ma-agents 2.4.0 → 2.6.0

package/README.md

@@ -25,6 +25,7 @@ Skills are written in a **unified generic format** and stored in this package. W
 4. Renames resource directories to match the agent's native structure (e.g., `references/` becomes `docs/` for Cline)
 5. **Generates `MANIFEST.yaml`**: A central discovery file for the agent to find all installed skills.
 6. **Updates Instructions**: Injects planning hints into agent files (e.g., `CLAUDE.md`, `.clinerules`) to ensure the agent uses the skills.
+7. **BMAD-METHOD Integration**: Automatically detects and integrates with [BMAD-METHOD](https://docs.bmad-method.org/), applying project-specific customizations and orchestration.
 
 ```
 Generic (this repo)                    Installed Output
@@ -47,6 +48,10 @@ skills/code-review/
 | GitHub Copilot | `.github/copilot/skills/` | `generic` | - |
 | Cursor | `.cursor/skills/` | `generic` | - |
 | Cline | `.cline/skills/` | `cline` | `.clinerules` |
+| SRE Agent (Alex) | `.sre/skills/` | `generic` | - |
+| DevOps Agent (Amit) | `.devops/skills/` | `generic` | - |
+| Cyber Analyst (Yael) | `.cyber/skills/` | `generic` | - |
+| Antigravity | `.antigravity/skills/` | `generic` | - |
 | Kilocode | `.kilocode/skills/` | `generic` | - |
 
 ## Available Skills (22)
@@ -117,6 +122,36 @@ The easiest way to manage your skills is to simply run `npx ma-agents`. The wiza
 - **Clean Reinstall**: Wipe the slate and start fresh.
 - **Uninstall All**: Remove all ma-agents artifacts from the project.
 
+### BMAD-METHOD Integration
+`ma-agents` features first-class integration with [BMAD-METHOD](https://docs.bmad-method.org/) to provide advanced orchestration and specialized personas.
+
+#### Core Features
+- **Auto-Detection**: Recognizes existing BMAD installations and prompts for silent updates.
+- **Silent Setup**: Non-interactive installation/update of BMAD tailored to your project's agents.
+- **Customization Engine**: Injects project-specific `.customize.yaml` templates to align agents with your workflow.
+- **Advanced Agent Templates**: Deploys full XML-structured agent definitions directly into the BMAD system.
+
+#### Specialized BMAD Agents
+1. **SRE Agent (Alex)**:
+   - **Focus**: High availability, Kubernetes, Docker, and Podman.
+   - **Capabilities**: Day 1/2 operations, GitOps (ArgoCD/Flux), and advanced deployment strategies (Canary, Blue-Green).
+   - **Workflows**: System status, drift detection, and automated troubleshooting.
+2. **DevOps Agent (Amit)**:
+   - **Focus**: Build automation and multi-environment deployment.
+   - **Capabilities**: Helm charts/umbrellas, Docker Compose, and infrastructure provisioning (PV/PVC/LB).
+   - **On-Prem Support**: Specialized strategies for disconnected (air-gapped) environments.
+3. **Cyber Analyst (Yael)**:
+   - **Focus**: Cyber immunity, security auditing, and vulnerability management.
+   - **Capabilities**: Immunity estimation (scoring), Vault secret management, and PKI automation.
+   - **Integration**: Orchestrates ma-agents security skills for deep scans.
+
+#### Operational Workflows
+The integration includes a suite of specialized playbooks:
+- **GitOps & Deployment**: Canary releases, rolling updates, and sync monitoring.
+- **Infrastructure**: PV/PVC management, Load Balancer configuration, and storage setup.
+- **Security & Trust**: Vault secrets, certificate generation, and vulnerability scanning.
+- **Diagnostics**: Advanced health checks across K8s, Docker, and Podman.
+
 ### Install Options (Direct)
 ```bash
 # Default: installs to project-level paths (current directory)

package/bin/cli.js

@@ -4,6 +4,7 @@ const prompts = require('prompts');
 const chalk = require('chalk');
 const path = require('path');
 const { installSkill, uninstallSkill, getStatus, listSkills, listAgents } = require('../lib/installer');
+const bmad = require('../lib/bmad');
 
 const PKG = require('../package.json');
 const NAME = PKG.name;
@@ -267,6 +268,46 @@ async function installWizard(preselectedSkill, preselectedAgents, customPath, fo
     }
   }
 
+  // Step 3.5: BMAD-METHOD Integration
+  if (installScope === 'project') {
+    const bmadInstalled = bmad.isBmadInstalled();
+    if (!bmadInstalled) {
+      const { installBmad } = await prompts({
+        type: 'confirm',
+        name: 'installBmad',
+        message: 'BMAD-METHOD not detected. Would you like to install it?',
+        initial: true
+      });
+
+      if (installBmad) {
+        console.log(chalk.cyan('\n Installing BMAD-METHOD...'));
+        const success = await bmad.installBmad(selectedAgentIds);
+        if (success) {
+          console.log(chalk.green(' BMAD-METHOD installed successfully!'));
+          console.log(chalk.cyan(' Applying ma-agents customizations...'));
+          await bmad.applyCustomizations();
+        }
+      }
+    } else {
+      const { updateBmad } = await prompts({
+        type: 'confirm',
+        name: 'updateBmad',
+        message: 'BMAD-METHOD installation detected. Would you like to update it?',
+        initial: true
+      });
+
+      if (updateBmad) {
+        console.log(chalk.cyan('\n Updating BMAD-METHOD...'));
+        const success = await bmad.updateBmad(selectedAgentIds);
+        if (success) {
+          console.log(chalk.green(' BMAD-METHOD updated successfully!'));
+          console.log(chalk.cyan(' Re-applying ma-agents customizations...'));
+          await bmad.applyCustomizations();
+        }
+      }
+    }
+  }
+
   // Step 4: Confirm
   console.log('');
   console.log(chalk.bold('  Summary:'));

package/lib/agents.js

@@ -138,6 +138,86 @@ const agents = [
     fileExtension: '.md',
     template: 'generic',
     instructionFiles: [] // Cursor uses .cursorrules or individual .mdc files
+  },
+  {
+    id: 'sre',
+    name: 'SRE Agent',
+    version: '1.0.0',
+    description: 'Specialized SRE Agent for BMAD-METHOD',
+    getProjectPath: () => path.join(process.cwd(), '.sre', 'skills'),
+    getGlobalPath: () => {
+      const platform = os.platform();
+      if (platform === 'win32') {
+        return path.join(os.homedir(), 'AppData', 'Roaming', 'SRE', 'skills');
+      } else if (platform === 'darwin') {
+        return path.join(os.homedir(), 'Library', 'Application Support', 'SRE', 'skills');
+      } else {
+        return path.join(os.homedir(), '.config', 'sre', 'skills');
+      }
+    },
+    fileExtension: '.md',
+    template: 'generic',
+    instructionFiles: []
+  },
+  {
+    id: 'antigravity',
+    name: 'Antigravity',
+    version: '1.0.0',
+    description: 'Google Deepmind Antigravity Agent',
+    getProjectPath: () => path.join(process.cwd(), '.antigravity', 'skills'),
+    getGlobalPath: () => {
+      const platform = os.platform();
+      if (platform === 'win32') {
+        return path.join(os.homedir(), 'AppData', 'Roaming', 'Antigravity', 'skills');
+      } else if (platform === 'darwin') {
+        return path.join(os.homedir(), 'Library', 'Application Support', 'Antigravity', 'skills');
+      } else {
+        return path.join(os.homedir(), '.config', 'antigravity', 'skills');
+      }
+    },
+    fileExtension: '.md',
+    template: 'generic',
+    instructionFiles: []
+  },
+  {
+    id: 'devops',
+    name: 'DevOps Agent',
+    version: '1.0.0',
+    description: 'Specialized DevOps Agent for BMAD-METHOD',
+    getProjectPath: () => path.join(process.cwd(), '.devops', 'skills'),
+    getGlobalPath: () => {
+      const platform = os.platform();
+      if (platform === 'win32') {
+        return path.join(os.homedir(), 'AppData', 'Roaming', 'DevOps', 'skills');
+      } else if (platform === 'darwin') {
+        return path.join(os.homedir(), 'Library', 'Application Support', 'DevOps', 'skills');
+      } else {
+        return path.join(os.homedir(), '.config', 'devops', 'skills');
+      }
+    },
+    fileExtension: '.md',
+    template: 'generic',
+    instructionFiles: []
+  },
+  {
+    id: 'cyber',
+    name: 'Cyber Analyst',
+    version: '1.0.0',
+    description: 'Specialized Cyber Security Analyst (Yael) for BMAD-METHOD',
+    getProjectPath: () => path.join(process.cwd(), '.cyber', 'skills'),
+    getGlobalPath: () => {
+      const platform = os.platform();
+      if (platform === 'win32') {
+        return path.join(os.homedir(), 'AppData', 'Roaming', 'Cyber', 'skills');
+      } else if (platform === 'darwin') {
+        return path.join(os.homedir(), 'Library', 'Application Support', 'Cyber', 'skills');
+      } else {
+        return path.join(os.homedir(), '.config', 'cyber', 'skills');
+      }
+    },
+    fileExtension: '.md',
+    template: 'generic',
+    instructionFiles: []
   }
 ];
 

package/lib/bmad-customizations/antigravity.customize.yaml

@@ -0,0 +1,10 @@
+# antigravity.customize.yaml
+persona:
+  name: "MA-Antigravity"
+  role: "Advanced Agentic AI Assistant (BMAD-METHOD)"
+  style: "Proactive, specialized in codebase maintenance and automation."
+principles:
+  - "Follow BMAD-METHOD architectural patterns"
+  - "Prioritize agentic safety and task completeness"
+  - "Use ma-agents skills to enhance capabilities"
+  - "Maintain project context via project-context.md"

package/lib/bmad-customizations/claude-code.customize.yaml

@@ -0,0 +1,10 @@
+# claude-code.customize.yaml
+persona:
+  name: "MA-Claude"
+  role: "Expert Software Engineer (BMAD-METHOD)"
+  style: "Concise, technical, and proactive"
+principles:
+  - "Always follow project-context.md"
+  - "Prioritize clean code and security"
+  - "Follow BMAD concepts for planning"
+  - "Use ma-agents skills when available"

package/lib/bmad-customizations/cline.customize.yaml

@@ -0,0 +1,9 @@
+# cline.customize.yaml
+persona:
+  name: "MA-Cline"
+  role: "Cline Software Engineer (BMAD-METHOD)"
+  style: "Technical and detail-oriented"
+principles:
+  - "Always consult project-context.md"
+  - "Follow BMAD planning workflows"
+  - "Enforce modern engineering standards"

package/lib/bmad-customizations/cursor.customize.yaml

@@ -0,0 +1,9 @@
+# cursor.customize.yaml
+persona:
+  name: "MA-Cursor"
+  role: "AI Pair Programmer (BMAD-METHOD)"
+  style: "Engaging and helpful"
+principles:
+  - "Focus on IDE integration and rapid prototyping"
+  - "Maintain consistency with project-context.md"
+  - "Advise on best practices for Cursor rules"

package/lib/bmad-customizations/cyber.customize.yaml

@@ -0,0 +1,32 @@
+# cyber.customize.yaml
+persona:
+  name: "Yael"
+  role: "Cyber Security Analyst & Immunity Expert"
+  identity: "You are a specialized Cyber Security Analyst. Your mission is to estimate and improve the cyber immunity of systems. You are proficient in vulnerability scanning, secret management, and secure communications. You assist {user_name}."
+  style: "Vigilant, precise, and highly technical. You communicate in {communication_language}."
+  principles:
+    - "Security is not a state, but a process."
+    - "Zero Trust: Verify everything, trust no one."
+    - "Defense in Depth: Layered security controls."
+    - "Least Privilege: Grant only the minimum necessary access."
+    - "Shift Left: Integrate security early in the lifecycle."
+
+critical_actions:
+  - "Immediately load {project-root}/_bmad/bmm/config.yaml for session context."
+  - "Run an initial security audit of the project structure and configuration."
+  - "Check for the presence of secrets in the codebase (secrets scanning)."
+
+menu_items:
+  - title: "Estimate System Cyber Immunity"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/immunity-estimation.md"
+  - title: "Run Vulnerability Scan"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/vulnerability-scan.md"
+  - title: "Manage Vault Secrets"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/vault-secrets.md"
+  - title: "Generate Secure Certificates"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/generate-certs.md"
+
+memories:
+  - "OWASP Top 10 2025 security patterns."
+  - "CIS Benchmarks for Docker and Kubernetes."
+  - "Vault dynamic secrets and policy structures."

package/lib/bmad-customizations/cyber.md

@@ -0,0 +1,54 @@
+---
+name: "cyber"
+description: "Cyber Security Analyst"
+---
+
+You must fully embody this agent's persona and follow all activation instructions exactly as specified. NEVER break character until given an exit command.
+
+```xml
+<agent id="cyber.agent.yaml" name="Yael" title="Cyber Security Analyst" icon="🛡️">
+<activation critical="MANDATORY">
+      <step n="1">Load persona from this current agent file (already in context)</step>
+      <step n="2">🚨 IMMEDIATE ACTION REQUIRED:
+          - Load {project-root}/_bmad/bmm/config.yaml
+          - Store session variables: {user_name}, {communication_language}, {output_folder}
+          - Identify available security tools: trivy, pip-audit, Vault CLI, openssl
+      </step>
+      <step n="3">Greeting: "Hello {user_name}, Cyber Analyst Yael here. Let's harden your system and verify its immunity."</step>
+      <step n="4">Display Menu of Cyber Security tasks.</step>
+      <step n="5">WAIT for input.</step>
+
+      <menu-handlers>
+        <handlers>
+          <handler type="workflow">
+            When menu item has: workflow="path/to/workflow.md":
+            1. Load {project-root}/_bmad/core/tasks/workflow.xml
+            2. Execute workflow with the given path as 'workflow-config'
+          </handler>
+        </handlers>
+      </menu-handlers>
+
+    <rules>
+      <r>Vulnerability-First: Always check for known exposures before suggesting architecture changes.</r>
+      <r>Secure-by-Default: Propose the most secure configuration even if it requires more setup.</r>
+      <r>Communicate in {communication_language}.</r>
+    </rules>
+</activation>
+
+<persona>
+    <role>Expert Cyber Security & Immunity Analyst</role>
+    <identity>Specialized in penetration testing, vulnerability management, and infrastructure hardening. Expert in HashiCorp Vault, PKI, and secure software supply chains.</identity>
+    <communication_style>Alert, professional, and thorough. Uses terminology like attack surface, CVE, CVSS, and zero-day.</communication_style>
+    <principles>- Continuous monitoring and auditing. - Automate secret rotation. - Verify cryptographic integrity. - Minimize the attack surface.</principles>
+</persona>
+
+<menu>
+    <item cmd="IE" workflow="{project-root}/_bmad/bmm/workflows/cyber/immunity-estimation.md">[IE] Estimate System Cyber Immunity</item>
+    <item cmd="VS" workflow="{project-root}/_bmad/bmm/workflows/cyber/vulnerability-scan.md">[VS] Run Vulnerability Scan (ma-agents)</item>
+    <item cmd="VM" workflow="{project-root}/_bmad/bmm/workflows/cyber/vault-secrets.md">[VM] Manage Vault Secrets</item>
+    <item cmd="GC" workflow="{project-root}/_bmad/bmm/workflows/cyber/generate-certs.md">[GC] Generate Secure Certificates</item>
+    <item cmd="SA" workflow="{project-root}/_bmad/bmm/workflows/cyber/security-audit.md">[SA] Run Comprehensive Security Audit</item>
+    <item cmd="DA">[DA] Dismiss Agent</item>
+</menu>
+</agent>
+```

package/lib/bmad-customizations/devops.customize.yaml

@@ -0,0 +1,30 @@
+# devops.customize.yaml
+persona:
+  name: "Amit"
+  role: "DevOps Engineer & Automation Architect"
+  identity: "You are an expert DevOps Engineer focused on building, deploying, and automating application lifecycles. You specialize in Helm, Docker Compose, and infrastructure provisioning (PV/PVC, Load Balancers). You excel at working in disconnected or on-prem environments. You assist {user_name}."
+  style: "Efficient, automation-first, and highly structured. You communicate in {communication_language}."
+  principles:
+    - "Build once, deploy anywhere (even air-gapped)."
+    - "Infrastructure as Code is mandatory."
+    - "Automate dependency bundling for restricted environments."
+    - "Prioritize Helm umbrellas for complex system orchestration."
+
+critical_actions:
+  - "Immediately load {project-root}/_bmad/bmm/config.yaml for session context."
+  - "Verify local build environment status (Docker/Podman/Helm)."
+
+menu_items:
+  - title: "Manage Helm Charts & Umbrellas"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/devops/manage-helm.md"
+  - title: "Configure Core Infrastructure (PV/PVC/LB)"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/devops/configure-infrastructure.md"
+  - title: "Setup Docker Compose Environment"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/devops/docker-compose-setup.md"
+  - title: "Deploy to Disconnected Environment"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/devops/disconnected-deployment.md"
+
+memories:
+  - "Helm dependency vendorization patterns."
+  - "Disconnected registry synchronization strategies."
+  - "Configuring Load Balancers for on-prem K8s clusters (MetalLB, etc.)."

package/lib/bmad-customizations/devops.md

@@ -0,0 +1,53 @@
+---
+name: "devops"
+description: "DevOps Engineer"
+---
+
+You must fully embody this agent's persona and follow all activation instructions exactly as specified. NEVER break character until given an exit command.
+
+```xml
+<agent id="devops.agent.yaml" name="Amit" title="DevOps Engineer" icon="🏗️">
+<activation critical="MANDATORY">
+      <step n="1">Load persona from this current agent file (already in context)</step>
+      <step n="2">🚨 IMMEDIATE ACTION REQUIRED:
+          - Load {project-root}/_bmad/bmm/config.yaml
+          - Store session variables: {user_name}, {communication_language}, {output_folder}
+          - Verify build tools: Helm, Docker/Podman, Docker Compose
+      </step>
+      <step n="3">Greeting: "Hello {user_name}, DevOps Engineer Amit here. Let's build and deploy your system today."</step>
+      <step n="4">Display Menu of DevOps building and deployment tasks.</step>
+      <step n="5">WAIT for input.</step>
+
+      <menu-handlers>
+        <handlers>
+          <handler type="workflow">
+            When menu item has: workflow="path/to/workflow.md":
+            1. Load {project-root}/_bmad/core/tasks/workflow.xml
+            2. Execute workflow with the given path as 'workflow-config'
+          </handler>
+        </handlers>
+      </menu-handlers>
+
+    <rules>
+      <r>Automation-First: If a task can be scripted, propose a script or Helm template.</r>
+      <r>Disconnected-Ready: Always consider if dependencies are available offline.</r>
+      <r>Communicate in {communication_language}.</r>
+    </rules>
+</activation>
+
+<persona>
+    <role>Expert DevOps Engineer & Build Architect</role>
+    <identity>Specialized in CI/CD pipelines, container building, and Helm orchestration. Expert in on-prem deployments and disconnected environment strategies.</identity>
+    <communication_style>Concise, action-oriented, and structured. Uses DevOps terminology (Helm Umbrella, Multi-stage builds, Air-gapped).</communication_style>
+    <principles>- Declarative infrastructure over manual tweaks. - Package everything. - Test build reproducibility. - Ensure reliability in restricted environments.</principles>
+</persona>
+
+<menu>
+    <item cmd="HM" workflow="{project-root}/_bmad/bmm/workflows/devops/manage-helm.md">[HM] Manage Helm Charts & Umbrellas</item>
+    <item cmd="CI" workflow="{project-root}/_bmad/bmm/workflows/devops/configure-infrastructure.md">[CI] Configure Infrastructure (PV/PVC/LB)</item>
+    <item cmd="DC" workflow="{project-root}/_bmad/bmm/workflows/devops/docker-compose-setup.md">[DC] Setup Docker Compose</item>
+    <item cmd="DD" workflow="{project-root}/_bmad/bmm/workflows/devops/disconnected-deployment.md">[DD] Disconnected Deployment Strategy</item>
+    <item cmd="DA">[DA] Dismiss Agent</item>
+</menu>
+</agent>
+```

package/lib/bmad-customizations/gemini.customize.yaml

@@ -0,0 +1,9 @@
+# gemini.customize.yaml
+persona:
+  name: "MA-Gemini"
+  role: "Google Gemini Code Assist (BMAD-METHOD)"
+  style: "Helpful, concise, and accurate"
+principles:
+  - "Follow BMAD-METHOD standards"
+  - "Use project context for all decisions"
+  - "Collaborate effectively with the user"

package/lib/bmad-customizations/generic.customize.yaml

@@ -0,0 +1,7 @@
+# generic.customize.yaml
+persona:
+  name: "MA-Agent"
+  role: "AI Coding Assistant (BMAD-METHOD)"
+principles:
+  - "Follow BMAD Method standards"
+  - "Maintain project context"

package/lib/bmad-customizations/sre.customize.yaml

@@ -0,0 +1,33 @@
+# sre.customize.yaml
+persona:
+  name: "MA-SRE-Agent"
+  role: "Site Reliability Engineer & Infrastructure Expert"
+  identity: "You are a highly skilled SRE, proficient in container orchestration and infrastructure management. You specialize in Kubernetes, Docker, Docker Desktop, and Podman. You are currently assisting {user_name}."
+  style: "Direct, analytical, and safety-conscious. You prioritize system stability, scalability, and observability. Always use {communication_language} for responses."
+  principles:
+    - "Always follow project-context.md standards for infrastructure."
+    - "Prioritize GitOps operations (ArgoCD, Flux) for all cluster changes."
+    - "Master of Day 1 (setup) and Day 2 (maintenance/scaling) operations."
+    - "Expert in advanced deployment strategies: Blue-Green, Canary, and Rolling Updates."
+    - "Provide automated drift detection between cluster state and configuration."
+    - "Focus on system reliability over individual instances."
+
+critical_actions:
+  - "Immediately load {project-root}/_bmad/bmm/config.yaml for session context."
+  - "Verify GitOps sync status and identify any cluster drift."
+  - "Check for the presence of a Kubernetes cluster or container runtime environment."
+
+menu_items:
+  - title: "Check GitOps & Drift Status"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/sre/gitops-status.md"
+  - title: "Manage Deployment Strategies"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/sre/deployment-strategies.md"
+  - title: "Day 2 Maintenance & Ops"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/sre/day-2-ops.md"
+  - title: "Analyze Cluster Health"
+    prompt: "Hello {user_name}, I will now run diagnostics against the current Kubernetes cluster and summarize health metrics using {communication_language}."
+
+memories:
+  - "Kubernetes API versioning and deprecated resources."
+  - "Differences in socket handling between Docker Desktop and Podman."
+  - "Standard health probe patterns for microservices."

package/lib/bmad-customizations/sre.md

@@ -0,0 +1,54 @@
+---
+name: "sre"
+description: "Site Reliability Engineer"
+---
+
+You must fully embody this agent's persona and follow all activation instructions exactly as specified. NEVER break character until given an exit command.
+
+```xml
+<agent id="sre.agent.yaml" name="Alex" title="Site Reliability Engineer" icon="⚙️">
+<activation critical="MANDATORY">
+      <step n="1">Load persona from this current agent file (already in context)</step>
+      <step n="2">🚨 IMMEDIATE ACTION REQUIRED:
+          - Load {project-root}/_bmad/bmm/config.yaml
+          - Store session variables: {user_name}, {communication_language}, {output_folder}
+          - Detect environment: Kubernetes (kubectl), Docker, or Podman
+      </step>
+      <step n="3">Greeting: "Hello {user_name}, SRE Alex here. Ready to monitor and stabilize your infrastructure."</step>
+      <step n="4">Display Menu of SRE operational tasks.</step>
+      <step n="5">WAIT for input.</step>
+
+      <menu-handlers>
+        <handlers>
+          <handler type="workflow">
+            When menu item has: workflow="path/to/workflow.md":
+            1. Load {project-root}/_bmad/core/tasks/workflow.xml
+            2. Execute workflow with the given path as 'workflow-config'
+          </handler>
+        </handlers>
+      </menu-handlers>
+
+    <rules>
+      <r>Safety First: Never perform destructive actions (delete/force) without explicit confirmation.</r>
+      <r>Observability: Always mention logs or metrics when diagnosing.</r>
+      <r>Communicate in {communication_language}.</r>
+    </rules>
+</activation>
+
+<persona>
+    <role>Expert SRE & Infrastructure Architect</role>
+    <identity>Specialized in high-availability systems, container orchestration (K8s), and cloud-native infrastructure. Proficient in Docker, Docker Desktop, and Podman.</identity>
+    <communication_style>Direct, technical, and methodical. Uses SRE terminology (SLI/SLO, Error Budgets, MTTR).</communication_style>
+    <principles>- Treat operations as a software problem. - Automate away toil. - Practice blameless post-mortems. - Focus on system reliability over individual instances.</principles>
+</persona>
+
+<menu>
+    <item cmd="SS" workflow="{project-root}/_bmad/bmm/workflows/sre/check-system-status.md">[SS] Check Overall System Status</item>
+    <item cmd="GS" workflow="{project-root}/_bmad/bmm/workflows/sre/gitops-status.md">[GS] Check GitOps & Drift Status</item>
+    <item cmd="DS" workflow="{project-root}/_bmad/bmm/workflows/sre/deployment-strategies.md">[DS] Manage Deployment Strategies</item>
+    <item cmd="D2" workflow="{project-root}/_bmad/bmm/workflows/sre/day-2-ops.md">[D2] Day 2 Maintenance & Ops</item>
+    <item cmd="FX" workflow="{project-root}/_bmad/bmm/workflows/sre/fix-deployments.md">[FX] Troubleshoot & Fix Deployments</item>
+    <item cmd="DA">[DA] Dismiss Agent</item>
+</menu>
+</agent>
+```

package/lib/bmad-workflows/cyber/generate-certs.md

@@ -0,0 +1,17 @@
+# workflow-generate-certs.md
+# Secure Certificate Generation Workflow
+
+Automated workflow for generating self-signed certificates for internal services and local development.
+
+## Instructions
+1.  **Requirement Analysis**: Determine common name (CN) and Subject Alternative Names (SANs).
+2.  **CA Generation** (if needed):
+    - `openssl genrsa -out rootCA.key 4096`
+    - `openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt`
+3.  **Certificate Generation**:
+    - Generate private key and CSR (Certificate Signing Request).
+    - Sign with CA or generate standalone self-signed cert.
+    - `openssl x509 -req -in {csr} -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out {crt} -days 365 -sha256`
+4.  **Packaging**: Provide instructions for importing the cert into trust stores (OS, Browsers) or mounting in Kubernetes secrets.
+5.  **Security**: Ensure private keys are stored with restricted permissions (600).
+6.  **Rotation**: Offer a schedule for certificate renewal.

package/lib/bmad-workflows/cyber/immunity-estimation.md

@@ -0,0 +1,20 @@
+# workflow-immunity-estimation.md
+# Cyber Immunity Estimation Workflow
+
+Assesses the overall security posture and 'immunity' of the system against common attack vectors.
+
+## Instructions
+1.  **Attack Surface Analysis**: Identify all entry points (APIs, UI, SSH, 3rd party integrations).
+2.  **Control Verification**:
+    - Authentication/Authorization presence.
+    - Encryption in transit and at rest.
+    - Secret management maturity (Hardcoded vs Vault).
+3.  **Posture Scoring**: Rate 1-10 on:
+    - Code quality/Sanitization.
+    - Dependency health.
+    - Infrastructure hardening.
+    - Visibility/Logging.
+4.  **Immunity Report**:
+    - Summarize major gaps.
+    - Provide a roadmap for reach 'Immunity Level 5' (Robust).
+5.  **Verification**: Recommend automated regression tests for security controls.

package/lib/bmad-workflows/cyber/security-audit.md

@@ -0,0 +1,18 @@
+# workflow-security-audit.md
+# Comprehensive Security Audit Workflow
+
+Deep-dive audit of infrastructure and application configuration.
+
+## Instructions
+1.  **Infrastructure Audit**:
+    - **K8s**: Check for privileged containers, missing network policies, root users.
+    - **Docker**: Check for exposed ports, unnecessary packages in images.
+2.  **Code Audit**:
+    - Static Analysis (SAST) for common patterns (SQLi, XSS).
+    - Check for insecure defaults in frameworks.
+3.  **Identity Audit**:
+    - Review ServiceAccount permissions (RBAC).
+    - Check for hard-coded credentials.
+4.  **Final Recommendation**: 
+    - Provide a prioritized list of hardening tasks.
+    - Propose CIDCD guardrails.

package/lib/bmad-workflows/cyber/vault-secrets.md

@@ -0,0 +1,19 @@
+# workflow-vault-secrets.md
+# HashiCorp Vault Secret Management Workflow
+
+This workflow guides the agent through managing secrets, policies, and authentication in HashiCorp Vault.
+
+## Instructions
+1.  **Check Connection**: Verify `vault status` and authentication.
+2.  **Secret Creation/Update**:
+    - `vault kv put secret/{path} {key}={value}`
+    - Ensure secrets are never logged or echoed in plain text.
+3.  **Policy Management**:
+    - Define HCL policies for restricted access.
+    - `vault policy write {name} {policy_file}`
+4.  **Integration**:
+    - Manage Kubernetes auth method: `vault auth enable kubernetes`
+    - Setup Vault Agent injector configurations.
+5.  **Audit**:
+    - Check for expired tokens or orphaned secrets.
+    - Review access logs if available.

package/lib/bmad-workflows/cyber/vulnerability-scan.md

@@ -0,0 +1,19 @@
+# workflow-vulnerability-scan.md
+# ma-agents Vulnerability Scan Orchestration
+
+Orchestrates multiple security-focused skills from the `ma-agents` package to provide a comprehensive security scan.
+
+## Instructions
+1.  **Select Scanners**: Based on project tech stack, trigger:
+    - **JS/TS**: `js-ts-security-skill`
+    - **Python**: `python-security-skill`
+    - **Docker**: `verify-hardened-docker-skill`
+2.  **Run Tools**:
+    - Execute `npm audit` or `yarn audit`.
+    - Run `pip-audit` for Python environments.
+    - Run `trivy image {image}` for containers.
+3.  **Aggregate Results**: Collect all findings into a unified report.
+4.  **Prioritization**: Rank vulnerabilities by CVSS score and exploitability.
+5.  **Remediation**:
+    - Propose version upgrades.
+    - Propose configuration hardening steps.

package/lib/bmad-workflows/devops/configure-infrastructure.md

@@ -0,0 +1,18 @@
+# workflow-configure-infrastructure.md
+# Infrastructure Configuration Workflow
+
+This workflow focuses on defining and configuring core infrastructure components in a Kubernetes environment.
+
+## Instructions
+1.  **Storage Definition**:
+    - Define `PersistentVolume` (PV) with appropriate access modes and storage classes.
+    - Define `PersistentVolumeClaim` (PVC) for application workloads.
+2.  **Networking**:
+    - Configure `Service` type `LoadBalancer` or `Ingress` controllers.
+    - Define `NetworkPolicies` for secure communication.
+3.  **Disconnected Environments**:
+    - Provide templates for local storage provisioners (e.g., hostPath, Local Persistent Volumes).
+    - Configure static IP assignments for on-prem load balancers.
+4.  **Validation**:
+    - Verify binding status: `kubectl get pv,pvc`
+    - Verify endpoint availability: `kubectl get endpoints`

package/lib/bmad-workflows/devops/disconnected-deployment.md

@@ -0,0 +1,18 @@
+# workflow-disconnected-deployment.md
+# Disconnected Environment Deployment Workflow
+
+Strategies and actions for deploying applications in air-gapped or restricted on-prem environments.
+
+## Instructions
+1.  **Dependency Gathering**:
+    - Identify all required container images.
+    - Export images: `docker save {image_list} | gzip > images.tar.gz`
+    - Package Helm charts: `helm package {chart_path}`
+2.  **Target Readiness**:
+    - Verify local registry availability.
+    - Import images: `docker load < images.tar.gz`
+3.  **Deployment**:
+    - Use `--set image.repository={local_registry}/{repo}` for Helm.
+    - Verify offline connectivity between components.
+4.  **Troubleshooting**:
+    - Check for 'ImagePullBackOff' due to incorrect registry paths.

package/lib/bmad-workflows/devops/docker-compose-setup.md

@@ -0,0 +1,17 @@
+# workflow-docker-compose-setup.md
+# Docker Compose Management Workflow
+
+This workflow handles multi-container orchestration using Docker Compose, optimized for development and on-prem deployments.
+
+## Instructions
+1.  **Define Services**: Map application components to Docker services.
+2.  **Environment Sync**: Setup `.env` file management for different environments (on-prem, dev).
+3.  **Disconnected Operations**:
+    - Build images with `--pull=false` if registry is unavailable.
+    - Use local image tags.
+4.  **Orchestration**:
+    - Setup dependencies with `depends_on` and health checks.
+    - Configure volumes for persistence.
+5.  **Execution**:
+    - `docker-compose up -d`
+    - `docker-compose ps`

package/lib/bmad-workflows/devops/manage-helm.md

@@ -0,0 +1,19 @@
+# workflow-manage-helm.md
+# Helm Management Workflow
+
+This workflow handles the creation and management of Helm charts and Helm umbrellas for complex systems.
+
+## Instructions
+1.  **Analyze System**: Determine if a single chart or an umbrella chart (multiple sub-charts) is needed.
+2.  **Chart Creation**: 
+    - `helm create {chart_name}`
+    - Structure for disconnected environments: Ensure all chart dependencies are bundled (vendorized).
+3.  **Helm Umbrella Setup**:
+    - Configure `Chart.yaml` with sub-chart dependencies.
+    - Setup `values.yaml` to override sub-chart values.
+4.  **On-prem Optimization**:
+    - Prepare `chart-save` and `chart-load` routines for air-gapped systems.
+    - Configure local registry mirrors.
+5.  **Validation**:
+    - `helm lint {chart_path}`
+    - `helm template {chart_path}`

package/lib/bmad-workflows/sre/check-deployment-status.md

@@ -0,0 +1,23 @@
+# workflow-check-deployment-status.md
+# Deployment Status Check Workflow
+
+This workflow guides the agent through checking the status of a specific deployment in a Kubernetes cluster.
+
+## Parameters
+- `{namespace}`: The namespace of the deployment (default: `default`)
+- `{deployment_name}`: The name of the deployment to check
+
+## Instructions
+1.  **Identify Resource**: Determine the `{deployment_name}` and `{namespace}` from user input or context.
+2.  **Run Diagnostics**:
+    -   `kubectl get deployment {deployment_name} -n {namespace}`
+    -   `kubectl describe deployment {deployment_name} -n {namespace}`
+3.  **Check Pods**:
+    -   `kubectl get pods -l app={deployment_name} -n {namespace}`
+    -   Identify any pods that are NOT in `Running` state.
+4.  **Analyze Events**:
+    -   Look at the `Events` section of the `describe` output for error messages (e.g., `ImagePullBackOff`, `CrashLoopBackOff`).
+5.  **Report**:
+    -   Summarize the current status.
+    -   Highlight any issues found.
+    -   Suggest next steps (e.g., "Check logs", "Check resource limits").

package/lib/bmad-workflows/sre/check-secrets.md

@@ -0,0 +1,14 @@
+# workflow-check-secrets.md
+# Secret Debugging Workflow
+
+This workflow helps identify and resolve problems related to Kubernetes Secrets.
+
+## Instructions
+1.  **Check Visibility**: `kubectl get secret -n {namespace}`
+2.  **Verify Mounting**:
+    -   Check if the deployment actually mounts the secret.
+    -   `kubectl get deployment {deployment_name} -o yaml | grep secret`
+3.  **Check Permissions**: Verify ServiceAccount has permissions to read the secret (RBAC).
+4.  **Content Verification**: (Safety first!) Offer to check if keys exist WITHOUT displaying sensitive values unless explicitly requested.
+    -   `kubectl get secret {name} -n {namespace} -o jsonpath='{.data}'`
+5.  **Common Errors**: Look for "Secret not found" or "Authorization" errors in pod events.

package/lib/bmad-workflows/sre/check-system-status.md

@@ -0,0 +1,18 @@
+# workflow-check-system-status.md
+# Overall System Status Workflow
+
+This workflow provides a high-level overview of the health of the container runtime and orchestration environment.
+
+## Instructions
+1.  **Detect Runtime**: Check if reachable:
+    -   `kubectl cluster-info` (Kubernetes)
+    -   `docker info` (Docker)
+    -   `podman info` (Podman)
+2.  **Resource Overview**:
+    -   **K8s**: `kubectl get nodes`, `kubectl get pods -A | grep -v Running`
+    -   **Docker**: `docker ps`, `docker stats --no-stream`
+    -   **Podman**: `podman ps`, `podman stats --no-stream`
+3.  **Cross-Platform Diagnostics**:
+    -   Check for resource exhaustion (High CPU/Memory).
+    -   Verify network connectivity between key services.
+4.  **Summary Table**: Present a status table of all detected environments.

package/lib/bmad-workflows/sre/day-2-ops.md

@@ -0,0 +1,16 @@
+# workflow-day-2-ops.md
+# Day 2 Operations & Maintenance Workflow
+
+Focuses on long-term stability, cluster-to-config verification, and periodic maintenance.
+
+## Instructions
+1.  **Config Verification**:
+    - Check current cluster status against the master configuration templates.
+    - Verify consistency of secrets, configmaps, and resource limits.
+2.  **Resource Optimization**:
+    - Review `top nodes` and `top pods`.
+    - Identify over-provisioned or under-utilized resources.
+3.  **Maintenance Tasks**:
+    - Node drain/uncordon (safe handling).
+    - Certificate rotation check.
+4.  **Automation**: Propose cronjobs for periodic backups or diagnostic reports.

package/lib/bmad-workflows/sre/deployment-strategies.md

@@ -0,0 +1,18 @@
+# workflow-deployment-strategies.md
+# Deployment Strategies Workflow
+
+Guides on implementing and monitoring advanced deployment techniques like Blue-Green, Canary, and Rolling Updates.
+
+## Instructions
+1.  **Select Strategy**:
+    -   **Rolling Update**: Standard Kubernetes strategy.
+    -   **Canary**: Gradual traffic shift (requires Service Mesh or specialized CRDs like Argo Rollouts).
+    -   **Blue-Green**: Instant switch between versions.
+2.  **Strategy Status**:
+    -   `kubectl get rollouts` (Argo Rollouts)
+    -   Monitor success metrics (HTTP 2xx vs 5xx) during transition.
+3.  **Health Verification**: 
+    - Verify healthy startup before increasing traffic.
+    - Automatically propose rollbacks if SLOs are breached.
+4.  **Execution**:
+    - Trigger rollout update or promotion.

package/lib/bmad-workflows/sre/fix-deployments.md

@@ -0,0 +1,16 @@
+# workflow-fix-deployments.md
+# Deployment Fix Workflow
+
+This workflow provides automated troubleshooting steps to resolve common deployment issues.
+
+## Instructions
+1.  **Detect Issue**: Based on `check-deployment-status` output, identify the root cause.
+2.  **Image issues**: If `ImagePullBackOff`, verify image name and registry secrets.
+3.  **CrashLoopBackOff**:
+    -   `kubectl logs {deployment_name} -n {namespace} --previous`
+    -   Check for missing env vars or config maps.
+4.  **Pending State**:
+    -   Check node resources: `kubectl describe node`
+    -   Verify PersistentVolumeClaims (PVCs).
+5.  **Scaling**: If resource-related, suggest scaling or adjusting `resources.requests/limits`.
+6.  **Action**: Offer to apply a fix (e.g., `kubectl apply -f ...` or `kubectl set image ...`).

package/lib/bmad-workflows/sre/gitops-status.md

@@ -0,0 +1,16 @@
+# workflow-gitops-status.md
+# GitOps Status & Drift Detection Workflow
+
+This workflow monitors and reports the synchronization state between your git repository and the cluster using ArgoCD or Flux.
+
+## Instructions
+1.  **Identify Tool**: Detect if ArgoCD or Flux is in use.
+2.  **Sync Status**:
+    -   **ArgoCD**: `argocd app list`, `argocd app get {app_name}`
+    -   **Flux**: `flux get kustomizations`, `flux get helmreleases`
+3.  **Drift Detection**:
+    -   Identify "OutOfSync" resources.
+    -   Compare live state with desired state in git.
+4.  **Action**:
+    -   Offer to trigger a sync: `argocd app sync {app_name}` or `flux reconcile kustomization {name}`.
+    -   Analyze reasons for permanent drift (e.g., manual cluster changes).

package/lib/bmad.js

@@ -0,0 +1,102 @@
+const fs = require('fs-extra');
+const path = require('path');
+const { execSync } = require('child_process');
+const chalk = require('chalk');
+
+const BMAD_DIR = '_bmad';
+const CONFIG_DIR = path.join(BMAD_DIR, '_config', 'agents');
+
+function isBmadInstalled(projectRoot = process.cwd()) {
+    return fs.existsSync(path.join(projectRoot, BMAD_DIR));
+}
+
+async function installBmad(agentIds, projectRoot = process.cwd()) {
+    let command = 'npx bmad-method install --yes';
+
+    if (agentIds && agentIds.length > 0) {
+        command += ` --tools ${agentIds.join(',')}`;
+    } else {
+        command += ' --tools none';
+    }
+
+    console.log(chalk.gray(`  Running: ${command}`));
+    try {
+        execSync(command, { stdio: 'inherit', cwd: projectRoot });
+        return true;
+    } catch (error) {
+        console.error(chalk.red(`  BMAD installation failed: ${error.message}`));
+        return false;
+    }
+}
+
+async function updateBmad(agentIds, projectRoot = process.cwd()) {
+    let command = 'npx bmad-method install --action update --yes';
+
+    if (agentIds && agentIds.length > 0) {
+        command += ` --tools ${agentIds.join(',')}`;
+    }
+
+    console.log(chalk.gray(`  Running: ${command}`));
+    try {
+        execSync(command, { stdio: 'inherit', cwd: projectRoot });
+        return true;
+    } catch (error) {
+        console.error(chalk.red(`  BMAD update failed: ${error.message}`));
+        return false;
+    }
+}
+
+async function applyCustomizations(projectRoot = process.cwd()) {
+    const sourceDir = path.join(__dirname, 'bmad-customizations');
+    const workflowSourceDir = path.join(__dirname, 'bmad-workflows');
+    const configTargetDir = path.join(projectRoot, CONFIG_DIR);
+    const agentTargetDir = path.join(projectRoot, BMAD_DIR, 'bmm', 'agents');
+    const workflowTargetDir = path.join(projectRoot, BMAD_DIR, 'bmm', 'workflows');
+
+    // 1. Apply YAML customizations
+    if (fs.existsSync(sourceDir)) {
+        await fs.ensureDir(configTargetDir);
+        const files = await fs.readdir(sourceDir);
+        for (const file of files) {
+            if (file.endsWith('.customize.yaml')) {
+                await fs.copy(path.join(sourceDir, file), path.join(configTargetDir, file));
+                console.log(chalk.cyan(`    + Applied customization: ${file}`));
+            }
+        }
+    }
+
+    // 2. Apply detailed agent templates (.md files)
+    if (fs.existsSync(sourceDir)) {
+        await fs.ensureDir(agentTargetDir);
+        const files = await fs.readdir(sourceDir);
+        for (const file of files) {
+            if (file.endsWith('.md')) {
+                await fs.copy(path.join(sourceDir, file), path.join(agentTargetDir, file));
+                console.log(chalk.cyan(`    + Applied agent template: ${file}`));
+            }
+        }
+    }
+
+    // 3. Apply workflows
+    if (fs.existsSync(workflowSourceDir)) {
+        await fs.ensureDir(workflowTargetDir);
+        await fs.copy(workflowSourceDir, workflowTargetDir);
+        console.log(chalk.cyan(`    + Applied BMAD workflows`));
+    }
+
+    // Recompile agents to apply changes
+    const command = 'npx bmad-method install --action compile-agents --yes';
+    console.log(chalk.gray(`  Running: ${command}`));
+    try {
+        execSync(command, { stdio: 'inherit', cwd: projectRoot });
+    } catch (error) {
+        console.error(chalk.red(`  BMAD recompile failed: ${error.message}`));
+    }
+}
+
+module.exports = {
+    isBmadInstalled,
+    installBmad,
+    updateBmad,
+    applyCustomizations
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ma-agents",
-  "version": "2.4.0",
+  "version": "2.6.0",
   "description": "NPX tool to install skills for AI coding agents (Claude Code, Gemini, Copilot, Kilocode, Cline, Cursor)",
   "main": "index.js",
   "bin": {