src/orchestrator/skills/deployment-infrastructure/SKILL.md
Configures deployment pipelines, manages environment variables, schedules cron jobs, applies security headers, and implements caching strategies. Use when working with Docker, Vercel, AWS, Dockerfile, nginx.conf, or platform deployment configs.
`npx skillsauth add etylsarin/opencastle deployment-infrastructure`

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
See deployment-config.md for full architecture, env vars, cron jobs, and caching headers.
.env (defaults, committed) → .env.local (git-ignored) → .env.production / .env.preview → Platform-injected (highest).
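```ts
import { z } from 'zod';

// Validate required environment variables once, at startup.
const envSchema = z.object({
  DATABASE_URL: z.string().url(),
  API_SECRET: z.string().min(32), // server-only
  PUBLIC_SITE_URL: z.string().url(), // browser-safe
  CRON_SECRET: z.string().min(16), // server-only
  NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
});

// parse() throws if a variable is missing or malformed, so a misconfigured deploy fails at boot.
export const env = envSchema.parse(process.env);
```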
Prefix: PUBLIC_*/NEXT_PUBLIC_* (browser-safe), SECRET_*/*_SECRET (server-only). SCREAMING_SNAKE_CASE. Gitignore .env.local, .env.*.local.
Branch deployment: main → Production (auto) | feature/*, fix/* → Preview (auto)
Stages (in order): Install (--frozen-lockfile), Lint, Test (unit + integration + coverage), Build (production build), Deploy
Cron auth:

```ts
export async function GET(request: Request) {
  // Reject any request that does not carry the shared cron secret.
  const authHeader = request.headers.get('authorization');
  if (authHeader !== `Bearer ${process.env.CRON_SECRET}`)
    return new Response('Unauthorized', { status: 401 });
  return Response.json({ ok: true });
}
```
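A hardened form of the cron check, as an added example that is not part of the original skill file: it fails closed when `CRON_SECRET` is unset (the plain comparison would accept the literal `Bearer undefined`) and compares in constant time. `isAuthorizedCron`, `cronStatus`, `sha256` and `MIN_SECRET_LENGTH` are hypothetical names.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto';

// Assumption: same minimum as the CRON_SECRET rule in the Zod schema above.
const MIN_SECRET_LENGTH = 16;

// Hash both sides to a fixed 32 bytes: timingSafeEqual throws on inputs of
// different length, and an early length check would leak the secret's length.
function sha256(value: string): Buffer {
  return createHash('sha256').update(value, 'utf8').digest();
}

// Hypothetical helper: true only when the header is exactly "Bearer <secret>".
function isAuthorizedCron(authHeader: string | null, secret: string | undefined): boolean {
  // Fail closed: with no secret configured, `Bearer ${secret}` would be the
  // guessable string "Bearer undefined".
  if (!secret || secret.length < MIN_SECRET_LENGTH) return false;
  if (!authHeader) return false;
  return timingSafeEqual(sha256(authHeader), sha256(`Bearer ${secret}`));
}

// Hypothetical wrapper returning the HTTP status the route handler should send.
// `headers` is anything with a Headers-style get(), e.g. request.headers.
function cronStatus(headers: { get(name: string): string | null }, secret: string | undefined): number {
  return isAuthorizedCron(headers.get('authorization'), secret) ? 200 : 401;
}
```

In the route handler, call `cronStatus(request.headers, process.env.CRON_SECRET)` and send the 401 response unless it returns 200.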
| Asset Type | Cache-Control Header |
|---|---|
| Hashed static assets (JS, CSS) | public, max-age=31536000, immutable |
| Images / fonts | public, max-age=31536000, immutable |
| Favicon / manifest | public, max-age=86400 |
| HTML pages (SSG) | public, max-age=0, must-revalidate |
| API responses | private, no-cache |
| Prerendered pages (ISR) | public, s-maxage=3600, stale-while-revalidate=86400 |
Apply via framework headers() config or CDN rules.
Load security-hardening skill for full CSP inventory and header configuration.
git diff since last tag; verify no draft PRs
`curl -sI https://example.com | grep -iE '^(HTTP|strict-transport-security)'` — smoke-test production URLs (`-i` because HTTP/2 responses print header names in lowercase); monitor error rates
Prefer platform rollback (promote last good deploy). Fallback: git revert -m 1 HEAD && git push.
curl -sI) → 3. Confirm 200 + correct behavior → 4. If still broken, escalate

| Anti-Pattern | Fix |
|---|---|
| Hardcoding secrets | Env vars + Zod startup validation |
| Skipping preview deployments | Deploy every branch to preview |
| Cache-Control: no-store everywhere | Per-asset cache durations (see table) |
| Disabling security headers "temporarily" | Keep strict; document exceptions |
| Builds without --frozen-lockfile | Always use --frozen-lockfile in CI |