// Kubernetes-layer health triage for Anton. Use when Codex checks whether the cluster is OK, Flux is healthy, platform controllers are ready, CNI or DNS is failing, cert-manager or ESO is stuck, gateways are broken, cloudflared is disconnected, or apps are unhealthy.
Anton ADR lifecycle — author new architectural decision records, list existing ones by status or affects-category, and mark old decisions superseded. Use when capturing a decision (especially after `cluster-intake-gatekeeper` returns an ADD/DEFER/REJECT verdict), when reviewing prior decisions before changing direction, when checking if a candidate component has been removed before, or when promoting a decision out of memory into a durable record. ADRs live in `context/adrs/` and are immutable — supersession is the only way to change a decision. The ADR index is built by scanning ADR files directly and injected into every Codex session by `.Codex/hooks/inject_adr_index.py`. Keywords — ADR, architecture decision record, decision log, supersede, decision history, why did we, prior decision, recorded decision, MADR, immutable, intake handoff, cluster-intake-gatekeeper handoff, removal graveyard, reverted decision.
Intake gate for adding new system or infrastructure components to Anton. Asks the user to declare intent (concrete need, honest learning, or both), then applies the matching rubric — full production rubric for concrete need, contained-learning rubric for learning intake — and returns add / defer / reject with an ADR-ready summary. Welcomes honest learning intake (anton is partly a learning cluster; "things that don't scale" are okay when declared) but rejects completionism dressed as need. Read-only — never scaffolds manifests, never applies to the cluster. Use when asking "should I add X", "can I run X on the cluster", "is X worth adopting", "I want to try X", "I want to learn X", "evaluate new component", "vet this helm chart", "cluster intake", "new app decision", before scaffolding a new Flux app, or when tempted by a shiny project on HN. Hands passing candidates off to add-flux-app. Keywords — intake, adopt, install, new component, new app, evaluate, should I run, worth it, learning, experiment, try out,
Expose a workload for access. Four paths: envoy-internal (LAN via split-horizon DNS), Tailscale Ingress (internal remote HTTP with browser-trusted TLS), Tailscale Service annotation (raw TCP / non-HTTP), envoy-external + Cloudflare tunnel (genuinely public, requires explicit approval). Handles HTTPRoute authoring, DNSEndpoint for secondary domains, and per-domain cert wiring.
Triage ntfy.sh-routed alerts in Anton — identify which alert fired, why it fired (or why it didn't deliver), and propose a fix. Use when "got an ntfy alert", "alert just fired", "ntfy not delivering", "AlertmanagerClusterFailedToSendAlerts", "AlertmanagerFailedToSendAlerts", "code 40014", "attachments not allowed", "iOS push missing", "test the ntfy receiver", "send a test alert", "what just paged me", "is ntfy working". Combines kube-prometheus-stack Alertmanager API, the self-hosted ntfy server (ADR 0026), and the ntfy CLI for poll/publish probes. Read-only by default; proposes edits the operator applies.
Anton planner skill — author, update, and close multi-session initiatives (migrations, rollouts, long-running refactors) in `context/plans/`. Use when starting a multi-session initiative, tracking next steps on in-flight work, migrating a memory entry to a durable plan, closing a completed initiative, or reviewing what's open. Plans live at `context/plans/NNNN-kebab-slug.md` and are mutable — they capture execution state (what's next, what's blocked, log of decisions made during work) while ADRs capture immutable decisions (why). The active-plan index is built by scanning plan files directly and injected into every Codex session by `.Codex/hooks/inject_plans_index.py`. Keywords — plan, planner, initiative, track work, multi-session, next steps, checklist, migration plan, rollout plan, roadmap, in-flight, blocker, close plan, review-by, exit plan, timebox, memory-to-plan handoff.
Use when Codex needs to inspect or troubleshoot the Anton cluster's self-hosted Temporal deployment with the local Temporal CLI, including checking cluster health, namespaces, workflow visibility, schedules, search attributes, Web UI reachability, or Kubernetes readiness for the `temporal` namespace. Prefer this for Temporal CLI tasks in Anton rather than generic Temporal SDK guidance.
| name | anton-cluster-health |
| description | Kubernetes-layer health triage for Anton. Use when Codex checks whether the cluster is OK, Flux is healthy, platform controllers are ready, CNI or DNS is failing, cert-manager or ESO is stuck, gateways are broken, cloudflared is disconnected, or apps are unhealthy. |
Goal: Triage Anton from Kubernetes upward and stop at the first failing layer.
Success means:
talos-inspect first.Stop when: the first red layer is explained or every layer is green enough for the user's question.
talos-inspect for node, disk, etcd, or network symptoms.references/layer-3-cni-dns.md.references/layer-4-flux.md.references/layer-5-platform.md.references/layer-6-apps.md.references/silent-killers.md when symptoms look clean but behavior is wrong.kubectl get nodes -o wide
kubectl get pods -A
flux get sources git -A
flux get ks -A
flux get hr -A
kubectl -n cert-manager get pods
kubectl -n external-secrets get pods
kubectl -n network get pods,httproute,gateway
Return:
Keep the triage read-only. Hand off fixes to the relevant manifest, Flux, Talos, or credential workflow.