@raishin/vanguard-frontier-agentic 1.3.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (261) hide show
  1. package/README.md +23 -1
  2. package/agents/kubernetes/README.md +10 -1
  3. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +12 -0
  4. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +12 -0
  5. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +12 -0
  6. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +12 -0
  7. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +12 -0
  8. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +1 -1
  9. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +12 -0
  10. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +6 -3
  11. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/references/least-privilege-rbac.yaml +98 -0
  12. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/references/rbac-pre-flight.md +108 -0
  13. package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/references/refusal-list.md +112 -0
  14. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +13 -1
  15. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +12 -0
  16. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +12 -0
  17. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +12 -0
  18. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +12 -0
  19. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +1 -1
  20. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +12 -0
  21. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +6 -3
  22. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/references/least-privilege-rbac.yaml +92 -0
  23. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/references/rbac-pre-flight.md +108 -0
  24. package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/references/refusal-list.md +112 -0
  25. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +13 -1
  26. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +12 -0
  27. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +12 -0
  28. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +12 -0
  29. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +12 -0
  30. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +1 -1
  31. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +12 -0
  32. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +6 -3
  33. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/references/least-privilege-rbac.yaml +101 -0
  34. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/references/rbac-pre-flight.md +106 -0
  35. package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/references/refusal-list.md +102 -0
  36. package/agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent/AGENT.md +71 -0
  37. package/agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent/harnesses/claude-code.agent.md +54 -0
  38. package/agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent/harnesses/codex.toml +38 -0
  39. package/agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent/harnesses/copilot.agent.md +54 -0
  40. package/agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent/harnesses/cursor.agent.md +54 -0
  41. package/agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent/harnesses/gemini.agent.md +54 -0
  42. package/agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
  43. package/agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent/harnesses/kiro-ide.agent.md +54 -0
  44. package/agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent/metadata.json +44 -0
  45. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +14 -2
  46. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +13 -1
  47. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +13 -1
  48. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +13 -1
  49. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +13 -1
  50. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +1 -1
  51. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +13 -1
  52. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +6 -3
  53. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/references/least-privilege-rbac.yaml +101 -0
  54. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/references/rbac-pre-flight.md +106 -0
  55. package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/references/refusal-list.md +102 -0
  56. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +12 -0
  57. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +12 -0
  58. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +12 -0
  59. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +12 -0
  60. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +12 -0
  61. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +1 -1
  62. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +12 -0
  63. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +6 -3
  64. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/references/least-privilege-rbac.yaml +92 -0
  65. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/references/rbac-pre-flight.md +115 -0
  66. package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/references/refusal-list.md +132 -0
  67. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +15 -3
  68. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +15 -3
  69. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +2 -2
  70. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +15 -3
  71. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +15 -3
  72. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +15 -3
  73. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +1 -1
  74. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +15 -3
  75. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +7 -4
  76. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/references/least-privilege-rbac.yaml +92 -0
  77. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/references/rbac-pre-flight.md +109 -0
  78. package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/references/refusal-list.md +122 -0
  79. package/agents/kubernetes/kubernetes-network-architecture-review-agent/AGENT.md +65 -0
  80. package/agents/kubernetes/kubernetes-network-architecture-review-agent/harnesses/claude-code.agent.md +48 -0
  81. package/agents/kubernetes/kubernetes-network-architecture-review-agent/harnesses/codex.toml +37 -0
  82. package/agents/kubernetes/kubernetes-network-architecture-review-agent/harnesses/copilot.agent.md +48 -0
  83. package/agents/kubernetes/kubernetes-network-architecture-review-agent/harnesses/cursor.agent.md +48 -0
  84. package/agents/kubernetes/kubernetes-network-architecture-review-agent/harnesses/gemini.agent.md +48 -0
  85. package/agents/kubernetes/kubernetes-network-architecture-review-agent/harnesses/kiro-cli.agent.json +5 -0
  86. package/agents/kubernetes/kubernetes-network-architecture-review-agent/harnesses/kiro-ide.agent.md +48 -0
  87. package/agents/kubernetes/kubernetes-network-architecture-review-agent/metadata.json +44 -0
  88. package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +2 -1
  89. package/agents/terraform/terraform-reviewer/AGENT.md +2 -1
  90. package/catalog/agents.json +78 -12
  91. package/catalog/install-roles.json +8 -4
  92. package/catalog/skill-manifest.json +521 -422
  93. package/catalog/skills.json +67 -0
  94. package/package.json +23 -4
  95. package/schemas/AGENTS.md +14 -0
  96. package/schemas/agent.frontmatter.schema.json +89 -0
  97. package/schemas/agent.schema.json +8 -0
  98. package/schemas/skill.frontmatter.schema.json +95 -0
  99. package/scripts/apply-skill-allowed-tools.py +142 -0
  100. package/scripts/backfill-skill-metadata.py +410 -0
  101. package/scripts/export-marketplace-agents.mjs +175 -0
  102. package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +3 -0
  103. package/skills/argocd/argocd-gitops-review/SKILL.md +3 -0
  104. package/skills/aws/aws-agentcore/SKILL.md +3 -0
  105. package/skills/aws/aws-api-edge-delivery-review/SKILL.md +3 -0
  106. package/skills/aws/aws-bedrock-agent-security-governor/SKILL.md +3 -0
  107. package/skills/aws/aws-change-impact-advisor/SKILL.md +3 -0
  108. package/skills/aws/aws-ci-cd-release-engineer/SKILL.md +3 -0
  109. package/skills/aws/aws-compliance-evidence-mapper/SKILL.md +3 -0
  110. package/skills/aws/aws-cost-anomaly-watch-coordinator/SKILL.md +3 -0
  111. package/skills/aws/aws-cost-optimization-governor/SKILL.md +3 -0
  112. package/skills/aws/aws-daily-operations-briefing-coordinator/SKILL.md +3 -0
  113. package/skills/aws/aws-data-protection-backup-steward/SKILL.md +3 -0
  114. package/skills/aws/aws-deployment-hotfix-operator/SKILL.md +3 -0
  115. package/skills/aws/aws-devops-agent-skill-designer/SKILL.md +3 -0
  116. package/skills/aws/aws-dynamodb-data-modeling-performance-review/SKILL.md +3 -0
  117. package/skills/aws/aws-ec2-compute-operations-steward/SKILL.md +3 -0
  118. package/skills/aws/aws-ecs-fargate-platform-operator/SKILL.md +3 -0
  119. package/skills/aws/aws-ecs-service-remediation-operator/SKILL.md +3 -0
  120. package/skills/aws/aws-eks-platform-operator/SKILL.md +3 -0
  121. package/skills/aws/aws-event-driven-architecture-review/SKILL.md +3 -0
  122. package/skills/aws/aws-generative-ai-developer/SKILL.md +3 -0
  123. package/skills/aws/aws-iac-change-safety-review/SKILL.md +3 -0
  124. package/skills/aws/aws-iac-patch-executor/SKILL.md +3 -0
  125. package/skills/aws/aws-iam-least-privilege-review/SKILL.md +3 -0
  126. package/skills/aws/aws-kms-secrets-lifecycle-steward/SKILL.md +3 -0
  127. package/skills/aws/aws-landing-zone-governor/SKILL.md +3 -0
  128. package/skills/aws/aws-live-deployment-guarded-operator/SKILL.md +3 -0
  129. package/skills/aws/aws-live-ecs-rollout-guard/SKILL.md +3 -0
  130. package/skills/aws/aws-live-iac-change-guard/SKILL.md +3 -0
  131. package/skills/aws/aws-live-pipeline-approval-operator/SKILL.md +3 -0
  132. package/skills/aws/aws-live-serverless-release-guard/SKILL.md +3 -0
  133. package/skills/aws/aws-maestro/SKILL.md +3 -0
  134. package/skills/aws/aws-migration-cutover-architect/SKILL.md +3 -0
  135. package/skills/aws/aws-network-architect/SKILL.md +3 -0
  136. package/skills/aws/aws-non-destructive-task-automation-advisor/SKILL.md +3 -0
  137. package/skills/aws/aws-observability-incident-responder/SKILL.md +3 -0
  138. package/skills/aws/aws-pipeline-fix-operator/SKILL.md +3 -0
  139. package/skills/aws/aws-private-ca-issuer-review/SKILL.md +3 -0
  140. package/skills/aws/aws-rds-aurora-performance-investigator/SKILL.md +3 -0
  141. package/skills/aws/aws-resilience-bcdr-review/SKILL.md +3 -0
  142. package/skills/aws/aws-s3-data-perimeter-governor/SKILL.md +3 -0
  143. package/skills/aws/aws-security-posture-hardening/SKILL.md +3 -0
  144. package/skills/aws/aws-serverless-production-readiness/SKILL.md +3 -0
  145. package/skills/aws/aws-serverless-rollout-corrector/SKILL.md +3 -0
  146. package/skills/aws/aws-solution-architect/SKILL.md +3 -0
  147. package/skills/aws/aws-ticket-triage-escalation-coordinator/SKILL.md +3 -0
  148. package/skills/azure/azure-ai-foundry-ops-governor/SKILL.md +3 -0
  149. package/skills/azure/azure-aks-platform-operator/SKILL.md +3 -0
  150. package/skills/azure/azure-app-service-production-readiness/SKILL.md +3 -0
  151. package/skills/azure/azure-cosmosdb-application-developer/SKILL.md +3 -0
  152. package/skills/azure/azure-cosmosdb-performance-investigator/SKILL.md +3 -0
  153. package/skills/azure/azure-cosmosdb-platform-operator/SKILL.md +3 -0
  154. package/skills/azure/azure-cost-estimation-review/SKILL.md +3 -0
  155. package/skills/azure/azure-cost-optimization-governor/SKILL.md +3 -0
  156. package/skills/azure/azure-entra-id-specialist/SKILL.md +3 -0
  157. package/skills/azure/azure-governance-policy-guardrails/SKILL.md +3 -0
  158. package/skills/azure/azure-identity-governance-review/SKILL.md +3 -0
  159. package/skills/azure/azure-key-vault-secret-lifecycle-auditor/SKILL.md +3 -0
  160. package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +3 -0
  161. package/skills/azure/azure-landing-zone-architect/SKILL.md +3 -0
  162. package/skills/azure/azure-live-aks-rollout-guard/SKILL.md +3 -0
  163. package/skills/azure/azure-live-app-service-slot-swap-guard/SKILL.md +3 -0
  164. package/skills/azure/azure-live-arm-deployment-stack-guard/SKILL.md +3 -0
  165. package/skills/azure/azure-live-cost-budget-action-guard/SKILL.md +3 -0
  166. package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +3 -0
  167. package/skills/azure/azure-live-keyvault-rotation-purge-guard/SKILL.md +3 -0
  168. package/skills/azure/azure-live-pim-jit-activation-guard/SKILL.md +3 -0
  169. package/skills/azure/azure-maestro/SKILL.md +3 -0
  170. package/skills/azure/azure-migrate-landing-zone-cutover/SKILL.md +3 -0
  171. package/skills/azure/azure-network-topology-review/SKILL.md +3 -0
  172. package/skills/azure/azure-observability-investigator/SKILL.md +3 -0
  173. package/skills/azure/azure-platform-automation-devops/SKILL.md +3 -0
  174. package/skills/azure/azure-private-endpoint-adoption-planner/SKILL.md +3 -0
  175. package/skills/azure/azure-rbac-review/SKILL.md +3 -0
  176. package/skills/azure/azure-resilience-bcdr-review/SKILL.md +3 -0
  177. package/skills/azure/azure-resource-health-incident-triage/SKILL.md +3 -0
  178. package/skills/azure/azure-role-selector/SKILL.md +3 -0
  179. package/skills/azure/azure-security-posture-hardening/SKILL.md +3 -0
  180. package/skills/azure/azure-subscription-resource-organization/SKILL.md +3 -0
  181. package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +3 -0
  182. package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +3 -0
  183. package/skills/cilium/cilium-network-policy-review/SKILL.md +3 -0
  184. package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +3 -0
  185. package/skills/finops/finops-cloud-price-advisor/SKILL.md +3 -0
  186. package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +3 -0
  187. package/skills/istio/istio-ambient-mesh-review/SKILL.md +3 -0
  188. package/skills/kubernetes/README.md +5 -1
  189. package/skills/kubernetes/external-secrets-operator-review/SKILL.md +3 -0
  190. package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +3 -0
  191. package/skills/kubernetes/kubernetes-live-network-architecture-mutation-guard/SKILL.md +82 -0
  192. package/skills/kubernetes/kubernetes-live-network-architecture-mutation-guard/metadata.json +33 -0
  193. package/skills/kubernetes/kubernetes-live-network-architecture-mutation-guard/references/least-privilege-rbac.yaml +210 -0
  194. package/skills/kubernetes/kubernetes-live-network-architecture-mutation-guard/references/official-sources.md +41 -0
  195. package/skills/kubernetes/kubernetes-live-network-architecture-mutation-guard/references/permitted-mutations.md +173 -0
  196. package/skills/kubernetes/kubernetes-live-network-architecture-mutation-guard/references/rbac-pre-flight.md +252 -0
  197. package/skills/kubernetes/kubernetes-live-network-architecture-mutation-guard/references/refusal-list.md +313 -0
  198. package/skills/kubernetes/kubernetes-live-network-architecture-mutation-guard/references/rollback-patterns.md +103 -0
  199. package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +3 -0
  200. package/skills/kubernetes/kubernetes-maestro/SKILL.md +3 -0
  201. package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +1 -1
  202. package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +57 -5
  203. package/skills/kubernetes/kubernetes-network-architecture-review/SKILL.md +84 -0
  204. package/skills/kubernetes/kubernetes-network-architecture-review/metadata.json +34 -0
  205. package/skills/kubernetes/kubernetes-network-architecture-review/references/dataplane-and-cni.md +89 -0
  206. package/skills/kubernetes/kubernetes-network-architecture-review/references/dns-and-discovery.md +120 -0
  207. package/skills/kubernetes/kubernetes-network-architecture-review/references/mcp-and-evidence.md +53 -0
  208. package/skills/kubernetes/kubernetes-network-architecture-review/references/multi-cluster-and-egress.md +69 -0
  209. package/skills/kubernetes/kubernetes-network-architecture-review/references/official-sources.md +54 -0
  210. package/skills/kubernetes/kubernetes-network-architecture-review/references/service-gateway-routing.md +108 -0
  211. package/skills/kubernetes/kubernetes-network-architecture-review/references/troubleshooting-playbook.md +100 -0
  212. package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +3 -0
  213. package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +3 -0
  214. package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +3 -0
  215. package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +3 -0
  216. package/skills/kyverno/kyverno-policy-review/SKILL.md +3 -0
  217. package/skills/oci/oci-autonomous-database-architect/SKILL.md +3 -0
  218. package/skills/oci/oci-certificates-issuer-review/SKILL.md +3 -0
  219. package/skills/oci/oci-cloud-guard-responder/SKILL.md +3 -0
  220. package/skills/oci/oci-compute-instance-agent-operator/SKILL.md +3 -0
  221. package/skills/oci/oci-compute-platform-operator/SKILL.md +3 -0
  222. package/skills/oci/oci-cost-finops-analyst/SKILL.md +3 -0
  223. package/skills/oci/oci-database-platform-dba/SKILL.md +3 -0
  224. package/skills/oci/oci-dbtools-sql-analyst/SKILL.md +3 -0
  225. package/skills/oci/oci-devops-container-platform-engineer/SKILL.md +3 -0
  226. package/skills/oci/oci-exadata-database-architect/SKILL.md +3 -0
  227. package/skills/oci/oci-exadata-platform-architect/SKILL.md +3 -0
  228. package/skills/oci/oci-fusion-apps-environment-operator/SKILL.md +3 -0
  229. package/skills/oci/oci-goldengate-replication-operator/SKILL.md +3 -0
  230. package/skills/oci/oci-identity-access-governor/SKILL.md +3 -0
  231. package/skills/oci/oci-iot-digital-twin-engineer/SKILL.md +3 -0
  232. package/skills/oci/oci-limits-capacity-planner/SKILL.md +3 -0
  233. package/skills/oci/oci-live-autonomous-db-lifecycle-guard/SKILL.md +3 -0
  234. package/skills/oci/oci-live-cost-budget-runaway-guard/SKILL.md +3 -0
  235. package/skills/oci/oci-live-iam-policy-compartment-guard/SKILL.md +3 -0
  236. package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +3 -0
  237. package/skills/oci/oci-live-oke-rollout-guard/SKILL.md +3 -0
  238. package/skills/oci/oci-live-resource-manager-stack-guard/SKILL.md +3 -0
  239. package/skills/oci/oci-live-vault-key-destruction-guard/SKILL.md +3 -0
  240. package/skills/oci/oci-load-balancer-traffic-engineer/SKILL.md +3 -0
  241. package/skills/oci/oci-maestro/SKILL.md +3 -0
  242. package/skills/oci/oci-migration-cutover-architect/SKILL.md +3 -0
  243. package/skills/oci/oci-multi-cloud-architect/SKILL.md +3 -0
  244. package/skills/oci/oci-mysql-heatwave-ai-specialist/SKILL.md +3 -0
  245. package/skills/oci/oci-network-architect/SKILL.md +3 -0
  246. package/skills/oci/oci-observability-incident-responder/SKILL.md +3 -0
  247. package/skills/oci/oci-recovery-service-operator/SKILL.md +3 -0
  248. package/skills/oci/oci-registry-artifact-governor/SKILL.md +3 -0
  249. package/skills/oci/oci-resource-search-inventory-analyst/SKILL.md +3 -0
  250. package/skills/oci/oci-security-compliance-reviewer/SKILL.md +3 -0
  251. package/skills/oci/oci-solution-architect/SKILL.md +3 -0
  252. package/skills/oci/oci-storage-backup-steward/SKILL.md +3 -0
  253. package/skills/oci/oci-support-incident-coordinator/SKILL.md +3 -0
  254. package/skills/oci/oracle-oci-mcp-grounded-advisor/SKILL.md +3 -0
  255. package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +3 -0
  256. package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +3 -0
  257. package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +3 -0
  258. package/skills/terraform/terraform-maestro/SKILL.md +3 -0
  259. package/skills/velero/velero-backup-restore-guard/SKILL.md +5 -2
  260. package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +1 -1
  261. package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +17 -8
package/catalog/agents.json CHANGED
@@ -2594,14 +2594,14 @@
2594
2594
  "gemini",
2595
2595
  "kiro"
2596
2596
  ],
2597
- "last_verified": "2026-05-01",
2597
+ "last_verified": "2026-05-08",
2598
2598
  "official_docs": [
2599
2599
  "https://kyverno.io/docs/",
2600
2600
  "https://kyverno.io/docs/writing-policies/validate/",
2601
2601
  "https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/",
2602
2602
  "https://kubernetes.io/docs/concepts/security/pod-security-admission/"
2603
2603
  ],
2604
- "security_notes": "Changing failureAction from Enforce to Audit in production silently unblocks violations. Deleting a ClusterPolicy removes admission control for ALL namespaces simultaneously. PolicyException without expiry is permanent.",
2604
+ "security_notes": "Changing failureAction from Enforce to Audit in production silently unblocks violations. Deleting a ClusterPolicy removes admission control for ALL namespaces simultaneously. PolicyException without expiry is permanent. Per docs/least-privilege-rbac.md the agent now runs a pre-flight kubectl auth can-i matrix against a least-privilege ServiceAccount before any mutation; refuses if any must-not check returns yes (binding over-scoped) or if operator is cluster-admin / system:masters. References shipped: least-privilege-rbac.yaml (deny-by-default ClusterRole), rbac-pre-flight.md (positive + negative resourceName tests), refusal-list.md (universal one-way doors plus domain-specific HARD REFUSE list). Refuses to read or process credentials volunteered by the operator; uses only the in-pod ServiceAccount token at /var/run/secrets/kubernetes.io/serviceaccount/token.",
2605
2605
  "source_type": "original",
2606
2606
  "version": "0.1.0"
2607
2607
  },
@@ -2620,14 +2620,14 @@
2620
2620
  "gemini",
2621
2621
  "kiro"
2622
2622
  ],
2623
- "last_verified": "2026-05-01",
2623
+ "last_verified": "2026-05-08",
2624
2624
  "official_docs": [
2625
2625
  "https://argo-cd.readthedocs.io/en/stable/",
2626
2626
  "https://argo-cd.readthedocs.io/en/stable/user-guide/projects/",
2627
2627
  "https://argo-cd.readthedocs.io/en/stable/operator-manual/sync-windows/",
2628
2628
  "https://argo-cd.readthedocs.io/en/stable/operator-manual/sync-impersonation/"
2629
2629
  ],
2630
- "security_notes": "Deleting or disabling a sync-window removes the last gate blocking unreviewed changes to production. Expanding AppProject clusterResourceWhitelist to ['*/*'] grants full cluster write. RollingSync requires auto-sync disabled.",
2630
+ "security_notes": "Deleting or disabling a sync-window removes the last gate blocking unreviewed changes to production. Expanding AppProject clusterResourceWhitelist to ['*/*'] grants full cluster write. RollingSync requires auto-sync disabled. Per docs/least-privilege-rbac.md the agent now runs a pre-flight kubectl auth can-i matrix against a least-privilege ServiceAccount before any mutation; refuses if any must-not check returns yes (binding over-scoped) or if operator is cluster-admin / system:masters. References shipped: least-privilege-rbac.yaml (deny-by-default ClusterRole), rbac-pre-flight.md (positive + negative resourceName tests), refusal-list.md (universal one-way doors plus domain-specific HARD REFUSE list). Refuses to read or process credentials volunteered by the operator; uses only the in-pod ServiceAccount token at /var/run/secrets/kubernetes.io/serviceaccount/token.",
2631
2631
  "source_type": "original",
2632
2632
  "version": "0.1.0"
2633
2633
  },
@@ -2646,14 +2646,47 @@
2646
2646
  "gemini",
2647
2647
  "kiro"
2648
2648
  ],
2649
- "last_verified": "2026-05-01",
2649
+ "last_verified": "2026-05-08",
2650
2650
  "official_docs": [
2651
2651
  "https://istio.io/latest/docs/ambient/",
2652
2652
  "https://istio.io/latest/docs/reference/config/security/authorization-policy/",
2653
2653
  "https://istio.io/latest/docs/reference/config/security/peer_authentication/",
2654
2654
  "https://istio.io/latest/docs/ops/diagnostic-tools/istioctl-analyze/"
2655
2655
  ],
2656
- "security_notes": "Changing PeerAuthentication from STRICT to PERMISSIVE disables mTLS for all traffic to matched workloads. Deleting the only DENY AuthorizationPolicy removes the default-deny posture. L7 AuthorizationPolicy in ambient without waypoint is silently bypassed.",
2656
+ "security_notes": "Changing PeerAuthentication from STRICT to PERMISSIVE disables mTLS for all traffic to matched workloads. Deleting the only DENY AuthorizationPolicy removes the default-deny posture. L7 AuthorizationPolicy in ambient without waypoint is silently bypassed. Per docs/least-privilege-rbac.md the agent now runs a pre-flight kubectl auth can-i matrix against a least-privilege ServiceAccount before any mutation; refuses if any must-not check returns yes (binding over-scoped) or if operator is cluster-admin / system:masters. References shipped: least-privilege-rbac.yaml (deny-by-default ClusterRole), rbac-pre-flight.md (positive + negative resourceName tests), refusal-list.md (universal one-way doors plus domain-specific HARD REFUSE list). Refuses to read or process credentials volunteered by the operator; uses only the in-pod ServiceAccount token at /var/run/secrets/kubernetes.io/serviceaccount/token.",
2657
+ "source_type": "original",
2658
+ "version": "0.1.0"
2659
+ },
2660
+ {
2661
+ "id": "kubernetes-live-network-architecture-mutation-guard-agent",
2662
+ "name": "Kubernetes Live Network Architecture Mutation Guard",
2663
+ "type": "agent",
2664
+ "provider": "kubernetes",
2665
+ "summary": "Guard live kubectl apply/patch/create operations on networking architecture surface (Service spec, CoreDNS Corefile, NodeLocal DNSCache install, Gateway API resources, ClusterMesh peer Secrets). HARD REFUSE one-way doors (CNI replacement, kube-proxy mode swap, MTU change, Pod/Service CIDR resize, namespace deletion, kube-system DaemonSet writes). Pre-flight kubectl auth can-i matrix against a least-privilege ServiceAccount before any write.",
2666
+ "path": "agents/kubernetes/kubernetes-live-network-architecture-mutation-guard-agent",
2667
+ "harnesses": [
2668
+ "codex",
2669
+ "copilot",
2670
+ "claude-code",
2671
+ "cursor",
2672
+ "gemini",
2673
+ "kiro"
2674
+ ],
2675
+ "last_verified": "2026-05-08",
2676
+ "official_docs": [
2677
+ "https://kubernetes.io/docs/concepts/security/rbac-good-practices/",
2678
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
2679
+ "https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i/",
2680
+ "https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/",
2681
+ "https://kubernetes.io/docs/concepts/services-networking/topology-aware-routing/",
2682
+ "https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/",
2683
+ "https://gateway-api.sigs.k8s.io/api-types/gateway/",
2684
+ "https://gateway-api.sigs.k8s.io/api-types/httproute/",
2685
+ "https://gateway-api.sigs.k8s.io/api-types/grpcroute/",
2686
+ "https://coredns.io/plugins/reload/",
2687
+ "https://docs.cilium.io/en/stable/network/clustermesh/clustermesh/"
2688
+ ],
2689
+ "security_notes": "Cluster-side enforcement via least-privilege ServiceAccount per docs/least-privilege-rbac.md. Deliberately omitted: namespaces (any verb), pods (any verb), broad secrets, kube-system DaemonSets/Deployments writes, CRDs, any cluster-wide delete verb, any wildcard. Pre-flight kubectl auth can-i matrix MUST run before any mutation; refuses if any must-not check returns yes or operator is cluster-admin / system:masters. HARD REFUSE list covers one-way doors no agent in this repo will execute.",
2657
2690
  "source_type": "original",
2658
2691
  "version": "0.1.0"
2659
2692
  },
@@ -2672,14 +2705,14 @@
2672
2705
  "gemini",
2673
2706
  "kiro"
2674
2707
  ],
2675
- "last_verified": "2026-05-01",
2708
+ "last_verified": "2026-05-08",
2676
2709
  "official_docs": [
2677
2710
  "https://docs.cilium.io/en/stable/network/kubernetes/policy/",
2678
2711
  "https://docs.cilium.io/en/stable/network/egress-gateway/",
2679
2712
  "https://docs.cilium.io/en/stable/observability/hubble/",
2680
2713
  "https://kubernetes.io/docs/concepts/services-networking/network-policies/"
2681
2714
  ],
2682
- "security_notes": "Deleting a default-deny CiliumNetworkPolicy removes all ingress/egress restrictions for matched workloads. toCIDRSet change to include 0.0.0.0/0 without excluding 169.254.169.254/32 opens the cloud metadata service. CiliumClusterwideNetworkPolicy changes affect all namespaces simultaneously.",
2715
+ "security_notes": "Deleting a default-deny CiliumNetworkPolicy removes all ingress/egress restrictions for matched workloads. toCIDRSet change to include 0.0.0.0/0 without excluding 169.254.169.254/32 opens the cloud metadata service. CiliumClusterwideNetworkPolicy changes affect all namespaces simultaneously. Per docs/least-privilege-rbac.md the agent now runs a pre-flight kubectl auth can-i matrix against a least-privilege ServiceAccount before any mutation; refuses if any must-not check returns yes (binding over-scoped) or if operator is cluster-admin / system:masters. References shipped: least-privilege-rbac.yaml (deny-by-default ClusterRole), rbac-pre-flight.md (positive + negative resourceName tests), refusal-list.md (universal one-way doors plus domain-specific HARD REFUSE list). Refuses to read or process credentials volunteered by the operator; uses only the in-pod ServiceAccount token at /var/run/secrets/kubernetes.io/serviceaccount/token.",
2683
2716
  "source_type": "original",
2684
2717
  "version": "0.1.0"
2685
2718
  },
@@ -2704,8 +2737,8 @@
2704
2737
  "https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/",
2705
2738
  "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
2706
2739
  ],
2707
- "security_notes": "Capture current RBAC state before every mutation — no built-in rollback. Block escalate, bind, and impersonate verbs without platform-team approval. Never approve wildcard grants. Cached tokens remain valid after binding deletion until expiry.",
2708
- "last_verified": "2026-05-01",
2740
+ "security_notes": "Capture current RBAC state before every mutation — no built-in rollback. Block escalate, bind, and impersonate verbs without platform-team approval. Never approve wildcard grants. Cached tokens remain valid after binding deletion until expiry. Per docs/least-privilege-rbac.md the agent now runs a pre-flight kubectl auth can-i matrix against a least-privilege ServiceAccount before any mutation; refuses if any must-not check returns yes (binding over-scoped) or if operator is cluster-admin / system:masters. References shipped: least-privilege-rbac.yaml (deny-by-default ClusterRole), rbac-pre-flight.md (positive + negative resourceName tests), refusal-list.md (universal one-way doors plus domain-specific HARD REFUSE list). Refuses to read or process credentials volunteered by the operator; uses only the in-pod ServiceAccount token at /var/run/secrets/kubernetes.io/serviceaccount/token.",
2741
+ "last_verified": "2026-05-08",
2709
2742
  "path": "agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent",
2710
2743
  "author": "github: Raishin",
2711
2744
  "version": "0.1.0"
@@ -2732,8 +2765,8 @@
2732
2765
  "https://velero.io/docs/latest/locations/",
2733
2766
  "https://velero.io/docs/latest/hooks/"
2734
2767
  ],
2735
- "security_notes": "Velero restore with existingResourcePolicy:update can overwrite live RBAC resources, Secrets, and ServiceAccounts — equivalent to a partial cluster wipe. BSL credentials with write-only access prevent listing/deleting old backups, causing runaway storage costs. Never proceed with cluster-wide restores without explicit platform-team sign-off.",
2736
- "last_verified": "2026-05-02",
2768
+ "security_notes": "Velero restore with existingResourcePolicy:update can overwrite live RBAC resources, Secrets, and ServiceAccounts — equivalent to a partial cluster wipe. BSL credentials with write-only access prevent listing/deleting old backups, causing runaway storage costs. Never proceed with cluster-wide restores without explicit platform-team sign-off. Per docs/least-privilege-rbac.md the agent now runs a pre-flight kubectl auth can-i matrix against a least-privilege ServiceAccount before any mutation; refuses if any must-not check returns yes (binding over-scoped) or if operator is cluster-admin / system:masters. References shipped: least-privilege-rbac.yaml (deny-by-default ClusterRole), rbac-pre-flight.md (positive + negative resourceName tests), refusal-list.md (universal one-way doors plus domain-specific HARD REFUSE list). Refuses to read or process credentials volunteered by the operator; uses only the in-pod ServiceAccount token at /var/run/secrets/kubernetes.io/serviceaccount/token.",
2769
+ "last_verified": "2026-05-08",
2737
2770
  "path": "agents/kubernetes/kubernetes-live-velero-restore-guard-agent",
2738
2771
  "version": "0.1.0"
2739
2772
  },
@@ -2767,6 +2800,39 @@
2767
2800
  "source_type": "original",
2768
2801
  "version": "0.1.0"
2769
2802
  },
2803
+ {
2804
+ "id": "kubernetes-network-architecture-review-agent",
2805
+ "name": "Kubernetes Network Architecture Review",
2806
+ "type": "agent",
2807
+ "provider": "kubernetes",
2808
+ "summary": "Agent for kubernetes-network-architecture-review. Review Kubernetes cluster network architecture: CNI and dataplane (kube-proxy mode, IPAM, MTU, encapsulation, dual-stack), Service surface (EndpointSlices, internalTrafficPolicy, externalTrafficPolicy, topology-aware routing), Ingress to Gateway API migration, CoreDNS and NodeLocal DNSCache, multi-cluster topology (ClusterMesh, Submariner, MCS-API), egress topology, and connectivity observability and troubleshooting. Read-only; delegates NetworkPolicy content and live mutations to companion agents.",
2809
+ "path": "agents/kubernetes/kubernetes-network-architecture-review-agent",
2810
+ "harnesses": [
2811
+ "codex",
2812
+ "copilot",
2813
+ "claude-code",
2814
+ "cursor",
2815
+ "gemini",
2816
+ "kiro"
2817
+ ],
2818
+ "last_verified": "2026-05-07",
2819
+ "official_docs": [
2820
+ "https://kubernetes.io/docs/concepts/services-networking/",
2821
+ "https://kubernetes.io/docs/reference/networking/virtual-ips/",
2822
+ "https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/",
2823
+ "https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/",
2824
+ "https://kubernetes.io/docs/concepts/services-networking/topology-aware-routing/",
2825
+ "https://kubernetes.io/docs/concepts/services-networking/dual-stack/",
2826
+ "https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/",
2827
+ "https://gateway-api.sigs.k8s.io/",
2828
+ "https://docs.cilium.io/en/stable/network/concepts/",
2829
+ "https://docs.cilium.io/en/stable/network/kube-proxy-replacement/",
2830
+ "https://coredns.io/plugins/kubernetes/"
2831
+ ],
2832
+ "security_notes": "Pod and Service CIDR sizing are one-way architectural doors on most stacks. kube-proxy mode swap and CNI replacement are connectivity-affecting rollouts requiring an explicit cutover plan. MTU mismatch between underlay and overlay is a silent payload-stall failure mode. externalTrafficPolicy: Local black-holes traffic when no local endpoint exists. NodeLocal DNSCache OOM produces a node-wide DNS outage via stale packet-filter redirect to an unhealthy pod. Multi-cluster pod CIDR collisions break any cross-cluster scheme regardless of policy correctness. Linux Foundation CKNE program curriculum is not yet published as of last_verified; this agent is grounded in upstream Kubernetes, Gateway API, Cilium, and CoreDNS documentation.",
2833
+ "source_type": "original",
2834
+ "version": "0.1.0"
2835
+ },
2770
2836
  {
2771
2837
  "id": "kubernetes-pod-spec-review-agent",
2772
2838
  "name": "Kubernetes Pod Spec Review",
package/catalog/install-roles.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "version": "0.1.0",
3
- "description": "Role-based agent and skill selections for vfa-export-agents --role installs. Each role maps to the minimal, high-value agent and skill IDs a practitioner in that function needs across all supported cloud providers. Roles are intentionally overlapping \u2014 a single agent may serve multiple roles.",
3
+ "description": "Role-based agent and skill selections for vfa-export-agents --role installs. Each role maps to the minimal, high-value agent and skill IDs a practitioner in that function needs across all supported cloud providers. Roles are intentionally overlapping a single agent may serve multiple roles.",
4
4
  "roles": {
5
5
  "cloud-security-engineer": {
6
6
  "label": "Cloud Security Engineer",
@@ -314,18 +314,22 @@
314
314
  },
315
315
  "kubernetes-network-engineer": {
316
316
  "label": "Kubernetes Network Engineer",
317
- "description": "CNI, service mesh, ingress, egress: Cilium NetworkPolicy and CiliumClusterwideNetworkPolicy, Cilium ClusterMesh, CiliumEgressGatewayPolicy, Hubble flow observability, and Istio mesh in both sidecar and ambient modes including the L7-AuthorizationPolicy-without-waypoint trap.",
317
+ "description": "Cluster network architecture and policy: CNI selection and dataplane (kube-proxy mode, IPAM, Pod and Service CIDR sizing, MTU, encapsulation, dual-stack), Service surface (EndpointSlices, internalTrafficPolicy, externalTrafficPolicy, topology-aware routing), Ingress to Gateway API migration, CoreDNS and NodeLocal DNSCache, multi-cluster topology (ClusterMesh, Submariner, MCS-API), egress topology and connectivity troubleshooting, plus Cilium NetworkPolicy and CiliumClusterwideNetworkPolicy review, CiliumEgressGatewayPolicy, Hubble flow observability, and Istio mesh in both sidecar and ambient modes including the L7-AuthorizationPolicy-without-waypoint trap.",
318
318
  "agents": [
319
319
  "cilium-network-policy-review-agent",
320
320
  "istio-ambient-mesh-review-agent",
321
321
  "kubernetes-live-mesh-policy-guard-agent",
322
+ "kubernetes-live-network-architecture-mutation-guard-agent",
322
323
  "kubernetes-live-network-policy-guard-agent",
323
- "kubernetes-maestro-agent"
324
+ "kubernetes-maestro-agent",
325
+ "kubernetes-network-architecture-review-agent"
324
326
  ],
325
327
  "skills": [
326
328
  "cilium-network-policy-review",
327
329
  "istio-ambient-mesh-review",
328
- "kubernetes-maestro"
330
+ "kubernetes-live-network-architecture-mutation-guard",
331
+ "kubernetes-maestro",
332
+ "kubernetes-network-architecture-review"
329
333
  ]
330
334
  },
331
335
  "kubernetes-application-platform-engineer": {