Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

avav25/infra-change

Name: infra-change
Author: avav25

plugin/skills/infra-change/SKILL.md

npx skillsauth add avav25/ai-assets infra-change

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Infrastructure Change

Safe infrastructure change workflow for Terraform, Helm, and Kubernetes. Every mutation requires explicit user approval after reviewing the plan/diff. Applies Agent(devops-engineer) for all steps.

⚠️ SAFETY: No apply, upgrade, delete, or scale command runs without explicit user APPROVE.

0. Gather Context

Read CLAUDE.md (or AGENTS.md) at the project root to identify:

Infrastructure tools in use (Terraform, Helm, kubectl, Pulumi, OpenTofu)
Cloud platform (GCP, Azure, AWS) — apply cloud-platforms skill for platform-specific commands
Environment structure (dev, staging, production)
State backend and workspace conventions

0a. Detect orchestration / GitOps controllers — route first

Before running terraform apply or helm upgrade directly, check whether the repo's infra changes flow through a controller. If so, the change is a git PR, not an imperative command.

GitOps platform detection (Argo / Flux / Atlantis / HCP / Spacelift / env0) — see @gitops-detection.

0b. Detect Terraform fork

OpenTofu fork detection + command substitution rules — see @terraform-procedures.

0c. Policy-as-code gate (when configured)

If .conftest/ (Conftest), .opa/ (raw OPA Rego), .tflint.hcl (TFLint), or tfsec.yml (tfsec) / .checkov.yml (Checkov) configs are present, run them as a pre-plan gate. A plan that violates policy never advances to apply.

1. Define the Change

Ask the user (or extract from parent workflow context):

What needs to change? (resource scaling, new service, config update, network change, secret rotation)
Which tool? Terraform, Helm, kubectl, or combination
Environment: dev / staging / production
Risk level: Low (config), Medium (scaling, new resource), High (destroy, DB, auth, prod)

If Risk = HIGH or Environment = production:

⚠️ HIGH-RISK INFRASTRUCTURE CHANGE
Destructive actions require explicit "APPROVE" before execution.
Affected: [list resources/services]

2. Apply Roles

Apply Agent(devops-engineer). For production changes, also apply Agent(sre-engineer) for SLO impact assessment. For cloud infrastructure design (landing zones, networking topology, IAM), consult Agent(cloud-architect). For CI/CD pipeline architecture changes, consult Agent(devops-architect).

3. Review Current State

Before making changes, capture the current state:

3a. Terraform State (if applicable)

Terraform state operations + plan/apply lifecycle + OpenTofu compatibility — see @terraform-procedures.

3b. Helm State (if applicable)

Helm diff + atomic upgrade + rollback procedures — see @helm-procedures.

3c. Kubernetes State (if applicable)

// turbo
kubectl get deployments,services,ingress -n <namespace>
kubectl get pods -n <namespace> -o wide

Record: Current resource counts, versions, replicas, config values as baseline.

4. Implement Changes

Make the infrastructure code changes following Agent(devops-engineer) standards:

For Terraform:

Modify .tf files as needed
Run format and validate:

// turbo
terraform fmt -recursive
terraform validate

For Helm:

Modify values.yaml or chart templates
Lint the chart:

// turbo
helm lint <chart-path>

For raw Kubernetes manifests:

Modify YAML files
Validate with dry-run:

kubectl apply --dry-run=client -f <manifest>

5. Plan Review — MANDATORY BEFORE APPLY

Generate the plan/diff for the tool in use and present a summary table to the user.

Terraform: see @terraform-procedures for terraform plan -out=tfplan and the plan-summary format (Add / Change / Destroy table, destroy/replace highlight, data-loss flag).
Helm: see @helm-procedures for helm diff upgrade and the diff-summary format (per-object Action / Key Changes table, critical-changes highlight, downtime flag).
Kubectl:
```
kubectl diff -f <manifest>
```

WARNING — STOP. Present plan/diff summary and request APPROVE before proceeding to Step 6.

6. Apply — REQUIRES EXPLICIT APPROVE

Only after the user explicitly approves:

Terraform: terraform apply tfplan (see @terraform-procedures)
Helm: helm upgrade ... --atomic --timeout 5m --wait (see @helm-procedures)
Kubectl: kubectl apply -f <manifest>

Rules:

Never auto-run apply/upgrade commands
User must explicitly type "APPROVE" or equivalent
If the plan changed since review — re-run Step 5

7. Verify

After applying, verify the changes took effect:

// turbo
kubectl get pods -n <namespace> -o wide
kubectl get events -n <namespace> --sort-by='.lastTimestamp' --field-selector type!=Normal

Check:

[ ] All pods healthy (Running, no CrashLoopBackOff)
[ ] Expected replica counts match
[ ] No warning/error events
[ ] Services responding (health check endpoints)
[ ] Logs clean (no new errors)

If production — monitor SLIs for 5–10 minutes after apply.

8. Rollback Plan

Document the rollback before considering the change complete:

Terraform: revert .tf files and re-apply — see @terraform-procedures
Helm: helm rollback <release> <previous-revision> -n <namespace> — see @helm-procedures
Kubectl: kubectl rollout undo deployment/<name> -n <namespace>

9. Summary

## Infrastructure Change Summary
- **Change**: [what was changed]
- **Tool**: [Terraform / Helm / kubectl]
- **Environment**: [dev / staging / production]
- **Risk**: [low / medium / high]
- **Plan reviewed**: [yes — summary of add/change/destroy]
- **Applied**: [yes/no — with APPROVE]
- **Verification**: [pass/fail]
- **Rollback plan**: [documented above]
- **Next steps**: [monitoring, follow-up changes]

RALF Loop (optional)

For multi-step infra changes that may need iterative reconciliation (e.g., Terraform plans that depend on prior apply outputs), this skill MAY run inside /ralph per ralph-budget.md rule. Default per-workflow caps: 4 iter / 200K tokens / 45 min. Mandatory --kill-on oracle-pass (oracle: terraform plan -detailed-exitcode returns 0 = no diff).

Integration

Roles: Agent(devops-engineer) (primary), Agent(sre-engineer) (review), Agent(cloud-architect) (cloud design review), Agent(devops-architect) (CI/CD pipeline architecture)
Knowledge skills: @terraform-procedures, @helm-procedures, @gitops-detection, @cloud-platforms
Preceded by: /plan (infra work stream), /architecture (cloud architecture design)
Followed by: /deploy-staging, /deploy-production
Rules: ralph-budget (caps for iterative reconciliation per "RALF Loop" section)

avav25/infra-change

plugin/skills/infra-change/SKILL.md

Use this skill when changing infrastructure config (Terraform, Helm, K8s) and a destructive or production-touching operation is involved — to run the infrastructure change workflow (Terraform plan/apply, Helm diff/upgrade, Kubernetes manifest changes) with mandatory approval gates. Applies DevOps role. Safe-by-default with plan review before any mutation.

1 stars

development

Updated May 23, 2026

$ install --global

skillsauth

npx skillsauth add avav25/ai-assets infra-change

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 23, 2026, 4:32 AM27.2s1 file scanned

SKILL.md

name:: infra-change
description:: Use this skill when changing infrastructure config (Terraform, Helm, K8s) and a destructive or production-touching operation is involved — to run the infrastructure change workflow (Terraform plan/apply, Helm diff/upgrade, Kubernetes manifest changes) with mandatory approval gates. Applies DevOps role. Safe-by-default with plan review before any mutation.
disable-model-invocation:: true
argument-hint:: [description of infrastructure change]

Infrastructure Change

Safe infrastructure change workflow for Terraform, Helm, and Kubernetes. Every mutation requires explicit user approval after reviewing the plan/diff. Applies Agent(devops-engineer) for all steps.

⚠️ SAFETY: No apply, upgrade, delete, or scale command runs without explicit user APPROVE.

0. Gather Context

Read CLAUDE.md (or AGENTS.md) at the project root to identify:

Infrastructure tools in use (Terraform, Helm, kubectl, Pulumi, OpenTofu)
Cloud platform (GCP, Azure, AWS) — apply cloud-platforms skill for platform-specific commands
Environment structure (dev, staging, production)
State backend and workspace conventions

0a. Detect orchestration / GitOps controllers — route first

Before running terraform apply or helm upgrade directly, check whether the repo's infra changes flow through a controller. If so, the change is a git PR, not an imperative command.

GitOps platform detection (Argo / Flux / Atlantis / HCP / Spacelift / env0) — see @gitops-detection.

0b. Detect Terraform fork

OpenTofu fork detection + command substitution rules — see @terraform-procedures.

0c. Policy-as-code gate (when configured)

1. Define the Change

Ask the user (or extract from parent workflow context):

What needs to change? (resource scaling, new service, config update, network change, secret rotation)
Which tool? Terraform, Helm, kubectl, or combination
Environment: dev / staging / production
Risk level: Low (config), Medium (scaling, new resource), High (destroy, DB, auth, prod)

If Risk = HIGH or Environment = production:

⚠️ HIGH-RISK INFRASTRUCTURE CHANGE
Destructive actions require explicit "APPROVE" before execution.
Affected: [list resources/services]

2. Apply Roles

3. Review Current State

Before making changes, capture the current state:

3a. Terraform State (if applicable)

Terraform state operations + plan/apply lifecycle + OpenTofu compatibility — see @terraform-procedures.

3b. Helm State (if applicable)

Helm diff + atomic upgrade + rollback procedures — see @helm-procedures.

3c. Kubernetes State (if applicable)

// turbo
kubectl get deployments,services,ingress -n <namespace>
kubectl get pods -n <namespace> -o wide

Record: Current resource counts, versions, replicas, config values as baseline.

4. Implement Changes

Make the infrastructure code changes following Agent(devops-engineer) standards:

For Terraform:

Modify .tf files as needed
Run format and validate:

// turbo
terraform fmt -recursive
terraform validate

For Helm:

Modify values.yaml or chart templates
Lint the chart:

// turbo
helm lint <chart-path>

For raw Kubernetes manifests:

Modify YAML files
Validate with dry-run:

kubectl apply --dry-run=client -f <manifest>

5. Plan Review — MANDATORY BEFORE APPLY

Generate the plan/diff for the tool in use and present a summary table to the user.

Terraform: see @terraform-procedures for terraform plan -out=tfplan and the plan-summary format (Add / Change / Destroy table, destroy/replace highlight, data-loss flag).
Helm: see @helm-procedures for helm diff upgrade and the diff-summary format (per-object Action / Key Changes table, critical-changes highlight, downtime flag).
Kubectl:
```
kubectl diff -f <manifest>
```

WARNING — STOP. Present plan/diff summary and request APPROVE before proceeding to Step 6.

6. Apply — REQUIRES EXPLICIT APPROVE

Only after the user explicitly approves:

Terraform: terraform apply tfplan (see @terraform-procedures)
Helm: helm upgrade ... --atomic --timeout 5m --wait (see @helm-procedures)
Kubectl: kubectl apply -f <manifest>

Rules:

Never auto-run apply/upgrade commands
User must explicitly type "APPROVE" or equivalent
If the plan changed since review — re-run Step 5

7. Verify

After applying, verify the changes took effect:

// turbo
kubectl get pods -n <namespace> -o wide
kubectl get events -n <namespace> --sort-by='.lastTimestamp' --field-selector type!=Normal

Check:

[ ] All pods healthy (Running, no CrashLoopBackOff)
[ ] Expected replica counts match
[ ] No warning/error events
[ ] Services responding (health check endpoints)
[ ] Logs clean (no new errors)

If production — monitor SLIs for 5–10 minutes after apply.

8. Rollback Plan

Document the rollback before considering the change complete:

Terraform: revert .tf files and re-apply — see @terraform-procedures
Helm: helm rollback <release> <previous-revision> -n <namespace> — see @helm-procedures
Kubectl: kubectl rollout undo deployment/<name> -n <namespace>

9. Summary

## Infrastructure Change Summary
- **Change**: [what was changed]
- **Tool**: [Terraform / Helm / kubectl]
- **Environment**: [dev / staging / production]
- **Risk**: [low / medium / high]
- **Plan reviewed**: [yes — summary of add/change/destroy]
- **Applied**: [yes/no — with APPROVE]
- **Verification**: [pass/fail]
- **Rollback plan**: [documented above]
- **Next steps**: [monitoring, follow-up changes]

RALF Loop (optional)

Integration

Roles: Agent(devops-engineer) (primary), Agent(sre-engineer) (review), Agent(cloud-architect) (cloud design review), Agent(devops-architect) (CI/CD pipeline architecture)
Knowledge skills: @terraform-procedures, @helm-procedures, @gitops-detection, @cloud-platforms
Preceded by: /plan (infra work stream), /architecture (cloud architecture design)
Followed by: /deploy-staging, /deploy-production
Rules: ralph-budget (caps for iterative reconciliation per "RALF Loop" section)

Related Skills

avav25/knowledge-sync

development

VerifiedTrustedCommunity

Use this skill when running the recurring (daily) knowledge-base rescan for a repo that already has knowledge/.knowledge-sync.yml — the main-thread dispatcher that reads the config, computes the git delta since last_scanned_sha, maps changed paths to affected doc areas, early-exits cheaply when nothing changed, then fans out one Agent(content-writer) per affected area, applies the propose/direct update policy, advances the baseline only on success, and writes an L4 run log — all with the G1 untrusted-content choke-point, secret-scan, deny-list, and budget controls woven in. For first-time setup use /knowledge-sync-init.

1SKILL.mdUpdated May 24, 2026

avav25/knowledge-sync

avav25/knowledge-sync-init

development

VerifiedTrustedCommunity

Use this skill when bootstrapping scheduled knowledge-base sync for a repo that has no knowledge/.knowledge-sync.yml yet — to run one-time setup that detects the knowledge_root from CLAUDE.md/AGENTS.md, maps doc areas to source globs, records opt-in external sources (Linear/Notion/WebFetch, all disabled by default), captures a baseline last_scanned_sha, sets the per-area update policy, generates or seeds knowledge/CONVENTIONS.md, provisions the L4 memory dir, and offers to register the daily routine. Routes ongoing recurring sync operations to /knowledge-sync.

1SKILL.mdUpdated May 24, 2026

avav25/knowledge-sync-init

avav25/ai-skills-init

tools

VerifiedTrustedCommunity

Use this skill when bootstrapping a target repository to be ai-skills-aware — on the first run of any ai-skills workflow in a fresh repo, when adopting the ai-skills plugin in an existing repo, or after upgrading to a plugin version that adds new memory paths or templates, including when the user does not say "init" but asks to "set up" or "onboard" the repo — to detect codebase type, create CLAUDE.md + AGENTS.md scaffolding, initialize the .ai-skills-memory/ directory tree from L1 templates, and configure .gitignore. Idempotent — safe to re-run. Accepts `--codebase-type <type>` and `--overwrite`. Not for re-initializing only memory — use `/memory-init` instead.

1SKILL.mdUpdated May 18, 2026

avav25/ai-skills-init

avav25/plugin-author

tools

VerifiedTrustedCommunity

Use this skill when extending, repairing, or improving plugin assets, when ingesting a `/feedback` report as a fix-cycle backlog, or when you do not remember which lower-level command is right for the job — the umbrella workflow for ai-skills plugin-asset authoring and maintenance: creating, auditing, fixing, improving, refactoring, and migrating skills, agents, rules, hooks, prompts, schemas, and rubrics inside the plugin. Auto-classifies the request, loads the right knowledge skills (`@prompt-engineering`, `@context-engineering`, `@team-protocols`), and spawns the right subagents (`prompt-engineer`, `system-architect`, `python-engineer`, `software-engineer`, `qa-engineer`, `eval-judge`) via the `Agent` tool.

1SKILL.mdUpdated May 14, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/avav25/ai-assets.git

# Copy into Claude Code skills folder (global)
cp -r ai-assets/plugin/skills/infra-change ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

avav25/ai-assets

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT