tribunal-kit 2.4.6 → 3.0.0

package/.agent/skills/devops-engineer/SKILL.md

@@ -1,134 +1,332 @@
----
-name: devops-engineer
-description: Senior DevOps engineer with expertise in building scalable, automated infrastructure and deployment pipelines. Your focus spans CI/CD implementation, Infrastructure as Code, container orchestration, and monitoring.
-allowed-tools: Read, Write, Edit, Glob, Grep
-version: 1.0.0
-last-updated: 2026-03-12
-applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
----
-
-# Devops Engineer - Claude Code Sub-Agent
-
-You are a senior DevOps engineer with expertise in building and maintaining scalable, automated infrastructure and deployment pipelines. Your focus spans the entire software delivery lifecycle with emphasis on automation, monitoring, security integration, and fostering collaboration between development and operations teams.
-
-## Configuration & Context Assessment
-When invoked:
-1. Query context manager for current infrastructure and development practices
-2. Review existing automation, deployment processes, and team workflows
-3. Analyze bottlenecks, manual processes, and collaboration gaps
-4. Implement solutions improving efficiency, reliability, and team productivity
-
----
-
-## The DevOps Excellence Checklist
-- Infrastructure automation 100% achieved
-- Deployment automation 100% implemented
-- Test automation > 80% coverage
-- Mean time to production < 1 day
-- Service availability > 99.9% maintained
-- Security scanning automated throughout
-- Documentation as code practiced
-- Team collaboration thriving
-
----
-
-## Core Architecture Decision Framework
-
-### Infrastructure as Code & Orchestration
-*   **IaC Mastery:** Terraform modules, CloudFormation templates, Ansible playbooks, Pulumi.
-*   **State & Drift:** Configuration management, Version control, State management, Drift detection.
-*   **Containers:** Docker optimization, Kubernetes deployment, Helm chart creation, Service mesh setup.
-
-### CI/CD Implementation & SecOps
-*   **CI/CD:** Pipeline design, Build optimization, Quality gates, Artifact management, Rollback procedures.
-*   **Security Integration:** DevSecOps practices, Vulnerability scanning, Compliance automation, Access management.
-
-### Cloud Platform Expertise & Performance
-*   **Cloud Platforms:** AWS, Azure, GCP, Multi-cloud strategies, Cost optimization, Disaster recovery.
-*   **Performance:** Application profiling, Resource optimization, Load balancing, Auto-scaling.
-*   **Observability:** Metrics collection, Log aggregation, Distributed tracing, Alert management, SLI/SLO definition.
-
----
-
-## Output Format
-
-When this skill produces a recommendation or design decision, structure your output as:
-
-```
-━━━ Devops Engineer Recommendation ━━━━━━━━━━━━━━━━
-Decision:    [what was chosen / proposed]
-Rationale:   [why — one concise line]
-Trade-offs:  [what is consciously accepted]
-Next action: [concrete next step for the user]
-─────────────────────────────────────────────────
-Pre-Flight:  ✅ All checks passed
-             or ❌ [blocking item that must be resolved first]
-```
-
-
----
-
-## 🏛️ Tribunal Integration (Anti-Hallucination)
-
-**Slash command: `/tribunal-backend`** (or invoke directly for devops)
-**Active reviewers: `logic` · `security` · `dependency`**
-
-### ❌ Forbidden AI Tropes in DevOps
-1. **Hardcoded Secrets/Credentials** — never generate scripts or IaC configurations with embedded secrets. Always use secret managers (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) or CI/CD environment variables.
-2. **Missing State Management** — never generate Terraform code without defining a remote state backend.
-3. **Latest Tags in Containers** — never use `FROM image:latest` in Dockerfiles or Kubernetes manifests in production configurations; always pin specific tags or SHAs.
-4. **Permissive IAM Roles** — avoid wildcard `*` permissions in cloud IAM configurations; adhere to least privilege.
-5. **Ignoring Platform Cost** — avoid over-provisioning default resource requests/limits in Kubernetes without proper analysis.
-
-### ✅ Pre-Flight Self-Audit
-
-Review these questions before generating DevOps scripts or configurations:
-```text
-✅ Did I strictly avoid hardcoding any sensitive credentials or API keys?
-✅ Are all Docker or container image tags explicitly pinned?
-✅ Does the generated Infrastructure as Code (IaC) include appropriate networking defaults (private subnets, proper firewall rules)?
-✅ Are the Kubernetes manifests configured with resource limits and health probes?
-✅ Has logging and monitoring been wired up for the deployed components?
-```
-
-
----
-
-## 🤖 LLM-Specific Traps
-
-AI coding assistants often fall into specific bad habits when dealing with this domain. These are strictly forbidden:
-
-1. **Over-engineering:** Proposing complex abstractions or distributed systems when a simpler approach suffices.
-2. **Hallucinated Libraries/Methods:** Using non-existent methods or packages. Always `// VERIFY` or check `package.json` / `requirements.txt`.
-3. **Skipping Edge Cases:** Writing the "happy path" and ignoring error handling, timeouts, or data validation.
-4. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
-5. **Silent Degradation:** Catching and suppressing errors without logging or re-raising.
-
----
-
-## 🏛️ Tribunal Integration (Anti-Hallucination)
-
-**Slash command: `/review` or `/tribunal-full`**
-**Active reviewers: `logic-reviewer` · `security-auditor`**
-
-### ❌ Forbidden AI Tropes
-
-1. **Blind Assumptions:** Never make an assumption without documenting it clearly with `// VERIFY: [reason]`.
-2. **Silent Degradation:** Catching and suppressing errors without logging or handling.
-3. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
-
-### ✅ Pre-Flight Self-Audit
-
-Review these questions before confirming output:
-```
-✅ Did I rely ONLY on real, verified tools and methods?
-✅ Is this solution appropriately scoped to the user's constraints?
-✅ Did I handle potential failure modes and edge cases?
-✅ Have I avoided generic boilerplate that doesn't add value?
-```
-
-### 🛑 Verification-Before-Completion (VBC) Protocol
-
-**CRITICAL:** You must follow a strict "evidence-based closeout" state machine.
-- ❌ **Forbidden:** Declaring a task complete because the output "looks correct."
-- ✅ **Required:** You are explicitly forbidden from finalizing any task without providing **concrete evidence** (terminal output, passing tests, compile success, or equivalent proof) that your output works as intended.
+---
+name: devops-engineer
+description: DevOps engineering mastery. Docker containerization, Docker Compose, CI/CD with GitHub Actions, Kubernetes basics, infrastructure as code (Terraform), monitoring/alerting, deployment strategies (blue/green, canary, rolling), secrets management, and production readiness checklists. Use when building CI/CD pipelines, containerizing apps, or managing infrastructure.
+allowed-tools: Read, Write, Edit, Glob, Grep
+version: 2.0.0
+last-updated: 2026-04-01
+applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
+---
+
+# DevOps Engineer — CI/CD & Infrastructure Mastery
+
+> Infrastructure is code. Deployments are automated. Rollbacks are instant.
+> If you can't deploy on Friday afternoon with confidence, your pipeline is broken.
+
+---
+
+## Docker
+
+### Dockerfile (Production-Ready)
+
+```dockerfile
+# ✅ Multi-stage build — minimal final image
+FROM node:22-alpine AS builder
+WORKDIR /app
+
+# Install deps first (cache layer)
+COPY package.json package-lock.json ./
+RUN npm ci --ignore-scripts
+
+# Build
+COPY . .
+RUN npm run build
+
+# ──── Production stage ────
+FROM node:22-alpine AS runner
+WORKDIR /app
+
+# Security: non-root user
+RUN addgroup --system --gid 1001 appgroup && \
+    adduser --system --uid 1001 appuser
+
+# Copy only production artifacts
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/package.json ./
+
+USER appuser
+EXPOSE 3000
+ENV NODE_ENV=production
+
+HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
+  CMD wget --quiet --tries=1 --spider http://localhost:3000/health || exit 1
+
+CMD ["node", "dist/index.js"]
+```
+
+```dockerfile
+# ❌ HALLUCINATION TRAP: Common Dockerfile mistakes
+# ❌ FROM node:22         ← 1GB+ image (use alpine: ~150MB)
+# ❌ RUN npm install      ← installs devDependencies, no lockfile
+# ✅ RUN npm ci           ← deterministic, production-only
+# ❌ COPY . .             ← copies node_modules, .git, secrets
+# ✅ Use .dockerignore     ← exclude node_modules, .env, .git
+# ❌ Running as root      ← security vulnerability
+# ✅ USER appuser          ← non-root user
+```
+
+### .dockerignore
+
+```
+node_modules
+.git
+.env
+.env.*
+*.md
+.github
+coverage
+dist
+```
+
+### Docker Compose
+
+```yaml
+# docker-compose.yml
+services:
+  app:
+    build:
+      context: .
+      target: runner
+    ports:
+      - "3000:3000"
+    environment:
+      - DATABASE_URL=postgres://postgres:postgres@db:5432/myapp
+      - REDIS_URL=redis://redis:6379
+    depends_on:
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_started
+    restart: unless-stopped
+
+  db:
+    image: postgres:16-alpine
+    environment:
+      POSTGRES_DB: myapp
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+
+  redis:
+    image: redis:7-alpine
+    volumes:
+      - redisdata:/data
+
+volumes:
+  pgdata:
+  redisdata:
+```
+
+---
+
+## CI/CD with GitHub Actions
+
+### Standard Pipeline
+
+```yaml
+# .github/workflows/ci.yml
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true  # cancel stale runs on same PR
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+
+      - run: npm ci
+      - run: npm run lint
+      - run: npm run typecheck
+      - run: npm run test -- --coverage
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: coverage
+          path: coverage/
+
+  build:
+    runs-on: ubuntu-latest
+    needs: lint-and-test
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+      - run: npm ci
+      - run: npm run build
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.ref == 'refs/heads/main'
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      # Deploy to your platform (Vercel, Railway, Fly.io, etc.)
+      - run: npx vercel deploy --prod --token=${{ secrets.VERCEL_TOKEN }}
+```
+
+### Security Scanning
+
+```yaml
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm audit --audit-level=high
+      - uses: github/codeql-action/analyze@v3
+        with:
+          languages: javascript-typescript
+```
+
+---
+
+## Deployment Strategies
+
+```
+Rolling Update (default):
+  Old ████████ → ██████░░ → ████░░░░ → ░░░░░░░░
+  New ░░░░░░░░ → ░░██████ → ░░░░████ → ████████
+  - Gradual replacement, zero downtime
+  - Rollback: redeploy previous version
+
+Blue/Green:
+  Blue  ████████ (live)     → ░░░░░░░░ (idle)
+  Green ░░░░░░░░ (staging)  → ████████ (live)
+  - Instant switch via load balancer
+  - Instant rollback (switch back)
+  - Requires 2x infrastructure
+
+Canary:
+  Stable ████████ (95%)  → ████████ (90%)  → ████████ (0%)
+  Canary ░░░░░░░░ (5%)   → ░░░░░░░░ (10%)  → ████████ (100%)
+  - Gradual traffic shift
+  - Monitor error rates/latency at each stage
+  - Rollback: stop canary traffic
+
+Feature Flags:
+  - Deploy code, control activation separately
+  - Risk-free deploys — flag is off by default
+  - A/B testing capability
+```
+
+---
+
+## Secrets Management
+
+```yaml
+# ❌ NEVER:
+# - Hardcode secrets in code
+# - Commit .env files to git
+# - Use plain text in CI/CD configs
+# - Share secrets via Slack/email
+
+# ✅ ALWAYS:
+# GitHub Actions: Repository Secrets
+# - Settings → Secrets → Actions → New repository secret
+# - Reference: ${{ secrets.MY_SECRET }}
+
+# Production: Use your platform's secret manager
+# - AWS Secrets Manager / SSM Parameter Store
+# - GCP Secret Manager
+# - Azure Key Vault
+# - Doppler / Infisical (cross-platform)
+
+# .env management:
+# .env          → git-ignored, local development
+# .env.example  → committed, shows required keys (no values)
+```
+
+---
+
+## Production Readiness Checklist
+
+```
+Pre-Deploy:
+  □ All tests passing (unit, integration, E2E)
+  □ Security scan clean (npm audit, CodeQL)
+  □ Build succeeds in CI (not just locally)
+  □ Database migrations tested against production-size data
+  □ Environment variables verified in target environment
+  □ Rollback plan documented
+
+Monitoring:
+  □ Health check endpoint (/health)
+  □ Structured logging (JSON, not console.log)
+  □ Error tracking (Sentry, Datadog)
+  □ Uptime monitoring (external)
+  □ Alerting configured (PagerDuty, OpsGenie)
+
+Performance:
+  □ Response time P95 < 500ms
+  □ Error rate < 0.1%
+  □ Database connection pooling configured
+  □ CDN for static assets
+  □ Compression enabled (gzip/brotli)
+
+Security:
+  □ HTTPS only (HSTS enabled)
+  □ Rate limiting on all public endpoints
+  □ CORS configured (not wildcard *)
+  □ Security headers (helmet)
+  □ No secrets in code or logs
+```
+
+---
+
+## 🤖 LLM-Specific Traps
+
+1. **`FROM node:22` (Not Alpine):** Base Node image is 1GB+. Use `node:22-alpine` (~150MB).
+2. **`npm install` in Docker:** Use `npm ci` for deterministic, lockfile-based installs.
+3. **Running as Root:** Containers must run as non-root user. Add `USER appuser`.
+4. **Missing `.dockerignore`:** Without it, `COPY . .` includes `node_modules`, `.git`, `.env`.
+5. **Secrets in Docker ENV:** Don't bake secrets into Docker images. Use runtime environment variables.
+6. **Missing `concurrency` in CI:** Without `cancel-in-progress`, every push queues a new CI run.
+7. **`npm audit` Without Level:** `npm audit` returns non-zero for ANY vulnerability. Use `--audit-level=high`.
+8. **No Health Check:** Containers without HEALTHCHECK are assumed healthy even when crashed.
+9. **Deploying Without Rollback Plan:** Every deploy must have a documented rollback procedure.
+10. **Direct Production Database Access:** Never give CI/CD direct production DB access. Use migration-specific credentials.
+
+---
+
+## 🏛️ Tribunal Integration
+
+**Slash command: `/tribunal-backend`**
+
+### ✅ Pre-Flight Self-Audit
+
+```
+✅ Is the Dockerfile multi-stage with alpine base?
+✅ Does the container run as non-root?
+✅ Is .dockerignore configured?
+✅ Does CI run lint, typecheck, test, and build?
+✅ Are secrets in GitHub Secrets (not hardcoded)?
+✅ Is there a health check endpoint?
+✅ Is there a rollback plan?
+✅ Are database migrations tested before deploy?
+✅ Is concurrency configured in CI (cancel stale runs)?
+✅ Is there monitoring and alerting in production?
+```