Feature
Beyond single-host health (#19): is the infrastructure alive — cluster, secrets engine, name resolution, tunnels — answered read-only in the morning report.
Proposed shape
- k8s-health step: node readiness + non-running pod count per configured context/namespace (kubectl get, exec-gated, -o json parsed to typed results); never mutates.
- vault-health step: seal status + token TTL remaining (vault status/lookup, exec-gated); warn at configured TTL thresholds.
- dns-check step: resolve configured names against configured resolvers (dig +short, exec-gated); flag mismatches vs expected addresses.
- tunnel-check step: reachability of configured host:port pairs (TCP connect through the net leash — hosts declared, SSRF-screened); VPN/jumpbox liveness without shelling to ssh.
- All read-only, all soft-skip when the tool is absent, every program/host declared in the default grant.
Development discipline
Rust-first, jujutsu-style (no panics in lib code, RFC-1574 doc comments, lower-level tests over e2e). Follow Foundation contributor rules + the rust-tdd skill: TDD, regression tests, 80% coverage floor, README per crate, exec/net leashed, generation counters not wall-clock, credentials as references only. Plugin model per #10.
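A sketch of the dns-check comparison described above, added here as an illustration and not taken from the project's code. `DnsVerdict`, `classify` and `check` are hypothetical names; the exec leash is not modelled (`std::process::Command` is called directly), and only the default A-record query is issued.

```rust
use std::collections::BTreeSet;
use std::io::ErrorKind;
use std::net::IpAddr;
use std::process::Command;

/// Outcome for one name/resolver pair (hypothetical type, not the project's).
#[derive(Debug, PartialEq)]
pub enum DnsVerdict {
    Match,
    Mismatch { missing: Vec<IpAddr>, unexpected: Vec<IpAddr> },
    NoAnswer,              // no address lines, e.g. NXDOMAIN or CNAME only
    ResolverError(String), // dig diagnostic or spawn failure
    Skipped,               // dig not installed: soft-skip, not a failure
}

/// Compare `dig +short` stdout with the expected address set, ignoring order.
pub fn classify(stdout: &str, expected: &[IpAddr]) -> DnsVerdict {
    let mut got = BTreeSet::new();
    for line in stdout.lines().map(str::trim).filter(|l| !l.is_empty()) {
        // Assumption: dig reports resolver failures as ";;" lines on stdout.
        if line.starts_with(';') {
            return DnsVerdict::ResolverError(line.to_string());
        }
        // CNAME hops print as names with a trailing dot; only addresses count.
        if let Ok(ip) = line.parse::<IpAddr>() {
            got.insert(ip);
        }
    }
    if got.is_empty() { return DnsVerdict::NoAnswer; }
    let want: BTreeSet<IpAddr> = expected.iter().copied().collect();
    if got == want { return DnsVerdict::Match; }
    DnsVerdict::Mismatch {
        missing: want.difference(&got).copied().collect(),
        unexpected: got.difference(&want).copied().collect(),
    }
}

/// Run dig read-only; a missing binary yields Skipped rather than an error.
pub fn check(name: &str, resolver: &str, expected: &[IpAddr]) -> DnsVerdict {
    match Command::new("dig").arg(format!("@{resolver}")).args([name, "+short"]).output() {
        Ok(out) => classify(&String::from_utf8_lossy(&out.stdout), expected),
        Err(e) if e.kind() == ErrorKind::NotFound => DnsVerdict::Skipped,
        Err(e) => DnsVerdict::ResolverError(e.to_string()),
    }
}

fn main() {
    // Constructed sample: one CNAME hop followed by one address.
    let want: [IpAddr; 1] = ["192.0.2.10".parse().unwrap()];
    println!("{:?}", classify("edge.example.net.\n192.0.2.10\n", &want));
}
```

Keeping `classify` free of I/O means the mismatch logic can be unit-tested without a resolver, and only `check` needs to sit behind the exec gate.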