@synapta/skills 0.1.0 → 0.1.2
- package/dist/index.js +11 -4
- package/package.json +3 -4
- package/skills/ATTRIBUTION.md +80 -0
- package/skills/accessibility-audit/SKILL.md +325 -0
- package/skills/accessibility-audit/reference/wcag-checklist.md +103 -0
- package/skills/apns-notifier/SKILL.md +86 -0
- package/skills/approval-policy-enforcer/SKILL.md +66 -0
- package/skills/apps-sdk-builder/LICENSE.txt +201 -0
- package/skills/apps-sdk-builder/SKILL.md +328 -0
- package/skills/apps-sdk-builder/agents/openai.yaml +13 -0
- package/skills/apps-sdk-builder/references/app-archetypes.md +132 -0
- package/skills/apps-sdk-builder/references/apps-sdk-docs-workflow.md +135 -0
- package/skills/apps-sdk-builder/references/interactive-state-sync-patterns.md +113 -0
- package/skills/apps-sdk-builder/references/repo-contract-and-validation.md +93 -0
- package/skills/apps-sdk-builder/references/search-fetch-standard.md +67 -0
- package/skills/apps-sdk-builder/references/upstream-example-workflow.md +79 -0
- package/skills/apps-sdk-builder/references/window-openai-patterns.md +79 -0
- package/skills/apps-sdk-builder/scripts/scaffold_node_ext_apps.mjs +606 -0
- package/skills/architecture-selector/SKILL.md +64 -0
- package/skills/backlog-planner/SKILL.md +68 -0
- package/skills/carplay-entitlement-checker/SKILL.md +82 -0
- package/skills/concept-discovery/SKILL.md +517 -0
- package/skills/concept-discovery/assets/sample-analysis.json +81 -0
- package/skills/concept-discovery/expected_outputs/sample-enum-dictionary.md +25 -0
- package/skills/concept-discovery/expected_outputs/sample-page-user-list.md +83 -0
- package/skills/concept-discovery/expected_outputs/sample-prd-readme.md +43 -0
- package/skills/concept-discovery/references/framework-patterns.md +228 -0
- package/skills/concept-discovery/references/prd-quality-checklist.md +65 -0
- package/skills/concept-discovery/scripts/codebase_analyzer.py +732 -0
- package/skills/concept-discovery/scripts/prd_scaffolder.py +435 -0
- package/skills/dast-zap/SKILL.md +453 -0
- package/skills/dast-zap/assets/.gitkeep +9 -0
- package/skills/dast-zap/assets/github_action.yml +207 -0
- package/skills/dast-zap/assets/gitlab_ci.yml +226 -0
- package/skills/dast-zap/assets/zap_automation.yaml +196 -0
- package/skills/dast-zap/assets/zap_context.xml +192 -0
- package/skills/dast-zap/references/EXAMPLE.md +40 -0
- package/skills/dast-zap/references/api_testing_guide.md +475 -0
- package/skills/dast-zap/references/authentication_guide.md +431 -0
- package/skills/dast-zap/references/false_positive_handling.md +427 -0
- package/skills/dast-zap/references/owasp_mapping.md +255 -0
- package/skills/dep-sbom-scan/SKILL.md +466 -0
- package/skills/deploy-cloudflare/SKILL.md +930 -0
- package/skills/deploy-docker/SKILL.md +55 -0
- package/skills/deploy-fly/SKILL.md +228 -0
- package/skills/deploy-k8s/SKILL.md +108 -0
- package/skills/deploy-k8s/assets/logo.png +0 -0
- package/skills/deploy-k8s/docs/README.md +29 -0
- package/skills/deploy-k8s/docs/SUMMARY.md +56 -0
- package/skills/deploy-k8s/docs/advanced/token-efficiency.md +61 -0
- package/skills/deploy-k8s/docs/architecture/multi-tenancy.md +96 -0
- package/skills/deploy-k8s/docs/architecture/storage-and-state.md +102 -0
- package/skills/deploy-k8s/docs/architecture/workload-patterns.md +87 -0
- package/skills/deploy-k8s/docs/book.json +16 -0
- package/skills/deploy-k8s/docs/community/changelog.md +34 -0
- package/skills/deploy-k8s/docs/community/contributing.md +67 -0
- package/skills/deploy-k8s/docs/core-concepts/failure-modes.md +153 -0
- package/skills/deploy-k8s/docs/core-concepts/philosophy.md +83 -0
- package/skills/deploy-k8s/docs/core-concepts/workflow.md +124 -0
- package/skills/deploy-k8s/docs/examples/bad-patterns.md +47 -0
- package/skills/deploy-k8s/docs/examples/do-dont-checklist.md +37 -0
- package/skills/deploy-k8s/docs/examples/good-patterns.md +49 -0
- package/skills/deploy-k8s/docs/failure-modes/api-drift.md +104 -0
- package/skills/deploy-k8s/docs/failure-modes/fragile-rollouts.md +99 -0
- package/skills/deploy-k8s/docs/failure-modes/insecure-workload-defaults.md +80 -0
- package/skills/deploy-k8s/docs/failure-modes/network-exposure.md +98 -0
- package/skills/deploy-k8s/docs/failure-modes/privilege-sprawl.md +91 -0
- package/skills/deploy-k8s/docs/failure-modes/resource-starvation.md +85 -0
- package/skills/deploy-k8s/docs/getting-started/installation.md +152 -0
- package/skills/deploy-k8s/docs/getting-started/quick-start.md +115 -0
- package/skills/deploy-k8s/docs/guides/helm-patterns.md +71 -0
- package/skills/deploy-k8s/docs/guides/kustomize-patterns.md +65 -0
- package/skills/deploy-k8s/docs/guides/observability.md +67 -0
- package/skills/deploy-k8s/docs/guides/security-hardening.md +59 -0
- package/skills/deploy-k8s/docs/guides/validation-and-policy.md +66 -0
- package/skills/deploy-k8s/docs/integrations/mcp-integration.md +52 -0
- package/skills/deploy-k8s/docs/package-lock.json +2892 -0
- package/skills/deploy-k8s/docs/package.json +13 -0
- package/skills/deploy-k8s/references/api-drift.md +298 -0
- package/skills/deploy-k8s/references/conditional/aks-patterns.md +70 -0
- package/skills/deploy-k8s/references/conditional/eks-patterns.md +79 -0
- package/skills/deploy-k8s/references/conditional/gitops-controllers.md +71 -0
- package/skills/deploy-k8s/references/conditional/gke-patterns.md +74 -0
- package/skills/deploy-k8s/references/conditional/observability-stacks.md +80 -0
- package/skills/deploy-k8s/references/conditional/openshift-patterns.md +67 -0
- package/skills/deploy-k8s/references/daemonset-operator-patterns.md +155 -0
- package/skills/deploy-k8s/references/deployment-patterns.md +146 -0
- package/skills/deploy-k8s/references/do-dont-patterns.md +87 -0
- package/skills/deploy-k8s/references/examples-bad.md +282 -0
- package/skills/deploy-k8s/references/examples-good.md +440 -0
- package/skills/deploy-k8s/references/fragile-rollouts.md +303 -0
- package/skills/deploy-k8s/references/helm-patterns.md +203 -0
- package/skills/deploy-k8s/references/insecure-workload-defaults.md +300 -0
- package/skills/deploy-k8s/references/job-patterns.md +120 -0
- package/skills/deploy-k8s/references/kustomize-patterns.md +239 -0
- package/skills/deploy-k8s/references/multi-tenancy.md +343 -0
- package/skills/deploy-k8s/references/network-exposure.md +481 -0
- package/skills/deploy-k8s/references/observability.md +302 -0
- package/skills/deploy-k8s/references/privilege-sprawl.md +273 -0
- package/skills/deploy-k8s/references/resource-starvation.md +374 -0
- package/skills/deploy-k8s/references/security-hardening.md +209 -0
- package/skills/deploy-k8s/references/stateful-patterns.md +130 -0
- package/skills/deploy-k8s/references/storage-and-state.md +330 -0
- package/skills/deploy-k8s/references/validation-and-policy.md +242 -0
- package/skills/deploy-railway/SKILL.md +235 -0
- package/skills/deploy-railway/references/analyze-db-mongo.md +84 -0
- package/skills/deploy-railway/references/analyze-db-mysql.md +254 -0
- package/skills/deploy-railway/references/analyze-db-postgres.md +479 -0
- package/skills/deploy-railway/references/analyze-db-redis.md +208 -0
- package/skills/deploy-railway/references/analyze-db.md +344 -0
- package/skills/deploy-railway/references/configure.md +309 -0
- package/skills/deploy-railway/references/deploy.md +195 -0
- package/skills/deploy-railway/references/operate.md +214 -0
- package/skills/deploy-railway/references/request.md +248 -0
- package/skills/deploy-railway/references/setup.md +312 -0
- package/skills/deploy-railway/scripts/analyze-mongo.py +1549 -0
- package/skills/deploy-railway/scripts/analyze-mysql.py +1195 -0
- package/skills/deploy-railway/scripts/analyze-postgres.py +3058 -0
- package/skills/deploy-railway/scripts/analyze-redis.py +1090 -0
- package/skills/deploy-railway/scripts/dal.py +671 -0
- package/skills/deploy-railway/scripts/enable-pg-stats.py +170 -0
- package/skills/deploy-railway/scripts/pg-extensions.py +370 -0
- package/skills/deploy-railway/scripts/railway-api.sh +52 -0
- package/skills/deploy-ssh/SKILL.md +91 -0
- package/skills/deploy-vercel/SKILL.md +304 -0
- package/skills/deploy-vercel/resources/deploy-codex.sh +301 -0
- package/skills/deploy-vercel/resources/deploy.sh +301 -0
- package/skills/docs-runbooks/SKILL.md +399 -0
- package/skills/drive-status-renderer/SKILL.md +62 -0
- package/skills/iac-scan/SKILL.md +680 -0
- package/skills/iac-scan/assets/.gitkeep +9 -0
- package/skills/iac-scan/assets/checkov_config.yaml +94 -0
- package/skills/iac-scan/assets/github_actions.yml +199 -0
- package/skills/iac-scan/assets/gitlab_ci.yml +218 -0
- package/skills/iac-scan/assets/pre_commit_config.yaml +92 -0
- package/skills/iac-scan/references/EXAMPLE.md +40 -0
- package/skills/iac-scan/references/compliance_mapping.md +237 -0
- package/skills/iac-scan/references/custom_policies.md +460 -0
- package/skills/iac-scan/references/suppression_guide.md +431 -0
- package/skills/incident-briefing/SKILL.md +66 -0
- package/skills/incident-triage/SKILL.md +481 -0
- package/{LICENSE → skills/mcp-builder/LICENSE.txt} +15 -14
- package/skills/mcp-builder/SKILL.md +244 -0
- package/skills/mcp-builder/reference/evaluation.md +602 -0
- package/skills/mcp-builder/reference/mcp_best_practices.md +249 -0
- package/skills/mcp-builder/reference/node_mcp_server.md +970 -0
- package/skills/mcp-builder/reference/python_mcp_server.md +719 -0
- package/skills/mcp-builder/scripts/connections.py +151 -0
- package/skills/mcp-builder/scripts/evaluation.py +373 -0
- package/skills/mcp-builder/scripts/example_evaluation.xml +22 -0
- package/skills/mcp-builder/scripts/requirements.txt +2 -0
- package/skills/mobile-pairing/SKILL.md +52 -0
- package/skills/ops-sre/SKILL.md +297 -0
- package/skills/playwright-qa/LICENSE.txt +201 -0
- package/skills/playwright-qa/NOTICE.txt +14 -0
- package/skills/playwright-qa/SKILL.md +156 -0
- package/skills/playwright-qa/agents/openai.yaml +6 -0
- package/skills/playwright-qa/assets/playwright-small.svg +3 -0
- package/skills/playwright-qa/assets/playwright.png +0 -0
- package/skills/playwright-qa/references/cli.md +116 -0
- package/skills/playwright-qa/references/workflows.md +95 -0
- package/skills/playwright-qa/scripts/playwright_cli.sh +25 -0
- package/skills/release-publish/SKILL.md +85 -0
- package/skills/repo-bootstrap/SKILL.md +92 -0
- package/skills/repo-bootstrap/assets/example-workflows/validate-agents.yml +89 -0
- package/skills/repo-bootstrap/assets/root-thin.md +141 -0
- package/skills/repo-bootstrap/assets/root-verbose.md +149 -0
- package/skills/repo-bootstrap/assets/scoped/backend-go.md +107 -0
- package/skills/repo-bootstrap/assets/scoped/backend-php.md +94 -0
- package/skills/repo-bootstrap/assets/scoped/backend-python.md +84 -0
- package/skills/repo-bootstrap/assets/scoped/backend-typescript.md +89 -0
- package/skills/repo-bootstrap/assets/scoped/claude-code-skill.md +101 -0
- package/skills/repo-bootstrap/assets/scoped/cli.md +83 -0
- package/skills/repo-bootstrap/assets/scoped/concourse.md +196 -0
- package/skills/repo-bootstrap/assets/scoped/ddev.md +68 -0
- package/skills/repo-bootstrap/assets/scoped/docker.md +160 -0
- package/skills/repo-bootstrap/assets/scoped/documentation.md +98 -0
- package/skills/repo-bootstrap/assets/scoped/examples.md +96 -0
- package/skills/repo-bootstrap/assets/scoped/frontend-typescript.md +88 -0
- package/skills/repo-bootstrap/assets/scoped/github-actions.md +174 -0
- package/skills/repo-bootstrap/assets/scoped/gitlab-ci.md +174 -0
- package/skills/repo-bootstrap/assets/scoped/oro-bundle.md +209 -0
- package/skills/repo-bootstrap/assets/scoped/oro-project.md +170 -0
- package/skills/repo-bootstrap/assets/scoped/python-modern.md +170 -0
- package/skills/repo-bootstrap/assets/scoped/resources.md +96 -0
- package/skills/repo-bootstrap/assets/scoped/skill-repo.md +139 -0
- package/skills/repo-bootstrap/assets/scoped/symfony.md +168 -0
- package/skills/repo-bootstrap/assets/scoped/testing.md +87 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-docs.md +103 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-extension.md +133 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-project.md +137 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-testing.md +80 -0
- package/skills/repo-bootstrap/checkpoints.yaml +279 -0
- package/skills/repo-bootstrap/evals/evals.json +385 -0
- package/skills/repo-bootstrap/references/ai-contribution-guidelines.md +63 -0
- package/skills/repo-bootstrap/references/ai-tool-compatibility.md +223 -0
- package/skills/repo-bootstrap/references/directory-coverage.md +82 -0
- package/skills/repo-bootstrap/references/examples/coding-agent-cli/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/coding-agent-cli/go.mod +3 -0
- package/skills/repo-bootstrap/references/examples/coding-agent-cli/scripts-AGENTS.md +389 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/.env.example +13 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/AGENTS.md +91 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/package.json +33 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/pnpm-lock.yaml +3 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/AGENTS.md +91 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/config.ts +28 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/controllers/userController.ts +74 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/index.ts +26 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/middleware/errorHandler.ts +45 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/middleware/requestLogger.ts +18 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/routes/health.ts +18 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/routes/users.ts +13 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/utils/errors.ts +40 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/utils/logger.ts +14 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/tsconfig.json +24 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/.env.example +19 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/AGENTS.md +92 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/pyproject.toml +88 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/AGENTS.md +85 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/__init__.py +3 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/config.py +49 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/main.py +66 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/__init__.py +13 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/item.py +43 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/user.py +40 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/__init__.py +5 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/health.py +20 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/items.py +61 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/users.py +55 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/__init__.py +6 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/item_service.py +77 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/user_service.py +69 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/uv.lock +4 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/.scopes +3 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/AGENTS.md +86 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/admin/package.json +20 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/admin/src/App.tsx +5 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/cmd/api/main.go +7 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/go.mod +2 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/main.go +7 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/.scopes +3 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/AGENTS.md +89 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/go.mod +2 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/AGENTS.md +90 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/package.json +17 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/App.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Button.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Footer.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Header.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Sidebar.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/main.go +7 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/package-lock.json +0 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/package.json +12 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/go.mod +3 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/internal-AGENTS.md +371 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/internal-web-AGENTS.md +448 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/.scopes +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/AGENTS.md +91 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/composer.json +8 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/package.json +15 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/pnpm-lock.yaml +0 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/src/Controller.php +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/AGENTS.md +92 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/package.json +26 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/App.tsx +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Button.tsx +10 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Footer.tsx +9 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Header.tsx +9 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/main.tsx +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/tsconfig.json +13 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/AGENTS.md +75 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/package.json +7 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/packages/web/package.json +11 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/packages/web/src/index.ts +11 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/pnpm-lock.yaml +42 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/pnpm-workspace.yaml +2 -0
- package/skills/repo-bootstrap/references/examples/simple-ldap-go/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/simple-ldap-go/examples-AGENTS.md +45 -0
- package/skills/repo-bootstrap/references/examples/simple-ldap-go/go.mod +3 -0
- package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/Classes-AGENTS.md +392 -0
- package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/composer.json +8 -0
- package/skills/repo-bootstrap/references/feedback-memory-schema.md +135 -0
- package/skills/repo-bootstrap/references/git-hooks-setup.md +79 -0
- package/skills/repo-bootstrap/references/output-structure.md +124 -0
- package/skills/repo-bootstrap/references/scripts-guide.md +175 -0
- package/skills/repo-bootstrap/references/verification-guide.md +137 -0
- package/skills/repo-bootstrap/scripts/analyze-git-history.sh +315 -0
- package/skills/repo-bootstrap/scripts/check-freshness.sh +230 -0
- package/skills/repo-bootstrap/scripts/detect-golden-samples.sh +161 -0
- package/skills/repo-bootstrap/scripts/detect-heuristics.sh +93 -0
- package/skills/repo-bootstrap/scripts/detect-project.sh +486 -0
- package/skills/repo-bootstrap/scripts/detect-scopes.sh +330 -0
- package/skills/repo-bootstrap/scripts/detect-utilities.sh +133 -0
- package/skills/repo-bootstrap/scripts/extract-adrs.sh +194 -0
- package/skills/repo-bootstrap/scripts/extract-agent-configs.sh +331 -0
- package/skills/repo-bootstrap/scripts/extract-architecture-rules.sh +522 -0
- package/skills/repo-bootstrap/scripts/extract-ci-commands.sh +385 -0
- package/skills/repo-bootstrap/scripts/extract-ci-rules.sh +384 -0
- package/skills/repo-bootstrap/scripts/extract-commands.sh +358 -0
- package/skills/repo-bootstrap/scripts/extract-documentation.sh +308 -0
- package/skills/repo-bootstrap/scripts/extract-github-rulesets.sh +96 -0
- package/skills/repo-bootstrap/scripts/extract-github-settings.sh +88 -0
- package/skills/repo-bootstrap/scripts/extract-ide-settings.sh +228 -0
- package/skills/repo-bootstrap/scripts/extract-platform-files.sh +290 -0
- package/skills/repo-bootstrap/scripts/extract-quality-configs.sh +442 -0
- package/skills/repo-bootstrap/scripts/generate-agents.sh +2424 -0
- package/skills/repo-bootstrap/scripts/generate-file-map.sh +153 -0
- package/skills/repo-bootstrap/scripts/lib/config-root.sh +211 -0
- package/skills/repo-bootstrap/scripts/lib/summary.sh +244 -0
- package/skills/repo-bootstrap/scripts/lib/template.sh +397 -0
- package/skills/repo-bootstrap/scripts/validate-structure.sh +324 -0
- package/skills/repo-bootstrap/scripts/verify-commands.sh +615 -0
- package/skills/repo-bootstrap/scripts/verify-content.sh +302 -0
- package/skills/schema-api-contracts/SKILL.md +56 -0
- package/skills/secret-hygiene/SKILL.md +511 -0
- package/skills/secret-hygiene/assets/.gitkeep +9 -0
- package/skills/secret-hygiene/assets/config-balanced.toml +81 -0
- package/skills/secret-hygiene/assets/config-custom.toml +178 -0
- package/skills/secret-hygiene/assets/config-strict.toml +48 -0
- package/skills/secret-hygiene/assets/github-action.yml +181 -0
- package/skills/secret-hygiene/assets/gitlab-ci.yml +257 -0
- package/skills/secret-hygiene/assets/precommit-config.yaml +70 -0
- package/skills/secret-hygiene/references/EXAMPLE.md +40 -0
- package/skills/secret-hygiene/references/compliance_mapping.md +538 -0
- package/skills/secret-hygiene/references/detection_rules.md +276 -0
- package/skills/secret-hygiene/references/false_positives.md +598 -0
- package/skills/secret-hygiene/references/remediation_guide.md +530 -0
- package/skills/stack-selector/SKILL.md +56 -0
- package/skills/telegram-control/SKILL.md +110 -0
- package/skills/telegram-control/references/architecture.md +184 -0
- package/skills/telegram-control/references/convex.md +173 -0
- package/skills/telegram-control/references/error_handling.md +212 -0
- package/skills/telegram-control/references/initial_setup.md +165 -0
- package/skills/telegram-control/references/telegram_api.md +156 -0
- package/skills/telegram-control/scripts/cancel_message.ts +53 -0
- package/skills/telegram-control/scripts/list_scheduled.ts +103 -0
- package/skills/telegram-control/scripts/logger.ts +121 -0
- package/skills/telegram-control/scripts/proxy-util.ts +11 -0
- package/skills/telegram-control/scripts/schedule_message.ts +216 -0
- package/skills/telegram-control/scripts/send_message.ts +115 -0
- package/skills/telegram-control/scripts/setup.ts +185 -0
- package/skills/telegram-control/scripts/types.ts +75 -0
- package/skills/telegram-control/scripts/view_history.ts +74 -0
- package/skills/test-strategy/SKILL.md +352 -0
- package/skills/threat-model/SKILL.md +303 -0
- package/skills/threat-model/examples/example-output.md +196 -0
- package/skills/threat-model/template.md +96 -0
- package/skills/ts-lint/SKILL.md +80 -0
- package/skills/ui-flow/SKILL.md +668 -0
- package/skills/voice-command-router/SKILL.md +51 -0
- package/skills/widget-live-activity-sync/SKILL.md +66 -0
|
@@ -0,0 +1,343 @@
|
|
|
1
|
+
# Multi-Tenancy
|
|
2
|
+
|
|
3
|
+
**Directive:** When designing shared clusters, namespace isolation, or tenant boundaries, ALWAYS apply defense-in-depth: ResourceQuota, LimitRange, NetworkPolicy, RBAC, and Pod Security Admission per namespace. A namespace without quotas and network policies is an open door. Default security posture is PSS "restricted" profile.
|
|
4
|
+
|
|
5
|
+
## When to use
|
|
6
|
+
|
|
7
|
+
Consult this reference whenever the task involves:
|
|
8
|
+
- Designing namespace structure for a shared cluster
|
|
9
|
+
- Isolating teams, environments, or tenants within a single cluster
|
|
10
|
+
- Configuring resource quotas, limit ranges, or RBAC per namespace
|
|
11
|
+
- Deciding between namespace isolation and separate clusters
|
|
12
|
+
- Implementing hierarchical namespace patterns
|
|
13
|
+
|
|
14
|
+
---
|
|
15
|
+
|
|
16
|
+
## Namespace as the Primary Isolation Boundary
|
|
17
|
+
|
|
18
|
+
Namespaces are the fundamental unit of multi-tenancy in Kubernetes. Every isolation mechanism -- RBAC, NetworkPolicy, ResourceQuota, Pod Security Admission -- is scoped to namespaces. A well-configured namespace provides:
|
|
19
|
+
|
|
20
|
+
- **Resource isolation** via ResourceQuota and LimitRange
|
|
21
|
+
- **Network isolation** via default-deny NetworkPolicy
|
|
22
|
+
- **Security isolation** via Pod Security Admission labels
|
|
23
|
+
- **Access isolation** via namespace-scoped RBAC
|
|
24
|
+
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
## ResourceQuota per Namespace
|
|
28
|
+
|
|
29
|
+
Every tenant namespace MUST have a ResourceQuota. Without it, one tenant can consume all cluster resources:
|
|
30
|
+
|
|
31
|
+
```yaml
|
|
32
|
+
apiVersion: v1
|
|
33
|
+
kind: ResourceQuota
|
|
34
|
+
metadata:
|
|
35
|
+
name: tenant-alpha-quota
|
|
36
|
+
namespace: tenant-alpha
|
|
37
|
+
spec:
|
|
38
|
+
hard:
|
|
39
|
+
requests.cpu: "8"
|
|
40
|
+
requests.memory: 16Gi
|
|
41
|
+
limits.cpu: "16"
|
|
42
|
+
limits.memory: 32Gi
|
|
43
|
+
pods: "50"
|
|
44
|
+
services: "20"
|
|
45
|
+
persistentvolumeclaims: "10"
|
|
46
|
+
secrets: "50"
|
|
47
|
+
configmaps: "50"
|
|
48
|
+
services.loadbalancers: "2"
|
|
49
|
+
services.nodeports: "0" # disallow NodePort in shared clusters
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
When a ResourceQuota exists in a namespace, every Pod in that namespace MUST specify resource `requests` and `limits`, or admission is rejected. Use LimitRange to provide defaults.
|
|
53
|
+
|
|
54
|
+
---
|
|
55
|
+
|
|
56
|
+
## LimitRange per Namespace
|
|
57
|
+
|
|
58
|
+
LimitRange sets defaults and bounds so that individual pods cannot claim disproportionate resources:
|
|
59
|
+
|
|
60
|
+
```yaml
|
|
61
|
+
apiVersion: v1
|
|
62
|
+
kind: LimitRange
|
|
63
|
+
metadata:
|
|
64
|
+
name: tenant-alpha-limits
|
|
65
|
+
namespace: tenant-alpha
|
|
66
|
+
spec:
|
|
67
|
+
limits:
|
|
68
|
+
- type: Container
|
|
69
|
+
default:
|
|
70
|
+
cpu: 500m
|
|
71
|
+
memory: 256Mi
|
|
72
|
+
defaultRequest:
|
|
73
|
+
cpu: 100m
|
|
74
|
+
memory: 128Mi
|
|
75
|
+
max:
|
|
76
|
+
cpu: "4"
|
|
77
|
+
memory: 8Gi
|
|
78
|
+
min:
|
|
79
|
+
cpu: 50m
|
|
80
|
+
memory: 64Mi
|
|
81
|
+
- type: PersistentVolumeClaim
|
|
82
|
+
max:
|
|
83
|
+
storage: 50Gi
|
|
84
|
+
min:
|
|
85
|
+
storage: 1Gi
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
---
|
|
89
|
+
|
|
90
|
+
## NetworkPolicy for Inter-Namespace Isolation
|
|
91
|
+
|
|
92
|
+
Apply a default-deny ingress and egress policy to every tenant namespace. Then selectively allow required traffic:
|
|
93
|
+
|
|
94
|
+
```yaml
|
|
95
|
+
# Default deny all ingress and egress
|
|
96
|
+
apiVersion: networking.k8s.io/v1
|
|
97
|
+
kind: NetworkPolicy
|
|
98
|
+
metadata:
|
|
99
|
+
name: default-deny-all
|
|
100
|
+
namespace: tenant-alpha
|
|
101
|
+
spec:
|
|
102
|
+
podSelector: {}
|
|
103
|
+
policyTypes:
|
|
104
|
+
- Ingress
|
|
105
|
+
- Egress
|
|
106
|
+
---
|
|
107
|
+
# Allow DNS resolution (required for almost all workloads)
|
|
108
|
+
apiVersion: networking.k8s.io/v1
|
|
109
|
+
kind: NetworkPolicy
|
|
110
|
+
metadata:
|
|
111
|
+
name: allow-dns
|
|
112
|
+
namespace: tenant-alpha
|
|
113
|
+
spec:
|
|
114
|
+
podSelector: {}
|
|
115
|
+
policyTypes:
|
|
116
|
+
- Egress
|
|
117
|
+
egress:
|
|
118
|
+
- to:
|
|
119
|
+
- namespaceSelector:
|
|
120
|
+
matchLabels:
|
|
121
|
+
kubernetes.io/metadata.name: kube-system
|
|
122
|
+
ports:
|
|
123
|
+
- protocol: UDP
|
|
124
|
+
port: 53
|
|
125
|
+
- protocol: TCP
|
|
126
|
+
port: 53
|
|
127
|
+
---
|
|
128
|
+
# Allow intra-namespace communication
|
|
129
|
+
apiVersion: networking.k8s.io/v1
|
|
130
|
+
kind: NetworkPolicy
|
|
131
|
+
metadata:
|
|
132
|
+
name: allow-same-namespace
|
|
133
|
+
namespace: tenant-alpha
|
|
134
|
+
spec:
|
|
135
|
+
podSelector: {}
|
|
136
|
+
policyTypes:
|
|
137
|
+
- Ingress
|
|
138
|
+
- Egress
|
|
139
|
+
ingress:
|
|
140
|
+
- from:
|
|
141
|
+
- podSelector: {}
|
|
142
|
+
egress:
|
|
143
|
+
- to:
|
|
144
|
+
- podSelector: {}
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
See **network-exposure.md** for detailed NetworkPolicy patterns.
|
|
148
|
+
|
|
149
|
+
---
|
|
150
|
+
|
|
151
|
+
## RBAC Scoping
|
|
152
|
+
|
|
153
|
+
Use namespace-scoped `Role` and `RoleBinding` over `ClusterRole` and `ClusterRoleBinding`:
|
|
154
|
+
|
|
155
|
+
```yaml
|
|
156
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
|
157
|
+
kind: Role
|
|
158
|
+
metadata:
|
|
159
|
+
name: tenant-alpha-developer
|
|
160
|
+
namespace: tenant-alpha
|
|
161
|
+
rules:
|
|
162
|
+
- apiGroups: ["", "apps", "batch"]
|
|
163
|
+
resources: ["deployments", "services", "pods", "jobs", "configmaps"]
|
|
164
|
+
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|
165
|
+
- apiGroups: [""]
|
|
166
|
+
resources: ["secrets"]
|
|
167
|
+
verbs: ["get", "list"] # read-only for secrets
|
|
168
|
+
---
|
|
169
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
|
170
|
+
kind: RoleBinding
|
|
171
|
+
metadata:
|
|
172
|
+
name: tenant-alpha-developers
|
|
173
|
+
namespace: tenant-alpha
|
|
174
|
+
subjects:
|
|
175
|
+
- kind: Group
|
|
176
|
+
name: team-alpha
|
|
177
|
+
apiGroup: rbac.authorization.k8s.io
|
|
178
|
+
roleRef:
|
|
179
|
+
kind: Role
|
|
180
|
+
name: tenant-alpha-developer
|
|
181
|
+
apiGroup: rbac.authorization.k8s.io
|
|
182
|
+
```
|
|
183
|
+
|
|
184
|
+
See **privilege-sprawl.md** for detailed RBAC patterns and anti-patterns.
|
|
185
|
+
|
|
186
|
+
---
|
|
187
|
+
|
|
188
|
+
## Pod Security Admission per Namespace
|
|
189
|
+
|
|
190
|
+
Every tenant namespace MUST have PSA labels. See **insecure-workload-defaults.md** for the full security context requirements:
|
|
191
|
+
|
|
192
|
+
```yaml
|
|
193
|
+
labels:
|
|
194
|
+
pod-security.kubernetes.io/enforce: restricted
|
|
195
|
+
pod-security.kubernetes.io/audit: restricted
|
|
196
|
+
pod-security.kubernetes.io/warn: restricted
|
|
197
|
+
```
|
|
198
|
+
|
|
199
|
+
---
|
|
200
|
+
|
|
201
|
+
## Hierarchical Namespaces (HNC)
|
|
202
|
+
|
|
203
|
+
For organizations with team-of-teams structures, the Hierarchical Namespace Controller propagates policies from parent to child namespaces:
|
|
204
|
+
|
|
205
|
+
```yaml
|
|
206
|
+
# Parent namespace defines shared policies
|
|
207
|
+
apiVersion: hnc.x-k8s.io/v1alpha2
|
|
208
|
+
kind: HierarchyConfiguration
|
|
209
|
+
metadata:
|
|
210
|
+
name: hierarchy
|
|
211
|
+
namespace: platform-team
|
|
212
|
+
spec:
|
|
213
|
+
children:
|
|
214
|
+
- tenant-alpha
|
|
215
|
+
- tenant-beta
|
|
216
|
+
```
|
|
217
|
+
|
|
218
|
+
NetworkPolicies, ResourceQuotas, and RBAC Roles in the parent namespace are inherited by children. This avoids duplicating boilerplate across dozens of tenant namespaces.
|
|
219
|
+
|
|
220
|
+
---
|
|
221
|
+
|
|
222
|
+
## Service Account Isolation
|
|
223
|
+
|
|
224
|
+
Each namespace should have dedicated service accounts. Never share service accounts across namespaces:
|
|
225
|
+
|
|
226
|
+
```yaml
|
|
227
|
+
apiVersion: v1
|
|
228
|
+
kind: ServiceAccount
|
|
229
|
+
metadata:
|
|
230
|
+
name: order-service
|
|
231
|
+
namespace: tenant-alpha
|
|
232
|
+
automountServiceAccountToken: false # opt-in, not opt-out
|
|
233
|
+
```
|
|
234
|
+
|
|
235
|
+
Workloads that need API access should use Bound Service Account Token Volumes with audience and expiry, not legacy static tokens.
|
|
236
|
+
|
|
237
|
+
---
|
|
238
|
+
|
|
239
|
+
## Naming Conventions
|
|
240
|
+
|
|
241
|
+
| Pattern | Example | Use when |
|
|
242
|
+
|---|---|---|
|
|
243
|
+
| `{env}-{service}` | `prod-payments`, `staging-orders` | Environment-based isolation |
|
|
244
|
+
| `{team}-{service}` | `platform-monitoring`, `alpha-api` | Team-based multi-tenancy |
|
|
245
|
+
| `{tenant}-{env}` | `acme-prod`, `acme-staging` | External multi-tenancy (SaaS) |
|
|
246
|
+
|
|
247
|
+
Consistency matters more than the specific pattern. Pick one and enforce it with admission webhooks.
|
|
248
|
+
|
|
249
|
+
---
|
|
250
|
+
|
|
251
|
+
## What Namespaces Do NOT Isolate
|
|
252
|
+
|
|
253
|
+
Namespaces are a soft boundary. They do NOT provide:
|
|
254
|
+
|
|
255
|
+
- **Node-level isolation:** Pods from different namespaces share the same node kernel, CPU, memory, and disk. A noisy neighbor or kernel exploit affects all tenants on that node. Use taints/tolerations or node pools for hard isolation.
|
|
256
|
+
- **Cluster-scoped resources:** ClusterRoles, ClusterRoleBindings, CustomResourceDefinitions, PersistentVolumes, and Nodes are visible cluster-wide.
|
|
257
|
+
- **Kernel and container runtime:** A container escape reaches the host regardless of namespace. Sandboxed runtimes (gVisor, Kata Containers) provide stronger boundaries.
|
|
258
|
+
- **Network without NetworkPolicy:** By default, all pods in all namespaces can communicate freely. NetworkPolicy is not applied until you create one.
|
|
259
|
+
|
|
260
|
+
---
|
|
261
|
+
|
|
262
|
+
## When to Use Separate Clusters vs Namespaces
|
|
263
|
+
|
|
264
|
+
| Criteria | Namespaces | Separate clusters |
|
|
265
|
+
|---|---|---|
|
|
266
|
+
| Blast radius tolerance | Acceptable shared risk | Zero tolerance for cross-tenant impact |
|
|
267
|
+
| Compliance requirements | Same compliance domain | Different regulatory requirements (PCI vs non-PCI) |
|
|
268
|
+
| Kubernetes version needs | Same version acceptable | Tenants need different versions |
|
|
269
|
+
| Cost sensitivity | Lower cost (shared control plane) | Higher cost, stronger isolation |
|
|
270
|
+
| Noisy neighbor risk | Acceptable with quotas | Unacceptable (latency-sensitive workloads) |
|
|
271
|
+
|
|
272
|
+
Rule of thumb: use namespaces for internal teams in the same trust domain. Use separate clusters when tenants are external customers or have different compliance requirements.
|
|
273
|
+
|
|
274
|
+
---
|
|
275
|
+
|
|
276
|
+
## GOOD: Complete Tenant Namespace Setup
|
|
277
|
+
|
|
278
|
+
```yaml
|
|
279
|
+
apiVersion: v1
|
|
280
|
+
kind: Namespace
|
|
281
|
+
metadata:
|
|
282
|
+
name: tenant-alpha
|
|
283
|
+
labels:
|
|
284
|
+
pod-security.kubernetes.io/enforce: restricted
|
|
285
|
+
pod-security.kubernetes.io/audit: restricted
|
|
286
|
+
pod-security.kubernetes.io/warn: restricted
|
|
287
|
+
tenant: alpha
|
|
288
|
+
cost-center: eng-alpha
|
|
289
|
+
---
|
|
290
|
+
apiVersion: v1
|
|
291
|
+
kind: ResourceQuota
|
|
292
|
+
metadata:
|
|
293
|
+
name: compute-quota
|
|
294
|
+
namespace: tenant-alpha
|
|
295
|
+
spec:
|
|
296
|
+
hard:
|
|
297
|
+
requests.cpu: "8"
|
|
298
|
+
requests.memory: 16Gi
|
|
299
|
+
limits.memory: 32Gi
|
|
300
|
+
pods: "40"
|
|
301
|
+
persistentvolumeclaims: "10"
|
|
302
|
+
---
|
|
303
|
+
apiVersion: v1
|
|
304
|
+
kind: LimitRange
|
|
305
|
+
metadata:
|
|
306
|
+
name: default-limits
|
|
307
|
+
namespace: tenant-alpha
|
|
308
|
+
spec:
|
|
309
|
+
limits:
|
|
310
|
+
- type: Container
|
|
311
|
+
default:
|
|
312
|
+
cpu: 500m
|
|
313
|
+
memory: 256Mi
|
|
314
|
+
defaultRequest:
|
|
315
|
+
cpu: 100m
|
|
316
|
+
memory: 128Mi
|
|
317
|
+
---
|
|
318
|
+
apiVersion: networking.k8s.io/v1
|
|
319
|
+
kind: NetworkPolicy
|
|
320
|
+
metadata:
|
|
321
|
+
name: default-deny-all
|
|
322
|
+
namespace: tenant-alpha
|
|
323
|
+
spec:
|
|
324
|
+
podSelector: {}
|
|
325
|
+
policyTypes:
|
|
326
|
+
- Ingress
|
|
327
|
+
- Egress
|
|
328
|
+
```
|
|
329
|
+
|
|
330
|
+
---
|
|
331
|
+
|
|
332
|
+
## LLM Mistake Checklist
|
|
333
|
+
|
|
334
|
+
Before finalizing any multi-tenant namespace configuration, verify each item:
|
|
335
|
+
|
|
336
|
+
- [ ] **ResourceQuota** is present in the namespace -- a namespace without quotas is unbounded.
|
|
337
|
+
- [ ] **LimitRange** provides default requests/limits so pods without explicit resources are not rejected by quota enforcement.
|
|
338
|
+
- [ ] **Default-deny NetworkPolicy** exists -- namespaces without NetworkPolicy allow all traffic by default.
|
|
339
|
+
- [ ] **DNS egress is allowed** in the NetworkPolicy -- forgetting this breaks all service discovery.
|
|
340
|
+
- [ ] **RBAC uses namespace-scoped Role**, not ClusterRole, unless cluster-wide access is explicitly needed.
|
|
341
|
+
- [ ] **PSA labels are set** on the namespace with all three modes (enforce, audit, warn).
|
|
342
|
+
- [ ] **Service accounts are per-namespace** with `automountServiceAccountToken: false` as default.
|
|
343
|
+
- [ ] **NodePort services are restricted** via ResourceQuota (`services.nodeports: "0"`) in shared clusters to prevent port conflicts.
|