claude-autopm 2.8.1 → 2.8.3

package/packages/plugin-cloud/plugin.json

@@ -0,0 +1,338 @@
+{
+  "name": "@claudeautopm/plugin-cloud",
+  "version": "2.0.0",
+  "schemaVersion": "2.0",
+  "displayName": "Cloud Providers & Infrastructure",
+  "description": "Complete cloud infrastructure plugin with agents for AWS, Azure, GCP, Kubernetes, Terraform, and infrastructure automation",
+  "category": "cloud",
+  "metadata": {
+    "category": "Cloud Infrastructure",
+    "author": "ClaudeAutoPM Team",
+    "license": "MIT",
+    "homepage": "https://github.com/rafeekpro/ClaudeAutoPM",
+    "repository": {
+      "type": "git",
+      "url": "git+https://github.com/rafeekpro/ClaudeAutoPM.git",
+      "directory": "packages/plugin-cloud"
+    },
+    "size": "~15 KB (gzipped)",
+    "required": false,
+    "tags": ["cloud", "aws", "azure", "gcp", "kubernetes", "terraform", "infrastructure"]
+  },
+  "agents": [
+    {
+      "name": "aws-cloud-architect",
+      "file": "agents/aws-cloud-architect.md",
+      "category": "cloud",
+      "description": "AWS cloud architecture and infrastructure design patterns",
+      "version": "2.0.0",
+      "tags": ["aws", "cloud", "architecture", "ec2", "s3", "vpc"],
+      "mcp": ["aws", "terraform"],
+      "context7": [
+        "/websites/aws_amazon",
+        "/hashicorp/terraform-provider-aws"
+      ]
+    },
+    {
+      "name": "azure-cloud-architect",
+      "file": "agents/azure-cloud-architect.md",
+      "category": "cloud",
+      "description": "Azure cloud architecture and resource management",
+      "version": "2.0.0",
+      "tags": ["azure", "cloud", "architecture", "arm", "bicep"],
+      "mcp": ["azure-cli", "terraform"],
+      "context7": [
+        "/microsoftdocs/azure-docs",
+        "/microsoftdocs/architecture-center"
+      ]
+    },
+    {
+      "name": "gcp-cloud-architect",
+      "file": "agents/gcp-cloud-architect.md",
+      "category": "cloud",
+      "description": "Google Cloud Platform architecture and design",
+      "version": "2.0.0",
+      "tags": ["gcp", "google-cloud", "architecture", "compute-engine"],
+      "mcp": ["gcp", "terraform"],
+      "context7": [
+        "/websites/cloud_google_architecture"
+      ]
+    },
+    {
+      "name": "gcp-cloud-functions-engineer",
+      "file": "agents/gcp-cloud-functions-engineer.md",
+      "category": "cloud",
+      "description": "Google Cloud Functions and serverless application development",
+      "version": "2.0.0",
+      "tags": ["gcp", "cloud-functions", "serverless", "functions-as-a-service"],
+      "mcp": ["gcp"],
+      "context7": [
+        "/websites/cloud_google_architecture"
+      ]
+    },
+    {
+      "name": "gemini-api-expert",
+      "file": "agents/gemini-api-expert.md",
+      "category": "ai-integration",
+      "description": "Google Gemini API integration and AI application development",
+      "version": "2.0.0",
+      "tags": ["gemini", "google", "ai", "api", "llm"],
+      "mcp": ["gcp"],
+      "context7": [
+        "/websites/cloud_google_architecture"
+      ]
+    },
+    {
+      "name": "kubernetes-orchestrator",
+      "file": "agents/kubernetes-orchestrator.md",
+      "category": "orchestration",
+      "description": "Kubernetes cluster orchestration and container management",
+      "version": "2.0.0",
+      "tags": ["kubernetes", "k8s", "containers", "orchestration", "helm"],
+      "mcp": ["kubernetes"],
+      "context7": [
+        "/kubernetes/kubernetes"
+      ]
+    },
+    {
+      "name": "openai-python-expert",
+      "file": "agents/openai-python-expert.md",
+      "category": "ai-integration",
+      "description": "OpenAI API integration with Python for AI applications",
+      "version": "2.0.0",
+      "tags": ["openai", "python", "ai", "api", "gpt"],
+      "mcp": ["openai"],
+      "context7": [
+        "/openai/openai-python"
+      ]
+    },
+    {
+      "name": "terraform-infrastructure-expert",
+      "file": "agents/terraform-infrastructure-expert.md",
+      "category": "infrastructure",
+      "description": "Terraform infrastructure as code for multi-cloud deployments",
+      "version": "2.0.0",
+      "tags": ["terraform", "iac", "infrastructure", "multi-cloud", "hcl"],
+      "mcp": ["terraform"],
+      "context7": [
+        "/hashicorp/terraform",
+        "/hashicorp/terraform-provider-aws"
+      ]
+    }
+  ],
+  "commands": [
+    {
+      "name": "infra-deploy",
+      "file": "commands/infra-deploy.md",
+      "description": "Deploy infrastructure to cloud providers using IaC",
+      "category": "deployment",
+      "tags": ["infrastructure", "deployment", "terraform", "cloud"],
+      "requiredAgents": ["terraform-infrastructure-expert"],
+      "context7": [
+        "/hashicorp/terraform"
+      ]
+    },
+    {
+      "name": "ssh-security",
+      "file": "commands/ssh-security.md",
+      "description": "Configure SSH security hardening for cloud instances",
+      "category": "security",
+      "tags": ["ssh", "security", "hardening", "infrastructure"],
+      "context7": [
+        "/websites/aws_amazon"
+      ]
+    },
+    {
+      "name": "traefik-setup",
+      "file": "commands/traefik-setup.md",
+      "description": "Setup Traefik reverse proxy for cloud infrastructure",
+      "category": "networking",
+      "tags": ["traefik", "proxy", "networking", "load-balancer"],
+      "requiredAgents": ["kubernetes-orchestrator"],
+      "context7": [
+        "/traefik/traefik"
+      ]
+    },
+    {
+      "name": "k8s-deploy",
+      "file": "commands/k8s-deploy.md",
+      "description": "Deploy applications to Kubernetes clusters",
+      "category": "deployment",
+      "tags": ["kubernetes", "k8s", "deployment", "containers"],
+      "requiredAgents": ["kubernetes-orchestrator"],
+      "context7": [
+        "/kubernetes/kubernetes"
+      ]
+    },
+    {
+      "name": "cloud-validate",
+      "file": "commands/cloud-validate.md",
+      "description": "Validate cloud infrastructure configuration and credentials",
+      "category": "validation",
+      "tags": ["cloud", "validation", "security", "credentials", "terraform"],
+      "requiredAgents": ["aws-cloud-architect", "azure-cloud-architect", "gcp-cloud-architect", "terraform-infrastructure-expert"],
+      "context7": [
+        "/aws/aws-cdk",
+        "/hashicorp/terraform",
+        "/docker/docs",
+        "/kubernetes/kubernetes"
+      ]
+    },
+    {
+      "name": "cloud-cost-optimize",
+      "file": "commands/cloud-cost-optimize.md",
+      "description": "Analyze and optimize cloud infrastructure costs",
+      "category": "cost-optimization",
+      "tags": ["cloud", "cost", "optimization", "finops", "savings"],
+      "requiredAgents": ["aws-cloud-architect", "azure-cloud-architect", "gcp-cloud-architect"],
+      "context7": [
+        "/aws/aws-cdk",
+        "/hashicorp/terraform"
+      ]
+    }
+  ],
+  "rules": [
+    {
+      "name": "infrastructure-pipeline",
+      "file": "rules/infrastructure-pipeline.md",
+      "priority": "high",
+      "description": "Infrastructure deployment pipeline standards and validation",
+      "tags": ["infrastructure", "pipeline", "terraform", "docker", "kubernetes"],
+      "appliesTo": ["commands", "agents"],
+      "enforcesOn": ["terraform-infrastructure-expert", "kubernetes-orchestrator"]
+    },
+    {
+      "name": "cloud-security-compliance",
+      "file": "rules/cloud-security-compliance.md",
+      "priority": "critical",
+      "description": "Cloud security best practices and compliance standards enforcement",
+      "tags": ["security", "compliance", "cloud", "encryption", "access-control"],
+      "appliesTo": ["commands", "agents", "deployments"],
+      "enforcesOn": ["aws-cloud-architect", "azure-cloud-architect", "gcp-cloud-architect", "terraform-infrastructure-expert", "kubernetes-orchestrator"]
+    }
+  ],
+  "hooks": [
+    {
+      "name": "pre-cloud-deploy",
+      "file": "hooks/pre-cloud-deploy.js",
+      "type": "pre-command",
+      "description": "Security validation before cloud infrastructure deployment",
+      "blocking": true,
+      "tags": ["security", "validation", "deployment", "terraform"],
+      "triggers": ["cloud:deploy", "infra-deploy", "k8s-deploy", "terraform-deploy"]
+    }
+  ],
+  "scripts": [
+    {
+      "name": "terraform-init",
+      "file": "scripts/examples/terraform-init.sh",
+      "description": "Terraform initialization and validation example",
+      "type": "example",
+      "executable": true,
+      "category": "terraform",
+      "tags": ["terraform", "init", "validation"]
+    },
+    {
+      "name": "aws-validate",
+      "file": "scripts/examples/aws-validate.sh",
+      "description": "AWS environment validation and credential check",
+      "type": "example",
+      "executable": true,
+      "category": "aws",
+      "tags": ["aws", "validation", "credentials"]
+    },
+    {
+      "name": "azure-setup",
+      "file": "scripts/examples/azure-setup.sh",
+      "description": "Azure environment setup and configuration",
+      "type": "example",
+      "executable": true,
+      "category": "azure",
+      "tags": ["azure", "setup", "configuration"]
+    },
+    {
+      "name": "gcp-setup",
+      "file": "scripts/examples/gcp-setup.sh",
+      "description": "Google Cloud Platform environment setup",
+      "type": "example",
+      "executable": true,
+      "category": "gcp",
+      "tags": ["gcp", "setup", "configuration"]
+    },
+    {
+      "name": "k8s-validate",
+      "file": "scripts/examples/k8s-validate.sh",
+      "description": "Kubernetes cluster validation and health check",
+      "type": "example",
+      "executable": true,
+      "category": "kubernetes",
+      "tags": ["kubernetes", "k8s", "validation", "health-check"]
+    }
+  ],
+  "features": {
+    "multi_cloud": {
+      "enabled": true,
+      "description": "Support for AWS, Azure, and GCP cloud providers"
+    },
+    "infrastructure_as_code": {
+      "enabled": true,
+      "description": "Terraform-based infrastructure automation"
+    },
+    "kubernetes_orchestration": {
+      "enabled": true,
+      "description": "Kubernetes cluster management and deployment"
+    },
+    "serverless": {
+      "enabled": true,
+      "description": "Cloud Functions and serverless architectures"
+    },
+    "ai_integration": {
+      "enabled": true,
+      "description": "AI API integrations (OpenAI, Gemini)"
+    },
+    "security_hardening": {
+      "enabled": true,
+      "description": "SSH and infrastructure security best practices"
+    },
+    "networking": {
+      "enabled": true,
+      "description": "Load balancing, proxies, and network configuration"
+    }
+  },
+  "dependencies": [],
+  "peerPlugins": [
+    "@claudeautopm/plugin-core"
+  ],
+  "mcpServers": {
+    "recommended": [
+      "aws",
+      "azure-cli",
+      "gcp",
+      "terraform",
+      "kubernetes"
+    ],
+    "optional": [
+      "openai"
+    ]
+  },
+  "keywords": [
+    "claudeautopm",
+    "plugin",
+    "cloud",
+    "aws",
+    "azure",
+    "gcp",
+    "google-cloud",
+    "kubernetes",
+    "k8s",
+    "terraform",
+    "infrastructure",
+    "iac",
+    "serverless",
+    "devops",
+    "architecture",
+    "containers",
+    "orchestration"
+  ],
+  "compatibleWith": ">=3.0.0"
+}

package/packages/plugin-cloud/rules/cloud-security-compliance.md

@@ -0,0 +1,313 @@
+# Cloud Security Compliance Rule
+
+**Priority:** `critical`
+
+## Purpose
+
+Enforce security best practices and compliance standards across all cloud infrastructure operations for AWS, Azure, and GCP.
+
+## Scope
+
+This rule applies to:
+- All cloud infrastructure commands
+- Infrastructure deployment operations
+- Cloud resource modifications
+- Security configuration changes
+- Terraform/IaC code
+
+## Required Documentation
+
+Before any cloud security operation, Context7 queries are MANDATORY:
+
+**Documentation Queries:**
+- `mcp://context7/security/cloud-security` - Cloud security best practices
+- `mcp://context7/aws/security` - AWS security guidelines
+- `mcp://context7/azure/security` - Azure security center best practices
+- `mcp://context7/gcp/security` - GCP security command center patterns
+- `mcp://context7/compliance/standards` - Industry compliance standards (SOC2, HIPAA, PCI-DSS)
+
+## Security Requirements
+
+### 1. Encryption Standards
+
+**MANDATORY:**
+- ✅ All data must be encrypted at rest
+- ✅ All data must be encrypted in transit (TLS 1.2+)
+- ✅ Use cloud provider managed keys (KMS, Key Vault, Cloud KMS)
+- ✅ Implement key rotation policies (90 days maximum)
+
+**PROHIBITED:**
+- ❌ Storing secrets in code or configuration files
+- ❌ Using default encryption keys
+- ❌ Disabling encryption for any storage service
+- ❌ Using deprecated encryption algorithms (MD5, SHA1)
+
+### 2. Access Control
+
+**MANDATORY:**
+- ✅ Implement least privilege principle
+- ✅ Use IAM roles instead of access keys
+- ✅ Enable MFA for all human access
+- ✅ Implement RBAC for all resources
+- ✅ Regular access review (quarterly minimum)
+
+**PROHIBITED:**
+- ❌ Root/admin account usage for daily operations
+- ❌ Long-lived access keys (>90 days)
+- ❌ Wildcard permissions in policies
+- ❌ Public access to sensitive resources
+
+### 3. Network Security
+
+**MANDATORY:**
+- ✅ Use private subnets for application workloads
+- ✅ Implement network segmentation
+- ✅ Enable VPC Flow Logs / NSG Flow Logs
+- ✅ Use security groups / firewall rules with least privilege
+- ✅ Enable DDoS protection
+
+**PROHIBITED:**
+- ❌ 0.0.0.0/0 ingress rules (except for public load balancers)
+- ❌ Direct internet access for databases
+- ❌ Disabled firewall or security groups
+- ❌ Unrestricted SSH/RDP access (22/3389 open to 0.0.0.0/0)
+
+### 4. Logging and Monitoring
+
+**MANDATORY:**
+- ✅ Enable CloudTrail / Activity Log / Cloud Audit Logs
+- ✅ Log retention minimum 90 days
+- ✅ Enable automated threat detection
+- ✅ Configure alerting for security events
+- ✅ Implement log analysis and SIEM integration
+
+**PROHIBITED:**
+- ❌ Disabling audit logging
+- ❌ Deleting or modifying audit logs
+- ❌ Insufficient log retention
+- ❌ No monitoring for suspicious activity
+
+### 5. Compliance Standards
+
+**MANDATORY:**
+- ✅ Tag all resources with compliance requirements
+- ✅ Use compliant regions (data residency)
+- ✅ Enable automated compliance scanning
+- ✅ Document compliance exceptions
+- ✅ Regular compliance audits
+
+**PROHIBITED:**
+- ❌ Storing regulated data in non-compliant regions
+- ❌ Bypassing compliance controls
+- ❌ Undocumented security exceptions
+
+## Enforcement
+
+### Pre-Deployment Checks
+
+Before any infrastructure deployment:
+
+1. **Context7 Query** - Verify current security best practices
+2. **Security Scan** - Run automated security scanner
+3. **Compliance Check** - Validate against compliance frameworks
+4. **Code Review** - Manual security review for critical changes
+5. **Approval** - Security team sign-off for production
+
+### Automated Validation
+
+The following checks run automatically:
+
+```bash
+# Pre-deployment security validation
+/cloud:validate --scope security --strict
+
+# Resource compliance check
+terraform plan | security-scanner
+
+# Secret detection
+git-secrets --scan
+
+# Policy validation
+opa test security-policies/
+```
+
+### Deployment Blocks
+
+Deployment is **BLOCKED** if:
+- ❌ Public S3 buckets without explicit approval
+- ❌ Security group rules allowing 0.0.0.0/0 ingress (except approved LBs)
+- ❌ Disabled encryption on storage resources
+- ❌ IAM policies with `*` actions or resources
+- ❌ Secrets detected in code or config
+- ❌ Compliance violations detected
+- ❌ Missing required tags (Environment, Owner, CostCenter, Compliance)
+
+### Warning Triggers
+
+Warnings issued for:
+- ⚠️ Resources without backup configured
+- ⚠️ Long-lived access credentials
+- ⚠️ Outdated software versions
+- ⚠️ Insufficient monitoring coverage
+- ⚠️ Non-production resources in production VPC
+
+## Implementation Examples
+
+### Terraform Security Validation
+
+```hcl
+# GOOD: Encrypted S3 bucket with versioning
+resource "aws_s3_bucket" "secure" {
+  bucket = "my-secure-bucket"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "aws:kms"
+        kms_master_key_id = aws_kms_key.bucket_key.arn
+      }
+    }
+  }
+
+  versioning {
+    enabled = true
+  }
+
+  logging {
+    target_bucket = aws_s3_bucket.logs.id
+  }
+}
+
+# BAD: Public, unencrypted bucket
+resource "aws_s3_bucket" "bad" {
+  bucket = "my-bad-bucket"
+  acl    = "public-read"  # ❌ BLOCKED
+  # No encryption configured  # ❌ BLOCKED
+}
+```
+
+### Security Group Best Practices
+
+```hcl
+# GOOD: Restricted security group
+resource "aws_security_group" "app" {
+  name   = "app-sg"
+  vpc_id = aws_vpc.main.id
+
+  ingress {
+    from_port       = 443
+    to_port         = 443
+    protocol        = "tcp"
+    security_groups = [aws_security_group.alb.id]  # ✅ Specific source
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]  # ⚠️ Warning, but acceptable for egress
+  }
+}
+
+# BAD: Overly permissive
+resource "aws_security_group" "bad" {
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]  # ❌ BLOCKED - SSH to world
+  }
+}
+```
+
+### IAM Policy Best Practices
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:PutObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::my-specific-bucket/*"
+      ]
+    }
+  ]
+}
+```
+
+## Exceptions Process
+
+Security exceptions require:
+
+1. **Written Justification** - Business case for exception
+2. **Risk Assessment** - Document security impact
+3. **Compensating Controls** - Alternative security measures
+4. **Approval** - Security team and management sign-off
+5. **Time Limit** - All exceptions have expiration date
+6. **Review** - Quarterly exception reviews
+
+### Exception Documentation Template
+
+```yaml
+exception:
+  id: SEC-2025-001
+  resource: arn:aws:s3:::public-website-assets
+  violation: Public S3 bucket
+  justification: Static website hosting requires public access
+  compensating_controls:
+    - CloudFront distribution with WAF
+    - S3 bucket policy restricting to CloudFront only
+    - No sensitive data in bucket
+  approved_by: security-team@company.com
+  expires: 2025-12-31
+  review_date: 2025-09-30
+```
+
+## Incident Response
+
+If security violation detected:
+
+1. **Alert** - Immediate notification to security team
+2. **Block** - Prevent deployment if pre-deployment
+3. **Quarantine** - Isolate affected resources if post-deployment
+4. **Investigate** - Determine scope and impact
+5. **Remediate** - Fix vulnerability
+6. **Review** - Post-incident review and process improvement
+
+## Compliance Frameworks Supported
+
+- **SOC 2** - Service Organization Control 2
+- **HIPAA** - Health Insurance Portability and Accountability Act
+- **PCI-DSS** - Payment Card Industry Data Security Standard
+- **GDPR** - General Data Protection Regulation
+- **ISO 27001** - Information Security Management
+- **FedRAMP** - Federal Risk and Authorization Management Program
+- **NIST** - National Institute of Standards and Technology frameworks
+
+## Related Rules
+
+- `infrastructure-pipeline.md` - Deployment pipeline standards
+- `cost-optimization.md` - Cost management without compromising security
+- `backup-recovery.md` - Disaster recovery requirements
+
+## Enforcement Tools
+
+This rule is enforced using:
+
+- **Pre-deployment hooks** - `.claude/hooks/pre-cloud-deploy.js`
+- **Terraform validators** - `tfsec`, `checkov`, `terraform-compliance`
+- **Cloud-native tools** - AWS Config, Azure Policy, GCP Security Command Center
+- **Custom scanners** - Project-specific security validators
+
+## Version History
+
+- v2.0.0 - Initial Schema v2.0 release
+- Comprehensive security requirements
+- Multi-cloud support (AWS, Azure, GCP)
+- Compliance framework integration
+- Context7 documentation integration

package/packages/plugin-cloud/scripts/examples/aws-validate.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# AWS environment validation example
+# Usage: ./aws-validate.sh
+
+set -euo pipefail
+
+echo "🔍 Validating AWS environment..."
+
+# Check AWS CLI is installed
+if ! command -v aws &> /dev/null; then
+    echo "❌ AWS CLI not found. Please install it first."
+    exit 1
+fi
+
+# Verify AWS credentials
+echo "📋 Checking AWS credentials..."
+aws sts get-caller-identity
+
+# Check default region
+echo "🌍 Current region: $(aws configure get region)"
+
+# List available regions
+echo "📍 Available regions:"
+aws ec2 describe-regions --output table
+
+# Validate IAM permissions
+echo "🔐 Checking IAM permissions..."
+aws iam get-user || echo "⚠️  IAM user access may be limited"
+
+echo "✅ AWS environment validation complete"