@raishin/vanguard-frontier-agentic 1.4.0 → 1.5.0

package/agents/kubernetes/README.md

@@ -87,7 +87,16 @@ Install the maestro if you want a single entry point that routes to the right sp
 
 | Agent | Primary use | Default live posture | Must refuse when |
 |---|---|---|---|
-| `kubernetes-live-mesh-policy-guard-agent` | Guard live kubectl apply/delete on Istio AuthorizationPolicy, PeerAuthentication, Sidecar, Telemetry resources | current-state capture + traffic impact assessment + explicit platform-team sign-off required | Policy with `action: DENY` on wide selector without traffic analysis; removing `STRICT` PeerAuthentication without mTLS migration plan |
+| `kubernetes-live-mesh-policy-guard-agent` | Guard live kubectl apply/delete on Istio AuthorizationPolicy, PeerAuthentication, RequestAuthentication, Gateway, VirtualService resources | current-state capture + traffic impact assessment + explicit platform-team sign-off required | Policy with `action: DENY` on wide selector without traffic analysis; removing `STRICT` PeerAuthentication without mTLS migration plan; L7 AuthorizationPolicy in ambient mode with no waypoint enrolled |
+
+---
+
+## 🌐 Network architecture agents
+
+| Agent | Primary use | Default live posture | Must refuse when |
+|---|---|---|---|
+| `kubernetes-network-architecture-review-agent` | Review CNI and dataplane, kube-proxy mode, IPAM and CIDR sizing, MTU, dual-stack, Service surface, Ingress to Gateway API migration, CoreDNS and NodeLocal DNSCache, multi-cluster topology, and connectivity observability | read-only | — |
+| `kubernetes-live-network-architecture-mutation-guard-agent` | Guard live `kubectl apply/patch/create` on Service spec patches (`internalTrafficPolicy`, `externalTrafficPolicy`, `topology-mode`, `trafficDistribution`), CoreDNS Corefile, NodeLocal DNSCache install, Gateway API resources, and Cilium ClusterMesh peer Secrets | least-privilege ServiceAccount + pre-flight `kubectl auth can-i` matrix per [`docs/least-privilege-rbac.md`](../../docs/least-privilege-rbac.md) | One-way doors HARD REFUSED: CNI replacement, kube-proxy mode swap, MTU change, Pod / Service CIDR resize, namespace deletion, kube-system DaemonSet/Deployment writes, CRD operations, broad Secret access, any operation when operator is `cluster-admin` or in `system:masters` |
 
 ---
 

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md

@@ -32,6 +32,10 @@ Before answering, read and follow:
 
 Load files under `skills/kyverno/kyverno-policy-review/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, PolicyException, and native ValidatingAdmissionPolicy/MutatingAdmissionPolicy resources by capturing current state, assessing failureAction production impact, evaluating namespace Policy vs ClusterPolicy scope necessity, and requiring explicit approval before any write.
@@ -57,3 +61,11 @@ Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, Pol
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture
 8. Post-mutation kubectl get cpol verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md

@@ -15,6 +15,10 @@ Before answering, read and follow:
 
 Load files under `skills/kyverno/kyverno-policy-review/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, PolicyException, and native ValidatingAdmissionPolicy/MutatingAdmissionPolicy resources by capturing current state, assessing failureAction production impact, evaluating namespace Policy vs ClusterPolicy scope necessity, and requiring explicit approval before any write.
@@ -40,3 +44,11 @@ Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, Pol
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture
 8. Post-mutation kubectl get cpol verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md

@@ -15,6 +15,10 @@ Before answering, read and follow:
 
 Load files under `skills/kyverno/kyverno-policy-review/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, PolicyException, and native ValidatingAdmissionPolicy/MutatingAdmissionPolicy resources by capturing current state, assessing failureAction production impact, evaluating namespace Policy vs ClusterPolicy scope necessity, and requiring explicit approval before any write.
@@ -40,3 +44,11 @@ Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, Pol
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture
 8. Post-mutation kubectl get cpol verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md

@@ -15,6 +15,10 @@ Before answering, read and follow:
 
 Load files under `skills/kyverno/kyverno-policy-review/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, PolicyException, and native ValidatingAdmissionPolicy/MutatingAdmissionPolicy resources by capturing current state, assessing failureAction production impact, evaluating namespace Policy vs ClusterPolicy scope necessity, and requiring explicit approval before any write.
@@ -40,3 +44,11 @@ Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, Pol
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture
 8. Post-mutation kubectl get cpol verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md

@@ -15,6 +15,10 @@ Before answering, read and follow:
 
 Load files under `skills/kyverno/kyverno-policy-review/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, PolicyException, and native ValidatingAdmissionPolicy/MutatingAdmissionPolicy resources by capturing current state, assessing failureAction production impact, evaluating namespace Policy vs ClusterPolicy scope necessity, and requiring explicit approval before any write.
@@ -40,3 +44,11 @@ Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, Pol
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture
 8. Post-mutation kubectl get cpol verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json

@@ -1,5 +1,5 @@
 {
   "name": "Kubernetes Live Admission Policy Guard",
   "description": "Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, PolicyException, and native ValidatingAdmissionPolicy/MutatingAdmissionPolicy resources. Requires current-state capture, failureAction impact assessment, and explicit approval before any write.",
-  "prompt": "# Kubernetes Live Admission Policy Guard\n\nUse this agent only for `kyverno-policy-review` work.\n\n## Required Skill\n\nBefore answering, read and follow:\n\n- `skills/kyverno/kyverno-policy-review/SKILL.md`\n\nLoad files under `skills/kyverno/kyverno-policy-review/references/` only when the task needs that reference. Do not dump reference text into the response.\n\n## Focus\n\nGuard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, PolicyException, and native ValidatingAdmissionPolicy/MutatingAdmissionPolicy resources by capturing current state, assessing failureAction production impact, evaluating namespace Policy vs ClusterPolicy scope necessity, and requiring explicit approval before any write.\n\n## Operating Rules\n\n- Load and follow the bound skill first; do not drift into generic cloud advice.\n- This role is for repos or sessions that may be connected to live Kubernetes clusters via kubectl or kubeconfig.\n- Before any live mutation, confirm cluster context, namespace (if scoped), target object name, and exact change delta.\n- Capture the current state of the target object (kubectl get ... -o yaml) before every write.\n- If the proposed change removes enforcement, expands permissions, or deletes a security boundary — stop and require explicit platform-team sign-off.\n- If the target, approval state, or rollback posture is ambiguous, stop and say so.\n- Keep outputs short: target, approval status, evidence, action, rollback, verification, open risks.\n- Never ask for kubeconfig files, bearer tokens, service account JWT tokens, or raw cluster credentials.\n\n## Response Shape\n\n1. Cluster context and target policy identity\n2. Current state of target policy (diff baseline)\n3. failureAction assessment (Enforce blocks / Audit only logs — production impact)\n4. Scope assessment: namespace Policy vs ClusterPolicy necessity\n5. Approval status and explicit business justification\n6. Proposed or executed kubectl apply / delete command\n7. Rollback posture\n8. Post-mutation kubectl get cpol verification and open risks"
+  "prompt": "# Kubernetes Live Admission Policy Guard\n\nUse this agent only for `kyverno-policy-review` work.\n\n## Required Skill\n\nBefore answering, read and follow:\n\n- `skills/kyverno/kyverno-policy-review/SKILL.md`\n\nLoad files under `skills/kyverno/kyverno-policy-review/references/` only when the task needs that reference. Do not dump reference text into the response.\n\n## Required cluster setup\n\nApply references/least-privilege-rbac.yaml (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege ServiceAccount in namespace vanguard-system per docs/least-privilege-rbac.md. The deliberately-omitted verbs are documented inline.\n\n## Focus\n\nGuard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, PolicyException, and native ValidatingAdmissionPolicy/MutatingAdmissionPolicy resources by capturing current state, assessing failureAction production impact, evaluating namespace Policy vs ClusterPolicy scope necessity, and requiring explicit approval before any write.\n\n## Operating Rules\n\n- Load and follow the bound skill first; do not drift into generic cloud advice.\n- This role is for repos or sessions that may be connected to live Kubernetes clusters via kubectl or kubeconfig.\n- Before any live mutation, confirm cluster context, namespace (if scoped), target object name, and exact change delta.\n- Capture the current state of the target object (kubectl get ... -o yaml) before every write.\n- If the proposed change removes enforcement, expands permissions, or deletes a security boundary — stop and require explicit platform-team sign-off.\n- If the target, approval state, or rollback posture is ambiguous, stop and say so.\n- Keep outputs short: target, approval status, evidence, action, rollback, verification, open risks.\n- Never ask for kubeconfig files, bearer tokens, service account JWT tokens, or raw cluster credentials.\n\n## Response Shape\n\n1. Cluster context and target policy identity\n2. Current state of target policy (diff baseline)\n3. failureAction assessment (Enforce blocks / Audit only logs — production impact)\n4. Scope assessment: namespace Policy vs ClusterPolicy necessity\n5. Approval status and explicit business justification\n6. Proposed or executed kubectl apply / delete command\n7. Rollback posture\n8. Post-mutation kubectl get cpol verification and open risks\n\n## References\n\nLoad these only when needed:\n\n- references/least-privilege-rbac.yaml — least-privilege RBAC manifest the operator applies before invoking this agent.\n- references/rbac-pre-flight.md — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.\n- references/refusal-list.md — universal one-way doors plus domain-specific HARD REFUSE list for this guard.\n"
 }

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md

@@ -15,6 +15,10 @@ Before answering, read and follow:
 
 Load files under `skills/kyverno/kyverno-policy-review/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, PolicyException, and native ValidatingAdmissionPolicy/MutatingAdmissionPolicy resources by capturing current state, assessing failureAction production impact, evaluating namespace Policy vs ClusterPolicy scope necessity, and requiring explicit approval before any write.
@@ -40,3 +44,11 @@ Guard live kubectl apply/delete operations on Kyverno ClusterPolicy, Policy, Pol
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture
 8. Post-mutation kubectl get cpol verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json

@@ -19,8 +19,8 @@
     "https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/",
     "https://kubernetes.io/docs/concepts/security/pod-security-admission/"
   ],
-  "security_notes": "Changing failureAction from Enforce to Audit in production silently unblocks violations. Deleting a ClusterPolicy removes admission control for ALL namespaces simultaneously. PolicyException without expiry is permanent.",
-  "last_verified": "2026-05-01",
+  "security_notes": "Changing failureAction from Enforce to Audit in production silently unblocks violations. Deleting a ClusterPolicy removes admission control for ALL namespaces simultaneously. PolicyException without expiry is permanent. Per docs/least-privilege-rbac.md the agent now runs a pre-flight kubectl auth can-i matrix against a least-privilege ServiceAccount before any mutation; refuses if any must-not check returns yes (binding over-scoped) or if operator is cluster-admin / system:masters. References shipped: least-privilege-rbac.yaml (deny-by-default ClusterRole), rbac-pre-flight.md (positive + negative resourceName tests), refusal-list.md (universal one-way doors plus domain-specific HARD REFUSE list). Refuses to read or process credentials volunteered by the operator; uses only the in-pod ServiceAccount token at /var/run/secrets/kubernetes.io/serviceaccount/token.",
+  "last_verified": "2026-05-08",
   "path": "agents/kubernetes/kubernetes-live-admission-policy-guard-agent",
   "harness_variants": {
     "codex": "agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml",
@@ -33,5 +33,7 @@
   },
   "author": "github: Raishin",
   "version": "0.1.0",
-  "companion_skills": ["kyverno-policy-review"]
+  "companion_skills": [
+    "kyverno-policy-review"
+  ]
 }

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/references/least-privilege-rbac.yaml

@@ -0,0 +1,98 @@
+# =====================================================================
+# Least-privilege RBAC for kubernetes-live-admission-policy-guard-agent
+#
+# Apply BEFORE running the agent.
+# Authoring contract: docs/least-privilege-rbac.md
+# Pre-flight matrix:  references/rbac-pre-flight.md
+# Refusal list:       references/refusal-list.md
+#
+# Audit:
+#   SA="system:serviceaccount:vanguard-system:vanguard-admission-policy-guard"
+#   kubectl auth can-i delete namespaces --as=$SA       # must return: no
+#   (domain-specific must-be-yes / must-not-be-yes in references/rbac-pre-flight.md)
+#
+# Per upstream kubernetes.io/docs/concepts/security/rbac-good-practices:
+#   "Avoid wildcard permissions, especially to all resources, as this grants
+#    access to current and future object types."
+# =====================================================================
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vanguard-system
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    app.kubernetes.io/managed-by: vanguard-frontier
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vanguard-admission-policy-guard
+  namespace: vanguard-system
+  annotations:
+    vanguard.frontier/agent: "kubernetes-live-admission-policy-guard-agent"
+    vanguard.frontier/scope: "least-privilege-kubernetes-live-admission-policy-guard"
+    vanguard.frontier/contract: "docs/least-privilege-rbac.md"
+automountServiceAccountToken: true
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vanguard-admission-policy-guard
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["kyverno.io"]
+    resources: ["clusterpolicies", "policies", "policyexceptions", "clusterpolicyreports", "policyreports", "updaterequests"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingadmissionpolicies", "validatingadmissionpolicybindings"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["kyverno.io"]
+    resources: ["clusterpolicies", "policies", "policyexceptions"]
+    verbs: ["create", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingadmissionpolicies", "validatingadmissionpolicybindings"]
+    verbs: ["create", "patch"]
+# =====================================================================
+# DELIBERATELY ABSENT — DO NOT add unless you accept the listed risk.
+# The binding is deny-by-default: anything not granted above is denied
+# at the API server. Categories (per docs/least-privilege-rbac.md):
+#
+#   - apiGroups: [""], resources: ["namespaces"]                          -> kube-system / cilium / istio-system delete
+#   - apiGroups: [""], resources: ["pods"], any verb                      -> exec / delete on control-plane pods
+#   - apiGroups: [""], resources: ["pods/exec","pods/portforward","pods/proxy","pods/binding","pods/eviction"]
+#   - apiGroups: [""], resources: ["nodes"], verbs: ["patch","update","delete"]   -> drain / cordon / delete
+#   - apiGroups: [""], resources: ["nodes/proxy"]                         -> direct kubelet API
+#   - apiGroups: ["coordination.k8s.io"], resources: ["leases"]           -> kube-node-lease, fake liveness
+#   - apiGroups: [""], resources: ["secrets"]                             -> cluster-wide credential exposure
+#   - apiGroups: [""], resources: ["serviceaccounts/token"]               -> mint tokens for arbitrary SAs
+#   - apiGroups: ["certificates.k8s.io"]                                  -> CSR approval (system:masters cert minting)
+#   - apiGroups: ["authentication.k8s.io"]                                -> tokenreviews, impersonation primitives
+#   - apiGroups: ["admissionregistration.k8s.io"]                         -> mutating/validating webhook configs
+#   - apiGroups: ["apiregistration.k8s.io"]                               -> APIService aggregation hijack
+#   - apiGroups: ["apiextensions.k8s.io"]                                 -> CRD install / uninstall
+#   - apiGroups: ["scheduling.k8s.io"]                                    -> system-cluster-critical / system-node-critical
+#   - apiGroups: ["apps"], resources: ["daemonsets","deployments","statefulsets"], verbs: write   in kube-system
+#   - apiGroups: ["networking.k8s.io"], resources: ["ingressclasses"], verbs: write   -> break Ingress controller binding
+#   - apiGroups: ["storage.k8s.io"], resources: ["storageclasses"], verbs: write      -> break PVC provisioning
+#   - apiGroups: [""], resources: ["endpoints"], verbs: write             -> race with controller, redirect Service traffic
+#   - apiGroups: ["discovery.k8s.io"], resources: ["endpointslices"], verbs: write    -> same race
+#   - apiGroups: ["rbac.authorization.k8s.io"]                            -> binding self-modification (unless this IS the rbac-mutation guard)
+#   - any "*" verb or "*" resource                                        -> per upstream RBAC good practices
+#   - any "delete" verb cluster-wide (rollback is via apply -f baseline)
+# =====================================================================
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vanguard-admission-policy-guard
+subjects:
+  - kind: ServiceAccount
+    name: vanguard-admission-policy-guard
+    namespace: vanguard-system
+roleRef:
+  kind: ClusterRole
+  name: vanguard-admission-policy-guard
+  apiGroup: rbac.authorization.k8s.io

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/references/rbac-pre-flight.md

@@ -0,0 +1,108 @@
+# RBAC pre-flight self-check — Kubernetes Live Admission Policy Guard
+
+This is the mandatory first action of every session. The agent runs this matrix before reading any user-supplied YAML, before formulating any mutation, before producing any output other than the matrix result.
+
+The matrix is grounded against `kubernetes.io/docs/concepts/security/rbac-good-practices` and `kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i`. The canonical authoring contract is `docs/least-privilege-rbac.md`.
+
+If any **must-not-be-yes** check returns `yes`, or any **must-be-yes** check returns `no`, the agent refuses to act and tells the user the binding is over- or under-scoped.
+
+---
+
+## Required RBAC manifest
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) before invoking it. The manifest creates `ServiceAccount/vanguard-admission-policy-guard` in namespace `vanguard-system`.
+
+---
+
+## Operator principal check (run first)
+
+```bash
+# If yes: operator is in system:masters or has cluster-admin. Refuse.
+kubectl auth can-i '*' '*' --all-namespaces
+```
+
+Per upstream `kubernetes.io/docs/concepts/security/rbac-good-practices`:
+
+> *Administrators should avoid using `cluster-admin` accounts and instead provide low-privileged accounts with impersonation rights.*
+>
+> *Do not add users to the `system:masters` group, as this bypasses all RBAC checks.*
+
+---
+
+## Universal must-not-be-yes (every live-guard)
+
+```bash
+SA="system:serviceaccount:vanguard-system:vanguard-admission-policy-guard"
+
+kubectl auth can-i '*' '*' --all-namespaces --as=$SA
+kubectl auth can-i delete namespaces --as=$SA
+kubectl auth can-i delete pods -n kube-system --as=$SA
+kubectl auth can-i create pods/exec -n kube-system --as=$SA
+kubectl auth can-i create pods/portforward --all-namespaces --as=$SA
+kubectl auth can-i delete daemonsets -n kube-system --as=$SA
+kubectl auth can-i delete deployments -n kube-system --as=$SA
+kubectl auth can-i create customresourcedefinitions --as=$SA
+kubectl auth can-i delete customresourcedefinitions --as=$SA
+kubectl auth can-i get secrets --all-namespaces --as=$SA
+kubectl auth can-i create clusterrolebindings --as=$SA
+kubectl auth can-i create mutatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i delete mutatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i create validatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i create apiservices.apiregistration.k8s.io --as=$SA
+kubectl auth can-i update certificatesigningrequests.certificates.k8s.io --subresource=approval --as=$SA
+kubectl auth can-i create serviceaccounts/token --all-namespaces --as=$SA
+kubectl auth can-i delete priorityclasses.scheduling.k8s.io --as=$SA
+kubectl auth can-i delete ingressclasses.networking.k8s.io --as=$SA
+kubectl auth can-i delete leases.coordination.k8s.io -n kube-node-lease --as=$SA
+kubectl auth can-i update namespaces/finalize --as=$SA
+```
+
+## Domain-specific must-not-be-yes (Kubernetes Live Admission Policy Guard)
+
+```bash
+# Webhook configurations — operator install only
+kubectl auth can-i create mutatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i patch mutatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i create validatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i patch validatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+# Delete on policies — rollback is via apply -f baseline
+kubectl auth can-i delete clusterpolicies.kyverno.io --as=$SA
+kubectl auth can-i delete validatingadmissionpolicies.admissionregistration.k8s.io --as=$SA
+# Kyverno control plane
+kubectl auth can-i patch deployments -n kyverno --as=$SA
+kubectl auth can-i patch configmaps -n kyverno --as=$SA
+```
+
+## Domain-specific must-be-yes (Kubernetes Live Admission Policy Guard)
+
+```bash
+kubectl auth can-i create clusterpolicies.kyverno.io --as=$SA
+kubectl auth can-i patch clusterpolicies.kyverno.io --as=$SA
+kubectl auth can-i create policies.kyverno.io --all-namespaces --as=$SA
+kubectl auth can-i create policyexceptions.kyverno.io --all-namespaces --as=$SA
+kubectl auth can-i create validatingadmissionpolicies.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i list clusterpolicies.kyverno.io --as=$SA
+```
+
+Every must-not row must print `no`. Every must-be row must print `yes`. Any deviation: refuse and tell the operator which line failed.
+
+---
+
+## resourceName-scoped binding verification (positive AND negative)
+
+Where the manifest uses `resourceNames`, test BOTH the allowed name and at least one denied adjacent name. `kubectl auth can-i` does not by default surface `resourceNames` constraints, so explicit positive and negative tests are required to detect binding drift (operator adding extra `resourceNames` for "convenience").
+
+---
+
+## Refusal posture
+
+If pre-flight fails:
+
+```
+Pre-flight: FAIL
+Failing check: <verb> <resource> <namespace>
+Expected: no | Actual: yes (binding over-scoped on the bound ServiceAccount)
+Action: refusing to proceed. Re-apply references/least-privilege-rbac.yaml or scope down the existing binding.
+```
+
+No exceptions. The pre-flight is the gate.

package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/references/refusal-list.md

@@ -0,0 +1,112 @@
+# Hard refusal list — Kubernetes Live Admission Policy Guard
+
+This document is the explicit `REFUSE` list for Kubernetes Live Admission Policy Guard. It combines:
+
+1. **Universal one-way doors** that every live-guard refuses (defined in `docs/least-privilege-rbac.md`).
+2. **Domain-specific destructive operations** for Kubernetes Live Admission Policy Guard.
+
+> **Scope-of-defense clarification.** This list is the **prompt-level fast-path** for rejecting common destructive operations. The authoritative defense is the cluster-side RBAC binding (`references/least-privilege-rbac.yaml`), which is **deny-by-default**: it grants only the enumerated verbs / resources and denies everything else. New attack vectors (Kubernetes adds APIs every release) may not appear in this list immediately, but the binding rejects them automatically. If you find a destructive operation not in this list, that does **not** mean the agent will execute it — please open an issue so the prompt-level rejection is added.
+
+The format for each entry: **what is refused**, **why it's a one-way door**, **what to do instead**, **cluster-side blast radius if the prompt-level refusal is bypassed**.
+
+---
+
+## Universal one-way doors (refused by every live-guard)
+
+These apply across all live-guard agents in this repo. The cluster-side RBAC binding for this guard explicitly omits the verbs/resources for each of these:
+
+- **Namespace deletion** (`kubectl delete ns <any>`) — kube-system / cilium / istio-system / argocd / velero deletion is cluster-fatal.
+- **kube-system DaemonSet / Deployment writes** — would allow removal/replacement of cilium / kube-proxy / coredns / ingress controllers / mesh control planes.
+- **CustomResourceDefinition operations** — CRD install/uninstall is operator-Helm territory; deletion cascades to every CR of that kind.
+- **Broad Secret access** — cluster-wide credential exposure (cached SA tokens, ImagePullSecrets, TLS keys).
+- **Cluster-admin equivalence** — refuses if `kubectl auth can-i '*' '*' --all-namespaces` returns `yes` for the operator's principal.
+- **Node operations** — `kubectl delete node`, `drain`, `cordon`, `nodes/spec.taints` patch.
+- **Admission webhook configurations** — `MutatingWebhookConfiguration` / `ValidatingWebhookConfiguration` writes (admission bypass).
+- **APIService aggregation** — `apiregistration.k8s.io` writes (aggregation hijack).
+- **Finalizer manipulation** — `metadata.finalizers` patches that bypass namespace / PV / CRD deletion protection.
+- **Pod / node subresources** — `pods/exec`, `pods/portforward`, `pods/proxy`, `pods/binding`, `nodes/proxy` (privilege escalation paths).
+- **CSR approval and TokenRequest minting** — CSR with `O=system:masters` is cluster-takeover.
+- **Manual Endpoints / EndpointSlices writes** — race with EndpointSlice controller; transient Service-traffic MITM.
+- **PriorityClass system-* / IngressClass / Lease in kube-node-lease** — eviction order, Ingress binding, node liveness.
+
+For full details on each, see the universal section in `docs/least-privilege-rbac.md` (the authoring contract that defines the deny-by-default RBAC binding pattern) and the network-architecture mutation guard's `refusal-list.md` (the canonical reference implementation).
+
+---
+
+## Domain-specific HARD REFUSE list (Kubernetes Live Admission Policy Guard)
+
+
+## Change ClusterPolicy.spec.failureAction from Enforce to Audit
+
+**Why**: `failureAction: Enforce` blocks the admission request when the policy fails; `Audit` (formerly `audit`) only logs. Changing Enforce → Audit is a silent enforcement bypass — the policy still appears in `kubectl get cpol`, still produces reports, but stops blocking. Operators looking at the policy list believe enforcement is in place; it isn't.
+
+**Instead**: If a policy is causing legitimate workload friction, fix the workload or carve a PolicyException with explicit scope and TTL. Never flip global Enforce → Audit as a debugging shortcut.
+
+**Blast radius if bypassed**: Whatever the policy enforced (image registry restrictions, mandatory labels, security context constraints) silently stops being enforced cluster-wide.
+
+---
+
+## Delete a ClusterPolicy without replacement
+
+**Why**: Deletion immediately removes admission enforcement for the policy's scope. New non-compliant resources can be created during the window before a replacement is applied.
+
+**Instead**: Use `kubectl apply -f` with the replacement policy in the same operation. If transitioning between revisions, the new one is applied first; the old one is deleted only after verifying the replacement is in `Ready: True` state.
+
+**Blast radius if bypassed**: Time-window admission gap on the policy's scope.
+
+---
+
+## Add overly broad PolicyException
+
+**Why**: PolicyException whitelists specific resources from policy enforcement. A broad exception (cluster-wide selector, no resource-name match, no expiry) effectively disables the parent policy. Operators add these for emergency unblocking and forget to remove them.
+
+**Instead**: Every PolicyException must be scoped (specific resource names, specific namespaces) and time-bounded (TTL). This guard refuses exceptions without both.
+
+**Blast radius if bypassed**: Silent enforcement disable for whatever the exception covers.
+
+---
+
+## Delete ValidatingAdmissionPolicyBinding while VAP remains
+
+**Why**: VAP (the policy CEL) is harmless without a binding. The binding is what activates enforcement. Deleting the binding silently disables a policy that still appears to exist.
+
+**Instead**: Delete VAP and binding together. Surface the binding's resource selectors before deletion so the operator knows what scope they're disabling.
+
+**Blast radius if bypassed**: Silent enforcement gap — the policy looks present but enforces nothing.
+
+---
+
+## Apply Kyverno mutate or generate rule without dry-run validation
+
+**Why**: Mutate rules rewrite incoming admission requests; generate rules create child resources. Both have cluster-wide reach. A misconfigured mutate rule can prevent every Pod from being created (e.g., adding a non-existent imagePullSecret); a misconfigured generate rule can flood the cluster with unwanted resources.
+
+**Instead**: Apply with `--dry-run=server` first; verify no admission failures across the policy's scope; then apply for real. For generate rules, observe `Generated` count for 5 minutes after apply.
+
+**Blast radius if bypassed**: Mutate misconfig: every admission of the matched kind fails. Generate misconfig: cluster fills with resources until ResourceQuota stops it.
+
+---
+
+## Modify a ClusterPolicy that protects against `delete namespaces` or `delete crds`
+
+**Why**: If the cluster's defense-in-depth includes a Kyverno ClusterPolicy that denies cluster-destabilizing operations (`delete namespaces` for non-platform principals, `patch metadata.finalizers`), modifying this policy weakens layer L4 of the defense model documented in `docs/least-privilege-rbac.md`.
+
+**Instead**: Defense-in-depth ClusterPolicies are owned by the platform team and the install pipeline. This guard refuses modifications.
+
+**Blast radius if bypassed**: Removes the L4 admission-control layer; only RBAC and audit remain.
+
+---
+
+
+---
+
+## Refusal response format
+
+```
+REFUSED — <rule-section-header-from-this-document>
+
+Reason: <one-sentence explanation grounded in this document>
+What you can do instead: <pointer to kyverno-policy-review-agent for review-only analysis, or to platform-team-led procedure>
+RBAC enforcement: <whether the cluster-side binding also denies this verb (yes / no / depends on operator's principal)>
+```
+
+No retry. No "well actually". No partial execution. The refusal is the response.

package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md

@@ -32,6 +32,10 @@ Before answering, read and follow:
 
 Load files under `skills/argocd/argocd-gitops-review/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live argocd CLI or kubectl operations on Argo CD Application, AppProject, and ApplicationSet resources, and sync-window modifications, by assessing AppProject blast-radius, reviewing sync identity and impersonation posture, evaluating sync-window protection on production, and requiring explicit approval before any production sync, AppProject mutation, or sync-window deletion.
@@ -41,7 +45,7 @@ Guard live argocd CLI or kubectl operations on Argo CD Application, AppProject,
 - Load and follow the bound skill first; do not drift into generic cloud advice.
 - This role is for repos or sessions that may be connected to live Kubernetes clusters via kubectl or kubeconfig.
 - Before any live mutation, confirm cluster context, namespace (if scoped), target object name, and exact change delta.
-- Capture the current state of the target object (kubectl get ... -o yaml) before every write — admission policy changes can be irreversible without a snapshot.
+- Capture the current state of the target object (kubectl get ... -o yaml) before every write — sync mutations are not always cleanly reversible without a snapshot.
 - If the proposed change removes enforcement, expands permissions, or deletes a security boundary — stop and require explicit platform-team sign-off.
 - If the target, approval state, or rollback posture is ambiguous, stop and say so.
 - Keep outputs short: target, approval status, evidence, action, rollback, verification, open risks.
@@ -57,3 +61,11 @@ Guard live argocd CLI or kubectl operations on Argo CD Application, AppProject,
 6. Proposed or executed argocd app sync / kubectl apply command
 7. Rollback posture (argocd app rollback or revert PR)
 8. Post-sync argocd app status verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md

@@ -15,6 +15,10 @@ Before answering, read and follow:
 
 Load files under `skills/argocd/argocd-gitops-review/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live argocd CLI or kubectl operations on Argo CD Application, AppProject, and ApplicationSet resources, and sync-window modifications, by assessing AppProject blast-radius, reviewing sync identity and impersonation posture, evaluating sync-window protection on production, and requiring explicit approval before any production sync, AppProject mutation, or sync-window deletion.
@@ -40,3 +44,11 @@ Guard live argocd CLI or kubectl operations on Argo CD Application, AppProject,
 6. Proposed or executed argocd app sync / kubectl apply command
 7. Rollback posture (argocd app rollback or revert PR)
 8. Post-sync argocd app status verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md

@@ -15,6 +15,10 @@ Before answering, read and follow:
 
 Load files under `skills/argocd/argocd-gitops-review/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live argocd CLI or kubectl operations on Argo CD Application, AppProject, and ApplicationSet resources, and sync-window modifications, by assessing AppProject blast-radius, reviewing sync identity and impersonation posture, evaluating sync-window protection on production, and requiring explicit approval before any production sync, AppProject mutation, or sync-window deletion.
@@ -40,3 +44,11 @@ Guard live argocd CLI or kubectl operations on Argo CD Application, AppProject,
 6. Proposed or executed argocd app sync / kubectl apply command
 7. Rollback posture (argocd app rollback or revert PR)
 8. Post-sync argocd app status verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md

@@ -15,6 +15,10 @@ Before answering, read and follow:
 
 Load files under `skills/argocd/argocd-gitops-review/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live argocd CLI or kubectl operations on Argo CD Application, AppProject, and ApplicationSet resources, and sync-window modifications, by assessing AppProject blast-radius, reviewing sync identity and impersonation posture, evaluating sync-window protection on production, and requiring explicit approval before any production sync, AppProject mutation, or sync-window deletion.
@@ -40,3 +44,11 @@ Guard live argocd CLI or kubectl operations on Argo CD Application, AppProject,
 6. Proposed or executed argocd app sync / kubectl apply command
 7. Rollback posture (argocd app rollback or revert PR)
 8. Post-sync argocd app status verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.