cuioss/deploy
.claude/skills/deploy/SKILL.md
Build, deploy, and test NiFi E2E environment (Docker containers)
$ install --global
skillsauthnpx skillsauth add cuioss/nifi-extensions deployInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 1:28 AM5.6s1 file scanned
SKILL.md
- name:
- deploy
- description:
- Build, deploy, and test NiFi E2E environment (Docker containers)
- user-invocable:
- true
- allowed-tools:
- Bash, Read, mcp__claude-in-chrome__tabs_context_mcp, mcp__claude-in-chrome__tabs_create_mcp, mcp__claude-in-chrome__navigate, mcp__claude-in-chrome__find, mcp__claude-in-chrome__computer, mcp__claude-in-chrome__read_page, mcp__claude-in-chrome__browser_wait_for
NiFi E2E Deployment Skill
Manages the Docker-based NiFi + Keycloak test environment for E2E testing.
Parameters
Optional argument selects the workflow:
/deployor/deploy status— Show container status/deploy start— First-time start (build NAR + start containers)/deploy redeploy— Redeploy after code changes (rebuild NAR + restart NiFi only)/deploy test— Run E2E Playwright tests (containers must be running)/deploy test <file>— Run specific E2E test file/deploy stop— Stop all containers/deploy full— Full CI workflow: stop → build → start → test → stop/deploy troubleshoot— Diagnose common issues
Workflow
Step 1: Determine Action
Parse the argument to determine which workflow to execute. Default (no args) = show status.
Step 2: Execute Action
status (default)
./integration-testing/src/main/docker/check-status.sh --quiet
start
./integration-testing/src/main/docker/run-and-deploy.sh
Builds NAR, copies to target/nifi-deploy/, starts Keycloak + NiFi.
NiFi takes ~60-80s to become healthy. URLs after start:
- NiFi: https://localhost:9095/nifi (testUser / drowssap)
- Keycloak: https://localhost:9085 (admin / admin)
After containers are healthy, run the NiFi Browser Login procedure, then display the Sandbox Credentials.
redeploy
./integration-testing/src/main/docker/redeploy-nifi.sh
Rebuilds NAR, copies to deploy dir, runs docker compose restart nifi.
Wait ~60-80s for NiFi to become healthy.
Verify: ./integration-testing/src/main/docker/check-status.sh
After NiFi is healthy, run the NiFi Browser Login procedure, then display the Sandbox Credentials.
test [file]
cd e-2-e-playwright && npm run playwright:test [-- tests/<file>.spec.js]
Containers MUST be running. Use /deploy start first if needed.
stop
cd integration-testing/src/main/docker && docker compose down -v
full
cd integration-testing/src/main/docker && docker compose down -v
cd <project-root>
./mvnw clean install
./mvnw verify -Pintegration-tests -pl e-2-e-playwright -am
IMPORTANT: Maven manages its own container lifecycle. Do NOT have manually-started containers running.
troubleshoot
Check for common issues in order:
docker ps— Are containers running? Any orphaned containers on ports 7777/9095/9443?docker compose -f integration-testing/src/main/docker/docker-compose.yml ps— Container states- Port conflicts:
lsof -i :7777 -i :9095 -i :9443 2>/dev/null - NiFi logs:
docker logs docker-nifi-1 --tail 50 - NAR loaded:
docker logs docker-nifi-1 2>&1 | grep -i cuioss
NiFi Browser Login
After every start or redeploy, open Chrome and log in to NiFi.
Prerequisites: The user must have accepted the self-signed certificate for https://localhost:9095 in Chrome beforehand. If the browser shows a certificate error page, ask the user to manually accept the certificate (Advanced → Proceed) and then retry.
CRITICAL — Chrome extension false negatives:
The tabs_context_mcp call frequently returns "Browser extension is not connected" even when the extension IS connected and working. This is a transient MCP initialization issue, NOT an actual disconnection. You MUST retry up to 5 times before concluding the extension is truly disconnected. NEVER tell the user the extension is disconnected based on failed calls alone — just keep retrying silently. In practice, the extension is almost always connected; failures resolve after 1-5 retries.
Login steps:
- Call
tabs_context_mcpwithcreateIfEmpty: true. If it returns "not connected", retry up to 5 times (no delay needed between retries). Only after 5 consecutive failures should you ask the user to check the extension. - Create a new tab with
tabs_create_mcp - Navigate to
https://localhost:9095/nifi/— this redirects to NiFi's own login page (#/login) - Take a screenshot to see the current page state
- Click the Username input field and type
testUser - Click the Password input field and type
drowssap - Click the "Log in" button
- Wait until the URL contains
#/process-groups/and the page title is "NiFi Flow" to verify a successful login - Report login success to the user
Notes:
- This is NiFi's built-in login form — not Keycloak. The login page URL is
https://localhost:9095/nifi/#/login. - If the URL already contains
#/process-groups/after navigation, the user is already logged in — skip the login steps. - If NiFi is still starting and the page doesn't load, wait a few seconds and retry navigation.
- Use
computertool with coordinate-based clicks for the login form —findandread_pagecan be unreliable inside NiFi's Angular UI.
Critical Rules
- Maven E2E (
./mvnw verify -Pintegration-tests) automatically stops existing containers before starting fresh ones (via fixeddeploy-and-start.sh) - After
./mvnw clean install, the NAR intarget/nifi-deploy/is stale — must run/deploy redeployto update running containers - NiFi loads NARs only at startup — code changes require container restart, not just file copy
- The
target/nifi-deploy/directory is volume-mounted into the NiFi container
Key Paths
| Path | Purpose |
|------|---------|
| target/nifi-deploy/ | NAR deployment dir (Docker volume mount) |
| integration-testing/src/main/docker/docker-compose.yml | Docker Compose config |
| integration-testing/src/main/docker/*.sh | Local deployment scripts |
| e-2-e-playwright/scripts/*.sh | Maven-phase scripts |
| e-2-e-playwright/target/test-results/ | Test artifacts |
Sandbox Credentials
After a successful start or redeploy (and browser login), display these credentials to the user so they can use the Token Fetch form in the Endpunkt-Tester tab:
Sandbox Keycloak Credentials (for Token Fetch)
───────────────────────────────────────────────
Realm: oauth_integration_tests
Client-ID: test_client
Client-Secret: yTKslWLtf4giJcWCaoVJ20H8sy6STexM
ROPC (password grant):
Username: testUser
Password: drowssap
Token Endpoint (auto-discovered via issuer):
https://keycloak:8443/realms/oauth_integration_tests/protocol/openid-connect/token
Other realm (for cross-issuer testing):
Realm: other_realm
Client-ID: other_client
Client-Secret: otherClientSecretValue123456789
Username: otherUser / drowssap
Note: The issuer dropdown in the Endpunkt-Tester auto-populates from the processor's Controller Service config. The token endpoint is resolved via OIDC discovery when clicking "Ermitteln".
NiFi Custom UI Browser Verification
The Custom UI runs inside an iframe. To access it manually:
- Navigate to
https://localhost:9095/nifi/ - Double-click process group to enter it
- Right-click processor → look for "Advanced" menu item
- If not visible: click "Configure" → click Custom UI icon (top-right of dialog, red sticky-note icon)
- Custom UI loads in iframe with
?id={processorId}query parameter
Related Skills
cuioss/update-guide-screenshots
testing
VerifiedTrustedCommunity
Verify NiFi custom UI tabs via Chrome and update doc/guides screenshots and guides
3SKILL.mdUpdated Apr 16, 2026
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026
openclaw/openclaw-release-maintainer
development
VerifiedTrustedCommunity
Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-qa-testing
development
VerifiedTrustedCommunity
Run, watch, debug, and extend OpenClaw QA testing with qa-lab and qa-channel. Use when Codex needs to execute the repo-backed QA suite, inspect live QA artifacts, debug failing scenarios, add new QA scenarios, or explain the OpenClaw QA workflow. Prefer the live OpenAI lane with regular openai/gpt-5.4 in fast mode; do not use gpt-5.4-pro or gpt-5.4-mini unless the user explicitly overrides that policy.
357,764SKILL.mdUpdated Apr 10, 2026