feat(skills): add network engineering and homelab skills + agents #1413
arsallls wants to merge 5 commits into affaan-m:main from
Conversation
ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR. |
📝 Walkthrough
Adds four new agent specifications and nine new skill documents covering enterprise and homelab networking: architecting, troubleshooting, config review, BGP diagnostics, Cisco IOS patterns, Netmiko automation, VLANs, Pi-hole DNS, WireGuard, interface health, and config validation.
Sequence Diagram(s)
sequenceDiagram
participant User
participant Agent
participant Device
participant Logs
User->>Agent: Provide symptom / inventory / goals
Agent->>Device: Request/parse configs and run diagnostics (show, ping, traceroute)
Device-->>Agent: Return outputs (interfaces, routes, ACL hits)
Agent->>Logs: Correlate timestamps and events
Logs-->>Agent: Provide corroborating evidence
Agent->>User: Present findings, remediation steps, and structured root-cause summary
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks: ✅ 5 passed (5 of 5)
Greptile Summary
This PR adds 9 skills and 4 agents covering network engineering (BGP, Cisco IOS, interface health, Netmiko, config validation) and homelab (network setup, VLANs, Pi-hole, WireGuard) domains. Several issues flagged in prior rounds have been addressed (pfSense IoT DNS rule ordering, SNMP contradiction, dangling Related Skills references, syntax-check false FAIL). Two new P1 issues remain: the
Confidence Score: 4/5
Safe to merge after fixing the enable secret false-positive and the hardcoded credentials in the Netmiko example — both produce incorrect or insecure guidance that users will follow directly. Two P1 issues remain: DANGEROUS_PATTERNS flags enable secret causing pre_flight_check to always FAIL for secure configs, and the batch-operations example hardcodes credentials against its own Anti-Patterns guidance. Prior P1/P0 concerns from earlier rounds have been resolved. Remaining P2s are real but lower urgency.
skills/network-config-validation/SKILL.md (enable secret false-positive) and skills/netmiko-ssh-automation/SKILL.md (hardcoded BASE_CREDS)
| Filename | Overview |
|---|---|
| skills/network-config-validation/SKILL.md | Pre-flight validation skill; enable secret in DANGEROUS_PATTERNS causes false FAIL for recommended Cisco configs |
| skills/netmiko-ssh-automation/SKILL.md | Multi-vendor SSH automation skill; batch operations example hardcodes credentials in direct contradiction to the Anti-Patterns section |
| skills/homelab-wireguard-vpn/SKILL.md | WireGuard VPN skill; server key generation has a brief permission-race window; generate_keypair() silently swallows wg pubkey failures |
| skills/homelab-vlan-segmentation/SKILL.md | VLAN segmentation skill; pfSense DNS exception rule now correctly precedes RFC1918 block; MikroTik DHCP network config omits dns-server parameter |
| agents/network-troubleshooter.md | Well-structured OSI-layer diagnostic agent; correct frontmatter; workflow and output format are actionable and clear |
| agents/network-config-reviewer.md | Security audit agent with clear severity tiers and verdict criteria; correct frontmatter; well-organized workflow |
| agents/network-architect.md | Enterprise network design agent with thorough topology, routing, segmentation, and redundancy sections; correct frontmatter |
| agents/homelab-architect.md | Homelab design agent that adapts to hardware capabilities; hardware-capability mapping and implementation ordering are useful; correct frontmatter |
| skills/cisco-ios-patterns/SKILL.md | IOS/IOS-XE reference skill; dangling Related Skills links removed from prior review; wildcard mask and config mode hierarchy are accurate |
| skills/network-bgp-diagnostics/SKILL.md | BGP diagnostic skill with state-by-state troubleshooting and Python parser; non-existent Related Skill reference removed |
| skills/network-interface-health/SKILL.md | Interface health diagnostic skill; Python parser correctly slices output by interface block before applying DOTALL regexes |
| skills/homelab-pihole-dns/SKILL.md | Pi-hole install and DNS skill; curl-pipe-to-bash acknowledged with inspect-first alternative; .home.arpa vs .local note is accurate |
| skills/homelab-network-setup/SKILL.md | Home network architecture skill; hardware role table and IP scheme are clear; double-NAT and VPN subnet conflict warnings are practically useful |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[pre_flight_check called] --> B[check_dangerous_commands]
B --> C{contains enable secret\nor username ... secret?}
C -->|Yes - false positive| D[dangerous = non-empty]
C -->|No| E[dangerous = empty]
D --> F[overall = FAIL even if config is correct]
E --> G[check_security]
G --> H{security issues?}
H -->|Yes| F
H -->|No| I[check subnet overlaps and duplicate IPs]
I --> J{any overlaps or dup IPs?}
J -->|Yes| F
J -->|No| K[overall = PASS]
Reviews (4): Last reviewed commit: "fix: revert heading rename, fix IoT DNS ..."
Actionable comments posted: 14
🧹 Nitpick comments (1)
skills/homelab-network-setup/SKILL.md (1)
140-140: Prefer timeless wording over year-specific phrasing.
Line 140 (in 2024+) will become stale. Suggest neutral wording (e.g., “for modern homelab runs”).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@skills/homelab-network-setup/SKILL.md` at line 140, Replace the year-specific phrase "in 2024+" in the heading "# Cat6 is the right choice for a new homelab run in 2024+" with a timeless, neutral phrasing (for example: "for modern homelab runs" or "for current homelab setups") so the statement in the SKILL.md heading remains accurate long-term; update the heading text accordingly wherever this exact string appears.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@agents/network-troubleshooter.md`:
- Around line 86-87: Replace the line titled "Test: temporarily remove ACL from
interface to confirm it's the blocker" with a non-disruptive verification-first
recommendation: instruct operators to use hit counters, explicit permit test ACL
entries, interface/packet captures, or staged source testing before any ACL
removal, and only consider temporary ACL removal as a last-resort with scheduled
change control and rollback steps; update the single-line heading and the
accompanying test steps to reflect these safer alternatives.
In `@skills/cisco-ios-patterns/SKILL.md`:
- Around line 11-232: The SKILL.md uses a nonstandard heading "When to Activate"
and omits required sections; rename "When to Activate" to "When to Use", add a
new "How It Works" section (move or summarize the explanatory content such as
"Config Mode Hierarchy", "Critical gotcha", "Essential Show Commands", and
"Wildcard Masks" under it) and add an "Examples" section (place concrete config
snippets like "Interface Configuration Patterns", ACL examples, and
saving/verifying config examples there); ensure top-level headings are exactly
"When to Use", "How It Works", and "Examples" and leave existing subheadings
(e.g., "Config Mode Hierarchy", "Essential Show Commands", "Wildcard Masks",
"Interface Configuration Patterns", "ACL Structure and Implicit Deny") under the
appropriate new sections so the file conforms to the skills/**/*.md template.
In `@skills/homelab-network-setup/SKILL.md`:
- Around line 11-21: Replace the non-standard "When to Activate" header with the
required "When to Use" header and ensure the existing bullet list under "When to
Activate" is moved unchanged under "When to Use"; then add a new "How It Works"
section explaining the skill's technical approach (brief description of expected
setup steps, VLAN/DHCP/IP addressing rationale, and key constraints) and an
"Examples" section with at least one concrete example scenario (e.g., homelab
with NAS + Pi + VLANs and a sample DHCP reservation/IP plan); search for the
headers "When to Activate" and "Hardware Roles" to locate where to insert/rename
these sections (also apply the same rename/addition for the other similar block
referenced around lines 163-176).
In `@skills/homelab-pihole-dns/SKILL.md`:
- Around line 75-79: The example exposes a weak hardcoded password via the
environment key WEBPASSWORD; replace the literal "changeme" with a placeholder
(e.g., ${PIHOLE_WEBPASSWORD}) or reference a generated/secret mechanism and
update the surrounding text to instruct users to supply a strong secret (or use
a secret store) instead of copying an insecure default; look for the WEBPASSWORD
environment entry and PIHOLE_DNS_ example in SKILL.md to make this change and
add one-line guidance about using a generated secret or environment/secret
manager.
- Around line 11-22: The section heading "When to Activate" should be renamed to
the required template heading "When to Use", the heading "How Pi-hole Works"
should be changed to the template "How It Works", and an explicit "Examples"
section must be added with representative usage examples (e.g., installing
Pi-hole, setting DNS, creating local records) so the file follows the repo skill
format; apply the same renaming and add Examples entries for the other affected
blocks referenced in the comment (the later repeated sections) to ensure all
skills/**/*.md sections use "When to Use", "How It Works", and "Examples".
In `@skills/homelab-vlan-segmentation/SKILL.md`:
- Around line 11-21: Rename the custom headings in SKILL.md to match the
required skill format: change "When to Activate" to "When to Use" and "What
VLANs Do" to "How It Works", and add an explicit "Examples" section (with at
least one concrete example of VLAN setup or rule) following the same style;
update any bullet points under the old headings to remain under the new headings
and ensure similar changes are applied to the other affected block noted (lines
229-241) so all skill files conform to "When to Use", "How It Works", and
"Examples".
In `@skills/homelab-wireguard-vpn/SKILL.md`:
- Around line 11-21: Rename and restructure the top sections in SKILL.md to
match the repository standard by replacing the current "When to Activate"
heading with an exact "When to Use" heading, ensure the "How WireGuard Works"
heading is changed to the exact "How It Works" heading, and add a new "Examples"
section that contains practical usage examples (peer config snippets, commands,
or troubleshooting scenarios); update any duplicated or similar content
(including the block referenced around lines 262-275) to follow these three
exact headings and move/merge content so each section is focused: When to Use
(short bullet triggers), How It Works (concise explanation), Examples (concrete
commands/configs).
- Around line 44-45: The pipeline that generates server keys writes to
/etc/wireguard without elevated privileges (wg genkey | tee
/etc/wireguard/server_private.key | wg pubkey >
/etc/wireguard/server_public.key), which will fail for non-root users; update
the command so the write operations run with sudo (ensure tee and the
redirection to /etc/wireguard/server_public.key run under sudo or run the entire
pipeline with sudo/sh -c), and keep the target filenames server_private.key and
server_public.key and the wg genkey / wg pubkey steps unchanged.
In `@skills/netmiko-ssh-automation/SKILL.md`:
- Around line 11-269: Rename the top-level "When to Activate" heading to "When
to Use" and restructure the document to include explicit "How It Works" and
"Examples" headings: move the explanatory paragraphs and the "Basic Connection",
"Device Types Reference", "Enable Mode", "Sending Configuration", and "Error
Handling Patterns" content under "How It Works" (explaining connection
mechanics, device_type, auth, enable, config push, and error handling) and
consolidate the runnable snippets and batch/
parsing/anti-patterns/best-practices into an "Examples" section for hands-on
usage; ensure the new headings are exact strings "When to Use", "How It Works",
and "Examples" so the file conforms to skills/**/*.md guidelines and retain all
existing code samples and unique identifiers like ConnectHandler,
send_config_set, run_command_on_device, and NetmikoAuthenticationException.
In `@skills/network-bgp-diagnostics/SKILL.md`:
- Around line 11-21: The SKILL.md needs to use the required section headings and
structure: replace the current "When to Activate" heading with "When to Use",
add a "How It Works" section summarizing what the skill does and its diagnostic
approach (e.g., reading BGP summary output, analyzing neighbor states, AS path
and filters), and add an "Examples" section that includes actionable commands or
scenarios; apply the same heading changes to the other occurrence referenced
(lines ~213-226) so all skill markdowns follow the "When to Use", "How It
Works", and "Examples" template consistently.
In `@skills/network-config-validation/SKILL.md`:
- Around line 245-247: Update the wording that currently contrasts "'enable
password' instead of 'enable secret'" and the note "'enable password' uses weak
reversible encryption; 'enable secret' uses MD5'": remove the claim that enable
secret is universally MD5 and instead state that enable secret is preferred over
enable password because enable password uses weak reversible encryption while
enable secret stores a hashed (and on modern IOS devices can use stronger) form;
replace the specific "MD5" reference with a generic "hashed/stronger" phrasing
so the guidance does not pin to MD5.
- Around line 11-265: Rename and restructure the top-level sections to match the
required template by renaming "When to Activate" to "When to Use", adding a new
"How It Works" section that briefly describes the implementations (reference
functions/checks like check_dangerous_commands, validate_config_block,
find_subnet_overlaps, extract_subnets_from_config, find_duplicate_ips,
check_best_practices, check_security, and pre_flight_check) and moving the
detailed explanations of each check under it, and add an "Examples" section that
contains the usage snippets (e.g., the router.cfg usage and sample function
outputs) so the document contains explicit "When to Use", "How It Works", and
"Examples" headings.
In `@skills/network-interface-health/SKILL.md`:
- Around line 96-100: The doc contains contradictory guidance about
auto-negotiation: one example shows "interface GigabitEthernet0/0" with "duplex
auto" and "speed auto" while another section states to never rely on
auto-negotiation for critical links; pick a single policy and make both places
consistent. Decide whether the recommendation is to prefer auto-negotiation or
to require explicit settings for critical links; then update the example block
(the "interface GigabitEthernet0/0" snippet) and the prose that currently says
"never rely on auto-negotiation for critical links" so they match—if you choose
explicit settings, change the snippet to static "duplex full" and "speed 1000"
and change the prose to mandate fixed settings for critical links; if you choose
auto, change the prose to qualify when auto is acceptable and remove the
absolute "never" phrasing.
- Around line 11-21: Normalize the skill markdown by adding explicit "When to
Use", "How It Works", and "Examples" headings and moving the existing bullet
list under "When to Use"; create a "How It Works" section that explains what to
examine in `show interfaces` output (error counters, CRC, input/output drops,
duplex/speed negotiation, flapping indicators) and how those metrics relate to
faults; add an "Examples" section with representative commands (e.g., show
interfaces <interface>, show interfaces counters errors) and brief expected
output/interpretation lines; ensure the file SKILL.md matches the repository
skill format and apply the same heading normalization to the remaining similar
sections referenced.
---
Nitpick comments:
In `@skills/homelab-network-setup/SKILL.md`:
- Line 140: Replace the year-specific phrase "in 2024+" in the heading "# Cat6
is the right choice for a new homelab run in 2024+" with a timeless, neutral
phrasing (for example: "for modern homelab runs" or "for current homelab
setups") so the statement in the SKILL.md heading remains accurate long-term;
update the heading text accordingly wherever this exact string appears.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: fd160e67-f5b9-4cec-aaf5-924278895ad8
📒 Files selected for processing (13)
agents/homelab-architect.md
agents/network-architect.md
agents/network-config-reviewer.md
agents/network-troubleshooter.md
skills/cisco-ios-patterns/SKILL.md
skills/homelab-network-setup/SKILL.md
skills/homelab-pihole-dns/SKILL.md
skills/homelab-vlan-segmentation/SKILL.md
skills/homelab-wireguard-vpn/SKILL.md
skills/netmiko-ssh-automation/SKILL.md
skills/network-bgp-diagnostics/SKILL.md
skills/network-config-validation/SKILL.md
skills/network-interface-health/SKILL.md
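The enable secret false positive in the Greptile summary and flowchart above, and the enable password wording note in the prompt list, both come down to how the dangerous-command list is matched. As an added example that is not the PR's code, here is a minimal pre_flight_check in the flowchart's shape: the function names (check_dangerous_commands, check_security, extract_subnets_from_config, find_subnet_overlaps, find_duplicate_ips, pre_flight_check) mirror the ones the review names, but the bodies, patterns and the two sample configs are my own assumptions.

```python
import ipaddress
import re

# Dangerous commands match only at the start of a command line (indentation
# stripped), so 'reload' inside a description or banner does not trigger.
DANGEROUS_PATTERNS = [
    (re.compile(r"^reload\b", re.I), "device reload causes downtime"),
    (re.compile(r"^erase\s+(startup|nvram|flash)", re.I), "erases persistent storage"),
]

# Weak settings go through check_security, not the dangerous list.
# 'enable secret' is the recommended form and is deliberately not a pattern.
SECURITY_PATTERNS = [
    (re.compile(r"^enable\s+password\b", re.I),
     "'enable password' is reversibly encoded; use 'enable secret' (hashed)"),
]

IP_ADDRESS_RE = re.compile(
    r"^ip\s+address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)(?:\s+secondary)?$", re.I)

def _command_lines(config):
    """Yield (lineno, command) for each non-blank line that is not a '!' comment."""
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("!"):
            yield n, line

def _scan(config, patterns):
    return [(n, reason) for n, line in _command_lines(config)
            for pat, reason in patterns if pat.search(line)]

def check_dangerous_commands(config):
    """Commands with immediate, hard-to-recover impact."""
    return _scan(config, DANGEROUS_PATTERNS)

def check_security(config):
    """Weak settings that should block the change but are not destructive."""
    return _scan(config, SECURITY_PATTERNS)

def extract_subnets_from_config(config):
    """Return [(lineno, IPv4Interface)] for every 'ip address A.B.C.D M.M.M.M'."""
    found = []
    for n, line in _command_lines(config):
        m = IP_ADDRESS_RE.match(line)
        if m:
            found.append((n, ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")))
    return found

def find_subnet_overlaps(config):
    """Pairs of interface networks that overlap; on one router any overlap is a fault."""
    subnets = extract_subnets_from_config(config)
    return [(a_line, str(a.network), b_line, str(b.network))
            for i, (a_line, a) in enumerate(subnets)
            for b_line, b in subnets[i + 1:]
            if a.network.overlaps(b.network)]

def find_duplicate_ips(config):
    """Host addresses assigned on more than one line."""
    seen = {}
    for n, iface in extract_subnets_from_config(config):
        seen.setdefault(str(iface.ip), []).append(n)
    return [(ip, lines) for ip, lines in seen.items() if len(lines) > 1]

def pre_flight_check(config):
    """Mirror the flowchart: any dangerous, security, overlap or duplicate finding is FAIL."""
    result = {
        "dangerous": check_dangerous_commands(config),
        "security": check_security(config),
        "overlaps": find_subnet_overlaps(config),
        "duplicate_ips": find_duplicate_ips(config),
    }
    result["overall"] = "FAIL" if any(result.values()) else "PASS"
    return result

# Constructed sample: recommended settings, must PASS even though the word
# 'reload' appears inside an interface description.
GOOD_CONFIG = """\
! edge-1 (constructed sample)
enable secret 9 PLACEHOLDER_HASH
interface GigabitEthernet0/0
 description UPLINK-TO-CORE re-verify after reload
 ip address 10.0.1.1 255.255.255.252
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
"""

# Constructed sample with one finding of each kind (line numbers matter).
BAD_CONFIG = """\
enable password WEAK_EXAMPLE
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.0.1.130 255.255.255.128
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
reload in 5
"""
```

Running pre_flight_check on GOOD_CONFIG returns PASS, while BAD_CONFIG reports the reload, the reversible enable password, two overlapping networks and the duplicate 10.0.1.1, each with the config line it came from.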
skills/cisco-ios-patterns/SKILL.md
Outdated
| ## When to Activate | ||
|
|
||
| - Writing or reviewing Cisco IOS/IOS-XE configuration | ||
| - Generating show commands for troubleshooting | ||
| - Explaining IOS config mode hierarchy or privilege levels | ||
| - Helping with ACL wildcard mask calculations | ||
| - Diagnosing why a config change didn't take effect | ||
| - Automating IOS device interaction with Python/Netmiko | ||
|
|
||
| ## Config Mode Hierarchy | ||
|
|
||
| ``` | ||
| Router> enable # Enter privileged EXEC (requires enable password) | ||
| Router# configure terminal # Enter global config mode | ||
| Router(config)# interface Gi0/0 # Enter interface sub-mode | ||
| Router(config-if)# ip address 10.0.0.1 255.255.255.0 | ||
| Router(config-if)# no shutdown | ||
| Router(config-if)# exit # Back to global config | ||
| Router(config)# router bgp 65001 # Enter routing process sub-mode | ||
| Router(config-router)# end # Jump straight back to privileged EXEC | ||
| Router# write memory # Save — or use: copy running-config startup-config | ||
| ``` | ||
|
|
||
| **Critical gotcha: forgetting `write memory`** | ||
| IOS running-config is in RAM. A reload without saving loses all unsaved changes. Always verify with `show running-config | include <key phrase>` before and after a change window, then save. | ||
|
|
||
| ## Essential Show Commands | ||
|
|
||
| ``` | ||
| # System state | ||
| show version # IOS version, uptime, hardware | ||
| show inventory # Physical hardware/modules | ||
| show processes cpu sorted # CPU utilization | ||
| show memory statistics # Memory usage | ||
|
|
||
| # Interfaces | ||
| show interfaces # Full interface detail — errors, counters, speed/duplex | ||
| show ip interface brief # Quick status table for all interfaces | ||
| show interfaces GigabitEthernet0/0 # Single interface detail | ||
| show interfaces trunk # Trunk port status and allowed VLANs | ||
|
|
||
| # Routing | ||
| show ip route # Full routing table | ||
| show ip route 10.0.0.0 # Longest match for a specific prefix | ||
| show ip protocols # Running routing protocols + parameters | ||
| show ip ospf neighbor # OSPF adjacency table | ||
| show bgp summary # BGP session table | ||
|
|
||
| # Layer 2 | ||
| show vlan brief # VLAN table | ||
| show spanning-tree # STP state per VLAN | ||
| show mac address-table # CAM table | ||
|
|
||
| # Access lists | ||
| show ip access-lists # ACL contents + hit counters | ||
| show ip access-lists MYACL # Specific ACL | ||
|
|
||
| # Logging and events | ||
| show logging # Syslog buffer | ||
| show ip nat translations # Active NAT entries | ||
| ``` | ||
|
|
||
| ## Wildcard Masks | ||
|
|
||
| Wildcard masks are the inverse of subnet masks. `0` = must match, `1` = don't care. | ||
|
|
||
| ``` | ||
| # Subnet mask → Wildcard mask | ||
| 255.255.255.0 → 0.0.0.255 (match /24 network) | ||
| 255.255.255.252 → 0.0.0.3 (match /30 — point-to-point links) | ||
| 255.255.0.0 → 0.0.255.255 (match /16 network) | ||
| 255.0.0.0 → 0.255.255.255 (match /8 network) | ||
| 0.0.0.0 → 255.255.255.255 (match any host — used in OSPF: network 0.0.0.0 255.255.255.255 area 0) | ||
| 255.255.255.255 → 0.0.0.0 (match one specific host) | ||
|
|
||
| # Formula: wildcard = 255.255.255.255 - subnet_mask | ||
| # Example: wildcard for 255.255.255.224 = 255.255.255.255 - 255.255.255.224 = 0.0.0.31 | ||
|
|
||
| # ACL examples | ||
| access-list 10 permit 192.168.1.0 0.0.0.255 # Permit entire /24 | ||
| access-list 10 permit 10.0.0.1 0.0.0.0 # Permit single host | ||
| access-list 10 permit 172.16.0.0 0.0.255.255 # Permit entire /16 | ||
|
|
||
| # OSPF network statements | ||
| router ospf 1 | ||
| network 10.0.0.0 0.0.0.255 area 0 # Advertise /24 in area 0 | ||
| network 0.0.0.0 255.255.255.255 area 0 # Advertise all interfaces (use with care) | ||
| ``` | ||
|
|
||
| ## ACL Structure and Implicit Deny | ||
|
|
||
| ``` | ||
| # Every ACL ends with an invisible implicit deny all | ||
| # If no permit matches, traffic is dropped silently | ||
|
|
||
| ip access-list extended INBOUND | ||
| 10 permit tcp 10.0.0.0 0.0.0.255 any eq 80 | ||
| 20 permit tcp 10.0.0.0 0.0.0.255 any eq 443 | ||
| 30 permit icmp any any | ||
| ! implicit deny ip any any here — no log, no counter increment | ||
|
|
||
| # Make the deny visible and logged | ||
| ip access-list extended INBOUND | ||
| 10 permit tcp 10.0.0.0 0.0.0.255 any eq 80 | ||
| 20 permit tcp 10.0.0.0 0.0.0.255 any eq 443 | ||
| 30 permit icmp any any | ||
| 999 deny ip any any log # Now shows in 'show ip access-lists' with hit count | ||
|
|
||
| # Check ACL hit counts to confirm traffic is matching expected entries | ||
| show ip access-lists INBOUND | ||
| ``` | ||
|
|
||
| ## Interface Configuration Patterns | ||
|
|
||
| ``` | ||
| interface GigabitEthernet0/0 | ||
| description UPLINK-TO-CORE | ||
| ip address 10.0.1.1 255.255.255.252 | ||
| no shutdown | ||
| duplex full | ||
| speed 1000 | ||
|
|
||
| # Layer 2 access port | ||
| interface GigabitEthernet0/1 | ||
| description WORKSTATION-PORT | ||
| switchport mode access | ||
| switchport access vlan 10 | ||
| spanning-tree portfast | ||
| no shutdown | ||
|
|
||
| # Layer 2 trunk port | ||
| interface GigabitEthernet0/2 | ||
| description TRUNK-TO-DISTRIBUTION | ||
| switchport mode trunk | ||
| switchport trunk allowed vlan 10,20,30,100 | ||
| switchport trunk native vlan 999 | ||
| no shutdown | ||
|
|
||
| # Loopback — used for management, BGP update-source, router-id | ||
| interface Loopback0 | ||
| description MGMT-LOOPBACK | ||
| ip address 10.255.0.1 255.255.255.255 | ||
| ``` | ||
|
|
||
| ## Privilege Levels | ||
|
|
||
| ``` | ||
| # IOS has 16 privilege levels (0–15) | ||
| # 0 = user EXEC (ping, traceroute, show version) | ||
| # 1 = default user mode | ||
| # 15 = full privileged EXEC (all commands) | ||
|
|
||
| # Assign a specific command to a lower privilege level | ||
| privilege exec level 5 show running-config | ||
|
|
||
| # Create a user at a specific privilege level | ||
| username readonly privilege 5 secret MyPassword | ||
|
|
||
| # Check current privilege level | ||
| show privilege | ||
|
|
||
| # Drop back from privileged to user EXEC | ||
| disable | ||
| ``` | ||
|
|
||
| ## Saving and Verifying Config | ||
|
|
||
| ``` | ||
| # Save running config to startup config (survives reload) | ||
| write memory | ||
| # or equivalently: | ||
| copy running-config startup-config | ||
|
|
||
| # View only the lines you care about | ||
| show running-config | include bgp | ||
| show running-config | include interface|ip address | ||
| show running-config | section router bgp | ||
| show running-config | section interface GigabitEthernet | ||
|
|
||
| # Compare running vs startup (identify unsaved changes) | ||
| show archive config differences nvram:startup-config system:running-config | ||
| ``` | ||
|
|
||
| ## Anti-Patterns | ||
|
|
||
| ``` | ||
| # BAD: Applying an ACL to an interface without testing it first | ||
| # An overly broad deny can black-hole your own management traffic | ||
| # Always verify the ACL with 'show ip access-lists' and test from a safe source first | ||
|
|
||
| # BAD: Using wrong wildcard mask in OSPF network statement | ||
| router ospf 1 | ||
| network 10.0.0.0 255.255.255.0 area 0 # WRONG — this is a subnet mask, not wildcard | ||
| network 10.0.0.0 0.0.0.255 area 0 # CORRECT | ||
|
|
||
| # BAD: Forgetting 'no shutdown' on a new interface | ||
| interface GigabitEthernet0/1 | ||
| ip address 192.168.1.1 255.255.255.0 | ||
| # Missing 'no shutdown' — interface stays down | ||
|
|
||
| # BAD: Putting ACL on wrong interface direction | ||
| # 'in' filters traffic entering the interface (from that network into the router) | ||
| # 'out' filters traffic leaving the interface (from the router to that network) | ||
| ip access-group MYACL in # Applied to the interface, not the ACL definition | ||
| ``` | ||
|
|
||
| ## Best Practices | ||
|
|
||
| - Always add `description` to every interface and BGP neighbor — makes troubleshooting faster | ||
| - Use named ACLs (`ip access-list extended NAME`) instead of numbered — easier to edit individual entries | ||
| - Set `service timestamps log datetime msec localtime` so log entries have useful timestamps | ||
| - Configure `logging buffered 16384 informational` to keep a local syslog buffer | ||
| - Use `no ip domain-lookup` to prevent IOS from trying to DNS-resolve mistyped commands | ||
| - Set `exec-timeout 15 0` on VTY lines so idle sessions don't lock out other users | ||
| - Test ACLs with `show ip access-lists` hit counters before and after applying | ||
|
|
||
| ## Related Skills | ||
|
|
||
| - network-bgp-diagnostics | ||
| - network-interface-health | ||
| - network-config-validation | ||
| - network-acl-design |
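Review bot: `username readonly privilege 5 secret MyPassword` in the Privilege Levels block puts a literal password into a copy-pasteable snippet; use an obvious placeholder such as `<STRONG-SECRET>` and say it must be replaced, the same way the Pi-hole review asks for `${PIHOLE_WEBPASSWORD}` instead of `changeme`. In the same block, `privilege exec level 5 show running-config` gives a level-5 user the entire running config, including any `enable password` or other secret string that the network-config-validation review in this PR treats as reversibly encoded, so the example should either use a less sensitive command or state that exposure next to it. Minor: the comment `# Enter privileged EXEC (requires enable password)` in the mode hierarchy should say `enable secret`, since this PR's own validation guidance steers away from `enable password`; and `network-acl-design` under Related Skills matches no file in the PR's file list (the Greptile summary notes it was removed in a later commit, so this is the outdated view).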
Required skill section structure is missing.
Please align headings to include explicit sections: When to Use, How It Works, and Examples. Current structure uses “When to Activate” and omits the other required section titles.
Minimal heading refactor
-## When to Activate
+## When to Use
+## How It Works
+<!-- Move/organize the procedural reference content under this section -->
+## Examples
+<!-- Add 2-3 concrete task/input-output examples -->
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@skills/cisco-ios-patterns/SKILL.md` around lines 11 - 232, The SKILL.md uses
a nonstandard heading "When to Activate" and omits required sections; rename
"When to Activate" to "When to Use", add a new "How It Works" section (move or
summarize the explanatory content such as "Config Mode Hierarchy", "Critical
gotcha", "Essential Show Commands", and "Wildcard Masks" under it) and add an
"Examples" section (place concrete config snippets like "Interface Configuration
Patterns", ACL examples, and saving/verifying config examples there); ensure
top-level headings are exactly "When to Use", "How It Works", and "Examples" and
leave existing subheadings (e.g., "Config Mode Hierarchy", "Essential Show
Commands", "Wildcard Masks", "Interface Configuration Patterns", "ACL Structure
and Implicit Deny") under the appropriate new sections so the file conforms to
the skills/**/*.md template.
| ## When to Activate | ||
|
|
||
| - Helping someone design or redesign their home network from scratch | ||
| - Choosing between router/switch hardware options for a homelab | ||
| - Designing an IP addressing scheme for a home network | ||
| - Setting up DHCP scoping and reservations | ||
| - Planning a network that will support VLANs, a NAS, a Pi, and self-hosted services | ||
| - Troubleshooting connectivity on a newly built home network | ||
|
|
||
| ## Hardware Roles | ||
|
|
Use the standard skill section names required by the repo.
Please rename/add sections to explicitly include When to Use, How It Works, and Examples.
As per coding guidelines, "skills/**/*.md: Skill format must be Markdown with clear sections for When to Use, How It Works, and Examples".
Also applies to: 163-176
🧰 Tools
🪛 LanguageTool
[grammar] ~14-~14: Ensure spelling is correct
Context: ...en router/switch hardware options for a homelab - Designing an IP addressing scheme for...
(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@skills/homelab-network-setup/SKILL.md` around lines 11 - 21, Replace the
non-standard "When to Activate" header with the required "When to Use" header
and ensure the existing bullet list under "When to Activate" is moved unchanged
under "When to Use"; then add a new "How It Works" section explaining the
skill's technical approach (brief description of expected setup steps,
VLAN/DHCP/IP addressing rationale, and key constraints) and an "Examples"
section with at least one concrete example scenario (e.g., homelab with NAS + Pi
+ VLANs and a sample DHCP reservation/IP plan); search for the headers "When to
Activate" and "Hardware Roles" to locate where to insert/rename these sections
(also apply the same rename/addition for the other similar block referenced
around lines 163-176).
| ## When to Activate | ||
|
|
||
| - Installing Pi-hole on a Raspberry Pi or Linux host | ||
| - Configuring Pi-hole as the DNS server for a home network | ||
| - Adding or managing blocklists | ||
| - Setting up DNS-over-HTTPS (DoH) upstream resolvers | ||
| - Creating local DNS records (e.g. `nas.home.lan`, `pi.home.lan`) | ||
| - Troubleshooting devices that lose internet access after Pi-hole is installed | ||
| - Running Pi-hole alongside or instead of DHCP | ||
|
|
||
| ## How Pi-hole Works | ||
|
|
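Review bot: the local-record examples `nas.home.lan` and `pi.home.lan` use `.lan`, which is not a reserved special-use domain, while the Greptile table says this same skill already discusses `.home.arpa` versus `.local`; `home.arpa` is the name reserved for residential networks (RFC 8375), so `nas.home.arpa` / `pi.home.arpa` in this bullet keeps the examples consistent with the skill's own note and avoids a suffix that could one day resolve publicly.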
Use the required skill section structure (When to Use, How It Works, Examples).
Line 11 uses When to Activate, and there is no explicit Examples section. Please align headings to the required skill template so this stays consistent with repo standards.
As per coding guidelines, "skills/**/*.md: Skill format must be Markdown with clear sections for When to Use, How It Works, and Examples".
Also applies to: 172-249
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@skills/homelab-pihole-dns/SKILL.md` around lines 11 - 22, The section heading
"When to Activate" should be renamed to the required template heading "When to
Use", the heading "How Pi-hole Works" should be changed to the template "How It
Works", and an explicit "Examples" section must be added with representative
usage examples (e.g., installing Pi-hole, setting DNS, creating local records)
so the file follows the repo skill format; apply the same renaming and add
Examples entries for the other affected blocks referenced in the comment (the
later repeated sections) to ensure all skills/**/*.md sections use "When to
Use", "How It Works", and "Examples".
| ## When to Activate | ||
|
|
||
| - Troubleshooting BGP neighbor sessions not reaching Established state | ||
| - Diagnosing why a BGP peer shows Active, Idle, or Connect state | ||
| - Investigating missing or unexpected routes in the BGP table | ||
| - Analyzing AS path attributes, route-maps, or prefix filters | ||
| - Debugging BGP flapping neighbors or high message counts | ||
| - Validating BGP configuration before or after a change window | ||
|
|
||
| ## Reading BGP Summary Output | ||
|
|
Please align this skill to the required section template.
Use explicit When to Use, How It Works, and Examples headings so the format is consistent with skill standards.
As per coding guidelines, "skills/**/*.md: Skill format must be Markdown with clear sections for When to Use, How It Works, and Examples".
Also applies to: 213-226
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@skills/network-bgp-diagnostics/SKILL.md` around lines 11 - 21, The SKILL.md
needs to use the required section headings and structure: replace the current
"When to Activate" heading with "When to Use", add a "How It Works" section
summarizing what the skill does and its diagnostic approach (e.g., reading BGP
summary output, analyzing neighbor states, AS path and filters), and add an
"Examples" section that includes actionable commands or scenarios; apply the
same heading changes to the other occurrence referenced (lines ~213-226) so all
skill markdowns follow the "When to Use", "How It Works", and "Examples"
template consistently.
| ## When to Activate | ||
|
|
||
| - Reviewing IOS/IOS-XE configuration before a change window | ||
| - Validating automation-generated config before applying it to a device | ||
| - Auditing an existing configuration for security or correctness issues | ||
| - Checking for dangerous commands in a proposed config block | ||
| - Verifying subnet consistency and IP address uniqueness across a config | ||
|
|
||
| ## Dangerous Command Detection | ||
|
|
||
| Some commands cause immediate, hard-to-recover impact. Always flag these before applying any config. | ||
|
|
||
| ```python | ||
| import re | ||
| from typing import Optional | ||
|
|
||
| DANGEROUS_PATTERNS: list[tuple[re.Pattern, str]] = [ | ||
| (re.compile(r"\breload\b", re.I), "device reload — causes downtime"), | ||
| (re.compile(r"\berase\s+(startup|nvram|flash)", re.I), "erase persistent storage"), | ||
| (re.compile(r"\bformat\b", re.I), "format filesystem"), | ||
| (re.compile(r"crypto\s+key\s+(generate|zeroize)", re.I), "crypto key operation"), | ||
| (re.compile(r"no\s+router\s+(bgp|ospf|eigrp)", re.I), "remove entire routing process"), | ||
| (re.compile(r"no\s+interface\s+\S+", re.I), "remove interface config"), | ||
| (re.compile(r"aaa\s+new-model", re.I), "AAA model change — can lock you out"), | ||
| (re.compile(r"(username|enable)\s+secret", re.I), "credential change"), | ||
| ] | ||
|
|
||
| def check_dangerous_commands(commands: list[str]) -> list[dict]: | ||
| warnings = [] | ||
| for i, cmd in enumerate(commands, start=1): | ||
| for pattern, reason in DANGEROUS_PATTERNS: | ||
| if pattern.search(cmd.strip()): | ||
| warnings.append({"line": i, "command": cmd.strip(), "reason": reason}) | ||
| return warnings | ||
| ``` | ||
|
|
||
| ## IOS-XE Syntax Validation | ||
|
|
||
| ```python | ||
| import re | ||
|
|
||
| # Known-valid IOS-XE command patterns | ||
| VALID_PATTERNS: list[tuple[re.Pattern, str]] = [ | ||
| (re.compile(r"^interface\s+\S+", re.I), "interface declaration"), | ||
| (re.compile(r"^\s*ip address\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,3}(?:\.\d{1,3}){3}", re.I), "ip address"), | ||
| (re.compile(r"^\s*(no\s+)?shutdown", re.I), "shutdown/no shutdown"), | ||
| (re.compile(r"^\s*description\s+.+", re.I), "description"), | ||
| (re.compile(r"^\s*duplex\s+(auto|full|half)", re.I), "duplex"), | ||
| (re.compile(r"^\s*speed\s+(10|100|1000|auto)", re.I), "speed"), | ||
| (re.compile(r"^router bgp\s+\d+", re.I), "BGP process"), | ||
| (re.compile(r"^\s*neighbor\s+\S+\s+remote-as\s+\d+", re.I), "BGP neighbor"), | ||
| (re.compile(r"^router ospf\s+\d+", re.I), "OSPF process"), | ||
| (re.compile(r"^\s*network\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,3}(?:\.\d{1,3}){3}\s+area\s+\d+", re.I), "OSPF network"), | ||
| (re.compile(r"^ip route\s+\S+\s+\S+", re.I), "static route"), | ||
| (re.compile(r"^(ip )?access-list\s+(standard|extended)\s+\S+", re.I), "ACL declaration"), | ||
| (re.compile(r"^\s*(permit|deny)\s+.+", re.I), "ACL entry"), | ||
| (re.compile(r"^ntp server\s+\S+", re.I), "NTP"), | ||
| (re.compile(r"^logging\s+\S+", re.I), "logging"), | ||
| (re.compile(r"^hostname\s+\S+", re.I), "hostname"), | ||
| (re.compile(r"^exit$", re.I), "exit"), | ||
| (re.compile(r"^!", re.I), "comment"), | ||
| (re.compile(r"^\s*$", re.I), "blank line"), | ||
| ] | ||
|
|
||
| def validate_ios_command(command: str) -> tuple[bool, str]: | ||
| """Returns (is_valid, matched_category).""" | ||
| for pattern, category in VALID_PATTERNS: | ||
| if pattern.match(command.strip()): | ||
| return True, category | ||
| return False, "unknown" | ||
|
|
||
| def validate_config_block(commands: list[str]) -> dict: | ||
| results = [] | ||
| invalid = [] | ||
| for i, cmd in enumerate(commands, start=1): | ||
| valid, category = validate_ios_command(cmd) | ||
| if not valid: | ||
| invalid.append(cmd.strip()) | ||
| results.append({"line": i, "command": cmd.strip(), "valid": valid, "category": category}) | ||
| return { | ||
| "valid": len(invalid) == 0, | ||
| "invalid_commands": invalid, | ||
| "results": results, | ||
| "summary": f"All {len(commands)} commands valid." if not invalid | ||
| else f"{len(invalid)} invalid command(s): {', '.join(invalid)}", | ||
| } | ||
| ``` | ||
|
|
||
| ## Subnet Overlap Detection | ||
|
|
||
| ```python | ||
| import ipaddress | ||
|
|
||
| def find_subnet_overlaps(subnets: list[str]) -> list[tuple[str, str]]: | ||
| """Return pairs of overlapping subnet strings.""" | ||
| networks = [] | ||
| for s in subnets: | ||
| try: | ||
| networks.append(ipaddress.ip_network(s, strict=False)) | ||
| except ValueError: | ||
| pass | ||
| overlaps = [] | ||
| for i, a in enumerate(networks): | ||
| for b in networks[i+1:]: | ||
| if a.overlaps(b): | ||
| overlaps.append((str(a), str(b))) | ||
| return overlaps | ||
|
|
||
| # Extract subnets from a running-config | ||
| import re | ||
| IP_ADDR_RE = re.compile( | ||
| r"ip address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mask>\d{1,3}(?:\.\d{1,3}){3})" | ||
| ) | ||
|
|
||
| def extract_subnets_from_config(config: str) -> list[str]: | ||
| subnets = [] | ||
| for m in IP_ADDR_RE.finditer(config): | ||
| network = ipaddress.ip_interface(f"{m.group('ip')}/{m.group('mask')}").network | ||
| subnets.append(str(network)) | ||
| return subnets | ||
|
|
||
| # Usage | ||
| config = open("router.cfg").read() | ||
| subnets = extract_subnets_from_config(config) | ||
| overlaps = find_subnet_overlaps(subnets) | ||
| if overlaps: | ||
| for a, b in overlaps: | ||
| print(f"OVERLAP: {a} overlaps with {b}") | ||
| ``` | ||
|
|
||
| ## Duplicate IP Detection | ||
|
|
||
| ```python | ||
| from collections import Counter | ||
|
|
||
| def find_duplicate_ips(config: str) -> list[str]: | ||
| """Find IP addresses assigned more than once in a config.""" | ||
| matches = re.findall( | ||
| r"ip address (\d{1,3}(?:\.\d{1,3}){3}) \d{1,3}(?:\.\d{1,3}){3}", | ||
| config, | ||
| re.IGNORECASE, | ||
| ) | ||
| counts = Counter(matches) | ||
| return [ip for ip, count in counts.items() if count > 1] | ||
| ``` | ||
|
|
||
| ## Missing Best Practice Checks | ||
|
|
||
| ```python | ||
| BEST_PRACTICE_CHECKS = [ | ||
| (r"ntp server", "NTP — required for accurate log timestamps"), | ||
| (r"logging \S+", "remote syslog — required for audit trail"), | ||
| (r"snmp-server community", "SNMP — required for monitoring"), | ||
| (r"service timestamps", "timestamps in log messages"), | ||
| (r"banner (motd|login)", "login banner — legal requirement in many orgs"), | ||
| (r"ip ssh version 2", "SSH v2 (v1 has known vulnerabilities)"), | ||
| ] | ||
|
|
||
| def check_best_practices(config: str) -> list[str]: | ||
| missing = [] | ||
| for pattern, description in BEST_PRACTICE_CHECKS: | ||
| if not re.search(pattern, config, re.IGNORECASE): | ||
| missing.append(f"Missing: {description}") | ||
| return missing | ||
| ``` | ||
|
|
||
| ## Security Checks | ||
|
|
||
| ```python | ||
| SECURITY_CHECKS = [ | ||
| # SNMP v2 with 'public' community is a well-known security risk | ||
| (re.compile(r"snmp-server community public", re.I), | ||
| "SNMP community 'public' — change to something non-default"), | ||
| # Open VTY lines with no access-class allow anyone to SSH in | ||
| (re.compile(r"line vty.*\n(?:(?!access-class).)*\n", re.I | re.DOTALL), | ||
| "VTY lines without access-class — restrict SSH access by source IP"), | ||
| # SSH v1 has known vulnerabilities | ||
| (re.compile(r"ip ssh version 1", re.I), | ||
| "SSH version 1 enabled — upgrade to version 2"), | ||
| # Telnet is cleartext | ||
| (re.compile(r"transport input telnet", re.I), | ||
| "Telnet enabled on VTY lines — use SSH only"), | ||
| # No enable secret means enable password is either weak or absent | ||
| (re.compile(r"enable password\b", re.I), | ||
| "enable password (MD5-hashed) — use 'enable secret' instead"), | ||
| ] | ||
|
|
||
| def check_security(config: str) -> list[str]: | ||
| issues = [] | ||
| for pattern, description in SECURITY_CHECKS: | ||
| if pattern.search(config): | ||
| issues.append(f"SECURITY: {description}") | ||
| return issues | ||
| ``` | ||
|
|
||
| ## Full Pre-Flight Report | ||
|
|
||
| ```python | ||
| def pre_flight_check(config_lines: list[str]) -> dict: | ||
| config_str = "\n".join(config_lines) | ||
| dangerous = check_dangerous_commands(config_lines) | ||
| validation = validate_config_block(config_lines) | ||
| security = check_security(config_str) | ||
| best_prac = check_best_practices(config_str) | ||
| subnets = extract_subnets_from_config(config_str) | ||
| overlaps = find_subnet_overlaps(subnets) | ||
| dup_ips = find_duplicate_ips(config_str) | ||
|
|
||
| return { | ||
| "dangerous_commands": dangerous, | ||
| "syntax_valid": validation["valid"], | ||
| "invalid_commands": validation["invalid_commands"], | ||
| "security_issues": security, | ||
| "missing_best_practices": best_prac, | ||
| "subnet_overlaps": overlaps, | ||
| "duplicate_ips": dup_ips, | ||
| "overall": "PASS" if not dangerous and validation["valid"] | ||
| and not security and not overlaps and not dup_ips | ||
| else "FAIL", | ||
| } | ||
| ``` | ||
|
|
||
| ## Anti-Patterns | ||
|
|
||
| ``` | ||
| # BAD: Applying config to a device without a dry-run review | ||
| # One wrong command can take down a production link | ||
|
|
||
| # BAD: Not checking for subnet overlaps when adding new interfaces | ||
| # Overlapping subnets cause routing black holes | ||
|
|
||
| # BAD: Not saving config after changes | ||
| # A reload will lose all running-config changes | ||
|
|
||
| # BAD: Using 'enable password' instead of 'enable secret' | ||
| # 'enable password' uses weak reversible encryption; 'enable secret' uses MD5 | ||
|
|
||
| # BAD: Leaving SNMP community 'public' in production | ||
| # Default SNMP communities are scanned constantly by internet bots | ||
| ``` | ||
|
|
||
| ## Best Practices | ||
|
|
||
| - Always run a pre-flight check before pushing config — dangerous command detection alone prevents major incidents | ||
| - Use `propose_config_change` (dry-run only) before any live `apply_config_change` | ||
| - Verify subnet allocation centrally with IPAM before assigning any new IP range to a device | ||
| - After applying config, run `write memory` and then verify with `show running-config | section <changed section>` | ||
| - Keep ACL entries numbered (e.g. `10`, `20`, `30`) so you can insert rules between them without rewriting | ||
|
|
||
| ## Related Skills | ||
|
|
||
| - cisco-ios-patterns | ||
| - network-bgp-diagnostics | ||
| - network-interface-health | ||
| - netmiko-ssh-automation |
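Review bot: `DANGEROUS_PATTERNS` lists `(username|enable)\s+secret` as a "credential change", so any config containing `enable secret` (the very command the Anti-Patterns block tells readers to use instead of `enable password`) produces a warning, and since `pre_flight_check` returns `"FAIL"` whenever `dangerous` is non-empty, a correctly hardened config can never PASS; drop that entry or report it separately without letting it gate `overall`. In `SECURITY_CHECKS`, the VTY pattern `line vty.*\n(?:(?!access-class).)*\n` compiled with `re.DOTALL` lets `.*` swallow the rest of the file, so it matches as soon as any later line lacks `access-class`, and even without `re.DOTALL` it only inspects the single line after `line vty`; parse the `line vty` stanza up to the next unindented line and report only when no `access-class` appears anywhere in it. The description on the `enable password` entry reads "(MD5-hashed)", which describes `enable secret`: `enable password` stores the password in cleartext or as a reversible Type 7 string, so the message should say that.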
Skill template headings need to match required format.
Please add/rename sections to explicit When to Use, How It Works, and Examples.
As per coding guidelines: skills/**/*.md: Skill format must be Markdown with clear sections for When to Use, How It Works, and Examples.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@skills/network-config-validation/SKILL.md` around lines 11 - 265, Rename and
restructure the top-level sections to match the required template by renaming
"When to Activate" to "When to Use", adding a new "How It Works" section that
briefly describes the implementations (reference functions/checks like
check_dangerous_commands, validate_config_block, find_subnet_overlaps,
extract_subnets_from_config, find_duplicate_ips, check_best_practices,
check_security, and pre_flight_check) and moving the detailed explanations of
each check under it, and add an "Examples" section that contains the usage
snippets (e.g., the router.cfg usage and sample function outputs) so the
document contains explicit "When to Use", "How It Works", and "Examples"
headings.
| ## When to Activate | ||
|
|
||
| - Investigating packet loss or high latency on a specific link | ||
| - Diagnosing CRC errors, input drops, or output drops on an interface | ||
| - Troubleshooting duplex mismatches or speed negotiation issues | ||
| - Investigating an interface that is flapping (going up and down) | ||
| - Reviewing interface health after a cable replacement or hardware change | ||
| - Building automation to monitor interface error counters at scale | ||
|
|
||
| ## Reading `show interfaces` Output | ||
|
|
Please normalize to the required skill sections.
This file should explicitly include When to Use, How It Works, and Examples headings to match repository skill format.
As per coding guidelines, "skills/**/*.md: Skill format must be Markdown with clear sections for When to Use, How It Works, and Examples".
Also applies to: 232-245
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@skills/network-interface-health/SKILL.md` around lines 11 - 21, Normalize the
skill markdown by adding explicit "When to Use", "How It Works", and "Examples"
headings and moving the existing bullet list under "When to Use"; create a "How
It Works" section that explains what to examine in `show interfaces` output
(error counters, CRC, input/output drops, duplex/speed negotiation, flapping
indicators) and how those metrics relate to faults; add an "Examples" section
with representative commands (e.g., show interfaces <interface>, show interfaces
counters errors) and brief expected output/interpretation lines; ensure the file
SKILL.md matches the repository skill format and apply the same heading
normalization to the remaining similar sections referenced.
18 issues found across 13 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="skills/cisco-ios-patterns/SKILL.md">
<violation number="1" location="skills/cisco-ios-patterns/SKILL.md:232">
P2: Related Skills references `network-acl-design`, but no corresponding skill exists in the repository, creating a dangling cross-skill link.</violation>
</file>
<file name="skills/network-bgp-diagnostics/SKILL.md">
<violation number="1" location="skills/network-bgp-diagnostics/SKILL.md:226">
P2: Related skill slug points to a non-existent skill, creating a broken cross-reference.</violation>
</file>
<file name="skills/homelab-wireguard-vpn/SKILL.md">
<violation number="1" location="skills/homelab-wireguard-vpn/SKILL.md:44">
P2: WireGuard server key generation writes into `/etc/wireguard` without privilege elevation, so the documented command can fail with permission errors.</violation>
<violation number="2" location="skills/homelab-wireguard-vpn/SKILL.md:53">
P2: The example hardcodes `-o eth0` for NAT, which breaks on hosts with different interface names (ens*, enp*, wlan0). Use a placeholder or variable for the outbound interface so the instructions work across common Linux setups.</violation>
<violation number="3" location="skills/homelab-wireguard-vpn/SKILL.md:92">
P2: Full-tunnel client example is IPv4-only and omits `::/0`, so IPv6 may bypass the VPN.</violation>
<violation number="4" location="skills/homelab-wireguard-vpn/SKILL.md:124">
P2: `wg pubkey` failures are silently ignored because `subprocess.run` is used without `check=True`/return-code handling.</violation>
</file>
<file name="skills/homelab-vlan-segmentation/SKILL.md">
<violation number="1" location="skills/homelab-vlan-segmentation/SKILL.md:137">
P2: The IoT firewall template blocks RFC1918 before allowing internet, which conflicts with the recommended Pi-hole DNS server on 192.168.30.2 and can break IoT DNS resolution.</violation>
<violation number="2" location="skills/homelab-vlan-segmentation/SKILL.md:168">
P1: MikroTik VLAN example is incomplete for isolation because it omits bridge VLAN table configuration and enabling `vlan-filtering` on the bridge.</violation>
</file>
<file name="agents/network-troubleshooter.md">
<violation number="1" location="agents/network-troubleshooter.md:86">
P1: The playbook recommends temporarily removing an ACL, which conflicts with the stated diagnose-only role and can weaken security controls during troubleshooting.</violation>
</file>
<file name="skills/network-config-validation/SKILL.md">
<violation number="1" location="skills/network-config-validation/SKILL.md:163">
P2: The `BEST_PRACTICE_CHECKS` list flags missing `snmp-server community` as a required best practice ("SNMP — required for monitoring"), but `SECURITY_CHECKS` below flags the presence of `snmp-server community public` as a security risk. Together these nudge users toward configuring SNMP v2 community strings (to satisfy the best-practice check), which the security check then penalizes. Many hardened devices intentionally have no SNMP v2 at all. Replace this with a check for SNMPv3 (`snmp-server group`) or remove it from the best-practice list.</violation>
<violation number="2" location="skills/network-config-validation/SKILL.md:185">
P1: The `re.DOTALL` flag causes `.` to match newlines, so `(?:(?!access-class).)*` will span across multiple lines of the VTY block. A correctly configured VTY block with `access-class` on line 2 or 3 (after `exec-timeout` or `transport input ssh`) will still match this pattern, producing a false positive security finding. Remove `re.DOTALL` so `.` stays within a single line.</violation>
</file>
<file name="agents/homelab-architect.md">
<violation number="1" location="agents/homelab-architect.md:64">
P2: CIDR base notation is inconsistent (`192.168.x.0/16`) and can mislead generated network plans.</violation>
</file>
<file name="skills/network-interface-health/SKILL.md">
<violation number="1" location="skills/network-interface-health/SKILL.md:189">
P2: Interface parsing uses an arbitrary 1000-character chunk, which can miss counters or attribute them to the wrong interface.</violation>
<violation number="2" location="skills/network-interface-health/SKILL.md:237">
P2: Runbook contains internally contradictory duplex/speed guidance (auto-negotiate preferred vs never rely on auto), which can cause inconsistent link configuration decisions.</violation>
</file>
<file name="skills/homelab-pihole-dns/SKILL.md">
<violation number="1" location="skills/homelab-pihole-dns/SKILL.md:51">
P2: User-facing instructions execute/download from unvetted external, mutable endpoints (curl | bash installer, raw GitHub blocklists, `latest/download` binary), which violates the team guidance to avoid external repo links in docs and introduces supply-chain risk.</violation>
<violation number="2" location="skills/homelab-pihole-dns/SKILL.md:77">
P2: Docker example hardcodes a weak Pi-hole admin password (`changeme`), creating an insecure-by-default setup if copied as-is.</violation>
</file>
<file name="skills/homelab-network-setup/SKILL.md">
<violation number="1" location="skills/homelab-network-setup/SKILL.md:86">
P2: DHCP guidance recommends non-standard local domain `home.lan` instead of standards-reserved `home.arpa`, which can cause naming conflicts/leakage.</violation>
</file>
<file name="agents/network-config-reviewer.md">
<violation number="1" location="agents/network-config-reviewer.md:34">
P2: Severity guidance is internally contradictory for the same finding, which can cause incorrect WARNING vs BLOCK verdicts.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
| Range: .21 to .254 (reserve .1–.20 for static) | ||
| DNS: point to Pi-hole IP if you have one, otherwise gateway IP | ||
| Lease time: 86400 (24h) for trusted; 3600 (1h) for IoT/guest | ||
| Domain: home.lan (makes hostnames like nas.home.lan work) |
P2: DHCP guidance recommends non-standard local domain home.lan instead of standards-reserved home.arpa, which can cause naming conflicts/leakage.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At skills/homelab-network-setup/SKILL.md, line 86:
<comment>DHCP guidance recommends non-standard local domain `home.lan` instead of standards-reserved `home.arpa`, which can cause naming conflicts/leakage.</comment>
<file context>
@@ -0,0 +1,176 @@
+ Range: .21 to .254 (reserve .1–.20 for static)
+ DNS: point to Pi-hole IP if you have one, otherwise gateway IP
+ Lease time: 86400 (24h) for trusted; 3600 (1h) for IoT/guest
+ Domain: home.lan (makes hostnames like nas.home.lan work)
+
+# DHCP reservations (static IP by MAC address) — set these for:
</file context>
| @@ -0,0 +1,182 @@ | |||
| --- | |||
P2: Severity guidance is internally contradictory for the same finding, which can cause incorrect WARNING vs BLOCK verdicts.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At agents/network-config-reviewer.md, line 34:
<comment>Severity guidance is internally contradictory for the same finding, which can cause incorrect WARNING vs BLOCK verdicts.</comment>
<file context>
@@ -0,0 +1,182 @@
+
+Check each category:
+
+**Remote Access Security (HIGH)**
+```
+# CRITICAL: VTY lines with no access restriction
</file context>
ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR.
♻️ Duplicate comments (1)
skills/homelab-vlan-segmentation/SKILL.md (1)
11-21: ⚠️ Potential issue | 🟡 Minor. Please align this skill to the required section headings.
This file still uses custom headings (`When to Activate`, `What VLANs Do`) and does not include an explicit `Examples` section. Please rename to `When to Use` and `How It Works`, and add `## Examples` with at least one concrete VLAN scenario.
Suggested patch
-## When to Activate +## When to Use @@ -## What VLANs Do +## How It Works @@ ## Related Skills - homelab-network-setup - homelab-pihole-dns - homelab-wireguard-vpn + +## Examples + +- Example: Block IoT (VLAN 20) from Trusted (VLAN 10), but allow IoT DNS to `192.168.30.2:53` (Pi-hole in Servers VLAN). +- Example: Map SSID `Guest` to VLAN 40 and enforce internet-only access with a local-network deny rule.
As per coding guidelines, "skills/**/*.md: Skill format must be Markdown with clear sections for When to Use, How It Works, and Examples".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@skills/homelab-vlan-segmentation/SKILL.md` around lines 11 - 21, Rename the custom headings: change "## When to Activate" to "## When to Use" and "## What VLANs Do" to "## How It Works" in SKILL.md; then add a new "## Examples" section containing at least one concrete VLAN scenario (include VLAN IDs, which devices go on each VLAN, SSID-to-VLAN mapping or port/trunk behavior, and the purpose e.g., IoT isolation or guest Wi‑Fi) so the skill follows the required When to Use / How It Works / Examples structure.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@skills/homelab-vlan-segmentation/SKILL.md`:
- Around line 11-21: Rename the custom headings: change "## When to Activate" to
"## When to Use" and "## What VLANs Do" to "## How It Works" in SKILL.md; then
add a new "## Examples" section containing at least one concrete VLAN scenario
(include VLAN IDs, which devices go on each VLAN, SSID-to-VLAN mapping or
port/trunk behavior, and the purpose e.g., IoT isolation or guest Wi‑Fi) so the
skill follows the required When to Use / How It Works / Examples structure.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: aa73cf82-8d93-431d-85b2-12834a6ea0f7
📒 Files selected for processing (8)
- agents/network-config-reviewer.md
- agents/network-troubleshooter.md
- skills/cisco-ios-patterns/SKILL.md
- skills/homelab-pihole-dns/SKILL.md
- skills/homelab-vlan-segmentation/SKILL.md
- skills/network-bgp-diagnostics/SKILL.md
- skills/network-config-validation/SKILL.md
- skills/network-interface-health/SKILL.md
✅ Files skipped from review due to trivial changes (5)
- skills/homelab-pihole-dns/SKILL.md
- agents/network-config-reviewer.md
- skills/network-config-validation/SKILL.md
- skills/network-bgp-diagnostics/SKILL.md
- skills/cisco-ios-patterns/SKILL.md
🚧 Files skipped from review as they are similar to previous changes (1)
- skills/network-interface-health/SKILL.md
ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@skills/homelab-vlan-segmentation/SKILL.md`:
- Line 290: The bullet "Put Pi-hole in Servers VLAN and add a firewall rule
allowing DNS (port 53) from all other VLANs" is awkwardly cased and runs on;
update the SKILL.md entry by either splitting it into two separate bullets ("Put
Pi-hole in Servers VLAN." and "Add a firewall rule allowing DNS (port 53) from
all other VLANs.") or by lowercasing "put" to continue the sentence cleanly
("put Pi-hole in Servers VLAN and add a firewall rule allowing DNS (port 53)
from all other VLANs."), ensuring punctuation and parallelism match the
surrounding bullets.
- Around line 252-265: Remove the incorrect AP mention from the access-port
example: edit the block that starts "A port connecting to a PC in your office
should be an access port" to only list PC (VLAN: 10, untagged) and delete the
line that says "A port connecting to an AP should be an access port"; ensure the
later trunk example for APs (SSID → VLAN mappings) remains as the authoritative
guidance so AP uplinks are configured as trunks carrying multiple VLAN tags.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 20bc8315-17a7-4888-bbb2-005741913bae
📒 Files selected for processing (1)
skills/homelab-vlan-segmentation/SKILL.md
1 issue found across 1 file (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="skills/homelab-vlan-segmentation/SKILL.md">
<violation number="1" location="skills/homelab-vlan-segmentation/SKILL.md:11">
P2: Heading renamed to "When to Use" deviates from required "When to Activate" section used for auto-activation, risking tooling/metadata parsing failures.</violation>
</file>
… overall gate, fix AP trunk guidance
ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR.
♻️ Duplicate comments (1)
skills/homelab-vlan-segmentation/SKILL.md (1)
11-11: ⚠️ Potential issue | 🟡 Minor. Use the required heading: `When to Use`
This skill still uses `When to Activate`, which breaks the required skill section format.
Suggested fix
-## When to Activate +## When to Use
As per coding guidelines, "skills/**/*.md: Skill format must be Markdown with clear sections for When to Use, How It Works, and Examples".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@skills/homelab-vlan-segmentation/SKILL.md` at line 11, Replace the incorrect heading "When to Activate" with the required heading "When to Use" in the SKILL.md so the skill conforms to the standard sections; update the header text exactly (change the string "When to Activate" to "When to Use") and ensure the section content beneath that header remains unchanged so the file now contains the required "When to Use", "How It Works", and "Examples" sections.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@skills/homelab-vlan-segmentation/SKILL.md`:
- Line 11: Replace the incorrect heading "When to Activate" with the required
heading "When to Use" in the SKILL.md so the skill conforms to the standard
sections; update the header text exactly (change the string "When to Activate"
to "When to Use") and ensure the section content beneath that header remains
unchanged so the file now contains the required "When to Use", "How It Works",
and "Examples" sections.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: e21e21ba-2eb3-4e07-8a62-83c0feb356fa
📒 Files selected for processing (2)
- skills/homelab-vlan-segmentation/SKILL.md
- skills/network-config-validation/SKILL.md
✅ Files skipped from review due to trivial changes (1)
- skills/network-config-validation/SKILL.md
Summary
Adds two new skill categories to ECC — a domain that doesn't currently exist in the repo.
Network Engineering (5 skills)
- `network-bgp-diagnostics` — BGP neighbor state diagnosis, AS path analysis, stuck session troubleshooting
- `cisco-ios-patterns` — IOS/IOS-XE config syntax, show commands, wildcard masks, privilege levels
- `network-interface-health` — CRC errors, duplex mismatches, drops, flap detection + Python parser
- `netmiko-ssh-automation` — multi-vendor SSH automation, parallel batch ops, TextFSM parsing
- `network-config-validation` — dangerous command detection, syntax validation, subnet overlap/duplicate IP checks
Homelab (4 skills)
- `homelab-network-setup` — IP scheme design, hardware selection, DHCP, common beginner mistakes
- `homelab-vlan-segmentation` — IoT/guest/trusted VLANs on UniFi, pfSense, MikroTik
- `homelab-pihole-dns` — Pi-hole install, blocklists, DNS-over-HTTPS, local DNS records
- `homelab-wireguard-vpn` — WireGuard server, peer config, split tunnel, DDNS, key generation
Agents (4)
- `network-troubleshooter` — OSI-layer-by-layer symptom diagnosis with ranked hypotheses
- `network-config-reviewer` — security audit for router/switch configs (VTY, SNMP, ACLs, NTP)
- `network-architect` — enterprise network design from requirements (WAN, DC, routing, segmentation)
- `homelab-architect` — complete home network plan from hardware inventory + goals
Type
Testing
All skills and agents manually tested in Claude Code. Each skill auto-activates correctly on relevant prompts. Full verification log available on request.
Checklist
Closes #1412
Summary by cubic
Adds Network Engineering and Homelab skill categories plus four agents for design, config review, and troubleshooting. Includes Examples sections for clearer guidance and fixes IoT DNS rule ordering, AP trunk guidance, and a pre-flight gate error.
New Features
- `network-troubleshooter`, `network-config-reviewer`, `network-architect`, `homelab-architect`.
Bug Fixes
Written for commit 93e5551. Summary will update on new commits.
Summary by CodeRabbit
New Features
Documentation