Run any Skill in Manus with one click

governance-executor

Stars39

Forks26

UpdatedMay 26, 2026 at 11:17

Orchestrates governed job execution with risk analysis, check mode, approval, and rollback. Use when: - "Execute job template X", "Deploy to production", "Push to prod", "Launch job template" - Any execution request targeting sensitive environments - Job template launches requiring governance controls NOT for platform assessment (use governance-assessor) or troubleshooting (use forensic-troubleshooter).

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

RHEcosystemAppEng

RHEcosystemAppEng/agentic-collections

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

Related occupationsSOC

Based on SOC occupation classification

Software DevelopersComputer and Mathematical Occupations·SOC 15-1252

File Explorer

5 files

SKILL.md

readonly

More from this repository

same repository

cve-impact

RHEcosystemAppEng/agentic-collections

**CRITICAL**: Use for ALL CVE discovery and listing. DO NOT call get_cves directly. Use when: "show critical CVEs", "CVEs on hostname X", "remediatable vulnerabilities", "impact of CVE-X", risk assessment. NOT for remediation (use `/remediation`). System-level: FIRST reply = pagination prompt (Step -1). Parsing: references/01-cve-response-parser.py.

2026-06-2339

fleet-inventory

RHEcosystemAppEng/agentic-collections

Query and display Red Hat Lightspeed managed system inventory. This skill focuses on discovery and listing only - for remediation actions, transition to the `/remediation` skill. Use when: - "Show the managed fleet" - "List all systems registered in Lightspeed" - "What systems are affected by CVE-X?" - "How many RHEL 8 systems do we have?" - "Show me production systems" **When NOT to use this skill** (use `/remediation` skill instead): - "Remediate CVE-X on these systems" - "Create a playbook for..." - "Patch system Y" This skill orchestrates MCP tools from lightspeed-mcp for fleet visibility and system inventory management.

2026-06-2339

mcp-lightspeed-validator

RHEcosystemAppEng/agentic-collections

Validate Red Hat Lightspeed MCP server connectivity. Use when the user asks to "validate Lightspeed MCP", "check Lightspeed connection", or when other skills need to verify lightspeed-mcp availability before CVE operations.

2026-06-2239

agentic-contribution-skill

RHEcosystemAppEng/agentic-collections

Interactive skill creation and import with automated validation and marketplace compliance. Use when: - "Create a new skill" - "Import an existing skill" - "Create a new agentic pack" - "Add skill to <pack>" - "Build skill for <rh-product>" - User mentions "skill builder", "contribute", "new skill", "import skill", or "new pack" Two modes: create from scratch or import existing SKILL.md. Guides through discovery, definition, generation, and validation. Enforces SKILL_DESIGN_PRINCIPLES.md and agentskills.io spec.

2026-06-1639

collection-compliance

RHEcosystemAppEng/agentic-collections

Diagnose and fix `.catalog/` validation failures (schema, roster, banners, sample workflows, JSON mirror). Use when: - `make validate` or CI reports collection compliance errors - A PR adds skills but catalog was not updated - `collection.json` is out of sync with `collection.yaml` - Catalog metadata/fragments might have drifted from README/CLAUDE/SKILL golden sources Remediation is via the create-collection workflow and `catalog_yaml_to_json.py`—not by weakening checks.

2026-06-1639

create-collection

RHEcosystemAppEng/agentic-collections

Author or refresh `<pack>/.catalog/collection.yaml` and related `.catalog/` artifacts from golden sources (SKILL.md, README, AGENTS.md, Lola marketplace). Use when: - Adding a new pack or refreshing the collection catalog for GitHub Pages / tooling - Aligning catalog narrative, sample workflows, and decision guide with skills on disk - Preparing a PR after changing skills or marketplace metadata Outputs only under `<pack>/.catalog/` (never overwrite README, SKILL, CLAUDE, or marketplace YAML).

2026-06-1639

name	governance-executor
description	Orchestrates governed job execution with risk analysis, check mode, approval, and rollback. Use when: - "Execute job template X", "Deploy to production", "Push to prod", "Launch job template" - Any execution request targeting sensitive environments - Job template launches requiring governance controls NOT for platform assessment (use governance-assessor) or troubleshooting (use forensic-troubleshooter).
model	inherit
color	red
license	Apache-2.0
allowed-tools	job_templates_list job_templates_retrieve job_templates_launch_retrieve job_templates_launch_create jobs_list jobs_retrieve jobs_job_events_list jobs_job_host_summaries_list jobs_relaunch_create workflow_job_templates_list inventories_list hosts_list notification_templates_list credentials_list instance_groups_list users_list

Governance Executor

Prerequisites

Required MCP Servers: aap-mcp-job-management, aap-mcp-inventory-management Required Skills: aap-mcp-validator, execution-risk-analyzer, governed-job-launcher, execution-summary

When to Use This Skill

Use this skill when:

User asks to execute, launch, deploy, or push a job template
User mentions production, staging, or any environment-targeted execution
User asks to launch a specific job template by name or ID

Do NOT use when:

User asks to assess platform readiness (use governance-assessor skill)
User asks to troubleshoot a failed job (use forensic-troubleshooter skill)
User asks about governance or compliance without an execution context

Workflow

1. Validate MCP Connectivity

Invoke the aap-mcp-validator skill:

Validate aap-mcp-job-management and aap-mcp-inventory-management
If any server fails: report and stop

2. Analyze Execution Risk

Invoke the execution-risk-analyzer skill:

The skill reads execution-governance.md
Identifies the job template and classifies inventory risk (CRITICAL / HIGH / MEDIUM / LOW)
Adapts: Checks job history -- flags recent failures or first-time execution
Adapts: Checks template launch config -- verifies check mode and limit overrides are available
Adapts: Checks notification bindings -- flags templates without failure alerting
Adapts: Checks workflow coverage -- flags standalone production templates
Adapts: Analyzes previous run events -- identifies shell/command module usage for check mode coverage
Scans extra_vars for plain-text secrets
Adjusts risk level based on operational signals (e.g., HIGH + never run + no check mode override → CRITICAL)
Reports risk assessment with Red Hat citations AND operational context

Document Consultation (performed by the skill): The execution-risk-analyzer skill reads execution-governance.md and reports its consultation.

If secrets detected: STOP. Report the finding and recommend using AAP credentials.

3. Execute Governed Launch

Invoke the governed-job-launcher skill:

The skill reads execution-governance.md
Adapts to risk analyzer signals:
- If recent failures flagged → offers to investigate first via forensic-troubleshooter
- If check mode not overridable → informs user and adapts execution path
- If shell/command modules detected → provides specific dry-run coverage percentage instead of generic warning
Applies governance controls based on adjusted risk level:
- CRITICAL: Check mode → interpret with context → approve → phased rollout
- HIGH: Check mode → interpret → approve → full run
- MEDIUM: Confirm → full run
- LOW: Execute directly
Reports results with changed-only summary
Proactive post-execution: If notifications/workflows were flagged as missing, recommends addressing those governance gaps now

Human Confirmation (REQUIRED for CRITICAL/HIGH):

After check mode: "Check mode results: [summary with coverage %]. Proceed with full execution?"
Between phases (CRITICAL): "Phase [N] succeeded. Proceed to Phase [N+1]?"
Wait for explicit user confirmation

If failure: Offer rollback options via jobs_relaunch_create.

4. Generate Execution Summary

Invoke the execution-summary skill:

Generate audit trail showing: risk classification basis, check mode results, approval decisions, execution outcome

Dependencies

Required Skills

aap-mcp-validator - MCP server validation
execution-risk-analyzer - Risk classification and secret scanning
governed-job-launcher - Check mode, execution, rollback
execution-summary - Audit trail

Required MCP Servers

aap-mcp-job-management - Job template lookup and launch
aap-mcp-inventory-management - Inventory risk classification

Required MCP Tools

None; delegated to sub-skills (execution-risk-analyzer, governed-job-launcher).

Related Skills

forensic-troubleshooter - Follow-up if execution fails
governance-assessor - Pre-execution platform readiness check

Reference Documentation

execution-governance.md - Risk classification, check mode, rollback

Example Usage

Example 1: Production Execution with Full Governance

User: "Execute the security patch on production"

Agent:

Validates MCP connectivity via aap-mcp-validator
Invokes execution-risk-analyzer:
- Finds "Security Patch" template, identifies "Production" inventory → CRITICAL risk
- Check mode is overridable, but last run failed → adds WARN signal
- No failure notifications → flags governance gap
Reports risk analysis to user with Red Hat citations
Invokes governed-job-launcher:
- Runs check mode first → presents results: "Check mode: 12 changes, 2 shell tasks skipped"
- Asks: "Proceed with full execution?"
- User approves → executes phased rollout (Phase 1: 25% of hosts)
- Phase 1 succeeds → "Proceed to Phase 2?"
Invokes execution-summary with full audit trail

Example 2: Low-Risk Development Execution

User: "Launch the dev-setup template"

Agent:

Validates MCP connectivity
Invokes execution-risk-analyzer: "Development" inventory → LOW risk, clear job history
Reports: "Low risk execution, direct execution permitted."
Invokes governed-job-launcher: executes directly, reports results
Invokes execution-summary

Critical: Human-in-the-Loop Requirements

Before full execution (CRITICAL/HIGH risk): Present check mode results, wait for approval
Between rollout phases (CRITICAL risk): Present phase results, wait for approval
Before rollback: Present failure summary, let user choose rollback strategy
Never skip check mode for CRITICAL risk, even if user says "urgent"