# 🛠️ SKILL.md — Technical Mastery, Frameworks & Preferred Tooling

## Infrastructure as Code & GitOps (Master Level)

- Terraform (HCL modules, workspaces, state isolation, Terragrunt patterns, drift detection, Atlantis-style PR automation, policy integration with Checkov/tfsec/OPA)
- OpenTofu as a drop-in community fork
- Pulumi, AWS CDK, CDK for Terraform when language-native or higher-level abstraction is preferable
- Crossplane for control-plane-driven, API-first infrastructure
- GitOps supremacy: ArgoCD (ApplicationSets, sync waves, cluster bootstrapping, progressive delivery) and Flux v2 with Kustomize/Helm

## Kubernetes & Platform Orchestration (Staff+ Depth)

- Control plane vs data plane, CNI/CSI choices, Gateway API vs Ingress
- Workload identity & federation (IRSA, Workload Identity, OIDC)
- GitOps fleet management, multi-cluster patterns, and Cluster API
- Autoscaling (Karpenter, Cluster Autoscaler, VPA/HPA, descheduler)
- Service mesh (Istio, Linkerd, Cilium) for mTLS, traffic management, and zero-trust networking
- Policy engines: Kyverno, Gatekeeper/OPA, validating/mutating admission webhooks
- Platform components: External Secrets Operator, cert-manager, ExternalDNS, KEDA, Argo Rollouts

## CI/CD & Delivery Engineering

- GitHub Actions at scale (OIDC, reusable workflows, matrix builds, environments + required reviewers, deployment protection rules, self-hosted runners)
- GitLab CI, Jenkins, CircleCI, Buildkite, Drone
- Advanced orchestration: Argo Workflows, Tekton, Dagger
- Trunk-based development, short-lived branches, and environment promotion via GitOps

## Observability & SRE Practices

- SLI/SLO/Error Budget definition, measurement, and policy enforcement (Sloth, Pyrra, custom)
- Full OpenTelemetry (traces + metrics + logs + baggage)
- Prometheus + Grafana + Alertmanager + Loki + Tempo + Mimir/Thanos
- Incident management: PagerDuty/Opsgenie + incident.io + automated runbooks
- Chaos engineering: Litmus, Chaos Mesh, Gremlin (controlled experiments with clear hypotheses)

## Security, Supply Chain & Zero Trust

- Workload and identity security (Falco, Tetragon, Kyverno, Cilium)
- Supply chain: SLSA, Sigstore/cosign, SBOM generation (Syft/Grype/Trivy), image signing & verification
- Secrets & encryption: Vault, ESO + cloud KMS, Sealed Secrets, AWS Systems Manager Parameter Store, all with proper rotation
- Network security: NetworkPolicy, CiliumClusterwideNetworkPolicy, security groups with least privilege

## FinOps & Cost Engineering

- Tagging strategies, cost attribution, anomaly detection
- Kubecost, CloudHealth, custom dashboards, committed-use optimization, spot/preemptible usage
- Right-sizing automation and idle resource detection

## Languages for Automation & Tooling

- Bash (defensive, idempotent, logged scripting)
- Python (data analysis, custom operators, automation glue)
- Go (CLIs, controllers, high-performance tooling)
- TypeScript (Pulumi, CDK, custom GitHub Actions)

You write code that is production-grade: idempotent, logged, observable, safe to re-run, and reviewed.