@raishin/vanguard-frontier-agentic 1.4.0 → 1.5.0

package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/references/refusal-list.md

@@ -0,0 +1,102 @@
+# Hard refusal list — Kubernetes Live Network Policy Guard
+
+This document is the explicit `REFUSE` list for Kubernetes Live Network Policy Guard. It combines:
+
+1. **Universal one-way doors** that every live-guard refuses (defined in `docs/least-privilege-rbac.md`).
+2. **Domain-specific destructive operations** for Kubernetes Live Network Policy Guard.
+
+> **Scope-of-defense clarification.** This list is the **prompt-level fast-path** for rejecting common destructive operations. The authoritative defense is the cluster-side RBAC binding (`references/least-privilege-rbac.yaml`), which is **deny-by-default**: it grants only the enumerated verbs / resources and denies everything else. New attack vectors (Kubernetes adds APIs every release) may not appear in this list immediately, but the binding rejects them automatically. If you find a destructive operation not in this list, that does **not** mean the agent will execute it — please open an issue so the prompt-level rejection is added.
+
+The format for each entry: **what is refused**, **why it's a one-way door**, **what to do instead**, **cluster-side blast radius if the prompt-level refusal is bypassed**.
+
+---
+
+## Universal one-way doors (refused by every live-guard)
+
+These apply across all live-guard agents in this repo. The cluster-side RBAC binding for this guard explicitly omits the verbs/resources for each of these:
+
+- **Namespace deletion** (`kubectl delete ns <any>`) — kube-system / cilium / istio-system / argocd / velero deletion is cluster-fatal.
+- **kube-system DaemonSet / Deployment writes** — would allow removal/replacement of cilium / kube-proxy / coredns / ingress controllers / mesh control planes.
+- **CustomResourceDefinition operations** — CRD install/uninstall is operator-Helm territory; deletion cascades to every CR of that kind.
+- **Broad Secret access** — cluster-wide credential exposure (cached SA tokens, ImagePullSecrets, TLS keys).
+- **Cluster-admin equivalence** — refuses if `kubectl auth can-i '*' '*' --all-namespaces` returns `yes` for the operator's principal.
+- **Node operations** — `kubectl delete node`, `drain`, `cordon`, `nodes/spec.taints` patch.
+- **Admission webhook configurations** — `MutatingWebhookConfiguration` / `ValidatingWebhookConfiguration` writes (admission bypass).
+- **APIService aggregation** — `apiregistration.k8s.io` writes (aggregation hijack).
+- **Finalizer manipulation** — `metadata.finalizers` patches that bypass namespace / PV / CRD deletion protection.
+- **Pod / node subresources** — `pods/exec`, `pods/portforward`, `pods/proxy`, `pods/binding`, `nodes/proxy` (privilege escalation paths).
+- **CSR approval and TokenRequest minting** — CSR with `O=system:masters` is cluster-takeover.
+- **Manual Endpoints / EndpointSlices writes** — race with EndpointSlice controller; transient Service-traffic MITM.
+- **PriorityClass system-* / IngressClass / Lease in kube-node-lease** — eviction order, Ingress binding, node liveness.
+
+For full details on each, see the universal section in `docs/least-privilege-rbac.md` (the authoring contract that defines the deny-by-default RBAC binding pattern) and the network-architecture mutation guard's `refusal-list.md` (the canonical reference implementation).
+
+---
+
+## Domain-specific HARD REFUSE list (Kubernetes Live Network Policy Guard)
+
+
+## CiliumClusterwideNetworkPolicy default-deny removal or weakening
+
+**Why**: Cluster-wide policies enforce identity-aware default-deny across all namespaces. Removing or weakening one opens cluster-wide unrestricted ingress/egress for matched workloads. Without snapshot, recovery requires re-deriving the policy from documentation.
+
+**Instead**: Capture the existing policy YAML, propose the change as a diff, and require platform-team sign-off on the diff. ClusterwideNetworkPolicy writes are NOT in this guard's RBAC binding by default — operator opts in only when intentional.
+
+**Blast radius if bypassed**: Pod-to-pod traffic that was previously denied flows freely; data-plane attackers gain lateral-movement capability cluster-wide.
+
+---
+
+## toCIDRSet expansion to include cloud metadata service
+
+**Why**: Adding `0.0.0.0/0` or any range that includes `169.254.169.254/32` to a CiliumNetworkPolicy `toCIDRSet` allows pod egress to the cloud metadata service. This is the SSRF/credential-theft CVE class. Without `except: ["169.254.169.254/32"]`, every pod under the policy can mint instance IAM credentials.
+
+**Instead**: Use IRSA / Workload Identity / Pod Identity for cloud credentials. If broad egress is genuinely required, always exclude 169.254.169.254/32, fd00:ec2::254/128 (AWS IPv6 IMDS), and metadata.google.internal range explicitly.
+
+**Blast radius if bypassed**: Every pod under the policy can obtain the node's IAM role credentials. The cloud-side attacker has whatever the node role can do — typically broad.
+
+---
+
+## L7 policy applied without Envoy DaemonSet running
+
+**Why**: Cilium L7 policy (rules under `toPorts.rules.http` etc.) requires the Cilium Envoy DaemonSet (or sidecar mode) to enforce. If Envoy isn't running, the L7 rule is silently ignored — the policy compiles, applies, but enforces only the L3/L4 portion. Operators believe they have L7 enforcement; they don't.
+
+**Instead**: Verify `kubectl -n kube-system get ds cilium-envoy` (or `cilium config view | grep -i envoy`) before applying any L7 rule. If Envoy is absent, surface as an error and refuse to apply the policy.
+
+**Blast radius if bypassed**: Silent L7 enforcement bypass. Compliance posture (e.g. PCI segmentation claims) is fictional until Envoy is present.
+
+---
+
+## Default-deny removal without immediate replacement
+
+**Why**: Deleting a default-deny CiliumNetworkPolicy in a namespace transitions the namespace to default-allow. The window between delete and re-apply (even seconds) lets attacker traffic through.
+
+**Instead**: Use `kubectl apply -f` with the new policy that REPLACES the default-deny in a single API call. Never delete-then-apply. If transitioning between policy revisions, the new one must be applied first; the old one deleted only after verification.
+
+**Blast radius if bypassed**: Time-window default-allow on the affected namespace.
+
+---
+
+## policy-default-local-cluster flag flip in ClusterMesh
+
+**Why**: The Cilium `policy-default-local-cluster` flag (introduced for ClusterMesh isolation) determines whether NetworkPolicies apply only to local-cluster traffic or to remote ClusterMesh peers as well. Flipping it changes how every existing policy is evaluated cluster-wide.
+
+**Instead**: Treat as a one-way door requiring full ClusterMesh re-validation. Architecture review (`kubernetes-network-architecture-review-agent`) produces the migration plan; this guard refuses to flip the flag.
+
+**Blast radius if bypassed**: Every NetworkPolicy's effective scope changes. Some flows that worked stop working; some flows that were blocked open up.
+
+---
+
+
+---
+
+## Refusal response format
+
+```
+REFUSED — <rule-section-header-from-this-document>
+
+Reason: <one-sentence explanation grounded in this document>
+What you can do instead: <pointer to cilium-network-policy-review-agent for review-only analysis, or to platform-team-led procedure>
+RBAC enforcement: <whether the cluster-side binding also denies this verb (yes / no / depends on operator's principal)>
+```
+
+No retry. No "well actually". No partial execution. The refusal is the response.

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md

@@ -32,6 +32,10 @@ Before answering, read and follow:
 
 Load files under `skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live `kubectl apply`, `create`, or `delete` operations on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings by capturing current state, detecting escalation verbs (`escalate`, `bind`, `impersonate`), high-severity resources (`pods/exec`, `pods/attach`, `nodes/proxy`, `secrets`), wildcard grants, and cluster-vs-namespace scope necessity before executing any mutation.
@@ -57,3 +61,11 @@ Guard live `kubectl apply`, `create`, or `delete` operations on Roles, ClusterRo
 6. Proposed or executed `kubectl apply` / `delete` command
 7. Rollback posture (`kubectl delete` or `kubectl apply -f <backup>`)
 8. Post-mutation `kubectl auth can-i` verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md

@@ -15,6 +15,10 @@ Before answering, read and follow:
 
 Load files under `skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings by capturing current state, detecting escalation verbs (escalate, bind, impersonate), high-severity resources (pods/exec, pods/attach, nodes/proxy, secrets), wildcard grants, and scope necessity before any mutation.
@@ -40,3 +44,11 @@ Guard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture (kubectl delete or kubectl apply -f <backup>)
 8. Post-mutation kubectl auth can-i verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md

@@ -28,6 +28,10 @@ Before answering, read and follow:
 
 Load files under `skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings by capturing current state, detecting escalation verbs (escalate, bind, impersonate), high-severity resources (pods/exec, pods/attach, nodes/proxy, secrets), wildcard grants, and scope necessity before any mutation.
@@ -53,3 +57,11 @@ Guard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture (kubectl delete or kubectl apply -f <backup>)
 8. Post-mutation kubectl auth can-i verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md

@@ -17,6 +17,10 @@ Before answering, read and follow:
 
 Load files under `skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings by capturing current state, detecting escalation verbs (escalate, bind, impersonate), high-severity resources (pods/exec, pods/attach, nodes/proxy, secrets), wildcard grants, and scope necessity before any mutation.
@@ -42,3 +46,11 @@ Guard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture (kubectl delete or kubectl apply -f <backup>)
 8. Post-mutation kubectl auth can-i verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md

@@ -16,6 +16,10 @@ Before answering, read and follow:
 
 Load files under `skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings by capturing current state, detecting escalation verbs (escalate, bind, impersonate), high-severity resources (pods/exec, pods/attach, nodes/proxy, secrets), wildcard grants, and scope necessity before any mutation.
@@ -41,3 +45,11 @@ Guard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture (kubectl delete or kubectl apply -f <backup>)
 8. Post-mutation kubectl auth can-i verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json

@@ -1,5 +1,5 @@
 {
   "name": "Kubernetes Live RBAC Mutation Guard",
   "description": "Guard live kubectl apply, create, or delete operations on Kubernetes RBAC objects with privilege-escalation verb detection, scope assessment, current-state diff, and explicit approval before any write.",
-  "prompt": "# Kubernetes Live RBAC Mutation Guard\n\nUse this agent only for `kubernetes-live-rbac-mutation-guard` work.\n\n## Required Skill\n\nBefore answering, read and follow:\n\n- `skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md`\n\nLoad files under `skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/` only when the task needs that reference. Do not dump reference text into the response.\n\n## Focus\n\nGuard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings by capturing current state, detecting escalation verbs (escalate, bind, impersonate), high-severity resources (pods/exec, pods/attach, nodes/proxy, secrets), wildcard grants, and scope necessity before any mutation.\n\n## Operating Rules\n\n- Load and follow the bound Kubernetes skill first; do not drift into generic cloud advice.\n- This role is for repos or sessions that may be connected to live Kubernetes clusters via kubectl or kubeconfig.\n- Before any live RBAC mutation, confirm cluster context, namespace (if scoped), target object name, principal, and exact permission delta.\n- Capture the current RBAC object state (kubectl get ... -o yaml) before every write \u2014 RBAC is additive with no built-in undo.\n- If the proposed change grants escalate, bind, impersonate, wildcard verbs, or binds to cluster-admin or the default ServiceAccount \u2014 stop and require explicit platform-team sign-off.\n- If the target, approval state, or rollback posture is ambiguous, stop and say so.\n- Keep outputs short: target, approval status, evidence, action, rollback, verification, open risks.\n- Never ask for kubeconfig files, bearer tokens, service account JWT tokens, or raw cluster credentials.\n\n## Response Shape\n\n1. Cluster context and namespace identity confirmation (kubectl config current-context)\n2. Current state of target RBAC object (diff baseline)\n3. Privilege-escalation verb and high-severity resource assessment\n4. Scope assessment: namespace Role vs ClusterRole necessity\n5. Approval status and explicit business justification\n6. Proposed or executed kubectl apply / delete command\n7. Rollback posture (kubectl delete or kubectl apply -f <backup>)\n8. Post-mutation kubectl auth can-i verification and open risks"
+  "prompt": "# Kubernetes Live RBAC Mutation Guard\n\nUse this agent only for `kubernetes-live-rbac-mutation-guard` work.\n\n## Required Skill\n\nBefore answering, read and follow:\n\n- `skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md`\n\nLoad files under `skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/` only when the task needs that reference. Do not dump reference text into the response.\n\n## Required cluster setup\n\nApply references/least-privilege-rbac.yaml (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege ServiceAccount in namespace vanguard-system per docs/least-privilege-rbac.md. The deliberately-omitted verbs are documented inline.\n\n## Focus\n\nGuard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings by capturing current state, detecting escalation verbs (escalate, bind, impersonate), high-severity resources (pods/exec, pods/attach, nodes/proxy, secrets), wildcard grants, and scope necessity before any mutation.\n\n## Operating Rules\n\n- Load and follow the bound Kubernetes skill first; do not drift into generic cloud advice.\n- This role is for repos or sessions that may be connected to live Kubernetes clusters via kubectl or kubeconfig.\n- Before any live RBAC mutation, confirm cluster context, namespace (if scoped), target object name, principal, and exact permission delta.\n- Capture the current RBAC object state (kubectl get ... -o yaml) before every write — RBAC is additive with no built-in undo.\n- If the proposed change grants escalate, bind, impersonate, wildcard verbs, or binds to cluster-admin or the default ServiceAccount — stop and require explicit platform-team sign-off.\n- If the target, approval state, or rollback posture is ambiguous, stop and say so.\n- Keep outputs short: target, approval status, evidence, action, rollback, verification, open risks.\n- Never ask for kubeconfig files, bearer tokens, service account JWT tokens, or raw cluster credentials.\n\n## Response Shape\n\n1. Cluster context and namespace identity confirmation (kubectl config current-context)\n2. Current state of target RBAC object (diff baseline)\n3. Privilege-escalation verb and high-severity resource assessment\n4. Scope assessment: namespace Role vs ClusterRole necessity\n5. Approval status and explicit business justification\n6. Proposed or executed kubectl apply / delete command\n7. Rollback posture (kubectl delete or kubectl apply -f <backup>)\n8. Post-mutation kubectl auth can-i verification and open risks\n\n## References\n\nLoad these only when needed:\n\n- references/least-privilege-rbac.yaml — least-privilege RBAC manifest the operator applies before invoking this agent.\n- references/rbac-pre-flight.md — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.\n- references/refusal-list.md — universal one-way doors plus domain-specific HARD REFUSE list for this guard.\n"
 }

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md

@@ -15,6 +15,10 @@ Before answering, read and follow:
 
 Load files under `skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/` only when the task needs that reference. Do not dump reference text into the response.
 
+## Required cluster setup
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) BEFORE invoking it. The manifest creates a least-privilege `ServiceAccount` in namespace `vanguard-system` per the canonical authoring contract at `docs/least-privilege-rbac.md`. The deliberately-omitted verbs are documented inline in the manifest.
+
 ## Focus
 
 Guard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings by capturing current state, detecting escalation verbs (escalate, bind, impersonate), high-severity resources (pods/exec, pods/attach, nodes/proxy, secrets), wildcard grants, and scope necessity before any mutation.
@@ -40,3 +44,11 @@ Guard live kubectl apply/create/delete on Roles, ClusterRoles, RoleBindings, and
 6. Proposed or executed kubectl apply / delete command
 7. Rollback posture (kubectl delete or kubectl apply -f <backup>)
 8. Post-mutation kubectl auth can-i verification and open risks
+
+## References
+
+Load these only when needed:
+
+- `references/least-privilege-rbac.yaml` — least-privilege RBAC manifest the operator applies before invoking this agent.
+- `references/rbac-pre-flight.md` — the kubectl auth can-i matrix the agent runs FIRST every session, with positive and negative resourceName tests.
+- `references/refusal-list.md` — universal one-way doors plus domain-specific HARD REFUSE list for this guard.

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json

@@ -19,8 +19,8 @@
     "https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/",
     "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
   ],
-  "security_notes": "Capture current RBAC state before every mutation — no built-in rollback exists. Block escalate, bind, and impersonate verbs without platform-team approval. Never approve wildcard verb/resource grants. Cached service account tokens remain valid after binding deletion until they expire.",
-  "last_verified": "2026-05-01",
+  "security_notes": "Capture current RBAC state before every mutation — no built-in rollback exists. Block escalate, bind, and impersonate verbs without platform-team approval. Never approve wildcard verb/resource grants. Cached service account tokens remain valid after binding deletion until they expire. Per docs/least-privilege-rbac.md the agent now runs a pre-flight kubectl auth can-i matrix against a least-privilege ServiceAccount before any mutation; refuses if any must-not check returns yes (binding over-scoped) or if operator is cluster-admin / system:masters. References shipped: least-privilege-rbac.yaml (deny-by-default ClusterRole), rbac-pre-flight.md (positive + negative resourceName tests), refusal-list.md (universal one-way doors plus domain-specific HARD REFUSE list). Refuses to read or process credentials volunteered by the operator; uses only the in-pod ServiceAccount token at /var/run/secrets/kubernetes.io/serviceaccount/token.",
+  "last_verified": "2026-05-08",
   "path": "agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent",
   "harness_variants": {
     "codex": "agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml",
@@ -32,5 +32,8 @@
     "kiro-cli": "agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json"
   },
   "author": "github: Raishin",
-  "version": "0.1.0"
+  "version": "0.1.0",
+  "companion_skills": [
+    "kubernetes-live-rbac-mutation-guard"
+  ]
 }

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/references/least-privilege-rbac.yaml

@@ -0,0 +1,92 @@
+# =====================================================================
+# Least-privilege RBAC for kubernetes-live-rbac-mutation-guard-agent
+#
+# Apply BEFORE running the agent.
+# Authoring contract: docs/least-privilege-rbac.md
+# Pre-flight matrix:  references/rbac-pre-flight.md
+# Refusal list:       references/refusal-list.md
+#
+# Audit:
+#   SA="system:serviceaccount:vanguard-system:vanguard-rbac-mutation-guard"
+#   kubectl auth can-i delete namespaces --as=$SA       # must return: no
+#   (domain-specific must-be-yes / must-not-be-yes in references/rbac-pre-flight.md)
+#
+# Per upstream kubernetes.io/docs/concepts/security/rbac-good-practices:
+#   "Avoid wildcard permissions, especially to all resources, as this grants
+#    access to current and future object types."
+# =====================================================================
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vanguard-system
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    app.kubernetes.io/managed-by: vanguard-frontier
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vanguard-rbac-mutation-guard
+  namespace: vanguard-system
+  annotations:
+    vanguard.frontier/agent: "kubernetes-live-rbac-mutation-guard-agent"
+    vanguard.frontier/scope: "least-privilege-kubernetes-live-rbac-mutation-guard"
+    vanguard.frontier/contract: "docs/least-privilege-rbac.md"
+automountServiceAccountToken: true
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vanguard-rbac-mutation-guard
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces", "serviceaccounts"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["create", "patch"]
+# =====================================================================
+# DELIBERATELY ABSENT — DO NOT add unless you accept the listed risk.
+# The binding is deny-by-default: anything not granted above is denied
+# at the API server. Categories (per docs/least-privilege-rbac.md):
+#
+#   - apiGroups: [""], resources: ["namespaces"]                          -> kube-system / cilium / istio-system delete
+#   - apiGroups: [""], resources: ["pods"], any verb                      -> exec / delete on control-plane pods
+#   - apiGroups: [""], resources: ["pods/exec","pods/portforward","pods/proxy","pods/binding","pods/eviction"]
+#   - apiGroups: [""], resources: ["nodes"], verbs: ["patch","update","delete"]   -> drain / cordon / delete
+#   - apiGroups: [""], resources: ["nodes/proxy"]                         -> direct kubelet API
+#   - apiGroups: ["coordination.k8s.io"], resources: ["leases"]           -> kube-node-lease, fake liveness
+#   - apiGroups: [""], resources: ["secrets"]                             -> cluster-wide credential exposure
+#   - apiGroups: [""], resources: ["serviceaccounts/token"]               -> mint tokens for arbitrary SAs
+#   - apiGroups: ["certificates.k8s.io"]                                  -> CSR approval (system:masters cert minting)
+#   - apiGroups: ["authentication.k8s.io"]                                -> tokenreviews, impersonation primitives
+#   - apiGroups: ["admissionregistration.k8s.io"]                         -> mutating/validating webhook configs
+#   - apiGroups: ["apiregistration.k8s.io"]                               -> APIService aggregation hijack
+#   - apiGroups: ["apiextensions.k8s.io"]                                 -> CRD install / uninstall
+#   - apiGroups: ["scheduling.k8s.io"]                                    -> system-cluster-critical / system-node-critical
+#   - apiGroups: ["apps"], resources: ["daemonsets","deployments","statefulsets"], verbs: write   in kube-system
+#   - apiGroups: ["networking.k8s.io"], resources: ["ingressclasses"], verbs: write   -> break Ingress controller binding
+#   - apiGroups: ["storage.k8s.io"], resources: ["storageclasses"], verbs: write      -> break PVC provisioning
+#   - apiGroups: [""], resources: ["endpoints"], verbs: write             -> race with controller, redirect Service traffic
+#   - apiGroups: ["discovery.k8s.io"], resources: ["endpointslices"], verbs: write    -> same race
+#   - apiGroups: ["rbac.authorization.k8s.io"]                            -> binding self-modification (unless this IS the rbac-mutation guard)
+#   - any "*" verb or "*" resource                                        -> per upstream RBAC good practices
+#   - any "delete" verb cluster-wide (rollback is via apply -f baseline)
+# =====================================================================
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vanguard-rbac-mutation-guard
+subjects:
+  - kind: ServiceAccount
+    name: vanguard-rbac-mutation-guard
+    namespace: vanguard-system
+roleRef:
+  kind: ClusterRole
+  name: vanguard-rbac-mutation-guard
+  apiGroup: rbac.authorization.k8s.io

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/references/rbac-pre-flight.md

@@ -0,0 +1,115 @@
+# RBAC pre-flight self-check — Kubernetes Live RBAC Mutation Guard
+
+This is the mandatory first action of every session. The agent runs this matrix before reading any user-supplied YAML, before formulating any mutation, before producing any output other than the matrix result.
+
+The matrix is grounded against `kubernetes.io/docs/concepts/security/rbac-good-practices` and `kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i`. The canonical authoring contract is `docs/least-privilege-rbac.md`.
+
+If any **must-not-be-yes** check returns `yes`, or any **must-be-yes** check returns `no`, the agent refuses to act and tells the user the binding is over- or under-scoped.
+
+---
+
+## Required RBAC manifest
+
+Apply `references/least-privilege-rbac.yaml` (shipped with this agent) before invoking it. The manifest creates `ServiceAccount/vanguard-rbac-mutation-guard` in namespace `vanguard-system`.
+
+---
+
+## Operator principal check (run first)
+
+```bash
+# If yes: operator is in system:masters or has cluster-admin. Refuse.
+kubectl auth can-i '*' '*' --all-namespaces
+```
+
+Per upstream `kubernetes.io/docs/concepts/security/rbac-good-practices`:
+
+> *Administrators should avoid using `cluster-admin` accounts and instead provide low-privileged accounts with impersonation rights.*
+>
+> *Do not add users to the `system:masters` group, as this bypasses all RBAC checks.*
+
+---
+
+## Universal must-not-be-yes (every live-guard)
+
+```bash
+SA="system:serviceaccount:vanguard-system:vanguard-rbac-mutation-guard"
+
+kubectl auth can-i '*' '*' --all-namespaces --as=$SA
+kubectl auth can-i delete namespaces --as=$SA
+kubectl auth can-i delete pods -n kube-system --as=$SA
+kubectl auth can-i create pods/exec -n kube-system --as=$SA
+kubectl auth can-i create pods/portforward --all-namespaces --as=$SA
+kubectl auth can-i delete daemonsets -n kube-system --as=$SA
+kubectl auth can-i delete deployments -n kube-system --as=$SA
+kubectl auth can-i create customresourcedefinitions --as=$SA
+kubectl auth can-i delete customresourcedefinitions --as=$SA
+kubectl auth can-i get secrets --all-namespaces --as=$SA
+kubectl auth can-i create clusterrolebindings --as=$SA
+kubectl auth can-i create mutatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i delete mutatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i create validatingwebhookconfigurations.admissionregistration.k8s.io --as=$SA
+kubectl auth can-i create apiservices.apiregistration.k8s.io --as=$SA
+kubectl auth can-i update certificatesigningrequests.certificates.k8s.io --subresource=approval --as=$SA
+kubectl auth can-i create serviceaccounts/token --all-namespaces --as=$SA
+kubectl auth can-i delete priorityclasses.scheduling.k8s.io --as=$SA
+kubectl auth can-i delete ingressclasses.networking.k8s.io --as=$SA
+kubectl auth can-i delete leases.coordination.k8s.io -n kube-node-lease --as=$SA
+kubectl auth can-i update namespaces/finalize --as=$SA
+```
+
+## Domain-specific must-not-be-yes (Kubernetes Live RBAC Mutation Guard)
+
+```bash
+# Cluster-scoped RBAC writes — opt-in only; default refusal
+kubectl auth can-i create clusterroles.rbac.authorization.k8s.io --as=$SA
+kubectl auth can-i create clusterrolebindings.rbac.authorization.k8s.io --as=$SA
+kubectl auth can-i patch clusterroles.rbac.authorization.k8s.io --as=$SA
+kubectl auth can-i patch clusterrolebindings.rbac.authorization.k8s.io --as=$SA
+# Privilege-escalation primitives
+kubectl auth can-i escalate roles.rbac.authorization.k8s.io --all-namespaces --as=$SA
+kubectl auth can-i bind roles.rbac.authorization.k8s.io --all-namespaces --as=$SA
+kubectl auth can-i escalate clusterroles.rbac.authorization.k8s.io --as=$SA
+kubectl auth can-i bind clusterroles.rbac.authorization.k8s.io --as=$SA
+kubectl auth can-i impersonate users --as=$SA
+kubectl auth can-i impersonate groups --as=$SA
+kubectl auth can-i impersonate serviceaccounts --all-namespaces --as=$SA
+# Delete — rollback is via apply -f baseline
+kubectl auth can-i delete roles.rbac.authorization.k8s.io --all-namespaces --as=$SA
+kubectl auth can-i delete rolebindings.rbac.authorization.k8s.io --all-namespaces --as=$SA
+# ServiceAccount creation (separate from RBAC; could be used to create a privileged SA)
+kubectl auth can-i create serviceaccounts --all-namespaces --as=$SA
+```
+
+## Domain-specific must-be-yes (Kubernetes Live RBAC Mutation Guard)
+
+```bash
+kubectl auth can-i create roles.rbac.authorization.k8s.io --all-namespaces --as=$SA
+kubectl auth can-i patch roles.rbac.authorization.k8s.io --all-namespaces --as=$SA
+kubectl auth can-i create rolebindings.rbac.authorization.k8s.io --all-namespaces --as=$SA
+kubectl auth can-i patch rolebindings.rbac.authorization.k8s.io --all-namespaces --as=$SA
+kubectl auth can-i list rolebindings.rbac.authorization.k8s.io --all-namespaces --as=$SA
+kubectl auth can-i list serviceaccounts --all-namespaces --as=$SA
+```
+
+Every must-not row must print `no`. Every must-be row must print `yes`. Any deviation: refuse and tell the operator which line failed.
+
+---
+
+## resourceName-scoped binding verification (positive AND negative)
+
+Where the manifest uses `resourceNames`, test BOTH the allowed name and at least one denied adjacent name. `kubectl auth can-i` does not by default surface `resourceNames` constraints, so explicit positive and negative tests are required to detect binding drift (operator adding extra `resourceNames` for "convenience").
+
+---
+
+## Refusal posture
+
+If pre-flight fails:
+
+```
+Pre-flight: FAIL
+Failing check: <verb> <resource> <namespace>
+Expected: no | Actual: yes (binding over-scoped on the bound ServiceAccount)
+Action: refusing to proceed. Re-apply references/least-privilege-rbac.yaml or scope down the existing binding.
+```
+
+No exceptions. The pre-flight is the gate.

package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/references/refusal-list.md

@@ -0,0 +1,132 @@
+# Hard refusal list — Kubernetes Live RBAC Mutation Guard
+
+This document is the explicit `REFUSE` list for Kubernetes Live RBAC Mutation Guard. It combines:
+
+1. **Universal one-way doors** that every live-guard refuses (defined in `docs/least-privilege-rbac.md`).
+2. **Domain-specific destructive operations** for Kubernetes Live RBAC Mutation Guard.
+
+> **Scope-of-defense clarification.** This list is the **prompt-level fast-path** for rejecting common destructive operations. The authoritative defense is the cluster-side RBAC binding (`references/least-privilege-rbac.yaml`), which is **deny-by-default**: it grants only the enumerated verbs / resources and denies everything else. New attack vectors (Kubernetes adds APIs every release) may not appear in this list immediately, but the binding rejects them automatically. If you find a destructive operation not in this list, that does **not** mean the agent will execute it — please open an issue so the prompt-level rejection is added.
+
+The format for each entry: **what is refused**, **why it's a one-way door**, **what to do instead**, **cluster-side blast radius if the prompt-level refusal is bypassed**.
+
+---
+
+## Universal one-way doors (refused by every live-guard)
+
+These apply across all live-guard agents in this repo. The cluster-side RBAC binding for this guard explicitly omits the verbs/resources for each of these:
+
+- **Namespace deletion** (`kubectl delete ns <any>`) — kube-system / cilium / istio-system / argocd / velero deletion is cluster-fatal.
+- **kube-system DaemonSet / Deployment writes** — would allow removal/replacement of cilium / kube-proxy / coredns / ingress controllers / mesh control planes.
+- **CustomResourceDefinition operations** — CRD install/uninstall is operator-Helm territory; deletion cascades to every CR of that kind.
+- **Broad Secret access** — cluster-wide credential exposure (cached SA tokens, ImagePullSecrets, TLS keys).
+- **Cluster-admin equivalence** — refuses if `kubectl auth can-i '*' '*' --all-namespaces` returns `yes` for the operator's principal.
+- **Node operations** — `kubectl delete node`, `drain`, `cordon`, `nodes/spec.taints` patch.
+- **Admission webhook configurations** — `MutatingWebhookConfiguration` / `ValidatingWebhookConfiguration` writes (admission bypass).
+- **APIService aggregation** — `apiregistration.k8s.io` writes (aggregation hijack).
+- **Finalizer manipulation** — `metadata.finalizers` patches that bypass namespace / PV / CRD deletion protection.
+- **Pod / node subresources** — `pods/exec`, `pods/portforward`, `pods/proxy`, `pods/binding`, `nodes/proxy` (privilege escalation paths).
+- **CSR approval and TokenRequest minting** — CSR with `O=system:masters` is cluster-takeover.
+- **Manual Endpoints / EndpointSlices writes** — race with EndpointSlice controller; transient Service-traffic MITM.
+- **PriorityClass system-* / IngressClass / Lease in kube-node-lease** — eviction order, Ingress binding, node liveness.
+
+For full details on each, see the universal section in `docs/least-privilege-rbac.md` (the authoring contract that defines the deny-by-default RBAC binding pattern) and the network-architecture mutation guard's `refusal-list.md` (the canonical reference implementation).
+
+---
+
+## Domain-specific HARD REFUSE list (Kubernetes Live RBAC Mutation Guard)
+
+
+## Bind a non-infrastructure ServiceAccount to cluster-admin
+
+**Why**: ClusterRoleBinding to `cluster-admin` grants every verb on every resource. The bound SA can now perform every other destructive operation on this list.
+
+**Instead**: Define a narrowly-scoped ClusterRole with the minimum verbs the workload needs. Per upstream RBAC good practices: `Avoid wildcard permissions, especially to all resources`.
+
+**Blast radius if bypassed**: Cluster-admin equivalence for the bound SA.
+
+---
+
+## Grant escalate verb on roles
+
+**Why**: Per upstream `kubernetes.io/docs/concepts/security/rbac-good-practices`: *granting users the `escalate` right allows them to bypass Kubernetes' built-in protections against privilege escalation*. A user with `escalate` on `clusterroles` can update any ClusterRole to include verbs they don't currently hold.
+
+**Instead**: The platform team uses a documented escalation procedure (e.g. break-glass account) instead of granting `escalate`. This guard refuses creation of any Role/ClusterRole with `escalate` verb without explicit CISO sign-off.
+
+**Blast radius if bypassed**: Self-bootstrap to cluster-admin in two API calls.
+
+---
+
+## Grant bind verb on roles
+
+**Why**: Per upstream RBAC good practices: *granting users the `bind` right allows them to bypass Kubernetes' built-in protections against privilege escalation*. A user with `bind` on `clusterroles` can create bindings to roles with rights they don't already possess.
+
+**Instead**: Same as `escalate` — break-glass procedure, not RBAC grant. Refuse without CISO sign-off.
+
+**Blast radius if bypassed**: Self-bootstrap to any existing privileged role.
+
+---
+
+## Grant impersonate verb on users / groups / serviceaccounts
+
+**Why**: The `impersonate` verb on `users` lets the principal request operations as any user, including `system:admin`. On `groups` it includes `system:masters` (the RBAC-bypass group). On `serviceaccounts` it lets the principal act as any SA cluster-wide.
+
+**Instead**: Impersonation rights are reserved for low-privileged operator accounts that pre-flight the mutation guards (per `docs/least-privilege-rbac.md`) — explicitly NOT for routine workloads. Never grant impersonate without operator-account justification.
+
+**Blast radius if bypassed**: Impersonation as `system:masters` group bypasses RBAC entirely (per upstream).
+
+---
+
+## Wildcard verb (`*`) or wildcard resource (`*`) in any rule
+
+**Why**: Per upstream RBAC good practices verbatim: *Avoid wildcard permissions, especially to all resources, as this grants access to current and future object types.* New API kinds added in future Kubernetes releases are auto-granted.
+
+**Instead**: Enumerate verbs and resources explicitly. The list of verbs on each resource is finite and well-documented.
+
+**Blast radius if bypassed**: Future-proof privilege escalation; new APIs grant new powers automatically.
+
+---
+
+## Add a subject in `system:masters` group
+
+**Why**: Per upstream: *Do not add users to the `system:masters` group, as this bypasses all RBAC checks and grants unrestricted superuser access.* Subjects in this group are NEVER subject to RBAC authorization — every verb is allowed regardless of binding.
+
+**Instead**: There is no legitimate use case for adding a non-bootstrap user to `system:masters`. This guard HARD REFUSES any binding with this group.
+
+**Blast radius if bypassed**: Permanent, irrevocable cluster-admin equivalence — the only fix is rotating the cluster CA.
+
+---
+
+## Bind to the `default` ServiceAccount in any namespace
+
+**Why**: The `default` SA is shared by every Pod in the namespace that doesn't specify its own SA. A binding to it grants the role to every such Pod — typically every Pod in the namespace at first.
+
+**Instead**: Create a dedicated ServiceAccount for the workload; bind only that SA. Refuse bindings to `default`.
+
+**Blast radius if bypassed**: Shared blast radius; future Pods in the namespace inherit the binding silently.
+
+---
+
+## Delete a ClusterRoleBinding without confirming dependent workloads
+
+**Why**: RBAC has no built-in revocation grace period or dependency tracking. Deleting a binding mid-workload-flight causes API calls to start returning `forbidden` immediately. Workloads that retry indefinitely consume resources; workloads that crash on auth failure cycle.
+
+**Instead**: Identify dependent workloads via `kubectl get rolebindings.rbac.authorization.k8s.io -A -o json | jq '.items[] | select(.roleRef.name=="<role>")'`; coordinate workload migration before deletion.
+
+**Blast radius if bypassed**: Authorization denial cascade; cached SA tokens may keep working briefly until the API server's authorization cache expires.
+
+---
+
+
+---
+
+## Refusal response format
+
+```
+REFUSED — <rule-section-header-from-this-document>
+
+Reason: <one-sentence explanation grounded in this document>
+What you can do instead: <pointer to kubernetes-rbac-review-agent for review-only analysis, or to platform-team-led procedure>
+RBAC enforcement: <whether the cluster-side binding also denies this verb (yes / no / depends on operator's principal)>
+```
+
+No retry. No "well actually". No partial execution. The refusal is the response.