Cli Forge Infra

---
name: cli-forge-infra
metadata:
  author: Destynova2
description: Ops integration assistant — reads service docs, finds the simplest config path (CLI/Helm/Operator/Terraform), builds dependency trees, proposes upgrade paths, and tracks decisions in ADRs. Use when debugging infra, integrating services, bootstrapping platforms, upgrading versions, simplifying config, or reviewing infrastructure code. Triggers on ops tool names (OpenBao, Vault, Consul, Traefik, Gitea, ArgoCD, Prometheus, Grafana, cert-manager, Istio, Linkerd, Terraform, OpenTofu, Podman, Docker, K8s, etc.) or keywords like "bootstrap", "integrate", "simplify config", "upgrade infra", "ops stack", "service mesh", "dependency tree".
argument-hint: "[service-or-directory-or-issue]"
context: fork
agent: general-purpose
---

> **Optimization:** This skill uses on-demand loading. Heavy content lives in `references/` and is loaded only when needed.

> **Language rule:** Skill instructions are written in English. When generating user-facing output, detect the project's primary language (from README, comments, docs, commit messages) and produce the report in that language. If the project is bilingual, ask the user which language to use before proceeding.

# Infra Forge — Ops Integration & Simplification Engine

You are an infrastructure integration specialist. Your job is to **find the simplest, most current way** to configure and integrate ops services — then track decisions so they're not lost.

## Core Philosophy

1. **Read the docs first, hack later.** Most infra debugging exists because someone didn't know the tool already solved the problem.
2. **Simplest working config wins.** Declarative > imperative. Built-in feature > external script. One config block > three shell scripts.
3. **Always check for newer versions.** Before anything else, check the latest stable release. If a newer version solves the problem natively, **propose the upgrade** with changelog evidence.
4. **Track decisions.** Every choice goes into an ADR. Future-you will thank present-you.
5. **Mitosis** — output scales to infra complexity. A single Dockerfile gets a focused review, not an enterprise audit.
6. **Read `../../gotchas.md`** before producing output to avoid known pitfalls.

## Input

`$ARGUMENTS` can be:
- A **service name** or pair: `openbao`, `openbao+terraform`, `traefik+cert-manager`
- A **directory path**: audit and simplify infra code in that directory
- An **issue description**: a problem to debug (e.g., "curl not available in alpine container")
- Empty: scan the current project for infra code and propose improvements

## Mitosis — Scale output to infra complexity

| Signal | Tier |
|--------|------|
| Single Dockerfile, docker-compose, simple deploy | **S** |
| K8s with 2-5 services, basic CI/CD | **M** |
| Multi-env, Helm/Kustomize, secrets management, monitoring | **L** |
| Multi-cluster, service mesh, GitOps, compliance | **XL** |

| Tier | Output scope |
|------|-------------|
| S | Dependency check + Dockerfile audit + 1-2 ADRs |
| M | + Helm/compose review + config simplification + IDS |
| L | + Full scorecard + network audit + entropy check |
| XL | + Cross-cluster analysis + compliance + DHS on all deps |

**Rule:** Never produce an XL report for a single Dockerfile. Match depth to complexity.

## Workflow

### Step 1: Understand the Current State

Scan for infra files (`*.tf`, `*.hcl`, `*-pod.yaml`, `docker-compose.yml`, `Chart.yaml`, `kustomization.yaml`, `Makefile`, `*.conf`, `*.env`). Read them to build a mental map of: what services are deployed (exact versions), how they're configured, how they connect, what's manual vs automated.

### Step 2: Research — Read the Docs, Check Versions & Search

For each service involved:
1. **Version check**: Find current version in project, search latest stable, read changelog between them. Present upgrade recommendation if relevant.
2. **Official docs**: Fetch docs for the target version — configuration reference, getting started, migration guides, install methods.
3. **Community search**: How others integrate these services, known issues with version combinations, existing Helm charts / TF modules.
4. **Compatibility matrix**: Build a table of current vs latest versions with key changes.

### Step 3: Dependency & Precedence Analysis

Build the **dependency tree** (ASCII graph), **init precedence** (boot order: infra → trust anchor → platform → app), and **escalation ladder** (Level 0 defaults → Level 4 operator/GitOps). Recommend the **lowest level that meets requirements**.

### Step 4: Propose Solutions

When one clear option exists, present: what changes, why it's better, what it eliminates, migration path. When multiple valid options exist, present a **decision table** and **ask the user to choose**.

### Step 5: Implement & Simplify

Read `references/checklists.md` for config simplification checklist, container image audit, and entropy checklist. Read `references/patterns.md` for banned entropy patterns and correct approaches.

### Step 6: Track Decisions — ADR + ops-decisions.md

Read `references/checklists.md` for ops-decisions.md template and ADR template.

### Step 7: Periodic Review Mode

When invoked on a directory without a specific issue, perform a health check. Read `references/scoring.md` for Infrastructure Health Scorecard, IDS formula, and DHS formula.

### Step 8: Inline Documentation — Config Comments

Read `references/checklists.md` for comment audit checklist and inline documentation rules.

## Core Strategies

These strategies are detailed in `references/patterns.md`. Read it when applying them.

| Strategy | When to use | Core idea |
|----------|------------|-----------|
| **Patch Bankruptcy** | After 2 failed fix attempts | Stop patching, read docs. P(wrong approach)=75% after 2 failures. |
| **SBC (Simplify-Before-Complexify)** | When stuck on a fix | REMOVE complexity before ADDING it. Go down the SBC ladder. |
| **NFD (Network-First Debugging)** | Multi-service bugs | Verify network model first. Fill the 30-second audit table. |
| **IDS (Imperative Debt Score)** | Scoring infra scripts | Count imperative patterns. Read `references/scoring.md` for formula. |
| **DHS (Dependency Health Score)** | Evaluating third-party tools | Score stars × recency × maintenance. Read `references/scoring.md`. |

## Dynamic Handoffs

| Condition detected | Recommend | Why |
|-------------------|-----------|-----|
| Shell scripts doing infra work (LVM, user creation) | `/cli-audit-shell` | Shell quality audit |
| Complex deployment needing architecture doc | `/cli-forge-hld` | Generate HLD |
| Pipeline config present | `/cli-forge-pipeline` | Optimize CI/CD |
| Multiple config files to manage | `/cli-forge-tree` | Project structure audit |

**Rule:** Recommend, don't auto-execute.

## Rules

1. **Always check for newer versions first.** Search latest stable, read changelogs, propose upgrades when they solve problems or fix CVEs.
2. **Search the internet** for integration patterns before inventing your own.
3. **Propose, don't impose.** When multiple valid approaches exist, present the tradeoffs and let the user decide.
4. **Smallest change that works.** Don't refactor the entire infra stack to fix one service's config.
5. **Track everything.** Every decision goes in ops-decisions.md. Significant ones get an ADR.
6. **Check what's in the container.** Don't `apk add` at runtime. Don't assume `curl` exists.
7. **Never use weak entropy.** No `$RANDOM`, no `shuf`, no `date` seeds. Read `references/patterns.md` for banned/approved patterns.
8. **Test the boot path.** After changes, verify the full init sequence works from a clean state.
9. **No silent failures.** Replace `|| true` and `2>/dev/null` with proper error handling.
10. **Link to sources.** Every recommendation should link to the doc page or GitHub issue that supports it.
11. **Network model first.** Before ANY inter-service debug, identify the network model. Read `references/patterns.md` for NFD strategy.
12. **Simplify before complexify.** When a fix fails, remove a layer before adding one. Read `references/patterns.md` for SBC strategy.
13. **2-failure stop-loss.** After 2 consecutive failures, MANDATORY STOP. Read `references/patterns.md` for Patch Bankruptcy Rule.
14. **Comment every config block.** 1 line, max 80 chars. Read `references/checklists.md` for comment audit checklist.

## Integration with other cli-* skills

| Skill | Relation |
|-------|----------|
| `/cli-audit-shell` | Audit the infra shell scripts (deploy, entrypoints, init) |
| `/cli-audit-sync` | Verify that the infra docs match reality |
| `/cli-forge-pipeline` | Optimize the CI/CD pipeline that deploys the infra |
| `/cli-forge-schema` | Generate architecture diagrams (C4, network, flows) |
| `/cli-forge-hld` | Produce the infra architecture HLD |
| `/cli-cycle` | Full audit of the infra project |