From vanguard-frontier-agentic
Reviews Argo CD Application, AppProject, ApplicationSet, RBAC, and sync windows for production safety, least-privilege sync identity, and controlled blast radius.
Slash command
/vanguard-frontier-agentic:argocd-gitops-review
This skill is limited to the following tools:
Review Argo CD `Application`, `AppProject`, `ApplicationSet`, sync windows, RBAC, and the central `argocd-cm` / `argocd-rbac-cm` configuration against blast radius, drift handling, and least-privilege sync identity. Argo CD's controller defaults to cluster-admin permissions on every destination cluster — the security posture lives in `AppProject` boundaries, sync impersonation, and explicit RBAC, not in the controller defaults.
- `kubectl get applications,appprojects,applicationsets -n argocd -o yaml` plus the `argocd-cm` and `argocd-rbac-cm` ConfigMaps) when the active client exposes it; otherwise fall back to official Argo CD documentation and sanitized YAML from the user.
- `application.sync.impersonation.enabled: false` (default) in production as a critical finding — every sync runs as the controller's cluster-admin ServiceAccount.
- `AppProject` with `sourceRepos: ['*']` and `destinations: ['*']` as a wide-blast-radius finding — any commit in any repo can deploy anywhere.
- `automated.prune: true` + `automated.selfHeal: true` on production Applications as critical without an explicit allowlist of authorized Git refs and a tested rollback runbook — Git divergence becomes irreversible deletion.
- `ApplicationSet` generators that include unbounded clusters (`clusters: {}`) or label selectors with no exclusion — one mis-labeled cluster joins the rollout.
- `syncOptions: ['Replace=true']` and `syncOptions: ['ServerSideApply=false']` on stateful resources — Replace deletes-then-creates, breaking PVC bindings.

Load these only when needed:
Return, at minimum:
- `Application`, `AppProject`, `ApplicationSet`, or `argocd-rbac-cm` policy) and evidence level,
- `destinationServiceAccount`),
- `sourceRepos`, `destinations`, `clusterResourceWhitelist`, `namespaceResourceBlacklist`),
- `automated`, `prune`, `selfHeal`, `syncWindows`),

npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agentic
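
The findings this skill lists can be checked mechanically over exported manifests. The following is an added example, not code from the skill or from Argo CD: it applies those checks to constructed items shaped like `kubectl get ... -o json` output. The function names, the `review` level, and the object form of `destinations` entries are assumptions of the example.

```python
# Constructed manifests shaped like `kubectl get ... -o json` items (not real cluster data).
SAMPLE = [
    {"kind": "ConfigMap", "metadata": {"name": "argocd-cm"}, "data": {}},
    {"kind": "AppProject", "metadata": {"name": "default"},
     "spec": {"sourceRepos": ["*"], "destinations": [{"server": "*", "namespace": "*"}]}},
    {"kind": "AppProject", "metadata": {"name": "payments"},
     "spec": {"sourceRepos": ["https://git.example.test/payments.git"],
              "destinations": [{"name": "in-cluster", "namespace": "payments"}]}},
    {"kind": "Application", "metadata": {"name": "orders-db"},
     "spec": {"syncPolicy": {"automated": {"prune": True, "selfHeal": True},
                             "syncOptions": ["Replace=true"]}}},
    {"kind": "ApplicationSet", "metadata": {"name": "fleet"},
     "spec": {"generators": [{"clusters": {}}]}},
]

def wide_open(dest):  # the page's '*' shorthand, or a {server|name, namespace} object
    if not isinstance(dest, dict):
        return dest == "*"
    return "*" in (dest.get("server"), dest.get("name")) and dest.get("namespace") == "*"

def review(items):
    """Return (resource, level, message) tuples; 'review' is this example's own label."""
    findings = []
    for obj in items:
        kind, name, spec = obj.get("kind"), obj["metadata"]["name"], obj.get("spec") or {}
        policy = spec.get("syncPolicy") or {}
        def add(level, msg):
            findings.append((f"{kind}/{name}", level, msg))
        if kind == "ConfigMap" and name == "argocd-cm":
            value = (obj.get("data") or {}).get("application.sync.impersonation.enabled")
            if str(value).lower() != "true":  # an absent key means the default: disabled
                add("critical", "sync impersonation disabled; syncs run as the controller")
        elif kind == "AppProject":
            if "*" in spec.get("sourceRepos", []) and any(map(wide_open, spec.get("destinations", []))):
                add("wide-blast-radius", "any repo can deploy to any destination")
        elif kind == "Application":
            auto = policy.get("automated") or {}
            if auto.get("prune") and auto.get("selfHeal"):
                add("critical", "prune + selfHeal: confirm ref allowlist and rollback runbook")
            for opt in policy.get("syncOptions") or []:
                if opt in ("Replace=true", "ServerSideApply=false"):
                    add("review", f"{opt}: check whether stateful resources are affected")
        elif kind == "ApplicationSet":
            if any("clusters" in g and not g["clusters"] for g in spec.get("generators") or []):
                add("review", "cluster generator with no selector targets every cluster")
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

The script cannot see whether an allowlist of Git refs or a rollback runbook exists, or which resources are stateful, so those findings still need a human decision.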