@synapta/skills 0.1.0 → 0.1.2

package/skills/deploy-k8s/references/stateful-patterns.md

@@ -0,0 +1,130 @@
+# StatefulSet Patterns -- Stateful Workloads
+
+**Load this reference when generating:** StatefulSet, headless Service, PersistentVolumeClaim (stateful apps), VolumeSnapshot, or any workload requiring stable identity or persistent storage.
+
+## When to Use a StatefulSet
+When pods need: **stable network identity** (predictable DNS per pod), **stable per-pod storage** (PVC follows the pod across reschedules), or **ordered deployment** (sequential create/delete). Common: PostgreSQL, MySQL, Kafka, RabbitMQ, etcd, ZooKeeper, Redis Sentinel, Cassandra.
+
+## StatefulSet vs Deployment
+| Concern | Deployment | StatefulSet |
+|---|---|---|
+| Pod identity | Random suffix, interchangeable | Ordinal index, stable hostname |
+| Storage | Shared PVC or none | Per-pod PVC via volumeClaimTemplates |
+| Scaling | All pods equal | Ordered creation/deletion |
+| DNS | Via Service only | Per-pod DNS via headless Service |
+
+**Anti-pattern:** Using StatefulSet when a Deployment + single PVC (RWX) or external database suffices. If you only need storage (not per-pod identity), a Deployment with a PVC is simpler.
+
+## Stable Network Identity
+A headless Service (`clusterIP: None`) is **required**. It creates per-pod DNS: `<pod>.<headless-svc>.<ns>.svc.cluster.local`. Example: `postgres-0.postgres-headless.database.svc.cluster.local`.
+
+## volumeClaimTemplates
+Creates one PVC per pod. PVCs are **never auto-deleted** on scale-down (protects data).
+- **StorageClass**: verify it matches durability needs. Never rely on the default class in prod.
+- **Access mode**: `ReadWriteOnce` for databases. `ReadWriteOncePod` (1.27+ GA) for stricter guarantees.
+- **Size**: plan for growth. PVCs can expand (if `allowVolumeExpansion: true`) but never shrink.
+
+## Pod Management Policy
+- `OrderedReady` (default): sequential 0, 1, 2... each must be Ready before next starts. Use for consensus systems.
+- `Parallel`: all pods launch simultaneously. Use when pods initialize independently (Cassandra).
+
+## Update Strategy
+- **RollingUpdate**: reverse ordinal order. Set `partition` for canary -- pods >= partition get the new version.
+- **OnDelete**: manual control. Pods update only when you delete them. Use for databases needing careful upgrade sequencing.
+
+## Backup and Restore
+- **VolumeSnapshot**: CSI snapshots for point-in-time backups. Automate with CronJobs or Velero.
+- **Application-level**: always run logical backups (pg_dump, mysqldump) alongside snapshots -- snapshots alone can be crash-inconsistent.
+- Test restores regularly. A backup never restored is not a backup.
+
+## Example: PostgreSQL StatefulSet
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres-headless
+spec:
+  clusterIP: None
+  selector: { app.kubernetes.io/name: postgres, app.kubernetes.io/component: database }
+  ports: [{ port: 5432, targetPort: 5432, protocol: TCP }]
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  labels: { app.kubernetes.io/name: postgres, app.kubernetes.io/component: database }
+spec:
+  serviceName: postgres-headless
+  replicas: 3
+  podManagementPolicy: OrderedReady
+  updateStrategy: { type: RollingUpdate, rollingUpdate: { partition: 0 } }
+  selector:
+    matchLabels: { app.kubernetes.io/name: postgres, app.kubernetes.io/component: database }
+  template:
+    metadata:
+      labels: { app.kubernetes.io/name: postgres, app.kubernetes.io/component: database }
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+        runAsGroup: 999
+        fsGroup: 999
+        seccompProfile: { type: RuntimeDefault }
+      terminationGracePeriodSeconds: 120
+      containers:
+        - name: postgres
+          image: postgres:16.2-bookworm
+          ports: [{ containerPort: 5432, protocol: TCP }]
+          env:
+            - { name: PGDATA, value: /var/lib/postgresql/data/pgdata }
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef: { name: postgres-credentials, key: password }
+          resources:
+            requests: { cpu: 500m, memory: 1Gi }
+            limits:   { cpu: "2", memory: 2Gi }
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities: { drop: ["ALL"] }
+          readinessProbe:
+            exec: { command: ["pg_isready", "-U", "postgres"] }
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          livenessProbe:
+            exec: { command: ["pg_isready", "-U", "postgres"] }
+            initialDelaySeconds: 30
+            periodSeconds: 30
+          volumeMounts:
+            - { name: data, mountPath: /var/lib/postgresql/data }
+            - { name: tmp, mountPath: /tmp }
+            - { name: run, mountPath: /var/run/postgresql }
+      volumes:
+        - { name: tmp, emptyDir: {} }
+        - { name: run, emptyDir: {} }
+  volumeClaimTemplates:
+    - metadata: { name: data }
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: gp3-encrypted
+        resources: { requests: { storage: 50Gi } }
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgres
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels: { app.kubernetes.io/name: postgres, app.kubernetes.io/component: database }
+```
+
+## LLM Mistake Checklist
+1. **Missing headless Service.** StatefulSet requires `clusterIP: None`. Without it, pods get no stable DNS and `serviceName` validation fails.
+2. **Forgetting `serviceName`.** Must match the headless Service name exactly. Omitting it is an API error.
+3. **volumeClaimTemplates nested under `template.spec`.** It is a peer of `template`, not inside it.
+4. **Expecting PVCs deleted on scale-down.** They are retained intentionally. Delete manually or set `persistentVolumeClaimRetentionPolicy` (1.27+).
+5. **ReadWriteMany for single-node databases.** Use `ReadWriteOnce` or `ReadWriteOncePod`. RWX adds complexity and is rarely supported by performant storage.
+6. **Low terminationGracePeriodSeconds.** Default 30s is insufficient for databases. Set 60-120s for clean shutdown.
+7. **Omitting PGDATA subdirectory.** PostgreSQL needs the data dir as a subdirectory of the mount (e.g., `.../data/pgdata`) because the mount root may contain `lost+found`.
+8. **No PodDisruptionBudget.** Stateful workloads are disruption-sensitive. Always create a PDB with `maxUnavailable: 1`.

package/skills/deploy-k8s/references/storage-and-state.md

@@ -0,0 +1,330 @@
+# Storage and State
+
+**Directive:** When generating or reviewing any workload that persists data, ALWAYS configure StorageClass, PVC sizing, access modes, and reclaim policies correctly. Data loss from misconfigured storage is irreversible. Default security posture is PSS "restricted" profile.
+
+## When to use
+
+Consult this reference whenever the task involves:
+- Any workload with persistent data (databases, file storage, caches)
+- Creating or modifying PersistentVolumeClaims or StorageClasses
+- Configuring StatefulSet volumeClaimTemplates
+- Volume snapshots, backup/restore, or data migration
+- Choosing between ephemeral and persistent storage
+
+---
+
+## PersistentVolume and PersistentVolumeClaim Model
+
+- **PersistentVolume (PV):** A piece of storage provisioned in the cluster, either manually or dynamically.
+- **PersistentVolumeClaim (PVC):** A request for storage by a workload. Binds to a PV that satisfies its requirements.
+- **Dynamic provisioning** is the default and preferred approach. Manual PV creation is only needed for pre-existing storage (NFS shares, existing cloud disks).
+
+The binding flow: PVC specifies `storageClassName`, size, and access mode. The provisioner for that StorageClass creates a PV automatically and binds it to the PVC.
+
+---
+
+## StorageClass Configuration
+
+```yaml
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: fast-retain
+provisioner: ebs.csi.aws.com          # or pd.csi.storage.gke.io, disk.csi.azure.com
+parameters:
+  type: gp3                            # cloud-specific volume type
+  encrypted: "true"
+reclaimPolicy: Retain                  # CRITICAL for production data
+volumeBindingMode: WaitForFirstConsumer  # bind PV only when a pod needs it
+allowVolumeExpansion: true             # allow PVC resize without recreation
+mountOptions:
+  - noatime                            # reduce unnecessary metadata writes
+```
+
+Key fields:
+
+| Field | Production value | Why |
+|---|---|---|
+| `reclaimPolicy` | `Retain` | `Delete` (the default!) destroys the underlying volume when the PVC is deleted. Use `Retain` for any data you care about. |
+| `volumeBindingMode` | `WaitForFirstConsumer` | `Immediate` (the default) provisions the volume before a pod is scheduled, which can place the volume in a different availability zone than the pod. `WaitForFirstConsumer` provisions in the same zone as the pod. |
+| `allowVolumeExpansion` | `true` | Without this, you must delete and recreate the PVC to resize -- causing data loss if `reclaimPolicy` is `Delete`. |
+
+---
+
+## Access Modes
+
+| Mode | Abbreviation | Meaning | Typical support |
+|---|---|---|---|
+| `ReadWriteOnce` | RWO | One node can mount read-write | All block storage (EBS, PD, Azure Disk) |
+| `ReadOnlyMany` | ROX | Many nodes can mount read-only | NFS, CephFS, cloud file storage |
+| `ReadWriteMany` | RWX | Many nodes can mount read-write | NFS, CephFS, EFS, Azure Files -- NOT block storage |
+| `ReadWriteOncePod` | RWOP | Exactly one pod can mount read-write (k8s 1.29+) | CSI drivers that support it |
+
+Common mistake: requesting `ReadWriteMany` with a block storage provisioner (EBS, GCE PD). Block storage is physically attached to one node -- it cannot be RWX. Use a file storage solution for shared access.
+
+---
+
+## Volume Expansion
+
+To expand a PVC, the StorageClass must have `allowVolumeExpansion: true`. Then patch the PVC:
+
+```bash
+kubectl patch pvc data-postgres-0 -n databases \
+  -p '{"spec":{"resources":{"requests":{"storage":"100Gi"}}}}'
+```
+
+For file systems, expansion happens online. For block storage, some CSI drivers require the pod to be restarted. Always check your CSI driver documentation.
+
+---
+
+## VolumeSnapshot for Backup and Restore
+
+```yaml
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshot
+metadata:
+  name: postgres-snapshot-2025-03-15
+  namespace: databases
+spec:
+  volumeSnapshotClassName: csi-snapclass
+  source:
+    persistentVolumeClaimName: data-postgres-0
+---
+# Restore from snapshot into a new PVC
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: data-postgres-restored
+  namespace: databases
+spec:
+  storageClassName: fast-retain
+  dataSource:
+    name: postgres-snapshot-2025-03-15
+    kind: VolumeSnapshot
+    apiGroup: snapshot.storage.k8s.io
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 50Gi
+```
+
+**Rule:** Always take a VolumeSnapshot before any destructive operation -- PVC deletion, StorageClass migration, or major application upgrade.
+
+---
+
+## Ephemeral Storage: emptyDir
+
+`emptyDir` volumes are tied to the pod lifecycle -- they are deleted when the pod is removed. Use them for scratch space, caches, and temporary files:
+
+```yaml
+volumes:
+  - name: tmp
+    emptyDir:
+      sizeLimit: 100Mi        # ALWAYS set sizeLimit
+  - name: cache
+    emptyDir:
+      medium: Memory           # backed by RAM (tmpfs), counts against memory limits
+      sizeLimit: 256Mi
+```
+
+**Critical rule:** ALWAYS set `sizeLimit` on `emptyDir` volumes. Without it, a runaway process can fill the node's disk and cause eviction of all pods on that node.
+
+---
+
+## CSI Drivers Overview
+
+| Environment | Default CSI driver | Notes |
+|---|---|---|
+| AWS EKS | `ebs.csi.aws.com` | Block storage (RWO only). Use EFS CSI for RWX. |
+| GKE | `pd.csi.storage.gke.io` | Block storage. Use Filestore CSI for RWX. |
+| Azure AKS | `disk.csi.azure.com` | Block storage. Use `file.csi.azure.com` for RWX. |
+| Bare metal | Longhorn, Rook-Ceph, OpenEBS | Longhorn is simplest. Rook-Ceph for production-grade distributed storage. |
+
+All major cloud CSI drivers support snapshots, volume expansion, and encryption.
+
+---
+
+## Data Protection Rules
+
+1. **Production StorageClass must use `reclaimPolicy: Retain`.** `Delete` is acceptable only for ephemeral environments (CI, preview deploys).
+2. **Take VolumeSnapshots before destructive changes.** PVC deletion, resize, migration.
+3. **Test restore procedures regularly.** A backup you have never restored is not a backup.
+4. **Encrypt volumes at rest.** Use CSI driver `parameters.encrypted: "true"` or cloud provider defaults.
+5. **Use `ReadWriteOncePod` for databases.** Prevents accidental multi-attach that corrupts data.
+
+---
+
+## StatefulSet volumeClaimTemplates
+
+StatefulSets create a PVC per replica automatically. See **stateful-patterns.md** for full StatefulSet configuration:
+
+```yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  namespace: databases
+spec:
+  serviceName: postgres
+  replicas: 3
+  selector:
+    matchLabels:
+      app: postgres
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        storageClassName: fast-retain
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 50Gi
+```
+
+This creates PVCs named `data-postgres-0`, `data-postgres-1`, `data-postgres-2`. PVCs created by `volumeClaimTemplates` are NOT deleted when the StatefulSet is deleted -- this is intentional to protect data.
+
+---
+
+## GOOD: StorageClass + PVC + Deployment
+
+```yaml
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: standard-retain
+provisioner: ebs.csi.aws.com
+parameters:
+  type: gp3
+  encrypted: "true"
+reclaimPolicy: Retain
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: app-data
+  namespace: production
+spec:
+  storageClassName: standard-retain
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: file-processor
+  namespace: production
+spec:
+  replicas: 1                          # RWO -- single replica only
+  selector:
+    matchLabels:
+      app: file-processor
+  template:
+    metadata:
+      labels:
+        app: file-processor
+    spec:
+      automountServiceAccountToken: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10000
+        runAsGroup: 10000
+        fsGroup: 10000                 # ensures mounted volume is writable by this GID
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: processor
+          image: registry.example.com/file-processor:v2.1.0
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: ["ALL"]
+          volumeMounts:
+            - name: data
+              mountPath: /data
+            - name: tmp
+              mountPath: /tmp
+          resources:
+            requests:
+              cpu: 200m
+              memory: 256Mi
+            limits:
+              memory: 512Mi
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: app-data
+        - name: tmp
+          emptyDir:
+            sizeLimit: 100Mi
+```
+
+## BAD: Common Storage Mistakes
+
+```yaml
+# PROBLEMATIC - DO NOT USE
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: shared-data
+spec:
+  # no storageClassName -- uses cluster default, which likely has reclaimPolicy: Delete
+  accessModes:
+    - ReadWriteMany              # block storage CSI does not support RWX -- PVC stays Pending
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+        - name: app
+          image: myapp:latest
+          volumeMounts:
+            - name: data
+              mountPath: /data
+            - name: scratch
+              mountPath: /tmp
+          # no securityContext, no resources
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: shared-data
+        - name: scratch
+          emptyDir: {}           # no sizeLimit -- can fill the node disk
+```
+
+Problems: no explicit StorageClass (defaults to Delete reclaim), RWX on block storage (will never bind), no `sizeLimit` on `emptyDir`, no `fsGroup` (mounted volume may not be writable by the non-root user), `:latest` image tag.
+
+---
+
+## LLM Mistake Checklist
+
+Before finalizing any storage-related manifest, verify each item:
+
+- [ ] **StorageClass `reclaimPolicy`** is `Retain` for production -- not the default `Delete`.
+- [ ] **`volumeBindingMode: WaitForFirstConsumer`** is set to avoid cross-zone volume/pod mismatch.
+- [ ] **Access mode matches the CSI driver** -- do not request `ReadWriteMany` from block storage.
+- [ ] **`allowVolumeExpansion: true`** is set on the StorageClass to allow future resizing.
+- [ ] **`emptyDir` volumes have `sizeLimit`** set -- an unbounded emptyDir can evict all pods on the node.
+- [ ] **`fsGroup`** is set in the pod security context so the non-root user can write to mounted volumes.
+- [ ] **VolumeSnapshot** is taken before any destructive operation (PVC deletion, migration).
+- [ ] **Deployment replicas match access mode** -- do not set `replicas > 1` with `ReadWriteOnce` PVCs unless using `ReadWriteOncePod` or StatefulSet per-replica volumes.

package/skills/deploy-k8s/references/validation-and-policy.md

@@ -0,0 +1,242 @@
+# Validation and Policy Enforcement
+
+> When validating Kubernetes manifests, enforcing policies, or integrating checks
+> into CI pipelines, follow these patterns. Default security posture is PSS
+> "restricted" profile.
+
+---
+
+## Validation Layers
+
+Apply in order, each catches different classes of errors:
+
+1. **Client-side schema validation** (kubeconform/kubeval) -- catches structural YAML errors, unknown fields, wrong types.
+2. **Policy enforcement** (Kyverno/OPA Gatekeeper) -- catches organizational rule violations.
+3. **Server-side dry-run** (kubectl --dry-run=server) -- catches admission webhook rejections, quota violations, naming conflicts.
+
+## kubeconform
+
+Fast, offline schema validation against specific Kubernetes versions.
+
+```bash
+# Validate all manifests against K8s 1.29
+kubeconform \
+  -kubernetes-version 1.29.0 \
+  -strict \
+  -summary \
+  -output json \
+  manifests/
+
+# With CRD schema support (e.g., for Prometheus Operator)
+kubeconform \
+  -kubernetes-version 1.29.0 \
+  -strict \
+  -schema-location default \
+  -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
+  manifests/
+
+# Validate Helm rendered output
+helm template my-release ./chart -f values-prod.yaml | \
+  kubeconform -kubernetes-version 1.29.0 -strict
+
+# Validate Kustomize rendered output
+kustomize build overlays/production | \
+  kubeconform -kubernetes-version 1.29.0 -strict
+```
+
+- Always use `-strict` to reject unknown fields.
+- Pin `-kubernetes-version` to the target cluster version.
+- Use CRD schema registries for custom resources; without them, CRDs are silently skipped.
+
+## kubectl Dry-Run
+
+```bash
+# Client-side: basic YAML parsing, no server contact
+kubectl apply -f manifest.yaml --dry-run=client
+
+# Server-side: full admission chain minus persistence
+kubectl apply -f manifest.yaml --dry-run=server
+```
+
+- `--dry-run=client` catches only syntax errors. It does not validate against the cluster schema.
+- `--dry-run=server` runs through all admission webhooks and validations. Requires cluster access.
+- Server-side dry-run is the final gate before actual apply.
+
+## Kyverno
+
+YAML-native policy engine. Policies are Kubernetes resources.
+
+### Require Resource Limits
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-resource-limits
+  annotations:
+    policies.kyverno.io/title: Require Resource Limits
+    policies.kyverno.io/severity: medium
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: check-limits
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: "All containers must have memory and cpu limits."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    memory: "?*"
+                    cpu: "?*"
+```
+
+### Require Standard Labels
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+spec:
+  validationFailureAction: Enforce
+  rules:
+    - name: check-labels
+      match:
+        any:
+          - resources:
+              kinds:
+                - Deployment
+                - StatefulSet
+                - DaemonSet
+      validate:
+        message: "Must include app.kubernetes.io/name and app.kubernetes.io/version labels."
+        pattern:
+          metadata:
+            labels:
+              app.kubernetes.io/name: "?*"
+              app.kubernetes.io/version: "?*"
+```
+
+- `ClusterPolicy` applies cluster-wide; `Policy` is namespace-scoped.
+- `validationFailureAction: Enforce` blocks non-compliant resources; `Audit` only logs.
+- Kyverno supports validate, mutate, generate, and verifyImages rule types.
+
+## OPA Gatekeeper
+
+Policy engine using Rego. Uses a two-object model: ConstraintTemplate defines the logic, Constraint applies it.
+
+### Disallow Privileged Containers
+
+```yaml
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sdisallowprivileged
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sDisallowPrivileged
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sdisallowprivileged
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          container.securityContext.privileged == true
+          msg := sprintf("Container '%v' must not be privileged", [container.name])
+        }
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.initContainers[_]
+          container.securityContext.privileged == true
+          msg := sprintf("Init container '%v' must not be privileged", [container.name])
+        }
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sDisallowPrivileged
+metadata:
+  name: no-privileged-containers
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters: {}
+```
+
+- ConstraintTemplate defines reusable policy logic in Rego.
+- Constraint instances apply the template with specific match criteria and parameters.
+- Always check both `containers` and `initContainers` in Rego rules.
+
+## Polaris
+
+Score-based configuration auditing. Good for baseline posture assessment.
+
+```bash
+# CLI audit against manifests
+polaris audit --audit-path manifests/ --format pretty
+
+# Generate a score for CI gating
+polaris audit --audit-path manifests/ --format score
+# Fails CI if score < threshold (default 0)
+polaris audit --audit-path manifests/ --set-exit-code-on-danger
+```
+
+## CI Pipeline Integration
+
+Run validations in this order:
+
+```
+validate (kubeconform) -> lint (helm lint / kustomize build) -> policy-check (kyverno/polaris) -> dry-run (server)
+```
+
+### GitHub Actions Example
+
+```yaml
+name: Validate Kubernetes Manifests
+on: [pull_request]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install tools
+        run: |
+          curl -sL https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz | tar xz
+          sudo mv kubeconform /usr/local/bin/
+
+      - name: Render manifests
+        run: |
+          helm template my-release ./chart -f values-prod.yaml > rendered.yaml
+
+      - name: Schema validation
+        run: |
+          kubeconform -kubernetes-version 1.29.0 -strict -summary rendered.yaml
+
+      - name: Policy check
+        uses: kyverno/action-install-cli@v0.2
+        with:
+          release: "v1.12.0"
+      - run: |
+          kyverno apply policies/ --resource rendered.yaml
+```
+
+## LLM Mistake Checklist
+
+1. **Used `--dry-run` without `=client` or `=server`** -- bare `--dry-run` is deprecated and defaults to client; always be explicit.
+2. **Forgot CRD schemas in kubeconform** -- custom resources pass validation silently with no schema, hiding errors.
+3. **Kyverno `validationFailureAction: Audit` in production** -- logs violations but does not block them; use `Enforce`.
+4. **Gatekeeper ConstraintTemplate missing `initContainers` check** -- privileged init containers bypass the policy.
+5. **Policy match on `Pod` only** -- misses workloads created by Deployments; match the controller kind or use Kyverno auto-gen.
+6. **kubeconform without `-strict`** -- unknown/misspelled fields pass validation silently.
+7. **Skipped server-side dry-run in CI** -- client-side validation cannot catch webhook rejections or quota violations.
+8. **Policy tested only on `apply`, not on `create`** -- some admission policies behave differently on update vs create operations.