl get pods -A --show-labels | grep -v 'cost-center=' | grep -v 'NAME' | wc -l
53
+
54
+ # Count pods missing the team label
55
+ kubectl get pods -A --show-labels | grep -v 'app.kubernetes.io/team=' | grep -v 'NAME' | wc -l
56
+
57
+ # Query Kubecost for uncategorized spend share
58
+ curl "http://localhost:9090/model/allocation?window=7d&aggregate=label:cost-center" | \
59
+ jq '.data[0]["__unallocated__"].totalCost / (.data[0] | to_entries | map(.value.totalCost) | add)'
60
+ ```
61
+ If the `__unallocated__` or `__idle__` bucket represents more than 20% of total cost,
62
+ label taxonomy is insufficient for chargeback — flag as HIGH.
63
+
64
+ 5. **Check shared cost model configuration**
65
+ Kubecost shared cost models in `values.yaml`:
66
+ ```yaml
67
+ # Option 1: even split (each tenant pays equal share of shared infra)
68
+ kubecostModel:
69
+ sharedCostConfiguration:
70
+ shareIdle: false
71
+ sharedNamespaces: "monitoring,ingress-nginx,cert-manager"
72
+ shareByLabel: ""
73
+ shareType: "even" # even | weighted | proportional
74
+
75
+ # Option 2: proportional (tenant pays proportional to their usage)
76
+ shareType: "proportional"
77
+
78
+ # Option 3: weighted (explicit percentage per tenant)
79
+ shareType: "weighted"
80
+ ```
81
+ If the shared cost model does not match the documented business chargeback agreement, flag as MEDIUM.
82
+ If no shared namespace is configured, monitoring and ingress costs are silently excluded from bills.
83
+
84
+ 6. **Verify idle cost attribution**
85
+ ```bash
86
+ # Check idle allocation setting
87
+ helm get values kubecost -n kubecost | grep -A3 'idle'
88
+
89
+ # Idle cost API
90
+ curl "http://localhost:9090/model/allocation?window=7d&aggregate=namespace&includeIdle=true" | \
91
+ jq '.data[0].__idle__'
92
+ ```
93
+ If `shareIdle: false` and the `__idle__` bucket is large (>15% of total), idle waste is hidden
94
+ from engineering teams. Allocating idle to namespaces creates incentive to right-size.
95
+ Flag as MEDIUM if idle cost is absorbed centrally without a documented policy decision.
96
+
97
+ 7. **Audit budget alert configuration**
98
+ ```bash
99
+ # Check for configured budget alerts via Kubecost API
100
+ curl "http://localhost:9090/model/budget"
101
+
102
+ # Check Kubecost alert configuration in values
103
+ helm get values kubecost -n kubecost | grep -A20 'alerts'
104
+ ```
105
+ A well-configured alert:
106
+ ```yaml
107
+ alerts:
108
+ - type: budget
109
+ threshold: 80 # alert at 80% — not 100%
110
+ window: monthly
111
+ aggregation: namespace
112
+ filter: "namespace=team-a"
113
+ slackWebhookUrl: https://hooks.slack.com/services/...
114
+ ```
115
+ No budget alerts configured for any namespace is a MEDIUM finding.
116
+ Alert threshold at 100% (no early warning) is a MEDIUM finding.
117
+ Alert routing to a central ops black hole (not the owning team) is a MEDIUM finding.
118
+
119
+ 8. **Check cost API and frontend authentication**
120
+ ```bash
121
+ # Test whether the cost API is publicly accessible without credentials
122
+ curl -o /dev/null -s -w "%{http_code}" http://<kubecost-service>:9090/model/allocation?window=1d
123
+
124
+ # Check ingress auth annotation
125
+ kubectl get ingress -n kubecost -o yaml | grep -A5 'annotations'
126
+ ```
127
+ Expected annotations for SSO-gated ingress:
128
+ ```yaml
129
+ annotations:
130
+ nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy/oauth2/auth"
131
+ nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy/oauth2/start"
132
+ ```
133
+ A 200 response from the allocation API without auth headers means any cluster pod can enumerate
134
+ other teams' spend data — flag as HIGH.
135
+
136
+ 9. **Savings recommendations review**
137
+ ```bash
138
+ # Get rightsizing recommendations
139
+ curl "http://localhost:9090/model/savings/requestSizingV2"
140
+
141
+ # Get abandoned workload recommendations
142
+ curl "http://localhost:9090/model/savings/abandonedWorkloads"
143
+
144
+ # Get orphaned PV recommendations
145
+ curl "http://localhost:9090/model/savings/orphanedResources"
146
+ ```
147
+ Review the top 10 recommendations by estimated monthly savings. For each HIGH-priority item,
148
+ confirm whether it has been reviewed. Items unactioned for more than 30 days represent
149
+ measurable cash waste with a documented fix path — flag as HIGH.
150
+
151
+ ## Output contract
152
+
153
+ Return this structure:
154
+
155
+ ```markdown
156
+ # Kubecost Chargeback and Allocation Review: <cluster-name>
157
+
158
+ ## Executive verdict
159
+ - Status: CHARGEBACK READY / PARTIALLY READY / NOT READY / NEEDS EVIDENCE
160
+ - Biggest risk:
161
+ - Evidence level:
162
+
163
+ ## Scope and assumptions
164
+ - Cluster name and cloud provider:
165
+ - Kubecost version and tier:
166
+ - Review window:
167
+ - Confirmed:
168
+ - Unknown:
169
+ - Out of scope:
170
+
171
+ ## Findings
172
+
173
+ | Severity | Area | Finding | Evidence | Why it matters | Minimum safe action |
174
+ |---|---|---|---|---|---|
175
+
176
+ ## Cost component coverage
177
+
178
+ | Component | Enabled | Notes |
179
+ |---|---|---|
180
+ | Compute (CPU/RAM) | | |
181
+ | Persistent volume storage | | |
182
+ | Network egress (cross-AZ) | | |
183
+ | Network egress (cross-region) | | |
184
+ | GPU | | |
185
+
186
+ ## Label taxonomy summary
187
+ - Total pod count:
188
+ - Pods missing `cost-center` label:
189
+ - Estimated uncategorized cost %:
190
+
191
+ ## Shared cost and idle model
192
+ - Shared namespaces:
193
+ - Share type:
194
+ - Idle allocation policy:
195
+
196
+ ## Budget alert coverage
197
+ - Namespaces with budget alerts:
198
+ - Earliest warning threshold:
199
+ - Alert routing:
200
+
201
+ ## Top savings opportunities
202
+
203
+ | Recommendation | Est. monthly savings | Days open | Action |
204
+ |---|---|---|---|
205
+
206
+ ## Recommended actions
207
+ 1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
208
+
209
+ ## Validation
210
+ - Commands or checks:
211
+ - Expected result:
212
+
213
+ ## Residual risk
214
+ - <risk or explicit none>
215
+ ```
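Review bot: step 8 conflates two exposure paths. The `curl` at the top of the step targets the in-cluster Service (`http://<kubecost-service>:9090`), but the `nginx.ingress.kubernetes.io/auth-url` / `auth-signin` annotations it then checks only gate traffic arriving through the Ingress; pod-to-Service traffic never touches oauth2-proxy, so a 200 there is expected even on a correctly SSO-gated install and the HIGH verdict would be a false positive. Suggest splitting the check: probe the Ingress hostname and expect a 302/401, and separately run `kubectl get networkpolicy -n kubecost` to confirm a policy restricts ingress to port 9090 to the frontend and oauth2-proxy, which is the control that actually addresses "any cluster pod can enumerate other teams' spend". Smaller point in step 4: `kubectl get pods -A --show-labels | grep -v 'cost-center=' | grep -v 'NAME'` drops any pod whose line contains `NAME` and matches substrings of other label keys; `kubectl get pods -A -l '!cost-center' --no-headers | wc -l` counts exactly the pods missing the label. In step 7, the example places a Slack webhook URL inline in `values.yaml`; that is a credential, so the skill should flag it and recommend sourcing it from a Secret.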