@raishin/vanguard-frontier-agentic 2.5.0 → 2.6.0

package/plugins/vanguard-frontier-agentic/skills/vanguard-frontier-agentic-install/SKILL.md

@@ -0,0 +1,37 @@
+---
+name: vanguard-frontier-agentic-install
+description: Install all Vanguard Frontier Agentic Codex agents and companion skills into the current user's ~/.codex home after adding or installing the plugin marketplace.
+---
+
+# Vanguard Frontier Agentic Codex Install
+
+Use this skill when the user wants the Vanguard Frontier Agentic marketplace content installed into Codex as real user-level agents and skills.
+
+## Reliable two-stage install
+
+Run from any directory:
+
+```bash
+codex plugin marketplace add Raishin/vanguard-frontier-agentic
+npx --yes -p @raishin/vanguard-frontier-agentic \
+  vfa-export-agents --platform codex --all --repo "$HOME" --force
+```
+
+If working from a local checkout of the repository, prefer the local exporter so unpublished branch changes are used:
+
+```bash
+node scripts/export-marketplace-agents.mjs --platform codex --all --repo "$HOME" --force
+```
+
+## Verify
+
+```bash
+find "$HOME/.codex/agents" -maxdepth 1 -name '*.toml' | wc -l
+find "$HOME/.codex/skills" -mindepth 1 -maxdepth 1 -type d | wc -l
+```
+
+Expected for this release: all Codex-capable VFA agents are installed under `$HOME/.codex/agents`, and companion skills are installed under `$HOME/.codex/skills`.
+
+## Important limitation
+
+`codex plugin marketplace add` installs/tracks the marketplace source. It does not, by itself, prove that Codex installed the plugin cache or exported repo-level agent TOML files. The exporter is the deterministic second stage for agents and companion skills.

package/powers/README.md

@@ -1,6 +1,6 @@
 # `powers/` — Kiro Powers
 
-This directory holds **14 Kiro Powers** for `vanguard-frontier-agentic`, one
+This directory holds **32 Kiro Powers** for `vanguard-frontier-agentic`, one
 per cloud/platform/IaC provider. Each Power is a directory containing a
 `POWER.md` file with strict-5 frontmatter and steering content.
 
@@ -8,20 +8,38 @@ per cloud/platform/IaC provider. Each Power is a directory containing a
 
 ```
 powers/
+├── vanguard-alibaba/POWER.md
+├── vanguard-argocd/POWER.md
 ├── vanguard-aws/POWER.md
 ├── vanguard-azure/POWER.md
+├── vanguard-backstage/POWER.md
+├── vanguard-cert-manager/POWER.md
+├── vanguard-cilium/POWER.md
+├── vanguard-contabo/POWER.md
+├── vanguard-dotnet/POWER.md
+├── vanguard-falco/POWER.md
+├── vanguard-fluxcd/POWER.md
 ├── vanguard-gcp/POWER.md
-├── vanguard-oci/POWER.md
-├── vanguard-alibaba/POWER.md
-├── vanguard-huawei/POWER.md
-├── vanguard-ovhcloud/POWER.md
-├── vanguard-scaleway/POWER.md
+├── vanguard-generic/POWER.md
 ├── vanguard-hetzner/POWER.md
-├── vanguard-contabo/POWER.md
+├── vanguard-hr/POWER.md
+├── vanguard-huawei/POWER.md
 ├── vanguard-ionos/POWER.md
+├── vanguard-istio/POWER.md
 ├── vanguard-kubernetes/POWER.md
-├── vanguard-terraform/POWER.md
-└── vanguard-nvidia/POWER.md
+├── vanguard-kyverno/POWER.md
+├── vanguard-legal/POWER.md
+├── vanguard-marketing/POWER.md
+├── vanguard-multi-cloud/POWER.md
+├── vanguard-nvidia/POWER.md
+├── vanguard-oci/POWER.md
+├── vanguard-opentelemetry/POWER.md
+├── vanguard-ovhcloud/POWER.md
+├── vanguard-prometheus/POWER.md
+├── vanguard-salesforce/POWER.md
+├── vanguard-scaleway/POWER.md
+├── vanguard-sigstore/POWER.md
+└── vanguard-terraform/POWER.md
 ```
 
 Each `POWER.md` declares:
@@ -58,7 +76,7 @@ cd vanguard-frontier-agentic
 ## How to update
 
 ```bash
-# Regenerate the 14 Powers from catalog/agents.json + per-provider config:
+# Regenerate the 32 Powers from catalog/agents.json + per-provider config:
 npm run kiro-powers:write
 
 # Then verify everything is in sync:

package/powers/vanguard-argocd/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-argocd"
+displayName: "Vanguard Frontier — ArgoCD"
+description: "Curated ArgoCD review agents covering argo rollouts progressive delivery, gitops. Reference agents directly under agents/argocd/. Static review only; no live mutations."
+keywords: ["argocd", "gitops", "progressive-delivery", "application-sync"]
+author: "Raishin"
+---
+# Vanguard Frontier — ArgoCD
+
+Curated ArgoCD review agents covering argo rollouts progressive delivery, gitops. Reference agents directly under agents/argocd/. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references ArgoCD services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/argocd/`)*
+
+Reference agents directly from agents/argocd/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Sync and rollout strategies must be validated against the target cluster GitOps workflow.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/argocd/` in that repository. All 2 agents in this provider ship a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider argocd --repo .`

package/powers/vanguard-backstage/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-backstage"
+displayName: "Vanguard Frontier — Backstage"
+description: "Reviews backstage Scaffolder software templates for action blast-radius, input parameter injection, RBAC gate coverage,... Static review only; no live mutations."
+keywords: ["backstage", "scaffolder", "software-templates", "developer-portal"]
+author: "Raishin"
+---
+# Vanguard Frontier — Backstage
+
+Reviews backstage Scaffolder software templates for action blast-radius, input parameter injection, RBAC gate coverage,... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Backstage services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/backstage/`)*
+
+Reference agents directly from agents/backstage/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Template parameters and scaffolder actions must be reviewed for injection and secret-exposure risks.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/backstage/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider backstage --repo .`

package/powers/vanguard-cert-manager/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-cert-manager"
+displayName: "Vanguard Frontier — Cert-Manager"
+description: "Reviews cert-manager Issuer and ClusterIssuer scope, CertificateRequestPolicy coverage, certificate SAN and duration risks,... Static review only; no live mutations."
+keywords: ["cert-manager", "x509", "certificate-lifecycle", "pki"]
+author: "Raishin"
+---
+# Vanguard Frontier — Cert-Manager
+
+Reviews cert-manager Issuer and ClusterIssuer scope, CertificateRequestPolicy coverage, certificate SAN and duration risks,... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Cert-Manager services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/cert-manager/`)*
+
+Reference agents directly from agents/cert-manager/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Certificate renewal windows and issuer trust chains must be validated before any policy change.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/cert-manager/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider cert-manager --repo .`

package/powers/vanguard-cilium/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-cilium"
+displayName: "Vanguard Frontier — Cilium"
+description: "Reviews cilium CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, standard NetworkPolicy, ClusterMesh cross-cluster policy... Static review only; no live mutations."
+keywords: ["cilium", "network-policy", "ebpf", "cluster-mesh"]
+author: "Raishin"
+---
+# Vanguard Frontier — Cilium
+
+Reviews cilium CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, standard NetworkPolicy, ClusterMesh cross-cluster policy... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Cilium services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/cilium/`)*
+
+Reference agents directly from agents/cilium/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Network policies must be reviewed for unintended traffic blocking across namespaces and cluster-mesh endpoints.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/cilium/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider cilium --repo .`

package/powers/vanguard-dotnet/POWER.md

@@ -0,0 +1,41 @@
+---
+name: "vanguard-dotnet"
+displayName: "Vanguard Frontier — .NET"
+description: "Curated .NET agents for aspire cloud native, aspnetcore api, aspnetcore identity authz, csharp runtime. Routes via dotnet-maestro-agent to specialist agents based on task scope. Static review only; no live mutations."
+keywords: ["dotnet", "csharp", "aspnet-core", "ef-core", "nuget"]
+author: "Raishin"
+---
+# Vanguard Frontier — .NET
+
+Curated .NET agents for aspire cloud native, aspnetcore api, aspnetcore identity authz, csharp runtime. Routes via dotnet-maestro-agent to specialist agents based on task scope. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references .NET services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- **`dotnet-maestro-agent`** — classifies and routes the task to the right specialist
+
+Use the maestro as the entry point: classify the task, then dispatch to one specialist or a parallel team of specialists. Never have the maestro itself execute a live mutation.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Route all tasks through dotnet-maestro-agent for proper classification and dispatch.
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Review covers language runtime, frameworks, data access, testing, and supply-chain integrity.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/dotnet/` in that repository. All 10 agents in this provider ship a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider dotnet --repo .`

package/powers/vanguard-falco/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-falco"
+displayName: "Vanguard Frontier — Falco"
+description: "Reviews falco rules for macro correctness, exception blast radius, sensitive-path coverage, K8s audit gaps, and alert output... Static review only; no live mutations."
+keywords: ["falco", "runtime-threat", "syscall-rules", "container-security"]
+author: "Raishin"
+---
+# Vanguard Frontier — Falco
+
+Reviews falco rules for macro correctness, exception blast radius, sensitive-path coverage, K8s audit gaps, and alert output... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Falco services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/falco/`)*
+
+Reference agents directly from agents/falco/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Rule changes must be evaluated for false-positive rate impact on production alerting.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/falco/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider falco --repo .`

package/powers/vanguard-fluxcd/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-fluxcd"
+displayName: "Vanguard Frontier — FluxCD"
+description: "Reviews fluxCD Kustomization, HelmRelease, and source resources for SOPS encryption, source trust, ServiceAccount scoping,... Static review only; no live mutations."
+keywords: ["fluxcd", "gitops", "kustomization", "helm-release"]
+author: "Raishin"
+---
+# Vanguard Frontier — FluxCD
+
+Reviews fluxCD Kustomization, HelmRelease, and source resources for SOPS encryption, source trust, ServiceAccount scoping,... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references FluxCD services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/fluxcd/`)*
+
+Reference agents directly from agents/fluxcd/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Kustomization and HelmRelease reconciliation intervals must align with the GitOps change cadence.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/fluxcd/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider fluxcd --repo .`

package/powers/vanguard-generic/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-generic"
+displayName: "Vanguard Frontier — Generic"
+description: "Curated Generic review agents covering ci test pipeline, helm chart quality, kubernetes manifest quality, llm ai pipeline test. Reference agents directly under agents/generic/. Static review only; no live mutations."
+keywords: ["test-quality", "ci-pipeline", "helm-chart", "manifest-review"]
+author: "Raishin"
+---
+# Vanguard Frontier — Generic
+
+Curated Generic review agents covering ci test pipeline, helm chart quality, kubernetes manifest quality, llm ai pipeline test. Reference agents directly under agents/generic/. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Generic services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/generic/`)*
+
+Reference agents directly from agents/generic/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Agents are provider-agnostic and focus on CI, Helm, manifest, and test-quality patterns.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/generic/` in that repository. 9 of 10 agents in this provider ship a Kiro adapter; the rest provide steering context only.
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider generic --repo .`

package/powers/vanguard-hr/POWER.md

@@ -0,0 +1,41 @@
+---
+name: "vanguard-hr"
+displayName: "Vanguard Frontier — HR"
+description: "Curated HR agents for analytics people data, benefits payroll, compensation equity, culture dei. Routes via hr-maestro-agent to specialist agents based on task scope. Static review only; no live mutations."
+keywords: ["hr-governance", "employment-risk", "compensation-equity", "recruiting"]
+author: "Raishin"
+---
+# Vanguard Frontier — HR
+
+Curated HR agents for analytics people data, benefits payroll, compensation equity, culture dei. Routes via hr-maestro-agent to specialist agents based on task scope. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references HR services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- **`hr-maestro-agent`** — classifies and routes the task to the right specialist
+
+Use the maestro as the entry point: classify the task, then dispatch to one specialist or a parallel team of specialists. Never have the maestro itself execute a live mutation.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Route all tasks through hr-maestro-agent for proper classification and dispatch.
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- All findings must respect employee privacy and data-minimization principles.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/hr/` in that repository. All 15 agents in this provider ship a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider hr --repo .`

package/powers/vanguard-istio/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-istio"
+displayName: "Vanguard Frontier — Istio"
+description: "Reviews istio ambient mesh configuration — ztunnel L4 vs waypoint L7 enforcement, AuthorizationPolicy scope,... Static review only; no live mutations."
+keywords: ["istio", "service-mesh", "ambient-mesh", "mtls"]
+author: "Raishin"
+---
+# Vanguard Frontier — Istio
+
+Reviews istio ambient mesh configuration — ztunnel L4 vs waypoint L7 enforcement, AuthorizationPolicy scope,... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Istio services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/istio/`)*
+
+Reference agents directly from agents/istio/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Service mesh policies affect traffic routing cluster-wide; review blast radius before changes.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/istio/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider istio --repo .`

package/powers/vanguard-kyverno/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-kyverno"
+displayName: "Vanguard Frontier — Kyverno"
+description: "Reviews kyverno ClusterPolicy and Policy resources for failureAction, background scanning, PolicyException audit,... Static review only; no live mutations."
+keywords: ["kyverno", "admission-policy", "cluster-policy", "policy-enforcement"]
+author: "Raishin"
+---
+# Vanguard Frontier — Kyverno
+
+Reviews kyverno ClusterPolicy and Policy resources for failureAction, background scanning, PolicyException audit,... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Kyverno services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/kyverno/`)*
+
+Reference agents directly from agents/kyverno/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Cluster-scoped policies can reject legitimate workloads; validate against existing deployments before applying.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/kyverno/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider kyverno --repo .`

package/powers/vanguard-legal/POWER.md

@@ -0,0 +1,41 @@
+---
+name: "vanguard-legal"
+displayName: "Vanguard Frontier — Legal"
+description: "Curated Legal agents for contract, counsel, employment law risk, ethics investigations. Routes via legal-maestro-agent to specialist agents based on task scope. Static review only; no live mutations."
+keywords: ["legal-risk", "contract-review", "privacy-compliance", "regulatory"]
+author: "Raishin"
+---
+# Vanguard Frontier — Legal
+
+Curated Legal agents for contract, counsel, employment law risk, ethics investigations. Routes via legal-maestro-agent to specialist agents based on task scope. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Legal services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- **`legal-maestro-agent`** — classifies and routes the task to the right specialist
+
+Use the maestro as the entry point: classify the task, then dispatch to one specialist or a parallel team of specialists. Never have the maestro itself execute a live mutation.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Route all tasks through legal-maestro-agent for proper classification and dispatch.
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Agents provide risk-flagging only; output is not legal advice and does not create attorney-client privilege.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/legal/` in that repository. All 13 agents in this provider ship a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider legal --repo .`

package/powers/vanguard-marketing/POWER.md

@@ -0,0 +1,41 @@
+---
+name: "vanguard-marketing"
+displayName: "Vanguard Frontier — Marketing"
+description: "Curated Marketing agents for ai advertising targeting fairness, analytics data minimization, email sender authentication, eu ai act marketing system. Routes via marketing-maestro-agent to specialist agents based on task scope. Static review only; no live mutations."
+keywords: ["marketing-governance", "consent-compliance", "advertising-fairness", "email-authentication"]
+author: "Raishin"
+---
+# Vanguard Frontier — Marketing
+
+Curated Marketing agents for ai advertising targeting fairness, analytics data minimization, email sender authentication, eu ai act marketing system. Routes via marketing-maestro-agent to specialist agents based on task scope. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Marketing services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- **`marketing-maestro-agent`** — classifies and routes the task to the right specialist
+
+Use the maestro as the entry point: classify the task, then dispatch to one specialist or a parallel team of specialists. Never have the maestro itself execute a live mutation.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Route all tasks through marketing-maestro-agent for proper classification and dispatch.
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Review covers consent, privacy, fairness, and regulatory compliance for marketing systems.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/marketing/` in that repository. All 14 agents in this provider ship a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider marketing --repo .`