@raishin/vanguard-frontier-agentic 1.2.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (561) hide show
  1. package/README.md +250 -110
  2. package/agents/AGENTS.md +263 -21
  3. package/agents/argocd/README.md +46 -0
  4. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
  5. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
  6. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
  7. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
  8. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
  9. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
  10. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
  11. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
  12. package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
  13. package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
  14. package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
  15. package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
  16. package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
  17. package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
  18. package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
  19. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
  20. package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
  21. package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
  22. package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
  23. package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
  24. package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
  25. package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
  26. package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
  27. package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
  28. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  29. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
  30. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  31. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  32. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  33. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  34. package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  35. package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
  36. package/agents/azure/README.md +45 -0
  37. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
  38. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  39. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
  40. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  41. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  42. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  43. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  44. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  45. package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
  46. package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +10 -1
  47. package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +10 -1
  48. package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +10 -1
  49. package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +10 -1
  50. package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
  51. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
  52. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
  53. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
  54. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
  55. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
  56. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  57. package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  58. package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
  59. package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +10 -1
  60. package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +11 -2
  61. package/agents/backstage/README.md +36 -0
  62. package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
  63. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
  64. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
  65. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
  66. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
  67. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
  68. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
  69. package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
  70. package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
  71. package/agents/cert-manager/README.md +46 -0
  72. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
  73. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
  74. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
  75. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
  76. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
  77. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
  78. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
  79. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
  80. package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
  81. package/agents/cilium/README.md +46 -0
  82. package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
  83. package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  84. package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
  85. package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
  86. package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
  87. package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
  88. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  89. package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  90. package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
  91. package/agents/falco/README.md +36 -0
  92. package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
  93. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
  94. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
  95. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
  96. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
  97. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
  98. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
  99. package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
  100. package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
  101. package/agents/finops/README.md +27 -0
  102. package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +10 -1
  103. package/agents/fluxcd/README.md +39 -0
  104. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
  105. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
  106. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
  107. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
  108. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
  109. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
  110. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
  111. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
  112. package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
  113. package/agents/istio/README.md +46 -0
  114. package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
  115. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
  116. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
  117. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
  118. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
  119. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
  120. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
  122. package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
  123. package/agents/kubernetes/README.md +143 -0
  124. package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
  125. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
  126. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
  127. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
  128. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
  129. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
  130. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
  131. package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
  132. package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
  133. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
  134. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
  135. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
  136. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
  137. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
  138. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
  139. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
  140. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
  141. package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
  142. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
  143. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  144. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
  145. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  146. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  147. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  148. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  149. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  150. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +37 -0
  151. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
  152. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
  153. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
  154. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
  155. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
  156. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
  157. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  158. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  159. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +37 -0
  160. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
  161. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  162. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
  163. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  164. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  165. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  166. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  167. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  168. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +37 -0
  169. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
  170. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
  171. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
  172. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
  173. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
  174. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
  175. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  176. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  177. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +37 -0
  178. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
  179. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
  180. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
  181. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
  182. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
  183. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
  184. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  185. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  186. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
  187. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
  188. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
  189. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
  190. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
  191. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
  192. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
  193. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  194. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
  195. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +38 -0
  196. package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
  197. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
  198. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
  199. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
  200. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
  201. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
  202. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  203. package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  204. package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
  205. package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
  206. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
  207. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
  208. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
  209. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
  210. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
  211. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
  212. package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
  213. package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
  214. package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
  215. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
  216. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
  217. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
  218. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
  219. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
  220. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
  221. package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
  222. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +38 -0
  223. package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
  224. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
  225. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
  226. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
  227. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
  228. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
  229. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
  230. package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
  231. package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
  232. package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
  233. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
  234. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
  235. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
  236. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
  237. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
  238. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
  239. package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
  240. package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
  241. package/agents/kyverno/README.md +46 -0
  242. package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
  243. package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
  244. package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
  245. package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
  246. package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
  247. package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
  248. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
  249. package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
  250. package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
  251. package/agents/oci/README.md +45 -0
  252. package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
  253. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
  254. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
  255. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
  256. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
  257. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
  258. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
  259. package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
  260. package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
  261. package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +11 -2
  262. package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +11 -2
  263. package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +10 -1
  264. package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
  265. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
  266. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
  267. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
  268. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
  269. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
  270. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  271. package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
  272. package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
  273. package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +11 -2
  274. package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +10 -1
  275. package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +10 -1
  276. package/agents/opentelemetry/README.md +37 -0
  277. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
  278. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
  279. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
  280. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
  281. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
  282. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
  283. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
  284. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
  285. package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
  286. package/agents/prometheus/README.md +36 -0
  287. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
  288. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
  289. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
  290. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
  291. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
  292. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
  293. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
  294. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
  295. package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
  296. package/agents/sigstore/README.md +38 -0
  297. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
  298. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
  299. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
  300. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
  301. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
  302. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
  303. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
  304. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
  305. package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
  306. package/agents/terraform/README.md +29 -0
  307. package/agents/terraform/terraform-reviewer/AGENT.md +2 -1
  308. package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
  309. package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
  310. package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
  311. package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
  312. package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
  313. package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
  314. package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
  315. package/agents/terraform/terraform-reviewer/metadata.json +10 -1
  316. package/agents/velero/README.md +41 -0
  317. package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
  318. package/catalog/agents.json +1452 -634
  319. package/catalog/install-roles.json +455 -0
  320. package/catalog/skill-manifest.json +1089 -335
  321. package/catalog/skills.json +1298 -528
  322. package/package.json +32 -3
  323. package/schemas/AGENTS.md +14 -0
  324. package/schemas/agent.frontmatter.schema.json +89 -0
  325. package/schemas/agent.schema.json +8 -0
  326. package/schemas/skill.frontmatter.schema.json +95 -0
  327. package/scripts/apply-skill-allowed-tools.py +142 -0
  328. package/scripts/backfill-skill-metadata.py +410 -0
  329. package/scripts/export-marketplace-agents.mjs +275 -9
  330. package/scripts/update-catalog-new-agents.py +88 -0
  331. package/skills/argocd/README.md +30 -0
  332. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +43 -0
  333. package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
  334. package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
  335. package/skills/argocd/argocd-gitops-review/SKILL.md +46 -0
  336. package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
  337. package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
  338. package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
  339. package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
  340. package/skills/aws/README.md +3 -1
  341. package/skills/aws/aws-agentcore/SKILL.md +3 -0
  342. package/skills/aws/aws-api-edge-delivery-review/SKILL.md +3 -0
  343. package/skills/aws/aws-bedrock-agent-security-governor/SKILL.md +3 -0
  344. package/skills/aws/aws-change-impact-advisor/SKILL.md +3 -0
  345. package/skills/aws/aws-ci-cd-release-engineer/SKILL.md +3 -0
  346. package/skills/aws/aws-compliance-evidence-mapper/SKILL.md +3 -0
  347. package/skills/aws/aws-cost-anomaly-watch-coordinator/SKILL.md +3 -0
  348. package/skills/aws/aws-cost-optimization-governor/SKILL.md +3 -0
  349. package/skills/aws/aws-daily-operations-briefing-coordinator/SKILL.md +3 -0
  350. package/skills/aws/aws-data-protection-backup-steward/SKILL.md +3 -0
  351. package/skills/aws/aws-deployment-hotfix-operator/SKILL.md +3 -0
  352. package/skills/aws/aws-devops-agent-skill-designer/SKILL.md +3 -0
  353. package/skills/aws/aws-dynamodb-data-modeling-performance-review/SKILL.md +3 -0
  354. package/skills/aws/aws-ec2-compute-operations-steward/SKILL.md +3 -0
  355. package/skills/aws/aws-ecs-fargate-platform-operator/SKILL.md +3 -0
  356. package/skills/aws/aws-ecs-service-remediation-operator/SKILL.md +3 -0
  357. package/skills/aws/aws-eks-platform-operator/SKILL.md +3 -0
  358. package/skills/aws/aws-event-driven-architecture-review/SKILL.md +3 -0
  359. package/skills/aws/aws-generative-ai-developer/SKILL.md +3 -0
  360. package/skills/aws/aws-iac-change-safety-review/SKILL.md +3 -0
  361. package/skills/aws/aws-iac-patch-executor/SKILL.md +3 -0
  362. package/skills/aws/aws-iam-least-privilege-review/SKILL.md +3 -0
  363. package/skills/aws/aws-kms-secrets-lifecycle-steward/SKILL.md +3 -0
  364. package/skills/aws/aws-landing-zone-governor/SKILL.md +3 -0
  365. package/skills/aws/aws-live-deployment-guarded-operator/SKILL.md +3 -0
  366. package/skills/aws/aws-live-ecs-rollout-guard/SKILL.md +3 -0
  367. package/skills/aws/aws-live-iac-change-guard/SKILL.md +3 -0
  368. package/skills/aws/aws-live-pipeline-approval-operator/SKILL.md +3 -0
  369. package/skills/aws/aws-live-serverless-release-guard/SKILL.md +3 -0
  370. package/skills/aws/aws-maestro/SKILL.md +3 -0
  371. package/skills/aws/aws-maestro/references/workflow-and-output.md +2 -0
  372. package/skills/aws/aws-migration-cutover-architect/SKILL.md +3 -0
  373. package/skills/aws/aws-network-architect/SKILL.md +3 -0
  374. package/skills/aws/aws-non-destructive-task-automation-advisor/SKILL.md +3 -0
  375. package/skills/aws/aws-observability-incident-responder/SKILL.md +3 -0
  376. package/skills/aws/aws-pipeline-fix-operator/SKILL.md +3 -0
  377. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +42 -0
  378. package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
  379. package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
  380. package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
  381. package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
  382. package/skills/aws/aws-rds-aurora-performance-investigator/SKILL.md +3 -0
  383. package/skills/aws/aws-resilience-bcdr-review/SKILL.md +3 -0
  384. package/skills/aws/aws-s3-data-perimeter-governor/SKILL.md +3 -0
  385. package/skills/aws/aws-security-posture-hardening/SKILL.md +3 -0
  386. package/skills/aws/aws-serverless-production-readiness/SKILL.md +3 -0
  387. package/skills/aws/aws-serverless-rollout-corrector/SKILL.md +3 -0
  388. package/skills/aws/aws-solution-architect/SKILL.md +3 -0
  389. package/skills/aws/aws-ticket-triage-escalation-coordinator/SKILL.md +3 -0
  390. package/skills/azure/README.md +3 -1
  391. package/skills/azure/azure-ai-foundry-ops-governor/SKILL.md +3 -0
  392. package/skills/azure/azure-aks-platform-operator/SKILL.md +3 -0
  393. package/skills/azure/azure-app-service-production-readiness/SKILL.md +3 -0
  394. package/skills/azure/azure-cosmosdb-application-developer/SKILL.md +3 -0
  395. package/skills/azure/azure-cosmosdb-performance-investigator/SKILL.md +3 -0
  396. package/skills/azure/azure-cosmosdb-platform-operator/SKILL.md +3 -0
  397. package/skills/azure/azure-cost-estimation-review/SKILL.md +3 -0
  398. package/skills/azure/azure-cost-optimization-governor/SKILL.md +3 -0
  399. package/skills/azure/azure-entra-id-specialist/SKILL.md +3 -0
  400. package/skills/azure/azure-governance-policy-guardrails/SKILL.md +3 -0
  401. package/skills/azure/azure-identity-governance-review/SKILL.md +3 -0
  402. package/skills/azure/azure-key-vault-secret-lifecycle-auditor/SKILL.md +3 -0
  403. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +40 -0
  404. package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
  405. package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
  406. package/skills/azure/azure-landing-zone-architect/SKILL.md +3 -0
  407. package/skills/azure/azure-live-aks-rollout-guard/SKILL.md +3 -0
  408. package/skills/azure/azure-live-app-service-slot-swap-guard/SKILL.md +3 -0
  409. package/skills/azure/azure-live-arm-deployment-stack-guard/SKILL.md +3 -0
  410. package/skills/azure/azure-live-cost-budget-action-guard/SKILL.md +3 -0
  411. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +59 -0
  412. package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
  413. package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
  414. package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
  415. package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
  416. package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
  417. package/skills/azure/azure-live-keyvault-rotation-purge-guard/SKILL.md +3 -0
  418. package/skills/azure/azure-live-pim-jit-activation-guard/SKILL.md +3 -0
  419. package/skills/azure/azure-maestro/SKILL.md +3 -0
  420. package/skills/azure/azure-migrate-landing-zone-cutover/SKILL.md +3 -0
  421. package/skills/azure/azure-network-topology-review/SKILL.md +3 -0
  422. package/skills/azure/azure-observability-investigator/SKILL.md +3 -0
  423. package/skills/azure/azure-platform-automation-devops/SKILL.md +3 -0
  424. package/skills/azure/azure-private-endpoint-adoption-planner/SKILL.md +3 -0
  425. package/skills/azure/azure-rbac-review/SKILL.md +3 -0
  426. package/skills/azure/azure-resilience-bcdr-review/SKILL.md +3 -0
  427. package/skills/azure/azure-resource-health-incident-triage/SKILL.md +3 -0
  428. package/skills/azure/azure-role-selector/SKILL.md +3 -0
  429. package/skills/azure/azure-security-posture-hardening/SKILL.md +3 -0
  430. package/skills/azure/azure-subscription-resource-organization/SKILL.md +3 -0
  431. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +42 -0
  432. package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
  433. package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
  434. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +43 -0
  435. package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
  436. package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
  437. package/skills/cilium/README.md +30 -0
  438. package/skills/cilium/cilium-network-policy-review/SKILL.md +46 -0
  439. package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
  440. package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
  441. package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
  442. package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
  443. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +40 -0
  444. package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
  445. package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
  446. package/skills/finops/README.md +30 -0
  447. package/skills/finops/finops-cloud-price-advisor/SKILL.md +3 -0
  448. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +43 -0
  449. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
  450. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
  451. package/skills/istio/README.md +28 -0
  452. package/skills/istio/istio-ambient-mesh-review/SKILL.md +46 -0
  453. package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
  454. package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
  455. package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
  456. package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
  457. package/skills/kubernetes/README.md +30 -0
  458. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +40 -0
  459. package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
  460. package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
  461. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +43 -0
  462. package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
  463. package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
  464. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +60 -0
  465. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
  466. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
  467. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
  468. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
  469. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
  470. package/skills/kubernetes/kubernetes-maestro/SKILL.md +48 -0
  471. package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
  472. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
  473. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
  474. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +46 -0
  475. package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
  476. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
  477. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
  478. package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
  479. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +41 -0
  480. package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
  481. package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
  482. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +41 -0
  483. package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
  484. package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
  485. package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
  486. package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
  487. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +46 -0
  488. package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
  489. package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
  490. package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
  491. package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
  492. package/skills/kyverno/README.md +30 -0
  493. package/skills/kyverno/kyverno-policy-review/SKILL.md +46 -0
  494. package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
  495. package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
  496. package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
  497. package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
  498. package/skills/oci/README.md +63 -0
  499. package/skills/oci/oci-autonomous-database-architect/SKILL.md +3 -0
  500. package/skills/oci/oci-certificates-issuer-review/SKILL.md +40 -0
  501. package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
  502. package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
  503. package/skills/oci/oci-cloud-guard-responder/SKILL.md +3 -0
  504. package/skills/oci/oci-compute-instance-agent-operator/SKILL.md +3 -0
  505. package/skills/oci/oci-compute-platform-operator/SKILL.md +3 -0
  506. package/skills/oci/oci-cost-finops-analyst/SKILL.md +3 -0
  507. package/skills/oci/oci-database-platform-dba/SKILL.md +3 -0
  508. package/skills/oci/oci-dbtools-sql-analyst/SKILL.md +3 -0
  509. package/skills/oci/oci-devops-container-platform-engineer/SKILL.md +3 -0
  510. package/skills/oci/oci-exadata-database-architect/SKILL.md +3 -0
  511. package/skills/oci/oci-exadata-platform-architect/SKILL.md +3 -0
  512. package/skills/oci/oci-fusion-apps-environment-operator/SKILL.md +3 -0
  513. package/skills/oci/oci-goldengate-replication-operator/SKILL.md +3 -0
  514. package/skills/oci/oci-identity-access-governor/SKILL.md +3 -0
  515. package/skills/oci/oci-iot-digital-twin-engineer/SKILL.md +3 -0
  516. package/skills/oci/oci-limits-capacity-planner/SKILL.md +3 -0
  517. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/SKILL.md +3 -0
  518. package/skills/oci/oci-live-cost-budget-runaway-guard/SKILL.md +3 -0
  519. package/skills/oci/oci-live-iam-policy-compartment-guard/SKILL.md +3 -0
  520. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +60 -0
  521. package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
  522. package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
  523. package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
  524. package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
  525. package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
  526. package/skills/oci/oci-live-oke-rollout-guard/SKILL.md +3 -0
  527. package/skills/oci/oci-live-resource-manager-stack-guard/SKILL.md +3 -0
  528. package/skills/oci/oci-live-vault-key-destruction-guard/SKILL.md +3 -0
  529. package/skills/oci/oci-load-balancer-traffic-engineer/SKILL.md +3 -0
  530. package/skills/oci/oci-maestro/SKILL.md +3 -0
  531. package/skills/oci/oci-migration-cutover-architect/SKILL.md +3 -0
  532. package/skills/oci/oci-multi-cloud-architect/SKILL.md +3 -0
  533. package/skills/oci/oci-mysql-heatwave-ai-specialist/SKILL.md +3 -0
  534. package/skills/oci/oci-network-architect/SKILL.md +3 -0
  535. package/skills/oci/oci-observability-incident-responder/SKILL.md +3 -0
  536. package/skills/oci/oci-recovery-service-operator/SKILL.md +3 -0
  537. package/skills/oci/oci-registry-artifact-governor/SKILL.md +3 -0
  538. package/skills/oci/oci-resource-search-inventory-analyst/SKILL.md +3 -0
  539. package/skills/oci/oci-security-compliance-reviewer/SKILL.md +3 -0
  540. package/skills/oci/oci-solution-architect/SKILL.md +3 -0
  541. package/skills/oci/oci-storage-backup-steward/SKILL.md +3 -0
  542. package/skills/oci/oci-support-incident-coordinator/SKILL.md +3 -0
  543. package/skills/oci/oracle-oci-mcp-grounded-advisor/SKILL.md +3 -0
  544. package/skills/opentelemetry/README.md +31 -0
  545. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +47 -0
  546. package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
  547. package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
  548. package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
  549. package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
  550. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +41 -0
  551. package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
  552. package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
  553. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +42 -0
  554. package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
  555. package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
  556. package/skills/terraform/README.md +29 -0
  557. package/skills/terraform/terraform-maestro/SKILL.md +3 -0
  558. package/skills/velero/velero-backup-restore-guard/SKILL.md +44 -0
  559. package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
  560. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
  561. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,155 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Workflow
4
+
5
+ ### Step 1 — Identify the deployment mode
6
+
7
+ `OpenTelemetryCollector` supports four deployment modes, each appropriate for different use cases:
8
+
9
+ 1. **`mode: deployment`** — collector runs as a stateless `Deployment`, multiple replicas. Use for OTLP gateway / aggregation; NOT for hostmetrics.
10
+ 2. **`mode: statefulset`** — ordered, stable identity. Required for Target Allocator (sharding Prometheus scrape jobs across collectors).
11
+ 3. **`mode: daemonset`** — one collector per node. Use for hostmetrics, filelog (node-local logs), and per-node OTLP receiver.
12
+ 4. **`mode: sidecar`** — injected into application pods via annotation `sidecar.opentelemetry.io/inject: <name>`. Use for short-lived workloads or when application cannot reach a cluster-wide collector.
13
+
14
+ Common mismatches that are findings:
15
+
16
+ - `mode: deployment` with `hostmetrics` receiver — only one replica gets host data; data is incomplete.
17
+ - `mode: daemonset` with HTTP receiver bound to `0.0.0.0:4318` — every node opens a port; verify network policy.
18
+ - `mode: statefulset` without Target Allocator — wastes the ordered identity.
19
+ - `mode: sidecar` for high-volume workloads — every pod runs a collector; CPU/memory cost multiplies.
20
+
21
+ Reference: [Operator Modes](https://opentelemetry.io/docs/kubernetes/operator/) and the operator README in [open-telemetry/opentelemetry-operator](https://github.com/open-telemetry/opentelemetry-operator).
22
+
23
+ ### Step 2 — Audit the receivers
24
+
25
+ Receivers ingest telemetry. Common patterns:
26
+
27
+ - **`otlp`** — gRPC (`:4317`) and HTTP (`:4318`). Standard. Verify both protocols are needed; otherwise narrow.
28
+ - **`prometheus`** — scrapes Prometheus endpoints. Pair with Target Allocator at scale.
29
+ - **`hostmetrics`** — node CPU, memory, disk, network. Requires `hostNetwork` or volume mounts (`/hostfs`).
30
+ - **`filelog`** — reads pod/container logs. Requires `/var/log/pods` mount.
31
+ - **`k8s_cluster`** — cluster-level metrics (deployment status, node conditions). Requires RBAC.
32
+ - **`kubeletstats`** — kubelet per-node stats. Requires kubelet TLS configuration.
33
+
34
+ Findings to flag:
35
+
36
+ - `otlp` receiver with `tls.insecure: true` and inbound traffic from untrusted networks — telemetry can be tampered.
37
+ - `prometheus` receiver scraping endpoints with secrets in the response (rare; some vendor exporters do this) — sensitive data flows into the pipeline.
38
+ - `filelog` without a `multiline` config for stack traces — multi-line logs split into single-line entries.
39
+
40
+ ### Step 3 — Audit the processors (the safety net)
41
+
42
+ Processors transform data between receiver and exporter. **Two are essentially mandatory in production**:
43
+
44
+ 1. **`memory_limiter`** — drops data when collector memory exceeds a threshold. Without it, collector OOMs under load and loses everything in flight. Recommended position: **first** in the pipeline.
45
+ 2. **`batch`** — batches data before export. Without it, every span/metric is a separate export call; backend rate limits or network overhead destroy throughput. Recommended position: **last** before export.
46
+
47
+ Other commonly required processors:
48
+
49
+ - **`k8sattributes`** — enriches data with `k8s.namespace.name`, `k8s.pod.name`, `k8s.deployment.name`, `k8s.node.name`. Without it, dashboards and SLOs cannot group by Kubernetes object.
50
+ - **`resource`** — sets static resource attributes (e.g., `cluster.name`, `deployment.environment`).
51
+ - **`resourcedetection`** — auto-detects from environment, system, docker, kubernetes, GCP, AWS, Azure metadata services.
52
+ - **`tail_sampling`** — keeps a sample of complete traces. **Critical caveat: changes are not retroactive — already-collected windows do not get re-sampled.**
53
+ - **`filter`** — drops spans/metrics by attribute. Risk: a typo can drop everything.
54
+ - **`transform`** — modifies attribute values via OTTL. Risk: a bad OTTL expression can corrupt every signal.
55
+ - **`probabilistic_sampler`** — randomly samples a percentage. Simpler than tail sampling but loses correlated traces.
56
+
57
+ Stress-tests:
58
+
59
+ - Pipeline with no `memory_limiter` and high-volume traces — collector OOMs on burst, loses everything.
60
+ - Pipeline with `memory_limiter` placed **after** other processors — those processors run on data that should have been dropped, wasting CPU.
61
+ - Pipeline with `batch` placed **before** `tail_sampling` — sampling decisions are made per-batch, breaking trace coherence.
62
+ - Pipeline with `k8sattributes` `auth_type: serviceAccount` but no RBAC granting `pods/get,list,watch` — enrichment fails silently.
63
+
64
+ Reference: [Collector configuration](https://opentelemetry.io/docs/collector/configuration/) and [Collector processors](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor).
65
+
66
+ ### Step 4 — Audit the exporters
67
+
68
+ Exporters send data to backends. Findings:
69
+
70
+ - **No exporter on a pipeline** — the pipeline silently drops everything. Confirm at least one non-`debug` exporter per pipeline.
71
+ - **Only `debug` exporter** in production — data prints to collector logs and is not sent anywhere. Useful for testing only.
72
+ - **`tls.insecure: true`** on a production exporter — telemetry flows in plaintext. PII/PHI leak path.
73
+ - **Missing `sending_queue`** — exporter blocks the pipeline when backend is slow; backpressure cascades.
74
+ - **`sending_queue.enabled: false`** explicitly — telemetry is lost on any backend hiccup.
75
+ - **`retry_on_failure.enabled: false`** — temporary network failures lose data.
76
+ - **`prometheusremotewrite` exporter without `external_labels`** — multiple collectors write to the same Prometheus, time series collide.
77
+
78
+ Reference: [Exporter configuration patterns](https://opentelemetry.io/docs/collector/configuration/#exporters).
79
+
80
+ ### Step 5 — Audit the `service.pipelines` ordering
81
+
82
+ Three signal pipelines (`traces`, `metrics`, `logs`) compose receivers → processors → exporters. Order in the `processors` list **matters** — it is the execution order.
83
+
84
+ Recommended order for a traces pipeline:
85
+
86
+ ```yaml
87
+ service:
88
+ pipelines:
89
+ traces:
90
+ receivers: [otlp]
91
+ processors:
92
+ - memory_limiter # 1. drop early under pressure
93
+ - resourcedetection # 2. detect environment
94
+ - k8sattributes # 3. enrich with K8s context
95
+ - resource # 4. add static attributes
96
+ - tail_sampling # 5. sample after enrichment
97
+ - batch # 6. batch last
98
+ exporters: [otlp, debug]
99
+ ```
100
+
101
+ Common findings: `batch` not last, `memory_limiter` not first, `k8sattributes` after `tail_sampling` (sampling on un-enriched data, then enriching what survived = wasted).
102
+
103
+ ### Step 6 — Audit the `Instrumentation` CR
104
+
105
+ The `Instrumentation` CR (`opentelemetry.io/v1alpha1`) drives auto-instrumentation. Pods are instrumented when they have one of the annotations: `instrumentation.opentelemetry.io/inject-java`, `inject-nodejs`, `inject-python`, `inject-dotnet`, `inject-go`, or `inject-sdk`.
106
+
107
+ Critical concerns:
108
+
109
+ - **Removing an `Instrumentation` CR while pods reference it** — running pods continue working, but on next restart the init container injection fails, and the pod starts without instrumentation. Telemetry stops silently.
110
+ - **Image tag drift** — auto-instrumentation images are pinned per language. If the application moves to a newer runtime (e.g., Java 21) but the auto-instrumentation image hasn't been updated, instrumentation may not load.
111
+ - **`exporter.endpoint` pointing to a collector that no longer exists** — telemetry calls fail; application logs may show OTLP export errors.
112
+ - **`sampler.type: parentbased_traceidratio` with `argument: "0.0"`** — samples nothing.
113
+ - **Missing `propagators`** — distributed traces don't link across services.
114
+ - **`resource.resourceAttributes.deployment.environment` not set** — every environment looks the same in dashboards.
115
+
116
+ Reference: [Operator auto-instrumentation](https://opentelemetry.io/docs/kubernetes/operator/automatic/).
117
+
118
+ ### Step 7 — Audit the Target Allocator (StatefulSet mode)
119
+
120
+ When `targetAllocator.enabled: true`, Prometheus scrape jobs are sharded across the StatefulSet replicas. Findings:
121
+
122
+ - `targetAllocator.allocationStrategy: least-weighted` (default) is good for even distribution; `consistent-hashing` is better for re-shard stability.
123
+ - `targetAllocator.prometheusCR.enabled: true` requires `ServiceMonitor`/`PodMonitor` selectors. An empty selector matches everything; a too-narrow selector matches nothing.
124
+ - Missing RBAC for the Target Allocator — it cannot list ServiceMonitors and silently scrapes nothing.
125
+
126
+ Reference: [Target Allocator](https://opentelemetry.io/docs/kubernetes/operator/target-allocator/).
127
+
128
+ ### Step 8 — Stress-test operational hygiene
129
+
130
+ - Prefer `v1beta1` `OpenTelemetryCollector` over `v1alpha1` — current stable.
131
+ - Prefer named pipelines that match the source data shape (`traces/api`, `metrics/host`, `logs/app`) when one collector handles multiple streams.
132
+ - Prefer `debug` exporter only in non-production.
133
+ - Prefer `OTEL_RESOURCE_ATTRIBUTES` env propagation in `Instrumentation` over hardcoded values — makes the CR portable across environments.
134
+ - Test pipeline changes by sending synthetic OTLP and watching the collector's `otelcol_` self-metrics — `otelcol_exporter_send_failed_spans` should be zero.
135
+
136
+ ## Output
137
+
138
+ Return:
139
+
140
+ - **target**: which `OpenTelemetryCollector` (and mode) or `Instrumentation` CR,
141
+ - **evidence level**: `live evidence` / `documentation-based` / `sanitized user evidence` / `inference`,
142
+ - **deployment-mode appropriateness** for the use case,
143
+ - **pipeline correctness**: receivers, processors (with explicit `memory_limiter` and `batch` audit), exporters,
144
+ - **failure mode**: what happens when backend is unreachable or backed up,
145
+ - **risk findings** (with severity: high / medium / low),
146
+ - **safest next actions** with sample manifest changes and self-metric expectations,
147
+ - **rollback plan**: how to revert without losing the in-flight buffer,
148
+ - **assumptions and missing facts**.
149
+
150
+ ## Security notes
151
+
152
+ - Never recommend removing `memory_limiter` from a production pipeline.
153
+ - Never recommend `tls.insecure: true` on a production exporter shipping data outside the cluster.
154
+ - Never recommend deleting an `Instrumentation` CR without first confirming no running deployments reference it via annotation.
155
+ - Do not print collector authentication tokens or vendor API keys; reference them by configuration key only.
package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md ADDED
@@ -0,0 +1,41 @@
1
+ ---
2
+ name: prometheus-alerting-cardinality-review
3
+ description: Use this skill when reviewing Prometheus or AlertManager configuration for cardinality, alerting correctness, scrape security, remote_write safety, or retention adequacy. Trigger when a user provides prometheus.yml, alertmanager.yml, recording rules YAML, alerting rules YAML, or asks whether their Prometheus setup is production-ready.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-05-05"
9
+ category: observability
10
+ ---
11
+
12
+ # Prometheus Alerting and Cardinality Review
13
+
14
+ ## Purpose
15
+ This skill reviews Prometheus and AlertManager configuration for cardinality explosion risks, recording rule adequacy, alert expression correctness, routing tree safety, scrape configuration security, and retention posture. Cardinality explosion is the leading cause of Prometheus OOM crashes in production, and flapping alerts from missing `for:` durations erode on-call trust faster than any other alerting defect.
16
+
17
+ ## Lean operating rules
18
+ - Flag any label dimension that is unbounded at the application level (e.g., `user_id`, `request_id`, `session_id`, `url_path`, `pod_hash`) — these cause cardinality explosion and must be moved off the label set or aggregated away.
19
+ - Treat `prometheus_tsdb_head_series` exceeding 5 million as a cardinality warning threshold; note it if the user reports series counts or if the config makes it likely.
20
+ - Treat any alert rule with `for: 0m`, `for: 0s`, or no `for:` field as HIGH — bare threshold alerts flap on every scrape jitter.
21
+ - Treat `honor_labels: true` on any scrape target that is not a trusted federation endpoint as HIGH — it allows the scraped workload to override `job` and `instance` labels.
22
+ - Treat any scrape config with a non-cluster HTTP scheme (`http://external-host`) as a potential SSRF candidate and flag it.
23
+ - Recording rules are required for any PromQL expression used in dashboards or SLO burn-rate calculations; flag their absence as MEDIUM.
24
+ - Multi-window multi-burn-rate (MWMB) alerting is the correct pattern for SLO breach detection; flag single-window SLO alerts as MEDIUM.
25
+ - Flag `remote_write` configs where `write_relabel_configs` drop non-`__` metric labels — data loss is silent.
26
+ - Flag retention under 30 days with no `remote_write` or Thanos/Cortex integration as MEDIUM compliance risk.
27
+ - Do not recommend disabling any existing alert or recording rule without stating the specific reason and risk trade-off.
28
+
29
+ ## References
30
+ Load these only when needed:
31
+ - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review or formatting the final answer.
32
+
33
+ ## Response minimum
34
+ Return, at minimum:
35
+ - Cardinality risk assessment (label audit findings)
36
+ - Alert expression correctness findings (for: duration, absent() misuse, MWMB posture)
37
+ - AlertManager routing and inhibition findings
38
+ - Scrape config security findings
39
+ - Retention and remote_write findings
40
+ - Severity-labelled finding list (critical / high / medium / low)
41
+ - Safe next actions
package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json ADDED
@@ -0,0 +1,22 @@
1
+ {
2
+ "id": "prometheus-alerting-cardinality-review",
3
+ "name": "Prometheus Alerting and Cardinality Review",
4
+ "type": "skill",
5
+ "provider": "prometheus",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review Prometheus and AlertManager configuration for cardinality explosion, recording rules, alert expression correctness, routing, scrape security, and retention.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://prometheus.io/docs/prometheus/latest/querying/basics/",
11
+ "https://prometheus.io/docs/practices/naming/",
12
+ "https://prometheus.io/docs/practices/alerting/",
13
+ "https://prometheus.io/docs/alerting/latest/alertmanager/",
14
+ "https://prometheus.io/docs/prometheus/latest/storage/",
15
+ "https://prometheus.io/docs/practices/remote_write/"
16
+ ],
17
+ "security_notes": "honor_labels: true on untrusted scrape targets allows the scraped workload to override job/instance labels, enabling metric spoofing. Scrape configs pointing to external HTTP endpoints are SSRF candidates.",
18
+ "last_verified": "2026-05-02",
19
+ "path": "skills/prometheus/prometheus-alerting-cardinality-review",
20
+ "author": "github: Raishin",
21
+ "version": "0.1.0"
22
+ }
package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md ADDED
@@ -0,0 +1,221 @@
1
+ # Workflow and Output Contract
2
+
3
+ ## Workflow
4
+
5
+ ### Step 1 — Collect inputs
6
+
7
+ Ask the user to provide one or more of the following as sanitized YAML snippets (no real endpoints, no auth tokens):
8
+ - `prometheus.yml` (global, scrape_configs, rule_files, remote_write, alerting)
9
+ - Alerting rules YAML (`groups[].rules[]` with `alert:`, `expr:`, `for:`, `labels:`, `annotations:`)
10
+ - Recording rules YAML (`groups[].rules[]` with `record:`, `expr:`)
11
+ - `alertmanager.yml` (route, inhibit_rules, receivers)
12
+ - Optional: current `prometheus_tsdb_head_series` metric value or approximate series count
13
+
14
+ If the user provides only a partial config, note which sections are absent and limit findings to the provided scope.
15
+
16
+ ### Step 2 — Cardinality audit
17
+
18
+ Scan every `scrape_configs` job and every metric label dimension referenced in alerting and recording rules.
19
+
20
+ Check for:
21
+ - Labels sourced from high-cardinality application dimensions:
22
+ - `user_id`, `request_id`, `session_id`, `transaction_id`, `trace_id`
23
+ - `url_path`, `uri`, `endpoint` (unless aggressively normalized)
24
+ - `pod` or `container` labels used as primary grouping in `sum by()` without aggregation
25
+ - Use of `__` internal labels in user-facing metric names
26
+
27
+ Example cardinality risk:
28
+ ```yaml
29
+ # HIGH — request_id is unbounded; this creates one series per request
30
+ http_requests_total{method="GET", path="/api/v1/items", request_id="abc-123"} 1
31
+ ```
32
+
33
+ Correct pattern:
34
+ ```yaml
35
+ # CORRECT — drop high-cardinality label before exposition
36
+ http_requests_total{method="GET", path="/api/v1/items"} 1
37
+ ```
38
+
39
+ Note the `prometheus_tsdb_head_series` threshold: above 5 million series, TSDB memory pressure becomes significant. Above 10 million, OOM risk is high without explicit memory tuning (`--storage.tsdb.max-block-duration`, chunk encoding).
40
+
41
+ ### Step 3 — Recording rules audit
42
+
43
+ Check whether recording rules exist for:
44
+ - SLO error-rate expressions that appear in alerting rules
45
+ - High-cardinality aggregation queries used in Grafana dashboards
46
+ - Any `rate()` or `increase()` expression over a window longer than 5 minutes that is queried at sub-minute dashboard refresh
47
+
48
+ Flag absence of recording rules for any expression that appears more than once across rules files as MEDIUM.
49
+
50
+ Example correct recording rule:
51
+ ```yaml
52
+ groups:
53
+ - name: slo_recordings
54
+ rules:
55
+ - record: job:http_requests_total:rate5m
56
+ expr: sum(rate(http_requests_total[5m])) by (job)
57
+ ```
58
+
59
+ ### Step 4 — Alert expression correctness audit
60
+
61
+ For every `alert:` rule, check:
62
+
63
+ **4a. `for:` duration**
64
+ - Missing `for:` or `for: 0m` → HIGH (bare threshold, flapping)
65
+ - `for:` less than two scrape intervals → flag as LOW (alert may still flap)
66
+ - Recommended minimum: `for: 5m` for infrastructure alerts, `for: 1m` for latency SLOs
67
+
68
+ ```yaml
69
+ # HIGH — missing for:
70
+ - alert: HighErrorRate
71
+ expr: rate(http_errors_total[5m]) > 0.05
72
+
73
+ # CORRECT
74
+ - alert: HighErrorRate
75
+ expr: rate(http_errors_total[5m]) > 0.05
76
+ for: 5m
77
+ ```
78
+
79
+ **4b. `absent()` usage**
80
+ - `absent(some_metric)` fires if `some_metric` was never scraped — review whether the metric is always expected to exist
81
+ - If the metric only appears when the condition is active (e.g., an error counter), `absent()` fires in the absence of errors, which is a false positive
82
+
83
+ **4c. SLO alerting pattern**
84
+ - MWMB (multi-window multi-burn-rate) is the Google SRE-recommended SLO alerting pattern
85
+ - Single-window SLO alerts miss slow burns → MEDIUM finding
86
+
87
+ Example MWMB pattern:
88
+ ```yaml
89
+ # MWMB — fast burn (1h + 5m windows) and slow burn (6h + 30m windows)
90
+ - alert: SLOFastBurn
91
+ expr: >
92
+ (
93
+ job:slo_error_rate:rate1h > (14.4 * 0.001)
94
+ and
95
+ job:slo_error_rate:rate5m > (14.4 * 0.001)
96
+ )
97
+ for: 1m
98
+ labels:
99
+ severity: page
100
+ ```
101
+
102
+ ### Step 5 — AlertManager routing audit
103
+
104
+ Parse the `route:` tree and check:
105
+
106
+ **5a. Duplicate alert routing**
107
+ - Routes that lack `continue: false` on a catch-all receiver may send alerts to multiple receivers unexpectedly
108
+ - Verify whether `continue: true` on intermediate routes is intentional
109
+
110
+ **5b. Inhibition rules**
111
+ - `inhibit_rules[].source_matchers` and `target_matchers` must reference labels that actually appear on alerts
112
+ - Overly broad inhibition (e.g., `source_matchers: [severity="critical"]` without namespace scope) can suppress alerts across unrelated services
113
+
114
+ Example inhibition rule review:
115
+ ```yaml
116
+ # RISKY — inhibits all warnings when any critical fires, across all namespaces
117
+ inhibit_rules:
118
+ - source_matchers: [severity="critical"]
119
+ target_matchers: [severity="warning"]
120
+ equal: [alertname]
121
+ ```
122
+
123
+ **5c. Receiver configuration**
124
+ - Slack/PagerDuty receivers must have `api_url` or `routing_key` from environment variables or Kubernetes secrets — never hardcoded in the YAML
125
+ - Check for hardcoded webhook URLs or tokens as a CRITICAL security finding
126
+
127
+ ### Step 6 — Scrape config security audit
128
+
129
+ For every `scrape_configs` entry check:
130
+
131
+ **6a. `honor_labels`**
132
+ ```yaml
133
+ # HIGH — untrusted workload can override job/instance labels
134
+ scrape_configs:
135
+ - job_name: user-app
136
+ honor_labels: true
137
+ ```
138
+ Only `honor_labels: true` on trusted federation endpoints is acceptable.
139
+
140
+ **6b. External HTTP targets**
141
+ - Any target with a scheme pointing outside the cluster (e.g., `http://api.external.com`) is an SSRF candidate
142
+ - Flag all non-cluster targets for review
143
+
144
+ **6c. `job_name` uniqueness**
145
+ - Duplicate `job_name` values cause target label collisions — flag as HIGH
146
+
147
+ ### Step 7 — remote_write and retention audit
148
+
149
+ **7a. remote_write queue memory**
150
+ ```yaml
151
+ remote_write:
152
+ - url: https://metrics.example.com/api/v1/write
153
+ queue_config:
154
+ capacity: 100000 # HIGH memory if series count is large
155
+ max_samples_per_send: 10000
156
+ ```
157
+ Flag `capacity` values above 10,000 combined with high series counts as a memory risk.
158
+
159
+ **7b. write_relabel_configs label drops**
160
+ ```yaml
161
+ # MEDIUM — silently drops 'region' label before remote_write; data loss
162
+ write_relabel_configs:
163
+ - source_labels: [region]
164
+ action: labeldrop
165
+ ```
166
+ Flag any `labeldrop` or `labelmap` action that targets non-`__` labels without explicit justification.
167
+
168
+ **7c. Retention**
169
+ - Default Prometheus retention is 15 days (`--storage.tsdb.retention.time=15d`)
170
+ - No remote_write + retention < 30d → MEDIUM (compliance gap for most regulated environments)
171
+ - Recommend Thanos, Cortex, or Grafana Mimir for long-term storage
172
+
173
+ ### Step 8 — Produce the output
174
+
175
+ Format findings using the Output section below.
176
+
177
+ ---
178
+
179
+ ## Output
180
+
181
+ Return findings in this structure:
182
+
183
+ ```
184
+ ## Verdict
185
+ <one sentence summary: pass / needs work / critical issues found>
186
+
187
+ ## Evidence level
188
+ <live evidence | user-provided sanitized config | documentation-based | inference>
189
+
190
+ ## Findings
191
+
192
+ ### CRITICAL
193
+ - [C1] <finding title>: <description> — <remediation>
194
+
195
+ ### HIGH
196
+ - [H1] <finding title>: <description> — <remediation>
197
+
198
+ ### MEDIUM
199
+ - [M1] <finding title>: <description> — <remediation>
200
+
201
+ ### LOW
202
+ - [L1] <finding title>: <description> — <remediation>
203
+
204
+ ## Safe next actions
205
+ 1. <action>
206
+ 2. <action>
207
+ ...
208
+
209
+ ## Open questions
210
+ - <question requiring user clarification>
211
+ ```
212
+
213
+ ---
214
+
215
+ ## Security notes
216
+
217
+ - Never recommend setting `honor_labels: true` on any scrape target unless the user explicitly confirms it is a trusted Prometheus federation endpoint.
218
+ - Treat hardcoded webhook URLs, API keys, or tokens in `alertmanager.yml` receivers as CRITICAL — they must be moved to Kubernetes Secrets or environment variable references.
219
+ - Do not recommend disabling scrape TLS verification (`tls_config.insecure_skip_verify: true`) without flagging it as a security regression.
220
+ - Treat any recording rule or alert rule that references a metric with unbounded label cardinality as HIGH, even if the immediate symptom (OOM) has not yet occurred.
221
+ - Flag the absence of alerting on `prometheus_tsdb_head_series` itself — teams often have no alert for their own Prometheus health.
package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md ADDED
@@ -0,0 +1,42 @@
1
+ ---
2
+ name: sigstore-cosign-supply-chain-review
3
+ description: Use this skill when reviewing Sigstore Cosign supply chain security for Kubernetes workloads. Trigger when the user asks whether images are properly signed, whether Kyverno imageVerify policy is correctly scoped, whether SLSA provenance attestations exist, whether SBOM attestations are present, whether keyless signing is in use, or whether Rekor transparency log posture is appropriate for private images.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-05-05"
9
+ category: security
10
+ ---
11
+
12
+ # Sigstore Cosign Supply Chain Review
13
+
14
+ ## Purpose
15
+
16
+ Review Cosign image signing verification, Kyverno imageVerify admission policy, SBOM and SLSA provenance attestations, Rekor transparency log posture, and keyless vs key-based signing configuration against supply chain integrity, SLSA level claims, and Kubernetes admission-time enforcement. Sigstore's security model depends entirely on the identity constraints baked into admission policy — an imageVerify rule with no issuer or subject constraint is functionally equivalent to no verification at all.
17
+
18
+ ## Lean operating rules
19
+
20
+ - Prefer live evidence (`cosign verify`, `kubectl get clusterpolicies`, `cosign verify-attestation`) when the active client exposes it; otherwise fall back to official Sigstore documentation and sanitized YAML from the user.
21
+ - Separate confirmed facts from inference. If Kyverno policy state, Rekor log inclusion, or provenance attestation presence was not directly queried, say so.
22
+ - Treat a Kyverno imageVerify policy missing both `issuer` and `subject` constraints as a critical finding — any Sigstore-signed image from any identity passes.
23
+ - Treat `exclude` rules in imageVerify that match broad glob patterns (`*` or `registry.io/*`) as a high finding — third-party images bypass verification.
24
+ - Treat SLSA L2+ claimed but no SLSA provenance attestation verifiable via `slsa-verifier` as a high finding.
25
+ - Treat long-lived Cosign keypairs stored as CI secrets as a high finding — keyless OIDC Workload Identity is the preferred pattern.
26
+ - Treat `COSIGN_NO_TLOG=1` on non-private-Rekor setups as a medium finding — public transparency is disabled without a private transparency alternative.
27
+ - Keep the answer scoped, evidence-labeled, and explicit about what was not queried.
28
+
29
+ ## References
30
+
31
+ Load these only when needed:
32
+ - [Workflow and output contract](references/workflow-and-output.md)
33
+
34
+ ## Response minimum
35
+
36
+ Return, at minimum:
37
+ - the scoped target (image, imageVerify policy, CI pipeline signing step, or SLSA level claim) and evidence level,
38
+ - the signing identity (keyless OIDC via Fulcio, long-lived key, or unverified),
39
+ - the admission enforcement posture (Kyverno imageVerify, policy-controller, or none),
40
+ - the attestation inventory (SBOM present/absent, SLSA provenance present/absent),
41
+ - the Rekor transparency posture (public log, private log, or disabled),
42
+ - the safest next actions and any assumptions or blockers.
package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json ADDED
@@ -0,0 +1,22 @@
1
+ {
2
+ "id": "sigstore-cosign-supply-chain-review",
3
+ "name": "Sigstore Cosign Supply Chain Review",
4
+ "type": "skill",
5
+ "provider": "sigstore",
6
+ "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
7
+ "summary": "Review Sigstore Cosign image signing, Kyverno imageVerify policy, SBOM attestations, SLSA provenance, Rekor transparency log posture, and keyless vs key-based signing configuration for Kubernetes workload supply chain security.",
8
+ "source_type": "original",
9
+ "official_docs": [
10
+ "https://docs.sigstore.dev/cosign/overview/",
11
+ "https://docs.sigstore.dev/policy-controller/overview/",
12
+ "https://slsa.dev/spec/v1.0/requirements",
13
+ "https://kyverno.io/docs/writing-policies/verify-images/",
14
+ "https://docs.github.com/en/actions/security-guides/using-artifact-attestations",
15
+ "https://rekor.sigstore.dev/"
16
+ ],
17
+ "security_notes": "Kyverno imageVerify policy without subject/issuer constraints accepts any Sigstore-signed image regardless of signer identity. Long-lived Cosign keys in CI secrets allow retroactive signing of malicious images if the secret is compromised.",
18
+ "last_verified": "2026-05-02",
19
+ "path": "skills/sigstore/sigstore-cosign-supply-chain-review",
20
+ "author": "github: Raishin",
21
+ "version": "0.1.0"
22
+ }