@raishin/vanguard-frontier-agentic 2.5.0 → 2.7.0

package/powers/vanguard-dotnet/POWER.md

@@ -0,0 +1,41 @@
+---
+name: "vanguard-dotnet"
+displayName: "Vanguard Frontier — .NET"
+description: "Curated .NET agents for aspire cloud native, aspnetcore api, aspnetcore identity authz, csharp runtime. Routes via dotnet-maestro-agent to specialist agents based on task scope. Static review only; no live mutations."
+keywords: ["dotnet", "csharp", "aspnet-core", "ef-core", "nuget"]
+author: "Raishin"
+---
+# Vanguard Frontier — .NET
+
+Curated .NET agents for aspire cloud native, aspnetcore api, aspnetcore identity authz, csharp runtime. Routes via dotnet-maestro-agent to specialist agents based on task scope. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references .NET services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- **`dotnet-maestro-agent`** — classifies and routes the task to the right specialist
+
+Use the maestro as the entry point: classify the task, then dispatch to one specialist or a parallel team of specialists. Never have the maestro itself execute a live mutation.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Route all tasks through dotnet-maestro-agent for proper classification and dispatch.
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Review covers language runtime, frameworks, data access, testing, and supply-chain integrity.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/dotnet/` in that repository. All 10 agents in this provider ship a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider dotnet --repo .`

package/powers/vanguard-falco/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-falco"
+displayName: "Vanguard Frontier — Falco"
+description: "Reviews falco rules for macro correctness, exception blast radius, sensitive-path coverage, K8s audit gaps, and alert output... Static review only; no live mutations."
+keywords: ["falco", "runtime-threat", "syscall-rules", "container-security"]
+author: "Raishin"
+---
+# Vanguard Frontier — Falco
+
+Reviews falco rules for macro correctness, exception blast radius, sensitive-path coverage, K8s audit gaps, and alert output... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Falco services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/falco/`)*
+
+Reference agents directly from agents/falco/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Rule changes must be evaluated for false-positive rate impact on production alerting.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/falco/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider falco --repo .`

package/powers/vanguard-fluxcd/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-fluxcd"
+displayName: "Vanguard Frontier — FluxCD"
+description: "Reviews fluxCD Kustomization, HelmRelease, and source resources for SOPS encryption, source trust, ServiceAccount scoping,... Static review only; no live mutations."
+keywords: ["fluxcd", "gitops", "kustomization", "helm-release"]
+author: "Raishin"
+---
+# Vanguard Frontier — FluxCD
+
+Reviews fluxCD Kustomization, HelmRelease, and source resources for SOPS encryption, source trust, ServiceAccount scoping,... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references FluxCD services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/fluxcd/`)*
+
+Reference agents directly from agents/fluxcd/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Kustomization and HelmRelease reconciliation intervals must align with the GitOps change cadence.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/fluxcd/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider fluxcd --repo .`

package/powers/vanguard-generic/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-generic"
+displayName: "Vanguard Frontier — Generic"
+description: "Curated Generic review agents covering ci test pipeline, helm chart quality, kubernetes manifest quality, llm ai pipeline test. Reference agents directly under agents/generic/. Static review only; no live mutations."
+keywords: ["test-quality", "ci-pipeline", "helm-chart", "manifest-review"]
+author: "Raishin"
+---
+# Vanguard Frontier — Generic
+
+Curated Generic review agents covering ci test pipeline, helm chart quality, kubernetes manifest quality, llm ai pipeline test. Reference agents directly under agents/generic/. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Generic services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/generic/`)*
+
+Reference agents directly from agents/generic/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Agents are provider-agnostic and focus on CI, Helm, manifest, and test-quality patterns.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/generic/` in that repository. 9 of 10 agents in this provider ship a Kiro adapter; the rest provide steering context only.
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider generic --repo .`

package/powers/vanguard-hr/POWER.md

@@ -0,0 +1,41 @@
+---
+name: "vanguard-hr"
+displayName: "Vanguard Frontier — HR"
+description: "Curated HR agents for analytics people data, benefits payroll, compensation equity, culture dei. Routes via hr-maestro-agent to specialist agents based on task scope. Static review only; no live mutations."
+keywords: ["hr-governance", "employment-risk", "compensation-equity", "recruiting"]
+author: "Raishin"
+---
+# Vanguard Frontier — HR
+
+Curated HR agents for analytics people data, benefits payroll, compensation equity, culture dei. Routes via hr-maestro-agent to specialist agents based on task scope. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references HR services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- **`hr-maestro-agent`** — classifies and routes the task to the right specialist
+
+Use the maestro as the entry point: classify the task, then dispatch to one specialist or a parallel team of specialists. Never have the maestro itself execute a live mutation.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Route all tasks through hr-maestro-agent for proper classification and dispatch.
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- All findings must respect employee privacy and data-minimization principles.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/hr/` in that repository. All 15 agents in this provider ship a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider hr --repo .`

package/powers/vanguard-istio/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-istio"
+displayName: "Vanguard Frontier — Istio"
+description: "Reviews istio ambient mesh configuration — ztunnel L4 vs waypoint L7 enforcement, AuthorizationPolicy scope,... Static review only; no live mutations."
+keywords: ["istio", "service-mesh", "ambient-mesh", "mtls"]
+author: "Raishin"
+---
+# Vanguard Frontier — Istio
+
+Reviews istio ambient mesh configuration — ztunnel L4 vs waypoint L7 enforcement, AuthorizationPolicy scope,... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Istio services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/istio/`)*
+
+Reference agents directly from agents/istio/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Service mesh policies affect traffic routing cluster-wide; review blast radius before changes.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/istio/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider istio --repo .`

package/powers/vanguard-kyverno/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-kyverno"
+displayName: "Vanguard Frontier — Kyverno"
+description: "Reviews kyverno ClusterPolicy and Policy resources for failureAction, background scanning, PolicyException audit,... Static review only; no live mutations."
+keywords: ["kyverno", "admission-policy", "cluster-policy", "policy-enforcement"]
+author: "Raishin"
+---
+# Vanguard Frontier — Kyverno
+
+Reviews kyverno ClusterPolicy and Policy resources for failureAction, background scanning, PolicyException audit,... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Kyverno services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/kyverno/`)*
+
+Reference agents directly from agents/kyverno/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Cluster-scoped policies can reject legitimate workloads; validate against existing deployments before applying.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/kyverno/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider kyverno --repo .`

package/powers/vanguard-legal/POWER.md

@@ -0,0 +1,41 @@
+---
+name: "vanguard-legal"
+displayName: "Vanguard Frontier — Legal"
+description: "Curated Legal agents for contract, counsel, employment law risk, ethics investigations. Routes via legal-maestro-agent to specialist agents based on task scope. Static review only; no live mutations."
+keywords: ["legal-risk", "contract-review", "privacy-compliance", "regulatory"]
+author: "Raishin"
+---
+# Vanguard Frontier — Legal
+
+Curated Legal agents for contract, counsel, employment law risk, ethics investigations. Routes via legal-maestro-agent to specialist agents based on task scope. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Legal services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- **`legal-maestro-agent`** — classifies and routes the task to the right specialist
+
+Use the maestro as the entry point: classify the task, then dispatch to one specialist or a parallel team of specialists. Never have the maestro itself execute a live mutation.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Route all tasks through legal-maestro-agent for proper classification and dispatch.
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Agents provide risk-flagging only; output is not legal advice and does not create attorney-client privilege.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/legal/` in that repository. All 13 agents in this provider ship a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider legal --repo .`

package/powers/vanguard-marketing/POWER.md

@@ -0,0 +1,41 @@
+---
+name: "vanguard-marketing"
+displayName: "Vanguard Frontier — Marketing"
+description: "Curated Marketing agents for ai advertising targeting fairness, analytics data minimization, email sender authentication, eu ai act marketing system. Routes via marketing-maestro-agent to specialist agents based on task scope. Static review only; no live mutations."
+keywords: ["marketing-governance", "consent-compliance", "advertising-fairness", "email-authentication"]
+author: "Raishin"
+---
+# Vanguard Frontier — Marketing
+
+Curated Marketing agents for ai advertising targeting fairness, analytics data minimization, email sender authentication, eu ai act marketing system. Routes via marketing-maestro-agent to specialist agents based on task scope. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Marketing services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- **`marketing-maestro-agent`** — classifies and routes the task to the right specialist
+
+Use the maestro as the entry point: classify the task, then dispatch to one specialist or a parallel team of specialists. Never have the maestro itself execute a live mutation.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Route all tasks through marketing-maestro-agent for proper classification and dispatch.
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Review covers consent, privacy, fairness, and regulatory compliance for marketing systems.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/marketing/` in that repository. All 14 agents in this provider ship a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider marketing --repo .`

package/powers/vanguard-multi-cloud/POWER.md

@@ -0,0 +1,41 @@
+---
+name: "vanguard-multi-cloud"
+displayName: "Vanguard Frontier — Multi-Cloud"
+description: "Curated Multi-Cloud agents for ai economist, cloud price advisor. Routes via finops-maestro-agent to specialist agents based on task scope. Static review only; no live mutations."
+keywords: ["finops", "cloud-pricing", "cost-optimization", "reserved-instances"]
+author: "Raishin"
+---
+# Vanguard Frontier — Multi-Cloud
+
+Curated Multi-Cloud agents for ai economist, cloud price advisor. Routes via finops-maestro-agent to specialist agents based on task scope. Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Multi-Cloud services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- **`finops-maestro-agent`** — classifies and routes the task to the right specialist
+
+Use the maestro as the entry point: classify the task, then dispatch to one specialist or a parallel team of specialists. Never have the maestro itself execute a live mutation.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Route all tasks through finops-maestro-agent for proper classification and dispatch.
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Cost recommendations are estimates based on public pricing; verify against actual billing before acting.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/multi-cloud/` in that repository. All 3 agents in this provider ship a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider multi-cloud --repo .`

package/powers/vanguard-opentelemetry/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-opentelemetry"
+displayName: "Vanguard Frontier — OpenTelemetry"
+description: "Reviews openTelemetry Collector pipeline configuration — receiver/processor/exporter ordering, memory_limiter placement,... Static review only; no live mutations."
+keywords: ["opentelemetry", "otel-collector", "tracing", "observability-pipeline"]
+author: "Raishin"
+---
+# Vanguard Frontier — OpenTelemetry
+
+Reviews openTelemetry Collector pipeline configuration — receiver/processor/exporter ordering, memory_limiter placement,... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references OpenTelemetry services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/opentelemetry/`)*
+
+Reference agents directly from agents/opentelemetry/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Collector pipeline changes affect observability for all instrumented services; review cardinality impact.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/opentelemetry/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider opentelemetry --repo .`

package/powers/vanguard-prometheus/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-prometheus"
+displayName: "Vanguard Frontier — Prometheus"
+description: "Reviews prometheus and AlertManager configuration for cardinality risks, alert correctness, scrape security, routing safety,... Static review only; no live mutations."
+keywords: ["prometheus", "alertmanager", "metrics-cardinality", "scrape-config"]
+author: "Raishin"
+---
+# Vanguard Frontier — Prometheus
+
+Reviews prometheus and AlertManager configuration for cardinality risks, alert correctness, scrape security, routing safety,... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Prometheus services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/prometheus/`)*
+
+Reference agents directly from agents/prometheus/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Alerting rule and scrape config changes affect monitoring coverage; review for metric-name collisions.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/prometheus/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider prometheus --repo .`

package/powers/vanguard-sigstore/POWER.md

@@ -0,0 +1,40 @@
+---
+name: "vanguard-sigstore"
+displayName: "Vanguard Frontier — Sigstore"
+description: "Reviews cosign image signing, Kyverno imageVerify policy identity constraints, SBOM and SLSA provenance attestations, Rekor... Static review only; no live mutations."
+keywords: ["sigstore", "cosign", "supply-chain-integrity", "image-signing"]
+author: "Raishin"
+---
+# Vanguard Frontier — Sigstore
+
+Reviews cosign image signing, Kyverno imageVerify policy identity constraints, SBOM and SLSA provenance attestations, Rekor... Static review only; no live mutations.
+
+## When to engage this Power
+
+Activate when the task references Sigstore services, resources, or operations. Do not activate on unrelated requests — narrow keyword matching is required to avoid false activations (Kiro Powers convention).
+
+## Routing pattern
+
+- *(no maestro for this provider; reference agents directly under `agents/sigstore/`)*
+
+Reference agents directly from agents/sigstore/ without maestro-based routing.
+
+## Live-guard agents (gate_mode only)
+
+- *(none — this provider has no live-mutation guards in the catalog)*
+
+Live-guard agents enforce approval, target confirmation, evidence capture, and rollback plans before executing a mutation. They are never auto-dispatched — the maestro must place them in `live-guard-gate` or `runtime-evidence-gate` mode.
+
+## Invariants
+
+- Static review only -- agents analyze configuration and provide findings without mutating live systems.
+- Supply-chain policy changes can block valid deployments; verify cosign keyless trust roots before enforcement.
+
+## Where the agents live
+
+Agent specs and adapters are part of the [Vanguard Frontier Agentic](https://github.com/Raishin/vanguard-frontier-agentic) marketplace. For this provider, see `agents/sigstore/` in that repository. The single agent in this provider ships a Kiro adapter (`harnesses/kiro-ide.agent.md`, `kiro-cli.agent.json`).
+
+## Companion install paths
+
+- **Claude Code:** `/plugin marketplace add Raishin/vanguard-frontier-agentic` then `/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic`
+- **Codex / Copilot / Cursor / Gemini CLI / Kiro (file export):** `npx vfa-export-agents --platform <harness> --provider sigstore --repo .`

package/scripts/export-marketplace-agents.mjs

@@ -45,6 +45,7 @@ const PLATFORM_ALIASES = {
 };
 
 const SKILLS_PLATFORM_CONFIG = {
+  codex: ".codex/skills",
   "claude-code": ".claude/skills",
   copilot: ".github/skills",
   gemini: ".gemini/skills",
@@ -332,6 +333,14 @@ function copySkillTree(sourceDir, destDir, force) {
     if (entry.isSymbolicLink()) {
       throw new Error(`Refusing to copy symbolic link in skill tree: ${src}`);
     }
+    let dstLstat = null;
+    try { dstLstat = fs.lstatSync(dst); } catch { /* dst does not exist – fine */ }
+    if (dstLstat && dstLstat.isSymbolicLink()) {
+      throw new Error(
+        `Refusing to write to symbolic link destination in skill tree: ${dst}. ` +
+        `Remove the symlink and retry.`
+      );
+    }
     if (entry.isDirectory()) {
       copySkillTree(src, dst, force);
       continue;
@@ -420,6 +429,20 @@ function copyFile(source, destination, force) {
   fs.copyFileSync(source, destination);
 }
 
+function rewriteCodexAgentSkillPaths(agentFile, targetRoot) {
+  const text = fs.readFileSync(agentFile, "utf8");
+  const rewritten = text.replace(
+    /^path = "skills\/[^"\n]+\/([^/"\n]+)\/SKILL\.md"$/gm,
+    (_match, skillName) => {
+      const skillDir = path.join(targetRoot, SKILLS_PLATFORM_CONFIG.codex, skillName);
+      return `path = ${JSON.stringify(skillDir)}`;
+    }
+  );
+  if (rewritten !== text) {
+    fs.writeFileSync(agentFile, rewritten);
+  }
+}
+
 function loadRoles() {
   const rolesPath = path.join(repoRoot, "catalog", "install-roles.json");
   if (!fs.existsSync(rolesPath)) {
@@ -640,6 +663,9 @@ function main() {
   for (const operation of operations) {
     assertWithin(args.repo, operation.dest, "write destination");
     copyFile(operation.source, operation.dest, args.force);
+    if (platform === "codex") {
+      rewriteCodexAgentSkillPaths(operation.dest, args.repo);
+    }
     console.log(
       `installed\t${operation.agentId}\t${operation.variantKey}\t${path.relative(args.repo, operation.dest)}`
     );