aigent-team 0.1.0

package/templates/teams/devops/references/review-checklist.md

@@ -0,0 +1,149 @@
+# DevOps Review Checklist
+
+Use this checklist when reviewing infrastructure, deployment, and platform
+changes. Not every item applies to every PR — use judgment, but default to
+checking rather than skipping.
+
+---
+
+## Infrastructure as Code
+
+- [ ] Changes are in Terraform/Pulumi/CDK — no ClickOps.
+- [ ] `terraform plan` output attached to PR.
+- [ ] No resources being destroyed unexpectedly (check plan for `destroy`).
+- [ ] State is remote with locking enabled.
+- [ ] Module versions pinned (no `ref=main`).
+- [ ] Provider versions pinned with pessimistic constraint (`~>`).
+- [ ] All resources tagged: Environment, Team, Service, ManagedBy, CostCenter.
+- [ ] Resource naming follows convention (`{company}-{env}-{region}-{service}-{type}`).
+- [ ] No hardcoded values — uses variables with descriptions and types.
+- [ ] Sensitive values marked with `sensitive = true`.
+- [ ] `lifecycle { prevent_destroy = true }` on critical resources (databases, S3).
+- [ ] Outputs have descriptions.
+- [ ] No `depends_on` unless absolutely necessary (prefer implicit).
+
+---
+
+## Docker
+
+- [ ] Base image pinned to specific version (no `:latest`).
+- [ ] Multi-stage build separates build and runtime.
+- [ ] Final image uses slim or distroless base.
+- [ ] Runs as non-root user (`USER` directive or K8s securityContext).
+- [ ] No secrets in image (no `COPY .env`, no secrets in `ARG`/`ENV`).
+- [ ] `.dockerignore` present and comprehensive.
+- [ ] Layer order optimized (deps before source code).
+- [ ] `HEALTHCHECK` defined (or deferred to K8s probes).
+- [ ] Image size within targets (Go < 30MB, Node < 150MB, Python < 200MB).
+- [ ] Scanned with Trivy — no CRITICAL or HIGH vulnerabilities.
+- [ ] BuildKit enabled (`DOCKER_BUILDKIT=1`).
+
+---
+
+## Kubernetes
+
+- [ ] Resource requests AND limits set on every container.
+- [ ] Liveness and readiness probes defined.
+- [ ] Startup probe added for slow-starting apps.
+- [ ] Minimum 2 replicas for production deployments.
+- [ ] PodDisruptionBudget defined for 2+ replica deployments.
+- [ ] Security context set:
+  - [ ] `runAsNonRoot: true`
+  - [ ] `readOnlyRootFilesystem: true`
+  - [ ] `allowPrivilegeEscalation: false`
+  - [ ] `capabilities.drop: ["ALL"]`
+- [ ] Image uses immutable tag (git SHA or semver), not `:latest`.
+- [ ] `imagePullPolicy` matches tag type (IfNotPresent for SHA/semver).
+- [ ] Secrets sourced from ExternalSecrets/Vault, not inline K8s Secrets.
+- [ ] NetworkPolicy exists for the namespace (default-deny + explicit allows).
+- [ ] Service account created (not using `default`).
+- [ ] TopologySpreadConstraints or pod anti-affinity for zone distribution.
+- [ ] Prometheus scrape annotations present (if metrics endpoint exists).
+- [ ] No `hostNetwork`, `hostPID`, `hostIPC`, `privileged` unless justified.
+
+---
+
+## CI/CD
+
+- [ ] Pipeline runs lint, test, build, scan, deploy in order.
+- [ ] Full pipeline completes in < 15 minutes.
+- [ ] Dependencies cached (lockfile-based cache key).
+- [ ] Docker build uses layer caching (BuildKit GHA cache or equivalent).
+- [ ] Images tagged with git SHA (immutable).
+- [ ] Image scanned before push to registry.
+- [ ] Branch protection enforced (PR required, status checks, no force push).
+- [ ] CI actions pinned to SHA, not tag.
+- [ ] Secrets injected via CI secrets manager, not in pipeline files.
+- [ ] Production deploy requires approval gate.
+- [ ] Rollback mechanism documented and tested.
+- [ ] Same image deployed across all environments (only config differs).
+- [ ] No `--force` or `--skip-tests` flags in pipeline.
+
+---
+
+## Monitoring and Observability
+
+- [ ] Golden signals dashboard exists (latency, traffic, errors, saturation).
+- [ ] Dashboard definition stored in Git.
+- [ ] Prometheus metrics endpoint exposed (`/metrics`).
+- [ ] Alert rules defined for error rate and latency SLOs.
+- [ ] Every alert has a severity label (P1-P4).
+- [ ] Every alert links to a runbook.
+- [ ] Logs are structured JSON with trace_id.
+- [ ] No PII or secrets in logs.
+- [ ] Log retention configured (not infinite).
+- [ ] Traces instrumented at service boundaries.
+- [ ] SLO defined and error budget tracked.
+
+---
+
+## Security
+
+- [ ] Service has its own IAM role/service account (not shared).
+- [ ] IAM permissions follow least privilege (no wildcards in prod).
+- [ ] No secrets in git, environment variables in manifests, or Docker images.
+- [ ] Secrets sourced from Vault/SM with rotation schedule.
+- [ ] Network access restricted (security groups reference SG IDs, not `0.0.0.0/0`).
+- [ ] TLS termination configured (no plaintext in transit).
+- [ ] Image signed and signature verified on admission.
+- [ ] Dependency versions pinned (lockfiles committed).
+- [ ] SAST and secrets scanning enabled in CI.
+- [ ] Audit logging enabled for sensitive operations.
+- [ ] K8s RBAC configured (no cluster-admin for workloads).
+
+---
+
+## Disaster Recovery
+
+- [ ] DR tier assigned and documented.
+- [ ] Backup schedule meets RPO for assigned tier.
+- [ ] Backup restore tested within the last 30 days.
+- [ ] Failover procedure documented in runbook.
+- [ ] Failover tested within the last 90 days.
+- [ ] Recovery can be performed by any on-call engineer (not just the author).
+- [ ] Critical data has cross-region replication.
+- [ ] etcd / cluster state backed up.
+
+---
+
+## Cost
+
+- [ ] All resources tagged for cost tracking.
+- [ ] Instance/pod sizing justified (not over-provisioned).
+- [ ] Storage lifecycle policies configured.
+- [ ] VPC endpoints used for AWS service access (avoid NAT costs).
+- [ ] Spot/preemptible used for non-critical workloads.
+- [ ] Budget alerts configured for the team/service.
+- [ ] No idle resources (unattached volumes, unused EIPs, stopped instances).
+- [ ] Estimated monthly cost included in PR for new infrastructure.
+
+---
+
+## General
+
+- [ ] Change is reversible (can roll back without data loss).
+- [ ] Change has been tested in staging/dev first.
+- [ ] Documentation updated (runbooks, architecture diagrams, service catalog).
+- [ ] Affected teams notified (if cross-cutting change).
+- [ ] On-call team aware of the change timing.
+- [ ] Change window appropriate (not Friday afternoon, not during peak).

package/templates/teams/devops/references/security.md

@@ -0,0 +1,225 @@
+# Security Reference
+
+## Least Privilege IAM
+
+### Principles
+
+- Every service gets its own IAM role/service account. No shared credentials.
+- Grant minimum permissions required. Start with zero, add as needed.
+- Use condition-based policies (source IP, time, MFA) for sensitive operations.
+- No wildcard (`*`) actions or resources in production policies.
+- Review IAM policies quarterly; remove unused permissions.
+
+### IAM Pattern (AWS Example)
+
+```hcl
+# Per-service role with scoped permissions
+resource "aws_iam_role" "user_api" {
+  name               = "${local.name_prefix}-user-api"
+  assume_role_policy = data.aws_iam_policy_document.eks_assume.json
+}
+
+resource "aws_iam_policy" "user_api" {
+  name = "${local.name_prefix}-user-api"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = ["s3:GetObject", "s3:PutObject"]
+        Resource = "arn:aws:s3:::${var.bucket_name}/user-uploads/*"
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["secretsmanager:GetSecretValue"]
+        Resource = "arn:aws:secretsmanager:*:*:secret:user-api/*"
+      }
+    ]
+  })
+}
+```
+
+### Service Account Mapping (Kubernetes)
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: user-api
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::123456789:role/user-api
+    # GKE: iam.gke.io/gcp-service-account: user-api@project.iam.gserviceaccount.com
+```
+
+### Human Access
+
+- Use SSO (Okta, Azure AD) for all human access. No local IAM users.
+- Require MFA for console and CLI access.
+- Break-glass accounts stored in physical safe or sealed-secret system.
+- Admin access via just-in-time (JIT) elevation, not permanent grants.
+- All access changes require PR review.
+
+---
+
+## Network Security
+
+### VPC Design
+
+```
+VPC (10.0.0.0/16)
+├── Public Subnets (10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20)
+│   └── Load Balancers, NAT Gateways, Bastion (if needed)
+├── Private Subnets (10.0.48.0/20, 10.0.64.0/20, 10.0.80.0/20)
+│   └── Application workloads (EKS nodes, EC2, ECS)
+└── Data Subnets (10.0.96.0/20, 10.0.112.0/20, 10.0.128.0/20)
+    └── Databases, caches, message brokers
+```
+
+### Rules
+
+- **Three availability zones minimum** for production.
+- Application workloads in private subnets only.
+- Databases in data subnets with no internet route.
+- Egress via NAT Gateway (or VPC endpoints for AWS services).
+- No SSH/RDP to production instances — use SSM Session Manager or
+  `kubectl exec` (with audit logging).
+
+### Security Groups / Firewall Rules
+
+- Default: deny all inbound, deny all outbound.
+- Allow only required ports between specific security groups.
+- Reference security groups by ID, not CIDR (self-documenting, auto-updating).
+- No `0.0.0.0/0` inbound rules except on load balancers (ports 80/443 only).
+- Document every security group rule with a description.
+
+```hcl
+resource "aws_security_group_rule" "api_from_alb" {
+  type                     = "ingress"
+  from_port                = 8080
+  to_port                  = 8080
+  protocol                 = "tcp"
+  source_security_group_id = aws_security_group.alb.id
+  security_group_id        = aws_security_group.api.id
+  description              = "Allow ALB to reach API on port 8080"
+}
+```
+
+---
+
+## Secrets Management
+
+### Secrets Lifecycle
+
+```
+Create → Store in Vault/SM → Reference in config → Rotate → Revoke
+```
+
+### Rotation Schedule
+
+| Secret Type | Rotation Period | Method |
+|---|---|---|
+| Database credentials | 90 days | Automated (Vault dynamic secrets) |
+| API keys (internal) | 90 days | Automated rotation |
+| API keys (third-party) | Per vendor policy | Manual with ticket |
+| TLS certificates | Auto-renew (cert-manager) | Let's Encrypt / ACM |
+| SSH keys | 180 days | Key rotation pipeline |
+| Encryption keys | 365 days | AWS KMS auto-rotation |
+
+### Rules
+
+- Never store secrets in: git, CI pipeline files, Docker images, environment
+  variables in K8s manifests, ConfigMaps.
+- Use: HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager,
+  Azure Key Vault, SOPS for encrypted files.
+- Mount as files, not env vars (env vars appear in `kubectl describe pod`,
+  crash dumps, `/proc/*/environ`).
+- Audit all secret access — who read what, when.
+- Revoke immediately on employee departure or credential compromise.
+
+---
+
+## Image Scanning
+
+### Pipeline Integration
+
+```yaml
+# Scan in CI before pushing to registry
+- name: Scan image
+  run: |
+    trivy image --exit-code 1 --severity CRITICAL,HIGH \
+      --ignore-unfixed myapp:${{ github.sha }}
+```
+
+### Scanning Layers
+
+| Layer | Tool | When |
+|---|---|---|
+| Base image CVEs | Trivy, Grype | Every build + nightly |
+| Application dependencies | Snyk, npm audit, pip-audit | Every build |
+| IaC misconfigurations | Checkov, tfsec, KICS | Every PR |
+| Secrets in code | gitleaks, trufflehog | Every commit |
+| Runtime behavior | Falco, Sysdig | Continuous |
+| Container compliance | Docker Bench, OPA | Nightly |
+
+### Rules
+
+- Block deployment on CRITICAL or HIGH vulnerabilities.
+- Allow MEDIUM/LOW with documented exception and timeline to fix.
+- Scan running images nightly — new CVEs appear after deploy.
+- Track vulnerability metrics: time-to-remediate, open count by severity.
+- Base image rebuilds trigger downstream rebuilds automatically.
+
+---
+
+## Audit Logging
+
+### What to Log
+
+| Event | Required Fields |
+|---|---|
+| Authentication (success/fail) | who, when, source IP, method |
+| Authorization (denied) | who, what resource, what action |
+| Resource creation/modification/deletion | who, what, when, before/after |
+| Secret access | who, which secret, when |
+| Configuration changes | who, what changed, PR link |
+| Privilege escalation | who, from/to role, when |
+
+### Implementation
+
+- Enable cloud provider audit logs (CloudTrail, GCP Audit, Azure Activity).
+- Enable K8s audit logging for all write operations.
+- Ship audit logs to immutable storage (S3 with Object Lock, WORM).
+- Retain audit logs for minimum 1 year (adjust per compliance: SOC2, HIPAA, PCI).
+- Alert on: root account usage, IAM policy changes, security group changes,
+  failed auth spike, secret access from unexpected sources.
+
+### Kubernetes Audit Policy
+
+```yaml
+apiVersion: audit.k8s.io/v1
+kind: Policy
+rules:
+  - level: Metadata
+    resources:
+      - group: ""
+        resources: ["secrets", "configmaps"]
+  - level: RequestResponse
+    resources:
+      - group: ""
+        resources: ["pods/exec", "pods/portforward"]
+    verbs: ["create"]
+  - level: Metadata
+    verbs: ["create", "update", "patch", "delete"]
+```
+
+---
+
+## Supply Chain Security
+
+- Sign container images with cosign/Sigstore.
+- Verify signatures before admission (Kyverno, OPA Gatekeeper).
+- Pin dependencies to exact versions (lockfiles).
+- Pin CI actions to SHA, not tag.
+- Use private registries — pull-through cache for public images.
+- Generate and store SBOMs (Software Bill of Materials) with each build.
+- Review and approve new dependencies before adding.

package/templates/teams/devops/review-checklist.md

@@ -0,0 +1,72 @@
+### Infrastructure as Code
+- [ ] Changes are in Terraform/Pulumi/CDK — no manual console changes
+- [ ] Remote state configured with locking enabled
+- [ ] `terraform plan` reviewed — no unexpected destroys on stateful resources
+- [ ] Resources tagged: project, environment, team, cost-center
+- [ ] Module versions pinned (not pointing to main branch)
+- [ ] Sensitive variables marked as `sensitive = true`
+- [ ] No hardcoded values — all configurable via variables with defaults
+
+### Docker & Container Security
+- [ ] Multi-stage build — final image contains only runtime dependencies
+- [ ] Non-root user configured (`USER` instruction, `runAsNonRoot: true`)
+- [ ] Base image uses specific version tag (not `latest`)
+- [ ] Base image is slim/distroless variant
+- [ ] No secrets in Dockerfile, build args, or image layers
+- [ ] .dockerignore excludes .git, node_modules, .env, test files
+- [ ] Image scanned with Trivy — 0 critical, 0 high vulnerabilities
+- [ ] Image size within target (<200MB for Node, <50MB for Go)
+- [ ] HEALTHCHECK instruction present
+
+### Kubernetes
+- [ ] Resource requests AND limits set (requests = p50 usage, limits = p99 + headroom)
+- [ ] Liveness probe checks process health only (not dependencies)
+- [ ] Readiness probe checks ability to serve traffic (DB connected, cache available)
+- [ ] PodDisruptionBudget configured (`minAvailable: 50%` or `maxUnavailable: 1`)
+- [ ] Security context: `runAsNonRoot`, `drop: [ALL]` capabilities, `readOnlyRootFilesystem`
+- [ ] Network policies restrict pod-to-pod traffic (default deny, explicit allow)
+- [ ] Secrets via ExternalSecrets/Vault — not in K8s manifests (base64 is not encryption)
+- [ ] Minimum 2 replicas for production deployments
+- [ ] Image pull policy is `IfNotPresent` (not `Always`)
+- [ ] Anti-affinity rules spread pods across nodes/AZs
+
+### CI/CD Pipeline
+- [ ] All stages present: lint → test → build → security scan → deploy
+- [ ] Security scanning: SAST, dependency audit, container scan, secret detection
+- [ ] Build uses caching (Docker layers, dependency cache, test cache)
+- [ ] Artifacts tagged with branch-sha-buildnumber (not `latest`)
+- [ ] Production deploy has manual approval gate
+- [ ] Rollback mechanism defined and tested (automated on error rate spike)
+- [ ] Pipeline total <15 minutes
+- [ ] Pipeline steps containerized (runs same locally and in CI)
+
+### Monitoring & Alerting
+- [ ] New service has all 3 pillars: metrics, logs, traces
+- [ ] Dashboard with golden signals: latency, traffic, errors, saturation
+- [ ] Alerts on symptoms (error rate, latency) not causes (CPU, memory)
+- [ ] Alert severity appropriate (P1 pages on-call, P2 Slack, P3 ticket)
+- [ ] Runbook exists for every P1/P2 alert
+- [ ] Log format is structured JSON with request_id, service, environment
+
+### Security
+- [ ] IAM roles follow least privilege — no `*` resources, no admin policies
+- [ ] Network: app in private subnets, only LB in public, security groups restrictive
+- [ ] No hardcoded secrets, API keys, or credentials anywhere in code
+- [ ] TLS everywhere — external (HTTPS) and internal (mTLS or VPC-internal)
+- [ ] Audit logging enabled for infrastructure changes
+- [ ] Image signing verified for production deployments
+
+### Disaster Recovery & Reliability
+- [ ] Backup schedule configured for databases and persistent storage
+- [ ] Backup restore tested within the last month
+- [ ] Multi-AZ deployment for Tier 1 services
+- [ ] Failover procedure documented in runbook
+- [ ] RTO/RPO requirements documented and achievable
+- [ ] Graceful shutdown handles SIGTERM (drain connections, finish in-flight requests)
+
+### Cost
+- [ ] All new resources tagged for cost tracking
+- [ ] Instance sizing justified by usage metrics (not "biggest available")
+- [ ] Spot/preemptible used for stateless workloads where possible
+- [ ] Storage lifecycle policies set (transition to cold storage, expiration)
+- [ ] Cost impact estimated before provisioning (especially for data transfer, managed services)

package/templates/teams/devops/skill.md

@@ -0,0 +1,131 @@
+# DevOps / SRE Engineer — Skill Index
+
+You are a senior DevOps and Site Reliability Engineer. You treat infrastructure
+as software, reliability as a feature, and cost as a constraint. Every change
+ships through a pipeline, every resource is tracked in code, every incident
+feeds back into prevention.
+
+---
+
+## Core Principles
+
+1. **Automate anything done twice.** Manual steps are bugs waiting to happen.
+   If a runbook has more than three steps, script it.
+2. **Immutable infrastructure.** Replace, never patch. Bake images, push new
+   versions, roll back by redeploying the previous artifact.
+3. **Defense in depth.** No single control is sufficient. Layer network rules,
+   IAM policies, runtime scanning, and audit logging.
+4. **Blast radius minimization.** Canary first, then percentage rollout. Use
+   namespaces, accounts, and feature flags to contain failures.
+5. **Cost is a feature.** Right-size from day one. Tag every resource. Review
+   spend weekly. Reserved capacity for stable workloads, spot/preemptible for
+   ephemeral ones.
+6. **Observability over monitoring.** You cannot alert on what you cannot see.
+   Instrument first, then set thresholds.
+7. **Everything in version control.** Infrastructure, dashboards, alert rules,
+   runbooks — all live in Git. No ClickOps.
+
+---
+
+## Key Anti-Patterns — Stop These on Sight
+
+| Anti-Pattern | Why It Hurts | Fix |
+|---|---|---|
+| `kubectl exec` in prod | Bypasses audit trail, breaks immutability | Add debug sidecar or ephemeral container |
+| Local Terraform state | No locking, no team collaboration, easy to lose | Remote backend (S3+DynamoDB, GCS, Terraform Cloud) |
+| `:latest` image tag | Non-reproducible deploys, cache-busting | Use immutable tags: git SHA or semver |
+| Root containers | Full host escape on exploit | `runAsNonRoot: true`, distroless base |
+| Single replica in prod | Any restart = downtime | Minimum 2 replicas + PodDisruptionBudget |
+| Alert on everything | Alert fatigue, pages get ignored | Alert on symptoms (SLO burn rate), not causes |
+| Secrets in env vars / git | Leaked in logs, process lists, crash dumps | External secrets manager (Vault, AWS SM, SOPS) |
+| No resource limits | Noisy neighbor kills node | Always set requests AND limits |
+| Manual deploy steps | "It works on my machine" | Full CI/CD, no human in the deploy path |
+
+---
+
+## Decision Framework — Deployment Strategy
+
+```
+Is downtime acceptable?
+├─ Yes → Recreate (simplest, for dev/staging)
+└─ No
+   ├─ Need instant rollback?
+   │  ├─ Yes → Blue/Green (two full environments)
+   │  └─ No
+   │     ├─ Want gradual traffic shift?
+   │     │  ├─ Yes → Canary (progressive delivery)
+   │     │  └─ No → Rolling Update (K8s default)
+   │     └─ Need feature-level control?
+   │        └─ Yes → Feature Flags + Rolling
+   └─ Multi-region?
+      └─ Yes → Blue/Green per region, sequential rollout
+```
+
+### Strategy Quick Reference
+
+| Strategy | Rollback Speed | Resource Cost | Complexity |
+|---|---|---|---|
+| Recreate | Minutes (redeploy) | 1x | Low |
+| Rolling Update | Minutes (undo) | 1x-1.25x | Low |
+| Blue/Green | Seconds (DNS/LB) | 2x | Medium |
+| Canary | Seconds (route) | 1.1x | High |
+
+---
+
+## Reference Files
+
+| File | Covers |
+|---|---|
+| [infrastructure-as-code.md](references/infrastructure-as-code.md) | Terraform structure, state management, modules, tagging |
+| [docker.md](references/docker.md) | Base images, multi-stage builds, security, layer optimization |
+| [kubernetes.md](references/kubernetes.md) | Namespaces, resources, probes, PDB, network policies, secrets |
+| [ci-cd.md](references/ci-cd.md) | Pipeline stages, speed targets, caching, rollback |
+| [monitoring.md](references/monitoring.md) | Metrics/logs/traces, golden signals, alerting, runbooks |
+| [security.md](references/security.md) | IAM, network, secrets rotation, image scanning, audit |
+| [disaster-recovery.md](references/disaster-recovery.md) | RPO/RTO, backups, failover, chaos engineering |
+| [cost-optimization.md](references/cost-optimization.md) | Right-sizing, reservations, storage lifecycle, budgets |
+| [review-checklist.md](references/review-checklist.md) | Full review checklist across all domains |
+
+---
+
+## Workflow Index
+
+### 1. New Infrastructure Component
+1. Define in IaC (Terraform/Pulumi) — see `infrastructure-as-code.md`
+2. Add monitoring — see `monitoring.md`
+3. Document DR posture — see `disaster-recovery.md`
+4. Tag for cost tracking — see `cost-optimization.md`
+5. Review against checklist — see `review-checklist.md`
+
+### 2. Containerize a Service
+1. Write Dockerfile — see `docker.md`
+2. Add K8s manifests — see `kubernetes.md`
+3. Wire into CI/CD pipeline — see `ci-cd.md`
+4. Add probes and metrics endpoint — see `monitoring.md`
+5. Harden security context — see `security.md`
+
+### 3. Incident Response
+1. Acknowledge alert, open incident channel
+2. Assess blast radius using dashboards — see `monitoring.md`
+3. Mitigate: rollback, scale, or isolate
+4. Investigate root cause with traces/logs
+5. Write postmortem, create prevention tasks
+6. Update runbooks — see `disaster-recovery.md`
+
+### 4. Capacity Planning Review
+1. Pull 30-day resource utilization — see `monitoring.md`
+2. Identify right-sizing opportunities — see `cost-optimization.md`
+3. Forecast growth from product roadmap
+4. Adjust reservations and autoscaling thresholds
+5. Update budget alerts
+
+---
+
+## Golden Rules for Code Review
+
+- Every Terraform change must include a `plan` output in the PR.
+- Every Dockerfile change must not increase image size without justification.
+- Every K8s manifest must set resource requests, limits, and probes.
+- Every CI/CD change must not increase pipeline duration beyond 15 minutes.
+- Every alert rule must link to a runbook.
+- Every secret must reference an external secrets manager, never inline.

package/templates/teams/fe/agent.yaml

@@ -0,0 +1,28 @@
+id: fe
+name: Frontend Agent
+description: >
+  Senior frontend engineer agent. Expert in rendering performance,
+  component architecture, state management, accessibility, and modern SSR/SSG.
+role: fe
+techStack:
+  languages: [TypeScript, JavaScript, CSS, HTML]
+  frameworks: [React, Next.js, Vue, Angular, Svelte]
+  libraries: [Tailwind CSS, Zustand, Jotai, TanStack Query, React Hook Form, Zod, Radix UI]
+  buildTools: [Vite, Turbopack, Webpack, esbuild, SWC, Storybook]
+tools:
+  allowed: [Read, Write, Edit, Bash, Grep, Glob]
+globs:
+  - "**/*.tsx"
+  - "**/*.jsx"
+  - "**/*.css"
+  - "**/*.scss"
+  - "**/*.vue"
+  - "**/*.svelte"
+  - "src/components/**/*"
+  - "src/pages/**/*"
+  - "src/app/**/*"
+  - "src/hooks/**/*"
+  - "src/stores/**/*"
+sharedKnowledge:
+  - project-conventions
+  - git-workflow