@raishin/vanguard-frontier-agentic
v3.3.0
Published
Cloud and zero-trust agentic workflow marketplace for skills, agents, rules, MCP references, and compliance-aware architecture.
Maintainers
Readme
Vanguard Frontier Agentic
This is the edge of agentic intelligence — an enterprise-grade ecosystem for running AI agents at scale in environments where a wrong move is a board-level incident. It collects reusable skills, agents, rules, MCP references, and supporting assets for AWS, Azure, OCI, GCP, Alibaba Cloud, Huawei Cloud, Kubernetes, and Terraform — plus cross-functional Legal, HR, Marketing, Salesforce, .NET, FinOps, Accounting, Finance, Oracle NetSuite ERP, Microsoft 365 / Dynamics 365, and Azure-ecosystem Databricks and Snowflake data-platform agentic ecosystems.
This is not just cloud infrastructure tooling. It is agentic coordination: maestro routing, escalation-aware protocol, structured handoff between specialists, and refusal-by-default safety on every irreversible action. Cloud is one domain it operates in. Coordination, governance, and escalation are the product.
📊 Catalog at a glance
| Catalog | Count | | --- | --- | | Skills | 623 | | Agents | 600 | | Providers | 41 | | Install roles | 32 | | Rules | 1 | | MCP references | 3 |
- 🧠 Skills = step-by-step workflows an AI assistant can follow.
- 🤖 Agents = reusable expert roles for review, architecture, and operations.
- 📏 Rules = durable instructions for a specific AI harness.
- 🔌 MCP references = trusted notes for connecting tools to real systems.
- 🗂️ Catalogs = machine-readable indexes so tools can discover everything.
Works with: Claude Code · Codex · GitHub Copilot · Cursor · Gemini CLI · Kiro · and any other coding agent.
📦 Available on npm:
@raishin/vanguard-frontier-agenticis published on the public npm registry.⚠️ ALPHA FINOPS BUNDLE: As of v1.8.0, this package includes 4 new experimental FinOps agents and 7 skills for cloud cost optimization, AI economics modeling, Kubernetes rightsizing, and FOCUS-spec normalization. All are marked
lifecycle: experimental. See the board readiness memo for known limitations, risk mitigation, and 30-day diligence closure requirements. Use at your own risk in pre-production environments. Production deployment requires signed design-partner SOWs, Big 4 accounting validation, and SOC 2 Type II observation (≥150 days).
🛰️ Why Vanguard Frontier?
"Vanguard frontier" is not branding — it is an operating posture. This ecosystem is built for the front line of agentic deployment, where AI agents touch real production systems, real regulated data, and real legal exposure.
- 🏛️ Built for Fortune 50 / high-stakes environments. Every agent assumes the blast radius is enterprise-scale: regulated data, audited controls, and decisions that survive legal discovery. Refusal-by-default beats a fast path to a board-level incident.
- ⚖️ The Legal + HR ecosystem is proof of cross-functional agentic coordination. 28 specialist agents (Legal maestro + 12 specialists, HR maestro + 14 specialists) and 3 cross-functional protocol skills demonstrate that agents can hand off, escalate, and coordinate across organizational boundaries — not just answer in isolation.
- 🧾 Audit-ready, privacy-preserving, escalation-aware by design. Every
review and live-guard agent emits a structured verdict (
verdict,evidence_level,blockers,safe_next_actions,open_questions) that maps directly to SOC 2, PCI DSS, NIS2, NIST CSF, and ISO 27001 — no post-processing. - 🛡️ Battle-tested against real compliance, governance, and risk workflows. These patterns are exercised against live IAM mutations, KMS destruction, litigation holds, RIF planning, and privacy reviews — the workflows where a generic agent gets an organization sued.
The bar: an auditor, a regulator, or opposing counsel should be able to read the agent's output and trace exactly who decided what, on what evidence, and who approved the risk.
🧱 What's Inside — the three-layer agentic architecture
Vanguard Frontier is not a flat bag of prompts. It is a deliberate three-layer system, and every domain — cloud providers, Kubernetes, marketing, Legal, HR — follows the same shape.
| Layer | Role | Examples |
| ----- | ---- | -------- |
| 1. 🧭 Maestro (router) | Entry point. Classifies the request, routes to the right specialist, never executes risk itself. | legal-maestro-agent, hr-maestro-agent, kubernetes-maestro-agent, provider maestros |
| 2. 🤖 Specialists | Domain experts with judgment and a hardened permission model. Each loads one companion skill and emits a guarded verdict. | 13 Legal specialists, 15 HR specialists, cloud advisory + live-guard operators |
| 3. 🔗 Cross-functional protocol | Shared contracts that let specialists hand off, escalate, and coordinate across organizational boundaries without leaking scope. | legal-hr-routing-protocol, legal-hr-case-capsule, legal-hr-risk-taxonomy |
How it flows: a request enters at the maestro, which routes to a specialist. When a matter crosses a boundary — an HR investigation that needs privileged Legal review, or a Legal hold that triggers an HR data freeze — the cross-functional protocol carries a structured case capsule between agents, preserving privilege, minimizing data, and recording the escalation path.
This is what "agentic coordination" means here: routing, protocol, and escalation are first-class, not improvised.
🚀 Get Started
Pick the install path for your coding agent. Each dropdown is crystal-clear, step-by-step, and one-click plug-and-play where the harness supports it; the npm/export path works for everything else.
At a glance — which path is yours:
| Your harness | Fastest path | One-liner |
| ------------ | ------------ | --------- |
| 🤖 Claude Code | Plugin marketplace | /plugin marketplace add Raishin/vanguard-frontier-agentic |
| 🐙 GitHub Copilot CLI | Plugin marketplace | copilot plugin marketplace add Raishin/vanguard-frontier-agentic |
| 🖱️ Cursor | Clone + register plugin dir | git clone … then Settings → Plugins → Add Plugin Directory |
| ⚡ Codex | Plugin marketplace | codex plugin marketplace add Raishin/vanguard-frontier-agentic |
| ♊ Gemini / Antigravity | npm export | npx vfa-export-agents --platform gemini --all --repo . |
| 🔮 Kiro | Add Powers per-directory | Powers panel → Add Custom Power → Local Directory |
| 📦 Any other | npm + vfa-export-agents CLI | npm install @raishin/vanguard-frontier-agentic@latest |
Expand the matching dropdown below for the full step-by-step.
/plugin marketplace add Raishin/vanguard-frontier-agentic
/plugin install vanguard-frontier-agentic@vanguard-frontier-agenticOr wire it into ~/.claude/settings.json (or your project's .claude/settings.json) for team-wide trust:
{
"extraKnownMarketplaces": {
"vanguard-frontier-agentic": {
"source": { "source": "github", "repo": "Raishin/vanguard-frontier-agentic" }
}
},
"enabledPlugins": {
"vanguard-frontier-agentic@vanguard-frontier-agentic": true
}
}Pin to a tag for reproducible installs: pick any released tag for stable versions, or use @latest for the current release.
- Bundled: all 600 cloud, security, compliance, Kubernetes, Terraform agents (incl. provider maestros and live-guard agents)
- Spec:
.claude-plugin/marketplace.json+.claude-plugin/plugin.json(canonical Claude Code plugin layout) - Not bundled: skills, rules, MCP references — use the npm path for those
- Docs: code.claude.com/docs/en/plugin-marketplaces
# Add the marketplace, then install
copilot plugin marketplace add Raishin/vanguard-frontier-agentic
/plugin install vanguard-frontier-agenticOr in .github/copilot/settings.json for repo-wide trust:
{
"extraKnownMarketplaces": [
"https://raw.githubusercontent.com/Raishin/vanguard-frontier-agentic/master/.github/plugin/marketplace.json"
]
}- Marketplace manifest:
.github/plugin/marketplace.jsondeclares this repo as a single-plugin marketplace - Source path:
./(the repo root is the plugin root) - Bundled: 600 Copilot agent adapters under
agents/<provider>/<agent>/harnesses/copilot.agent.md - Docs: github.com/github/copilot-cli (
/plugin marketplace add)
# Clone the repo, then register it as a plugin directory in Cursor:
git clone https://github.com/Raishin/vanguard-frontier-agenticIn Cursor: Settings → Plugins → Add Plugin Directory → pick the cloned repo path. Or via the Cursor Extension API:
vscode.cursor.plugins.registerPath("/absolute/path/to/vanguard-frontier-agentic");- Plugin manifest:
.cursor-plugin/plugin.jsonenumerates all 600 Cursor agent adapters explicitly via theagentsfield - Bundled: all agents from
agents/<provider>/<agent>/harnesses/cursor.agent.md - Rules: existing
rules/directory at repo root is auto-discovered by Cursor - Docs: cursor.com/docs/plugins · cursor.com/docs/reference/plugins
Kiro Powers UI is per-Power directory add — there is no single-command marketplace flow. This repo ships 38 Powers under powers/, one per provider, so Kiro users can add only what they need.
# 1. Clone this repo
git clone https://github.com/Raishin/vanguard-frontier-agentic
cd vanguard-frontier-agentic
# 2. In Kiro:
# Open the Powers panel → "Add Custom Power" → "Local Directory"
# Paste the absolute path to the Power(s) you need, one at a time:
# /absolute/path/to/vanguard-frontier-agentic/powers/vanguard-aws
# /absolute/path/to/vanguard-frontier-agentic/powers/vanguard-kubernetes
# /absolute/path/to/vanguard-frontier-agentic/powers/vanguard-terraform- Powers available:
vanguard-accounting,vanguard-alibaba,vanguard-argocd,vanguard-aws,vanguard-azure,vanguard-backstage,vanguard-cert-manager,vanguard-cilium,vanguard-contabo,vanguard-databricks,vanguard-dotnet,vanguard-falco,vanguard-finance,vanguard-fluxcd,vanguard-gcp,vanguard-generic,vanguard-hetzner,vanguard-hr,vanguard-huawei,vanguard-ionos,vanguard-istio,vanguard-kubernetes,vanguard-kyverno,vanguard-legal,vanguard-marketing,vanguard-microsoft,vanguard-multi-cloud,vanguard-netsuite,vanguard-nvidia,vanguard-oci,vanguard-opentelemetry,vanguard-ovhcloud,vanguard-prometheus,vanguard-salesforce,vanguard-scaleway,vanguard-sigstore,vanguard-snowflake,vanguard-terraform - Each Power ships: routing pattern (maestro entry), live-mutation discipline, provider invariants (account-ID/region, MLPS 2.0, EU sovereignty, etc.)
- Frontmatter: strict-5 fields (
name,displayName,description,keywords,author) per Kiro spec - For Kiro agent adapter files (
.kiro/agents/*.md,.kiro/agents/*.json): use the npm-export path below - Docs: github.com/kirodotdev/powers
Antigravity reads skills from .agent/skills/<name>/SKILL.md (workspace) or ~/.gemini/antigravity/skills/<name>/ (global). There is no first-party marketplace install command — use the npm export to write skills + adapters into the right paths:
# Install the package
npm install @raishin/vanguard-frontier-agentic@latest
# Export agents + companion skills for Gemini Antigravity
npx vfa-export-agents --platform gemini --all --repo .Or for a single provider:
npx vfa-export-agents --platform gemini --provider aws --repo .- Workspace skills install to:
.agent/skills/<name>/SKILL.md - Global rules:
~/.gemini/GEMINI.md - MCP servers: configure via Antigravity's MCP Store UI →
mcp_config.json - Docs: antigravity.google · github.com/google-gemini/gemini-cli
# Add the marketplace, then enable the bundled plugin
codex plugin marketplace add Raishin/vanguard-frontier-agentic
/plugin install vanguard-frontier-agentic@vanguard-frontier-agenticcodex plugin marketplace add writes the marketplace into your ~/.codex/config.toml. The resulting block looks like this (the screenshot pattern):
[marketplaces.vanguard-frontier-agentic]
last_updated = "2026-05-11T06:46:00Z"
last_revision = "<sha>"
source_type = "git"
source = "https://github.com/Raishin/vanguard-frontier-agentic.git"
[plugins."vanguard-frontier-agentic@vanguard-frontier-agentic"]
enabled = true- Marketplace registry:
.agents/plugins/marketplace.jsonat repo root (canonical Codex location per codex-rs plugin-json-spec) - Bundled plugins:
vanguard-frontier-agentic— the main plugin, manifest atplugins/vanguard-frontier-agentic/.codex-plugin/plugin.jsoncross-platform-agent-template— scaffold for new cross-platform agents
- For agent adapter files (
.codex/agents/*.toml): after enabling the plugin, runnpx vfa-export-agents --platform codex --all --repo .to write the 600 agent adapters into your repo - Other commands:
codex plugin marketplace upgrade vanguard-frontier-agentic,codex plugin marketplace remove vanguard-frontier-agentic - Docs: github.com/openai/codex · Codex plugin spec
Prerequisite: Node.js 18+
# 1️⃣ Install the package
npm install @raishin/vanguard-frontier-agentic@latest
# 2️⃣ Export agents for your role into your repo (claude-code shown — swap platform)
npx vfa-export-agents --platform claude-code --role cloud-security-engineer --repo .
# 3️⃣ Open your coding agent and reference the exported agent
# "Use kubernetes-rbac-review-agent to audit this RBAC change."Supports --platform: claude-code, codex, copilot, cursor, gemini, kiro, kiro-ide, kiro-cli. Supports --role, --agents, --all, --provider filters. See the Install Reference for the full argument matrix.
Install paths
There are now eight supported install paths — Claude Code plugin marketplace, GitHub Copilot CLI marketplace, Cursor plugin, Codex plugin marketplace, Kiro Powers, Gemini Antigravity skills, npm package + vfa-export-agents CLI, and the third-party skills CLI — each with different versioning, trust, and scope characteristics. See docs/integrations/skills-cli.md for the full trust matrix, verified flag syntax, pinning guidance, and pre-install inspection steps.
npm install @raishin/vanguard-frontier-agentic@latest🖥️ Terminal UI (vfa-tui)
⚠️ Alpha — the TUI is functional but under active development.
An enterprise-grade terminal interface for interactive catalog browsing, validation gate execution, and export command building — built in Rust for speed and security by construction. Distributed as the vfa-tui crate.
Install (recommended — from crates.io):
cargo install vfa-tuiOr download a prebuilt binary (Linux / macOS / Windows, x86-64 + arm64) — each release attaches the binaries alongside their SBOM and checksums.sha256 — from the latest vfa-tui release.
Build from source (alternative):
cd tools/vfa-tui && cargo build --releaseRun (from the repo root — auto-detects workspace):
vfa-tui # installed via cargo or prebuilt binary
./tools/vfa-tui/target/release/vfa-tui # from a source buildKey features:
- 🗂️ Catalog browsing with fuzzy search across all agents, skills, and providers
- ✅ Validation gate execution with real-time progress and structured output
- 📦 Export command builder with platform/role/provider selection
- 🔐 Security by construction — no shell injection, no credential handling, no network access
🧠 Skills
623 skills across AWS, Azure, OCI, GCP, Alibaba Cloud, Huawei Cloud, Kubernetes, CNCF ecosystem, Terraform, marketing governance, and more.
| Domain | Count | What they cover | | ------------------ | ----: | ------------------------------------------------------------------------------------------------- | | 🟧 AWS | 47 | IAM, EKS, ECS, Lambda, RDS, S3, Cost, DevOps, Bedrock, Security, WAF reviews, Live Guards | | 🟥 OCI | 41 | ADB, OKE, IAM, Vault, Resource Manager, Cost, Networking, WAF reviews, Live Guards | | 🟩 GCP | 51 | GKE, BigQuery, Vertex AI, Cloud Run, AlloyDB, Firebase, Gemini API, WAF reviews, Live Guards | | 🟦 Azure | 36 | AKS, App Service, ARM/Bicep, Key Vault, PIM, Cost, Entra ID, CosmosDB, WAF reviews, Live Guards | | 🟠 Alibaba Cloud | 43 | ACK, ECS, PolarDB, MaxCompute, RAM, OSS, MLPS 2.0, WAF reviews, Live Guards | | 🔴 Huawei Cloud | 43 | CCE, GaussDB, ModelArts, DEW, SecMaster, OBS, MLPS 2.0, WAF reviews, Live Guards | | ☸️ Kubernetes | 10 | RBAC review, workload identity, PSA, live RBAC/admission/mesh/network/ArgoCD guards, maestro | | 🛡️ Kyverno | 1 | ClusterPolicy/Policy, PolicyException, failureAction, background scan | | 🔄 Argo CD | 2 | AppProject blast-radius, sync impersonation, RollingSync, sync-window | | 🕸️ Istio | 1 | Ambient mesh, ztunnel L4 vs waypoint L7, PeerAuthentication, mTLS posture | | 🐝 Cilium | 1 | CiliumNetworkPolicy, ClusterMesh trust, 169.254.169.254 egress, WireGuard encryption | | 📡 OpenTelemetry | 1 | Collector pipeline, memory_limiter, receiver exposure, exporter cardinality, credential handling | | 🟩 Terraform | 1 | IaC review and plan safety | | 📣 Marketing | 14 | Consent, pixel-leakage, martech access, GPC, email auth, ads.txt, targeting fairness, EU AI Act, audience uploads, list retention, influencer, dark patterns, analytics, maestro | | ☁️ Salesforce | 25 | Org assessment, metadata review, permissions audit, Flow automation, Apex/LWC code review, release readiness, integration, marketing consent, Agentforce risk review, zero-trust maturity, DevSecOps pipeline, SOQL generation, Apex generation and test generation, operational T1/T2 runtime skills | | Ⓜ️ Microsoft 365 / D365 | 38 | Maestro routing (microsoft/m365/d365/Power Platform/Copilot), Entra Zero Trust & Conditional Access, Microsoft 365 Copilot readiness, Purview data security & compliance, Defender XDR SecOps, Intune endpoints, Teams collaboration, Exchange/SharePoint information governance, tenant governance, backup/BCDR & data resilience, licensing/EA optimization, Dataverse/DLP security, Power Platform ALM, Power Automate risk review, Copilot Studio governance, Fabric/Power BI governance, Fabric data engineering, Fabric analytics engineering, D365 Success by Design, SoD, data migration/cutover, finance close-to-report, supply chain, field service, customer service, sales ops, Customer Insights – Journeys, F&O developer/extensions, dual-write integration, Project Operations, Commerce, value realization, live-guard identity posture + Dataverse security role (read-only-runtime, Phase A), live-guard Dataverse record field update + sensitivity label apply (mutating-runtime, Phase B) | | 🧱 Databricks (Azure) | 3 | Azure Databricks Unity Catalog governance (least-privilege grants, admin separation) + lakehouse engineering (medallion, managed-identity storage, cluster policies) — static review; + Unity Catalog schema-scoped grant guard (mutating-runtime live-guard, Phase B) | | ❄️ Snowflake (Azure) | 3 | Snowflake-on-Azure RBAC governance (SoD, ACCOUNTADMIN restriction, network policies) + data-platform engineering (Private Link, masking/row-access governance) — static review; + RBAC grant guard (mutating-runtime live-guard, Phase B) |
🛡️ Live Guard skills — stop before you break prod
Live-guard skills enforce approval gates and rollback posture for irreversible operations:
🟧 AWS (5):
aws-live-deployment-guarded-operator— approval-gated generic live deployment actions with account/region confirmationaws-live-iac-change-guard— CloudFormation/SAM/CDK/Terraform change set + drift + rollback posture enforcementaws-live-pipeline-approval-operator— CodePipeline approval gating with exact stage and approver scopeaws-live-serverless-release-guard— Lambda alias/canary/linear rollout with alarm + rollback requiredaws-live-ecs-rollout-guard— ECS/Fargate deployment circuit breaker, health check evidence, rollback path
🟩 GCP (6):
gcp-live-gke-rollout-guard— GKE deployment and node pool mutations, control-plane version gatinggcp-live-iam-policy-change-guard— IAM binding mutations, org policy changes, SA key creation — org-wide blast radiusgcp-live-kms-key-destruction-guard— Cloud KMS key version destruction — CMEK data permanently unrecoverablegcp-live-cost-budget-action-guard— budget thresholds, CUD commitments, quota increases — financial authority gategcp-live-bigquery-dataset-deletion-guard— dataset deletion, table truncation, authorized view changes — irreversible data lossgcp-live-cloud-run-traffic-migration-guard— Cloud Run revision traffic shifts, min-instances changes — production traffic blast radius
🟠 Alibaba Cloud (6):
alibaba-live-ack-rollout-guard— ACK deployment mutations, node pool scaling, cluster version upgradesalibaba-live-ram-policy-change-guard— RAM policy/role mutations — account-wide blast radius, privilege escalation riskalibaba-live-kms-key-mutation-guard— KMS key deletion/disable — encrypted data permanently inaccessiblealibaba-live-cost-budget-action-guard— budget threshold changes, Savings Plan purchases, RI commitments — financial authority gatealibaba-live-oss-bucket-policy-guard— OSS bucket ACL/policy changes — public exposure or China data-residency violationalibaba-live-rds-polardb-mutation-guard— RDS/PolarDB instance deletion, spec downgrade, backup policy removal — data loss risk
🔴 Huawei Cloud (6):
huawei-live-cce-rollout-guard— CCE deployment mutations, node pool upgrades, cluster version changeshuawei-live-iam-policy-change-guard— IAM policy/SCP mutations — account-wide blast radius, privilege escalationhuawei-live-kms-key-destruction-guard— DEW/KMS key deletion — CSMS secrets and DBSS-encrypted data permanently losthuawei-live-cost-budget-action-guard— budget threshold changes, RI purchases, CUD commitments — financial authority gatehuawei-live-obs-bucket-policy-guard— OBS bucket ACL/policy changes — public exposure or data residency violationhuawei-live-gaussdb-mutation-guard— GaussDB/RDS instance deletion, spec downgrade, backup policy changes — data loss
🟦 Azure (7):
azure-live-aks-rollout-guard— PDB audit, rollout pause/undo, post-rollout healthazure-live-arm-deployment-stack-guard— what-if evidence, denySettings, PIM-gated deleteazure-live-app-service-slot-swap-guard— sticky-setting audit, traffic shifting, swap-back pathazure-live-keyvault-rotation-purge-guard— rotation policy, soft-delete/purge-protection, PIM gateazure-live-pim-jit-activation-guard— eligible assignment audit, MFA gate, JIT revocationazure-live-cost-budget-action-guard— budget mutation, GPU SKU policy, quota read-onlyazure-live-entra-role-assignment-guard— permanent role assignment scope/principal audit, PIM-preference enforcement, Guest principal blocking
🟥 OCI (7):
oci-live-autonomous-db-lifecycle-guard— ADB scale/stop/clone/terminate with tag enforcementoci-live-oke-rollout-guard— DevOps pipeline approval, PDB audit, rollout pause/undooci-live-resource-manager-stack-guard— plan-before-apply, drift detection, job-lock enforcementoci-live-vault-key-destruction-guard— rotation vs. destruction separation, 7–30 day deletion windowoci-live-iam-policy-compartment-guard— MFA break-glass, dual-approval for tenancy-root changesoci-live-cost-budget-runaway-guard— 3-tier budget management, GPU shape gate, ONS alert routingoci-live-network-security-rule-guard— Security List/NSG rule capture, 0.0.0.0/0 detection, DB-subnet criticality, Path Analyzer gate
☸️ Kubernetes (5):
kubernetes-live-rbac-mutation-guard— escalate/bind/impersonate verb detection, wildcard blocking, pre-mutation state capture, rollback via YAML backupkubernetes-live-admission-policy-guard— Kyverno/VAP mutation blast-radius, failureAction enforcement, PolicyException scope validationkubernetes-live-mesh-policy-guard— Istio AuthorizationPolicy/PeerAuthentication traffic impact, PERMISSIVE→STRICT migration gatingkubernetes-live-network-policy-guard— CiliumNetworkPolicy/NetworkPolicy connectivity impact, metadata service egress blockingkubernetes-live-argocd-sync-guard— AppProject blast-radius, sync impersonation identity review, sync-window change gating
Sample skills
- 🔐
skills/aws/aws-iam-least-privilege-review— Review AWS IAM policies and reduce unnecessary access. - 🟦
skills/azure/azure-rbac-review— Review Azure RBAC assignments, scopes, and custom roles. - 🟥
skills/oci/oci-autonomous-database-architect— Design and review Oracle Autonomous Database across OCI and multicloud options. - 🟩
skills/gcp/gcp-gke-platform-operator— GKE Standard/Autopilot design with Day-0/Day-1 decisions, Workload Identity, and AI inference quickstart. - 🟠
skills/alibaba/alibaba-china-compliance— MLPS 2.0, DSL, PIPL, and ICP filing compliance review for workloads in Alibaba Cloud China regions. - 🔴
skills/huawei/huawei-secmaster-security-operations— Huawei SecMaster SIEM/SOAR, HSS, CFW, WAF posture hardening and incident triage. - 💰
skills/finops/finops-cloud-price-advisor— Fetch live prices from AWS, Azure, and OCI public pricing APIs; estimate costs for live environments or prototypes. - 📣
skills/marketing/marketing-pixel-data-leakage-review— Review advertising pixels and event tracking for PII/PHI leakage to ad networks.
Rule of thumb: if the asset teaches how to do a repeatable task, it is a skill.
🤖 Agents
600 agents matching the skill catalog — agents ship harness adapters and a hardened permission model.
| Provider | Count | Specialisations |
| ------------------ | ----: | ----------------------------------------------------------------------------------- |
| 🟩 GCP | 51 | advisory, live-guard operators, maestro router |
| 🟧 AWS | 47 | advisory, execution, live-guard operators |
| 🟠 Alibaba Cloud | 43 | advisory, live-guard operators, maestro router |
| 🔴 Huawei Cloud | 43 | advisory, live-guard operators, maestro router |
| 🟥 OCI | 39 | advisory, live-guard operators |
| 🟦 Azure | 36 | advisory, live-guard operators |
| ☸️ Kubernetes | 15 | RBAC review, workload identity, PSA, 5 live-guard operators, maestro router |
| ☁️ OVHcloud | 6 | advisory, live KMS guard, maestro router |
| 🌐 IONOS Cloud | 6 | advisory, live DB lifecycle guard, maestro router |
| 🇫🇷 Scaleway | 6 | advisory, live Kapsule rollout guard, maestro router |
| 🇩🇪 Hetzner Cloud | 6 | advisory, live firewall + server lifecycle guards, maestro router |
| 💰 Contabo | 6 | advisory, live instance + storage guards, maestro router |
| 🛡️ Kyverno | 1 | Admission policy review |
| 🔄 Argo CD | 2 | GitOps review, live sync guard |
| 🕸️ Istio | 1 | Ambient mesh review |
| 🐝 Cilium | 1 | Network policy review |
| 📡 OpenTelemetry | 1 | Collector config review |
| 💡 Backstage | 1 | IDP scaffolder review |
| 🔐 cert-manager | 1 | PKI certificate lifecycle review |
| 🦅 Falco | 1 | runtime threat detection review |
| 🔁 Flux CD | 1 | GitOps Kustomization/HelmRelease review |
| 📊 Prometheus | 1 | alerting and cardinality review |
| 🔏 Sigstore | 1 | supply-chain security review |
| 🟩 Terraform | 2 | IaC review, maestro |
| 💸 FinOps | 4 | cross-cloud price advisor + experimental cost/economics agents |
| 🟣 .NET | 10 | C#/runtime, ASP.NET Core API & identity, EF Core data access, testing, NuGet supply chain, performance/AOT, OpenTelemetry, Aspire — static-review specialists + maestro router |
| 🟤 NVIDIA | 12 | CUDA/GPU infrastructure, TensorRT/TensorRT-LLM, Triton serving, NeMo/NIM generative AI, agentic-AI platform, NGC supply chain, AI networking fabric, day-2 operations, GPU Operator on Kubernetes, model promotion gatekeeper — advisory + live-runtime gate + maestro router |
| 📣 Marketing | 14 | 13 governance review agents + maestro router |
| ⚖️ Legal | 13 | contract review, employment law risk, privacy & data protection, regulatory compliance, IP & open source, litigation & discovery hold, ethics & investigations, vendor/procurement risk, policy governance, public disclosure, counsel review, knowledge management |
| 👥 HR | 15 | employee relations, workplace investigations, performance management, compensation & equity, benefits & payroll, recruiting & selection, workforce planning & RIF, leave & accommodation, learning policy, culture & DEI, people analytics, HRIS process controls, termination readiness, risk triage |
| 🧪 QA | 10 | Playwright E2E review + execution, flakiness triage, coverage quality, CI test pipeline review, PLC control-logic safety, RPA workflow resilience — static-review + opt-in execution |
| ☁️ Salesforce | 30 | 20 Wave 1 domain specialists (admin, dev, security, integration, Sales/Service/Marketing/Industry clouds, Agentforce, analytics, compliance) + 10 Wave 3 infrastructure security + DevSecOps agents — maestro router + live-guard authority gate |
| Ⓜ️ Microsoft 365 / D365 | 40 | 5 maestro routers (microsoft, m365, d365, Power Platform, Copilot governance) + 31 static-review specialists + 2 read-only-runtime live-guards (Phase A: identity posture, Dataverse security role) + 2 mutating-runtime live-guards (Phase B: Dataverse record field update, sensitivity label apply) across M365 (Entra identity/Zero Trust, Copilot readiness, Purview data security & compliance, Defender XDR SecOps, Intune endpoints, Teams collaboration, Exchange/SharePoint information governance, tenant governance, backup/BCDR & data resilience, licensing/EA optimization), Power Platform (Dataverse security, ALM pipelines, automation risk, Copilot Studio governance), Fabric/Power BI (governance, data engineering, analytics engineering), D365 (Success by Design, SoD, data migration/cutover, finance, supply chain, field service, customer service, sales, Customer Insights – Journeys, F&O developer/extensions, dual-write integration, Project Operations, Commerce, value realization), and live-guard runtime (Phase A: identity posture, Dataverse security role; Phase B: Dataverse record field update guard, sensitivity label apply guard) |
| 🧱 Databricks (Azure) | 3 | 2 static-review specialists (Phase A): Unity Catalog governance (metastore→catalog→schema→table, least-privilege grants, account/workspace/metastore admin separation, run-as-service-principal) + lakehouse engineering (medallion architecture, ADLS Gen2 via Access Connector managed identity, cluster policies, AKV-backed secret scopes, VNet/Private Link); + 1 mutating-runtime live-guard (Phase B): Unity Catalog schema-scoped grant guard (single GRANT to one principal, REVOKE rollback, written approval token + PREFLIGHT required) |
| ❄️ Snowflake (Azure) | 3 | 2 static-review specialists (Phase A): RBAC governance (ACCOUNTADMIN/SECURITYADMIN/SYSADMIN separation, custom least-privilege roles, SoD, network policies, Entra OAuth/SSO/SCIM) + data-platform engineering (warehouses, Azure Private Link, storage integration to ADLS Gen2/Blob, dynamic masking/row-access/tagging, ACCESS_HISTORY); + 1 mutating-runtime live-guard (Phase B): Snowflake RBAC grant guard (single GRANT to one grantee, REVOKE rollback, written approval token + PREFLIGHT required, ACCOUNTADMIN/SECURITYADMIN/SYSADMIN escalation denied) |
| 🔗 Cross-functional skills | 3 | legal-hr-routing-protocol, legal-hr-case-capsule, legal-hr-risk-taxonomy (protocol skills, not agents) |
⚖️ The Legal + HR cross-functional agentic ecosystem
Beyond cloud and platform agents, Vanguard Frontier ships a 28-agent cross-functional Legal + HR ecosystem plus 3 cross-functional protocol skills — proof that agentic coordination works across organizational boundaries, not just inside one cloud account.
Every Legal and HR agent is escalation-aware (knows when a matter must go to privileged counsel or a human owner), privacy-preserving (minimizes personal and sensitive data in every handoff), and audit-ready (emits the same structured verdict shape as the cloud live-guard agents). These agents advise on process and risk posture — they do not replace licensed legal counsel or qualified HR professionals, and they say so.
🟣 The .NET application review board
.NET is a free, cross-platform, open-source developer platform — runtime, libraries, and languages (C# is the most popular) — with ASP.NET Core as its lean, modular framework for modern cloud-based web services and EF Core as its lightweight, extensible data-access layer. The board is a dotnet-maestro router plus nine static-review specialists covering C#/runtime correctness, ASP.NET Core API architecture, identity and authorization, EF Core data access, test quality, CI/NuGet supply chain, performance/AOT/trimming, in-app OpenTelemetry wiring, and .NET Aspire cloud-native readiness — every agent reads source and sanitized configuration only and never builds, runs, migrates, or contacts a live system. These agents use provider: generic with a dotnet- ID prefix because .NET is a language/runtime, not a cloud provider — mirroring the existing non-cloud boards.
Ⓜ️ The Microsoft 365 / Dynamics 365 board
A maestro-routed board for the Microsoft business cloud (M365, Dynamics 365, Power Platform, and Copilot) — the SaaS surface, distinct from Azure infrastructure. A top-level microsoft-maestro routes to four sub-maestros (m365, d365, power-platform, copilot-governance) and refuses Azure-IaaS / cross-cloud work, deflecting it to the Azure/AWS/GCP maestros. Under them sit 31 static-review specialists + 2 read-only-runtime live-guards (Phase A) + 2 mutating-runtime live-guards (Phase B) organized into categories:
- M365 — identity & Copilot: Entra Conditional Access / Zero Trust and Microsoft 365 Copilot readiness & data-exposure governance (the Copilot Zero Trust 7-layer / oversharing model).
- Power Platform & Copilot Studio: environment + DLP + Dataverse security, ALM pipelines, automation (Power Automate) risk review, and Copilot Studio agent governance / ALM.
- Analytics: Microsoft Fabric / Power BI semantic-model trust, RLS/OLS, and workspace governance.
- Dynamics 365: Success by Design implementation governance, Finance & Operations segregation-of-duties, data migration & cutover, finance close-to-report, supply chain plan-to-produce, field service-to-cash, customer service & contact center, sales revenue operations, and license-to-value realization.
Static-review agents produce no tenant mutations; every verdict requires explicit human approval. The board also ships Phase A read-only-runtime live-guards (m365-live-identity-posture-guard-agent, d365-live-security-role-guard-agent) that read live tenant state without writing, and Phase B mutating-runtime live-guards (d365-live-record-field-update-guard-agent, m365-live-sensitivity-label-apply-guard-agent) that execute exactly one controlled WRITE operation (a named Dataverse field PATCH or a Graph sensitivity-label assignment to one driveItem) only after a written approval token, PREFLIGHT dry-run, and inverse-rollback path are confirmed — bulk edits, DELETE, ownerid/security-role fields, label-policy writes, and broad directory permissions are unconditionally denied. The board is grounded on Microsoft Learn and ships alongside 15 cross-functional protocol skills (provider: generic, recommendation-only) that orchestrate it across business processes — lead-to-cash, procure-to-pay, close-to-report, copilot-data-readiness, erp-crm-cutover, identity-to-data-access, and more.
Every agent ships:
- 📄
AGENT.md— harness-neutral contract with guarded response shape - 🗂️
metadata.json— schema-validated catalog entry - 🔌 Harness adapters — claude-code + codex (EU providers); all 7 adapters for established providers
agents/
├── accounting/ (14 agents — maestro + corporate accounting specialists: revenue recognition (ASC 606/IFRS 15), close cycle, consolidation/intercompany, fixed assets, lease accounting (ASC 842), hedge accounting, FX translation, tax provision, payroll, procure-to-pay, equity compensation, indirect tax/e-invoicing, business combinations — all advisory, no ledger writes)
├── alibaba/ (43 agents — advisory, live-guard operators, maestro)
├── argocd/ (2 agents — GitOps review, live sync guard)
├── aws/ (47 agents — advisory, execution, live-guard operators)
├── azure/ (36 agents — advisory, live-guard operators)
├── backstage/ (1 agent — IDP scaffolder review)
├── cert-manager/ (1 agent — PKI certificate lifecycle review)
├── cilium/ (1 agent — network policy review)
├── contabo/ (6 agents — advisory, live instance + storage guards, maestro)
├── databricks/ (3 agents — Azure Databricks: Unity Catalog governance + lakehouse engineering — static review, -at-azure; + Unity Catalog schema-scoped grant guard — mutating-runtime live-guard, Phase B)
├── dotnet/ (10 agents — C#/runtime, ASP.NET Core, EF Core, testing, NuGet supply chain, performance/AOT, OpenTelemetry, Aspire — maestro + 9 specialists)
├── falco/ (1 agent — runtime threat detection review)
├── finance/ (8 agents — maestro + corporate finance specialists: variance analysis, FP&A forecasting, treasury/liquidity, working capital, debt/capital structure, capital allocation, transfer pricing/Pillar Two — all advisory, no ERP writes)
├── finops/ (4 agents — cross-cloud price advisor + experimental cost/economics agents)
├── fluxcd/ (1 agent — GitOps Kustomization/HelmRelease review)
├── frontend/ (35 agents — React/Next.js/Angular/Vue/Svelte specialists, web-platform + cross-cutting review roles, board-chair + enterprise red-team + maestro — all static-review, no build/deploy/credentials)
├── gcp/ (51 agents — advisory, live-guard operators, maestro)
├── hetzner/ (6 agents — advisory, live firewall + server lifecycle guards, maestro)
├── hr/ (15 agents — employee relations, investigations, performance, compensation, benefits, recruiting, workforce planning, learning, culture & DEI, analytics, HRIS, termination readiness, maestro)
├── huawei/ (43 agents — advisory, live-guard operators, maestro)
├── ionos/ (6 agents — advisory, live DB lifecycle guard, maestro)
├── istio/ (1 agent — ambient mesh review)
├── kubernetes/ (15 agents — RBAC, workload identity, PSA, pod-spec, ESO, Kubecost, live-guards, maestro)
├── kyverno/ (1 agent — admission policy review)
├── legal/ (13 agents — contract review, employment law, privacy & data protection, regulatory compliance, IP & open source, litigation hold, ethics & investigations, vendor risk, policy governance, public disclosure, counsel review, knowledge management)
├── marketing/ (14 agents — 13 governance review agents + maestro router)
├── microsoft/ (40 agents — Microsoft 365 / Dynamics 365 / Power Platform / Copilot — microsoft maestro + m365/d365/power-platform/copilot-governance sub-maestros, plus 31 static-review specialists: Entra Zero Trust, Copilot readiness, Purview data security & compliance, Defender XDR SecOps, Intune endpoints, Teams collaboration, Exchange/SharePoint information governance, tenant governance, backup/BCDR & data resilience, licensing/EA optimization, Dataverse/DLP security, Power Platform ALM, Power Automate risk, Copilot Studio governance, Fabric/Power BI governance, Fabric data engineering, Fabric analytics engineering, D365 Success by Design, SoD, data migration/cutover, finance, supply chain, field service, customer service, sales, Customer Insights – Journeys, F&O developer/extensions, dual-write integration, Project Operations, Commerce, value realization — all static-review, live-guard-gated; +2 read-only-runtime live-guard agents (Phase A): identity posture, Dataverse security role; +2 mutating-runtime live-guard agents (Phase B): Dataverse record field update guard, sensitivity label apply guard)
├── netsuite/ (25 agents — Oracle NetSuite ERP — maestro router, live-org mutation guard, evidence/release-drift + enterprise-architecture + SOX audit governance, plus 20 domain specialists: financial foundations, SuiteScript secure code review, SDF DevOps, OneWorld multi-subsidiary, identity/RBAC, OAuth/TBA/SSO, AI Connector/MCP, data governance, integration migration, and more — all static-review tier)
├── nvidia/ (12 agents — GPU infrastructure, TensorRT/TensorRT-LLM, Triton serving, NeMo/NIM, agentic AI, NGC supply chain, AI networking, day-2 ops, GPU Operator on Kubernetes, model promotion gatekeeper — maestro + advisory + live-runtime gate)
├── oci/ (39 agents — advisory, live-guard operators)
├── opentelemetry/ (1 agent — collector config review)
├── ovhcloud/ (6 agents — advisory, live KMS guard, maestro)
├── prometheus/ (1 agent — alerting and cardinality review)
├── qa/ (10 agents — Playwright E2E review + execution, flakiness triage, coverage quality, CI pipeline review, PLC control-logic safety, RPA workflow resilience)
├── salesforce/ (30 agents — 20 Wave 1 domain specialists + 10 Wave 3 infrastructure security/DevSecOps agents, maestro router, live-guard authority gate)
├── scaleway/ (6 agents — advisory, live Kapsule rollout guard, maestro)
├── snowflake/ (3 agents — Snowflake on Azure: RBAC governance + data-platform engineering — static review, -at-azure; + RBAC grant guard — mutating-runtime live-guard, Phase B)
├── sigstore/ (1 agent — supply-chain security review)
└── terraform/ (2 agents — IaC review, maestro)Example:
- 🧱
agents/terraform/terraform-reviewer— Review Terraform modules, plans, provider usage, and state assumptions.
Use an agent when you need a role with judgment, not just a checklist.
📦 Install Reference
Everything you can install, and exactly how to install it. One section, no hunting.
🧭 How to pick what to install
🙋 I know my job function → use --role
🎯 I know the specific agent I want → use --agents
☁️ I work on one cloud provider only → add --provider to either of the above
💥 I want everything for a platform → use --all
🔍 I don't know what exists yet → use --list or --list-roles first🏷️ Argument reference
| Argument | Values | Required | Description |
| -------------- | ----------------------------------------------------- | --------------------------------------- | ---------------------------------------------------- |
| --platform | see table below | ✅ yes (except --list, --list-roles) | Target AI harness |
| --role | see role table below | pick one ↓ | Install all agents for a job role |
| --agents | comma-separated agent IDs | pick one ↓ | Install specific agents by ID |
| --all | — | pick one ↓ | Install every agent for the platform |
| --provider | aws azure oci gcp alibaba huawei ovhcloud ionos scaleway hetzner contabo kubernetes terraform finops kyverno argocd istio cilium opentelemetry | ➕ optional | Narrow --role results to one provider |
| --repo | path | ➕ optional | Target repo root (defaults to current directory) |
| --force | — | ➕ optional | Overwrite files that already exist |
| --list | — | 🔍 standalone | Print all agent IDs, providers, and names; then exit |
| --list-roles | — | 🔍 standalone | Print role IDs with agent counts; then exit |
| --list-providers | — | 🔍 standalone | List all providers with agent counts; then exit |
| --dry-run | — | ➕ optional | Print the export plan without writing files |
| --no-skills | — | ➕ optional | Skip companion skill bundling |
🖥️ Platform reference
Each platform writes agent files to a different folder in your repo.
| --platform value | AI harness | Installs into |
| ------------------ | -------------------------------- | ----------------- |
| claude-code | 🤖 Claude Code (Anthropic) | .claude/agents/ |
| codex | ⚡ Codex CLI (OpenAI) | .codex/agents/ |
| copilot | 🐙 GitHub Copilot / VS Code | .github/agents/ |
| cursor | 🖱️ Cursor | .cursor/agents/ |
| gemini | ♊ Gemini CLI (Google) | .gemini/agents/ |
| kiro | 🔮 Kiro — both IDE + CLI adapters | .kiro/agents/ |
| kiro-ide | 🔮 Kiro IDE only | .kiro/agents/ |
| kiro-cli | 🔮 Kiro CLI only | .kiro/agents/ |
ℹ️ The exporter installs agent files only. It does not write repo-level guidance files (
CLAUDE.md,AGENTS.md,.github/copilot-instructions.md, etc.). Seedocs/normalized-platform-matrix.md.
👤 Role reference
A role installs the curated set of agents a practitioner in that job function needs, across all cloud providers. Roles overlap intentionally — one agent may appear in multiple roles.
| --role value | 👤 Who it is for | 🔢 Agents | ☁️ What it covers |
| -------------------------------------------- | ------------------------------------------------------------------------ | -------: | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| cloud-security-engineer | 🔐 Security engineers, compliance teams, IAM owners | 51 | IAM/RBAC review, secrets lifecycle, identity governance, live guards for access and key mutations — AWS · Azure · OCI · GCP · Alibaba · Huawei · OVHcloud · Scaleway · Contabo · K8s |
| cloud-platform-engineer | 🏗️ Infrastructure/SRE, IaC owners, Kubernetes platform teams | 58 | IaC safety review, container platform operators, networking, landing zones, live deployment guards — AWS · Azure · OCI · GCP · Alibaba · Huawei · EU providers · Terraform |
| cloud-dba | 🗄️ Database administrators, data platform engineers | 20 | RDS/Aurora, DynamoDB, CosmosDB, OCI Autonomous/Exadata/MySQL HeatWave, IONOS DBaaS, replication, live DB lifecycle guards |
| cloud-finops-analyst | 💰 FinOps leads, cost governance teams | 25 | Cost optimization governors, anomaly watch, budget runaway guards, capacity planning — AWS · Azure · OCI · GCP · Alibaba · Huawei · EU providers |
| cloud-solutions-architect | 🏛️ Cloud architects, migration leads, AI/generative engineers | 38 | Solution architecture, migration cutover, resilience/BCDR, event-driven design, multi-cloud, AI/generative — AWS · Azure · OCI · GCP · Alibaba · Huawei |
| cloud-devops-engineer | 🚀 CI/CD engineers, release managers, SRE ops | 49 | CI/CD, pipeline approval gates, live rollout guards, deployment hotfix operators, serverless readiness, observability — AWS · Azure · OCI · GCP · Alibaba · Huawei |
| kubernetes-admission-security-engineer | 🛡️ Platform security, policy engineers, admission control owners | 6 | Kyverno policy review, K8s workload identity, PSA profiles, live admission-policy guard, live RBAC guard |
| kubernetes-network-engineer | 🐝 Network engineers, platform SREs, zero-trust mesh owners | 5 | Cilium/NetworkPolicy review, Istio ambient mesh review, live network-policy and mesh-policy guards |
| kubernetes-application-platform-engineer | 🔄 Platform engineers, GitOps owners, ArgoCD operators | 3 | Argo CD GitOps review, live ArgoCD sync guard, kubernetes-maestro router |
| kubernetes-runtime-security-engineer | 🔍 Runtime security, observability, and threat detection engineers | 6 | Falco threat rules, Sigstore supply chain, K8s workload identity, RBAC review, pod-spec review, live RBAC guard |
| kubernetes-pki-engineer | 🔐 PKI/cert lifecycle engineers, secrets management owners | 6 | cert-manager Issuer/ClusterIssuer, CertificateRequestPolicy gap, ESO scope, AWS Private CA, Azure KV cert, OCI Certificates |
| kubernetes-observability-engineer | 📊 SRE observability engineers, FinOps cost analysts | 4 | Prometheus alerting/cardinality, OTEL Collector pipeline, Kubecost chargeback/allocation, maestro router |
| kubernetes-supply-chain-security-engineer | 🔏 Supply chain security engineers, DevSecOps practitioners | 7 | Sigstore/Cosign, Falco runtime rules, Kyverno admission policy, PSA hardening, pod-spec review, live admission guard |
| kubernetes-developer-platform-engineer | 🎭 IDP/platform engineers, GitOps owners, developer experience leads | 6 | Backstage Scaffolder templates, Argo CD, Argo Rollouts progressive delivery, FluxCD Kustomization/HelmRelease, maestro router |
| kubernetes-disaster-recovery-engineer | 💾 SRE disaster recovery engineers, backup and restore owners | 2 | Velero live-guarded restore operations with pre-restore checklist, maestro router |
# 🔍 See exactly which roles exist and how many agents each has
npx vfa-export-agents --list-roles
# 📦 Install a cloud role
npx vfa-export-agents --platform claude-code --role cloud-security-engineer --repo .
# ☁️ Install a cloud role but only for one provider
npx vfa-export-agents --platform claude-code --role cloud-security-engineer --provider azure --repo .
# ☸️ Install a Kubernetes specialist role
npx vfa-export-agents --platform claude-code --role kubernetes-admission-security-engineer --repo .
npx vfa-export-agents --platform claude-code --role kubernetes-network-engineer --repo .☁️ Provider reference
Use --provider with --role to narrow the install to one cloud.
| --provider value | Domain | 🔢 Agents in catalog |
| ------------------- | ---------------------------------------- | ------------------: |
| aws | 🟧 Amazon Web Services | 47 |
| azure | 🟦 Microsoft Azure | 36 |
| oci | 🟥 Oracle Cloud Infrastructure | 39 |
| gcp | 🟩 Google Cloud Platform | 51 |
| alibaba | 🟠 Alibaba Cloud | 43 |
| huawei | 🔴 Huawei Cloud | 43 |
| ovhcloud | ☁️ OVHcloud | 6 |
| ionos | 🌐 IONOS Cloud | 6 |
| scaleway | 🇫🇷 Scaleway | 6 |
| hetzner | 🇩🇪 Hetzner Cloud | 6 |
| contabo | 💰 Contabo | 6 |
| kubernetes | ☸️ Kubernetes (cross-cloud) | 15 |
| kyverno | 🛡️ Kyverno (admission policy) | 1 |
| argocd | 🔄 Argo CD + Argo Rollouts (GitOps) | 2 |
| istio | 🕸️ Istio (service mesh) | 1 |
| cilium | 🐝 Cilium (network policy) | 1 |
| opentelemetry | 📡 OpenTelemetry (observability) | 1 |
| terraform | 🟩 Terraform (cross-cloud) | 2 |
| multi-cloud | 💰 FinOps / multi-cloud | 1 |
| prometheus | 📊 Prometheus (alerting + cardinality) | 1 |
| falco | 🦅 Falco (runtime threat detection) | 1 |
| sigstore | 🔏 Sigstore / Cosign (supply chain) | 1 |
| cert-manager | 🔐 cert-manager (PKI / cert lifecycle) | 1 |
| fluxcd | 🔄 FluxCD (GitOps) | 1 |
| backstage | 🎭 Backstage (IDP / developer platform) | 1 |
| velero | 💾 Velero (backup + restore) | 1 |
| marketing | 📣 Marketing governance (consent, pixel, access, AI, deliverability) | 14 |
# 🟥 Install every OCI agent for a cloud-platform-engineer (OCI-only team)
npx vfa-export-agents --platform codex --role cloud-platform-engineer --provider oci --repo .
# 🟦 Install every Azure agent for a cloud-devops-engineer
npx vfa-export-agents --platform copilot --role cloud-devops-engineer --provider azure --repo .🎯 Common install scenarios
| 🙋 I want to… | Command |
| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| 🔍 See what agents exist | npx vfa-export-agents --list |
| 🔍 See what roles exist | npx vfa-export-agents --list-roles |
| 🔍 See what providers exist | npx vfa-export-agents --list-providers |
| 👤 Install for my job role (Claude Code) | npx vfa-export-agents --platform claude-code --role <role> --repo . |
| ☁️ Install for my job role, one cloud only | npx vfa-export-agents --platform claude-code --role <role> --provider aws --repo . |
| ☸️ Install K8s admission security role | npx vfa-export-agents --platform claude-code --role kubernetes-admission-security-engineer --repo . |
| 🐝 Install K8s network engineering role | npx vfa-export-agents --platform claude-code --role kubernetes-network-engineer --repo . |
| 🧭 Install the Kubernetes maestro router only | npx vfa-export-agents --platform claude-code --agents kubernetes-maestro-agent --repo . |
| 🎯 Install one specific agent | npx vfa-export-agents --platform claude-code --agents kubernetes-rbac-review-agent --repo .
