Loading repository data…
Loading repository data…
23seriy / repository
Curated collection of AI-agent workflows, prompts & rules for DevOps/SRE — Kubernetes debugging, AWS audits, Terraform plan reviews, CI/CD triage, Dockerfile reviews, secrets scanning & incident response. Works with Windsurf, Cursor, Claude Code or any LLM.
A transparent discovery signal based on current public GitHub metadata.
This score does not audit code, security, maintainers, documentation quality, or suitability. Verify the repository and its current documentation before adoption.
A growing collection of AI-agent workflows, prompts, and rules for day-to-day DevOps / SRE / platform work.
Note: "workflows" here means Claude Code slash commands / AI-agent workflows — not GitHub Actions.
| Folder | Purpose | Audience |
|---|---|---|
.claude/commands/ | Workflow definitions, auto-discovered as slash commands by Claude Code. | Everyone |
.claude/agents/ | Repo-maintenance subagents (e.g. workflow-author) invoked via the Agent tool. | Maintainers |
.claude/settings.json | Shared project settings: pre-approved read-only Bash(...) patterns + a deny list that blocks cluster/cloud mutations even if a workflow tries. | Claude Code users |
prompts/ | Reusable system / task prompts (incident triage, code review, post-mortem, etc.) | Any LLM |
rules/ | Reusable safety rule sets to load into Claude Code (via CLAUDE.md @-reference) or any other agent | Any agent |
scripts/ | Standalone shell scripts referenced by workflows | Anyone with a shell |
| Workflow | Slash command | Description | Prerequisites |
|---|---|---|---|
| k8s-debug | /k8s-debug | General-purpose, read-only cluster diagnostics across nodes, pods, workloads, networking, storage, RBAC, events, and resource pressure. | kubectl. Optional: , metrics-server. |
jq| k8s-workload-debug | /k8s-workload-debug | Deep-dive on a single Deployment / StatefulSet / DaemonSet / Job / Pod: rollout, spec, probes, resources, logs, networking, storage, config. | kubectl. Optional: jq, metrics-server. |
| k8s-rbac-audit | /k8s-rbac-audit | RBAC risk audit — wildcards, cluster-admin bindings, risky verb/resource combos, over-privileged ServiceAccounts, anonymous access. | kubectl, jq. Optional: kubectl-who-can. |
| k8s-cost-hotspots | /k8s-cost-hotspots | Find waste: over-provisioned workloads, missing requests/limits, idle workloads, orphan PVCs/PVs, idle LoadBalancers. | kubectl, jq, metrics-server. |
| k8s-upgrade-readiness | /k8s-upgrade-readiness | Pre-flight before a control-plane / node upgrade: deprecated APIs, version skew, PDB gaps, expiring certs, broken webhooks. | kubectl. Optional: kubent or pluto, helm. |
| k8s-storage-debug | /k8s-storage-debug | Diagnose Kubernetes storage issues top-down: pod → PVC → PV → StorageClass → CSI driver → node disk pressure. Read-only, generates a markdown report. | kubectl. Optional: jq. |
| helm-release-debug | /helm-release-debug | Diagnose a stuck or failed Helm release: history, values diff, hook failures, rendered manifest vs cluster, workload health. | helm v3, kubectl. Optional: jq, yq. |
| helm-chart-review | /helm-chart-review | Review a Helm chart for security, reliability, and best practices: resource specs, probes, security context, PDBs, anti-affinity, RBAC. | Helm chart source. Optional: helm CLI. |
| Workflow | Slash command | Description | Prerequisites |
|---|---|---|---|
| aws-account-audit | /aws-account-audit | Read-only AWS account security & hygiene audit: IAM, S3, EC2, RDS, CloudTrail, encryption, GuardDuty, SecurityHub. | aws CLI. Optional: jq. |
| aws-cost-quickscan | /aws-cost-quickscan | Find AWS cost waste: idle EC2/RDS, unattached EBS, old snapshots, expensive log groups, NAT data processing, missing Savings Plans. | aws CLI, Cost Explorer enabled. Optional: jq. |
| aws-vpc-debug | /aws-vpc-debug | Diagnose VPC connectivity: trace path across SGs, NACLs, route tables, NAT/IGW/TGW, VPC endpoints, DNS, and flow logs. | aws CLI. Optional: jq, dig. |
| aws-iam-policy-review | /aws-iam-policy-review | Explain an IAM policy and flag risks: admin-equivalent access, privilege escalation paths, wildcard actions, missing conditions. | aws CLI. Optional: jq. |
| aws-eks-debug | /aws-eks-debug | Read-only EKS diagnostics: cluster health, node groups, OIDC/IRSA, add-ons, VPC CNI networking, control-plane logging, version skew, and IAM access. | aws CLI. Optional: kubectl, jq. |
| aws-rds-health | /aws-rds-health | Read-only RDS/Aurora diagnostics: instance health, events, storage/I/O metrics, parameter groups, replication lag, backups, and security posture. | aws CLI. Optional: jq. |
| aws-lambda-debug | /aws-lambda-debug | Read-only Lambda diagnostics: errors, throttles, duration percentiles, cold starts, DLQ, VPC/ENI, concurrency, event source mappings, layers, and IAM role. | aws CLI. Optional: jq. |
| Workflow | Slash command | Description | Prerequisites |
|---|---|---|---|
| terraform-plan-review | /terraform-plan-review | Explain a Terraform plan and flag risky changes: destroys, replacements, security group mutations, IAM changes, blast radius. | terraform plan output. Optional: terraform CLI, jq. |
| Workflow | Slash command | Description | Prerequisites |
|---|---|---|---|
| ci-debug | /ci-debug | Diagnose a failing CI/CD pipeline: parse build logs from Jenkins, GitHub Actions, GitLab CI, or Bitbucket Pipelines. Root cause analysis and fix suggestions. | Build log output. Optional: repo source, CI config file. |
| jenkins-pipeline-review | /jenkins-pipeline-review | Review Jenkinsfile / shared-library Groovy for security risks, anti-patterns, missing error handling, credential leaks, CPS issues, and build config cross-references. | Jenkinsfile(s) or vars/*.groovy. Optional: repositories_v2.json. |
| release-checklist | /release-checklist | Pre-release safety gate: scope, deploy order, rollback, tests, monitoring, and communication before production release. | PR/diff summary. Optional: test results, plans, diffs. |
| dockerfile-review | /dockerfile-review | Review Dockerfiles for security, size, caching, and best practices. Flags CVE-prone bases, leaked secrets, missing health checks. | Dockerfile(s). Optional: docker, trivy. |
| Workflow | Slash command | Description | Prerequisites |
|---|---|---|---|
| secrets-leak-scan | /secrets-leak-scan | Scan git repo history for leaked secrets: API keys, passwords, tokens, private keys. Uses gitleaks, trufflehog, or regex fallback. | Git repo. Optional: gitleaks, trufflehog. |
| repo-health | /repo-health | Audit repository hygiene: README, license, CI, branch/release hygiene, tracked secrets, ownership, and automation gaps. | Local git repo. Optional: gh, jq. |
| Workflow | Slash command | Description | Prerequisites |
|---|---|---|---|
| incident-triage | /incident-triage | Guided first 15 minutes of a production incident: timeline, blast radius, evidence gathering, mitigation suggestions. | Access to affected environment. |
| Workflow | Slash command | Description | Prerequisites |
|---|---|---|---|
| jira-my-tasks | /jira-my-tasks | Fetch your open Jira issues (not Done) and save a timestamped markdown snapshot to ~/src/my_tasks/YYYY-MM-DD-HHMM.md. Grouped by In Progress / Ready for Testing / Backlog. | curl, python3. ~/.jira-credentials with API token. |
More on the way — see Roadmap.
Reusable system prompts you can paste into any AI agent for common DevOps tasks:
| Prompt | What it does |
|---|---|
| incident-commander | Puts the AI in incident-commander mode: timeline, blast radius, action tracking, status updates. |
| postmortem-writer | Generates a blameless post-mortem from incident notes: timeline, root cause, impact, action items. |
| code-review-devops | Reviews IaC / pipeline / Docker / K8s code with a security-first DevOps lens. |
| pr-description | Generates a PR description from a diff: what, why, how, testing, risk, rollback plan. |
| explain-like-a-senior | Explains infrastructure code to junior engineers: what it does, why, gotchas, and how it fits together. |
| runbook-from-incident | Converts incident notes or post-mortems into reusable runbooks with diagnosis, mitigation, escalation, and follow-up steps. |
Reusable, agent-agnostic safety rule sets. Reference them from a project's CLAUDE.md (e.g. @rules/kubernetes.md), paste into a system prompt, or include as context:
| Rule file | What it does |
|---|---|
| devops-agent.md | Safety guardrails for AI in DevOps repos: never modify prod without confirmation, prefer read-only, never hardcode secrets, always check context, GitOps awareness, multi-repo coordination. |
| terraform.md | Terraform-specific: state safety, ForceNew attribute warnings, provider/module pinning, workspace safety, import workflow, prevent_destroy reminders. |
| kubernetes.md | Kubernetes-specific: context verification, dry-run first, Helm safety, ArgoCD/GitOps awareness, secret handling, debugging approach, RBAC best practices. |
Standalone shell utilities referenced by workflows or useful on their own:
| Script | Usage |
|---|---|
| k8s-snapshot.sh | ./k8s-snapshot.sh [namespace|all] [output-dir] — dump cluster state (nodes, pods, events, services, top) to a timestamped Markdown file. |
| aws-whoami.sh | ./aws-whoami.sh [profile] — quick AWS identity check: caller, region, account alias, org, SSO role. |
| stale-branches.sh | ./stale-branches.sh [days] [--remote] — list git branches older than N days with last commit info. |
| validate-repo.sh | ./scripts/validate-repo.sh — validate workflow frontmatter, README links, script executability, and optional lint checks. |
Clone the repo and run Claude Code from the repo root. Every workflow under .claude/commands/ is auto-discovered as a slash command — .claude/commands/k8s-debug.md is invoked as /k8s-debug, etc. The argument-hint in each file's frontmatter is shown inline as you type.
CLAUDE.md @-imports the rule files under rules/, so the safety guardrails for Kubernetes, Terraform, and general DevOps work load automatically whenever you run Claude Code in this directory.
.claude/settings.json pre-approves read-only bash patterns commonly used while developing here (validate-repo, find, grep, git status/diff/log) and denies cluster/cloud mutations (kubectl apply|delete|scale, helm install|upgrade, terraform apply|destroy, aws iam create|delete|put, etc.) —