npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@raishin/vanguard-frontier-agentic

v3.3.0

Published

Cloud and zero-trust agentic workflow marketplace for skills, agents, rules, MCP references, and compliance-aware architecture.

Readme

Vanguard Frontier Agentic


This is the edge of agentic intelligence — an enterprise-grade ecosystem for running AI agents at scale in environments where a wrong move is a board-level incident. It collects reusable skills, agents, rules, MCP references, and supporting assets for AWS, Azure, OCI, GCP, Alibaba Cloud, Huawei Cloud, Kubernetes, and Terraform — plus cross-functional Legal, HR, Marketing, Salesforce, .NET, FinOps, Accounting, Finance, Oracle NetSuite ERP, Microsoft 365 / Dynamics 365, and Azure-ecosystem Databricks and Snowflake data-platform agentic ecosystems.

This is not just cloud infrastructure tooling. It is agentic coordination: maestro routing, escalation-aware protocol, structured handoff between specialists, and refusal-by-default safety on every irreversible action. Cloud is one domain it operates in. Coordination, governance, and escalation are the product.

📊 Catalog at a glance

| Catalog | Count | | --- | --- | | Skills | 623 | | Agents | 600 | | Providers | 41 | | Install roles | 32 | | Rules | 1 | | MCP references | 3 |

  • 🧠 Skills = step-by-step workflows an AI assistant can follow.
  • 🤖 Agents = reusable expert roles for review, architecture, and operations.
  • 📏 Rules = durable instructions for a specific AI harness.
  • 🔌 MCP references = trusted notes for connecting tools to real systems.
  • 🗂️ Catalogs = machine-readable indexes so tools can discover everything.

Works with: Claude Code  ·  Codex  ·  GitHub Copilot  ·  Cursor  ·  Gemini CLI  ·  Kiro  ·  and any other coding agent.

📦 Available on npm: @raishin/vanguard-frontier-agentic is published on the public npm registry.

⚠️ ALPHA FINOPS BUNDLE: As of v1.8.0, this package includes 4 new experimental FinOps agents and 7 skills for cloud cost optimization, AI economics modeling, Kubernetes rightsizing, and FOCUS-spec normalization. All are marked lifecycle: experimental. See the board readiness memo for known limitations, risk mitigation, and 30-day diligence closure requirements. Use at your own risk in pre-production environments. Production deployment requires signed design-partner SOWs, Big 4 accounting validation, and SOC 2 Type II observation (≥150 days).


🛰️ Why Vanguard Frontier?

"Vanguard frontier" is not branding — it is an operating posture. This ecosystem is built for the front line of agentic deployment, where AI agents touch real production systems, real regulated data, and real legal exposure.

  • 🏛️ Built for Fortune 50 / high-stakes environments. Every agent assumes the blast radius is enterprise-scale: regulated data, audited controls, and decisions that survive legal discovery. Refusal-by-default beats a fast path to a board-level incident.
  • ⚖️ The Legal + HR ecosystem is proof of cross-functional agentic coordination. 28 specialist agents (Legal maestro + 12 specialists, HR maestro + 14 specialists) and 3 cross-functional protocol skills demonstrate that agents can hand off, escalate, and coordinate across organizational boundaries — not just answer in isolation.
  • 🧾 Audit-ready, privacy-preserving, escalation-aware by design. Every review and live-guard agent emits a structured verdict (verdict, evidence_level, blockers, safe_next_actions, open_questions) that maps directly to SOC 2, PCI DSS, NIS2, NIST CSF, and ISO 27001 — no post-processing.
  • 🛡️ Battle-tested against real compliance, governance, and risk workflows. These patterns are exercised against live IAM mutations, KMS destruction, litigation holds, RIF planning, and privacy reviews — the workflows where a generic agent gets an organization sued.

The bar: an auditor, a regulator, or opposing counsel should be able to read the agent's output and trace exactly who decided what, on what evidence, and who approved the risk.


🧱 What's Inside — the three-layer agentic architecture

Vanguard Frontier is not a flat bag of prompts. It is a deliberate three-layer system, and every domain — cloud providers, Kubernetes, marketing, Legal, HR — follows the same shape.

| Layer | Role | Examples | | ----- | ---- | -------- | | 1. 🧭 Maestro (router) | Entry point. Classifies the request, routes to the right specialist, never executes risk itself. | legal-maestro-agent, hr-maestro-agent, kubernetes-maestro-agent, provider maestros | | 2. 🤖 Specialists | Domain experts with judgment and a hardened permission model. Each loads one companion skill and emits a guarded verdict. | 13 Legal specialists, 15 HR specialists, cloud advisory + live-guard operators | | 3. 🔗 Cross-functional protocol | Shared contracts that let specialists hand off, escalate, and coordinate across organizational boundaries without leaking scope. | legal-hr-routing-protocol, legal-hr-case-capsule, legal-hr-risk-taxonomy |

How it flows: a request enters at the maestro, which routes to a specialist. When a matter crosses a boundary — an HR investigation that needs privileged Legal review, or a Legal hold that triggers an HR data freeze — the cross-functional protocol carries a structured case capsule between agents, preserving privilege, minimizing data, and recording the escalation path.

This is what "agentic coordination" means here: routing, protocol, and escalation are first-class, not improvised.


🚀 Get Started

Pick the install path for your coding agent. Each dropdown is crystal-clear, step-by-step, and one-click plug-and-play where the harness supports it; the npm/export path works for everything else.

At a glance — which path is yours:

| Your harness | Fastest path | One-liner | | ------------ | ------------ | --------- | | 🤖 Claude Code | Plugin marketplace | /plugin marketplace add Raishin/vanguard-frontier-agentic | | 🐙 GitHub Copilot CLI | Plugin marketplace | copilot plugin marketplace add Raishin/vanguard-frontier-agentic | | 🖱️ Cursor | Clone + register plugin dir | git clone … then Settings → Plugins → Add Plugin Directory | | ⚡ Codex | Plugin marketplace | codex plugin marketplace add Raishin/vanguard-frontier-agentic | | ♊ Gemini / Antigravity | npm export | npx vfa-export-agents --platform gemini --all --repo . | | 🔮 Kiro | Add Powers per-directory | Powers panel → Add Custom Power → Local Directory | | 📦 Any other | npm + vfa-export-agents CLI | npm install @raishin/vanguard-frontier-agentic@latest |

Expand the matching dropdown below for the full step-by-step.

/plugin marketplace add Raishin/vanguard-frontier-agentic
/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic

Or wire it into ~/.claude/settings.json (or your project's .claude/settings.json) for team-wide trust:

{
  "extraKnownMarketplaces": {
    "vanguard-frontier-agentic": {
      "source": { "source": "github", "repo": "Raishin/vanguard-frontier-agentic" }
    }
  },
  "enabledPlugins": {
    "vanguard-frontier-agentic@vanguard-frontier-agentic": true
  }
}

Pin to a tag for reproducible installs: pick any released tag for stable versions, or use @latest for the current release.

# Add the marketplace, then install
copilot plugin marketplace add Raishin/vanguard-frontier-agentic
/plugin install vanguard-frontier-agentic

Or in .github/copilot/settings.json for repo-wide trust:

{
  "extraKnownMarketplaces": [
    "https://raw.githubusercontent.com/Raishin/vanguard-frontier-agentic/master/.github/plugin/marketplace.json"
  ]
}
  • Marketplace manifest: .github/plugin/marketplace.json declares this repo as a single-plugin marketplace
  • Source path: ./ (the repo root is the plugin root)
  • Bundled: 600 Copilot agent adapters under agents/<provider>/<agent>/harnesses/copilot.agent.md
  • Docs: github.com/github/copilot-cli (/plugin marketplace add)
# Clone the repo, then register it as a plugin directory in Cursor:
git clone https://github.com/Raishin/vanguard-frontier-agentic

In Cursor: Settings → Plugins → Add Plugin Directory → pick the cloned repo path. Or via the Cursor Extension API:

vscode.cursor.plugins.registerPath("/absolute/path/to/vanguard-frontier-agentic");

Kiro Powers UI is per-Power directory add — there is no single-command marketplace flow. This repo ships 38 Powers under powers/, one per provider, so Kiro users can add only what they need.

# 1. Clone this repo
git clone https://github.com/Raishin/vanguard-frontier-agentic
cd vanguard-frontier-agentic

# 2. In Kiro:
#    Open the Powers panel → "Add Custom Power" → "Local Directory"
#    Paste the absolute path to the Power(s) you need, one at a time:
#       /absolute/path/to/vanguard-frontier-agentic/powers/vanguard-aws
#       /absolute/path/to/vanguard-frontier-agentic/powers/vanguard-kubernetes
#       /absolute/path/to/vanguard-frontier-agentic/powers/vanguard-terraform
  • Powers available: vanguard-accounting, vanguard-alibaba, vanguard-argocd, vanguard-aws, vanguard-azure, vanguard-backstage, vanguard-cert-manager, vanguard-cilium, vanguard-contabo, vanguard-databricks, vanguard-dotnet, vanguard-falco, vanguard-finance, vanguard-fluxcd, vanguard-gcp, vanguard-generic, vanguard-hetzner, vanguard-hr, vanguard-huawei, vanguard-ionos, vanguard-istio, vanguard-kubernetes, vanguard-kyverno, vanguard-legal, vanguard-marketing, vanguard-microsoft, vanguard-multi-cloud, vanguard-netsuite, vanguard-nvidia, vanguard-oci, vanguard-opentelemetry, vanguard-ovhcloud, vanguard-prometheus, vanguard-salesforce, vanguard-scaleway, vanguard-sigstore, vanguard-snowflake, vanguard-terraform
  • Each Power ships: routing pattern (maestro entry), live-mutation discipline, provider invariants (account-ID/region, MLPS 2.0, EU sovereignty, etc.)
  • Frontmatter: strict-5 fields (name, displayName, description, keywords, author) per Kiro spec
  • For Kiro agent adapter files (.kiro/agents/*.md, .kiro/agents/*.json): use the npm-export path below
  • Docs: github.com/kirodotdev/powers

Antigravity reads skills from .agent/skills/<name>/SKILL.md (workspace) or ~/.gemini/antigravity/skills/<name>/ (global). There is no first-party marketplace install command — use the npm export to write skills + adapters into the right paths:

# Install the package
npm install @raishin/vanguard-frontier-agentic@latest

# Export agents + companion skills for Gemini Antigravity
npx vfa-export-agents --platform gemini --all --repo .

Or for a single provider:

npx vfa-export-agents --platform gemini --provider aws --repo .
# Add the marketplace, then enable the bundled plugin
codex plugin marketplace add Raishin/vanguard-frontier-agentic
/plugin install vanguard-frontier-agentic@vanguard-frontier-agentic

codex plugin marketplace add writes the marketplace into your ~/.codex/config.toml. The resulting block looks like this (the screenshot pattern):

[marketplaces.vanguard-frontier-agentic]
last_updated = "2026-05-11T06:46:00Z"
last_revision = "<sha>"
source_type = "git"
source = "https://github.com/Raishin/vanguard-frontier-agentic.git"

[plugins."vanguard-frontier-agentic@vanguard-frontier-agentic"]
enabled = true

Prerequisite: Node.js 18+

# 1️⃣ Install the package
npm install @raishin/vanguard-frontier-agentic@latest

# 2️⃣ Export agents for your role into your repo (claude-code shown — swap platform)
npx vfa-export-agents --platform claude-code --role cloud-security-engineer --repo .

# 3️⃣ Open your coding agent and reference the exported agent
#    "Use kubernetes-rbac-review-agent to audit this RBAC change."

Supports --platform: claude-code, codex, copilot, cursor, gemini, kiro, kiro-ide, kiro-cli. Supports --role, --agents, --all, --provider filters. See the Install Reference for the full argument matrix.


Install paths

There are now eight supported install paths — Claude Code plugin marketplace, GitHub Copilot CLI marketplace, Cursor plugin, Codex plugin marketplace, Kiro Powers, Gemini Antigravity skills, npm package + vfa-export-agents CLI, and the third-party skills CLI — each with different versioning, trust, and scope characteristics. See docs/integrations/skills-cli.md for the full trust matrix, verified flag syntax, pinning guidance, and pre-install inspection steps.

npm install @raishin/vanguard-frontier-agentic@latest

🖥️ Terminal UI (vfa-tui)

⚠️ Alpha — the TUI is functional but under active development.

Crates.io

An enterprise-grade terminal interface for interactive catalog browsing, validation gate execution, and export command building — built in Rust for speed and security by construction. Distributed as the vfa-tui crate.

Install (recommended — from crates.io):

cargo install vfa-tui

Or download a prebuilt binary (Linux / macOS / Windows, x86-64 + arm64) — each release attaches the binaries alongside their SBOM and checksums.sha256 — from the latest vfa-tui release.

Build from source (alternative):

cd tools/vfa-tui && cargo build --release

Run (from the repo root — auto-detects workspace):

vfa-tui                                      # installed via cargo or prebuilt binary
./tools/vfa-tui/target/release/vfa-tui       # from a source build

Key features:

  • 🗂️ Catalog browsing with fuzzy search across all agents, skills, and providers
  • ✅ Validation gate execution with real-time progress and structured output
  • 📦 Export command builder with platform/role/provider selection
  • 🔐 Security by construction — no shell injection, no credential handling, no network access

Full documentation


🧠 Skills

623 skills across AWS, Azure, OCI, GCP, Alibaba Cloud, Huawei Cloud, Kubernetes, CNCF ecosystem, Terraform, marketing governance, and more.

| Domain | Count | What they cover | | ------------------ | ----: | ------------------------------------------------------------------------------------------------- | | 🟧 AWS | 47 | IAM, EKS, ECS, Lambda, RDS, S3, Cost, DevOps, Bedrock, Security, WAF reviews, Live Guards | | 🟥 OCI | 41 | ADB, OKE, IAM, Vault, Resource Manager, Cost, Networking, WAF reviews, Live Guards | | 🟩 GCP | 51 | GKE, BigQuery, Vertex AI, Cloud Run, AlloyDB, Firebase, Gemini API, WAF reviews, Live Guards | | 🟦 Azure | 36 | AKS, App Service, ARM/Bicep, Key Vault, PIM, Cost, Entra ID, CosmosDB, WAF reviews, Live Guards | | 🟠 Alibaba Cloud | 43 | ACK, ECS, PolarDB, MaxCompute, RAM, OSS, MLPS 2.0, WAF reviews, Live Guards | | 🔴 Huawei Cloud | 43 | CCE, GaussDB, ModelArts, DEW, SecMaster, OBS, MLPS 2.0, WAF reviews, Live Guards | | ☸️ Kubernetes | 10 | RBAC review, workload identity, PSA, live RBAC/admission/mesh/network/ArgoCD guards, maestro | | 🛡️ Kyverno | 1 | ClusterPolicy/Policy, PolicyException, failureAction, background scan | | 🔄 Argo CD | 2 | AppProject blast-radius, sync impersonation, RollingSync, sync-window | | 🕸️ Istio | 1 | Ambient mesh, ztunnel L4 vs waypoint L7, PeerAuthentication, mTLS posture | | 🐝 Cilium | 1 | CiliumNetworkPolicy, ClusterMesh trust, 169.254.169.254 egress, WireGuard encryption | | 📡 OpenTelemetry | 1 | Collector pipeline, memory_limiter, receiver exposure, exporter cardinality, credential handling | | 🟩 Terraform | 1 | IaC review and plan safety | | 📣 Marketing | 14 | Consent, pixel-leakage, martech access, GPC, email auth, ads.txt, targeting fairness, EU AI Act, audience uploads, list retention, influencer, dark patterns, analytics, maestro | | ☁️ Salesforce | 25 | Org assessment, metadata review, permissions audit, Flow automation, Apex/LWC code review, release readiness, integration, marketing consent, Agentforce risk review, zero-trust maturity, DevSecOps pipeline, SOQL generation, Apex generation and test generation, operational T1/T2 runtime skills | | Ⓜ️ Microsoft 365 / D365 | 38 | Maestro routing (microsoft/m365/d365/Power Platform/Copilot), Entra Zero Trust & Conditional Access, Microsoft 365 Copilot readiness, Purview data security & compliance, Defender XDR SecOps, Intune endpoints, Teams collaboration, Exchange/SharePoint information governance, tenant governance, backup/BCDR & data resilience, licensing/EA optimization, Dataverse/DLP security, Power Platform ALM, Power Automate risk review, Copilot Studio governance, Fabric/Power BI governance, Fabric data engineering, Fabric analytics engineering, D365 Success by Design, SoD, data migration/cutover, finance close-to-report, supply chain, field service, customer service, sales ops, Customer Insights – Journeys, F&O developer/extensions, dual-write integration, Project Operations, Commerce, value realization, live-guard identity posture + Dataverse security role (read-only-runtime, Phase A), live-guard Dataverse record field update + sensitivity label apply (mutating-runtime, Phase B) | | 🧱 Databricks (Azure) | 3 | Azure Databricks Unity Catalog governance (least-privilege grants, admin separation) + lakehouse engineering (medallion, managed-identity storage, cluster policies) — static review; + Unity Catalog schema-scoped grant guard (mutating-runtime live-guard, Phase B) | | ❄️ Snowflake (Azure) | 3 | Snowflake-on-Azure RBAC governance (SoD, ACCOUNTADMIN restriction, network policies) + data-platform engineering (Private Link, masking/row-access governance) — static review; + RBAC grant guard (mutating-runtime live-guard, Phase B) |

🛡️ Live Guard skills — stop before you break prod

Live-guard skills enforce approval gates and rollback posture for irreversible operations:

🟧 AWS (5):

  • aws-live-deployment-guarded-operator — approval-gated generic live deployment actions with account/region confirmation
  • aws-live-iac-change-guard — CloudFormation/SAM/CDK/Terraform change set + drift + rollback posture enforcement
  • aws-live-pipeline-approval-operator — CodePipeline approval gating with exact stage and approver scope
  • aws-live-serverless-release-guard — Lambda alias/canary/linear rollout with alarm + rollback required
  • aws-live-ecs-rollout-guard — ECS/Fargate deployment circuit breaker, health check evidence, rollback path

🟩 GCP (6):

  • gcp-live-gke-rollout-guard — GKE deployment and node pool mutations, control-plane version gating
  • gcp-live-iam-policy-change-guard — IAM binding mutations, org policy changes, SA key creation — org-wide blast radius
  • gcp-live-kms-key-destruction-guard — Cloud KMS key version destruction — CMEK data permanently unrecoverable
  • gcp-live-cost-budget-action-guard — budget thresholds, CUD commitments, quota increases — financial authority gate
  • gcp-live-bigquery-dataset-deletion-guard — dataset deletion, table truncation, authorized view changes — irreversible data loss
  • gcp-live-cloud-run-traffic-migration-guard — Cloud Run revision traffic shifts, min-instances changes — production traffic blast radius

🟠 Alibaba Cloud (6):

  • alibaba-live-ack-rollout-guard — ACK deployment mutations, node pool scaling, cluster version upgrades
  • alibaba-live-ram-policy-change-guard — RAM policy/role mutations — account-wide blast radius, privilege escalation risk
  • alibaba-live-kms-key-mutation-guard — KMS key deletion/disable — encrypted data permanently inaccessible
  • alibaba-live-cost-budget-action-guard — budget threshold changes, Savings Plan purchases, RI commitments — financial authority gate
  • alibaba-live-oss-bucket-policy-guard — OSS bucket ACL/policy changes — public exposure or China data-residency violation
  • alibaba-live-rds-polardb-mutation-guard — RDS/PolarDB instance deletion, spec downgrade, backup policy removal — data loss risk

🔴 Huawei Cloud (6):

  • huawei-live-cce-rollout-guard — CCE deployment mutations, node pool upgrades, cluster version changes
  • huawei-live-iam-policy-change-guard — IAM policy/SCP mutations — account-wide blast radius, privilege escalation
  • huawei-live-kms-key-destruction-guard — DEW/KMS key deletion — CSMS secrets and DBSS-encrypted data permanently lost
  • huawei-live-cost-budget-action-guard — budget threshold changes, RI purchases, CUD commitments — financial authority gate
  • huawei-live-obs-bucket-policy-guard — OBS bucket ACL/policy changes — public exposure or data residency violation
  • huawei-live-gaussdb-mutation-guard — GaussDB/RDS instance deletion, spec downgrade, backup policy changes — data loss

🟦 Azure (7):

  • azure-live-aks-rollout-guard — PDB audit, rollout pause/undo, post-rollout health
  • azure-live-arm-deployment-stack-guard — what-if evidence, denySettings, PIM-gated delete
  • azure-live-app-service-slot-swap-guard — sticky-setting audit, traffic shifting, swap-back path
  • azure-live-keyvault-rotation-purge-guard — rotation policy, soft-delete/purge-protection, PIM gate
  • azure-live-pim-jit-activation-guard — eligible assignment audit, MFA gate, JIT revocation
  • azure-live-cost-budget-action-guard — budget mutation, GPU SKU policy, quota read-only
  • azure-live-entra-role-assignment-guard — permanent role assignment scope/principal audit, PIM-preference enforcement, Guest principal blocking

🟥 OCI (7):

  • oci-live-autonomous-db-lifecycle-guard — ADB scale/stop/clone/terminate with tag enforcement
  • oci-live-oke-rollout-guard — DevOps pipeline approval, PDB audit, rollout pause/undo
  • oci-live-resource-manager-stack-guard — plan-before-apply, drift detection, job-lock enforcement
  • oci-live-vault-key-destruction-guard — rotation vs. destruction separation, 7–30 day deletion window
  • oci-live-iam-policy-compartment-guard — MFA break-glass, dual-approval for tenancy-root changes
  • oci-live-cost-budget-runaway-guard — 3-tier budget management, GPU shape gate, ONS alert routing
  • oci-live-network-security-rule-guard — Security List/NSG rule capture, 0.0.0.0/0 detection, DB-subnet criticality, Path Analyzer gate

☸️ Kubernetes (5):

  • kubernetes-live-rbac-mutation-guard — escalate/bind/impersonate verb detection, wildcard blocking, pre-mutation state capture, rollback via YAML backup
  • kubernetes-live-admission-policy-guard — Kyverno/VAP mutation blast-radius, failureAction enforcement, PolicyException scope validation
  • kubernetes-live-mesh-policy-guard — Istio AuthorizationPolicy/PeerAuthentication traffic impact, PERMISSIVE→STRICT migration gating
  • kubernetes-live-network-policy-guard — CiliumNetworkPolicy/NetworkPolicy connectivity impact, metadata service egress blocking
  • kubernetes-live-argocd-sync-guard — AppProject blast-radius, sync impersonation identity review, sync-window change gating

Sample skills

Rule of thumb: if the asset teaches how to do a repeatable task, it is a skill.


🤖 Agents

600 agents matching the skill catalog — agents ship harness adapters and a hardened permission model.

| Provider | Count | Specialisations | | ------------------ | ----: | ----------------------------------------------------------------------------------- | | 🟩 GCP | 51 | advisory, live-guard operators, maestro router | | 🟧 AWS | 47 | advisory, execution, live-guard operators | | 🟠 Alibaba Cloud | 43 | advisory, live-guard operators, maestro router | | 🔴 Huawei Cloud | 43 | advisory, live-guard operators, maestro router | | 🟥 OCI | 39 | advisory, live-guard operators | | 🟦 Azure | 36 | advisory, live-guard operators | | ☸️ Kubernetes | 15 | RBAC review, workload identity, PSA, 5 live-guard operators, maestro router | | ☁️ OVHcloud | 6 | advisory, live KMS guard, maestro router | | 🌐 IONOS Cloud | 6 | advisory, live DB lifecycle guard, maestro router | | 🇫🇷 Scaleway | 6 | advisory, live Kapsule rollout guard, maestro router | | 🇩🇪 Hetzner Cloud | 6 | advisory, live firewall + server lifecycle guards, maestro router | | 💰 Contabo | 6 | advisory, live instance + storage guards, maestro router | | 🛡️ Kyverno | 1 | Admission policy review | | 🔄 Argo CD | 2 | GitOps review, live sync guard | | 🕸️ Istio | 1 | Ambient mesh review | | 🐝 Cilium | 1 | Network policy review | | 📡 OpenTelemetry | 1 | Collector config review | | 💡 Backstage | 1 | IDP scaffolder review | | 🔐 cert-manager | 1 | PKI certificate lifecycle review | | 🦅 Falco | 1 | runtime threat detection review | | 🔁 Flux CD | 1 | GitOps Kustomization/HelmRelease review | | 📊 Prometheus | 1 | alerting and cardinality review | | 🔏 Sigstore | 1 | supply-chain security review | | 🟩 Terraform | 2 | IaC review, maestro | | 💸 FinOps | 4 | cross-cloud price advisor + experimental cost/economics agents | | 🟣 .NET | 10 | C#/runtime, ASP.NET Core API & identity, EF Core data access, testing, NuGet supply chain, performance/AOT, OpenTelemetry, Aspire — static-review specialists + maestro router | | 🟤 NVIDIA | 12 | CUDA/GPU infrastructure, TensorRT/TensorRT-LLM, Triton serving, NeMo/NIM generative AI, agentic-AI platform, NGC supply chain, AI networking fabric, day-2 operations, GPU Operator on Kubernetes, model promotion gatekeeper — advisory + live-runtime gate + maestro router | | 📣 Marketing | 14 | 13 governance review agents + maestro router | | ⚖️ Legal | 13 | contract review, employment law risk, privacy & data protection, regulatory compliance, IP & open source, litigation & discovery hold, ethics & investigations, vendor/procurement risk, policy governance, public disclosure, counsel review, knowledge management | | 👥 HR | 15 | employee relations, workplace investigations, performance management, compensation & equity, benefits & payroll, recruiting & selection, workforce planning & RIF, leave & accommodation, learning policy, culture & DEI, people analytics, HRIS process controls, termination readiness, risk triage | | 🧪 QA | 10 | Playwright E2E review + execution, flakiness triage, coverage quality, CI test pipeline review, PLC control-logic safety, RPA workflow resilience — static-review + opt-in execution | | ☁️ Salesforce | 30 | 20 Wave 1 domain specialists (admin, dev, security, integration, Sales/Service/Marketing/Industry clouds, Agentforce, analytics, compliance) + 10 Wave 3 infrastructure security + DevSecOps agents — maestro router + live-guard authority gate | | Ⓜ️ Microsoft 365 / D365 | 40 | 5 maestro routers (microsoft, m365, d365, Power Platform, Copilot governance) + 31 static-review specialists + 2 read-only-runtime live-guards (Phase A: identity posture, Dataverse security role) + 2 mutating-runtime live-guards (Phase B: Dataverse record field update, sensitivity label apply) across M365 (Entra identity/Zero Trust, Copilot readiness, Purview data security & compliance, Defender XDR SecOps, Intune endpoints, Teams collaboration, Exchange/SharePoint information governance, tenant governance, backup/BCDR & data resilience, licensing/EA optimization), Power Platform (Dataverse security, ALM pipelines, automation risk, Copilot Studio governance), Fabric/Power BI (governance, data engineering, analytics engineering), D365 (Success by Design, SoD, data migration/cutover, finance, supply chain, field service, customer service, sales, Customer Insights – Journeys, F&O developer/extensions, dual-write integration, Project Operations, Commerce, value realization), and live-guard runtime (Phase A: identity posture, Dataverse security role; Phase B: Dataverse record field update guard, sensitivity label apply guard) | | 🧱 Databricks (Azure) | 3 | 2 static-review specialists (Phase A): Unity Catalog governance (metastore→catalog→schema→table, least-privilege grants, account/workspace/metastore admin separation, run-as-service-principal) + lakehouse engineering (medallion architecture, ADLS Gen2 via Access Connector managed identity, cluster policies, AKV-backed secret scopes, VNet/Private Link); + 1 mutating-runtime live-guard (Phase B): Unity Catalog schema-scoped grant guard (single GRANT to one principal, REVOKE rollback, written approval token + PREFLIGHT required) | | ❄️ Snowflake (Azure) | 3 | 2 static-review specialists (Phase A): RBAC governance (ACCOUNTADMIN/SECURITYADMIN/SYSADMIN separation, custom least-privilege roles, SoD, network policies, Entra OAuth/SSO/SCIM) + data-platform engineering (warehouses, Azure Private Link, storage integration to ADLS Gen2/Blob, dynamic masking/row-access/tagging, ACCESS_HISTORY); + 1 mutating-runtime live-guard (Phase B): Snowflake RBAC grant guard (single GRANT to one grantee, REVOKE rollback, written approval token + PREFLIGHT required, ACCOUNTADMIN/SECURITYADMIN/SYSADMIN escalation denied) | | 🔗 Cross-functional skills | 3 | legal-hr-routing-protocol, legal-hr-case-capsule, legal-hr-risk-taxonomy (protocol skills, not agents) |

⚖️ The Legal + HR cross-functional agentic ecosystem

Beyond cloud and platform agents, Vanguard Frontier ships a 28-agent cross-functional Legal + HR ecosystem plus 3 cross-functional protocol skills — proof that agentic coordination works across organizational boundaries, not just inside one cloud account.

Every Legal and HR agent is escalation-aware (knows when a matter must go to privileged counsel or a human owner), privacy-preserving (minimizes personal and sensitive data in every handoff), and audit-ready (emits the same structured verdict shape as the cloud live-guard agents). These agents advise on process and risk posture — they do not replace licensed legal counsel or qualified HR professionals, and they say so.

🟣 The .NET application review board

.NET is a free, cross-platform, open-source developer platform — runtime, libraries, and languages (C# is the most popular) — with ASP.NET Core as its lean, modular framework for modern cloud-based web services and EF Core as its lightweight, extensible data-access layer. The board is a dotnet-maestro router plus nine static-review specialists covering C#/runtime correctness, ASP.NET Core API architecture, identity and authorization, EF Core data access, test quality, CI/NuGet supply chain, performance/AOT/trimming, in-app OpenTelemetry wiring, and .NET Aspire cloud-native readiness — every agent reads source and sanitized configuration only and never builds, runs, migrates, or contacts a live system. These agents use provider: generic with a dotnet- ID prefix because .NET is a language/runtime, not a cloud provider — mirroring the existing non-cloud boards.

Ⓜ️ The Microsoft 365 / Dynamics 365 board

A maestro-routed board for the Microsoft business cloud (M365, Dynamics 365, Power Platform, and Copilot) — the SaaS surface, distinct from Azure infrastructure. A top-level microsoft-maestro routes to four sub-maestros (m365, d365, power-platform, copilot-governance) and refuses Azure-IaaS / cross-cloud work, deflecting it to the Azure/AWS/GCP maestros. Under them sit 31 static-review specialists + 2 read-only-runtime live-guards (Phase A) + 2 mutating-runtime live-guards (Phase B) organized into categories:

  • M365 — identity & Copilot: Entra Conditional Access / Zero Trust and Microsoft 365 Copilot readiness & data-exposure governance (the Copilot Zero Trust 7-layer / oversharing model).
  • Power Platform & Copilot Studio: environment + DLP + Dataverse security, ALM pipelines, automation (Power Automate) risk review, and Copilot Studio agent governance / ALM.
  • Analytics: Microsoft Fabric / Power BI semantic-model trust, RLS/OLS, and workspace governance.
  • Dynamics 365: Success by Design implementation governance, Finance & Operations segregation-of-duties, data migration & cutover, finance close-to-report, supply chain plan-to-produce, field service-to-cash, customer service & contact center, sales revenue operations, and license-to-value realization.

Static-review agents produce no tenant mutations; every verdict requires explicit human approval. The board also ships Phase A read-only-runtime live-guards (m365-live-identity-posture-guard-agent, d365-live-security-role-guard-agent) that read live tenant state without writing, and Phase B mutating-runtime live-guards (d365-live-record-field-update-guard-agent, m365-live-sensitivity-label-apply-guard-agent) that execute exactly one controlled WRITE operation (a named Dataverse field PATCH or a Graph sensitivity-label assignment to one driveItem) only after a written approval token, PREFLIGHT dry-run, and inverse-rollback path are confirmed — bulk edits, DELETE, ownerid/security-role fields, label-policy writes, and broad directory permissions are unconditionally denied. The board is grounded on Microsoft Learn and ships alongside 15 cross-functional protocol skills (provider: generic, recommendation-only) that orchestrate it across business processes — lead-to-cash, procure-to-pay, close-to-report, copilot-data-readiness, erp-crm-cutover, identity-to-data-access, and more.


Every agent ships:

  • 📄 AGENT.md — harness-neutral contract with guarded response shape
  • 🗂️ metadata.json — schema-validated catalog entry
  • 🔌 Harness adapters — claude-code + codex (EU providers); all 7 adapters for established providers
agents/
├── accounting/       (14 agents — maestro + corporate accounting specialists: revenue recognition (ASC 606/IFRS 15), close cycle, consolidation/intercompany, fixed assets, lease accounting (ASC 842), hedge accounting, FX translation, tax provision, payroll, procure-to-pay, equity compensation, indirect tax/e-invoicing, business combinations — all advisory, no ledger writes)
├── alibaba/          (43 agents — advisory, live-guard operators, maestro)
├── argocd/           (2 agents — GitOps review, live sync guard)
├── aws/              (47 agents — advisory, execution, live-guard operators)
├── azure/            (36 agents — advisory, live-guard operators)
├── backstage/        (1 agent — IDP scaffolder review)
├── cert-manager/     (1 agent — PKI certificate lifecycle review)
├── cilium/           (1 agent — network policy review)
├── contabo/          (6 agents — advisory, live instance + storage guards, maestro)
├── databricks/       (3 agents — Azure Databricks: Unity Catalog governance + lakehouse engineering — static review, -at-azure; + Unity Catalog schema-scoped grant guard — mutating-runtime live-guard, Phase B)
├── dotnet/           (10 agents — C#/runtime, ASP.NET Core, EF Core, testing, NuGet supply chain, performance/AOT, OpenTelemetry, Aspire — maestro + 9 specialists)
├── falco/            (1 agent — runtime threat detection review)
├── finance/          (8 agents — maestro + corporate finance specialists: variance analysis, FP&A forecasting, treasury/liquidity, working capital, debt/capital structure, capital allocation, transfer pricing/Pillar Two — all advisory, no ERP writes)
├── finops/           (4 agents — cross-cloud price advisor + experimental cost/economics agents)
├── fluxcd/           (1 agent — GitOps Kustomization/HelmRelease review)
├── frontend/         (35 agents — React/Next.js/Angular/Vue/Svelte specialists, web-platform + cross-cutting review roles, board-chair + enterprise red-team + maestro — all static-review, no build/deploy/credentials)
├── gcp/              (51 agents — advisory, live-guard operators, maestro)
├── hetzner/          (6 agents — advisory, live firewall + server lifecycle guards, maestro)
├── hr/               (15 agents — employee relations, investigations, performance, compensation, benefits, recruiting, workforce planning, learning, culture & DEI, analytics, HRIS, termination readiness, maestro)
├── huawei/           (43 agents — advisory, live-guard operators, maestro)
├── ionos/            (6 agents — advisory, live DB lifecycle guard, maestro)
├── istio/            (1 agent — ambient mesh review)
├── kubernetes/       (15 agents — RBAC, workload identity, PSA, pod-spec, ESO, Kubecost, live-guards, maestro)
├── kyverno/          (1 agent — admission policy review)
├── legal/            (13 agents — contract review, employment law, privacy & data protection, regulatory compliance, IP & open source, litigation hold, ethics & investigations, vendor risk, policy governance, public disclosure, counsel review, knowledge management)
├── marketing/        (14 agents — 13 governance review agents + maestro router)
├── microsoft/        (40 agents — Microsoft 365 / Dynamics 365 / Power Platform / Copilot — microsoft maestro + m365/d365/power-platform/copilot-governance sub-maestros, plus 31 static-review specialists: Entra Zero Trust, Copilot readiness, Purview data security & compliance, Defender XDR SecOps, Intune endpoints, Teams collaboration, Exchange/SharePoint information governance, tenant governance, backup/BCDR & data resilience, licensing/EA optimization, Dataverse/DLP security, Power Platform ALM, Power Automate risk, Copilot Studio governance, Fabric/Power BI governance, Fabric data engineering, Fabric analytics engineering, D365 Success by Design, SoD, data migration/cutover, finance, supply chain, field service, customer service, sales, Customer Insights – Journeys, F&O developer/extensions, dual-write integration, Project Operations, Commerce, value realization — all static-review, live-guard-gated; +2 read-only-runtime live-guard agents (Phase A): identity posture, Dataverse security role; +2 mutating-runtime live-guard agents (Phase B): Dataverse record field update guard, sensitivity label apply guard)
├── netsuite/         (25 agents — Oracle NetSuite ERP — maestro router, live-org mutation guard, evidence/release-drift + enterprise-architecture + SOX audit governance, plus 20 domain specialists: financial foundations, SuiteScript secure code review, SDF DevOps, OneWorld multi-subsidiary, identity/RBAC, OAuth/TBA/SSO, AI Connector/MCP, data governance, integration migration, and more — all static-review tier)
├── nvidia/           (12 agents — GPU infrastructure, TensorRT/TensorRT-LLM, Triton serving, NeMo/NIM, agentic AI, NGC supply chain, AI networking, day-2 ops, GPU Operator on Kubernetes, model promotion gatekeeper — maestro + advisory + live-runtime gate)
├── oci/              (39 agents — advisory, live-guard operators)
├── opentelemetry/    (1 agent — collector config review)
├── ovhcloud/         (6 agents — advisory, live KMS guard, maestro)
├── prometheus/       (1 agent — alerting and cardinality review)
├── qa/               (10 agents — Playwright E2E review + execution, flakiness triage, coverage quality, CI pipeline review, PLC control-logic safety, RPA workflow resilience)
├── salesforce/       (30 agents — 20 Wave 1 domain specialists + 10 Wave 3 infrastructure security/DevSecOps agents, maestro router, live-guard authority gate)
├── scaleway/         (6 agents — advisory, live Kapsule rollout guard, maestro)
├── snowflake/        (3 agents — Snowflake on Azure: RBAC governance + data-platform engineering — static review, -at-azure; + RBAC grant guard — mutating-runtime live-guard, Phase B)
├── sigstore/         (1 agent — supply-chain security review)
└── terraform/        (2 agents — IaC review, maestro)

Example:

Use an agent when you need a role with judgment, not just a checklist.


📦 Install Reference

Everything you can install, and exactly how to install it. One section, no hunting.

🧭 How to pick what to install

🙋 I know my job function               → use --role
🎯 I know the specific agent I want     → use --agents
☁️  I work on one cloud provider only    → add --provider to either of the above
💥 I want everything for a platform     → use --all
🔍 I don't know what exists yet         → use --list or --list-roles first

🏷️ Argument reference

| Argument | Values | Required | Description | | -------------- | ----------------------------------------------------- | --------------------------------------- | ---------------------------------------------------- | | --platform | see table below | ✅ yes (except --list, --list-roles) | Target AI harness | | --role | see role table below | pick one ↓ | Install all agents for a job role | | --agents | comma-separated agent IDs | pick one ↓ | Install specific agents by ID | | --all | — | pick one ↓ | Install every agent for the platform | | --provider | aws azure oci gcp alibaba huawei ovhcloud ionos scaleway hetzner contabo kubernetes terraform finops kyverno argocd istio cilium opentelemetry | ➕ optional | Narrow --role results to one provider | | --repo | path | ➕ optional | Target repo root (defaults to current directory) | | --force | — | ➕ optional | Overwrite files that already exist | | --list | — | 🔍 standalone | Print all agent IDs, providers, and names; then exit | | --list-roles | — | 🔍 standalone | Print role IDs with agent counts; then exit | | --list-providers | — | 🔍 standalone | List all providers with agent counts; then exit | | --dry-run | — | ➕ optional | Print the export plan without writing files | | --no-skills | — | ➕ optional | Skip companion skill bundling |


🖥️ Platform reference

Each platform writes agent files to a different folder in your repo.

| --platform value | AI harness | Installs into | | ------------------ | -------------------------------- | ----------------- | | claude-code | 🤖 Claude Code (Anthropic) | .claude/agents/ | | codex | ⚡ Codex CLI (OpenAI) | .codex/agents/ | | copilot | 🐙 GitHub Copilot / VS Code | .github/agents/ | | cursor | 🖱️ Cursor | .cursor/agents/ | | gemini | ♊ Gemini CLI (Google) | .gemini/agents/ | | kiro | 🔮 Kiro — both IDE + CLI adapters | .kiro/agents/ | | kiro-ide | 🔮 Kiro IDE only | .kiro/agents/ | | kiro-cli | 🔮 Kiro CLI only | .kiro/agents/ |

ℹ️ The exporter installs agent files only. It does not write repo-level guidance files (CLAUDE.md, AGENTS.md, .github/copilot-instructions.md, etc.). See docs/normalized-platform-matrix.md.


👤 Role reference

A role installs the curated set of agents a practitioner in that job function needs, across all cloud providers. Roles overlap intentionally — one agent may appear in multiple roles.

| --role value | 👤 Who it is for | 🔢 Agents | ☁️ What it covers | | -------------------------------------------- | ------------------------------------------------------------------------ | -------: | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | cloud-security-engineer | 🔐 Security engineers, compliance teams, IAM owners | 51 | IAM/RBAC review, secrets lifecycle, identity governance, live guards for access and key mutations — AWS · Azure · OCI · GCP · Alibaba · Huawei · OVHcloud · Scaleway · Contabo · K8s | | cloud-platform-engineer | 🏗️ Infrastructure/SRE, IaC owners, Kubernetes platform teams | 58 | IaC safety review, container platform operators, networking, landing zones, live deployment guards — AWS · Azure · OCI · GCP · Alibaba · Huawei · EU providers · Terraform | | cloud-dba | 🗄️ Database administrators, data platform engineers | 20 | RDS/Aurora, DynamoDB, CosmosDB, OCI Autonomous/Exadata/MySQL HeatWave, IONOS DBaaS, replication, live DB lifecycle guards | | cloud-finops-analyst | 💰 FinOps leads, cost governance teams | 25 | Cost optimization governors, anomaly watch, budget runaway guards, capacity planning — AWS · Azure · OCI · GCP · Alibaba · Huawei · EU providers | | cloud-solutions-architect | 🏛️ Cloud architects, migration leads, AI/generative engineers | 38 | Solution architecture, migration cutover, resilience/BCDR, event-driven design, multi-cloud, AI/generative — AWS · Azure · OCI · GCP · Alibaba · Huawei | | cloud-devops-engineer | 🚀 CI/CD engineers, release managers, SRE ops | 49 | CI/CD, pipeline approval gates, live rollout guards, deployment hotfix operators, serverless readiness, observability — AWS · Azure · OCI · GCP · Alibaba · Huawei | | kubernetes-admission-security-engineer | 🛡️ Platform security, policy engineers, admission control owners | 6 | Kyverno policy review, K8s workload identity, PSA profiles, live admission-policy guard, live RBAC guard | | kubernetes-network-engineer | 🐝 Network engineers, platform SREs, zero-trust mesh owners | 5 | Cilium/NetworkPolicy review, Istio ambient mesh review, live network-policy and mesh-policy guards | | kubernetes-application-platform-engineer | 🔄 Platform engineers, GitOps owners, ArgoCD operators | 3 | Argo CD GitOps review, live ArgoCD sync guard, kubernetes-maestro router | | kubernetes-runtime-security-engineer | 🔍 Runtime security, observability, and threat detection engineers | 6 | Falco threat rules, Sigstore supply chain, K8s workload identity, RBAC review, pod-spec review, live RBAC guard | | kubernetes-pki-engineer | 🔐 PKI/cert lifecycle engineers, secrets management owners | 6 | cert-manager Issuer/ClusterIssuer, CertificateRequestPolicy gap, ESO scope, AWS Private CA, Azure KV cert, OCI Certificates | | kubernetes-observability-engineer | 📊 SRE observability engineers, FinOps cost analysts | 4 | Prometheus alerting/cardinality, OTEL Collector pipeline, Kubecost chargeback/allocation, maestro router | | kubernetes-supply-chain-security-engineer | 🔏 Supply chain security engineers, DevSecOps practitioners | 7 | Sigstore/Cosign, Falco runtime rules, Kyverno admission policy, PSA hardening, pod-spec review, live admission guard | | kubernetes-developer-platform-engineer | 🎭 IDP/platform engineers, GitOps owners, developer experience leads | 6 | Backstage Scaffolder templates, Argo CD, Argo Rollouts progressive delivery, FluxCD Kustomization/HelmRelease, maestro router | | kubernetes-disaster-recovery-engineer | 💾 SRE disaster recovery engineers, backup and restore owners | 2 | Velero live-guarded restore operations with pre-restore checklist, maestro router |

# 🔍 See exactly which roles exist and how many agents each has
npx vfa-export-agents --list-roles

# 📦 Install a cloud role
npx vfa-export-agents --platform claude-code --role cloud-security-engineer --repo .

# ☁️  Install a cloud role but only for one provider
npx vfa-export-agents --platform claude-code --role cloud-security-engineer --provider azure --repo .

# ☸️  Install a Kubernetes specialist role
npx vfa-export-agents --platform claude-code --role kubernetes-admission-security-engineer --repo .
npx vfa-export-agents --platform claude-code --role kubernetes-network-engineer --repo .

☁️ Provider reference

Use --provider with --role to narrow the install to one cloud.

| --provider value | Domain | 🔢 Agents in catalog | | ------------------- | ---------------------------------------- | ------------------: | | aws | 🟧 Amazon Web Services | 47 | | azure | 🟦 Microsoft Azure | 36 | | oci | 🟥 Oracle Cloud Infrastructure | 39 | | gcp | 🟩 Google Cloud Platform | 51 | | alibaba | 🟠 Alibaba Cloud | 43 | | huawei | 🔴 Huawei Cloud | 43 | | ovhcloud | ☁️ OVHcloud | 6 | | ionos | 🌐 IONOS Cloud | 6 | | scaleway | 🇫🇷 Scaleway | 6 | | hetzner | 🇩🇪 Hetzner Cloud | 6 | | contabo | 💰 Contabo | 6 | | kubernetes | ☸️ Kubernetes (cross-cloud) | 15 | | kyverno | 🛡️ Kyverno (admission policy) | 1 | | argocd | 🔄 Argo CD + Argo Rollouts (GitOps) | 2 | | istio | 🕸️ Istio (service mesh) | 1 | | cilium | 🐝 Cilium (network policy) | 1 | | opentelemetry | 📡 OpenTelemetry (observability) | 1 | | terraform | 🟩 Terraform (cross-cloud) | 2 | | multi-cloud | 💰 FinOps / multi-cloud | 1 | | prometheus | 📊 Prometheus (alerting + cardinality) | 1 | | falco | 🦅 Falco (runtime threat detection) | 1 | | sigstore | 🔏 Sigstore / Cosign (supply chain) | 1 | | cert-manager | 🔐 cert-manager (PKI / cert lifecycle) | 1 | | fluxcd | 🔄 FluxCD (GitOps) | 1 | | backstage | 🎭 Backstage (IDP / developer platform) | 1 | | velero | 💾 Velero (backup + restore) | 1 | | marketing | 📣 Marketing governance (consent, pixel, access, AI, deliverability) | 14 |

# 🟥 Install every OCI agent for a cloud-platform-engineer (OCI-only team)
npx vfa-export-agents --platform codex --role cloud-platform-engineer --provider oci --repo .

# 🟦 Install every Azure agent for a cloud-devops-engineer
npx vfa-export-agents --platform copilot --role cloud-devops-engineer --provider azure --repo .

🎯 Common install scenarios

| 🙋 I want to… | Command | | ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | | 🔍 See what agents exist | npx vfa-export-agents --list | | 🔍 See what roles exist | npx vfa-export-agents --list-roles | | 🔍 See what providers exist | npx vfa-export-agents --list-providers | | 👤 Install for my job role (Claude Code) | npx vfa-export-agents --platform claude-code --role <role> --repo . | | ☁️ Install for my job role, one cloud only | npx vfa-export-agents --platform claude-code --role <role> --provider aws --repo . | | ☸️ Install K8s admission security role | npx vfa-export-agents --platform claude-code --role kubernetes-admission-security-engineer --repo . | | 🐝 Install K8s network engineering role | npx vfa-export-agents --platform claude-code --role kubernetes-network-engineer --repo . | | 🧭 Install the Kubernetes maestro router only | npx vfa-export-agents --platform claude-code --agents kubernetes-maestro-agent --repo . | | 🎯 Install one specific agent | npx vfa-export-agents --platform claude-code --agents kubernetes-rbac-review-agent --repo .