@synapta/skills 0.1.1 → 0.2.0

Files changed (354)
  1. package/dist/index.js +11 -4
  2. package/package.json +3 -4
  3. package/skills/ATTRIBUTION.md +80 -0
  4. package/skills/accessibility-audit/SKILL.md +325 -0
  5. package/skills/accessibility-audit/reference/wcag-checklist.md +103 -0
  6. package/skills/apns-notifier/SKILL.md +86 -0
  7. package/skills/approval-policy-enforcer/SKILL.md +66 -0
  8. package/skills/apps-sdk-builder/LICENSE.txt +201 -0
  9. package/skills/apps-sdk-builder/SKILL.md +328 -0
  10. package/skills/apps-sdk-builder/agents/openai.yaml +13 -0
  11. package/skills/apps-sdk-builder/references/app-archetypes.md +132 -0
  12. package/skills/apps-sdk-builder/references/apps-sdk-docs-workflow.md +135 -0
  13. package/skills/apps-sdk-builder/references/interactive-state-sync-patterns.md +113 -0
  14. package/skills/apps-sdk-builder/references/repo-contract-and-validation.md +93 -0
  15. package/skills/apps-sdk-builder/references/search-fetch-standard.md +67 -0
  16. package/skills/apps-sdk-builder/references/upstream-example-workflow.md +79 -0
  17. package/skills/apps-sdk-builder/references/window-openai-patterns.md +79 -0
  18. package/skills/apps-sdk-builder/scripts/scaffold_node_ext_apps.mjs +606 -0
  19. package/skills/architecture-selector/SKILL.md +64 -0
  20. package/skills/backlog-planner/SKILL.md +68 -0
  21. package/skills/carplay-entitlement-checker/SKILL.md +82 -0
  22. package/skills/concept-deepener/SKILL.md +86 -0
  23. package/skills/concept-discovery/SKILL.md +517 -0
  24. package/skills/concept-discovery/assets/sample-analysis.json +81 -0
  25. package/skills/concept-discovery/expected_outputs/sample-enum-dictionary.md +25 -0
  26. package/skills/concept-discovery/expected_outputs/sample-page-user-list.md +83 -0
  27. package/skills/concept-discovery/expected_outputs/sample-prd-readme.md +43 -0
  28. package/skills/concept-discovery/references/framework-patterns.md +228 -0
  29. package/skills/concept-discovery/references/prd-quality-checklist.md +65 -0
  30. package/skills/concept-discovery/scripts/codebase_analyzer.py +732 -0
  31. package/skills/concept-discovery/scripts/prd_scaffolder.py +435 -0
  32. package/skills/dast-zap/SKILL.md +453 -0
  33. package/skills/dast-zap/assets/.gitkeep +9 -0
  34. package/skills/dast-zap/assets/github_action.yml +207 -0
  35. package/skills/dast-zap/assets/gitlab_ci.yml +226 -0
  36. package/skills/dast-zap/assets/zap_automation.yaml +196 -0
  37. package/skills/dast-zap/assets/zap_context.xml +192 -0
  38. package/skills/dast-zap/references/EXAMPLE.md +40 -0
  39. package/skills/dast-zap/references/api_testing_guide.md +475 -0
  40. package/skills/dast-zap/references/authentication_guide.md +431 -0
  41. package/skills/dast-zap/references/false_positive_handling.md +427 -0
  42. package/skills/dast-zap/references/owasp_mapping.md +255 -0
  43. package/skills/dep-sbom-scan/SKILL.md +466 -0
  44. package/skills/deploy-cloudflare/SKILL.md +930 -0
  45. package/skills/deploy-docker/SKILL.md +55 -0
  46. package/skills/deploy-fly/SKILL.md +228 -0
  47. package/skills/deploy-k8s/SKILL.md +108 -0
  48. package/skills/deploy-k8s/assets/logo.png +0 -0
  49. package/skills/deploy-k8s/docs/README.md +29 -0
  50. package/skills/deploy-k8s/docs/SUMMARY.md +56 -0
  51. package/skills/deploy-k8s/docs/advanced/token-efficiency.md +61 -0
  52. package/skills/deploy-k8s/docs/architecture/multi-tenancy.md +96 -0
  53. package/skills/deploy-k8s/docs/architecture/storage-and-state.md +102 -0
  54. package/skills/deploy-k8s/docs/architecture/workload-patterns.md +87 -0
  55. package/skills/deploy-k8s/docs/book.json +16 -0
  56. package/skills/deploy-k8s/docs/community/changelog.md +34 -0
  57. package/skills/deploy-k8s/docs/community/contributing.md +67 -0
  58. package/skills/deploy-k8s/docs/core-concepts/failure-modes.md +153 -0
  59. package/skills/deploy-k8s/docs/core-concepts/philosophy.md +83 -0
  60. package/skills/deploy-k8s/docs/core-concepts/workflow.md +124 -0
  61. package/skills/deploy-k8s/docs/examples/bad-patterns.md +47 -0
  62. package/skills/deploy-k8s/docs/examples/do-dont-checklist.md +37 -0
  63. package/skills/deploy-k8s/docs/examples/good-patterns.md +49 -0
  64. package/skills/deploy-k8s/docs/failure-modes/api-drift.md +104 -0
  65. package/skills/deploy-k8s/docs/failure-modes/fragile-rollouts.md +99 -0
  66. package/skills/deploy-k8s/docs/failure-modes/insecure-workload-defaults.md +80 -0
  67. package/skills/deploy-k8s/docs/failure-modes/network-exposure.md +98 -0
  68. package/skills/deploy-k8s/docs/failure-modes/privilege-sprawl.md +91 -0
  69. package/skills/deploy-k8s/docs/failure-modes/resource-starvation.md +85 -0
  70. package/skills/deploy-k8s/docs/getting-started/installation.md +152 -0
  71. package/skills/deploy-k8s/docs/getting-started/quick-start.md +115 -0
  72. package/skills/deploy-k8s/docs/guides/helm-patterns.md +71 -0
  73. package/skills/deploy-k8s/docs/guides/kustomize-patterns.md +65 -0
  74. package/skills/deploy-k8s/docs/guides/observability.md +67 -0
  75. package/skills/deploy-k8s/docs/guides/security-hardening.md +59 -0
  76. package/skills/deploy-k8s/docs/guides/validation-and-policy.md +66 -0
  77. package/skills/deploy-k8s/docs/integrations/mcp-integration.md +52 -0
  78. package/skills/deploy-k8s/docs/package-lock.json +2892 -0
  79. package/skills/deploy-k8s/docs/package.json +13 -0
  80. package/skills/deploy-k8s/references/api-drift.md +298 -0
  81. package/skills/deploy-k8s/references/conditional/aks-patterns.md +70 -0
  82. package/skills/deploy-k8s/references/conditional/eks-patterns.md +79 -0
  83. package/skills/deploy-k8s/references/conditional/gitops-controllers.md +71 -0
  84. package/skills/deploy-k8s/references/conditional/gke-patterns.md +74 -0
  85. package/skills/deploy-k8s/references/conditional/observability-stacks.md +80 -0
  86. package/skills/deploy-k8s/references/conditional/openshift-patterns.md +67 -0
  87. package/skills/deploy-k8s/references/daemonset-operator-patterns.md +155 -0
  88. package/skills/deploy-k8s/references/deployment-patterns.md +146 -0
  89. package/skills/deploy-k8s/references/do-dont-patterns.md +87 -0
  90. package/skills/deploy-k8s/references/examples-bad.md +282 -0
  91. package/skills/deploy-k8s/references/examples-good.md +440 -0
  92. package/skills/deploy-k8s/references/fragile-rollouts.md +303 -0
  93. package/skills/deploy-k8s/references/helm-patterns.md +203 -0
  94. package/skills/deploy-k8s/references/insecure-workload-defaults.md +300 -0
  95. package/skills/deploy-k8s/references/job-patterns.md +120 -0
  96. package/skills/deploy-k8s/references/kustomize-patterns.md +239 -0
  97. package/skills/deploy-k8s/references/multi-tenancy.md +343 -0
  98. package/skills/deploy-k8s/references/network-exposure.md +481 -0
  99. package/skills/deploy-k8s/references/observability.md +302 -0
  100. package/skills/deploy-k8s/references/privilege-sprawl.md +273 -0
  101. package/skills/deploy-k8s/references/resource-starvation.md +374 -0
  102. package/skills/deploy-k8s/references/security-hardening.md +209 -0
  103. package/skills/deploy-k8s/references/stateful-patterns.md +130 -0
  104. package/skills/deploy-k8s/references/storage-and-state.md +330 -0
  105. package/skills/deploy-k8s/references/validation-and-policy.md +242 -0
  106. package/skills/deploy-railway/SKILL.md +235 -0
  107. package/skills/deploy-railway/references/analyze-db-mongo.md +84 -0
  108. package/skills/deploy-railway/references/analyze-db-mysql.md +254 -0
  109. package/skills/deploy-railway/references/analyze-db-postgres.md +479 -0
  110. package/skills/deploy-railway/references/analyze-db-redis.md +208 -0
  111. package/skills/deploy-railway/references/analyze-db.md +344 -0
  112. package/skills/deploy-railway/references/configure.md +309 -0
  113. package/skills/deploy-railway/references/deploy.md +195 -0
  114. package/skills/deploy-railway/references/operate.md +214 -0
  115. package/skills/deploy-railway/references/request.md +248 -0
  116. package/skills/deploy-railway/references/setup.md +312 -0
  117. package/skills/deploy-railway/scripts/analyze-mongo.py +1549 -0
  118. package/skills/deploy-railway/scripts/analyze-mysql.py +1195 -0
  119. package/skills/deploy-railway/scripts/analyze-postgres.py +3058 -0
  120. package/skills/deploy-railway/scripts/analyze-redis.py +1090 -0
  121. package/skills/deploy-railway/scripts/dal.py +671 -0
  122. package/skills/deploy-railway/scripts/enable-pg-stats.py +170 -0
  123. package/skills/deploy-railway/scripts/pg-extensions.py +370 -0
  124. package/skills/deploy-railway/scripts/railway-api.sh +52 -0
  125. package/skills/deploy-ssh/SKILL.md +91 -0
  126. package/skills/deploy-vercel/SKILL.md +304 -0
  127. package/skills/deploy-vercel/resources/deploy-codex.sh +301 -0
  128. package/skills/deploy-vercel/resources/deploy.sh +301 -0
  129. package/skills/docs-runbooks/SKILL.md +399 -0
  130. package/skills/drive-status-renderer/SKILL.md +62 -0
  131. package/skills/iac-scan/SKILL.md +680 -0
  132. package/skills/iac-scan/assets/.gitkeep +9 -0
  133. package/skills/iac-scan/assets/checkov_config.yaml +94 -0
  134. package/skills/iac-scan/assets/github_actions.yml +199 -0
  135. package/skills/iac-scan/assets/gitlab_ci.yml +218 -0
  136. package/skills/iac-scan/assets/pre_commit_config.yaml +92 -0
  137. package/skills/iac-scan/references/EXAMPLE.md +40 -0
  138. package/skills/iac-scan/references/compliance_mapping.md +237 -0
  139. package/skills/iac-scan/references/custom_policies.md +460 -0
  140. package/skills/iac-scan/references/suppression_guide.md +431 -0
  141. package/skills/incident-briefing/SKILL.md +66 -0
  142. package/skills/incident-triage/SKILL.md +481 -0
  143. package/{LICENSE → skills/mcp-builder/LICENSE.txt} +15 -14
  144. package/skills/mcp-builder/SKILL.md +244 -0
  145. package/skills/mcp-builder/reference/evaluation.md +602 -0
  146. package/skills/mcp-builder/reference/mcp_best_practices.md +249 -0
  147. package/skills/mcp-builder/reference/node_mcp_server.md +970 -0
  148. package/skills/mcp-builder/reference/python_mcp_server.md +719 -0
  149. package/skills/mcp-builder/scripts/connections.py +151 -0
  150. package/skills/mcp-builder/scripts/evaluation.py +373 -0
  151. package/skills/mcp-builder/scripts/example_evaluation.xml +22 -0
  152. package/skills/mcp-builder/scripts/requirements.txt +2 -0
  153. package/skills/mobile-pairing/SKILL.md +52 -0
  154. package/skills/ops-sre/SKILL.md +297 -0
  155. package/skills/playwright-qa/LICENSE.txt +201 -0
  156. package/skills/playwright-qa/NOTICE.txt +14 -0
  157. package/skills/playwright-qa/SKILL.md +156 -0
  158. package/skills/playwright-qa/agents/openai.yaml +6 -0
  159. package/skills/playwright-qa/assets/playwright-small.svg +3 -0
  160. package/skills/playwright-qa/assets/playwright.png +0 -0
  161. package/skills/playwright-qa/references/cli.md +116 -0
  162. package/skills/playwright-qa/references/workflows.md +95 -0
  163. package/skills/playwright-qa/scripts/playwright_cli.sh +25 -0
  164. package/skills/release-publish/SKILL.md +85 -0
  165. package/skills/repo-bootstrap/SKILL.md +92 -0
  166. package/skills/repo-bootstrap/assets/example-workflows/validate-agents.yml +89 -0
  167. package/skills/repo-bootstrap/assets/root-thin.md +141 -0
  168. package/skills/repo-bootstrap/assets/root-verbose.md +149 -0
  169. package/skills/repo-bootstrap/assets/scoped/backend-go.md +107 -0
  170. package/skills/repo-bootstrap/assets/scoped/backend-php.md +94 -0
  171. package/skills/repo-bootstrap/assets/scoped/backend-python.md +84 -0
  172. package/skills/repo-bootstrap/assets/scoped/backend-typescript.md +89 -0
  173. package/skills/repo-bootstrap/assets/scoped/claude-code-skill.md +101 -0
  174. package/skills/repo-bootstrap/assets/scoped/cli.md +83 -0
  175. package/skills/repo-bootstrap/assets/scoped/concourse.md +196 -0
  176. package/skills/repo-bootstrap/assets/scoped/ddev.md +68 -0
  177. package/skills/repo-bootstrap/assets/scoped/docker.md +160 -0
  178. package/skills/repo-bootstrap/assets/scoped/documentation.md +98 -0
  179. package/skills/repo-bootstrap/assets/scoped/examples.md +96 -0
  180. package/skills/repo-bootstrap/assets/scoped/frontend-typescript.md +88 -0
  181. package/skills/repo-bootstrap/assets/scoped/github-actions.md +174 -0
  182. package/skills/repo-bootstrap/assets/scoped/gitlab-ci.md +174 -0
  183. package/skills/repo-bootstrap/assets/scoped/oro-bundle.md +209 -0
  184. package/skills/repo-bootstrap/assets/scoped/oro-project.md +170 -0
  185. package/skills/repo-bootstrap/assets/scoped/python-modern.md +170 -0
  186. package/skills/repo-bootstrap/assets/scoped/resources.md +96 -0
  187. package/skills/repo-bootstrap/assets/scoped/skill-repo.md +139 -0
  188. package/skills/repo-bootstrap/assets/scoped/symfony.md +168 -0
  189. package/skills/repo-bootstrap/assets/scoped/testing.md +87 -0
  190. package/skills/repo-bootstrap/assets/scoped/typo3-docs.md +103 -0
  191. package/skills/repo-bootstrap/assets/scoped/typo3-extension.md +133 -0
  192. package/skills/repo-bootstrap/assets/scoped/typo3-project.md +137 -0
  193. package/skills/repo-bootstrap/assets/scoped/typo3-testing.md +80 -0
  194. package/skills/repo-bootstrap/checkpoints.yaml +279 -0
  195. package/skills/repo-bootstrap/evals/evals.json +385 -0
  196. package/skills/repo-bootstrap/references/ai-contribution-guidelines.md +63 -0
  197. package/skills/repo-bootstrap/references/ai-tool-compatibility.md +223 -0
  198. package/skills/repo-bootstrap/references/directory-coverage.md +82 -0
  199. package/skills/repo-bootstrap/references/examples/coding-agent-cli/AGENTS.md +70 -0
  200. package/skills/repo-bootstrap/references/examples/coding-agent-cli/go.mod +3 -0
  201. package/skills/repo-bootstrap/references/examples/coding-agent-cli/scripts-AGENTS.md +389 -0
  202. package/skills/repo-bootstrap/references/examples/express-api-ts/.env.example +13 -0
  203. package/skills/repo-bootstrap/references/examples/express-api-ts/AGENTS.md +91 -0
  204. package/skills/repo-bootstrap/references/examples/express-api-ts/package.json +33 -0
  205. package/skills/repo-bootstrap/references/examples/express-api-ts/pnpm-lock.yaml +3 -0
  206. package/skills/repo-bootstrap/references/examples/express-api-ts/src/AGENTS.md +91 -0
  207. package/skills/repo-bootstrap/references/examples/express-api-ts/src/config.ts +28 -0
  208. package/skills/repo-bootstrap/references/examples/express-api-ts/src/controllers/userController.ts +74 -0
  209. package/skills/repo-bootstrap/references/examples/express-api-ts/src/index.ts +26 -0
  210. package/skills/repo-bootstrap/references/examples/express-api-ts/src/middleware/errorHandler.ts +45 -0
  211. package/skills/repo-bootstrap/references/examples/express-api-ts/src/middleware/requestLogger.ts +18 -0
  212. package/skills/repo-bootstrap/references/examples/express-api-ts/src/routes/health.ts +18 -0
  213. package/skills/repo-bootstrap/references/examples/express-api-ts/src/routes/users.ts +13 -0
  214. package/skills/repo-bootstrap/references/examples/express-api-ts/src/utils/errors.ts +40 -0
  215. package/skills/repo-bootstrap/references/examples/express-api-ts/src/utils/logger.ts +14 -0
  216. package/skills/repo-bootstrap/references/examples/express-api-ts/tsconfig.json +24 -0
  217. package/skills/repo-bootstrap/references/examples/fastapi-app/.env.example +19 -0
  218. package/skills/repo-bootstrap/references/examples/fastapi-app/AGENTS.md +92 -0
  219. package/skills/repo-bootstrap/references/examples/fastapi-app/pyproject.toml +88 -0
  220. package/skills/repo-bootstrap/references/examples/fastapi-app/src/AGENTS.md +85 -0
  221. package/skills/repo-bootstrap/references/examples/fastapi-app/src/__init__.py +3 -0
  222. package/skills/repo-bootstrap/references/examples/fastapi-app/src/config.py +49 -0
  223. package/skills/repo-bootstrap/references/examples/fastapi-app/src/main.py +66 -0
  224. package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/__init__.py +13 -0
  225. package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/item.py +43 -0
  226. package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/user.py +40 -0
  227. package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/__init__.py +5 -0
  228. package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/health.py +20 -0
  229. package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/items.py +61 -0
  230. package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/users.py +55 -0
  231. package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/__init__.py +6 -0
  232. package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/item_service.py +77 -0
  233. package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/user_service.py +69 -0
  234. package/skills/repo-bootstrap/references/examples/fastapi-app/uv.lock +4 -0
  235. package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/.scopes +3 -0
  236. package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/AGENTS.md +86 -0
  237. package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/admin/package.json +20 -0
  238. package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/admin/src/App.tsx +5 -0
  239. package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/cmd/api/main.go +7 -0
  240. package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/go.mod +2 -0
  241. package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/main.go +7 -0
  242. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/.scopes +3 -0
  243. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/AGENTS.md +89 -0
  244. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/go.mod +2 -0
  245. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/AGENTS.md +90 -0
  246. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/package.json +17 -0
  247. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/App.tsx +1 -0
  248. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Button.tsx +1 -0
  249. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Footer.tsx +1 -0
  250. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Header.tsx +1 -0
  251. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Sidebar.tsx +1 -0
  252. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/main.go +7 -0
  253. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/package-lock.json +0 -0
  254. package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/package.json +12 -0
  255. package/skills/repo-bootstrap/references/examples/ldap-selfservice/AGENTS.md +70 -0
  256. package/skills/repo-bootstrap/references/examples/ldap-selfservice/go.mod +3 -0
  257. package/skills/repo-bootstrap/references/examples/ldap-selfservice/internal-AGENTS.md +371 -0
  258. package/skills/repo-bootstrap/references/examples/ldap-selfservice/internal-web-AGENTS.md +448 -0
  259. package/skills/repo-bootstrap/references/examples/php-with-frontend/.scopes +3 -0
  260. package/skills/repo-bootstrap/references/examples/php-with-frontend/AGENTS.md +91 -0
  261. package/skills/repo-bootstrap/references/examples/php-with-frontend/composer.json +8 -0
  262. package/skills/repo-bootstrap/references/examples/php-with-frontend/package.json +15 -0
  263. package/skills/repo-bootstrap/references/examples/php-with-frontend/pnpm-lock.yaml +0 -0
  264. package/skills/repo-bootstrap/references/examples/php-with-frontend/src/Controller.php +3 -0
  265. package/skills/repo-bootstrap/references/examples/php-with-frontend/web/AGENTS.md +92 -0
  266. package/skills/repo-bootstrap/references/examples/php-with-frontend/web/package.json +26 -0
  267. package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/App.tsx +3 -0
  268. package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Button.tsx +10 -0
  269. package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Footer.tsx +9 -0
  270. package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Header.tsx +9 -0
  271. package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/main.tsx +3 -0
  272. package/skills/repo-bootstrap/references/examples/php-with-frontend/web/tsconfig.json +13 -0
  273. package/skills/repo-bootstrap/references/examples/pnpm-workspace/AGENTS.md +75 -0
  274. package/skills/repo-bootstrap/references/examples/pnpm-workspace/package.json +7 -0
  275. package/skills/repo-bootstrap/references/examples/pnpm-workspace/packages/web/package.json +11 -0
  276. package/skills/repo-bootstrap/references/examples/pnpm-workspace/packages/web/src/index.ts +11 -0
  277. package/skills/repo-bootstrap/references/examples/pnpm-workspace/pnpm-lock.yaml +42 -0
  278. package/skills/repo-bootstrap/references/examples/pnpm-workspace/pnpm-workspace.yaml +2 -0
  279. package/skills/repo-bootstrap/references/examples/simple-ldap-go/AGENTS.md +70 -0
  280. package/skills/repo-bootstrap/references/examples/simple-ldap-go/examples-AGENTS.md +45 -0
  281. package/skills/repo-bootstrap/references/examples/simple-ldap-go/go.mod +3 -0
  282. package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/AGENTS.md +70 -0
  283. package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/Classes-AGENTS.md +392 -0
  284. package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/composer.json +8 -0
  285. package/skills/repo-bootstrap/references/feedback-memory-schema.md +135 -0
  286. package/skills/repo-bootstrap/references/git-hooks-setup.md +79 -0
  287. package/skills/repo-bootstrap/references/output-structure.md +124 -0
  288. package/skills/repo-bootstrap/references/scripts-guide.md +175 -0
  289. package/skills/repo-bootstrap/references/verification-guide.md +137 -0
  290. package/skills/repo-bootstrap/scripts/analyze-git-history.sh +315 -0
  291. package/skills/repo-bootstrap/scripts/check-freshness.sh +230 -0
  292. package/skills/repo-bootstrap/scripts/detect-golden-samples.sh +161 -0
  293. package/skills/repo-bootstrap/scripts/detect-heuristics.sh +93 -0
  294. package/skills/repo-bootstrap/scripts/detect-project.sh +486 -0
  295. package/skills/repo-bootstrap/scripts/detect-scopes.sh +330 -0
  296. package/skills/repo-bootstrap/scripts/detect-utilities.sh +133 -0
  297. package/skills/repo-bootstrap/scripts/extract-adrs.sh +194 -0
  298. package/skills/repo-bootstrap/scripts/extract-agent-configs.sh +331 -0
  299. package/skills/repo-bootstrap/scripts/extract-architecture-rules.sh +522 -0
  300. package/skills/repo-bootstrap/scripts/extract-ci-commands.sh +385 -0
  301. package/skills/repo-bootstrap/scripts/extract-ci-rules.sh +384 -0
  302. package/skills/repo-bootstrap/scripts/extract-commands.sh +358 -0
  303. package/skills/repo-bootstrap/scripts/extract-documentation.sh +308 -0
  304. package/skills/repo-bootstrap/scripts/extract-github-rulesets.sh +96 -0
  305. package/skills/repo-bootstrap/scripts/extract-github-settings.sh +88 -0
  306. package/skills/repo-bootstrap/scripts/extract-ide-settings.sh +228 -0
  307. package/skills/repo-bootstrap/scripts/extract-platform-files.sh +290 -0
  308. package/skills/repo-bootstrap/scripts/extract-quality-configs.sh +442 -0
  309. package/skills/repo-bootstrap/scripts/generate-agents.sh +2424 -0
  310. package/skills/repo-bootstrap/scripts/generate-file-map.sh +153 -0
  311. package/skills/repo-bootstrap/scripts/lib/config-root.sh +211 -0
  312. package/skills/repo-bootstrap/scripts/lib/summary.sh +244 -0
  313. package/skills/repo-bootstrap/scripts/lib/template.sh +397 -0
  314. package/skills/repo-bootstrap/scripts/validate-structure.sh +324 -0
  315. package/skills/repo-bootstrap/scripts/verify-commands.sh +615 -0
  316. package/skills/repo-bootstrap/scripts/verify-content.sh +302 -0
  317. package/skills/schema-api-contracts/SKILL.md +56 -0
  318. package/skills/secret-hygiene/SKILL.md +511 -0
  319. package/skills/secret-hygiene/assets/.gitkeep +9 -0
  320. package/skills/secret-hygiene/assets/config-balanced.toml +81 -0
  321. package/skills/secret-hygiene/assets/config-custom.toml +178 -0
  322. package/skills/secret-hygiene/assets/config-strict.toml +48 -0
  323. package/skills/secret-hygiene/assets/github-action.yml +181 -0
  324. package/skills/secret-hygiene/assets/gitlab-ci.yml +257 -0
  325. package/skills/secret-hygiene/assets/precommit-config.yaml +70 -0
  326. package/skills/secret-hygiene/references/EXAMPLE.md +40 -0
  327. package/skills/secret-hygiene/references/compliance_mapping.md +538 -0
  328. package/skills/secret-hygiene/references/detection_rules.md +276 -0
  329. package/skills/secret-hygiene/references/false_positives.md +598 -0
  330. package/skills/secret-hygiene/references/remediation_guide.md +530 -0
  331. package/skills/stack-selector/SKILL.md +56 -0
  332. package/skills/telegram-control/SKILL.md +110 -0
  333. package/skills/telegram-control/references/architecture.md +184 -0
  334. package/skills/telegram-control/references/convex.md +173 -0
  335. package/skills/telegram-control/references/error_handling.md +212 -0
  336. package/skills/telegram-control/references/initial_setup.md +165 -0
  337. package/skills/telegram-control/references/telegram_api.md +156 -0
  338. package/skills/telegram-control/scripts/cancel_message.ts +53 -0
  339. package/skills/telegram-control/scripts/list_scheduled.ts +103 -0
  340. package/skills/telegram-control/scripts/logger.ts +121 -0
  341. package/skills/telegram-control/scripts/proxy-util.ts +11 -0
  342. package/skills/telegram-control/scripts/schedule_message.ts +216 -0
  343. package/skills/telegram-control/scripts/send_message.ts +115 -0
  344. package/skills/telegram-control/scripts/setup.ts +185 -0
  345. package/skills/telegram-control/scripts/types.ts +75 -0
  346. package/skills/telegram-control/scripts/view_history.ts +74 -0
  347. package/skills/test-strategy/SKILL.md +352 -0
  348. package/skills/threat-model/SKILL.md +303 -0
  349. package/skills/threat-model/examples/example-output.md +196 -0
  350. package/skills/threat-model/template.md +96 -0
  351. package/skills/ts-lint/SKILL.md +80 -0
  352. package/skills/ui-flow/SKILL.md +668 -0
  353. package/skills/voice-command-router/SKILL.md +51 -0
  354. package/skills/widget-live-activity-sync/SKILL.md +66 -0
@@ -0,0 +1,282 @@
1
+ # Bad Examples -- Common LLM Anti-Patterns
2
+
3
+ > These are manifests that LLMs frequently generate. Each one compiles and appears
4
+ > valid but has serious issues in production. Study the annotations to understand
5
+ > what is wrong and why.
6
+
7
+ ---
8
+
9
+ ## 1. Deployment Running as Root with No Security Context
10
+
11
+ ```yaml
12
+ # BAD -- DO NOT USE
13
+ apiVersion: apps/v1
14
+ kind: Deployment
15
+ metadata:
16
+ name: my-app
17
+ spec:
18
+ replicas: 1
19
+ selector:
20
+ matchLabels:
21
+ app: my-app
22
+ template:
23
+ metadata:
24
+ labels:
25
+ app: my-app
26
+ spec:
27
+ containers:
28
+ - name: my-app
29
+ image: my-app:latest
30
+ ports:
31
+ - containerPort: 8080
32
+ ```
33
+
34
+ **What is wrong:**
35
+ - No `securityContext` at pod or container level -- container runs as root by default.
36
+ - Missing `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`.
37
+ - Missing `capabilities.drop: ["ALL"]` -- container retains all Linux capabilities.
38
+ - No `seccompProfile` -- fails PSS restricted profile.
39
+ - No resource requests or limits -- can consume unbounded node resources.
40
+ - No probes -- Kubernetes cannot detect if the app is healthy or ready.
41
+ - No standard `app.kubernetes.io/*` labels.
42
+ - Uses `:latest` tag (see anti-pattern 5).
43
+
44
+ ## 2. Service with Selector That Matches No Pods
45
+
46
+ ```yaml
47
+ # BAD -- DO NOT USE
48
+ apiVersion: apps/v1
49
+ kind: Deployment
50
+ metadata:
51
+ name: web-frontend
52
+ spec:
53
+ selector:
54
+ matchLabels:
55
+ app: web-frontend
56
+ template:
57
+ metadata:
58
+ labels:
59
+ app: web-frontend
60
+ version: v2
61
+ spec:
62
+ containers:
63
+ - name: web
64
+ image: ghcr.io/org/web:v2.0.0
65
+ ---
66
+ apiVersion: v1
67
+ kind: Service
68
+ metadata:
69
+ name: web-frontend
70
+ spec:
71
+ selector:
72
+ app: web-frontend
73
+ version: v1 # <-- MISMATCH: pods have version: v2
74
+ ports:
75
+ - port: 80
76
+ targetPort: 8080
77
+ ```
78
+
79
+ **What is wrong:**
80
+ - Service selector includes `version: v1` but pods have `version: v2`.
81
+ - Kubernetes does not warn about selector mismatches -- the Service silently has zero endpoints.
82
+ - This is a frequent LLM mistake when updating version labels on the Deployment without updating the Service.
83
+ - Debug with `kubectl get endpoints web-frontend` -- it will show an empty subset.
84
+
85
+ ## 3. ClusterRoleBinding with cluster-admin for a Single-Namespace App
86
+
87
+ ```yaml
88
+ # BAD -- DO NOT USE
89
+ apiVersion: v1
90
+ kind: ServiceAccount
91
+ metadata:
92
+ name: my-app
93
+ namespace: my-app
94
+ ---
95
+ apiVersion: rbac.authorization.k8s.io/v1
96
+ kind: ClusterRoleBinding
97
+ metadata:
98
+ name: my-app-admin
99
+ subjects:
100
+ - kind: ServiceAccount
101
+ name: my-app
102
+ namespace: my-app
103
+ roleRef:
104
+ kind: ClusterRole
105
+ name: cluster-admin
106
+ apiGroup: rbac.authorization.k8s.io
107
+ ```
108
+
109
+ **What is wrong:**
110
+ - `cluster-admin` grants unrestricted access to the entire cluster: every namespace, every resource, every verb.
111
+ - A single-namespace application needs only a namespace-scoped Role with specific verbs.
112
+ - If this service account token is compromised, the attacker owns the entire cluster.
113
+ - Use a namespace-scoped `Role` + `RoleBinding` with only the specific API groups, resources, and verbs needed.
114
+
115
+ ## 4. Liveness Probe Checking External Database
116
+
117
+ ```yaml
118
+ # BAD -- DO NOT USE
119
+ apiVersion: apps/v1
120
+ kind: Deployment
121
+ metadata:
122
+ name: api-server
123
+ spec:
124
+ selector:
125
+ matchLabels:
126
+ app: api-server
127
+ template:
128
+ metadata:
129
+ labels:
130
+ app: api-server
131
+ spec:
132
+ containers:
133
+ - name: api
134
+ image: ghcr.io/org/api:v1.0.0
135
+ livenessProbe:
136
+ exec:
137
+ command:
138
+ - /bin/sh
139
+ - -c
140
+ - "pg_isready -h postgres.db.svc -p 5432"
141
+ periodSeconds: 10
142
+ failureThreshold: 3
143
+ ```
144
+
145
+ **What is wrong:**
146
+ - Liveness probe depends on an external database. If the database is briefly unavailable, Kubernetes kills all API pods.
147
+ - This causes cascading failure: database blip -> all pods restart -> thundering herd reconnects -> database overloaded further.
148
+ - Liveness probes must check only the process's own health (e.g., `/healthz` that returns 200 if the HTTP server is responsive).
149
+ - Use readiness probes (not liveness) to check dependency connectivity, so the pod is removed from Service endpoints but not killed.
150
+
151
+ ## 5. Deployment with :latest Tag and No imagePullPolicy
152
+
153
+ ```yaml
154
+ # BAD -- DO NOT USE
155
+ apiVersion: apps/v1
156
+ kind: Deployment
157
+ metadata:
158
+ name: worker
159
+ spec:
160
+ replicas: 3
161
+ selector:
162
+ matchLabels:
163
+ app: worker
164
+ template:
165
+ metadata:
166
+ labels:
167
+ app: worker
168
+ spec:
169
+ containers:
170
+ - name: worker
171
+ image: org/worker:latest
172
+ ```
173
+
174
+ **What is wrong:**
175
+ - `:latest` is a mutable tag. Different nodes may pull different versions, causing inconsistent behavior across replicas.
176
+ - When `imagePullPolicy` is not set and the tag is `:latest`, Kubernetes defaults to `Always`. But if the tag is anything else, it defaults to `IfNotPresent`.
177
+ - Rollbacks are impossible because every revision points to `:latest`.
178
+ - No way to audit which exact image is running.
179
+ - Use immutable tags (`v1.2.3`) or digests (`@sha256:abc...`). Set `imagePullPolicy: IfNotPresent` with immutable tags.
180
+
181
+ ## 6. Ingress Using Removed API Version
182
+
183
+ ```yaml
184
+ # BAD -- DO NOT USE
185
+ apiVersion: extensions/v1beta1
186
+ kind: Ingress
187
+ metadata:
188
+ name: app-ingress
189
+ annotations:
190
+ kubernetes.io/ingress.class: nginx
191
+ spec:
192
+ rules:
193
+ - host: app.example.com
194
+ http:
195
+ paths:
196
+ - path: /
197
+ backend:
198
+ serviceName: frontend
199
+ servicePort: 80
200
+ ```
201
+
202
+ **What is wrong:**
203
+ - `extensions/v1beta1` Ingress was removed in Kubernetes 1.22. This manifest fails on any modern cluster.
204
+ - The `kubernetes.io/ingress.class` annotation is deprecated; use `spec.ingressClassName: nginx`.
205
+ - The backend syntax (`serviceName`/`servicePort`) is the old format. The `networking.k8s.io/v1` API uses `service.name` and `service.port.number`.
206
+ - Missing `pathType` field, which is required in `networking.k8s.io/v1`.
207
+ - LLMs frequently generate this because training data contains many examples of the old API.
208
+
209
+ ## 7. Secret Data in a ConfigMap
210
+
211
+ ```yaml
212
+ # BAD -- DO NOT USE
213
+ apiVersion: v1
214
+ kind: ConfigMap
215
+ metadata:
216
+ name: app-config
217
+ namespace: my-app
218
+ data:
219
+ DATABASE_URL: "postgres://admin:s3cretP@ssw0rd@postgres:5432/mydb"
220
+ API_KEY: "sk-live-abc123def456"
221
+ AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
222
+ config.yaml: |
223
+ smtp:
224
+ username: noreply@company.com
225
+ password: emailP@ss123
226
+ ```
227
+
228
+ **What is wrong:**
229
+ - ConfigMaps are stored unencrypted in etcd and are readable by anyone with `get` access to the namespace.
230
+ - ConfigMap data appears in plain text in `kubectl describe`, in logs, and in version control if committed.
231
+ - Credentials, API keys, and passwords must be in Secrets (which are at least base64-encoded and can be encrypted at rest).
232
+ - Better: use ExternalSecrets or Sealed Secrets so credentials never appear in manifests at all.
233
+ - Connection strings with embedded passwords are especially dangerous because they are easily overlooked in review.
234
+
235
+ ## 8. PVC with ReadWriteMany on an Unsupported Provider
236
+
237
+ ```yaml
238
+ # BAD -- DO NOT USE
239
+ apiVersion: v1
240
+ kind: PersistentVolumeClaim
241
+ metadata:
242
+ name: shared-data
243
+ spec:
244
+ accessModes:
245
+ - ReadWriteMany
246
+ storageClassName: gp3
247
+ resources:
248
+ requests:
249
+ storage: 50Gi
250
+ ---
251
+ apiVersion: apps/v1
252
+ kind: Deployment
253
+ metadata:
254
+ name: workers
255
+ spec:
256
+ replicas: 5
257
+ selector:
258
+ matchLabels:
259
+ app: workers
260
+ template:
261
+ metadata:
262
+ labels:
263
+ app: workers
264
+ spec:
265
+ containers:
266
+ - name: worker
267
+ image: ghcr.io/org/worker:v1.0.0
268
+ volumeMounts:
269
+ - name: shared
270
+ mountPath: /data
271
+ volumes:
272
+ - name: shared
273
+ persistentVolumeClaim:
274
+ claimName: shared-data
275
+ ```
276
+
277
+ **What is wrong:**
278
+ - `gp3` (AWS EBS) does not support `ReadWriteMany`. The PVC will be stuck in `Pending` state with no clear error in pod events.
279
+ - EBS volumes are `ReadWriteOnce` only -- they can be attached to a single node.
280
+ - For RWX access, use EFS (`efs-sc`), NFS, or a distributed storage solution like Longhorn or Rook-Ceph.
281
+ - LLMs frequently pair `ReadWriteMany` with block storage classes because they do not track provider-specific storage capabilities.
282
+ - If only one pod needs write access, use `ReadWriteOnce` and a StatefulSet instead of a Deployment.
@@ -0,0 +1,440 @@
1
+ # Good Examples -- Production-Ready Patterns
2
+
3
+ > Annotated production-ready Kubernetes manifests. Every example follows the PSS
4
+ > "restricted" profile, includes proper labels, and sets explicit resource
5
+ > constraints.
6
+
7
+ ---
8
+
9
+ ## 1. Minimal Production Deployment
10
+
11
+ Full security context, resource bounds, probes, topology spread, and standard labels.
12
+
13
+ ```yaml
14
+ apiVersion: apps/v1
15
+ kind: Deployment
16
+ metadata:
17
+ name: api-server
18
+ labels:
19
+ app.kubernetes.io/name: api-server
20
+ app.kubernetes.io/version: "1.4.2"
21
+ app.kubernetes.io/component: backend
22
+ app.kubernetes.io/managed-by: kubectl
23
+ spec:
24
+ replicas: 3
25
+ revisionHistoryLimit: 5
26
+ selector:
27
+ matchLabels:
28
+ app.kubernetes.io/name: api-server
29
+ template:
30
+ metadata:
31
+ labels:
32
+ app.kubernetes.io/name: api-server
33
+ app.kubernetes.io/version: "1.4.2"
34
+ spec:
35
+ automountServiceAccountToken: false
36
+ securityContext:
37
+ runAsNonRoot: true
38
+ runAsUser: 65534
39
+ runAsGroup: 65534
40
+ fsGroup: 65534
41
+ seccompProfile:
42
+ type: RuntimeDefault
43
+ topologySpreadConstraints:
44
+ - maxSkew: 1
45
+ topologyKey: kubernetes.io/hostname
46
+ whenUnsatisfiable: DoNotSchedule
47
+ labelSelector:
48
+ matchLabels:
49
+ app.kubernetes.io/name: api-server
50
+ containers:
51
+ - name: api-server
52
+ image: ghcr.io/org/api-server:v1.4.2
53
+ imagePullPolicy: IfNotPresent
54
+ ports:
55
+ - name: http
56
+ containerPort: 8080
57
+ protocol: TCP
58
+ securityContext:
59
+ allowPrivilegeEscalation: false
60
+ readOnlyRootFilesystem: true
61
+ capabilities:
62
+ drop: ["ALL"]
63
+ resources:
64
+ requests:
65
+ cpu: 100m
66
+ memory: 128Mi
67
+ limits:
68
+ memory: 256Mi
69
+ livenessProbe:
70
+ httpGet:
71
+ path: /healthz
72
+ port: http
73
+ initialDelaySeconds: 10
74
+ periodSeconds: 15
75
+ failureThreshold: 3
76
+ readinessProbe:
77
+ httpGet:
78
+ path: /readyz
79
+ port: http
80
+ initialDelaySeconds: 5
81
+ periodSeconds: 5
82
+ volumeMounts:
83
+ - name: tmp
84
+ mountPath: /tmp
85
+ volumes:
86
+ - name: tmp
87
+ emptyDir: {}
88
+ ```
89
+
90
+ Key points: readOnlyRootFilesystem requires a writable `/tmp` via emptyDir. Both pod-level and container-level securityContext are set. Topology spread prevents all replicas landing on one node.
91
+
92
+ ## 2. Default-Deny NetworkPolicy
93
+
94
+ Block all traffic first, then allow only what is needed.
95
+
96
+ ```yaml
97
+ apiVersion: networking.k8s.io/v1
98
+ kind: NetworkPolicy
99
+ metadata:
100
+ name: default-deny-all
101
+ namespace: my-app
102
+ spec:
103
+ podSelector: {}
104
+ policyTypes:
105
+ - Ingress
106
+ - Egress
107
+ ---
108
+ apiVersion: networking.k8s.io/v1
109
+ kind: NetworkPolicy
110
+ metadata:
111
+ name: allow-api-traffic
112
+ namespace: my-app
113
+ spec:
114
+ podSelector:
115
+ matchLabels:
116
+ app.kubernetes.io/name: api-server
117
+ policyTypes:
118
+ - Ingress
119
+ - Egress
120
+ ingress:
121
+ - from:
122
+ - namespaceSelector:
123
+ matchLabels:
124
+ kubernetes.io/metadata.name: ingress-nginx
125
+ podSelector:
126
+ matchLabels:
127
+ app.kubernetes.io/name: ingress-nginx-controller
128
+ ports:
129
+ - protocol: TCP
130
+ port: 8080
131
+ egress:
132
+ - to:
133
+ - podSelector:
134
+ matchLabels:
135
+ app.kubernetes.io/name: postgres
136
+ ports:
137
+ - protocol: TCP
138
+ port: 5432
139
+ - to: # DNS
140
+ - namespaceSelector: {}
141
+ podSelector:
142
+ matchLabels:
143
+ k8s-app: kube-dns
144
+ ports:
145
+ - protocol: UDP
146
+ port: 53
147
+ - protocol: TCP
148
+ port: 53
149
+ ```
150
+
151
+ Key points: default-deny with empty `podSelector` applies to every pod in the namespace. Always allow DNS egress or name resolution breaks. Combine `namespaceSelector` and `podSelector` to be specific.
152
+
153
+ ## 3. Scoped RBAC for CI Deployer
154
+
155
+ Minimal permissions for a CI pipeline that deploys to a single namespace.
156
+
157
+ ```yaml
158
+ apiVersion: v1
159
+ kind: ServiceAccount
160
+ metadata:
161
+ name: ci-deployer
162
+ namespace: my-app
163
+ ---
164
+ apiVersion: rbac.authorization.k8s.io/v1
165
+ kind: Role
166
+ metadata:
167
+ name: ci-deployer
168
+ namespace: my-app
169
+ rules:
170
+ - apiGroups: ["apps"]
171
+ resources: ["deployments"]
172
+ verbs: ["get", "list", "watch", "patch", "update"]
173
+ - apiGroups: [""]
174
+ resources: ["configmaps", "secrets"]
175
+ verbs: ["get", "list", "create", "update", "patch"]
176
+ - apiGroups: [""]
177
+ resources: ["services"]
178
+ verbs: ["get", "list"]
179
+ ---
180
+ apiVersion: rbac.authorization.k8s.io/v1
181
+ kind: RoleBinding
182
+ metadata:
183
+ name: ci-deployer
184
+ namespace: my-app
185
+ subjects:
186
+ - kind: ServiceAccount
187
+ name: ci-deployer
188
+ namespace: my-app
189
+ roleRef:
190
+ kind: Role
191
+ name: ci-deployer
192
+ apiGroup: rbac.authorization.k8s.io
193
+ ```
194
+
195
+ Key points: namespace-scoped Role, not ClusterRole. Only the verbs needed for deployment. No `delete` verb unless the pipeline needs it.
196
+
197
+ ## 4. CronJob with Lifecycle Controls
198
+
199
+ Proper concurrency policy, deadline, history limits, and backoff.
200
+
201
+ ```yaml
202
+ apiVersion: batch/v1
203
+ kind: CronJob
204
+ metadata:
205
+ name: db-backup
206
+ labels:
207
+ app.kubernetes.io/name: db-backup
208
+ app.kubernetes.io/component: maintenance
209
+ spec:
210
+ schedule: "30 2 * * *"
211
+ timeZone: "UTC"
212
+ concurrencyPolicy: Forbid
213
+ startingDeadlineSeconds: 300
214
+ successfulJobsHistoryLimit: 3
215
+ failedJobsHistoryLimit: 5
216
+ jobTemplate:
217
+ spec:
218
+ backoffLimit: 2
219
+ activeDeadlineSeconds: 3600
220
+ ttlSecondsAfterFinished: 86400
221
+ template:
222
+ spec:
223
+ restartPolicy: Never
224
+ automountServiceAccountToken: false
225
+ securityContext:
226
+ runAsNonRoot: true
227
+ runAsUser: 65534
228
+ seccompProfile:
229
+ type: RuntimeDefault
230
+ containers:
231
+ - name: backup
232
+ image: ghcr.io/org/db-backup:v2.0.1
233
+ imagePullPolicy: IfNotPresent
234
+ securityContext:
235
+ allowPrivilegeEscalation: false
236
+ readOnlyRootFilesystem: true
237
+ capabilities:
238
+ drop: ["ALL"]
239
+ resources:
240
+ requests:
241
+ cpu: 250m
242
+ memory: 256Mi
243
+ limits:
244
+ memory: 512Mi
245
+ env:
246
+ - name: DB_HOST
247
+ value: "postgres.my-app.svc"
248
+ - name: DB_PASSWORD
249
+ valueFrom:
250
+ secretKeyRef:
251
+ name: db-credentials
252
+ key: password
253
+ ```
254
+
255
+ Key points: `concurrencyPolicy: Forbid` prevents overlapping runs. `startingDeadlineSeconds` skips if the schedule window is missed. `activeDeadlineSeconds` kills jobs that hang. `ttlSecondsAfterFinished` auto-cleans completed pods.
256
+
257
+ ## 5. Ingress with TLS and Path-Based Routing
258
+
259
+ ```yaml
260
+ apiVersion: networking.k8s.io/v1
261
+ kind: Ingress
262
+ metadata:
263
+ name: app-ingress
264
+ annotations:
265
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
266
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
267
+ spec:
268
+ ingressClassName: nginx
269
+ tls:
270
+ - hosts:
271
+ - app.example.com
272
+ secretName: app-tls-cert
273
+ rules:
274
+ - host: app.example.com
275
+ http:
276
+ paths:
277
+ - path: /api
278
+ pathType: Prefix
279
+ backend:
280
+ service:
281
+ name: api-server
282
+ port:
283
+ number: 8080
284
+ - path: /
285
+ pathType: Prefix
286
+ backend:
287
+ service:
288
+ name: frontend
289
+ port:
290
+ number: 3000
291
+ ```
292
+
293
+ Key points: uses `networking.k8s.io/v1` (not the removed beta). `ingressClassName` replaces the deprecated `kubernetes.io/ingress.class` annotation. TLS secret must exist in the same namespace. More specific paths listed first.
294
+
295
+ ## 6. HPA with Scale-Down Stabilization
296
+
297
+ ```yaml
298
+ apiVersion: autoscaling/v2
299
+ kind: HorizontalPodAutoscaler
300
+ metadata:
301
+ name: api-server
302
+ spec:
303
+ scaleTargetRef:
304
+ apiVersion: apps/v1
305
+ kind: Deployment
306
+ name: api-server
307
+ minReplicas: 3
308
+ maxReplicas: 20
309
+ behavior:
310
+ scaleDown:
311
+ stabilizationWindowSeconds: 300
312
+ policies:
313
+ - type: Percent
314
+ value: 25
315
+ periodSeconds: 60
316
+ scaleUp:
317
+ stabilizationWindowSeconds: 0
318
+ policies:
319
+ - type: Percent
320
+ value: 100
321
+ periodSeconds: 30
322
+ - type: Pods
323
+ value: 4
324
+ periodSeconds: 30
325
+ selectPolicy: Max
326
+ metrics:
327
+ - type: Resource
328
+ resource:
329
+ name: cpu
330
+ target:
331
+ type: Utilization
332
+ averageUtilization: 70
333
+ - type: Resource
334
+ resource:
335
+ name: memory
336
+ target:
337
+ type: Utilization
338
+ averageUtilization: 80
339
+ ```
340
+
341
+ Key points: `scaleDown.stabilizationWindowSeconds: 300` prevents flapping. Scale-down limited to 25% per minute. Scale-up is aggressive with no stabilization. `autoscaling/v2` gives access to behavior configuration.
342
+
343
+ ## 7. Namespace with Quota, LimitRange, and PSA Labels
344
+
345
+ ```yaml
346
+ apiVersion: v1
347
+ kind: Namespace
348
+ metadata:
349
+ name: my-app
350
+ labels:
351
+ pod-security.kubernetes.io/enforce: restricted
352
+ pod-security.kubernetes.io/audit: restricted
353
+ pod-security.kubernetes.io/warn: restricted
354
+ ---
355
+ apiVersion: v1
356
+ kind: ResourceQuota
357
+ metadata:
358
+ name: compute-quota
359
+ namespace: my-app
360
+ spec:
361
+ hard:
362
+ requests.cpu: "4"
363
+ requests.memory: 8Gi
364
+ limits.cpu: "8"
365
+ limits.memory: 16Gi
366
+ pods: "20"
367
+ services: "10"
368
+ persistentvolumeclaims: "5"
369
+ ---
370
+ apiVersion: v1
371
+ kind: LimitRange
372
+ metadata:
373
+ name: default-limits
374
+ namespace: my-app
375
+ spec:
376
+ limits:
377
+ - type: Container
378
+ default:
379
+ cpu: 200m
380
+ memory: 256Mi
381
+ defaultRequest:
382
+ cpu: 50m
383
+ memory: 64Mi
384
+ max:
385
+ cpu: "2"
386
+ memory: 4Gi
387
+ min:
388
+ cpu: 10m
389
+ memory: 16Mi
390
+ ```
391
+
392
+ Key points: PSA labels enforce the restricted profile at the namespace level. ResourceQuota caps total resource consumption. LimitRange provides defaults for containers that omit resource specs and prevents unreasonable single-container requests.
393
+
394
+ ## 8. ExternalSecret for Vault Integration
395
+
396
+ ```yaml
397
+ apiVersion: external-secrets.io/v1beta1
398
+ kind: SecretStore
399
+ metadata:
400
+ name: vault-backend
401
+ namespace: my-app
402
+ spec:
403
+ provider:
404
+ vault:
405
+ server: "https://vault.internal:8200"
406
+ path: "secret"
407
+ version: "v2"
408
+ auth:
409
+ kubernetes:
410
+ mountPath: "kubernetes"
411
+ role: "my-app"
412
+ serviceAccountRef:
413
+ name: my-app
414
+ ---
415
+ apiVersion: external-secrets.io/v1beta1
416
+ kind: ExternalSecret
417
+ metadata:
418
+ name: app-secrets
419
+ namespace: my-app
420
+ spec:
421
+ refreshInterval: 1h
422
+ secretStoreRef:
423
+ name: vault-backend
424
+ kind: SecretStore
425
+ target:
426
+ name: app-secrets
427
+ creationPolicy: Owner
428
+ deletionPolicy: Retain
429
+ data:
430
+ - secretKey: db-password
431
+ remoteRef:
432
+ key: my-app/database
433
+ property: password
434
+ - secretKey: api-key
435
+ remoteRef:
436
+ key: my-app/external-api
437
+ property: key
438
+ ```
439
+
440
+ Key points: SecretStore is namespace-scoped (use ClusterSecretStore only when multiple namespaces share the same Vault path). `refreshInterval` controls sync frequency. `deletionPolicy: Retain` keeps the Kubernetes Secret if the ExternalSecret is deleted, preventing accidental data loss.