agentic-collections

**CRITICAL**: Use for ALL CVE discovery and listing. DO NOT call get_cves directly. Use when: "show critical CVEs", "CVEs on hostname X", "remediatable vulnerabilities", "impact of CVE-X", risk assessment. NOT for remediation (use `/remediation`). System-level: FIRST reply = pagination prompt (Step -1). Parsing: references/01-cve-response-parser.py.

Query and display Red Hat Lightspeed managed system inventory. This skill focuses on discovery and listing only - for remediation actions, transition to the `/remediation` skill. Use when: - "Show the managed fleet" - "List all systems registered in Lightspeed" - "What systems are affected by CVE-X?" - "How many RHEL 8 systems do we have?" - "Show me production systems" **When NOT to use this skill** (use `/remediation` skill instead): - "Remediate CVE-X on these systems" - "Create a playbook for..." - "Patch system Y" This skill orchestrates MCP tools from lightspeed-mcp for fleet visibility and system inventory management.

Validate Red Hat Lightspeed MCP server connectivity. Use when the user asks to "validate Lightspeed MCP", "check Lightspeed connection", or when other skills need to verify lightspeed-mcp availability before CVE operations.

Interactive skill creation and import with automated validation and marketplace compliance. Use when: - "Create a new skill" - "Import an existing skill" - "Create a new agentic pack" - "Add skill to <pack>" - "Build skill for <rh-product>" - User mentions "skill builder", "contribute", "new skill", "import skill", or "new pack" Two modes: create from scratch or import existing SKILL.md. Guides through discovery, definition, generation, and validation. Enforces SKILL_DESIGN_PRINCIPLES.md and agentskills.io spec.

Diagnose and fix `.catalog/` validation failures (schema, roster, banners, sample workflows, JSON mirror). Use when: - `make validate` or CI reports collection compliance errors - A PR adds skills but catalog was not updated - `collection.json` is out of sync with `collection.yaml` - Catalog metadata/fragments might have drifted from README/CLAUDE/SKILL golden sources Remediation is via the create-collection workflow and `catalog_yaml_to_json.py`—not by weakening checks.

Author or refresh `<pack>/.catalog/collection.yaml` and related `.catalog/` artifacts from golden sources (SKILL.md, README, AGENTS.md, Lola marketplace). Use when: - Adding a new pack or refreshing the collection catalog for GitHub Pages / tooling - Aligning catalog narrative, sample workflows, and decision guide with skills on disk - Preparing a PR after changing skills or marketplace metadata Outputs only under `<pack>/.catalog/` (never overwrite README, SKILL, CLAUDE, or marketplace YAML).

Guide users through creating a federation PR to register an external agentic pack in the marketplace. Collects only repository URL and pack path, infers other metadata from the repo, and confirms before proceeding. Use when: - "I want to federate my pack" - "How do I add an external pack to the marketplace?" - "Create a federation request" - "Register an external module" - User mentions "federation request", "federate", or "external module" NOT for reviewing federation PRs (use /federation-review instead). NOT for direct contributions (use /agentic-contribution-skill instead).

Validate a federation PR: license check, automated validation, and Lola marketplace verification. Use when: - "Review federation PR" - "Validate federated pack" - User mentions "federation", "federate", or "external pack" NOT for direct contributions (use /agentic-contribution-skill instead).

Bootstrap installer. Fetches and installs all Red Hat agent skills into this project.

Diagnose OpenShift RBAC permission failures that cause workloads to fail with 403 Forbidden errors when accessing the Kubernetes API. Automates multi-step diagnosis: pod logs for FORBIDDEN errors, readiness probe failures, ServiceAccount identification, RoleBinding/ClusterRoleBinding analysis, and remediation history for regression detection. Use when: - "403 forbidden when accessing Kubernetes API" - "ServiceAccount permission denied" - "pods can't list resources" - "missing RoleBinding" - User mentions "RBAC denied", "403 forbidden", "permission denied" NOT for SCC admission failures (use /debug-scc instead).

Diagnose OpenShift Security Context Constraint (SCC) violations that prevent pods from being created. Automates multi-step diagnosis: Deployment status, ReplicaSet FailedCreate events, security context field extraction, SCC rejection parsing, and ServiceAccount SCC binding analysis. Use when: - "SCC violation blocking pod creation" - "unable to validate against any security context constraint" - "FailedCreate forbidden" - "pod blocked by SCC" - User mentions "SCC", "security context constraint", "FailedCreate" NOT for pods crashing after creation (use /debug-pod instead).

End-to-end OpenShift cluster creation using Red Hat Assisted Installer. Handles Single-Node OpenShift (SNO) and HA multi-node clusters on baremetal, vsphere, oci, nutanix. Use when: - "Create a new OpenShift cluster" - "Install OpenShift on my servers" - "Set up a single-node cluster for edge deployment" - "Deploy a production HA cluster" Complete workflow: cluster definition, ISO generation, host discovery/validation, role assignment, network configuration (VIPs, static networking), installation monitoring, credential retrieval. NOT for: - Listing existing clusters → Use `/cluster-inventory` skill - Modifying running clusters → Out of scope (Day-2 operations require direct cluster access) - Cluster upgrades (not yet supported)

List and inspect OpenShift clusters across self-managed (OCP, SNO) and managed service (ROSA, ARO, OSD) deployments. Returns cluster name, ID, version, status, platform, and creation date. Use when: - "List all clusters" - "Show cluster status" - "What clusters are available?" - "Get details of cluster [name]" - "Show cluster events for diagnostics" Read-only operations. Does NOT modify clusters.

Generate a consolidated health report across multiple OpenShift clusters. Verifies each kubeconfig context is a genuine OpenShift cluster before reporting. Non-OpenShift contexts are skipped by default. Collects node resources (CPU, memory, GPUs), namespace counts, and pod status into a single comparison view. Use when: - "Show me a report across all clusters" - "Compare cluster health" - "Multi-cluster status overview" - "How are my clusters doing?" - "Include all clusters including non-OpenShift" (override default filter) NOT for single-cluster deep-dives or troubleshooting specific pods.

Analyze AI model performance, GPU utilization, and cluster health on OpenShift AI. Use when: - "How is my model performing?" - "What GPUs are available in the cluster?" - "Show me inference latency for Llama" - "Check OpenShift cluster health metrics" - "Trace a slow inference request" - "Correlate errors across my inference stack" Query-driven, read-only analysis. Routes to the appropriate observability domain based on user intent. NOT for deploying models (use /model-deploy). NOT for debugging failed deployments (use /debug-inference).

Troubleshoot failed or slow InferenceService deployments on OpenShift AI. Use when: - "My InferenceService won't start" - "Model deployment is stuck" - "Inference endpoint returns errors" - "Model is slow / high latency" - "GPU scheduling failed for my model" Progressive diagnosis: status conditions, events, pod logs, GPU health, and observability analysis. NOT for deploying models (use /model-deploy). NOT for creating runtimes (use /serving-runtime-config).

Deploy AI/ML models on OpenShift AI using KServe with vLLM, NVIDIA NIM, or Caikit+TGIS runtimes. Use when: - "Deploy Llama 3 on my cluster" - "Set up a vLLM inference endpoint" - "Deploy a model with NIM" - "Create an InferenceService for Granite" - "I need to serve a model on OpenShift AI" Handles runtime selection, GPU validation, InferenceService CR creation, and rollout monitoring. NOT for NIM platform setup (use /nim-setup first). NOT for custom runtime creation (use /serving-runtime-config).

Configure NVIDIA NIM platform on OpenShift AI for optimized model inference. Use when: - "Set up NIM on my cluster" - "Configure NGC credentials for NIM" - "I want to deploy a NIM model but haven't set up the platform" - "Create the NIM Account CR" One-time prerequisite before deploying models with NVIDIA NIM runtime via /model-deploy. NOT for deploying models (use /model-deploy instead). NOT for vLLM or Caikit deployments (NIM-specific only).

Configure custom ServingRuntime CRs on OpenShift AI for model serving frameworks not covered by built-in runtimes. Use when: - "Create a custom serving runtime" - "I need a runtime for ONNX / Triton / custom framework" - "Customize vLLM runtime parameters" - "What serving runtimes are available?" - "Add a custom container image for model serving" Handles listing existing runtimes, creating new ServingRuntime CRs, and validating compatibility with target models. NOT for deploying models (use /model-deploy after runtime is configured). NOT for NIM platform setup (use /nim-setup).

Analyze execution risk by classifying inventory, scanning extra_vars for secrets, and assessing scope. Use when: - "Execute on production", "Deploy to production" (as first step before launch) - "Is this execution safe?" - "Check execution risk" - "Validate the execution target" NOT for: launching jobs (use governed-job-launcher) or troubleshooting failures (use job-failure-analyzer).

Generate concise execution audit reports tracking documents consulted, MCP tools used, decisions made, and outcomes. Use when: - "Generate execution summary" - "Create execution report" - "Show workflow audit trail" - After completing any governance workflow (assessment, execution, troubleshooting) NOT for: starting a new workflow (use the appropriate skill instead).

Orchestrates forensic analysis of failed jobs with event extraction, host correlation, and resolution advisory. Use when: - "Job #X failed", "Why did the execution fail?" - "Analyze the failure", "What went wrong?" - "Root cause analysis of job #X" NOT for execution (use governance-executor) or platform assessment (use governance-assessor).

Orchestrates AAP governance readiness assessments -- full platform audit or scoped to specific domains. Assesses 7 governance domains + 1 bonus: 1. Workflow Governance (approval gates, workflow coverage) 2. Notification Coverage (failure alerting, notification bindings) 3. Access Control / RBAC (teams, roles, least privilege) 4. Credential Security (separation of duties, credential hygiene) 5. Execution Environments (custom EEs, image provenance) 6. Workload Isolation (instance groups, capacity separation) 7. Audit Trail (activity stream, change tracking) Bonus: External Authentication (LDAP, SAML, SSO) Use when: - Full: "Is my AAP ready for production?", "Audit my platform governance" - Scoped: "Assess my credentials setup", "Check my RBAC", "How are my notifications?" - "What should I fix before executing jobs?" - Any question about specific AAP governance domains above NOT for job execution (use governance-executor) or troubleshooting (use forensic-troubleshooter).

Orchestrates governed job execution with risk analysis, check mode, approval, and rollback. Use when: - "Execute job template X", "Deploy to production", "Push to prod", "Launch job template" - Any execution request targeting sensitive environments - Job template launches requiring governance controls NOT for platform assessment (use governance-assessor) or troubleshooting (use forensic-troubleshooter).

Assess AAP platform governance readiness -- full 7-domain audit or scoped to specific domains. Use when: - Full assessment: "Is my AAP ready for production?", "Audit my platform governance" - Scoped assessment: "Assess my credentials setup", "Check my RBAC", "How are my notifications configured?" - "What should I fix before executing jobs?" - "Assess my AAP configuration" - Any question about a specific governance domain (credentials, RBAC, workflows, notifications, EEs, instance groups, audit, auth) NOT for: executing jobs (use governance-executor) or troubleshooting failures (use forensic-troubleshooter).

Execute governed job launches with check mode, approval gates, phased rollout, and rollback. Use when: - After execution-risk-analyzer has classified the execution risk - "Launch with check mode first", "Run the dry run" - "Execute the job" (after risk analysis) - "Rollback the failed job" NOT for: risk analysis (use execution-risk-analyzer first) or troubleshooting (use job-failure-analyzer).

Correlate job failures with host system facts to determine platform drift and resource issues. Use when: - After job failure analysis identifies affected hosts - "Check the system facts for failed hosts" - "Is the host healthy?", "Check disk space on server-01" - "Why is the service failing on this host?" NOT for: analyzing job events (use job-failure-analyzer first) or resolution guidance (use resolution-advisor after).

Extract and analyze failure events from AAP jobs to classify errors and reconstruct failure timelines. Use when: - "Job #X failed", "Why did the execution fail?" - "Analyze the failed job", "What went wrong?" - "Show me the failure details" NOT for: host fact correlation (use host-fact-inspector) or resolution recommendations (use resolution-advisor).

Provide Red Hat documentation-backed resolution recommendations for classified job errors. Use when: - After failure analysis and host fact inspection: "How do I fix this?" - "What does Red Hat recommend for this error?" - "What's the fix for privilege escalation timeout?" - "Is this a known AAP issue?" NOT for: analyzing events (use job-failure-analyzer first) or checking host facts (use host-fact-inspector first).

Complete end-to-end workflow for containerizing and deploying applications to OpenShift or standalone RHEL systems. Orchestrates /detect-project, /s2i-build, /deploy, /helm-deploy, and /rhel-deploy skills with user confirmation checkpoints at each phase. Supports S2I, Podman, Helm deployment strategies for OpenShift, and Podman/native deployments for RHEL hosts. Use this skill when user wants to go from source code to running application in one guided workflow. Supports resume after interruption and rollback on failure. Triggers on /containerize-deploy command.

Diagnose OpenShift build failures including S2I builds, Docker/Podman builds, and BuildConfig issues. Automates multi-step diagnosis: BuildConfig validation, build pod logs, registry authentication, and source repository access. Use this skill when builds fail, hang, or produce unexpected results. Triggers on /debug-build command or phrases like "build failed", "S2I error", "can't pull builder image", "can't push to registry", "build timeout".

Diagnose local container issues with Podman/Docker including image pull errors, container startup failures, OOM kills, and networking problems. Automates multi-step diagnosis: container inspect, logs retrieval, image analysis, and resource constraint checking. Use this skill when containers fail to run locally before deployment. Triggers on /debug-container command or phrases like "container won't start", "podman run fails", "local container crashing", "container exits immediately".

Diagnose OpenShift service connectivity issues including DNS resolution, service endpoints, route ingress, and network policies. Automates multi-step diagnosis: service endpoint verification, pod selector matching, route status, and network policy analysis. Use this skill when services can't communicate, routes return 503/502 errors, or external access fails. Triggers on /debug-network command or phrases like "can't reach service", "route returning 503", "pods can't communicate", "no endpoints".

Diagnose OpenShift Pipelines (Tekton) CI/CD failures including PipelineRun failures, TaskRun step errors, workspace/PVC binding issues, and authentication problems. Automates multi-step diagnosis: PipelineRun status, failed TaskRun analysis, step container logs, and related resource checks. Use this skill when pipelines fail, hang, or produce unexpected results. Triggers on /debug-pipeline command or phrases like "pipeline failed", "PipelineRun error", "TaskRun failed", "tekton error", "pipeline stuck", "pipeline timeout".

Diagnose pod failures on OpenShift including CrashLoopBackOff, ImagePullBackOff, OOMKilled, and pending pods. Automates multi-step diagnosis: pod status, events, logs (current + previous), and resource constraint analysis. Use this skill when pods are not running, restarting frequently, or stuck in non-ready states. Triggers on /debug-pod command or phrases like "my pod is crashing", "pod won't start", "CrashLoopBackOff", "ImagePullBackOff", "OOMKilled".

Diagnose RHEL system issues including systemd service failures, SELinux denials, firewall blocking, and system resource problems. Automates multi-step diagnosis: journalctl log analysis, SELinux denial detection (ausearch), firewall rule inspection, and systemd unit status. Use this skill when applications fail on standalone RHEL/Fedora/CentOS hosts deployed via /rhel-deploy. Triggers on /debug-rhel command or phrases like "service won't start on RHEL", "SELinux blocking", "systemd failed", "firewall blocking".

Create Kubernetes Deployment, Service, and Route resources on OpenShift to deploy and expose an application. Use this skill after /s2i-build to make the built image accessible. Handles port detection, replica configuration, HTTPS route creation, rollout monitoring, and rollback on failure. Triggers on /deploy command when user wants to deploy a container image to OpenShift.

Analyze a project folder or GitHub repository to detect programming language, framework, and version requirements. Use this skill when containerizing an application, selecting an S2I builder image, deploying to OpenShift or RHEL, or determining a project's tech stack. Supports Node.js, Python, Java, Go, Ruby, .NET, PHP, and Perl. Triggers on /detect-project command or when user needs build strategy recommendations. Run before /s2i-build or /rhel-deploy.

Deploy applications to OpenShift using Helm charts. Use this skill when user wants to deploy with Helm, when a Helm chart is detected in the project, or when /helm-deploy command is invoked. Supports both existing charts and chart creation. Handles chart detection, values customization, install/upgrade operations, and rollback. Requires kubernetes MCP Helm tools.

Structured incident investigation for OpenShift using the Five Whys methodology, investigation guardrails, Prometheus metric analysis, and adversarial due diligence. Orchestrates multi-resource diagnosis across Deployments, ReplicaSets, Pods, Services, and cluster resources to trace from observed symptoms to root cause. Use when: - "investigate this incident" - "triage this alert" - "root cause analysis" - "what caused this outage" - User mentions "five whys", "incident", "triage", "RCA" NOT for single-resource issues with clear patterns (use /debug-pod, /debug-scc, /debug-rbac, or /debug-network instead).