Terraform
Infrastructure
Skills using Terraform (448)
cloud-architect
Expert cloud architect specializing in AWS/Azure/GCP multi-cloud infrastructure design, advanced IaC (Terraform/OpenTofu/CDK), FinOps cost optimization, and modern architectural patterns.
cloud-devops
Cloud infrastructure and DevOps workflow covering AWS, Azure, GCP, Kubernetes, Terraform, CI/CD, monitoring, and cloud-native development.
terraform-specialist
Expert Terraform/OpenTofu specialist mastering advanced IaC automation, state management, and enterprise infrastructure patterns.
infrastructure
Cloud-native infrastructure. Kubernetes, Helm, Kustomize, Operator, CRD, GitOps, ArgoCD, Flux, IaC, Terraform, Pulumi, CDK. Route here when the user mentions K8s, Helm, GitOps, or IaC.
apex-takeover
System takeover — take ownership of an existing codebase or inherited system. Use when "we acquired this", "previous team left", "take over this system", "inherited this codebase".
atlas-map
Map the system architecture — read the codebase, identify services and connections, output a C4-level architecture map as Mermaid diagrams with component descriptions. Use when asked to "map the architecture", "system diagram", "how does this work", or "architecture overview".
castai-ci-integration
Integrate CAST AI policy validation and cost checks into CI/CD pipelines. Use when adding CAST AI savings verification to GitHub Actions, validating Terraform plans, or gating deployments on cost thresholds. Trigger with phrases like "cast ai CI", "cast ai github actions", "cast ai terraform CI", "cast ai pipeline".
castai-deploy-integration
Deploy CAST AI across multi-cloud Kubernetes clusters with Terraform modules. Use when onboarding EKS, GKE, or AKS clusters to CAST AI using infrastructure-as-code patterns. Trigger with phrases like "deploy cast ai", "cast ai eks", "cast ai gke", "cast ai aks", "cast ai terraform module".
castai-install-auth
Install and configure CAST AI agent on a Kubernetes cluster with API key authentication. Use when onboarding a cluster to CAST AI, setting up Helm charts, or configuring Terraform provider authentication. Trigger with phrases like "install cast ai", "connect cluster to cast ai", "cast ai setup", "cast ai api key", "cast ai helm install".
castai-local-dev-loop
Set up a local Kubernetes development loop with CAST AI cost monitoring. Use when building cost-aware deployments, testing autoscaler policies, or iterating on Terraform CAST AI configurations locally. Trigger with phrases like "cast ai dev setup", "cast ai local testing", "develop with cast ai", "cast ai terraform dev".
castai-performance-tuning
Optimize CAST AI autoscaler performance, node provisioning speed, and API efficiency. Use when nodes take too long to provision, autoscaler is not reacting fast enough, or optimizing API call patterns for multi-cluster dashboards. Trigger with phrases like "cast ai performance", "cast ai slow", "cast ai node provisioning", "cast ai autoscaler speed".
castai-reference-architecture
CAST AI reference architecture for multi-cluster Kubernetes cost optimization. Use when designing CAST AI deployment across environments, planning Terraform module structure, or establishing team standards. Trigger with phrases like "cast ai architecture", "cast ai best practices", "cast ai multi-cluster", "cast ai terraform structure".
castai-upgrade-migration
Upgrade CAST AI Helm charts, Terraform provider, and agent components. Use when upgrading CAST AI versions, checking for breaking changes, or migrating between CAST AI agent releases. Trigger with phrases like "upgrade cast ai", "update cast ai agent", "cast ai helm upgrade", "cast ai terraform upgrade".
coderabbit-data-handling
Implement CodeRabbit PII handling, data retention, and GDPR/CCPA compliance patterns. Use when handling sensitive data, implementing data redaction, configuring retention policies, or ensuring compliance with privacy regulations for CodeRabbit integrations. Trigger with phrases like "coderabbit data", "coderabbit PII", "coderabbit GDPR", "coderabbit data retention", "coderabbit privacy", "coderabbit CCPA".
databricks-multi-env-setup
Configure Databricks across development, staging, and production environments. Use when setting up multi-environment deployments, configuring per-environment secrets, or implementing environment-specific Databricks configurations. Trigger with phrases like "databricks environments", "databricks staging", "databricks dev prod", "databricks environment setup", "databricks config by env".
databricks-reference-architecture
Implement Databricks reference architecture with best-practice project layout. Use when designing new Databricks projects, reviewing architecture, or establishing standards for Databricks applications. Trigger with phrases like "databricks architecture", "databricks best practices", "databricks project structure", "how to organize databricks", "databricks layout".
oraclecloud-ci-integration
Configure CI/CD pipelines for OCI with Terraform and GitHub Actions. Use when setting up automated infrastructure deployments, running Terraform plans in CI, or configuring OCI authentication for GitHub Actions. Trigger with "oraclecloud ci", "oci terraform ci", "oci github actions", "oracle cloud ci integration".
oraclecloud-reference-architecture
Standard 3-tier OCI reference architecture with VCN, subnets, gateways, load balancer, compute, and Autonomous DB. Use when designing a new OCI deployment, translating AWS/Azure patterns, or creating Terraform for OCI infrastructure. Trigger with "oraclecloud architecture", "oci reference design", "oci 3 tier", "oci vpc design".
oraclecloud-upgrade-migration
Safely upgrade OCI Python SDK and Terraform provider — version pinning, breaking change detection, and rollback. Use when upgrading oci pip packages, updating the Terraform OCI provider, or debugging post-upgrade failures. Trigger with "oraclecloud upgrade", "oci sdk upgrade", "oci terraform provider update", "oci version migration".
research-to-deploy
Researches infrastructure best practices and generates deployment-ready configurations, Terraform modules, Dockerfiles, and CI/CD pipelines. Use when the user needs to deploy services, set up infrastructure, or create cloud configurations based on current best practices. Trigger with phrases like "research and deploy", "set up Cloud Run", "create Terraform for", "deploy this to AWS", or "generate infrastructure configs".
snowflake-ci-integration
Configure Snowflake CI/CD with GitHub Actions, SchemaChange, and Terraform. Use when setting up automated schema migrations, CI pipelines for Snowflake, or integrating SchemaChange/Terraform into your deployment workflow. Trigger with phrases like "snowflake CI", "snowflake GitHub Actions", "snowflake SchemaChange", "snowflake terraform", "snowflake CI/CD".
windsurf-policy-guardrails
Implement team-wide Windsurf usage policies, code quality gates, and Cascade guardrails. Use when setting up code review policies for AI-generated code, configuring Turbo mode safety controls, or implementing CI gates for Cascade output. Trigger with phrases like "windsurf policy", "windsurf guardrails", "cascade safety rules", "windsurf team rules", "AI code policy".
windsurf-security-basics
Apply Windsurf security best practices for workspace isolation, data privacy, and secret protection. Use when securing sensitive code from AI indexing, configuring telemetry, or auditing Windsurf security posture. Trigger with phrases like "windsurf security", "windsurf secrets", "windsurf privacy", "windsurf data protection", "codeiumignore".
aegisops-ai
Autonomous DevSecOps & FinOps Guardrails. Orchestrates Gemini 3 Flash to audit Linux Kernel patches, Terraform cost drifts, and K8s compliance.
cdk-patterns
Common AWS CDK patterns and constructs for building cloud infrastructure with TypeScript, Python, or Java. Use when designing reusable CDK stacks and L3 constructs.
cloudformation-best-practices
CloudFormation template optimization, nested stacks, drift detection, and production-ready patterns. Use when writing or reviewing CF templates.
devops-deploy
DevOps and application deployment: Docker, CI/CD with GitHub Actions, AWS Lambda, SAM, Terraform, infrastructure as code, and monitoring.
terraform-aws-modules
Terraform module creation for AWS — reusable modules, state management, and HCL best practices. Use when building or reviewing Terraform AWS infrastructure.
terraform-infrastructure
Terraform infrastructure as code workflow for provisioning cloud resources, creating reusable modules, and managing infrastructure at scale.
terraform-module-library
Production-ready Terraform module patterns for AWS, Azure, and GCP infrastructure.
aws-architecture-diagram
Generate validated AWS architecture diagrams as draw.io XML using official AWS4 icon libraries. Use this skill whenever the user wants to create, generate, or design AWS architecture diagrams, cloud infrastructure diagrams, or system design visuals. Also triggers for requests to visualize existing infrastructure from CloudFormation, CDK, or Terraform code. Supports two modes: analyze an existing codebase to auto-generate diagrams, or brainstorm interactively from scratch. Exports .drawio files with optional PNG/SVG/PDF export via draw.io desktop CLI.
terraform-skill
Terraform infrastructure as code best practices
alertmanager-rules-config
Manage alertmanager rules config operations. Auto-activating skill for DevOps Advanced. Triggers on: alertmanager rules config. Part of the DevOps Advanced skill category. Use when configuring systems or services. Trigger with phrases like "alertmanager rules config", "alertmanager config", "alertmanager".
ansible-playbook-generator
Generate ansible playbook generator operations. Auto-activating skill for DevOps Advanced. Triggers on: ansible playbook generator. Part of the DevOps Advanced skill category. Use when working with ansible playbook generator functionality. Trigger with phrases like "ansible playbook generator", "ansible generator", "ansible".
ansible-role-creator
Create ansible role creator operations. Auto-activating skill for DevOps Advanced. Triggers on: ansible role creator. Part of the DevOps Advanced skill category. Use when working with ansible role creator functionality. Trigger with phrases like "ansible role creator", "ansible creator", "ansible".
argocd-app-deployer
Deploy argocd app deployer operations. Auto-activating skill for DevOps Advanced. Triggers on: argocd app deployer. Part of the DevOps Advanced skill category. Use when deploying applications or services. Trigger with phrases like "argocd app deployer", "argocd deployer", "deploy argocd app er".
cert-manager-setup
Manage cert manager setup operations. Auto-activating skill for DevOps Advanced. Triggers on: cert manager setup. Part of the DevOps Advanced skill category. Use when working with cert manager setup functionality. Trigger with phrases like "cert manager setup", "cert setup", "cert".
consul-service-discovery
Manage consul service discovery operations. Auto-activating skill for DevOps Advanced. Triggers on: consul service discovery. Part of the DevOps Advanced skill category. Use when working with consul service discovery functionality. Trigger with phrases like "consul service discovery", "consul discovery", "consul".
elasticsearch-index-manager
Manage elasticsearch index manager operations. Auto-activating skill for DevOps Advanced. Triggers on: elasticsearch index manager. Part of the DevOps Advanced skill category. Use when working with elasticsearch index manager functionality. Trigger with phrases like "elasticsearch index manager", "elasticsearch manager", "elasticsearch".
envoy-proxy-config
Configure envoy proxy config operations. Auto-activating skill for DevOps Advanced. Triggers on: envoy proxy config. Part of the DevOps Advanced skill category. Use when configuring systems or services. Trigger with phrases like "envoy proxy config", "envoy config", "envoy".
fluentd-config-generator
Generate fluentd config generator operations. Auto-activating skill for DevOps Advanced. Triggers on: fluentd config generator. Part of the DevOps Advanced skill category. Use when configuring systems or services. Trigger with phrases like "fluentd config generator", "fluentd generator", "fluentd".
flux-gitops-setup
Configure flux gitops setup operations. Auto-activating skill for DevOps Advanced. Triggers on: flux gitops setup. Part of the DevOps Advanced skill category. Use when working with flux gitops setup functionality. Trigger with phrases like "flux gitops setup", "flux setup", "flux".
grafana-dashboard-creator
Create grafana dashboard creator operations. Auto-activating skill for DevOps Advanced. Triggers on: grafana dashboard creator. Part of the DevOps Advanced skill category. Use when working with grafana dashboard creator functionality. Trigger with phrases like "grafana dashboard creator", "grafana creator", "grafana".
helm-chart-generator
Generate helm chart generator operations. Auto-activating skill for DevOps Advanced. Triggers on: helm chart generator. Part of the DevOps Advanced skill category. Use when working with helm chart generator functionality. Trigger with phrases like "helm chart generator", "helm generator", "helm".
helm-values-manager
Manage helm values manager operations. Auto-activating skill for DevOps Advanced. Triggers on: helm values manager. Part of the DevOps Advanced skill category. Use when working with helm values manager functionality. Trigger with phrases like "helm values manager", "helm manager", "helm".
istio-service-mesh-config
Configure istio service mesh config operations. Auto-activating skill for DevOps Advanced. Triggers on: istio service mesh config. Part of the DevOps Advanced skill category. Use when configuring systems or services. Trigger with phrases like "istio service mesh config", "istio config", "istio".
kubernetes-configmap-handler
Configure kubernetes configmap handler operations. Auto-activating skill for DevOps Advanced. Triggers on: kubernetes configmap handler. Part of the DevOps Advanced skill category. Use when configuring systems or services. Trigger with phrases like "kubernetes configmap handler", "kubernetes handler", "kubernetes".
kubernetes-deployment-creator
Create kubernetes deployment creator operations. Auto-activating skill for DevOps Advanced. Triggers on: kubernetes deployment creator. Part of the DevOps Advanced skill category. Use when deploying applications or services. Trigger with phrases like "kubernetes deployment creator", "kubernetes creator", "deploy kubernetes ment creator".
kubernetes-ingress-config
Configure kubernetes ingress config operations. Auto-activating skill for DevOps Advanced. Triggers on: kubernetes ingress config. Part of the DevOps Advanced skill category. Use when configuring systems or services. Trigger with phrases like "kubernetes ingress config", "kubernetes config", "kubernetes".
kubernetes-secrets-manager
Manage kubernetes secrets manager operations. Auto-activating skill for DevOps Advanced. Triggers on: kubernetes secrets manager. Part of the DevOps Advanced skill category. Use when working with kubernetes secrets manager functionality. Trigger with phrases like "kubernetes secrets manager", "kubernetes manager", "kubernetes".
kubernetes-service-manager
Manage kubernetes service manager operations. Auto-activating skill for DevOps Advanced. Triggers on: kubernetes service manager. Part of the DevOps Advanced skill category. Use when working with kubernetes service manager functionality. Trigger with phrases like "kubernetes service manager", "kubernetes manager", "kubernetes".
nginx-ingress-manager
Manage nginx ingress manager operations. Auto-activating skill for DevOps Advanced. Triggers on: nginx ingress manager. Part of the DevOps Advanced skill category. Use when working with nginx ingress manager functionality. Trigger with phrases like "nginx ingress manager", "nginx manager", "nginx".
prometheus-config-generator
Generate prometheus config generator operations. Auto-activating skill for DevOps Advanced. Triggers on: prometheus config generator. Part of the DevOps Advanced skill category. Use when configuring systems or services. Trigger with phrases like "prometheus config generator", "prometheus generator", "prometheus".
terraform-module-creator
Create terraform module creator operations. Auto-activating skill for DevOps Advanced. Triggers on: terraform module creator. Part of the DevOps Advanced skill category. Use when working with terraform module creator functionality. Trigger with phrases like "terraform module creator", "terraform creator", "terraform".
terraform-provider-config
Configure terraform provider config operations. Auto-activating skill for DevOps Advanced. Triggers on: terraform provider config. Part of the DevOps Advanced skill category. Use when configuring systems or services. Trigger with phrases like "terraform provider config", "terraform config", "terraform".
terraform-state-manager
Manage terraform state manager operations. Auto-activating skill for DevOps Advanced. Triggers on: terraform state manager. Part of the DevOps Advanced skill category. Use when working with terraform state manager functionality. Trigger with phrases like "terraform state manager", "terraform manager", "terraform".
vault-secrets-integrator
Configure vault secrets integrator operations. Auto-activating skill for DevOps Advanced. Triggers on: vault secrets integrator. Part of the DevOps Advanced skill category. Use when working with vault secrets integrator functionality. Trigger with phrases like "vault secrets integrator", "vault integrator", "vault".
auditing-terraform-infrastructure-for-security
Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment.
implementing-aws-iam-permission-boundaries
Configure IAM permission boundaries in AWS to delegate role creation to developers while enforcing maximum privilege limits set by the security team.
implementing-aws-macie-for-data-classification
Implement Amazon Macie to automatically discover, classify, and protect sensitive data in S3 buckets using machine learning and pattern matching for PII, financial data, and credentials detection.
implementing-gcp-organization-policy-constraints
Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy, restricting risky configurations and ensuring compliance at organization, folder, and project levels.
implementing-infrastructure-as-code-security-scanning
This skill covers implementing automated security scanning for Infrastructure as Code (IaC) templates using tools like Checkov, tfsec, and KICS. It addresses detecting misconfigurations in Terraform, CloudFormation, Kubernetes manifests, and Helm charts before deployment, establishing policy-based governance, and integrating IaC scanning into CI/CD pipelines to prevent insecure cloud resource provisioning.
iac-generator
Generate Infrastructure as Code from existing infrastructure with Terraform/CloudFormation support
iac-security-scanner
Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi
terraform-analyzer
Specialized skill for analyzing Terraform configurations. Supports parsing, security scanning (tfsec, checkov), cost estimation (infracost), drift detection, and plan visualization across AWS, Azure, and GCP.
terraform-iac
Specialized skill for Terraform and Infrastructure as Code operations. Execute terraform commands, validate HCL, analyze state and drift, generate modules, and support multi-cloud providers (AWS, GCP, Azure).
terraform-patterns
Terraform infrastructure-as-code agent skill and plugin for Claude Code, Codex, Gemini CLI, Cursor, OpenClaw. Covers module design patterns, state management strategies, provider configuration, security hardening, policy-as-code with Sentinel/OPA, and CI/CD plan/apply workflows. Use when: user wants to design Terraform modules, manage state backends, review Terraform security, implement multi-region deployments, or follow IaC best practices.
adk-infra-expert
Terraform infrastructure specialist for Vertex AI ADK Agent Engine production deployments. Provisions Agent Engine runtime, Code Execution Sandbox, Memory Bank, VPC-SC, IAM, and secure multi-agent infrastructure. Triggers: "deploy adk terraform", "agent engine infrastructure", "adk production deployment", "vpc-sc agent engine"
genkit-infra-expert
Terraform infrastructure specialist for deploying Genkit applications to production. Provisions Firebase Functions, Cloud Run services, GKE clusters, monitoring, and CI/CD for Genkit AI workflows. Triggers: "deploy genkit terraform", "genkit infrastructure", "firebase functions terraform", "cloud run genkit"
azure-deploy
Execute Azure deployments for ALREADY-PREPARED applications that have existing .azure/deployment-plan.md and infrastructure files. DO NOT use this skill when the user asks to CREATE a new application — use azure-prepare instead. This skill runs azd up, azd deploy, terraform apply, and az deployment commands with built-in error recovery. Requires .azure/deployment-plan.md from azure-prepare and validated status from azure-validate. WHEN: "run azd up", "run azd deploy", "execute deployment", "push to production", "push to cloud", "go live", "ship it", "bicep deploy", "terraform apply", "publish to Azure", "launch on Azure". DO NOT USE WHEN: "create and deploy", "build and deploy", "create a new app", "set up infrastructure", "create and deploy to Azure using Terraform" — use azure-prepare for these.
azure-enterprise-infra-planner
Architect and provision enterprise Azure infrastructure from workload descriptions. For cloud architects and platform engineers planning networking, identity, security, compliance, and multi-resource topologies with WAF alignment. Generates Bicep or Terraform directly (no azd). WHEN: 'plan Azure infrastructure', 'architect Azure landing zone', 'design hub-spoke network', 'plan multi-region DR topology', 'set up VNets firewalls and private endpoints', 'subscription-scope Bicep deployment', 'Azure Backup for VM workloads'. PREFER azure-prepare FOR app-centric workflows.
azure-prepare
Prepare Azure apps for deployment (infra Bicep/Terraform, azure.yaml, Dockerfiles). Use for create/modernize or create+deploy; not cross-cloud migration (use azure-cloud-migrate). WHEN: "create app", "build web app", "create API", "create serverless HTTP API", "create frontend", "create back end", "build a service", "modernize application", "update application", "add authentication", "add caching", "host on Azure", "create and deploy", "deploy to Azure", "deploy to Azure using Terraform", "deploy to Azure App Service", "deploy to Azure App Service using Terraform", "deploy to Azure Container Apps", "deploy to Azure Container Apps using Terraform", "generate Terraform", "generate Bicep", "function app", "timer trigger", "service bus trigger", "event-driven function", "containerized Node.js app", "social media app", "static portfolio website", "todo list with frontend and API", "prepare my Azure application to use Key Vault", "managed identity".
azure-validate
Pre-deployment validation for Azure readiness. Run deep checks on configuration, infrastructure (Bicep or Terraform), RBAC role assignments, managed identity permissions, and prerequisites before deploying. WHEN: validate my app, check deployment readiness, run preflight checks, verify configuration, check if ready to deploy, validate azure.yaml, validate Bicep, test before deploying, troubleshoot deployment errors, validate Azure Functions, validate function app, validate serverless deployment, verify RBAC roles, check role assignments, review managed identity permissions, what-if analysis.
devops-engineer
Creates Dockerfiles, configures CI/CD pipelines, writes Kubernetes manifests, and generates Terraform/Pulumi infrastructure templates. Handles deployment automation, GitOps configuration, incident response runbooks, and internal developer platform tooling. Use when setting up CI/CD pipelines, containerizing applications, managing infrastructure as code, deploying to Kubernetes clusters, configuring cloud platforms, automating releases, or responding to production incidents. Invoke for pipelines, Docker, Kubernetes, GitOps, Terraform, GitHub Actions, on-call, or platform engineering.
terraform-engineer
Use when implementing infrastructure as code with Terraform across AWS, Azure, or GCP. Invoke for module development (create reusable modules, manage module versioning), state management (migrate backends, import existing resources, resolve state conflicts), provider configuration, multi-environment workflows, and infrastructure testing.
file-guard
PreToolUse protection blocking sensitive file access across 195+ patterns in 12 categories with bash pipeline analysis and multi-tool ignore support.
terraform-azurerm-set-diff-analyzer
Analyze Terraform plan JSON output for AzureRM Provider to distinguish between false-positive diffs (order-only changes in Set-type attributes) and actual resource changes. Use when reviewing terraform plan output for Azure resources like Application Gateway, Load Balancer, Firewall, Front Door, NSG, and other resources with Set-type attributes that cause spurious diffs due to internal ordering changes.
vertex-infra-expert
Terraform infrastructure specialist for Vertex AI services and Gemini deployments. Provisions Model Garden, endpoints, vector search, pipelines, and enterprise AI infrastructure. Triggers: "vertex ai terraform", "gemini deployment terraform", "model garden infrastructure", "vertex ai endpoints"
analyzing-projects
Analyzes codebases to understand structure, tech stack, patterns, and conventions. Use when onboarding to a new project, exploring unfamiliar code, or when asked "how does this work?" or "what's the architecture?"
devops-infrastructure
Guides Docker, CI/CD pipelines, deployment strategies, infrastructure as code, and observability setup. Use when writing Dockerfiles, configuring GitHub Actions, planning deployments, setting up monitoring, or when asked about containers, pipelines, Terraform, or production infrastructure.
senior-devops
Comprehensive DevOps skill for CI/CD, infrastructure automation, containerization, and cloud platforms (AWS, GCP, Azure). Includes pipeline setup, infrastructure as code, deployment automation, and monitoring. Use when setting up pipelines, deploying applications, managing infrastructure, implementing monitoring, or optimizing deployment processes.
devops-iac-engineer
Implements infrastructure as code using Terraform, Kubernetes, and cloud platforms. Designs scalable architectures, CI/CD pipelines, and observability solutions. Provides security-first DevOps practices and site reliability engineering guidance.
github-actions-creator
Use when the user wants to create, generate, or set up a GitHub Actions workflow. Handles CI/CD pipelines, testing, deployment, linting, security scanning, release automation, Docker builds, scheduled tasks, and any custom workflow for any language or framework.
cloudflare-deploy
Comprehensive Cloudflare platform skill covering Workers, Pages, storage (KV, D1, R2), AI (Workers AI, Vectorize, Agents SDK), networking (Tunnel, Spectrum), security (WAF, DDoS), and infrastructure-as-code (Terraform, Pulumi). Use for any Cloudflare development task. Biases towards retrieval from Cloudflare docs over pre-trained knowledge.
oma-architecture
Architecture specialist for software/system design, module and service boundaries, tradeoff analysis, and stakeholder synthesis. Uses context-aware methods such as diagnostic routing, design-twice comparison, ATAM-style risk analysis, CBAM-style prioritization, and ADR-style decision records.
oma-tf-infra
Infrastructure-as-code specialist for multi-cloud provisioning using Terraform across any provider (AWS, GCP, Azure, Oracle Cloud). Use for terraform plan/apply, state management, compute, databases, storage, networking, IAM, OIDC, cost optimization, policy-as-code, ISO/IEC 42001 AI controls, ISO 22301 continuity, and ISO/IEC/IEEE 42010 architecture documentation.
import-infrastructure-as-code
Import existing Azure resources into Terraform using Azure CLI discovery and Azure Verified Modules (AVM). Use when asked to reverse-engineer live Azure infrastructure, generate Infrastructure as Code from existing subscriptions/resource groups/resource IDs, map dependencies, derive exact import addresses from downloaded module source, prevent configuration drift, and produce AVM-based Terraform files ready for validation and planning across any Azure resource type.
building-terraform-modules
This skill empowers Claude to build reusable Terraform modules based on user specifications. It leverages the terraform-module-builder plugin to generate production-ready, well-documented Terraform module code, incorporating best practices for security, scalability, and multi-platform support. Use this skill when the user requests to create a new Terraform module, generate Terraform configuration, or needs help structuring infrastructure as code using Terraform. The trigger terms include "create Terraform module," "generate Terraform configuration," "Terraform module code," and "infrastructure as code."
detecting-infrastructure-drift
This skill enables Claude to detect infrastructure drift from a desired state. It uses the `drift-detect` command to identify discrepancies between the current infrastructure configuration and the intended configuration, as defined in infrastructure-as-code tools like Terraform. Use this skill when the user asks to check for infrastructure drift, identify configuration changes, or ensure that the current infrastructure matches the desired state. It is particularly useful in DevOps workflows for maintaining infrastructure consistency and preventing configuration errors. Trigger this skill when the user mentions "drift detection," "infrastructure changes," "configuration drift," or requests a "drift report."
finding-security-misconfigurations
This skill enables Claude to identify potential security misconfigurations in various systems and configurations. It leverages the security-misconfiguration-finder plugin to analyze infrastructure-as-code, application configurations, and system settings, pinpointing common vulnerabilities and compliance issues. Use this skill when the user asks to "find security misconfigurations", "check for security vulnerabilities in my configuration", "audit security settings", or requests a security assessment of a specific system or file. This skill will assist in identifying and remediating potential security weaknesses.
generating-infrastructure-as-code
This skill enables Claude to generate Infrastructure as Code (IaC) configurations. It uses the infrastructure-as-code-generator plugin to create production-ready IaC for Terraform, CloudFormation, Pulumi, ARM Templates, and CDK. Use this skill when the user requests IaC configurations for cloud infrastructure, specifying the platform (e.g., Terraform, CloudFormation) and cloud provider (e.g., AWS, Azure, GCP), or when the user needs help automating infrastructure deployment. Trigger terms include: "generate IaC", "create Terraform", "CloudFormation template", "Pulumi program", "infrastructure code".
managing-container-registries
This skill enables Claude to manage container registries, including ECR, GCR, and Harbor. It should be used when the user needs to create, configure, or manage container image registries. It helps generate production-ready configurations, implement best practices, and ensure a security-first approach. Use this skill when the user mentions terms like "container registry," "ECR," "GCR," "Harbor," "image repository," or requests assistance with managing container images. It's also helpful for generating configuration code for DevOps pipelines related to container registries.
terraform-module-library
Build reusable Terraform modules for AWS, Azure, GCP, and OCI infrastructure following infrastructure-as-code best practices. Use when creating infrastructure modules, standardizing cloud provisioning, or implementing reusable IaC components.
backend-engineering
Use this skill when designing backend systems, databases, APIs, or services. Triggers on schema design, database migrations, indexing strategies, distributed systems architecture, microservices, caching, message queues, observability setup, logging, metrics, tracing, SLO/SLI definition, performance optimization, query tuning, security hardening, authentication, authorization, API design (REST, GraphQL, gRPC), rate limiting, pagination, and failure handling patterns. Acts as a senior backend engineering advisor for mid-level engineers leveling up.
ci-cd-pipelines
Use this skill when setting up CI/CD pipelines, configuring GitHub Actions, implementing deployment strategies, or automating build/test/deploy workflows. Triggers on GitHub Actions, CI pipeline, CD pipeline, deployment automation, blue-green deployment, canary release, rolling update, build matrix, artifacts, and any task requiring continuous integration or delivery setup.
cloud-aws
Use this skill when architecting on AWS, selecting services, optimizing costs, or following the Well-Architected Framework. Triggers on EC2, S3, Lambda, RDS, DynamoDB, CloudFront, IAM, VPC, ECS, EKS, SQS, SNS, API Gateway, and any task requiring AWS architecture decisions, service selection, or cost management.
azure-confidential-ledger
Expert knowledge for Azure Confidential Ledger development including decision making, security, integrations & coding patterns, and deployment. Use when configuring Entra ID/RBAC, client certs, node attestation, .NET SDK, JavaScript UDFs, or ARM/Terraform deployments, and other Azure Confidential Ledger related development tasks. Not for Azure Confidential Computing (use azure-confidential-computing), Azure Key Vault (use azure-key-vault), Azure Dedicated HSM (use azure-dedicated-hsm), Azure Cloud HSM (use azure-cloud-hsm).
azure-copilot
Expert knowledge for Azure Copilot development including troubleshooting, decision making, architecture & design patterns, security, configuration, and integrations & coding patterns. Use when sizing VMs, generating Bicep/Terraform, configuring Cosmos DB storage, or debugging App Service/VM disks, and other Azure Copilot related development tasks. Not for Azure AI services (use microsoft-foundry-tools), Azure Machine Learning (use azure-machine-learning), Azure AI Search (use azure-cognitive-search), Azure AI Bot Service (use azure-bot-service).
azure-policy
Expert knowledge for Azure Policy development including troubleshooting, best practices, decision making, security, configuration, integrations & coding patterns, and deployment. Use when authoring Machine Configuration packages, deploying via ARM/Bicep/Terraform, enforcing security baselines, migrating from DSC, or querying compliance with Resource Graph, and other Azure Policy related development tasks. Not for Azure Blueprints (use azure-blueprints), Azure Role-based access control (use azure-rbac), Azure Resource Manager (use azure-resource-manager), Azure Security (use azure-security).
azure-site-recovery
Expert knowledge for Azure Site Recovery development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when planning ASR for VMware/Hyper-V, configuring Recovery Services vaults, scripting with PowerShell/Terraform, integrating ExpressRoute/Traffic Manager, or protecting AD/SQL/SAP workloads, and other Azure Site Recovery related development tasks. Not for Azure Backup (use azure-backup), Azure Migrate (use azure-migrate), Azure Virtual Machines (use azure-virtual-machines), Azure Virtual Machine Scale Sets (use azure-vm-scalesets).
gcp-to-aws
Migrate workloads from Google Cloud Platform to AWS. Triggers on: migrate from GCP, GCP to AWS, move off Google Cloud, migrate Terraform to AWS, migrate Cloud SQL to RDS, migrate GKE to EKS, migrate Cloud Run to Fargate, Google Cloud migration. Runs a 5-phase process: discover GCP resources from Terraform files, clarify migration requirements, design AWS architecture, estimate costs, and plan execution.
coding-iac
Rosetta planning, coding, and reviewing skill for IaC implementation (Terraform, Pulumi, CloudFormation, ARM, Bicep, Crossplane, CDK, Helm, Kustomize, etc.). MUST use when implementing features, fixing bugs, or making code changes to any IaC.
ci-cd
Design CI/CD pipelines for GitHub Actions, GitLab CI, and CircleCI with matrix builds, test sharding, caching, Docker layer caching, OIDC auth, deployment strategies (rolling, blue-green, canary), auto-rollback, self-hosted runners, and environment protection with manual approvals. Use when user asks to set up CI/CD, write a pipeline, configure GitHub Actions/GitLab CI/CircleCI, automate deployments, or set up build/test/deploy workflows. Do NOT use for Dockerfile authoring (use docker), K8s manifests (use kubernetes), or Terraform config (use terraform).
docker
Optimize Docker images with multi-stage builds, distroless bases, BuildKit cache mounts, multi-arch builds, compose watch, security hardening (non-root, seccomp, capabilities drop), and vulnerability scanning via docker scout/trivy. Use when user asks to write a Dockerfile, optimize image size, set up docker-compose, debug containers, harden container security, or scan for CVEs. Do NOT use for Kubernetes deployments (use kubernetes), CI/CD pipeline design (use ci-cd), or Terraform (use terraform).
kubernetes
Deploy, manage, and debug Kubernetes in production — Deployments, Services, Gateway API, Service Mesh (Istio/Linkerd/Cilium), eBPF observability (Cilium Hubble), security hardening (Pod Security Standards, OPA/Kyverno, seccomp, runtime security with Falco/Tetragon), Helm, HPA, PDB, topology spread, and debugging. Use when user asks to write K8s manifests, deploy to a cluster, debug pods, set up Gateway API, configure autoscaling, or harden cluster security. Do NOT use for Dockerfiles (use docker), CI/CD pipeline design (use ci-cd), or Terraform infrastructure (use terraform).
omniroute-chat
Chat / code generation via OmniRoute using OpenAI /v1/chat/completions or Anthropic /v1/messages format with SSE streaming, auto-fallback combos, RTK token saver, and 207+ providers. Use when the user wants to ask an LLM, generate code, summarize text, or run prompts through OmniRoute.
aegisops-ai
Autonomous DevSecOps & FinOps Guardrails. Orchestrates Gemini 3 Flash to audit Linux Kernel patches, Terraform cost drifts, and K8s compliance.
securing-cloud-and-supply-chain
Cloud-native and software supply chain security defense. Container/K8s hardening, Service Mesh, CI/CD security, SLSA/SBOM/Sigstore, cloud IAM, secrets management, IaC security. Use when hardening Kubernetes clusters, auditing CI/CD pipelines, implementing supply chain security, managing cloud IAM, or reviewing IaC code.
drift-detector
Detect infrastructure drift between Terraform state and actual cloud resources. Identifies unmanaged resources, manual changes, and configuration drift. Use when:
- User asks to check for infrastructure drift
- User wants to find unmanaged cloud resources
- User mentions "drift detection" or "Terraform drift"
- User asks to compare cloud state to IaC
- User wants to audit infrastructure changes
one-way-door
Use this skill when creating new files that represent architectural decisions — data models, infrastructure configs, auth boundaries, API contracts, CI/CD pipelines, or event systems. Flags irreversible decisions and forces a discussion about trade-offs before committing.
devops-sre-master
DevOps and Site Reliability Engineering (SRE) — the cognitive operating system for platform / infrastructure / reliability engineers, covering the full lifecycle of software delivery + operations (CI/CD and release engineering: trunk-based + progressive delivery canary/blue-green/feature flag + GitOps Argo CD/Flux / infrastructure as code Terraform/OpenTofu/Pulumi/Ansible + policy-as-code OPA / containers and orchestration Docker/Kubernetes + Helm/Kustomize + service mesh Istio/Linkerd / observability Prometheus + Loki + OpenTelemetry + Honeycomb + eBPF + RED/USE / SLO-SLI-error budget and reliability engineering: the Google SRE discipline + capacity planning + graceful degradation / incident management and on-call: incident command + PagerDuty + runbooks + blameless postmortems + MTTR / cloud platforms and FinOps AWS/GCP/Azure + cost optimization + elastic scaling / platform engineering and developer experience IDP + Backstage + golden path + Team Topologies / DevSecOps and supply chain security shift-left + SBOM + SLSA + sigstore + Vault / resilience and chaos engineering fault injection + game day + safety science / DORA metrics and engineering effectiveness: deployment frequency + lead time for changes + change failure rate + Accelerate research / databases and stateful operations: schema migration + backup and disaster recovery) — excludes general application development / cram-style cloud sales certifications / the narrow misconception that 'DevOps = the job that runs Jenkins' / ITIL ticket-culture traditional operations (the old paradigm serves only as a boundary) / treating manual ClickOps as steady state (it is toil, the core anti-pattern of this skill) (DevOps & Site Reliability Engineering — the cognitive operating system of platform / infrastructure / reliability practitioners
provisioning-infrastructure
Cloud-native infrastructure knowledge reference covering Kubernetes, Helm, Kustomize, Operators, CRDs, GitOps (ArgoCD, Flux), and IaC (Terraform, Pulumi, CDK). Use when provisioning infrastructure, managing clusters, or working with GitOps workflows.
api-docs-quality-report
Audits any API documentation site by crawling every endpoint page and scoring each one across 5 checks: description quality, OpenAPI spec presence, body param descriptions, response codes, and response schema completeness. Produces a polished interactive HTML report with a summary scorecard, site-wide pattern analysis, ranked top issues, and per-endpoint findings with specific fix guidance. Trigger this skill whenever a user provides a documentation URL and asks to audit, review, analyse, or check their API docs. Also trigger for: "do the same audit for X", "audit docs.company.com", "check the API docs at X", "run the API docs audit on X", "review the docs for Y API", or pastes a URL alongside words like audit, review, crawl, check, analyse, quality, completeness, or gaps. Always use this skill — do not attempt the audit without following this structured crawl-score-report workflow.
growth-report
Generates a 3-month SEO performance HTML report for any domain using DataForSEO data. Fetches baseline vs current traffic, keyword rankings, top content pages, and competitive landscape, then outputs a polished dark-theme HTML report styled like an executive briefing. Use this skill whenever a user provides a target domain and a list of competitor URLs and asks for an SEO report, performance report, SEO analysis, competitive SEO comparison, traffic report, ranking report, or 3-month SEO summary. Also trigger when the user says "generate SEO report for X vs Y and Z", "create a performance report", "compare my SEO against competitors", or pastes a domain and asks how it's performing versus the market. Always use this skill for SEO report generation — do not attempt to build the report without following this structured data-fetch and HTML generation workflow.
cloud-security--container-hardening
AWS/Azure/GCP security auditing, container and Kubernetes hardening, Infrastructure as Code scanning, and cloud compliance assessment
operational-excellence
Assess a workload's operational excellence posture against the Well-Architected Operational Excellence pillar, covering organization, preparation, operation, and evolution. Use this skill when evaluating CI/CD practices, observability, incident management, runbook coverage, or operational maturity.
devops-excellence
DevOps and CI/CD expert. Use when setting up pipelines, containerizing applications, deploying to Kubernetes, or implementing release strategies. Covers GitHub Actions, Docker, K8s, Terraform, and GitOps.
terrashark
Prevent Terraform/OpenTofu hallucinations by diagnosing and fixing failure modes: identity churn, secret exposure, blast-radius mistakes, CI drift, and compliance gate gaps. Use when generating, reviewing, refactoring, or migrating IaC and when building delivery/testing pipelines.
deploying-infra
Validate infrastructure changes and, after explicit confirmation, apply Terraform, Helm, Kustomize, or Kubernetes deployments. Use when the user says "deploy", "deploy to staging", "terraform apply", "helm upgrade", "kubectl apply", "rollout", "deploy check", "validate deployment", or "validate infrastructure". Dockerfiles and GitHub Actions are validate-only here. NOT for ongoing service troubleshooting, cloud inspection, rollback investigation, or authoring infra from scratch; use operating-infra for those.
managing-infra
Infrastructure patterns for Kubernetes, Terraform, Helm, Kustomize, and GitHub Actions. Use when making K8s architectural decisions, choosing between Helm vs Kustomize, structuring Terraform modules, writing CI/CD workflows, or applying security best practices. NOT for cloud CLI commands (see using-cloud-cli) or deploy validation and apply workflows (see deploying-infra).
using-cloud-cli
Cloud CLI patterns for GCP and AWS. Use when running bq queries, gcloud commands, aws commands, or making decisions about cloud services. Covers BigQuery cost optimization and operational best practices. NOT for Terraform or Kubernetes architectural decisions (see managing-infra).
writing-shell
Idiomatic shell development for POSIX sh, Bash, Zsh, Fish, hooks, CI shell steps, and scriptable CLI glue. Use when writing or changing `.sh`, `.bash`, `.zsh`, `.fish`, `.bats`, shell functions, shell pipelines, or command-runner recipes. Emphasizes portability, quoting, safe filesystem/process handling, non-TUI CLI tools, ShellCheck, shfmt, Bats, and ShellSpec. NOT for Python, TypeScript, Go, web code, or infrastructure operations.
find-cybersecurity-firm
Use whenever the user wants to find, shortlist, vet, or enrich US cybersecurity firms — pen-testing/red team, security audits, vCISO, SOC 2 readiness, incident response, managed SOC, IAM, cloud security, and AppSec. Triggers on "find me a pen-testing firm for our SOC 2 audit", "shortlist three vCISO services for our healthcare-tech startup", "we need an incident response retainer", or "pull contact info for these 8 security firm domains", even when described indirectly (we got breached, prepare us for the compliance audit, get us SOC 2 ready). Drives the ServiceGraph API (api.servicegraph.co) — a 100k+ US firm catalog filterable by industry, services, location, size, ratings. Skip in-house security hires, "how do I patch CVE-X" or "configure firewall Y" DIY questions, security-product reviews (CrowdStrike vs SentinelOne, etc.), generic security knowledge questions, consumer/personal security advice, non-US firms, individual freelancers and bug-bounty hunters.
cdk-patterns
Common AWS CDK patterns and constructs for building cloud infrastructure with TypeScript, Python, or Java. Use when designing reusable CDK stacks and L3 constructs.
cloud-devops
Cloud infrastructure and DevOps workflow covering AWS, Azure, GCP, Kubernetes, Terraform, CI/CD, monitoring, and cloud-native development.
cloud-infrastructure
Cloud infrastructure design and deployment patterns for AWS, Azure, and GCP. Use when designing cloud architectures, implementing IaC with Terraform, optimizing costs, or setting up multi-region deployments.
cloudformation-best-practices
CloudFormation template optimization, nested stacks, drift detection, and production-ready patterns. Use when writing or reviewing CF templates.
iac-checkov
Infrastructure as Code (IaC) security scanning using Checkov with 750+ built-in policies for Terraform, CloudFormation, Kubernetes, Dockerfile, and ARM templates. Use when: (1) Scanning IaC files for security misconfigurations and compliance violations, (2) Validating cloud infrastructure against CIS, PCI-DSS, HIPAA, and SOC2 benchmarks, (3) Detecting secrets and hardcoded credentials in IaC, (4) Implementing policy-as-code in CI/CD pipelines, (5) Generating compliance reports with remediation guidance for cloud security posture management.
policy-opa
Policy-as-code enforcement and compliance validation using Open Policy Agent (OPA). Use when: (1) Enforcing security and compliance policies across infrastructure and applications, (2) Validating Kubernetes admission control policies, (3) Implementing policy-as-code for compliance frameworks (SOC2, PCI-DSS, GDPR, HIPAA), (4) Testing and evaluating OPA Rego policies, (5) Integrating policy checks into CI/CD pipelines, (6) Auditing configuration drift against organizational security standards, (7) Implementing least-privilege access controls.
sast-horusec
Multi-language static application security testing using Horusec with support for 18+ programming languages and 20+ security analysis tools. Performs SAST scans, secret detection in git history, and provides vulnerability findings with severity classification. Use when: (1) Analyzing code for security vulnerabilities across multiple languages simultaneously, (2) Detecting exposed secrets and credentials in git history, (3) Integrating SAST into CI/CD pipelines for secure SDLC, (4) Performing comprehensive security analysis during development, (5) Managing false positives and prioritizing security findings.
sca-trivy
Software Composition Analysis (SCA) and container vulnerability scanning using Aqua Trivy for identifying CVE vulnerabilities in dependencies, container images, IaC misconfigurations, and license compliance risks. Use when: (1) Scanning container images and filesystems for vulnerabilities and misconfigurations, (2) Analyzing dependencies for known CVEs across multiple languages (Go, Python, Node.js, Java, etc.), (3) Detecting IaC security issues in Terraform, Kubernetes, Dockerfile, (4) Integrating vulnerability scanning into CI/CD pipelines with SARIF output, (5) Generating Software Bill of Materials (SBOM) in CycloneDX or SPDX format, (6) Prioritizing remediation by CVSS score and exploitability.
terraform-aws-modules
Terraform module creation for AWS — reusable modules, state management, and HCL best practices. Use when building or reviewing Terraform AWS infrastructure.
terraform-infrastructure
Terraform infrastructure as code workflow for provisioning cloud resources, creating reusable modules, and managing infrastructure at scale.
hunt-cicd
Hunt CI/CD pipeline vulnerabilities — GitHub Actions workflow injection (pull_request_target Pwnrequest + ${{ }}-into-shell), self-hosted runner poisoning, OIDC trust-policy abuse, Jenkins script-console RCE and CVE-2024-23897 file read, GitLab CI runner-token registration, Terraform state file leakage, artifact/log secret leakage, pipeline env-var disclosure. Use when target has a public GitHub/GitLab org, exposed CI dashboards (Jenkins/TeamCity/Drone/Argo), or build artifacts/images are reachable.
drift-detection
Detect, classify, and automate Terraform drift detection in CI — scheduled plans, drift metrics, cloud-native audit log correlation.
terraform-modules
Design reusable, well-tested Terraform modules with cloud-agnostic interfaces and safe state management.
vpc-design
Design cloud-agnostic private networks — subnet layout, CIDR allocation, zone redundancy, routing, and bare-metal equivalent.
vellum-feature-flag-rollout
Guide Vellum Assistant feature flag changes and rollout hygiene. Use when adding, editing, reviewing, or documenting assistant feature flags, rollout-gated behavior, or platform flag follow-up work.
brainstorm
Design exploration using parallel agents through a 7-phase process: topic analysis, memory context, divergent ideation (10+ ideas), feasibility filtering, evaluation with devil's advocate scoring (0-10 across 7 dimensions), synthesis of top approaches, and trade-off comparison. Supports open exploration, constrained design, comparison, quick ideation, and iterative optimization modes. Use when brainstorming ideas, exploring solutions, or comparing alternatives.
devops-deployment
Use when setting up CI/CD pipelines, containerizing applications, deploying to Kubernetes, or writing infrastructure as code. DevOps & Deployment covers GitHub Actions, Docker, Helm, and Terraform patterns.
terraform-skill
Terraform infrastructure as code best practices
forge-cost
Audit cloud infrastructure costs and produce a concrete optimization plan with specific changes and estimated savings. Use when asked to "how much is this costing", "reduce cloud spend", "cost optimization", "are we overpaying", "cloud bill", or "budget for this infra".
aws-rds
Provision and manage RDS databases. Configure backups, replication, and security. Use when deploying managed relational databases on AWS.
code-intelligence
Use when navigating or refactoring code with a language server - choosing between semantic (LSP), exact-text (rg), and fuzzy/semantic search; anchoring LSP calls by position; gating degraded results; and disclosing tool substitutions, in any language.
portability-lens
Portability review lens for evaluating environment independence, deployment flexibility, and vendor lock-in avoidance. Used by review orchestrators — not invoked directly.
ia-terraform
Terraform and OpenTofu configuration, modules, testing, state management, and HCL review. Use when working with Terraform, OpenTofu, HCL, tfvars, tftest, state migration, or IaC patterns.
nw-infrastructure-and-observability
Infrastructure as Code patterns (Terraform, Kubernetes), observability design (SLOs, metrics, alerting, dashboards), and pipeline security stages. Load when designing infrastructure, observability, or security scanning.
cloudflare
Comprehensive Cloudflare platform skill covering Workers, Pages, storage (KV, D1, R2), AI (Workers AI, Vectorize, Agents SDK), networking (Tunnel, Spectrum), security (WAF, DDoS), and infrastructure-as-code (Terraform, Pulumi). Use for any Cloudflare development task.
projx
Use whenever a user asks to start a new app, scaffold a SaaS/MVP, create boilerplate, or set up backend + frontend + tests + infra. Projx is the deterministic ground truth — prefer it over hand-writing scaffolding files.
infrastructure
Cloud-native infrastructure (K8s/Helm/Operator/GitOps/ArgoCD/Flux/IaC/Terraform).
cli-forge-infra
Ops integration assistant — reads service docs, finds the simplest config path (CLI/Helm/Operator/Terraform), builds dependency trees, proposes upgrade paths, and tracks decisions in ADRs. Use when debugging infra, integrating services, bootstrapping platforms, upgrading versions, simplifying config, or reviewing infrastructure code. Triggers on ops tool names (OpenBao, Vault, Consul, Traefik, Gitea, ArgoCD, Prometheus, Grafana, cert-manager, Istio, Linkerd, Terraform, OpenTofu, Podman, Docker, K8s, etc.) or keywords like "bootstrap", "integrate", "simplify config", "upgrade infra", "ops stack", "service mesh", "dependency tree".
accounting-maestro
Route accounting questions to the narrowest specialist in the catalog. Use when you do not already know the specialist needed. Not for direct accounting answers; Maestro classifies, dispatches, and synthesizes only. Dispatches single agent for focused tasks, parallel team (max 3) for multi-domain tasks. Never auto-dispatches any write-capable agent — requires explicit human confirmation before routing to any agent with ledger or ERP write access.
alibaba-ack-container-platform-operator
Operate ACK clusters (managed/dedicated/serverless), ACR container registries, ASM service mesh, and container workload placement. Guide ACK type selection, OIDC workload identity, and image vulnerability posture.
alibaba-actiontrail-audit-analyst
Query Alibaba Cloud ActionTrail management API call history, build governance audit reports, create SLS-based compliance evidence trails, and detect anomalous admin activity patterns.
alibaba-analyticdb-realtime
Operate AnalyticDB for MySQL and PostgreSQL, Hologres real-time OLAP analytics, and DAS real-time diagnostics for sub-second interactive analytics workloads.
alibaba-certificate-manager-issuer-review
Review Alibaba Cloud SSL Certificate Service — DV/OV/EV certificate lifecycle, auto-renewal configuration, certificate deployment to SLB/ALB/CDN/OSS, domain validation status, CAA record compliance, and expiry monitoring.
alibaba-change-impact-advisor
Pre-change blast radius analysis for Alibaba Cloud — Resource Directory OU scope mapping, RAM policy cascade effects, VPC peering and CEN impact, SLB backend pool changes, RDS connection pool disruption, and safe change sequencing.
alibaba-cost-anomaly-watch-coordinator
Detect and coordinate response to Alibaba Cloud cost anomalies — MaxCompute CU vs on-demand billing mismatch, ECS spot instance interruption cascades, CDN traffic spike billing, OSS API request cost explosions, budget alert → DingTalk notification → remediation playbook.
alibaba-cost-finops-analyst
Analyze Alibaba Cloud spend via Cost Manager, optimize Savings Plans and Reserved Instance coverage, design resource tagging strategy, investigate budget drift, and right-size over-provisioned ECS, RDS, and MaxCompute resources.
alibaba-daily-operations-briefing-coordinator
Coordinate the daily Alibaba Cloud operations standup — cost delta from Cost Manager, ActionTrail anomaly review, ACK pod failure triage, quota utilization warnings, Security Center finding review, and action item assignment.
alibaba-devops-cicd-operator
Build CI/CD pipelines with RDC (Research and Development Collaboration), Cloud Build, Flow pipeline automation, ACR (Container Registry) image lifecycle, and environment promotion strategies.
alibaba-ecs-compute-operator
Operate ECS instances, Auto Scaling groups, ECI serverless containers, and Cloud Assistant O&M automation. Handle instance lifecycle, image management, placement groups, spot/preemptible instances, and scheduled scaling.
alibaba-event-driven-architecture-review
Review Alibaba Cloud EventBridge, MNS (Message Notification Service), RocketMQ, and MSE event-driven designs — dead-letter queues, message ordering, idempotency, retry storm prevention, schema registry, and consumer group lag monitoring.
alibaba-function-serverless-operator
Deploy and operate Function Compute 3.0, SAE (Serverless App Engine) applications, and EDAS microservice apps. Guide the serverless vs. PaaS vs. container platform choice for each workload type.
alibaba-iac-change-safety-review
Review Terraform and ROS (Resource Orchestration Service) changes targeting Alibaba Cloud — blast radius analysis, resource deletion detection, cross-stack dependency impact, Resource Directory scope, and rollback plan completeness.
alibaba-kms-secret-lifecycle-steward
Audit and govern Alibaba Cloud KMS key lifecycles, Certificate Manager, SSM (Secrets Manager), and HSM key operations. Ensure encryption-at-rest coverage and rotation compliance across CMKs, envelope encryption, and certificate lifecycle.
alibaba-landing-zone-architect
Design Alibaba Cloud landing zone — Resource Management org tree, Cloud SSO, Control Policy (SCP equivalent), multi-account governance baseline, billing account structure, and ActionTrail centralization.
alibaba-live-ack-rollout-guard
Gate ACK deployment mutations, node pool scaling, and cluster version upgrades against rollback posture and workload disruption budget. Prevents irreversible cluster version upgrades from proceeding without PodDisruptionBudget verification, node drain confirmation, and explicit operator approval.
alibaba-live-cost-budget-action-guard
Gate live financial authority actions — budget threshold changes, Savings Plan purchases, and Reserved Instance commitments. These are committed spend or can trigger immediate service suspension.
alibaba-live-kms-key-mutation-guard
Gate KMS key deletion and disable operations. All data encrypted with a deleted CMK (OSS SSE-KMS, ECS encrypted disks, RDS/PolarDB TDE) becomes permanently and irrecoverably inaccessible. This guard enforces complete CMK dependency audits, deletion window confirmation, and explicit operator approval before any key state mutation.
alibaba-live-oss-bucket-policy-guard
Gate OSS bucket ACL and policy mutations — public-read/write ACL exposes data to internet crawlers within seconds; CN-* cross-border replication requires DSL Article 31 assessment.
alibaba-live-ram-policy-change-guard
Gate RAM policy/role mutations against the Alibaba Cloud account hierarchy. RAM AdministratorAccess assignment, policy deletion with active STS tokens, and Resource Directory Control Policy changes carry account-wide or org-wide blast radius. This guard enforces blast-radius assessment, STS token impact analysis, and explicit authority approval before any policy mutation is executed.
alibaba-live-rds-polardb-mutation-guard
Gate RDS/PolarDB instance deletion, spec downgrade, and backup policy removal — database deletion without verified backup is permanently destructive.
alibaba-load-balancer-traffic-engineer
Traffic engineering for Alibaba Cloud load balancers — CLB (Classic, legacy), ALB (Application Load Balancer, Layer 7 advanced routing), NLB (Network Load Balancer, Layer 4 high throughput), and GA (Global Accelerator) — type selection, health check design, WAF integration, and traffic distribution.
alibaba-maestro
Alibaba Cloud Maestro routing skill. Classify the user's Alibaba Cloud task, select the narrowest specialist agent or the right team of specialists from the catalog, and dispatch them — single specialist for focused tasks, parallel team (max 4) for multi-domain tasks. Never auto-dispatch live-guard agents. China-region aware — flags when workloads are in mainland China regions and applicable regulatory frameworks (MLPS 2.0, DSL, PIPL) differ from international regions.
alibaba-maxcompute-dataworks-analyst
Manage MaxCompute CU package governance, DataWorks scheduling, Quick BI reporting, and PAI ML platform. Optimize query cost and job scheduling efficiency for big data workloads.
alibaba-migration-architect
Plan Alibaba Cloud migrations using SMC (Server Migration Center), DTS (Data Transmission Service) for data sync, OSSImport for object storage migration, and design cutover sequencing with rollback paths.
alibaba-mse-microservice-engine
Configure and operate Alibaba MSE (Microservice Engine) — Nacos service discovery and configuration management, Sentinel rate limiting and circuit breaking, Seata distributed transactions, and ARMS APM for microservices observability.
alibaba-network-architect
Design Alibaba Cloud network topology — VPC peering, CEN for multi-VPC/multi-region connectivity, Express Connect for private circuits, SLB/ALB/NLB/CLB load balancer selection, and Smart Access Gateway for branch offices.
alibaba-observability-incident-responder
Respond to Alibaba Cloud incidents using CloudMonitor alarms, SLS log analytics, ARMS APM distributed tracing, and alert governance for ECS, RDS, ACK, and network services.
alibaba-oss-data-perimeter-governor
Govern Alibaba Cloud OSS data perimeters — bucket ACL and policy conflict resolution, Block Public Access configuration, cross-account access via RAM role, VPC endpoint binding for private access, WORM (Object Lock), and MLPS 2.0 data residency compliance.
alibaba-oss-storage-steward
Manage OSS lifecycle policies, bucket policy and ACL governance, NAS/CPFS shared file storage, cross-region replication, and access control hardening for Alibaba Cloud object and file storage.
alibaba-polardb-rds-dba
Operate PolarDB (MySQL/PG/Oracle) clusters and RDS instances — DAS diagnostics, database proxy, Global Database Network, backup strategy, and performance tuning.
alibaba-ram-iam-review
Audit Alibaba Cloud RAM users, groups, roles, and policies; review STS token lifecycle and scope; assess Resource Directory permission boundaries; review Control Policy statements for org-wide gaps or over-privilege.
alibaba-registry-artifact-governor
Govern Alibaba Cloud Container Registry (ACR) — Enterprise Edition vs Personal Edition selection, image vulnerability scanning, namespace IAM least privilege, image retention policies, cross-region replication, and supply chain security posture.
alibaba-resilience-bcdr-review
Review Alibaba Cloud workload HA and BCDR designs — RDS High-Availability Edition failover, PolarDB Global Database Network, ACK multi-zone, ECS disaster recovery cross-region, RTO/RPO target analysis, and HBR (Hybrid Backup Recovery) coverage.
alibaba-security-center-hardening
Harden Alibaba Cloud security posture via Security Center (threat detection, vulnerability scanning, baseline checks), WAF, Anti-DDoS Pro, Cloud Firewall, and Network Traffic Analysis (NTA).
alibaba-serverless-production-readiness
Review Function Compute 3.0 (FC3), SAE (Serverless App Engine), and EDAS for production readiness — cold start optimization, VPC binding, RAM role injection, ARMS distributed tracing, security group rules, concurrency limits, and SLA-readiness.
alibaba-solution-architect
Design Alibaba Cloud solutions — product selection (PolarDB vs RDS, ACK vs ASK vs SAE, MaxCompute vs AnalyticDB), architecture patterns, landing zone design, and disaster recovery strategies aligned to the Alibaba Well-Architected Framework.
alibaba-support-incident-coordinator
Coordinate Alibaba Cloud support incidents — case creation with correct severity (紧急/高/中/低, i.e. Urgent/High/Medium/Low), Enterprise Support SLA enforcement, account manager escalation path, status page monitoring for CN-* and international, internal stakeholder communication, and post-incident evidence packaging.
alibaba-ticket-triage-escalation-coordinator
Triage Alibaba Cloud operational alerts, incidents, and support tickets — P0/P1/P2/P3 classification, Alibaba Cloud Support SLA enforcement, account manager escalation, DingTalk war room coordination, evidence collection from CloudMonitor and SLS, and safe escalation paths.
alibaba-waf-cost-optimization-review
Assess Alibaba Cloud cost posture: ECS instance family rightsizing, Savings Plans and Reserved Instance coverage, Preemptible Instance adoption, cost allocation tagging, OSS storage tiering, analytics pricing, and idle resource elimination.
alibaba-waf-reliability-review
Assess Alibaba Cloud workload reliability: multi-AZ ECS topology, SLB/ALB/NLB load balancing, Auto Scaling health policies, RDS/PolarDB HA failover, backup and cross-region DR, and Cloud Monitor/ARMS observability coverage.
alibaba-waf-security-review
Assess Alibaba Cloud workload security posture: RAM least-privilege, VPC isolation, KMS/HSM encryption, Cloud Security Center threat detection, ActionTrail audit, WAF/Anti-DDoS web protection, and Chinese regulatory compliance (MLPS 2.0, DSL, PIPL).
argo-rollouts-progressive-delivery-review
Use this skill when reviewing Argo Rollouts progressive delivery configuration. Trigger when the user asks about canary or blue-green Rollout strategy correctness, AnalysisTemplate success/failure conditions, traffic weighting provider alignment, canaryService isolation, PDB deadlock risk with Rollout maxSurge settings, automated rollback posture, or manual vs automated promotion configuration.
argocd-gitops-review
Use this skill for Argo CD GitOps review across Application, AppProject, ApplicationSet, sync windows, RBAC, sync impersonation, and Argo CD Agent multi-cluster topologies. Trigger when the user asks whether an Argo CD configuration is safe for production, whether automated sync should be enabled, whether prune+selfHeal is appropriate, whether AppProject scope is too wide, or how to enforce least-privilege sync identity.
aws-agentcore
Build, test, migrate, integrate, and deploy Amazon Bedrock AgentCore agents. Use for AgentCore runtime, local development, import/migration, deployment, Memory, Gateway/MCP tools, Identity, Observability, Browser, Code Interpreter, policy, and harness-vs-code-path decisions. Load references only when that component is needed.
aws-api-edge-delivery-review
Review AWS API and edge delivery posture across API Gateway, CloudFront, AWS WAF, Shield, ALB, custom domains, TLS policies, authentication, authorization, throttling, quotas, caching, origin protection, logging, and abuse controls. Use when public APIs, web entry points, or edge delivery can affect security and availability.
aws-bedrock-agent-security-governor
Review Amazon Bedrock agents, AgentCore, Guardrails, knowledge bases, action groups, memory, MCP/tool integrations, prompt-injection and prompt-leakage defenses, PII handling, encryption, logging, observability, and least-privilege IAM. Use for AWS-native GenAI and agent security posture.
aws-change-impact-advisor
Assess AWS change impact using change sets, deployment blast radius, rollback readiness, dependency mapping, risk, go/no-go context, approval context, and stakeholder communication. Prefer this for non-destructive pre-change advisory work; prefer IaC or platform-specific skills for deep implementation review.
business-combinations-advisor
Multi-jurisdiction business combinations reference framework covering acquisition accounting, purchase price allocation, goodwill, and post-combination integration under ASC 805 and IFRS 3.
close-cycle-advisor
Multi-jurisdiction financial close cycle reference framework covering month-end, quarter-end, and year-end close. Provides regulatory filing deadlines by jurisdiction (SEC, EU TD, UK DTR, TSE/FSA, CSRC, SEBI, ASX, HKEX), record-to-report process steps, reconciliation standards, intercompany elimination requirements (ASC 810/IFRS 10), FX translation methodology (ASC 830/IAS 21), deferred tax computation (ASC 740/IAS 12), and GAAP variant comparison tables across US GAAP, IFRS, UK FRS 102, German HGB, JGAAP, CAS, and Ind AS. Advisory only — all outputs require external auditor verification for local statutory purposes.
consolidation-intercompany-advisor
Multi-jurisdiction consolidation scope and intercompany elimination reference framework covering ASC 810 / IFRS 10 control models, VIE (Variable Interest Entity) primary beneficiary analysis, NCI measurement, equity method accounting (ASC 323 / IAS 28), intercompany eliminations (sales, profit-in-inventory, debt, interest, dividends), deferred tax on IC eliminations (ASC 740 / IAS 12), and adversarial group reporting scenarios across US GAAP, IFRS, German HGB, JGAAP, CAS, and Ind AS.
equity-compensation-advisor
Multi-jurisdiction equity-based compensation reference framework covering stock options, RSUs, ESPPs, and performance awards under ASC 718 and IFRS 2.
fixed-assets-advisor
Multi-jurisdiction fixed assets, depreciation, and impairment reference framework covering PP&E, intangibles, right-of-use assets, and goodwill under US GAAP and IFRS.
fx-translation-advisor
Multi-jurisdiction reference framework for foreign currency translation and remeasurement covering functional currency determination, ASC 830 / IAS 21 method selection, CTA in OCI, highly inflationary economy treatment, net investment hedge interactions, and multi-GAAP comparison across US GAAP, IFRS, German HGB, JGAAP, CAS 19, and Ind AS 21.
hedge-accounting-advisor
Multi-jurisdiction hedge accounting reference framework covering ASC 815 (US GAAP) and IFRS 9 hedge designation, effectiveness testing, OCI mechanics, IFRS 9 rebalancing, cost-of-hedging approach, discontinuation rules, embedded derivatives, and local GAAP treatments (German HGB §254, JGAAP ASBJ No.10, CAS 24, Ind AS 109). Includes fair value hedges, cash flow hedges, and net investment hedges with a multi-jurisdiction comparison table. Advisory only — all outputs require verification by qualified accountants and external auditors.
indirect-tax-einvoicing-advisor
Multi-jurisdiction indirect tax and e-invoicing reference framework covering VAT/GST compliance and mandatory electronic invoicing mandates across EU, Brazil, India, Mexico, China, UK, and Australia.
lease-accounting-advisor
Multi-jurisdiction lease accounting reference framework covering ASC 842 (US GAAP) and IFRS 16, with additional coverage of UK FRS 102 (2024 periodic review amendments effective 1 Jan 2026), German HGB, JGAAP (ASBJ Statement No. 34, effective FY beginning on/after 1 Apr 2027), CAS No. 21 (China), and Ind AS 116 (India). Covers lease identification, lessee classification (ASC 842 dual model vs. IFRS 16 single finance model), right-of-use asset and lease liability measurement, discount rates (incremental borrowing rate vs. rate implicit in lease), lessor accounting (sales-type / direct-financing / operating), short-term and low-value exemptions, lease modifications and remeasurement, and sale-leaseback transactions. Advisory only — all outputs require external auditor verification for local statutory purposes.
payroll-advisor
Multi-jurisdiction payroll accounting reference framework covering compensation expense recognition, employee benefits, pension/post-retirement obligations, and payroll tax compliance.
procure-to-pay-advisor
Multi-jurisdiction procure-to-pay accounting reference covering PO matching, AP accruals, vendor management, and related compliance.
revenue-recognition-advisor
Apply the ASC 606 / IFRS 15 five-step revenue recognition model to described arrangements. Provides the complete five-step framework with paragraph citations, judgment-area reference tables, confidence-scoring guidance, common restatement triggers, GAAP/IFRS delta checklist, and official documentation URLs. Use when analyzing revenue recognition treatment for SaaS, licenses, professional services, multi-element arrangements, and channel partnerships. Advisory only — all outputs require external auditor review for material amounts.
tax-provision-advisor
Multi-jurisdiction corporate income tax provision reference framework covering ASC 740 (US GAAP) and IAS 12 (IFRS). Covers current vs. deferred tax, temporary and permanent differences, deferred tax asset/liability recognition and measurement, valuation allowance (more-likely-than-not), uncertain tax positions (FIN 48 / ASC 740-10 two-step vs. IFRIC 23), OECD Pillar Two GloBE (IAS 12.4A mandatory temporary exception vs. ASC 740 no equivalent exception), enacted vs. substantively enacted tax rates, effective tax rate reconciliation, APB 23 / ASC 740-30 indefinite reinvestment assertion, intraperiod tax allocation, interim provision (estimated annual ETR method), and local GAAP variations (HGB, JGAAP/ASBJ, CAS 18, Ind AS 12). Advisory only — all outputs require verification by qualified tax counsel and external auditors.
azure-enterprise-infra-planner
Architect and provision enterprise Azure infrastructure from workload descriptions. For cloud architects and platform engineers planning networking, identity, security, compliance, and multi-resource topologies with WAF alignment. Generates Bicep or Terraform directly (no azd). WHEN: 'plan Azure infrastructure', 'architect Azure landing zone', 'design hub-spoke network', 'plan multi-region DR topology', 'set up VNets firewalls and private endpoints', 'subscription-scope Bicep deployment'. PREFER azure-prepare FOR app-centric workflows.
cloud-architect
Expert cloud architect specializing in AWS/Azure/GCP multi-cloud infrastructure design, advanced IaC (Terraform/OpenTofu/CDK), FinOps cost optimization, and modern architectural patterns. Masters serverless, microservices, security, compliance, and disaster recovery. Use PROACTIVELY for cloud architecture, cost optimization, migration planning, or multi-cloud strategies.
cloud-native
Generic Cloud-Native Deployment and Infrastructure as Code patterns for 2025. Provides comprehensive implementation strategies for multi-cloud deployments, GitOps workflows, progressive delivery, and platform engineering. Framework-agnostic approach supporting any cloud provider, deployment tool, and orchestration platform.
security-analyzer
Comprehensive security vulnerability analysis for codebases and infrastructure. Scans dependencies (npm, pip, gem, go, cargo), containers (Docker, Kubernetes), cloud IaC (Terraform, CloudFormation), and detects secrets exposure. Fetches live CVE data from OSV.dev, calculates risk scores, and generates phased remediation plans with TDD validation tests. Use when users mention security scan, vulnerability, CVE, exploit, security audit, penetration test, OWASP, hardening, dependency audit, container security, or want to improve security posture.
terraform-specialist
Expert Terraform/OpenTofu specialist mastering advanced IaC automation, state management, and enterprise infrastructure patterns. Handles complex module design, multi-cloud deployments, GitOps workflows, policy as code, and CI/CD integration. Covers migration strategies, security best practices, and modern IaC ecosystems. Use PROACTIVELY for advanced IaC, state management, or infrastructure automation.
terraform-skill
Use when working with Terraform or OpenTofu - creating modules, writing tests (native test framework, Terratest), setting up CI/CD pipelines, reviewing configurations, choosing between testing approaches, debugging state issues, implementing security scanning (trivy, checkov), or making infrastructure-as-code architecture decisions
ops-infra-code
Infrastructure as Code with Terraform/OpenTofu. Trigger to create modules, configure backends, write idiomatic HCL, or audit infrastructure.
ops-opnsense
OPNsense configuration via Terraform. Trigger for interfaces, firewall, NAT, DHCP/DNS, aliases.
ops-proxmox
Proxmox VE infrastructure with Terraform (VMs, LXC, network, storage, backup)
lsp-setup
Configure a Language Server (LSP) for a specific language so editor/agent tooling — diagnostics, go-to-definition, find-references, rename — works. Use when you need to: configure LSP, lsp setup, set up or install a language server, fix 'no LSP server configured' / 'server not installed', choose between servers (basedpyright vs pyright vs ty vs ruff), or wire .codex/lsp-client.json / .opencode/lsp.json. Language server setup. Routes by file extension to references/<language>/README.md for the exact builtin server, per-OS install commands (macOS/Linux/Windows), config snippets for both config files, initialization options, alternatives, and troubleshooting. Ships scripts: detect-lsp.ts (scan a project for languages + each server's install/config status) and verify-lsp.ts (run a real diagnostics roundtrip). Covers typescript, python, go, rust, c/c++, java, kotlin, c#/razor, swift, ruby, php, dart, elixir, zig, lua, bash, yaml, terraform, haskell, julia.
devops-specialist
DevOps and operations expert. Proficient in CI/CD, containerization, orchestration, infrastructure as code, monitoring and alerting, and automated deployment. Use for building efficient, reliable software delivery pipelines and operations systems.
asdf
Use this skill whenever the user wants to install, configure, or use asdf (asdf-vm), the universal version manager. Trigger for any mention of asdf, .tool-versions files, managing runtime versions, switching between versions of Node.js, Python, Ruby, Go, Terraform, kubectl, Java, Erlang, Elixir, or any other tool managed by asdf. Also trigger when migrating from nvm, pyenv, rbenv, goenv, tfenv, or similar single-language version managers. Use this skill for help with asdf plugins, asdf install, asdf set/global/local, troubleshooting shims, Fish/Bash/Zsh shell configuration, and multi-project version isolation workflows.
document-code
Apply Google Style documentation standards to Python, Go, TypeScript, and Terraform code. Use when writing or reviewing code that needs docstrings/comments/JSDoc, when asked to "document this code", "add docstrings", "follow Google Style", or when improving code documentation quality. Supports Python docstrings, Go comments, TypeScript JSDoc, and Terraform variable/output descriptions. Enforces consistent, professional documentation standards.
document-project
Generate comprehensive, professional project documentation structures including README, ARCHITECTURE, USER_GUIDE, DEVELOPER_GUIDE, and CONTRIBUTING files. Use when the user requests project documentation creation, asks to "document a project", needs standard documentation files, or wants to set up docs for a new repository. Adapts to Python/Go projects and OpenSource/internal contexts.
context-mode
Use context-mode tools (ctx_execute, ctx_execute_file) instead of Bash/cat when processing large outputs. Triggers: "analyze logs", "summarize output", "process data", "parse JSON", "filter results", "extract errors", "check build output", "analyze dependencies", "process API response", "large file analysis", "page snapshot", "browser snapshot", "DOM structure", "inspect page", "accessibility tree", "Playwright snapshot", "run tests", "test output", "coverage report", "git log", "recent commits", "diff between branches", "list containers", "pod status", "disk usage", "fetch docs", "API reference", "index documentation", "call API", "check response", "query results", "find TODOs", "count lines", "codebase statistics", "security audit", "outdated packages", "dependency tree", "cloud resources", "CI/CD output". Also triggers on ANY MCP tool output that may exceed 20 lines. Subagent routing is handled automatically via PreToolUse hook.
besser-generators
Operational reference for BESSER code generators — covers per-generator options, generated file layout, regeneration/overwrite behavior, safe customization patterns, template overrides, and debugging generation failures. Use this skill whenever the user is configuring or running a BESSER generator (PythonGenerator, PydanticGenerator, SQLAlchemyGenerator, SQLGenerator, BackendGenerator, RESTAPIGenerator, DjangoGenerator, WebAppGenerator, ReactGenerator, BAFGenerator, QiskitGenerator, JSONSchemaGenerator, RDFGenerator, TerraformGenerator, PytorchGenerator, TFGenerator, FlutterGenerator, JavaGenerator), wondering "where does the output go", "will my edits survive regeneration", "how do I add custom endpoints to a generated FastAPI app", or "how do I switch the database dialect". Trigger on questions about generator parameters (`http_methods`, `nested_creations`, `dbms`, `containerization`, `backend_type`, `shots`, `generation_mode`), generated file paths, template overrides, or how to extend generated code witho
devops-automator
Expert DevOps engineer specializing in infrastructure automation, CI/CD pipeline development, and cloud operations
backend-engineering
Use this skill when designing backend systems, databases, APIs, or services. Triggers on schema design, database migrations, indexing strategies, distributed systems architecture, microservices, caching, message queues, observability setup, logging, metrics, tracing, SLO/SLI definition, performance optimization, query tuning, security hardening, authentication, authorization, API design (REST, GraphQL, gRPC), rate limiting, pagination, and failure handling patterns. Acts as a senior backend engineering advisor for mid-level engineers leveling up.
ci-cd-pipelines
Use this skill when setting up CI/CD pipelines, configuring GitHub Actions, implementing deployment strategies, or automating build/test/deploy workflows. Triggers on GitHub Actions, CI pipeline, CD pipeline, deployment automation, blue-green deployment, canary release, rolling update, build matrix, artifacts, and any task requiring continuous integration or delivery setup.
cloud-aws
Use this skill when architecting on AWS, selecting services, optimizing costs, or following the Well-Architected Framework. Triggers on EC2, S3, Lambda, RDS, DynamoDB, CloudFront, IAM, VPC, ECS, EKS, SQS, SNS, API Gateway, and any task requiring AWS architecture decisions, service selection, or cost management.
think-twice
Forces Claude to pause before picking an implementation approach and ask: "Is there a cleverer, cheaper way?" Triggers when the request involves generating data or fixtures (lists, datasets, sample records), implementing a problem that is likely already solved by a stdlib function, package, or public API (validation, parsing, lookups, auth, date/currency/geo data), or any implementation expected to exceed ~20 lines. Does NOT trigger when the user has explicitly chosen the approach or library, when the task is under ~10 lines, when fixing a bug in existing code, or for infra/terraform/k8s and DB queries. Run the checklist before writing code, stop at the first question that reveals a cheaper path, and take that path.
aws-solution-architect
Expert AWS solution architecture for startups focusing on serverless, scalable, and cost-effective cloud infrastructure with modern DevOps practices and infrastructure-as-code
devsecops-supply-chain-audit
Audit software supply chain across every ecosystem (npm, pip, Go, Ruby, Cargo, Maven, Docker, Terraform) — pinning, vulnerabilities, secrets, SBOM, signing, branch protection, CODEOWNERS. One sub-agent per ecosystem. Three modes.
iac-terraform-audit
Audit Terraform, OpenTofu, Terragrunt, and Pulumi modules for state, provider pinning, security (Checkov/tfsec), module hygiene, environment separation, drift, and cost. One sub-agent per module. Static, live, and apply modes.
operating-infra
Author, inspect, troubleshoot, and review infrastructure across IaC, Kubernetes, cloud resources, containers, CI/CD, and Linux hosts. Use when changing Terraform/OpenTofu, Kubernetes, Helm, Kustomize, Dockerfiles, GitHub Actions, AWS, GCP, Cloud Run, BigQuery, IAM, logs, instances, or service health. NOT for deploy/apply/rollback workflows (see deploying-infra). NOT for shell scripts or generic command pipelines (see writing-shell).
devops-engineer
Creates Dockerfiles, configures CI/CD pipelines, writes Kubernetes manifests, and generates Terraform/Pulumi infrastructure templates. Handles deployment automation, GitOps configuration, incident response runbooks, and internal developer platform tooling. Use when setting up CI/CD pipelines, containerizing applications, managing infrastructure as code, deploying to Kubernetes clusters, configuring cloud platforms, automating releases, or responding to production incidents. Invoke for pipelines, Docker, Kubernetes, GitOps, Terraform, GitHub Actions, on-call, or platform engineering.
adr
Capture architectural decisions as structured ADRs (Architecture Decision Records). Use when user says 'record this decision', 'ADR this', 'why did we choose X', 'document this trade-off', 'we decided to...', or when a significant choice is made between alternatives (framework, database, pattern, API design, infra approach).
ci
GitLab CI/CD pipeline review and scaffolding for Terraform and Helm/EKS deployments. Use when user says 'review my pipeline', 'check my gitlab-ci', 'scaffold a pipeline', 'is my CI correct', or when working in .gitlab-ci.yml files.
docker
Docker operations, Dockerfile best practices, Compose, image optimization, and registry workflows. Use when user says 'review my Dockerfile', 'optimize my image', 'reduce image size', 'container won't start', 'set up compose', 'multi-stage build', or when working in Dockerfile, docker-compose*.yml, or .dockerignore files.
github
GitHub repository operations — PRs, issues, releases, branch protection, CODEOWNERS, security settings. Use when user says 'review my PR', 'create a release', 'set up branch protection', 'add CODEOWNERS', 'audit repo settings', or asks about GitHub repo configuration.
github-actions
GitHub Actions workflow review, scaffolding, and security hardening. Use when user says 'review my workflow', 'check my actions', 'scaffold a workflow', 'is my CI correct', 'pin actions', 'OIDC to AWS', or when working in .github/workflows/*.yml files.
k8s
Kubernetes and Helm review and scaffolding for EKS workloads. Use when user says 'review my helm values', 'before I deploy', 'scaffold a new service', 'check values.yaml', or when working in values.yaml, Chart.yaml, or Helm template files.
tf
Generic Terraform review, scaffolding, and version upgrades for AWS infrastructure using the terraform-aws-modules ecosystem. Use when user says 'review my terraform', 'before I raise an MR', 'scaffold a lambda/rds/s3/eks/vpc', 'check my .tf files', 'upgrade provider', or when working in .tf or .tfvars files. NOTE: if the repo has an `_modules/` directory wrapping `clouddrove/*/aws` modules, use /clouddrove:wrapper-tf instead — the two patterns conflict.
wrapper-tf
Team standard for AWS Terraform repos built on the CloudDrove wrapper-module pattern. Use when working in a repo with an `_modules/` directory that wraps `clouddrove/*/aws` modules, scaffolding a new wrapper module, generating Terraform GitHub Actions CI, reviewing wrapper-pattern PRs, or mapping the pattern to SOC2/GDPR controls. Supersedes /tf on CloudDrove repos.
terraform-iac-expert
Terraform and OpenTofu infrastructure as code — module design, state management, multi-environment setups, remote backends, secrets management, CI/CD integration. NOT for Pulumi, CDK, Ansible, or Kubernetes manifests.
terraform
Terraform and OpenTofu configuration, modules, testing, state management, and HCL review. Use for "terraform module", "terraform test", "infrastructure as code", "IaC", "HCL", "tfvars", "terraform plan", "terraform apply", "OpenTofu", "tftest", or multi-environment patterns.
terraform-module-library
Build reusable Terraform modules for AWS, Azure, and GCP infrastructure following infrastructure-as-code best practices. Use when creating infrastructure modules, standardizing cloud provisioning, or implementing reusable IaC components.
openstack-heat
OpenStack Heat orchestration service skill. Use when working with HOT templates, stack lifecycle management, auto-scaling groups, nested stacks, resource type registry, template validation, or infrastructure-as-code patterns within OpenStack. Covers deployment via Kolla-Ansible, template authoring, stack operations, and troubleshooting common orchestration failures.
analyzing-projects
Analyzes codebases to understand structure, tech stack, patterns, and conventions. Use when onboarding to a new project, exploring unfamiliar code, or when asked "how does this work?" or "what's the architecture?"
aws-solution-architect
Expert AWS solution architecture for startups focusing on serverless, scalable, and cost-effective cloud infrastructure with modern DevOps practices and infrastructure-as-code
azure-deploy
Execute deployment to Azure. Final step after preparation and validation. Runs azd up, azd deploy, or infrastructure provisioning commands. USE FOR: run azd up, run azd deploy, execute deployment, provision infrastructure, push to production, go live, ship it, deploy web app, deploy container app, deploy static site, deploy Azure Functions, bicep deploy, terraform apply. DO NOT USE FOR: creating or building apps (use azure-prepare), validating before deploy (use azure-validate).
azure-prepare
Default entry point for Azure application development. Invoke this skill for ANY application work related to Azure: creating apps, building features, adding components, updating code, migrating, or modernizing. Analyzes your project and prepares it for Azure deployment by generating infrastructure code (Bicep/Terraform), azure.yaml configuration, and Dockerfiles. USE FOR: create an app, build a web app, create API, create frontend, create backend, add a feature, build a service, make an application, develop a project, migrate my app, modernize my code, update my application, add database, add authentication, add caching, deploy to Azure, host on Azure, Azure with Terraform (defaults to azd+Terraform), Azure with azd, generate azure.yaml, generate Bicep or Terraform, prepare Azure Functions. DO NOT USE FOR: only validating an already-prepared app (use azure-validate), only running azd up/deploy (use azure-deploy), pure Terraform without azd (prefer azd+Terraform).
devops-iac-engineer
Implements infrastructure as code using Terraform, Kubernetes, and cloud platforms. Designs scalable architectures, CI/CD pipelines, and observability solutions. Provides security-first DevOps practices and site reliability engineering guidance.
infrastructure
Infrastructure as Code patterns for deploying Guts nodes using Terraform, Docker, and Kubernetes
senior-devops
Comprehensive DevOps skill for CI/CD, infrastructure automation, containerization, and cloud platforms (AWS, GCP, Azure). Includes pipeline setup, infrastructure as code, deployment automation, and monitoring. Use when setting up pipelines, deploying applications, managing infrastructure, implementing monitoring, or optimizing deployment processes.
slb
Simultaneous Launch Button - Two-person rule for destructive commands in multi-agent workflows. Risk-tiered classification, command hash binding, 5 execution gates, client-side execution with environment inheritance. Go CLI.
terraform-module-library
Build reusable Terraform modules for AWS, Azure, and GCP infrastructure following infrastructure-as-code best practices. Use when creating infrastructure modules, standardizing cloud provisioning, or implementing reusable IaC components.
bicep-avm-mastery
Azure Verified Modules (AVM), Bicep best practices, and MCP-powered infrastructure as code for Azure
ccc-devops
Complete DevOps ecosystem — 21 skills in one. Deployments, CI/CD, containers, AWS, monitoring, security, IaC, networking, and runbooks.
keycloak-iam
Operate, configure, deploy, secure, and integrate with Keycloak (open-source IAM) — the modern Quarkus distribution (24.x–26.6.x), the Keycloak Operator with `Keycloak` and `KeycloakRealmImport` CRDs, and realm/client/identity-provider configuration.
devops-engineer
DevOps Engineer (/devops) - Senior DevOps Engineer with 12+ years cloud infrastructure experience. Use when setting up cloud infrastructure, writing Terraform configurations (loads references/terraform.md), creating Kubernetes manifests, building CI/CD pipelines with GitHub Actions, configuring Docker, or managing secrets.
terraform
Terraform infrastructure as code
aws-well-architected-review
Reviews AWS architectures, IaC, and design docs against the AWS Well-Architected Framework's six pillars, producing a findings report with pillar-mapped risks (High/Medium) and concrete remediation. Loads only the pillars relevant to the change. Use for AWS architecture reviews, not generic code review. Triggers on: "well-architected review", "review this AWS architecture", "WAR review", "check this design against AWS best practices", "review my Terraform/CDK for AWS pitfalls", "is this architecture production-ready".
terraform-module
Creates Terraform modules following AWS Well-Architected Framework best practices. Generates variable definitions, outputs, documentation, and module composition patterns for common AWS services including VPC, ECS, Lambda, RDS, and S3. Triggers on: "create Terraform module", "infrastructure as code", "IaC", "provision AWS resources".
cicd-pipelines
CI/CD pipeline design and DevOps automation — use when the user mentions GitHub Actions, GitLab CI, Jenkins, Terraform, infrastructure as code, DevSecOps, ArgoCD, Kubernetes deployment automation, or pipeline configuration YAML. NOT for release orchestration or semantic-release workflows (use git-workflow), NOT for Docker containers or Dockerfiles (use docker-containerization), NOT for git branching or commits (use git-workflow).
alchemy-infra
Sets up Alchemy (alchemy-run/alchemy, Infrastructure-as-TypeScript) in any codebase — new project scaffold OR add to existing app. Wires Cloudflare/AWS providers, state backend, secrets, and binding types end-to-end with strict secret hygiene. USE THIS SKILL whenever the user mentions "alchemy", "alchemy.run", "Infrastructure as TypeScript", or asks to deploy a Worker/Lambda/D1/R2/KV/Queue/DO via TS, add a state backend, configure ALCHEMY_PASSWORD, generate alchemy.run.ts, replace SST/Pulumi/CDK/Terraform with Alchemy, or scaffold a Cloudflare/AWS app from TypeScript. Trigger even when the user does not say "alchemy" explicitly but describes the workflow (e.g., "deploy a Worker with KV in pure TS", "TypeScript IaC", "wire D1 + Drizzle to a Worker", "set up Cloudflare bindings without wrangler.toml").
vanguard-frontier-agentic-install
Install all Vanguard Frontier Agentic Codex agents and companion skills into the current user's ~/.codex home after adding or installing the plugin marketplace.
deploy
Deployment strategy, production-readiness gating, and rollback planning for AWS/EKS services. Use when user says 'how should I deploy this', 'blue-green or canary', 'are we ready to ship', 'production readiness', 'plan a rollback', 'pre-deploy check', or before a first production release. Pairs with /k8s, /ci, /github-actions, /tf which own the per-artifact checks.
finops
AWS cost optimization — waste detection, right-sizing, Savings Plans, RIs, EKS cost, multi-account governance. Use when user says 'reduce AWS bill', 'find waste', 'right-size this', 'should I buy SP or RI', 'gp2 vs gp3', 'EKS is expensive', 'NAT gateway cost', or asks about AWS cost optimization.
owasp
Security review against OWASP Top 10:2025, ASVS 5.0, and Agentic AI risks. Use when user says 'review for security', 'is this secure', 'check for vulnerabilities', 'review auth/authorization', 'check input handling', or when writing cryptography, session management, or AI agent code.
skill-creator
Create new skills, modify and improve existing skills, and measure skill performance. Use when users want to create a skill from scratch, edit, or optimize an existing skill, run evals to test a skill, benchmark skill performance with variance analysis, or optimize a skill's description for better triggering accuracy.
terraform-skills
Terraform IaC patterns, modules, and best practices
gcp-architecture-best-practices-reviewer
Evidence-backed review of Google Cloud Platform architecture against GCP best practices and CIS GCP Foundation Benchmark concepts. Use when reviewing Terraform, Kubernetes/GKE manifests, network topology, IAM, Cloud SQL, KMS, Cloud Storage, Secret Manager, or CI/CD config for security, reliability, cost, and compliance gaps. Read-only — produces findings only.
devops-engineer
Use when setting up CI/CD pipelines, containerizing applications, or managing infrastructure as code. Invoke for pipelines, Docker, Kubernetes, cloud platforms, GitOps.
define-deployment
Capture deployment characteristics for both production and development — hosting, IaC, CI/CD, secrets, observability, local dev environment, containerization, hot reload, and seed data. Use when the project-builder agent is gathering deployment information.
azure-confidential-ledger
Expert knowledge for Azure Confidential Ledger development including decision making, security, integrations & coding patterns, and deployment. Use when configuring Entra auth, ACL roles, UDFs, client SDKs, transaction receipts, or ARM/Terraform deployments, and other Azure Confidential Ledger related development tasks. Not for Azure Confidential Computing (use azure-confidential-computing), Azure Virtual Enclaves (use azure-virtual-enclaves), Azure Key Vault (use azure-key-vault), Azure Dedicated HSM (use azure-dedicated-hsm).
azure-copilot
Expert knowledge for Azure Copilot development including troubleshooting, decision making, architecture & design patterns, security, configuration, and integrations & coding patterns. Use when sizing VMs, generating Bicep/Terraform, configuring Cosmos DB storage, or debugging App Service/VM disks, and other Azure Copilot related development tasks. Not for Azure AI services (use microsoft-foundry-tools), Azure Machine Learning (use azure-machine-learning), Azure AI Search (use azure-cognitive-search), Azure AI Bot Service (use azure-bot-service).
web-infra-plan
Produce a sprint INFRA.md covering Terraform / gcloud changes — dry-run plan, IAM diff, cost estimate, rollback. Coordinator-only — does not apply infra changes. Pauses for user confirmation. Bias toward GCP+Terraform but works with Pulumi / CloudFormation / Serverless / CDK.
careful
Intercept destructive commands before execution — rm -rf, DROP TABLE, force-push, git reset --hard, and similar irreversible operations. Prompts for confirmation and suggests safer alternatives. Inspired by gstack's careful skill.
dependency-versions
MUST consult this skill before answering whenever the user's task involves external versioned dependencies — even if you think you can handle it directly. This applies to: checking if packages/tools are up to date, upgrading npm/pip/cargo/go dependencies, planning or writing CI/CD workflows (GitHub Actions, CircleCI, GitLab CI), pinning action versions, reviewing Dockerfiles or base images, checking Terraform providers or modules for drift, reviewing Helm chart versions, verifying Kubernetes/EKS/cloud resource versions, updating pre-commit hooks, writing Dependabot configs, or any task where the user mentions specific version numbers, package names, or config files like package.json, pyproject.toml, Dockerfile, .pre-commit-config.yaml, main.tf, or values.yaml. Even casual requests like "is this still current" or "has anything drifted" require this skill because your training data is unreliable for volatile version facts. Do NOT use for: refactoring code, writing tests, debugging errors, designing APIs, or tas
architecture-runtime-topology
Use when code work touches runtime shape: services, app/CLI/background flows, deployment/IaC, observability, resilience, external integrations, ownership, and runtime coupling.
meremoth-devops-craft
How Meremoth builds CI/CD pipelines — GitLab CI / GitHub Actions stages, secret marshalling via SOPS, hash-based config drift detection, SSH-direct deploy patterns, the prepare-not-execute rule, and the "check the CI AND the remote script" diverge-silently rule. Invoke when a pipeline or release-automation change is in scope.
meshullam-infra-design-craft
How Meshullam designs infrastructure topology — C4 diagrams, Docker Compose / Terraform / Helm structure, network layout, service connections, the no-:latest rule and resource-tagging discipline, the explicit-trade-off requirement on every topology decision. Invoke when an IaC change or topology decision is in scope.
nexus-infra
Use for infrastructure design, deployment architecture, cloud cost planning, or infra audits. Trigger on IaC reviews, "what should I deploy with", bill spikes, production-readiness checks, and paid-to-cheaper replacement requests. Route to design, evaluate, or free-alternatives flow. When in doubt, use this skill.
tenet-accessibility
Audits web accessibility issues in HTML, JSX, TSX, Vue, and Svelte UI code.
tenet-debt
Audits TODO/FIXME debt, commented code, deprecated APIs, stubs, and temporary flags.
tenet-dependencies
Audits dependencies for CVEs, stale packages, duplicates, unused deps, and outdated versions.
tenet-infra-cloud
Audits IaC and cloud risks: exposure, IAM wildcards, encryption, buckets, Kubernetes, and drift.
tenet-performance
Audits performance risks: N+1 queries, sync I/O, indexes, leaks, bundles, and rerenders.
tenet-privacy-data
Audits PII handling, consent, retention, deletion/export flows, redaction, and analytics exposure.
tenet-security
Audits security vulnerabilities including injection, auth, validation, crypto, SSRF, CORS, and CSRF.
ops-preflight
Codex deep ops-safety review of a proposed Bash command BEFORE it executes. Invoke MANUALLY (via /ops-preflight) when the ops-risk-triage hook has emitted an `ask` for an infra_mutation, external_read, destructive, or unknown command and you want a second opinion on blast radius / rollback / required post-checks before approving. NOT for code review (use go-code-review). NOT auto-invoked.
data-breach-blast-radius
Proactive blast radius analysis before a breach: sensitive data inventory, flow tracing, regulatory fine estimation (GDPR/CCPA/HIPAA), hardening roadmap. Triggers: /data-breach-blast-radius, breach impact.
fix
Fix issues end-to-end across data pipelines (Airflow/dbt), app stack (backend/frontend), and infra (CI/CD, Terraform, K8s). Scout → diagnose → apply at root cause → verify with fresh evidence → add regression guard. Use for failing DAGs, dbt test failures, 5xx, UI regressions, GH Actions failures, terraform drift, CrashLoopBackOff, lint/type errors. Stops after 3 failed attempts to question architecture.
cloud-infrastructure
Cloud infrastructure design and infrastructure-as-code (IaC) authoring. Use for Terraform module authoring, AWS CDK constructs, cloud architecture design (VPCs, load balancers, managed services, serverless), multi-region and disaster-recovery patterns, cost-optimisation analysis, and IaC code review. Trigger phrases: "write Terraform for", "design the AWS architecture", "set up a VPC", "convert this to CDK", "optimise our cloud costs". NOT for application-layer code — this skill models infrastructure, not the code running on it. NOT for Kubernetes application manifests (Deployments, Services, Ingress) — those belong in a k8s-specific skill. NOT for CI/CD pipeline configuration — that is a deployment concern separate from infrastructure provisioning.
github-actions-creator
Use when the user wants to create, generate, or set up a GitHub Actions workflow. Handles CI/CD pipelines, testing, deployment, linting, security scanning, release automation, Docker builds, scheduled tasks, and any custom workflow for any language or framework.
a11y-gate
Audit and fix web accessibility to WCAG 2.2 AA, gated by automated checks that actually run — axe-core via Playwright for violations, scripted keyboard/focus and reflow audits, plus a mandatory manual + screen-reader checklist. Use when the user wants to make a site/app/page accessible, fix a11y or WCAG/ADA/Section 508 issues, add an accessibility CI gate, run an axe/Lighthouse-style audit, check keyboard navigation, color contrast, ARIA, screen-reader support, or remediate accessibility violations. Triggers: "accessibility", "a11y", "WCAG", "ADA compliance", "screen reader", "keyboard navigation", "axe audit".
dbt-data-quality-gate
Enforce data quality, testing, contracts, and PII governance in a dbt project, gated by checks that actually run over dbt's compiled artifacts (target/manifest.json, target/run_results.json) — both plain JSON, so the gate is stdlib-only Python with no warehouse connection. Use when the user wants to add a data-quality CI gate, require tests/descriptions/owners on dbt models, enforce data contracts, check source freshness, find untagged PII columns, set a minimum test count or test pass-rate, or harden a data pipeline before merge. Triggers: "dbt", "data quality", "data contracts", "PII", "data tests", "freshness", "data pipeline gate".
healthcare-data-interop
Build and validate healthcare-data pipelines and de-identify PHI, gated by checks that actually run — structural FHIR R4 validation, HL7 v2.x parsing, a Safe-Harbor PHI regex scan, and pydicom-based DICOM header de-identification with a re-read verify step. Use when the user works with DICOM, HL7 v2, or FHIR data; needs to ingest/transform/map clinical data; wants to de-identify or anonymize PHI; checks interoperability conformance; or builds a healthcare data pipeline. Triggers: "DICOM", "HL7", "FHIR", "de-identify PHI", "anonymize patient data", "healthcare data pipeline", "interoperability", "Safe Harbor", "US Core", "IHE".
iac-compliance-review
Review Terraform / infrastructure-as-code for security and compliance gaps and EU data residency, gated by a check that actually runs over the plan — it parses `terraform show -json` output, applies a policy catalog (public storage, unencrypted data, open security groups, wildcard IAM, missing logging, non-EU regions, missing tags, public IPs), maps each finding to ISO 27001 Annex A / SOC 2 TSC / GDPR articles, and fails the build on blocking-severity findings. Use when the user wants an IaC security or compliance review, a cloud-config audit, a data-residency check, or to gate Terraform in CI. Triggers: "Terraform", "infrastructure as code", "IaC security", "cloud compliance", "data residency", "ISO 27001", "SOC 2", "GDPR", "encryption", "IAM".
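As an added worked example (not code from the iac-compliance-review or tenet-infra-cloud skills), the mechanism those two entries describe, in miniature: a policy gate that reads `terraform show -json` output, walks every planned resource including child modules, applies a few rules from the catalog (wildcard IAM, world-open ingress, unencrypted RDS, public bucket ACL, missing tags), and fails only on blocking severity. The plan document is constructed, the resource and attribute names are those of the AWS provider, and the ISO 27001 / SOC 2 / GDPR references are illustrative rather than an authoritative control mapping.

```python
"""Policy gate over the JSON that `terraform show -json tfplan` emits.
Added example, not the skill's own code: reads planned_values only and applies a
few rules from the catalog above; the control references are illustrative."""
import json
import sys

BLOCKING, WARNING = "blocking", "warning"
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
TAGGABLE = {"aws_iam_policy", "aws_db_instance", "aws_vpc_security_group_ingress_rule"}
# Illustrative control references; confirm them against your own compliance mapping.
CONTROLS = {"wildcard_iam": "ISO 27001 A.5.15 / SOC 2 CC6.1", "public_acl": "ISO 27001 A.5.15 / SOC 2 CC6.1",
            "open_ingress": "ISO 27001 A.8.20 / SOC 2 CC6.6", "unencrypted_db": "ISO 27001 A.8.24 / GDPR Art. 32",
            "missing_tags": "internal tagging standard"}

# Constructed sample plan, trimmed to the fields the checks read; not real output.
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {
    "resources": [
        {"address": "aws_iam_policy.admin", "type": "aws_iam_policy", "values": {
            "tags": {"owner": "platform"}, "policy": json.dumps({"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
        {"address": "aws_vpc_security_group_ingress_rule.ssh", "type": "aws_vpc_security_group_ingress_rule",
         "values": {"cidr_ipv4": "0.0.0.0/0", "cidr_ipv6": None, "ip_protocol": "tcp",
                    "from_port": 22, "to_port": 22, "tags": None}},
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "values": {"storage_encrypted": False, "tags": {"owner": "app"}}}],
    "child_modules": [{"address": "module.storage", "resources": [
        {"address": "module.storage.aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
         "values": {"acl": "public-read"}}]}]}}}

def iter_resources(module: dict):
    """Yield every planned resource in root_module and, recursively, its child_modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def _statements(policy) -> list:
    """IAM documents are JSON strings in the plan; normalise to a list of statements."""
    try:
        doc = json.loads(policy) if isinstance(policy, str) else policy
    except ValueError:
        return []
    stmts = doc.get("Statement", []) if isinstance(doc, dict) else []
    return stmts if isinstance(stmts, list) else [stmts]

def _wild(value) -> bool:  # a literal "*"; service wildcards such as s3:* are not flagged here
    return "*" in (value if isinstance(value, list) else [value])

def check_wildcard_iam(r: dict):
    if r["type"] in {"aws_iam_policy", "aws_iam_role_policy"}:
        for s in _statements(r["values"].get("policy")):
            if s.get("Effect") == "Allow" and _wild(s.get("Action")) and _wild(s.get("Resource")):
                return BLOCKING, "wildcard_iam", "Allow with Action=* and Resource=*"

def check_open_ingress(r: dict):
    v = r["values"]
    if r["type"] == "aws_vpc_security_group_ingress_rule" and {v.get("cidr_ipv4"), v.get("cidr_ipv6")} & OPEN_CIDRS:
        return BLOCKING, "open_ingress", f"world-open ingress on ports {v.get('from_port')}-{v.get('to_port')}"

def check_unencrypted_db(r: dict):
    # None (unknown until apply) also fails: the gate is deliberately conservative.
    if r["type"] == "aws_db_instance" and r["values"].get("storage_encrypted") is not True:
        return BLOCKING, "unencrypted_db", "storage_encrypted is not true"

def check_public_acl(r: dict):
    acl = str(r["values"].get("acl") or "")
    if r["type"] in {"aws_s3_bucket", "aws_s3_bucket_acl"} and acl.startswith("public-"):
        return BLOCKING, "public_acl", f"acl={acl}"

def check_missing_tags(r: dict):
    if r["type"] in TAGGABLE and not r["values"].get("tags"):
        return WARNING, "missing_tags", "no tags set"

CHECKS = [check_wildcard_iam, check_open_ingress, check_unencrypted_db, check_public_acl, check_missing_tags]

def evaluate(plan: dict) -> list:
    """Run every check over every planned resource; one finding per (resource, rule) hit."""
    findings = []
    for r in iter_resources(plan["planned_values"]["root_module"]):
        for sev, rule, detail in filter(None, (check(r) for check in CHECKS)):
            findings.append({"address": r["address"], "severity": sev, "rule": rule,
                             "detail": detail, "control": CONTROLS[rule]})
    return findings

def passes_gate(findings: list) -> bool:
    """Fail the build only on blocking findings; warnings are reported but do not block."""
    return not any(f["severity"] == BLOCKING for f in findings)

if __name__ == "__main__":  # usage: python gate.py tfplan.json   (no argument: the sample plan)
    plan = SAMPLE_PLAN if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    found = evaluate(plan)
    print(*[f"[{f['severity']}] {f['address']}: {f['rule']} ({f['detail']}; {f['control']})" for f in found], sep="\n")
    sys.exit(0 if passes_gate(found) else 1)
```

Against a real plan, run `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass plan.json; the process exit code is the CI gate. A production catalog would also read `resource_changes` so that resources being destroyed are not scored, and would check provider region and missing logging, which this example leaves out.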
medical-ai-compliance-gate
Audit a medical/health-AI codebase or data pipeline against GDPR, EU MDR, ISO 27001, and SOC 2 — gated by automated checks that actually run. A stdlib Python scanner runs ~29 heuristics from a 47-control catalog (hardcoded secrets, PII/PHI in logs, encryption at rest, TLS, audit logging, retention/erasure, RBAC, EU data residency, consent, model cards, data lineage, SBOM, dependency pinning, CI/tests/monitoring), maps each finding to its control + framework + severity, fails the build on blocking gaps, and sends the rest to a mandatory human attestation. Use for a compliance/readiness audit or gap analysis, a healthcare/medical-AI compliance checklist or CI gate, or a DPIA/RoPA starting point. Honest scope: engineering assistance to PREPARE for compliance — NOT legal advice, certification, an MDR conformity assessment/CE marking, or a Notified Body, ISO, or SOC 2 audit. Triggers: "GDPR", "MDR", "medical device software", "MDSW", "ISO 27001", "SOC 2", "compliance gate", "DPIA", "healthcare AI audit".
odoo-addon-publisher
Produce sale-ready Odoo addons/modules that follow the Odoo Apps Store vendor guidelines for Odoo 18.0 and 19.0, gated by a validator that runs. Scaffolds a guideline-compliant module (manifest, company/vendor info, OPL-1 licensing, static/description/index.html, icon, cover image and screenshots) and verifies any addon against the rules. Use when the user wants to build, package, publish or submit an Odoo app/module/addon, fix a __manifest__.py, prepare an App Store listing, add a cover image/icon/screenshots, or check Odoo Apps compliance. Triggers: "Odoo module/addon/app", "publish to Odoo Apps", "__manifest__.py", "OPL-1", "Odoo App Store", "Odoo 18 / 19 module".
rag-eval-guardrails
Build a verified eval harness for a RAG/LLM feature plus PII/PHI-leakage guardrails, gated by checks that actually run. Scores a precomputed predictions file (so it runs with ZERO API access) on groundedness, citation validity, retrieval hit@k, answer F1/exact-match, refusal rate, and latency; compares to config thresholds and a baseline to catch regressions; and fails the build on PII/PHI leakage. Use when the user wants to evaluate or regression-test an AI/RAG feature, measure hallucination/groundedness, add an eval gate to CI, or scan prompts/answers/logs for leaked identifiers. Triggers: "RAG evaluation", "LLM eval", "eval harness", "hallucination", "groundedness", "PII/PHI leakage", "guardrails", "regression testing for AI features".
webflow-to-react
Convert a Webflow page or site into a pixel-perfect React implementation (Vite or Next.js) with Playwright visual-regression testing as the correctness gate. Use when the user wants to migrate, port, rebuild, clone, or recreate a Webflow design 1:1 in React, move off Webflow, or set up screenshot/visual-diff testing of a rebuilt page against the original. Triggers: "convert Webflow to React", "rebuild this Webflow site in Next.js", "pixel-perfect clone", "visual regression vs the original".
ecto-thinking
This skill should be used when the user asks to "add a database table", "create a new context", "query the database", "add a field to a schema", "validate form input", "fix N+1 queries", "preload this association", "separate these concerns", or mentions Repo, changesets, migrations, Ecto.Multi, has_many, belongs_to, transactions, query composition, or how contexts should talk to each other.
elixir-thinking
This skill should be used when the user asks to "implement a feature in Elixir", "refactor this module", "should I use a GenServer here?", "how should I structure this?", "use the pipe operator", "add error handling", "make this concurrent", or mentions protocols, behaviours, pattern matching, with statements, comprehensions, structs, or coming from an OOP background. Contains paradigm-shifting insights.
oban-thinking
This skill should be used when the user asks to "add a background job", "process async", "schedule a task", "retry failed jobs", "add email sending", "run this later", "add a cron job", "unique jobs", "batch process", or mentions Oban, Oban Pro, workflows, job queues, cascades, grafting, recorded values, job args, or troubleshooting job failures.
otp-thinking
This skill should be used when the user asks to "add background processing", "cache this data", "run this async", "handle concurrent requests", "manage state across requests", "process jobs from a queue", "this GenServer is slow", or mentions GenServer, Supervisor, Agent, Task, Registry, DynamicSupervisor, handle_call, handle_cast, supervision trees, fault tolerance, "let it crash", or choosing between Broadway and Oban.
phoenix-thinking
This skill should be used when the user asks to "add a LiveView page", "create a form", "handle real-time updates", "broadcast changes to users", "add a new route", "create an API endpoint", "fix this LiveView bug", "why is mount called twice?", or mentions handle_event, handle_info, handle_params, mount, channels, controllers, components, assigns, sockets, or PubSub. Essential for avoiding duplicate queries in mount.
deploying-on-gcp
Implement applications using Google Cloud Platform (GCP) services. Use when building on GCP infrastructure, selecting compute/storage/database services, designing data analytics pipelines, implementing ML workflows, or architecting cloud-native applications with BigQuery, Cloud Run, GKE, Vertex AI, and other GCP services.
writing-infrastructure-code
Managing cloud infrastructure using declarative and imperative IaC tools. Use when provisioning cloud resources (Terraform/OpenTofu for multi-cloud, Pulumi for developer-centric workflows, AWS CDK for AWS-native infrastructure), designing reusable modules, implementing state management patterns, or establishing infrastructure deployment workflows.
infra-audit
Infrastructure and CI/CD security audit - GitHub Actions workflows (pwn-request, secret logging, missing pinning, permissions overreach), Dockerfile (latest tag, USER root, ADD on URL), Kubernetes manifests (runAsNonRoot, privileged containers, hostNetwork), Terraform (IAM wildcards, state in git, module pinning), GitLab CI equivalent checks. Stack-agnostic.
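An added worked example (not the infra-audit skill's own code) for two of the pinning checks it lists: Terraform module sources that float (a registry module without an exact `version`, a git source without `?ref=` or with a branch ref) and GitHub Actions `uses:` references that point at tags or branches rather than full commit SHAs, with `docker://` images checked for a digest. The inputs are constructed, including the 40-hex SHA, and the checks are regex lints over raw file text rather than HCL or YAML parsing, so unusual layouts can slip past them.

```python
"""Pinning lint for Terraform module sources and GitHub Actions `uses:` references.
Added example, not the infra-audit skill's own code. Regex over raw *.tf and workflow
text, not an HCL/YAML parser: good enough for a CI warning, not a formal proof."""
import re
from typing import Dict, List, Optional

FLOATING_REFS = {"main", "master", "develop", "HEAD"}
EXACT_VERSION = re.compile(r"=?\s*\d+\.\d+\.\d+$")      # "5.1.2" or "= 5.1.2"; "~> 5.0" is a range
FULL_SHA = re.compile(r"[0-9a-f]{40}$")                  # only a full commit SHA is immutable
MODULE_BLOCK = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
USES_REF = re.compile(r"uses:\s*([^\s#]+)")

# Constructed sample inputs; not taken from a real repository.
SAMPLE_TF = '''
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"
}
module "bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
}
module "tooling" {
  source = "git::https://github.com/example-org/tf-tooling.git?ref=v2.3.0"
}
module "legacy" {
  source = "git::https://github.com/example-org/tf-legacy.git"
}
module "local_net" {
  source = "./modules/network"
}
'''
SAMPLE_WORKFLOW = '''
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a  # constructed SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: docker/login-action@main
'''

def _attr(body: str, name: str) -> Optional[str]:
    """Pull a quoted string attribute (source, version) out of a module block body."""
    m = re.search(r'\b%s\s*=\s*"([^"]+)"' % name, body)
    return m.group(1) if m else None

def module_problem(source: str, version: Optional[str]) -> Optional[str]:
    """Return why a module source is not reproducibly pinned, or None if it is."""
    if source.startswith(("./", "../")):
        return None  # local path: pinned by the repository's own commit
    if source.startswith("git::") or ".git" in source or "github.com/" in source:
        m = re.search(r"[?&]ref=([^&]+)", source)
        if not m:
            return "unpinned: git source without ?ref="
        return "floating: ?ref= points at a branch" if m.group(1) in FLOATING_REFS else None
    if "://" not in source:  # registry shorthand such as namespace/name/provider
        if version is None:
            return "unpinned: registry module without version"
        return None if EXACT_VERSION.match(version) else "range: version is a constraint, not an exact pin"
    return None

def check_terraform_modules(text: str) -> List[Dict[str, str]]:
    findings = []
    for m in MODULE_BLOCK.finditer(text):
        name, body = m.group(1), m.group(2)
        source = _attr(body, "source") or ""
        problem = module_problem(source, _attr(body, "version"))
        if problem:
            findings.append({"module": name, "source": source, "problem": problem})
    return findings

def uses_problem(ref: str) -> Optional[str]:
    """Return why a `uses:` reference is mutable, or None if it is immutably pinned."""
    if ref.startswith("./"):
        return None  # action in the same repo, pinned by the checked-out commit
    if ref.startswith("docker://"):
        return None if "@sha256:" in ref else "tag, not digest: image can change under the same tag"
    _, _, version = ref.partition("@")
    return None if FULL_SHA.match(version) else "mutable ref: tag or branch instead of a full commit SHA"

def check_workflow_uses(text: str) -> List[Dict[str, str]]:
    findings = []
    for ref in USES_REF.findall(text):
        problem = uses_problem(ref)
        if problem:
            findings.append({"uses": ref, "problem": problem})
    return findings

if __name__ == "__main__":
    for f in check_terraform_modules(SAMPLE_TF) + check_workflow_uses(SAMPLE_WORKFLOW):
        print(f)
```

On the sample inputs the lint reports the `bucket` and `legacy` modules and three of the five `uses:` lines; the SHA-pinned action, the local action and the local module pass. Treating a tag such as `@v4` as mutable is intentional: a tag can be moved to new commits, which is exactly the supply-chain risk SHA pinning removes.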
argocd-operations
Designs and debugs ArgoCD ApplicationSets, picks generators, templates per-tenant deploys, configures sync waves and hooks, and untangles syncPolicy.automated prune/selfHeal. Use when working with ArgoCD, ApplicationSet, sync wave, GitOps, or per-tenant Application deploys.
aws-codepipeline-codebuild
Authors and debugs AWS CodePipeline + CodeBuild workflows — pipeline v1 vs v2 (triggers, variables), source providers via CodeStar Connections, artifact handoff, buildspec.yml authoring, IAM service roles, ECR pull permissions, VPC build environments, S3/local caching strategies, Lambda invoke action callback pattern, and manual approval setup. Use when working with AWS CodePipeline, AWS CodeBuild, buildspec.yml, CodeStar Connections, pipeline service roles, build VPC config, or "CodeBuild can't pull image" / "Lambda action hangs" debugging.
aws-cost-investigation
Diagnoses AWS cost spikes and audits accounts for ongoing waste. Cost Explorer + Cost & Usage Report query patterns, anomaly detection, the cost-trap inventory (forever log groups, NAT egress, unattached EBS/EIPs, idle ELBs, incomplete S3 multipart uploads, gp2/gp3 migration), commitment decision rules (Compute SP vs EC2 Instance SP vs RI), and the cost-allocation-tag activation trap. Use when working with AWS billing, "bill is up", `aws ce`, Cost Explorer, Cost and Usage Report, Savings Plans, Reserved Instances, NAT vs VPC endpoint trade-offs, or AWS cost optimization.
claude-md-optimizer
Analyzes and optimizes CLAUDE.md files following Anthropic's official best practices. Use when reviewing existing CLAUDE.md for improvements, or when user mentions CLAUDE.md is too long or ineffective.
cloud-storage-identification
Identifies which object-storage provider an S3-compatible target actually hits, from endpoint URLs, env vars, or Terraform provider blocks. Prevents AWS-default assumptions on GCS/DO Spaces/R2/Hetzner/B2/MinIO. Use when working with boto3, `aws_s3_bucket`, rclone, s3cmd, or S3-compatible storage.
cloudflare-access-mcp
Adds OAuth/SSO to a remote MCP server using Cloudflare. Three paths — AI Controls MCP Portal (REST, fastest), self-hosted Access app with Managed OAuth (REST), and the same as Terraform (when IaC already exists) — with a decision matrix, REST recipes per path, Terraform templates for the IaC path, and a stdlib validator that lints a `terraform show -json` plan. Use when the user asks to put an MCP server behind Cloudflare, add OAuth/SSO to a remote MCP server, expose a private MCP server via Cloudflare Tunnel, register MCP servers with the AI Controls portal, enable Managed OAuth or DCR on an Access app, or wire Claude Desktop / claude.ai web / Claude Code to an internal MCP server.
cloudflare-cf-cli
Operates Cloudflare's new unified `cf` CLI (technical preview, April 2026) — install path, flag conventions, the local-vs-remote default trap, coexistence with Wrangler and `wrangler.jsonc`, and agent-mode usage via the Local Explorer OpenAPI. Use when the user mentions `cf`, `npx cf`, "the new Cloudflare CLI", or is choosing between `cf` / `wrangler` / REST / Terraform.
cloudflare-dns-zones
Operates Cloudflare DNS zones and records via the REST API (curl + jq) — token scoping, zone discovery, record CRUD, batch operations, BIND import/export, proxied vs DNS-only decisions, CNAME flattening at apex, DNSSEC, and DNS-01 ACME challenge wiring with cert-manager. Use when working with Cloudflare DNS, `api.cloudflare.com`, `CF_API_TOKEN`, zone records, DNS-01 challenges, mail records (MX/SPF/DKIM/DMARC), or "orange cloud / grey cloud" proxy decisions.
cloudflare-workers
Authors and reviews Cloudflare Workers projects — wrangler config (toml/jsonc), bindings (KV, R2, D1, Queues, Durable Objects, service bindings, Vectorize, Workers AI), env-scoped vs root config and the non-inheritable bindings trap, Durable Object migrations (renames, SQLite backend), compatibility_date semantics, static assets and Pages migration, secrets vs vars, cron triggers, observability, and deploy/CI patterns with `cloudflare/wrangler-action`. Use when working with Cloudflare Workers, wrangler.toml/wrangler.jsonc, Workers bindings, Durable Objects, Workers KV/R2/D1/Queues, Workers Static Assets, migrating from Pages to Workers, service bindings or WorkerEntrypoint RPC, or deploying Workers from CI.
digitalocean-app-platform
Lints DigitalOcean App Platform app specs (app.yaml / doctl apps spec JSON / digitalocean_app Terraform) for security, reliability, correctness, and sizing anti-patterns — plaintext secrets, missing health checks, single-instance services, dev databases in production, port mismatches, overlapping ingress routes, conflicting git/image sources, deprecated routes, unknown instance sizes, and app/database region mismatch. Use when working with DigitalOcean App Platform, app.yaml, .do/app.yaml, doctl apps, the digitalocean_app Terraform resource, or reviewing an App Platform deployment for problems.
digitalocean-dns-zones
Operates DigitalOcean DNS zones and records via doctl, the DigitalOcean API v2, and the digitalocean Terraform provider — domain/record CRUD, the apex CNAME / no-flattening trap when migrating from Cloudflare, account-wide token handling, FQDN trailing-dot semantics, DNS-01 ACME wildcard certs, and nameserver delegation. Use when working with DigitalOcean DNS, doctl compute domain, DIGITALOCEAN_ACCESS_TOKEN, api.digitalocean.com domains, digitalocean_record/digitalocean_domain Terraform, apex CNAME questions, wildcard cert DNS-01, or moving a zone between Cloudflare and DigitalOcean.
docker-workflows
Reviews and hardens Dockerfiles and docker-compose files — multi-stage build conversion, base-image choice, layer caching, secret leakage, root-user containers, missing healthchecks. Use when reviewing a Dockerfile, optimizing image size or build time, writing a compose file, or auditing container security.
drawio-diagramming
Create and open draw.io diagrams. Use when the user wants to generate, edit, or open a diagram in draw.io (architecture/HLA diagrams, infra & Kubernetes topology, flowcharts, network diagrams) — covers the draw.io MCP servers (open_drawio_xml/mermaid/csv) and native .drawio file generation.
gcp-iam
Debugs GCP permission-denied errors, designs IAM bindings, traces org → folder → project inheritance, and untangles service-account impersonation chains. Covers Workload Identity. Use when working with GCP IAM, gcloud, "permission denied" on GCP resources, Workload Identity, or SA impersonation.
github-actions-pipelines
Debugs and authors GitHub Actions workflows — OIDC federation to AWS/GCP/Azure, GITHUB_TOKEN permissions hardening, reusable workflows vs composite actions, deploy concurrency, caching, the path-filter/required-check trap, and pull_request_target security. Use when working with GitHub Actions, `.github/workflows/`, OIDC to cloud providers, `pull_request_target`, branch protection required checks, reusable workflows, or CI/CD pipelines that deploy to AWS/GCP/DigitalOcean.
kubernetes-operations
Debugs Kubernetes pods and controllers — FailedCreate, ImagePullBackOff, init-container failures, probe flapping, missing service endpoints, GKE NEG readiness. Use when a pod is not Running, a Deployment/StatefulSet shows FailedCreate, image pulls fail, or services lack endpoints.
kubernetes-operators
Designs and audits Kubernetes Operators — CRD shape, reconcile-loop correctness, finalizer and status-subresource handling, OperatorHub capability levels, framework choice. Use when building a controller for a CRD, reviewing an operator for capability gaps, or designing the API surface of a Custom Resource. Not for general pod debugging — see kubernetes-operations.
mindfulness-mentor
Guide users through mindfulness exercises, meditation practices, and stress reduction techniques. Use when users ask for help with relaxation, stress management, breathing exercises, or cultivating inner peace.
setup-project-skills
Installs skills from a user-curated manifest (`~/.claude/skill-manifest.json`) into the current project's `.claude/skills/` — symlinks local skills, runs `npx skills add` for third-party ones, and advises `/plugin install` for native Claude plugins. Optionally scans the project for trigger files (Dockerfile, wrangler.jsonc, *.tf, etc.) and pre-selects recommended matches. Use when the user wants to set up skills in a new project, add a skill they curated, see what skills fit the current project, or bootstrap a freshly cloned repo with their toolbox.
terraform-workflows
Reviews Terraform/OpenTofu plans, detects drift, performs state surgery (mv/rm/import), upgrades providers, and traces Terragrunt cache errors. Multi-cloud. Use when working with Terraform, OpenTofu, Terragrunt, terraform plan, drift, or provider upgrades.
terragrunt-workflows
Terragrunt-specific orchestration patterns — CLI redesign migration (run/run --all, --terragrunt-* flag removal, TG_* env vars, strict controls), config composition (include, locals, inputs deep-merge, generate blocks), dependency wiring (mock_outputs semantics), run --all safety, hooks, and the new terragrunt.stack.hcl. Use when working with Terragrunt, `terragrunt.hcl`, `terragrunt.stack.hcl`, the deprecated `run-all`, `--terragrunt-*` flags, `TERRAGRUNT_*` env vars, `include` blocks, `dependency` blocks, or `terragrunt run --all`.
cortex-skills-loop
Drives the cortex skills recommend-feedback-rate loop. Use when a context change occurs (new file types, domain shift, task pivot) or when a task completes and skill effectiveness should be recorded.
infrastructure-as-code
Provides Infrastructure as Code best practices for Terraform, Pulumi, CloudFormation, and OpenTofu. Use when provisioning infrastructure, writing IaC modules, managing cloud resources, scanning for misconfigurations, or when user mentions 'terraform', 'pulumi', 'cloudformation', 'IaC', 'opentofu', 'infrastructure', 'tfsec', 'checkov', 'drift'.
platform-engineering
Provides platform engineering best practices for Internal Developer Platforms (IDPs), golden paths, service catalogs, and developer experience. Use when building developer platforms, configuring Backstage, designing self-service workflows, or when user mentions 'platform engineering', 'backstage', 'golden path', 'IDP', 'developer portal', 'service catalog', 'DevEx', 'platform team', 'self-service'.
context-mode
Use context-mode tools (ctx_execute, ctx_execute_file) instead of Bash/cat when processing large outputs. Triggers: "analyze logs", "summarize output", "process data", "parse JSON", "filter results", "extract errors", "check build output", "analyze dependencies", "process API response", "large file analysis", "page snapshot", "browser snapshot", "DOM structure", "inspect page", "accessibility tree", "Playwright snapshot", "run tests", "test output", "coverage report", "git log", "recent commits", "diff between branches", "list containers", "pod status", "disk usage", "fetch docs", "API reference", "index documentation", "call API", "check response", "query results", "find TODOs", "count lines", "codebase statistics", "security audit", "outdated packages", "dependency tree", "cloud resources", "CI/CD output". Also triggers on ANY MCP tool output that may exceed 20 lines. Subagent routing is handled automatically via PreToolUse hook.
working-with-mise
Use when adding, configuring, or troubleshooting mise-managed tools - ensures proper CLI usage, detects existing config files, and diagnoses PATH/activation issues when commands aren't found
clone
Clone a GitHub repo as a starting skeleton — strips its git history, re-inits, generates CLAUDE.md for the detected stack, optionally renames variables/namespaces to your project
skill-bootstrap
Detects your project stack, installs the right Claude Code skills, and surfaces built-in Claude Code capabilities you might not know exist
terraform
Interactive Terraform/Terragrunt wizard — preset full-stack skeletons (AWS EKS, DigitalOcean Kubernetes) or custom AWS component picker, generates production-ready .tf files
cloudflare
Comprehensive Cloudflare platform skill covering Workers, Pages, storage (KV, D1, R2), AI (Workers AI, Vectorize, Agents SDK), feature flags (Flagship), networking (Tunnel, Spectrum), security (WAF, DDoS), and infrastructure-as-code (Terraform, Pulumi). Use for any Cloudflare development task. Biases towards retrieval from Cloudflare docs over pre-trained knowledge.
using-elixir-skills
This skill should be used when the user works on any .ex or .exs file, mentions Elixir/Phoenix/Ecto/OTP, the project has a mix.exs, or asks "which skill should I use", "new to Elixir", "help with Elixir". Routes to the correct thinking skill BEFORE exploring code. Triggers on "implement", "add", "fix", "refactor" in Elixir projects.
silverblast-radius
This skill should be used to assess the blast radius of a proposed infrastructure or DevOps change before planning. Maps change scope, downstream dependencies, failure scenarios, rollback plan, and change window risk. Required before /devops-quality-gates in the devops-cycle workflow.
silverdevops
This skill should be used for SB-orchestrated infrastructure/CI-CD workflow: intel → silver:blast-radius → devops-skill-router → devops-quality-gates (7 IaC dims) → GSD plan/execute/verify → review → secure → ship
senior-devops
Comprehensive DevOps skill for CI/CD, infrastructure automation, containerization, and cloud platforms (AWS, GCP, Azure). Includes pipeline setup, infrastructure as code, deployment automation, and monitoring. Use when setting up pipelines, deploying applications, managing infrastructure, implementing monitoring, or optimizing deployment processes.
dependency-handling
TRIGGER when: adding or upgrading any dependency — library, SDK, framework, API, IaC API version (K8s/Terraform/Helm), CRD, or container image. Use BEFORE writing the call. Forces context7/capy lookup instead of guessing.
analyze
Deep cross-layer consistency audit for any codebase. Traces every feature from UI to database, finds broken wiring, missing handlers, model mismatches, and security gaps. Auto-fixes critical and warning issues. Use this after building features, before releases, or whenever something feels off. Works with any tech stack.
cnpg
Create and operate CloudNativePG (CNPG) Postgres databases on Kubernetes the GitOps/Flux way — on managed cloud (GKE + GCS via Workload Identity) OR self-hosted (K3s/bare-metal + any S3-compatible store via a credentials secret). Covers Cluster + ScheduledBackup manifests, barman WAL archiving, pgvector, PITR, prod→dev clones, and the NetworkPolicies a default-deny cluster needs. Use when provisioning a new app database, cloning prod into dev, enabling pgvector, wiring backups/PITR, writing CNPG NetworkPolicies, or debugging the silent "WAL archiving failed → PVC fills → Postgres CrashLoop → app can't read data" chain on CloudNativePG.
terrashark
Prevent Terraform/OpenTofu hallucinations by diagnosing and fixing failure modes: identity churn, secret exposure, blast-radius mistakes, CI drift, and compliance gate gaps. Use when generating, reviewing, refactoring, or migrating IaC and when building delivery/testing pipelines.
kubernetes
Kubernetes manifest generation, review, security hardening, and best practices for production workloads
digitalocean-registry-cleanup
Analyze and clean DigitalOcean Container Registry images. Lists repos with tag counts, deletes old tags (keep last N), finds stale repos, triggers garbage collection. Supports dry-run mode. Use when user says "clean registry", "delete old images", "DO registry", "registry cleanup", "docker images cleanup", "container registry", or "clean up old tags".
project-readme
Create, rewrite, update, or validate truthful README.md files for any project archetype. Use for libraries, SDKs, CLIs, web apps, API services, MCP servers, agent skills, monorepos, docs sites, GitHub Actions, extensions, container images, Terraform modules, Helm charts, model cards, dataset cards, research code, templates, demos, specs, desktop/mobile apps, badges, quick starts, setup docs, API or command references, README validation, and README quality checks.
terraform-station-module
Maintain the Station Terraform module itself (not test authoring). Use this skill whenever the user asks to add, change, refactor, or troubleshoot Station module behavior in root *.tf files or child module folders (application/, group/, user_assigned_identity/, hashicorp/tfe/), update variables/outputs/validations, or adjust provider/resource wiring for module consumers.
terraform-plan-reviewer
Reviews Terraform/OpenTofu plan output for destructive changes, drift, IAM expansions, hardcoded values, and unsafe resource recreations before apply. Invoke when the user shares plan output, when a CI plan job posts a diff to a PR, or before any non-trivial production apply.
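The plan checks this entry describes (destructive changes, replacements, IAM expansions) can be automated against the JSON that `terraform show -json tfplan` emits. The script below is an added example, not code from terraform-plan-reviewer or from HashiCorp; it reads the documented `resource_changes[].change.actions` shape and gates on what it finds. The `IAM_TYPES` list and the embedded sample plan are assumptions constructed for illustration.

```python
"""Flag destructive actions and IAM expansions in a Terraform JSON plan.

Usage:
  terraform plan -out=tfplan && terraform show -json tfplan > plan.json
  python review_plan.py plan.json      # exit 2 blocks the apply step in CI
"""
from __future__ import annotations

import json
import sys
from typing import Any

# Resource types whose create/update widens identity permissions.
# Assumed starter list for illustration; extend it for the providers you run.
IAM_TYPES = {
    "aws_iam_policy", "aws_iam_role_policy", "aws_iam_role_policy_attachment",
    "aws_iam_user_policy", "google_project_iam_binding",
    "google_project_iam_member", "azurerm_role_assignment",
}


def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]


def policy_has_wildcard(policy_json: str) -> bool:
    """True if an Allow statement grants Action "*" or "svc:*" on Resource "*"."""
    try:
        doc = json.loads(policy_json)
    except (TypeError, ValueError):
        return False
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect", "Allow") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            return True
    return False


def classify(rc: dict[str, Any]) -> list[str]:
    """Findings for one entry of plan["resource_changes"]."""
    actions = rc["change"]["actions"]
    addr = rc["address"]
    out: list[str] = []
    if actions == ["delete"]:
        out.append(f"DESTROY {addr}")
    elif "delete" in actions and "create" in actions:  # replace, either ordering
        out.append(f"REPLACE {addr}")
    if rc["type"] in IAM_TYPES and ("create" in actions or "update" in actions):
        out.append(f"IAM-CHANGE {addr}")
        after = rc["change"].get("after") or {}
        if policy_has_wildcard(after.get("policy", "")):
            out.append(f"IAM-WILDCARD {addr}")
    return out


def review_plan(plan: dict[str, Any]) -> list[str]:
    findings: list[str] = []
    for rc in plan.get("resource_changes", []):
        findings.extend(classify(rc))
    return findings


def should_block(findings: list[str]) -> bool:
    """Block on destroy/replace or a wildcard grant; a plain IAM edit only warns."""
    return any(f.split()[0] in {"DESTROY", "REPLACE", "IAM-WILDCARD"} for f in findings)


# Constructed sample in the shape `terraform show -json` emits, trimmed to the fields used.
SAMPLE_PLAN: dict[str, Any] = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "before": {"bucket": "acme-logs"}, "after": None}},
        {"address": "aws_instance.web[0]", "type": "aws_instance",
         "change": {"actions": ["delete", "create"], "before": {}, "after": {"ami": "ami-new"}}},
        {"address": "aws_iam_policy.ci", "type": "aws_iam_policy",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "ci", "policy": json.dumps({
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})}}},
        {"address": "aws_security_group.app", "type": "aws_security_group",
         "change": {"actions": ["update"], "before": {}, "after": {"name": "app"}}},
        {"address": "aws_vpc.main", "type": "aws_vpc",
         "change": {"actions": ["no-op"], "before": {}, "after": {}}},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    found = review_plan(plan)
    print("\n".join(found) or "no risky changes")
    sys.exit(2 if should_block(found) else 0)
```

Wire the exit code into the CI job between `plan` and `apply`; a non-zero exit turns the review from advice into a gate, which is the point of running it before any production apply.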
vps-provisioning
VPS provisioning patterns for Linux servers covering initial setup, firewall, nginx reverse proxy, SSL/TLS with Let's Encrypt, systemd service management, and server hardening. Use whenever the project contains Ansible playbooks, shell provisioning scripts, nginx configs, systemd unit files, or certbot references, OR the user asks about VPS setup, server hardening, ufw, fail2ban, nginx reverse proxy, certbot, Let's Encrypt, systemd services, unattended-upgrades, even if VPS is not mentioned by name.
deploy-ninja
Handles zero-downtime deployments: blue-green, canary releases, rolling updates, and feature flag rollouts. Covers Kubernetes, Docker, Cloudflare Workers, Terraform, and CI/CD pipeline setup. Use this skill when the user wants to deploy an application, set up a deployment pipeline, implement canary releases, configure rolling updates, manage feature flags, or handle any release automation. Also triggers on "deploy to production," "set up CI/CD," "blue-green deployment," "canary release," "rolling update," "zero-downtime deploy," "rollback," or even casual requests like "push this to prod" or "how do I safely release this."
sast-analysis
Perform codebase analysis and architecture mapping as the first phase of a security assessment. Explores the tech stack, frameworks, entry points, data flows, and trust boundaries. Outputs sast/architecture.md. Run this before any vulnerability detection skill. Use when asked to analyze a codebase for security or when sast/architecture.md does not yet exist.
devops-best-practices
Opinionated production-grade DevOps defaults for Terraform, Kubernetes, CI/CD, Docker, cloud security, observability, cost, and disaster recovery. ALWAYS use when generating, reviewing, or modifying any infrastructure code, Kubernetes manifests (Deployment, Service, StatefulSet, Helm, Kustomize), Terraform (.tf, modules, state), Dockerfiles, docker-compose, CI/CD pipelines (.github/workflows, .gitlab-ci.yml, Jenkinsfile), cloud resources (AWS/GCP/Azure), IAM policies, security groups, observability setup (Prometheus, Grafana, OpenTelemetry), or DNS/TLS/CDN config — even if the user does not explicitly ask for best practices. Prevents the failure modes that hurt production teams most often: missing PDBs, single replicas in prod, latest image tags, public S3 buckets, long-lived credentials, missing observability, and CI/CD supply-chain risks. Apply opinionated defaults by default; surface tradeoffs when the user has reason to deviate.
arc-iac-mcp-expert
Browse, search, scaffold, compare, and security-scan the 56+ SourceFuse ARC Terraform modules — works standalone via a bundled script, no MCP server required. Use this skill whenever the user wants ARC Terraform modules, asks "which ARC module should I use", wants to scaffold/generate Terraform from an ARC module (e.g. arc-eks, arc-db, arc-network, arc-vpc, arc-s3), compare two ARC modules, look up a module's inputs/outputs/resources/versions, find which modules create a given AWS resource, or tfsec-scan HCL before a PR — even if they don't name a tool explicitly.
azure-networking
Configure Azure VNet, NSG, Load Balancer, and network topology.
grill-change
Use when a stakeholder request is rough, ambiguous, or underspecified and needs clarification before planning, writing a spec, or creating issues.
request-to-spec-issues
Use after a grill-change session is complete to turn the agreement record into an intent-first spec candidate and vertical TDD-ready issue briefs.
subagent-driven-change
Use when a scoped implementation can be delegated to an implementation subagent and then independently reviewed for spec compliance before code quality.
setup-coolify
This skill should be used when the user runs /setup-coolify, /setup-coolify plan, /setup-coolify init_cicd, /setup-coolify init_app, or /setup-coolify validate. Provisions and updates a Coolify deployment for the current repo from coolify.yaml, configures Doppler secret injection (all env_vars including NEXT_PUBLIC_* injected at runtime via DOPPLER_TOKEN — same-image promotion model), and generates .github/workflows/deploy.yml. Reads coolify.yaml from the working directory and credentials from ~/.claude/coolify.json. Designed to work across multiple repos and multiple Coolify servers via the server alias in coolify.yaml.
health-check
Check the health of the running WealthWise API, web app, and MongoDB services. Triggers when asked to "check if the app is running", "verify the API is up", "is the server healthy", or "show service status".
skill-atlas
Find the right public AI-agent skill for a job — and know whether to trust it. Load when about to start a task type (Upwork freelancing, technical interviews, office documents, MCP/tool building, prompt engineering, web/frontend, data analysis, learning English) and you want to know which existing public skills to pull in, rated by source reputation and freshness. Answers "which skill do I load for X, and can I trust it?"
orchestrate-infra
Master orchestrator for cross-repo infrastructure with dependency graph dispatch
skills-registry
Use when looking up available tools, skills, commands, agents, or plugins
test-e2e
End-to-end infrastructure pipeline validation across Terraform and Ansible repos
final-review
Use before handing off an implementation to compare the diff against the spec, tests, docs, contracts, and safety rules.
sdd-change
Use when implementing a meaningful repository change that requires an approved spec before code edits.
tdd-change
Use when changing behavior where a focused failing test or golden fixture must prove RED before implementation and GREEN after the minimal fix.
azure-best-practices
Binding best practices for Azure-native applications: Infrastructure as Code with Azure Verified Modules (Bicep/Terraform), security baseline, Well-Architected Framework, and choice of compute host. ALWAYS use this skill when Azure resources, Bicep, Terraform, azd, App Service, Container Apps, Functions, Key Vault, Managed Identity, RBAC, networking, or deployment pipelines are involved, even when "best practices" are not explicitly requested. Applies to every new Azure project and to every change to Azure infrastructure or configuration.
readme-doc-writer
Use when a README.md needs to be created or updated for a code repository; first surveys the codebase and deployment targets, then produces a copy-and-paste-ready README following a fixed skeleton that covers local development, how the system works, and production deployment; not for non-README artifacts such as API references, long tutorials, or design documents; trigger phrases: "write readme", "generate project docs", "document this project".
gateway-api-migration
Migrates Kustomize modules using NGINX Ingress to Gateway API resources. Dual-target: default Traefik (GatewayClass=traefik), opt-in GKE Gateway (--gateway-class gke-l7-global-external-managed). Handles master/minion topology (common.ingress/ + common.service/) as the primary case, with standalone Ingress as a fallback. Performs cluster-side preflight (CRDs, GatewayClass, policy CRDs, Traefik version probe on Traefik targets), deterministic discovery/analysis via bundled scripts, two-phase conversion with atomic rollback from full file backups, semantic diff of path and listener coverage, plus an ingress2gateway second-opinion cross-check. Renders a comprehensive report covering per-hostname mapping, TLS map, annotation inventory (translated/stubbed/unknown), risk register, cutover checklist, verification commands, and rollback procedures. Never modifies the master source; performs idempotent in-place edits only to common.service/overlays/<env>/kustomization.yaml.
helm-version-upgrade
Manages Helm chart version upgrades across Terraform+Helm platforms. Handles atomic 3-file updates with version discovery from ArtifactHub. Use when upgrading Helm charts, checking for outdated versions, or performing version consistency checks.
ingress-controller-install
GitOps-flavored Traefik Ingress Controller bootstrap, env addition, or chart upgrade in a Kustomize + ArgoCD repo. Operates exclusively on files under `common.traefik/` (base, overlays, argocd manifests). Never runs `helm install` or `helm upgrade` — those are ArgoCD's job. Plan-only: edits Kustomize files, emits the `git add` / commit / push commands, and the operator drives git. Validates coexistence with `ingress-nginx` via Kustomize-build inspection (no live cluster required). Use for new-cluster bootstrap, adding a new env overlay, or bumping the Traefik chart version.
ingress-migration-advisor
Read-only planner that inventories every Ingress in a Kustomize repo, scores each service on five migration-readiness dimensions, and recommends one of four paths per service (direct-gateway, two-step, swap-only, defer). Output is a Mermaid Gantt plan plus ready-to-paste Zeus commands. Critical traffic-tier services are vetoed to defer. Services already on Traefik Ingress (sourceClass=traefik) auto-route to direct-gateway. Never mutates the repo; produces docs/reports/ ingress-migration-advisor/<slug>/plan.md and state.yaml. Use for end-of-life planning (ingress-nginx EOL 2025), migration sequencing, or per-service path advisory. Requires docs/ingress-tier-map.yaml in the consumer repo.
kustomize-resource-validation
Auto-trigger skill that activates when any kustomization.yaml file is edited. Validates resource references, patch references, orphaned files, cross-environment consistency, build success, and generator configurations.
nginx-to-gateway
Thin orchestrator that chains nginx-to-traefik (class swap) and gateway-api-migration (resource swap) against one Kustomize module in one operator session. Owns no conversion logic. Invokes skill A first, reads its outputs.traefikIngresses[] hand-off contract, then invokes skill B with --source-class traefik --no-redirect and the chosen --gateway-class. Produces a single combined index document linking both sub-reports. Each phase keeps its own state file; this skill records the chain in docs/reports/nginx-to-gateway/<slug>/index.yaml.
nginx-to-traefik
Class-swap migration that ports services from NGINX Ingress to Traefik Ingress (`ingressClassName: traefik`) while keeping both controllers running in parallel. DNS A-records are the only cutover lever. Designed for eye-of-horus-gitops conventions: nginx files move to archive/ (never deleted), Traefik Ingresses live in kustomization.resources (never patches), backend Service names and secretName are written verbatim (Kustomize namePrefix does not touch them). Operator-declared LB IPs only — never auto-derived from cluster state. State stored in docs/reports/nginx-to-traefik/<slug>/.
painter
Draw clear, easy-to-understand architecture diagrams, flow charts, and feature explainer graphics from code, system architecture, or DevOps pipelines. Output is an HTML artifact (inline CSS and SVG) styled with a blue-white tech palette, flat vector icons, a card-based multi-step layout, flow arrows, and dark code blocks. Supports two output levels: `basic` (single-page overview) and `detailed` (overview plus clickable drill-down per-component pages), and can use multi-agent parallel scanning to speed up analysis of large architectures. Triggered when the user asks to "draw an architecture diagram / flow chart" or invokes `*diagram` / `devops:painter`. Output renders directly in a browser for review and screenshots, suitable for technical documentation and presentation material.
release-validate
Validates package release readiness across version consistency, cross-platform link integrity, npm package content, setup script smoke testing, skill fixture suite runs (Phase 4), shell portability static checks (Phase 5), cross-repo-style fixture coverage (Phase 6, shipped in v1.15.0), cross-AI-tool registration parity (Phase 7, shipped in v1.15.0), and release artifact generation (Phase 8). Use before running `pnpm release` to catch issues that structure tests may miss. Top-level orchestrator at `scripts/release_check.sh` runs every phase and is wired into `.github/workflows/release.yml` as a pre-publish gate. Produces `docs/reports/release-validate/<version>/RELEASE-CHECK.md` suitable verbatim for the GitHub Release body.
retire-nginx
Retire the nginx ingress controller and all nginx Ingress resources from a Kustomize + ArgoCD repo after Gateway API / Traefik migration is complete. Supports single-env (dev/stg/prd) or all-envs retirement in one command. Use this skill whenever: removing nginx after migration, cleaning up dead nginx Ingress resources from a kustomize base, decommissioning the ingress-nginx controller ArgoCD Application for an env, or retiring nginx from one environment without touching others. Safety-gated: aborts if no HTTPRoutes/Traefik Ingresses found (migration not done). Uses $patch: delete in the service overlay kustomization to exclude base nginx Ingress resources per-env — base files stay intact for other envs still using them.
traefik-controller-decommission
GitOps-flavored SAFE uninstall of the `ingress-nginx` controller in a Kustomize + ArgoCD repo. Verifies cluster + repo are free of `ingressClassName: nginx` (precedence-aware: spec wins, legacy annotation falls back). After DNS bake confirmation, plans the decommission as: archive the `common.ingress-nginx/` (or equivalent) Kustomize module, disable the ArgoCD Application, wait for ArgoCD prune, then optional LB / IAM cleanup. Never runs `helm uninstall` — ArgoCD handles the actual resource removal via prune. Plan-only: emits a `commands.sh` for the operator to drive manually.
yaml-fix-suggestions
Auto-trigger skill that activates when YAML files in Kustomize module directories are modified. Checks formatting, Kubernetes label compliance, kustomization.yaml references, and build validation. Reports only when issues are found.
zeus
GitOps Engineer for Kustomize + ArgoCD platforms. Activates when the user works with Kustomize overlays, ArgoCD applications, Kubernetes manifests, or asks for YAML validation, environment management, or service scaffolding. Commanding, methodical, thorough approach.
infrastructure-standards
Use when editing Proxmox/Terraform/Ansible inventory — VMID/IP assignment ranges and the Terraform-to-Ansible inventory contract.
sync-inventory
Export Terraform inventory and distribute to Ansible repositories
language-servers
Use when configuring LSP settings for Terraform, Dockerfile, or other languages at {{companyName}}.
destroy-stack
Destroy an OCI Resource Manager stack's infrastructure.
kyma-deploy
Deploy kyma to production (AWS Fargate + S3 + Supabase) or run a Supabase-backed local test drive. Use when the user asks to deploy kyma, self-host kyma in production, set up kyma on AWS/Supabase, or tear a kyma deployment down. Drives the `kyma deploy` CLI wizard (Terraform or Pulumi under the hood).
building-terraform-modules
This skill empowers Claude to build reusable Terraform modules based on user specifications. It leverages the terraform-module-builder plugin to generate production-ready, well-documented Terraform module code, incorporating best practices for security, scalability, and multi-platform support. Use this skill when the user requests to create a new Terraform module, generate Terraform configuration, or needs help structuring infrastructure as code using Terraform. The trigger terms include "create Terraform module," "generate Terraform configuration," "Terraform module code," and "infrastructure as code."
aegisops-ai
Autonomous DevSecOps & FinOps Guardrails. Orchestrates Gemini 3 Flash to audit Linux Kernel patches, Terraform cost drifts, and K8s compliance.
horus
IaC Operations Engineer for Terraform + Helm + GKE platforms. Activates when the user works with Terraform modules, Helm charts, GKE infrastructure, or asks for validation, security scanning, or CI/CD improvements. Pipeline-driven, safety-first approach with automated checks.
terraform-dependency-analyzer
Analyzes and visualizes resource dependencies in Terraform configurations, identifies circular dependencies, and suggests optimal resource ordering. This skill should be used when users need to understand resource relationships, troubleshoot dependency issues, optimize apply order, or refactor complex configurations.
terraform-documentation-generator
Generates documentation for Terraform modules using terraform-docs tool to auto-generate README files with input/output tables, usage examples, and requirements. This skill should be used when users need to document Terraform modules, create or update README files, or maintain consistent module documentation.
terraform-module-scaffolder
Scaffolds new Terraform modules with standardized structure including main.tf, variables.tf, outputs.tf, versions.tf, and README.md. This skill should be used when users want to create a new Terraform module, set up module structure, or need templates for common infrastructure patterns like VPC, ECS, S3, or RDS modules.
terraform-state-manager
Manages Terraform state operations including importing existing resources, moving resources between states, removing resources from state, and migrating state backends. This skill should be used when users need to import infrastructure into Terraform, refactor resource addresses, fix state issues, or migrate state storage locations.
terraform-upgrade-assistant
Guides through Terraform version upgrades including identifying deprecated syntax, updating provider versions, and migrating breaking changes. This skill should be used when users need to upgrade Terraform or provider versions, fix deprecated warnings, or migrate configurations to newer syntax.
devops-delivery
Use to set up or improve delivery and operations — CI/CD pipelines, containers, infrastructure-as-code, staged/canary rollouts, observability/SLOs, rollback, and blameless postmortems. Trigger on "set up CI/CD", "containerize", "deploy", "Terraform/IaC", "canary release", "monitoring/alerting", "SLO", "rollback", or "the deploy broke". Applies top-tier release-engineering practices.
cloudflare
Comprehensive Cloudflare platform skill covering Workers, Pages, storage (KV, D1, R2), AI (Workers AI, Vectorize, Agents SDK), networking (Tunnel, Spectrum), security (WAF, DDoS), and infrastructure-as-code (Terraform, Pulumi). Use for any Cloudflare development task. Biases towards retrieval from Cloudflare docs over pre-trained knowledge.
careful
Global safety hook — active in ALL phases, ALL projects. Before executing rm -rf, DROP TABLE, force-push, terraform destroy, or any destructive command — STOP and ask user for confirmation.
iac-container-security
Audit infrastructure-as-code and container security including Terraform/OpenTofu/Pulumi configurations, Dockerfile hardening, Kubernetes manifests, base image hygiene, container scanning, secrets in IaC, IAM policies, network exposure, and runtime security context. Multi-cloud (AWS, GCP, Azure). Use this skill whenever the user asks about Terraform security, tfsec, Checkov, Trivy, Dockerfile hardening, distroless images, k8s securityContext, network policies, IAM least privilege, IaC secret scanning, or 'audit my infrastructure'. Trigger on phrases like 'scan my Dockerfile', 'review my Terraform', 'audit my k8s manifests', 'harden my containers', 'IaC security', 'base image hygiene', 'container CVEs', 'trivy scan'. Use this even when only one IaC layer is mentioned.
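Scanners such as tfsec and Checkov encode the checks this entry lists (public storage, network exposure, hardcoded secrets, privileged containers) as rules over parsed HCL. The script below is an added example and not the code of any of those tools or of this skill: a brace-counting block splitter plus a handful of regex rules, enough to show how such a check is structured and where it is coarse. The rule set, the resource types matched, and the embedded sample `.tf` are assumptions constructed for illustration; the access key in the sample is the documented AWS example key, not a real credential.

```python
"""Minimal source-level misconfiguration scanner for Terraform HCL (illustration only)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class Finding:
    rule: str
    where: str   # resource address, or "file" for file-wide secret hits
    line: int    # 1-based line of the resource header (or of the secret)


_RES_HEADER = re.compile(r'^[ \t]*resource[ \t]+"([^"]+)"[ \t]+"([^"]+)"[ \t]*\{', re.M)
_INGRESS = re.compile(r"ingress\s*\{([^}]*)\}", re.S)
_AWS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")          # AWS access key id pattern
_PRIVILEGED = re.compile(r'privileged"?\s*[=:]\s*true')   # HCL attr or embedded JSON
_PUBLIC_ACL = re.compile(r'\bacl\s*=\s*"public-read(?:-write)?"')


def iter_resources(hcl: str) -> Iterator[tuple[str, str, str, int]]:
    """Yield (type, name, body, header_line) per top-level resource block.
    Naive brace counting: braces inside strings or heredocs will confuse it."""
    for m in _RES_HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1], hcl.count("\n", 0, m.start()) + 1


def check_resource(rtype: str, name: str, body: str, line: int) -> list[Finding]:
    addr = f"{rtype}.{name}"
    out: list[Finding] = []
    if rtype in {"aws_s3_bucket", "aws_s3_bucket_acl"} and _PUBLIC_ACL.search(body):
        out.append(Finding("public-s3-acl", addr, line))
    if rtype == "aws_security_group":
        for ing in _INGRESS.finditer(body):          # evaluate each ingress block on its own
            blk = ing.group(1)
            world = "0.0.0.0/0" in blk or "::/0" in blk
            if world and re.search(r"from_port\s*=\s*22\b", blk):
                out.append(Finding("ssh-open-to-world", addr, line))
    if _PRIVILEGED.search(body):
        out.append(Finding("privileged-container", addr, line))
    return out


def scan(hcl: str) -> list[Finding]:
    findings: list[Finding] = []
    for rtype, name, body, line in iter_resources(hcl):
        findings.extend(check_resource(rtype, name, body, line))
    for m in _AWS_KEY.finditer(hcl):                  # secrets: whole file, not per block
        findings.append(Finding("hardcoded-aws-access-key", "file", hcl.count("\n", 0, m.start()) + 1))
    return findings


# Constructed sample: one hit per rule, plus a 443 ingress that must not fire.
SAMPLE_TF = '''\
resource "aws_s3_bucket" "assets" {
  bucket = "acme-assets"
  acl    = "public-read"
}

resource "aws_security_group" "bastion" {
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "kubernetes_pod" "agent" {
  metadata { name = "agent" }
  spec {
    container {
      name  = "agent"
      image = "agent:latest"
      security_context { privileged = true }
      env {
        name  = "AWS_ACCESS_KEY_ID"
        value = "AKIAIOSFODNN7EXAMPLE"
      }
    }
  }
}
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TF
    found = scan(text)
    for f in found:
        print(f"{f.rule:26} {f.where}:{f.line}")
    sys.exit(1 if found else 0)
```

Regex rules over raw text are deliberately easy to read but miss anything assembled through variables, `for_each`, or module inputs; that is why the real scanners parse HCL and why a plan-time or policy-as-code check (Conftest/OPA over the plan JSON) belongs alongside a source scan rather than instead of it.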
hcs-policy-tier-entry
Draft a proposed YAML tier entry for a new tool or capability. Target file is canonical in system-config, not this repo. Drafts require `hcs-policy-reviewer` subagent objections and human approval before merge.
infra-security
Use this agent when you need to audit domain security posture, configure DNS records, or manage Cloudflare security features (WAF, Workers, Zero Trust) via the Cloudflare MCP server. Use terraform-architect for IaC generation; use this agent for live Cloudflare configuration and security auditing.
dast-workflow
Dynamic Application Security Testing workflow — OWASP ZAP automation (baseline/full/API scans), Burp Suite Professional playbooks, Burp Collaborator for out-of-band detection, auth-state orchestration, and CI integration with scope-safe active scanning.
iac-security
IaC misconfig scanning and cloud-aware review for Terraform, CloudFormation, Ansible and Pulumi. Covers tool orchestration (checkov/tfsec/kics/cfn-nag), policy-as-code (OPA/Conftest), CIS benchmark mapping, IAM over-permission detection, drift monitoring.
secure-coding
Language-agnostic secure-coding patterns — input validation, injection-safe APIs, authN/authZ, crypto, secrets, dependency hygiene. The default lens when no framework-specific skill applies.
deploy-script-review
Performs a security and safety review of deployment scripts. Checks rollback procedures, incident handling, and permission settings.
lint
Run all Terraform linting checks - fmt, validate, tflint, and checkov.
documentation-adrs
Records architecture decisions to memory provider when significant technical choices are made. Lightweight format capturing what was decided, why, alternatives considered, and tradeoffs. Use when recording a decision, documenting architecture, ADR, architecture decision record, why did we choose, technical decision, or when a significant choice is made about dependencies, patterns, or infrastructure.
launch-checklist
Validates full deployment readiness beyond code, checking infrastructure, Docker configuration, Kubernetes manifests, environment config, monitoring, security headers, and pipeline status. Use when launching, deploying to production, release readiness, go-live, deployment check, pre-launch, shipping to prod, or when preparing for production deployment.
devops-infrastructure
Use when provisioning infrastructure, building containers, configuring CI/CD, or deploying services. Ensures all infrastructure is codified, versioned, and reviewable, with repeatable deployment strategies and proper secrets management.
vuln-research
Use when performing vulnerability research, security auditing, code analysis, bug bounty hunting, CTF challenges, penetration testing, or exploit development. Covers source audit across 30+ attack domains, sink analysis for 12 languages, SAST/DAST integration, vulnerability chaining, and proof-of-concept development. Triggers: vuln assessment, pentest, bug bounty, security audit, find vulns, exploit, ctf, code audit, hunt bugs, 0-day, SAST, DAST, taint analysis, CI/CD pipeline security, GitHub Actions, Terraform, Traefik, n8n workflow, OpenTelemetry, supply chain attack, agent sweep, find me zero days, sweep everything, automated vuln discovery, binary analysis, reverse engineering, firmware audit, kernel driver, memory corruption, ROP, fuzzing harness, patch diffing.
senior-devops
Comprehensive DevOps skill for CI/CD, infrastructure automation, containerization, and cloud platforms (AWS, GCP, Azure). Includes pipeline setup, infrastructure as code, deployment automation, and monitoring. Use when setting up pipelines, deploying applications, managing infrastructure, implementing monitoring, or optimizing deployment processes.
azure-verified-modules
Azure Verified Modules (AVM) requirements and best practices for developing certified Azure Terraform modules. Use when creating or reviewing Azure modules that need AVM certification.
iac
Config & container security review. Scans Dockerfiles, Kubernetes/Compose manifests, and Terraform/IaC for misconfigurations (privileged containers, root, unpinned images, hardcoded secrets, public network/storage, disabled TLS); the iac-reviewer agent confirms each in context and promotes real ones into .kuzushi/findings.json (source "iac"). Distinct from /sast (source injection) and the insecure-defaults companion (app config values).
azure-networking
Configure Azure VNet, NSG, Load Balancer, and network topology.
deploy-script-review
Performs a security and safety review of deployment scripts. Checks rollback procedures, incident handling, and permission settings.
terraform
Manage cloud infrastructure with Terraform
project-analyzer
Scan project directory to identify tech stack, frameworks, work patterns, and toolchain. Outputs structured project profile for agent-gap-analyzer. Use when onboarding a new project or auditing project characteristics.
devops-engineer
Senior DevOps engineer specializing in Docker, Kubernetes, CI/CD pipelines, cloud infrastructure (AWS/GCP/Azure), and deployment automation. Use when setting up deployment pipelines, containerizing applications, or managing cloud infrastructure.
chess
Play a quick chess puzzle right in the terminal — fetches a random tactic from ChessBout, renders a bordered Unicode board, and lets you find the best move from 4 choices. Use this skill whenever the user asks for a chess puzzle, wants to play chess, says "give me a puzzle", mentions chess tactics, or anything related to solving chess positions. Even casual mentions like "I'm bored", "anything fun to do while I wait", "kill some time", or "brain teaser" should trigger this skill. Proactive suggestion: When you launch a background task that will take a while (builds, CI pipelines, test suites, deployments, large installs, docker builds, terraform apply, database migrations), consider mentioning the chess skill as a casual aside — something like "While that runs — want a quick chess puzzle? Type /chess". Use good judgment: suggest it once early in a session when there's a natural idle moment, not after every single command. If the user ignores or declines, don't bring it up again.
eng-practices
Use when the user asks about engineering practices, code review standards, CL/PR description writing, keeping CLs/PRs small, handling reviewer comments or pushback, review speed and etiquette, the Standard of Code Review, or any topic derived from Google eng-practices (review/reviewer/* and review/developer/*). Other dev skills (pr-code-review, python-dev, go-dev, typescript-dev, api-design, database-dev, terraform-dev, ci-cd, security-check, auto-debugger, markdown-docs) link here for shared review and CL standards.
terraform-dev
Use when the user asks to implement, refactor, validate, review, or troubleshoot Terraform/OpenTofu code, modules, providers, variables, state, plans, imports, security, or infrastructure changes.
terraform-iac-expert
Terraform and OpenTofu infrastructure as code — module design, state management, multi-environment setups, remote backends, secrets management, CI/CD integration. NOT for Pulumi, CDK, Ansible, or Kubernetes manifests.