@synapta/skills 0.1.0 → 0.1.2
- package/dist/index.js +11 -4
- package/package.json +3 -4
- package/skills/ATTRIBUTION.md +80 -0
- package/skills/accessibility-audit/SKILL.md +325 -0
- package/skills/accessibility-audit/reference/wcag-checklist.md +103 -0
- package/skills/apns-notifier/SKILL.md +86 -0
- package/skills/approval-policy-enforcer/SKILL.md +66 -0
- package/skills/apps-sdk-builder/LICENSE.txt +201 -0
- package/skills/apps-sdk-builder/SKILL.md +328 -0
- package/skills/apps-sdk-builder/agents/openai.yaml +13 -0
- package/skills/apps-sdk-builder/references/app-archetypes.md +132 -0
- package/skills/apps-sdk-builder/references/apps-sdk-docs-workflow.md +135 -0
- package/skills/apps-sdk-builder/references/interactive-state-sync-patterns.md +113 -0
- package/skills/apps-sdk-builder/references/repo-contract-and-validation.md +93 -0
- package/skills/apps-sdk-builder/references/search-fetch-standard.md +67 -0
- package/skills/apps-sdk-builder/references/upstream-example-workflow.md +79 -0
- package/skills/apps-sdk-builder/references/window-openai-patterns.md +79 -0
- package/skills/apps-sdk-builder/scripts/scaffold_node_ext_apps.mjs +606 -0
- package/skills/architecture-selector/SKILL.md +64 -0
- package/skills/backlog-planner/SKILL.md +68 -0
- package/skills/carplay-entitlement-checker/SKILL.md +82 -0
- package/skills/concept-discovery/SKILL.md +517 -0
- package/skills/concept-discovery/assets/sample-analysis.json +81 -0
- package/skills/concept-discovery/expected_outputs/sample-enum-dictionary.md +25 -0
- package/skills/concept-discovery/expected_outputs/sample-page-user-list.md +83 -0
- package/skills/concept-discovery/expected_outputs/sample-prd-readme.md +43 -0
- package/skills/concept-discovery/references/framework-patterns.md +228 -0
- package/skills/concept-discovery/references/prd-quality-checklist.md +65 -0
- package/skills/concept-discovery/scripts/codebase_analyzer.py +732 -0
- package/skills/concept-discovery/scripts/prd_scaffolder.py +435 -0
- package/skills/dast-zap/SKILL.md +453 -0
- package/skills/dast-zap/assets/.gitkeep +9 -0
- package/skills/dast-zap/assets/github_action.yml +207 -0
- package/skills/dast-zap/assets/gitlab_ci.yml +226 -0
- package/skills/dast-zap/assets/zap_automation.yaml +196 -0
- package/skills/dast-zap/assets/zap_context.xml +192 -0
- package/skills/dast-zap/references/EXAMPLE.md +40 -0
- package/skills/dast-zap/references/api_testing_guide.md +475 -0
- package/skills/dast-zap/references/authentication_guide.md +431 -0
- package/skills/dast-zap/references/false_positive_handling.md +427 -0
- package/skills/dast-zap/references/owasp_mapping.md +255 -0
- package/skills/dep-sbom-scan/SKILL.md +466 -0
- package/skills/deploy-cloudflare/SKILL.md +930 -0
- package/skills/deploy-docker/SKILL.md +55 -0
- package/skills/deploy-fly/SKILL.md +228 -0
- package/skills/deploy-k8s/SKILL.md +108 -0
- package/skills/deploy-k8s/assets/logo.png +0 -0
- package/skills/deploy-k8s/docs/README.md +29 -0
- package/skills/deploy-k8s/docs/SUMMARY.md +56 -0
- package/skills/deploy-k8s/docs/advanced/token-efficiency.md +61 -0
- package/skills/deploy-k8s/docs/architecture/multi-tenancy.md +96 -0
- package/skills/deploy-k8s/docs/architecture/storage-and-state.md +102 -0
- package/skills/deploy-k8s/docs/architecture/workload-patterns.md +87 -0
- package/skills/deploy-k8s/docs/book.json +16 -0
- package/skills/deploy-k8s/docs/community/changelog.md +34 -0
- package/skills/deploy-k8s/docs/community/contributing.md +67 -0
- package/skills/deploy-k8s/docs/core-concepts/failure-modes.md +153 -0
- package/skills/deploy-k8s/docs/core-concepts/philosophy.md +83 -0
- package/skills/deploy-k8s/docs/core-concepts/workflow.md +124 -0
- package/skills/deploy-k8s/docs/examples/bad-patterns.md +47 -0
- package/skills/deploy-k8s/docs/examples/do-dont-checklist.md +37 -0
- package/skills/deploy-k8s/docs/examples/good-patterns.md +49 -0
- package/skills/deploy-k8s/docs/failure-modes/api-drift.md +104 -0
- package/skills/deploy-k8s/docs/failure-modes/fragile-rollouts.md +99 -0
- package/skills/deploy-k8s/docs/failure-modes/insecure-workload-defaults.md +80 -0
- package/skills/deploy-k8s/docs/failure-modes/network-exposure.md +98 -0
- package/skills/deploy-k8s/docs/failure-modes/privilege-sprawl.md +91 -0
- package/skills/deploy-k8s/docs/failure-modes/resource-starvation.md +85 -0
- package/skills/deploy-k8s/docs/getting-started/installation.md +152 -0
- package/skills/deploy-k8s/docs/getting-started/quick-start.md +115 -0
- package/skills/deploy-k8s/docs/guides/helm-patterns.md +71 -0
- package/skills/deploy-k8s/docs/guides/kustomize-patterns.md +65 -0
- package/skills/deploy-k8s/docs/guides/observability.md +67 -0
- package/skills/deploy-k8s/docs/guides/security-hardening.md +59 -0
- package/skills/deploy-k8s/docs/guides/validation-and-policy.md +66 -0
- package/skills/deploy-k8s/docs/integrations/mcp-integration.md +52 -0
- package/skills/deploy-k8s/docs/package-lock.json +2892 -0
- package/skills/deploy-k8s/docs/package.json +13 -0
- package/skills/deploy-k8s/references/api-drift.md +298 -0
- package/skills/deploy-k8s/references/conditional/aks-patterns.md +70 -0
- package/skills/deploy-k8s/references/conditional/eks-patterns.md +79 -0
- package/skills/deploy-k8s/references/conditional/gitops-controllers.md +71 -0
- package/skills/deploy-k8s/references/conditional/gke-patterns.md +74 -0
- package/skills/deploy-k8s/references/conditional/observability-stacks.md +80 -0
- package/skills/deploy-k8s/references/conditional/openshift-patterns.md +67 -0
- package/skills/deploy-k8s/references/daemonset-operator-patterns.md +155 -0
- package/skills/deploy-k8s/references/deployment-patterns.md +146 -0
- package/skills/deploy-k8s/references/do-dont-patterns.md +87 -0
- package/skills/deploy-k8s/references/examples-bad.md +282 -0
- package/skills/deploy-k8s/references/examples-good.md +440 -0
- package/skills/deploy-k8s/references/fragile-rollouts.md +303 -0
- package/skills/deploy-k8s/references/helm-patterns.md +203 -0
- package/skills/deploy-k8s/references/insecure-workload-defaults.md +300 -0
- package/skills/deploy-k8s/references/job-patterns.md +120 -0
- package/skills/deploy-k8s/references/kustomize-patterns.md +239 -0
- package/skills/deploy-k8s/references/multi-tenancy.md +343 -0
- package/skills/deploy-k8s/references/network-exposure.md +481 -0
- package/skills/deploy-k8s/references/observability.md +302 -0
- package/skills/deploy-k8s/references/privilege-sprawl.md +273 -0
- package/skills/deploy-k8s/references/resource-starvation.md +374 -0
- package/skills/deploy-k8s/references/security-hardening.md +209 -0
- package/skills/deploy-k8s/references/stateful-patterns.md +130 -0
- package/skills/deploy-k8s/references/storage-and-state.md +330 -0
- package/skills/deploy-k8s/references/validation-and-policy.md +242 -0
- package/skills/deploy-railway/SKILL.md +235 -0
- package/skills/deploy-railway/references/analyze-db-mongo.md +84 -0
- package/skills/deploy-railway/references/analyze-db-mysql.md +254 -0
- package/skills/deploy-railway/references/analyze-db-postgres.md +479 -0
- package/skills/deploy-railway/references/analyze-db-redis.md +208 -0
- package/skills/deploy-railway/references/analyze-db.md +344 -0
- package/skills/deploy-railway/references/configure.md +309 -0
- package/skills/deploy-railway/references/deploy.md +195 -0
- package/skills/deploy-railway/references/operate.md +214 -0
- package/skills/deploy-railway/references/request.md +248 -0
- package/skills/deploy-railway/references/setup.md +312 -0
- package/skills/deploy-railway/scripts/analyze-mongo.py +1549 -0
- package/skills/deploy-railway/scripts/analyze-mysql.py +1195 -0
- package/skills/deploy-railway/scripts/analyze-postgres.py +3058 -0
- package/skills/deploy-railway/scripts/analyze-redis.py +1090 -0
- package/skills/deploy-railway/scripts/dal.py +671 -0
- package/skills/deploy-railway/scripts/enable-pg-stats.py +170 -0
- package/skills/deploy-railway/scripts/pg-extensions.py +370 -0
- package/skills/deploy-railway/scripts/railway-api.sh +52 -0
- package/skills/deploy-ssh/SKILL.md +91 -0
- package/skills/deploy-vercel/SKILL.md +304 -0
- package/skills/deploy-vercel/resources/deploy-codex.sh +301 -0
- package/skills/deploy-vercel/resources/deploy.sh +301 -0
- package/skills/docs-runbooks/SKILL.md +399 -0
- package/skills/drive-status-renderer/SKILL.md +62 -0
- package/skills/iac-scan/SKILL.md +680 -0
- package/skills/iac-scan/assets/.gitkeep +9 -0
- package/skills/iac-scan/assets/checkov_config.yaml +94 -0
- package/skills/iac-scan/assets/github_actions.yml +199 -0
- package/skills/iac-scan/assets/gitlab_ci.yml +218 -0
- package/skills/iac-scan/assets/pre_commit_config.yaml +92 -0
- package/skills/iac-scan/references/EXAMPLE.md +40 -0
- package/skills/iac-scan/references/compliance_mapping.md +237 -0
- package/skills/iac-scan/references/custom_policies.md +460 -0
- package/skills/iac-scan/references/suppression_guide.md +431 -0
- package/skills/incident-briefing/SKILL.md +66 -0
- package/skills/incident-triage/SKILL.md +481 -0
- package/{LICENSE → skills/mcp-builder/LICENSE.txt} +15 -14
- package/skills/mcp-builder/SKILL.md +244 -0
- package/skills/mcp-builder/reference/evaluation.md +602 -0
- package/skills/mcp-builder/reference/mcp_best_practices.md +249 -0
- package/skills/mcp-builder/reference/node_mcp_server.md +970 -0
- package/skills/mcp-builder/reference/python_mcp_server.md +719 -0
- package/skills/mcp-builder/scripts/connections.py +151 -0
- package/skills/mcp-builder/scripts/evaluation.py +373 -0
- package/skills/mcp-builder/scripts/example_evaluation.xml +22 -0
- package/skills/mcp-builder/scripts/requirements.txt +2 -0
- package/skills/mobile-pairing/SKILL.md +52 -0
- package/skills/ops-sre/SKILL.md +297 -0
- package/skills/playwright-qa/LICENSE.txt +201 -0
- package/skills/playwright-qa/NOTICE.txt +14 -0
- package/skills/playwright-qa/SKILL.md +156 -0
- package/skills/playwright-qa/agents/openai.yaml +6 -0
- package/skills/playwright-qa/assets/playwright-small.svg +3 -0
- package/skills/playwright-qa/assets/playwright.png +0 -0
- package/skills/playwright-qa/references/cli.md +116 -0
- package/skills/playwright-qa/references/workflows.md +95 -0
- package/skills/playwright-qa/scripts/playwright_cli.sh +25 -0
- package/skills/release-publish/SKILL.md +85 -0
- package/skills/repo-bootstrap/SKILL.md +92 -0
- package/skills/repo-bootstrap/assets/example-workflows/validate-agents.yml +89 -0
- package/skills/repo-bootstrap/assets/root-thin.md +141 -0
- package/skills/repo-bootstrap/assets/root-verbose.md +149 -0
- package/skills/repo-bootstrap/assets/scoped/backend-go.md +107 -0
- package/skills/repo-bootstrap/assets/scoped/backend-php.md +94 -0
- package/skills/repo-bootstrap/assets/scoped/backend-python.md +84 -0
- package/skills/repo-bootstrap/assets/scoped/backend-typescript.md +89 -0
- package/skills/repo-bootstrap/assets/scoped/claude-code-skill.md +101 -0
- package/skills/repo-bootstrap/assets/scoped/cli.md +83 -0
- package/skills/repo-bootstrap/assets/scoped/concourse.md +196 -0
- package/skills/repo-bootstrap/assets/scoped/ddev.md +68 -0
- package/skills/repo-bootstrap/assets/scoped/docker.md +160 -0
- package/skills/repo-bootstrap/assets/scoped/documentation.md +98 -0
- package/skills/repo-bootstrap/assets/scoped/examples.md +96 -0
- package/skills/repo-bootstrap/assets/scoped/frontend-typescript.md +88 -0
- package/skills/repo-bootstrap/assets/scoped/github-actions.md +174 -0
- package/skills/repo-bootstrap/assets/scoped/gitlab-ci.md +174 -0
- package/skills/repo-bootstrap/assets/scoped/oro-bundle.md +209 -0
- package/skills/repo-bootstrap/assets/scoped/oro-project.md +170 -0
- package/skills/repo-bootstrap/assets/scoped/python-modern.md +170 -0
- package/skills/repo-bootstrap/assets/scoped/resources.md +96 -0
- package/skills/repo-bootstrap/assets/scoped/skill-repo.md +139 -0
- package/skills/repo-bootstrap/assets/scoped/symfony.md +168 -0
- package/skills/repo-bootstrap/assets/scoped/testing.md +87 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-docs.md +103 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-extension.md +133 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-project.md +137 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-testing.md +80 -0
- package/skills/repo-bootstrap/checkpoints.yaml +279 -0
- package/skills/repo-bootstrap/evals/evals.json +385 -0
- package/skills/repo-bootstrap/references/ai-contribution-guidelines.md +63 -0
- package/skills/repo-bootstrap/references/ai-tool-compatibility.md +223 -0
- package/skills/repo-bootstrap/references/directory-coverage.md +82 -0
- package/skills/repo-bootstrap/references/examples/coding-agent-cli/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/coding-agent-cli/go.mod +3 -0
- package/skills/repo-bootstrap/references/examples/coding-agent-cli/scripts-AGENTS.md +389 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/.env.example +13 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/AGENTS.md +91 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/package.json +33 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/pnpm-lock.yaml +3 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/AGENTS.md +91 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/config.ts +28 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/controllers/userController.ts +74 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/index.ts +26 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/middleware/errorHandler.ts +45 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/middleware/requestLogger.ts +18 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/routes/health.ts +18 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/routes/users.ts +13 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/utils/errors.ts +40 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/utils/logger.ts +14 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/tsconfig.json +24 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/.env.example +19 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/AGENTS.md +92 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/pyproject.toml +88 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/AGENTS.md +85 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/__init__.py +3 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/config.py +49 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/main.py +66 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/__init__.py +13 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/item.py +43 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/user.py +40 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/__init__.py +5 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/health.py +20 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/items.py +61 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/users.py +55 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/__init__.py +6 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/item_service.py +77 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/user_service.py +69 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/uv.lock +4 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/.scopes +3 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/AGENTS.md +86 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/admin/package.json +20 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/admin/src/App.tsx +5 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/cmd/api/main.go +7 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/go.mod +2 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/main.go +7 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/.scopes +3 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/AGENTS.md +89 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/go.mod +2 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/AGENTS.md +90 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/package.json +17 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/App.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Button.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Footer.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Header.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Sidebar.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/main.go +7 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/package-lock.json +0 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/package.json +12 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/go.mod +3 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/internal-AGENTS.md +371 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/internal-web-AGENTS.md +448 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/.scopes +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/AGENTS.md +91 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/composer.json +8 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/package.json +15 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/pnpm-lock.yaml +0 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/src/Controller.php +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/AGENTS.md +92 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/package.json +26 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/App.tsx +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Button.tsx +10 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Footer.tsx +9 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Header.tsx +9 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/main.tsx +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/tsconfig.json +13 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/AGENTS.md +75 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/package.json +7 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/packages/web/package.json +11 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/packages/web/src/index.ts +11 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/pnpm-lock.yaml +42 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/pnpm-workspace.yaml +2 -0
- package/skills/repo-bootstrap/references/examples/simple-ldap-go/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/simple-ldap-go/examples-AGENTS.md +45 -0
- package/skills/repo-bootstrap/references/examples/simple-ldap-go/go.mod +3 -0
- package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/Classes-AGENTS.md +392 -0
- package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/composer.json +8 -0
- package/skills/repo-bootstrap/references/feedback-memory-schema.md +135 -0
- package/skills/repo-bootstrap/references/git-hooks-setup.md +79 -0
- package/skills/repo-bootstrap/references/output-structure.md +124 -0
- package/skills/repo-bootstrap/references/scripts-guide.md +175 -0
- package/skills/repo-bootstrap/references/verification-guide.md +137 -0
- package/skills/repo-bootstrap/scripts/analyze-git-history.sh +315 -0
- package/skills/repo-bootstrap/scripts/check-freshness.sh +230 -0
- package/skills/repo-bootstrap/scripts/detect-golden-samples.sh +161 -0
- package/skills/repo-bootstrap/scripts/detect-heuristics.sh +93 -0
- package/skills/repo-bootstrap/scripts/detect-project.sh +486 -0
- package/skills/repo-bootstrap/scripts/detect-scopes.sh +330 -0
- package/skills/repo-bootstrap/scripts/detect-utilities.sh +133 -0
- package/skills/repo-bootstrap/scripts/extract-adrs.sh +194 -0
- package/skills/repo-bootstrap/scripts/extract-agent-configs.sh +331 -0
- package/skills/repo-bootstrap/scripts/extract-architecture-rules.sh +522 -0
- package/skills/repo-bootstrap/scripts/extract-ci-commands.sh +385 -0
- package/skills/repo-bootstrap/scripts/extract-ci-rules.sh +384 -0
- package/skills/repo-bootstrap/scripts/extract-commands.sh +358 -0
- package/skills/repo-bootstrap/scripts/extract-documentation.sh +308 -0
- package/skills/repo-bootstrap/scripts/extract-github-rulesets.sh +96 -0
- package/skills/repo-bootstrap/scripts/extract-github-settings.sh +88 -0
- package/skills/repo-bootstrap/scripts/extract-ide-settings.sh +228 -0
- package/skills/repo-bootstrap/scripts/extract-platform-files.sh +290 -0
- package/skills/repo-bootstrap/scripts/extract-quality-configs.sh +442 -0
- package/skills/repo-bootstrap/scripts/generate-agents.sh +2424 -0
- package/skills/repo-bootstrap/scripts/generate-file-map.sh +153 -0
- package/skills/repo-bootstrap/scripts/lib/config-root.sh +211 -0
- package/skills/repo-bootstrap/scripts/lib/summary.sh +244 -0
- package/skills/repo-bootstrap/scripts/lib/template.sh +397 -0
- package/skills/repo-bootstrap/scripts/validate-structure.sh +324 -0
- package/skills/repo-bootstrap/scripts/verify-commands.sh +615 -0
- package/skills/repo-bootstrap/scripts/verify-content.sh +302 -0
- package/skills/schema-api-contracts/SKILL.md +56 -0
- package/skills/secret-hygiene/SKILL.md +511 -0
- package/skills/secret-hygiene/assets/.gitkeep +9 -0
- package/skills/secret-hygiene/assets/config-balanced.toml +81 -0
- package/skills/secret-hygiene/assets/config-custom.toml +178 -0
- package/skills/secret-hygiene/assets/config-strict.toml +48 -0
- package/skills/secret-hygiene/assets/github-action.yml +181 -0
- package/skills/secret-hygiene/assets/gitlab-ci.yml +257 -0
- package/skills/secret-hygiene/assets/precommit-config.yaml +70 -0
- package/skills/secret-hygiene/references/EXAMPLE.md +40 -0
- package/skills/secret-hygiene/references/compliance_mapping.md +538 -0
- package/skills/secret-hygiene/references/detection_rules.md +276 -0
- package/skills/secret-hygiene/references/false_positives.md +598 -0
- package/skills/secret-hygiene/references/remediation_guide.md +530 -0
- package/skills/stack-selector/SKILL.md +56 -0
- package/skills/telegram-control/SKILL.md +110 -0
- package/skills/telegram-control/references/architecture.md +184 -0
- package/skills/telegram-control/references/convex.md +173 -0
- package/skills/telegram-control/references/error_handling.md +212 -0
- package/skills/telegram-control/references/initial_setup.md +165 -0
- package/skills/telegram-control/references/telegram_api.md +156 -0
- package/skills/telegram-control/scripts/cancel_message.ts +53 -0
- package/skills/telegram-control/scripts/list_scheduled.ts +103 -0
- package/skills/telegram-control/scripts/logger.ts +121 -0
- package/skills/telegram-control/scripts/proxy-util.ts +11 -0
- package/skills/telegram-control/scripts/schedule_message.ts +216 -0
- package/skills/telegram-control/scripts/send_message.ts +115 -0
- package/skills/telegram-control/scripts/setup.ts +185 -0
- package/skills/telegram-control/scripts/types.ts +75 -0
- package/skills/telegram-control/scripts/view_history.ts +74 -0
- package/skills/test-strategy/SKILL.md +352 -0
- package/skills/threat-model/SKILL.md +303 -0
- package/skills/threat-model/examples/example-output.md +196 -0
- package/skills/threat-model/template.md +96 -0
- package/skills/ts-lint/SKILL.md +80 -0
- package/skills/ui-flow/SKILL.md +668 -0
- package/skills/voice-command-router/SKILL.md +51 -0
- package/skills/widget-live-activity-sync/SKILL.md +66 -0
|
@@ -0,0 +1,481 @@
|
|
|
1
|
+
# Network Exposure
|
|
2
|
+
|
|
3
|
+
**USE THIS GUIDE** when generating or reviewing any Kubernetes networking resource:
|
|
4
|
+
Services, Ingress, Gateway, NetworkPolicy, or any manifest involving cross-pod communication.
|
|
5
|
+
Default posture: **deny all traffic** and explicitly allow only what is required.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## Symptoms
|
|
10
|
+
|
|
11
|
+
- **All pods can reach all pods**: default Kubernetes networking is flat and open.
|
|
12
|
+
- **Unexpected external exposure**: `NodePort` or `LoadBalancer` Service created without intent.
|
|
13
|
+
- **DNS resolution failures**: wrong Service name, missing namespace qualifier, ndots misconfiguration.
|
|
14
|
+
- **Silent routing to nothing**: Service selector does not match any pod labels; no error, just no backends.
|
|
15
|
+
- **Lateral movement after compromise**: attacker pivots freely between namespaces because no NetworkPolicy exists.
|
|
16
|
+
- **Ingress 404s or 502s**: path matching, backend Service name, or port mismatch.
|
|
17
|
+
- **Slow DNS**: excessive search domain lookups from default `ndots: 5` setting.
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
## Root Causes
|
|
22
|
+
|
|
23
|
+
1. Kubernetes has **no network segmentation by default** -- every pod can reach every other pod on any port.
|
|
24
|
+
2. LLMs generate `NodePort` and `LoadBalancer` Services when `ClusterIP` is sufficient.
|
|
25
|
+
3. Service `selector` labels silently fail when they do not match pod `labels` -- zero errors, zero traffic.
|
|
26
|
+
4. NetworkPolicies are additive (union of all policies), but **no policy means allow-all**, not deny-all.
|
|
27
|
+
5. Egress policies are forgotten -- ingress-only policies still allow unrestricted outbound traffic.
|
|
28
|
+
6. DNS resolution requires the full `<svc>.<ns>.svc.cluster.local` form for cross-namespace calls.
|
|
29
|
+
7. Ingress path matching semantics differ between `Exact`, `Prefix`, and regex-based controllers.
|
|
30
|
+
|
|
31
|
+
---
|
|
32
|
+
|
|
33
|
+
## Prevention Rules
|
|
34
|
+
|
|
35
|
+
### Default-Deny NetworkPolicy
|
|
36
|
+
|
|
37
|
+
Apply to every namespace before deploying any workload. Without this, all traffic is permitted.
|
|
38
|
+
|
|
39
|
+
```yaml
|
|
40
|
+
apiVersion: networking.k8s.io/v1
|
|
41
|
+
kind: NetworkPolicy
|
|
42
|
+
metadata:
|
|
43
|
+
name: default-deny-all
|
|
44
|
+
namespace: production
|
|
45
|
+
spec:
|
|
46
|
+
podSelector: {} # Matches ALL pods in the namespace
|
|
47
|
+
policyTypes:
|
|
48
|
+
- Ingress
|
|
49
|
+
- Egress
|
|
50
|
+
# No ingress or egress rules = deny everything
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
After applying default-deny, explicitly allow required traffic with additional policies.
|
|
54
|
+
|
|
55
|
+
### Allowing Specific Ingress Traffic
|
|
56
|
+
|
|
57
|
+
```yaml
|
|
58
|
+
apiVersion: networking.k8s.io/v1
|
|
59
|
+
kind: NetworkPolicy
|
|
60
|
+
metadata:
|
|
61
|
+
name: allow-api-ingress
|
|
62
|
+
namespace: production
|
|
63
|
+
spec:
|
|
64
|
+
podSelector:
|
|
65
|
+
matchLabels:
|
|
66
|
+
app: api-server
|
|
67
|
+
policyTypes:
|
|
68
|
+
- Ingress
|
|
69
|
+
ingress:
|
|
70
|
+
- from:
|
|
71
|
+
# Allow from pods in the same namespace with specific label
|
|
72
|
+
- podSelector:
|
|
73
|
+
matchLabels:
|
|
74
|
+
role: frontend
|
|
75
|
+
# Allow from pods in another namespace
|
|
76
|
+
- namespaceSelector:
|
|
77
|
+
matchLabels:
|
|
78
|
+
kubernetes.io/metadata.name: monitoring
|
|
79
|
+
podSelector:
|
|
80
|
+
matchLabels:
|
|
81
|
+
app: prometheus
|
|
82
|
+
ports:
|
|
83
|
+
- protocol: TCP
|
|
84
|
+
port: 8080
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
Important: `namespaceSelector` and `podSelector` in the same `from` entry are AND-ed.
|
|
88
|
+
Separate `from` entries are OR-ed. This is the most common NetworkPolicy mistake:
|
|
89
|
+
|
|
90
|
+
```yaml
|
|
91
|
+
# AND logic -- pods matching BOTH conditions:
|
|
92
|
+
ingress:
|
|
93
|
+
- from:
|
|
94
|
+
- namespaceSelector:
|
|
95
|
+
matchLabels:
|
|
96
|
+
env: staging
|
|
97
|
+
podSelector: # Same list item = AND
|
|
98
|
+
matchLabels:
|
|
99
|
+
app: client
|
|
100
|
+
|
|
101
|
+
# OR logic -- pods matching EITHER condition:
|
|
102
|
+
ingress:
|
|
103
|
+
- from:
|
|
104
|
+
- namespaceSelector:
|
|
105
|
+
matchLabels:
|
|
106
|
+
env: staging
|
|
107
|
+
- podSelector: # Separate list item = OR
|
|
108
|
+
matchLabels:
|
|
109
|
+
app: client
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
### Egress Policies: DNS, External APIs, Cross-Namespace
|
|
113
|
+
|
|
114
|
+
Always allow DNS (port 53) in egress policies or all name resolution breaks:
|
|
115
|
+
|
|
116
|
+
```yaml
|
|
117
|
+
apiVersion: networking.k8s.io/v1
|
|
118
|
+
kind: NetworkPolicy
|
|
119
|
+
metadata:
|
|
120
|
+
name: api-server-egress
|
|
121
|
+
namespace: production
|
|
122
|
+
spec:
|
|
123
|
+
podSelector:
|
|
124
|
+
matchLabels:
|
|
125
|
+
app: api-server
|
|
126
|
+
policyTypes:
|
|
127
|
+
- Egress
|
|
128
|
+
egress:
|
|
129
|
+
# Allow DNS resolution (kube-dns / CoreDNS)
|
|
130
|
+
- to:
|
|
131
|
+
- namespaceSelector:
|
|
132
|
+
matchLabels:
|
|
133
|
+
kubernetes.io/metadata.name: kube-system
|
|
134
|
+
ports:
|
|
135
|
+
- protocol: UDP
|
|
136
|
+
port: 53
|
|
137
|
+
- protocol: TCP
|
|
138
|
+
port: 53
|
|
139
|
+
# Allow traffic to the database in the same namespace
|
|
140
|
+
- to:
|
|
141
|
+
- podSelector:
|
|
142
|
+
matchLabels:
|
|
143
|
+
app: postgres
|
|
144
|
+
ports:
|
|
145
|
+
- protocol: TCP
|
|
146
|
+
port: 5432
|
|
147
|
+
# Allow HTTPS to external APIs (CIDR-based)
|
|
148
|
+
- to:
|
|
149
|
+
- ipBlock:
|
|
150
|
+
cidr: 0.0.0.0/0
|
|
151
|
+
except:
|
|
152
|
+
- 10.0.0.0/8
|
|
153
|
+
- 172.16.0.0/12
|
|
154
|
+
- 192.168.0.0/16
|
|
155
|
+
ports:
|
|
156
|
+
- protocol: TCP
|
|
157
|
+
port: 443
|
|
158
|
+
```
|
|
159
|
+
|
|
160
|
+
### Service Types
|
|
161
|
+
|
|
162
|
+
| Type | Exposure | When to use |
|
|
163
|
+
|----------------|-------------------|--------------------------------------------------|
|
|
164
|
+
| `ClusterIP` | Internal only | **Default.** All inter-service communication. |
|
|
165
|
+
| `NodePort` | Every node IP | Avoid in production. Debugging only. |
|
|
166
|
+
| `LoadBalancer` | External via LB | Only when direct external access is required. |
|
|
167
|
+
| `ExternalName` | DNS CNAME alias | Bridging to external services. No proxying. |
|
|
168
|
+
|
|
169
|
+
Always explicitly set `type: ClusterIP` rather than relying on the default -- it documents intent.
|
|
170
|
+
|
|
171
|
+
### Service Selector Matching: The Silent Failure
|
|
172
|
+
|
|
173
|
+
The number one networking debugging issue. Service `selector` must exactly match pod `labels`:
|
|
174
|
+
|
|
175
|
+
```yaml
|
|
176
|
+
# Deployment labels
|
|
177
|
+
template:
|
|
178
|
+
metadata:
|
|
179
|
+
labels:
|
|
180
|
+
app: api-server # <-- This label
|
|
181
|
+
version: v2
|
|
182
|
+
|
|
183
|
+
# Service selector -- MUST match
|
|
184
|
+
spec:
|
|
185
|
+
selector:
|
|
186
|
+
app: api-server # <-- Must be identical
|
|
187
|
+
# Do NOT include 'version: v2' unless you want to select only v2 pods
|
|
188
|
+
```
|
|
189
|
+
|
|
190
|
+
If the selector matches zero pods, the Service gets zero Endpoints. There is no error, no warning,
|
|
191
|
+
no log entry. Traffic simply vanishes. Always verify with `kubectl get endpoints <svc-name>`.
|
|
192
|
+
|
|
193
|
+
### Ingress and IngressClass
|
|
194
|
+
|
|
195
|
+
```yaml
|
|
196
|
+
apiVersion: networking.k8s.io/v1
|
|
197
|
+
kind: Ingress
|
|
198
|
+
metadata:
|
|
199
|
+
name: api-ingress
|
|
200
|
+
namespace: production
|
|
201
|
+
annotations:
|
|
202
|
+
# Controller-specific annotations (nginx example)
|
|
203
|
+
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
|
204
|
+
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
|
205
|
+
spec:
|
|
206
|
+
ingressClassName: nginx # Required -- do not omit
|
|
207
|
+
tls:
|
|
208
|
+
- hosts:
|
|
209
|
+
- api.example.com
|
|
210
|
+
secretName: api-tls-cert # Must exist as a TLS Secret in the same namespace
|
|
211
|
+
rules:
|
|
212
|
+
- host: api.example.com
|
|
213
|
+
http:
|
|
214
|
+
paths:
|
|
215
|
+
- path: /
|
|
216
|
+
pathType: Prefix # Prefix, Exact, or ImplementationSpecific
|
|
217
|
+
backend:
|
|
218
|
+
service:
|
|
219
|
+
name: api-server # Must match a Service in the same namespace
|
|
220
|
+
port:
|
|
221
|
+
number: 80 # Must match a port on the Service (not the pod)
|
|
222
|
+
```
|
|
223
|
+
|
|
224
|
+
### Gateway API (Modern Alternative to Ingress)
|
|
225
|
+
|
|
226
|
+
Gateway API provides richer routing, better role separation, and is the future direction:
|
|
227
|
+
|
|
228
|
+
```yaml
|
|
229
|
+
apiVersion: gateway.networking.k8s.io/v1
|
|
230
|
+
kind: HTTPRoute
|
|
231
|
+
metadata:
|
|
232
|
+
name: api-route
|
|
233
|
+
namespace: production
|
|
234
|
+
spec:
|
|
235
|
+
parentRefs:
|
|
236
|
+
- name: production-gateway
|
|
237
|
+
namespace: gateway-infra
|
|
238
|
+
hostnames:
|
|
239
|
+
- api.example.com
|
|
240
|
+
rules:
|
|
241
|
+
- matches:
|
|
242
|
+
- path:
|
|
243
|
+
type: PathPrefix
|
|
244
|
+
value: /v1
|
|
245
|
+
backendRefs:
|
|
246
|
+
- name: api-server
|
|
247
|
+
port: 80
|
|
248
|
+
```
|
|
249
|
+
|
|
250
|
+
### DNS Considerations
|
|
251
|
+
|
|
252
|
+
**ndots setting**: Kubernetes default is `ndots: 5`, meaning any name with fewer than 5 dots
|
|
253
|
+
gets the search domains appended first. For external names like `api.stripe.com` (2 dots),
|
|
254
|
+
the resolver tries `api.stripe.com.production.svc.cluster.local` and several others before
|
|
255
|
+
resolving the real address. Fix with a trailing dot or lower ndots:
|
|
256
|
+
|
|
257
|
+
```yaml
|
|
258
|
+
spec:
|
|
259
|
+
dnsConfig:
|
|
260
|
+
options:
|
|
261
|
+
- name: ndots
|
|
262
|
+
value: "2" # Reduces unnecessary search domain lookups
|
|
263
|
+
```
|
|
264
|
+
|
|
265
|
+
**Cross-namespace DNS**: always use the full form `<service>.<namespace>.svc.cluster.local`
|
|
266
|
+
or at minimum `<service>.<namespace>`. Never rely on short names across namespaces.
|
|
267
|
+
|
|
268
|
+
**Headless Services for StatefulSets**: required for stable per-pod DNS:
|
|
269
|
+
|
|
270
|
+
```yaml
|
|
271
|
+
apiVersion: v1
|
|
272
|
+
kind: Service
|
|
273
|
+
metadata:
|
|
274
|
+
name: postgres
|
|
275
|
+
namespace: production
|
|
276
|
+
spec:
|
|
277
|
+
clusterIP: None # Headless -- returns pod IPs directly
|
|
278
|
+
selector:
|
|
279
|
+
app: postgres
|
|
280
|
+
ports:
|
|
281
|
+
- port: 5432
|
|
282
|
+
```
|
|
283
|
+
|
|
284
|
+
Each pod gets a DNS record: `postgres-0.postgres.production.svc.cluster.local`.
|
|
285
|
+
|
|
286
|
+
---
|
|
287
|
+
|
|
288
|
+
## Patterns
|
|
289
|
+
|
|
290
|
+
### GOOD: Full Stack with Network Segmentation
|
|
291
|
+
|
|
292
|
+
```yaml
|
|
293
|
+
apiVersion: apps/v1
|
|
294
|
+
kind: Deployment
|
|
295
|
+
metadata:
|
|
296
|
+
name: api-server
|
|
297
|
+
namespace: production
|
|
298
|
+
spec:
|
|
299
|
+
replicas: 3
|
|
300
|
+
selector:
|
|
301
|
+
matchLabels:
|
|
302
|
+
app: api-server
|
|
303
|
+
template:
|
|
304
|
+
metadata:
|
|
305
|
+
labels:
|
|
306
|
+
app: api-server
|
|
307
|
+
spec:
|
|
308
|
+
containers:
|
|
309
|
+
- name: api
|
|
310
|
+
image: registry.example.com/api-server:v2.4.1@sha256:abc123...
|
|
311
|
+
ports:
|
|
312
|
+
- containerPort: 8080
|
|
313
|
+
---
|
|
314
|
+
apiVersion: v1
|
|
315
|
+
kind: Service
|
|
316
|
+
metadata:
|
|
317
|
+
name: api-server
|
|
318
|
+
namespace: production
|
|
319
|
+
spec:
|
|
320
|
+
type: ClusterIP
|
|
321
|
+
selector:
|
|
322
|
+
app: api-server # Matches pod label exactly
|
|
323
|
+
ports:
|
|
324
|
+
- port: 80
|
|
325
|
+
targetPort: 8080
|
|
326
|
+
protocol: TCP
|
|
327
|
+
---
|
|
328
|
+
apiVersion: networking.k8s.io/v1
|
|
329
|
+
kind: NetworkPolicy
|
|
330
|
+
metadata:
|
|
331
|
+
name: api-server-netpol
|
|
332
|
+
namespace: production
|
|
333
|
+
spec:
|
|
334
|
+
podSelector:
|
|
335
|
+
matchLabels:
|
|
336
|
+
app: api-server
|
|
337
|
+
policyTypes:
|
|
338
|
+
- Ingress
|
|
339
|
+
- Egress
|
|
340
|
+
ingress:
|
|
341
|
+
- from:
|
|
342
|
+
- namespaceSelector:
|
|
343
|
+
matchLabels:
|
|
344
|
+
kubernetes.io/metadata.name: ingress-nginx
|
|
345
|
+
ports:
|
|
346
|
+
- protocol: TCP
|
|
347
|
+
port: 8080
|
|
348
|
+
egress:
|
|
349
|
+
- to:
|
|
350
|
+
- namespaceSelector:
|
|
351
|
+
matchLabels:
|
|
352
|
+
kubernetes.io/metadata.name: kube-system
|
|
353
|
+
ports:
|
|
354
|
+
- protocol: UDP
|
|
355
|
+
port: 53
|
|
356
|
+
- protocol: TCP
|
|
357
|
+
port: 53
|
|
358
|
+
- to:
|
|
359
|
+
- podSelector:
|
|
360
|
+
matchLabels:
|
|
361
|
+
app: postgres
|
|
362
|
+
ports:
|
|
363
|
+
- protocol: TCP
|
|
364
|
+
port: 5432
|
|
365
|
+
---
|
|
366
|
+
apiVersion: networking.k8s.io/v1
|
|
367
|
+
kind: Ingress
|
|
368
|
+
metadata:
|
|
369
|
+
name: api-ingress
|
|
370
|
+
namespace: production
|
|
371
|
+
annotations:
|
|
372
|
+
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
|
373
|
+
spec:
|
|
374
|
+
ingressClassName: nginx
|
|
375
|
+
tls:
|
|
376
|
+
- hosts:
|
|
377
|
+
- api.example.com
|
|
378
|
+
secretName: api-tls-cert
|
|
379
|
+
rules:
|
|
380
|
+
- host: api.example.com
|
|
381
|
+
http:
|
|
382
|
+
paths:
|
|
383
|
+
- path: /
|
|
384
|
+
pathType: Prefix
|
|
385
|
+
backend:
|
|
386
|
+
service:
|
|
387
|
+
name: api-server
|
|
388
|
+
port:
|
|
389
|
+
number: 80
|
|
390
|
+
```
|
|
391
|
+
|
|
392
|
+
### BAD: NodePort Service with No Network Policy
|
|
393
|
+
|
|
394
|
+
```yaml
|
|
395
|
+
# INSECURE - DO NOT USE
|
|
396
|
+
apiVersion: v1
|
|
397
|
+
kind: Service
|
|
398
|
+
metadata:
|
|
399
|
+
name: api-server
|
|
400
|
+
spec:
|
|
401
|
+
type: NodePort # Exposed on every node's IP
|
|
402
|
+
selector:
|
|
403
|
+
app: api # Does this match the pod labels? Who knows.
|
|
404
|
+
ports:
|
|
405
|
+
- port: 80
|
|
406
|
+
targetPort: 8080
|
|
407
|
+
nodePort: 30080 # Hardcoded, conflicts with other services
|
|
408
|
+
# No NetworkPolicy -- every pod in the cluster can reach this
|
|
409
|
+
# No Ingress -- no TLS termination, no host-based routing
|
|
410
|
+
# No namespace -- lands wherever current context points
|
|
411
|
+
```
|
|
412
|
+
|
|
413
|
+
Problems with the bad example:
|
|
414
|
+
1. `NodePort` exposes the service on every node at port 30080 -- no access control.
|
|
415
|
+
2. Selector says `app: api` but pod label might be `app: api-server` -- silent mismatch.
|
|
416
|
+
3. No NetworkPolicy -- all pods in the cluster can reach this service.
|
|
417
|
+
4. No TLS termination -- traffic is unencrypted.
|
|
418
|
+
5. No namespace specified.
|
|
419
|
+
6. Hardcoded `nodePort` value -- port conflicts are discovered only at apply time.
|
|
420
|
+
7. No Ingress -- direct node IP access bypasses all edge security.
|
|
421
|
+
|
|
422
|
+
---
|
|
423
|
+
|
|
424
|
+
## LLM Mistake Checklist
|
|
425
|
+
|
|
426
|
+
Before emitting any networking manifest, verify every item:
|
|
427
|
+
|
|
428
|
+
- [ ] **Default-deny NetworkPolicy exists in the target namespace** -- or is included in the output.
|
|
429
|
+
- [ ] **Both `policyTypes: [Ingress, Egress]` specified** -- ingress-only policies still allow all egress.
|
|
430
|
+
- [ ] **DNS egress (port 53 UDP+TCP to kube-system) explicitly allowed** -- or all name resolution breaks.
|
|
431
|
+
- [ ] **Service type is `ClusterIP`** unless external access is explicitly required and justified.
|
|
432
|
+
- [ ] **Service `selector` exactly matches pod template `labels`** -- verify spelling, casing, key names.
|
|
433
|
+
- [ ] **Service `targetPort` matches the container `containerPort`** -- not the Service `port`.
|
|
434
|
+
- [ ] **Ingress specifies `ingressClassName`** -- omitting it relies on a default class that may not exist.
|
|
435
|
+
- [ ] **Ingress TLS block includes both `hosts` and `secretName`** -- and the Secret exists.
|
|
436
|
+
- [ ] **Ingress backend `service.port.number` matches the Service `port`** -- not the pod `targetPort`.
|
|
437
|
+
- [ ] **Cross-namespace DNS uses full form** `<svc>.<ns>.svc.cluster.local` -- short names do not resolve.
|
|
438
|
+
- [ ] **NetworkPolicy `namespaceSelector` + `podSelector` AND/OR logic is correct** -- same item = AND, separate items = OR.
|
|
439
|
+
- [ ] **No `hostNetwork: true`** unless explicitly required -- it bypasses all NetworkPolicy enforcement.
|
|
440
|
+
|
|
441
|
+
---
|
|
442
|
+
|
|
443
|
+
## Verification Commands
|
|
444
|
+
|
|
445
|
+
```bash
|
|
446
|
+
# Check if any NetworkPolicy exists in the namespace
|
|
447
|
+
kubectl get networkpolicy -n production
|
|
448
|
+
|
|
449
|
+
# Verify Service has endpoints (non-zero)
|
|
450
|
+
kubectl get endpoints api-server -n production
|
|
451
|
+
# If ENDPOINTS column shows <none>, selector does not match any pods
|
|
452
|
+
|
|
453
|
+
# Compare Service selector with pod labels
|
|
454
|
+
kubectl get svc api-server -n production -o jsonpath='{.spec.selector}' | jq .
|
|
455
|
+
kubectl get pods -n production -l app=api-server -o name
|
|
456
|
+
|
|
457
|
+
# Test DNS resolution from inside a pod
|
|
458
|
+
kubectl run dns-test --rm -it --restart=Never --image=busybox:1.36 -- nslookup api-server.production.svc.cluster.local
|
|
459
|
+
|
|
460
|
+
# Test connectivity between pods (with NetworkPolicy)
|
|
461
|
+
kubectl run nettest --rm -it --restart=Never --image=busybox:1.36 -- wget -qO- --timeout=3 http://api-server.production:80/healthz
|
|
462
|
+
|
|
463
|
+
# List all Services of type NodePort or LoadBalancer (potential exposure)
|
|
464
|
+
kubectl get svc -A -o json | jq -r '.items[] | select(.spec.type == "NodePort" or .spec.type == "LoadBalancer") | "\(.metadata.namespace)/\(.metadata.name): \(.spec.type)"'
|
|
465
|
+
|
|
466
|
+
# Check Ingress status and assigned addresses
|
|
467
|
+
kubectl get ingress -n production -o wide
|
|
468
|
+
|
|
469
|
+
# Verify TLS Secret exists and is valid
|
|
470
|
+
kubectl get secret api-tls-cert -n production -o jsonpath='{.type}'
|
|
471
|
+
# Should output: kubernetes.io/tls
|
|
472
|
+
|
|
473
|
+
# Inspect NetworkPolicy rules for a specific pod
|
|
474
|
+
kubectl get networkpolicy -n production -o json | jq '.items[] | select(.spec.podSelector.matchLabels.app == "api-server")'
|
|
475
|
+
|
|
476
|
+
# Check for pods using hostNetwork (bypasses NetworkPolicy)
|
|
477
|
+
kubectl get pods -A -o json | jq -r '.items[] | select(.spec.hostNetwork == true) | "\(.metadata.namespace)/\(.metadata.name)"'
|
|
478
|
+
|
|
479
|
+
# Validate manifests
|
|
480
|
+
kubeconform -strict -kubernetes-version 1.30.0 manifest.yaml
|
|
481
|
+
```
|