RHEcosystemAppEng · GuyZivRH · May 11, 2026 · May 11, 2026 · May 12, 2026 · May 14, 2026
@@ -0,0 +1,67 @@
+# rh-developer Plugin
+
+You are an application developer assistant for Red Hat platforms. You help users build, containerize, deploy, and troubleshoot applications on OpenShift clusters and standalone RHEL/Fedora/CentOS systems.
+
+## Skill-First Rule
+
+ALWAYS use the appropriate skill for developer tasks. Do NOT call MCP tools (openshift, podman, github, lightspeed-mcp) directly — skills handle error recovery, human-in-the-loop confirmations, and fallbacks automatically.
+
+To invoke a skill, use the Skill tool with the skill name (e.g., `/deploy`).
+
+## Intent Routing
+
+Match the user's request to the correct skill:
+
+| When the user asks about... | Use skill |
+|---|---|
+| Detect language, framework, analyze project, scan repo, identify runtime | `/detect-project` |
+| Recommend builder image, S2I image, base image, image selection | `/recommend-image` |
+| S2I build, source-to-image, BuildConfig, build container image | `/s2i-build` |
+| Deploy to OpenShift, create Deployment, Service, Route, expose app | `/deploy` |
+| Helm chart, Helm deploy, Helm install, Helm values, chart template | `/helm-deploy` |
+| Deploy to RHEL, Fedora, CentOS, SSH deploy, systemd service, Podman on RHEL | `/rhel-deploy` |
+| End-to-end deployment, containerize and deploy, full workflow, deploy from source | `/containerize-deploy` |
+| Build failure, BuildConfig error, S2I error, build logs, failed build | `/debug-build` |
+| Pod failure, CrashLoopBackOff, ImagePullBackOff, OOMKilled, Pending pod | `/debug-pod` |
+| Container issue, Podman/Docker failure, local container debug, container crash | `/debug-container` |
+| Network issue, DNS, Service connectivity, Route, NetworkPolicy, ingress | `/debug-network` |
+| Pipeline failure, Tekton, PipelineRun, TaskRun error, pipeline logs | `/debug-pipeline` |
+| RHEL issue, systemd, SELinux, firewall, journal logs, system service | `/debug-rhel` |
+| Incident investigation, root cause analysis, triage alert, five whys, outage diagnosis, multi-resource issue | `/incident-triage` |
+| Check tools, verify cluster access, validate environment, prerequisites | `/validate-environment` |
+
+If the request doesn't clearly match one skill, ask the user to clarify. For complex or multi-resource issues where the root cause is unclear, prefer `/incident-triage` over individual debug skills.
+
+## Skill Chaining
+
+Some workflows require multiple skills in sequence:
+
+- **Full app deployment (S2I)**: `/detect-project` -> `/recommend-image` (optional) -> `/s2i-build` -> `/deploy`
+- **Helm deployment**: `/detect-project` -> `/helm-deploy`
+- **RHEL deployment**: `/detect-project` -> `/rhel-deploy`
+- **Unified workflow**: `/containerize-deploy` (orchestrates all above based on user selection)
+- **Pre-flight check**: Run `/validate-environment` before any deployment skill
+- **Build failure recovery**: `/debug-build` -> fix -> `/s2i-build` retry
+- **Pod failure recovery**: `/debug-pod` or `/debug-network` -> fix -> `/deploy` retry
+- **RHEL failure recovery**: `/debug-rhel` or `/debug-container` -> fix -> `/rhel-deploy` retry
+- **Incident triage**: `/incident-triage` -> identifies root cause -> routes to `/debug-pod`, `/debug-network`, or `/deploy` for targeted fix
+
+After completing a skill, suggest relevant next-step skills to the user.
+
+## MCP Servers
+
+Five MCP servers are available. Skills manage these automatically — do not call their tools directly.
+
+- **openshift** (Required) — Kubernetes resource CRUD, pod logs, events, Helm operations. The reliable foundation.
+- **observability** (Required) — Prometheus metric discovery, metadata, series, and PromQL queries. Used by `/incident-triage` for trend analysis and saturation detection.
+- **podman** (Required) — Local container builds and image management via Podman.
+- **github** (Optional) — Remote repository browsing and code analysis. Used by `/detect-project` for GitHub URLs.
+- **lightspeed-mcp** (Optional) — CVE vulnerability data, advisor rules, RHEL lifecycle checks. Used by `/rhel-deploy` and `/debug-rhel`.
+
+## Global Rules
+
+1. **Never expose credentials** — do not display API keys, passwords, tokens, or secret values in output. Only report whether they exist.
+2. **Confirm before creating resources** — always show the resource manifest (with credentials redacted) and wait for explicit user approval before creating, modifying, or deleting cluster or system resources.
+3. **Never auto-delete** — destructive operations (delete Deployment, remove systemd service, delete BuildConfig) always require user confirmation with a data-loss warning.
+4. **Report fallbacks transparently** — if a preferred tool fails and a fallback is used, briefly note it.
+5. **Suggest next steps** — after completing a skill, suggest related skills the user might want to run next.
@@ -0,0 +1,308 @@
+---
+title: S2I Builder Image Reference
+category: containers
+sources:
+  - title: Red Hat Container Catalog
+    url: https://catalog.redhat.com/software/containers/search
+    sections: UBI images, S2I builders
+    date_accessed: 2026-02-08
+  - title: OpenShift Source-to-Image (S2I)
+    url: https://docs.openshift.com/container-platform/latest/openshift_images/using_images/using-s21-images.html
+    sections: S2I builder images, Language detection
+    date_accessed: 2026-02-08
+  - title: Red Hat Universal Base Images
+    url: https://developers.redhat.com/products/rhel/ubi
+    sections: UBI9 images, Language runtimes
+    date_accessed: 2026-02-08
+---
+
+# S2I Builder Image Reference
+
+Use this reference when recommending S2I builder images to users.
+
+> **Note:** Versions marked "Recommended" may change. Always verify with `skopeo inspect` before use. Prefer matching the project's version requirements over these defaults.
+
+For use-case-aware image selection, use the `/recommend-image` skill.
+
+---
+
+## Dynamic Lookup and Verification
+
+**This reference may be outdated.** Always verify image availability before recommending.
+
+### Verify with Skopeo (Recommended)
+
+```bash
+# Check if an image exists and get metadata
+skopeo inspect docker://registry.access.redhat.com/ubi9/nodejs-20
+
+# Get specific fields
+skopeo inspect docker://registry.access.redhat.com/ubi9/nodejs-20 --format '{{.Created}}'
+skopeo inspect docker://registry.access.redhat.com/ubi9/nodejs-20 --format '{{.Architecture}}'
+
+# List all available tags
+skopeo list-tags docker://registry.access.redhat.com/ubi9/nodejs-20
+```
+
+**If skopeo is not installed**, prompt the user:
+```
+Install with: sudo dnf install skopeo (Fedora/RHEL)
+              sudo apt install skopeo (Ubuntu/Debian)
+              brew install skopeo (macOS)
+```
+
+### Check Security Status (Red Hat Security Data API)
+
+Query CVE information (no authentication required):
+
+```bash
+# Check for critical CVEs affecting UBI9
+curl -s "https://access.redhat.com/hydra/rest/securitydata/cve.json?product=Red%20Hat%20Universal%20Base%20Image%209&severity=critical" | jq 'length'
+
+# Get CVE details
+curl -s "https://access.redhat.com/hydra/rest/securitydata/cve.json?product=Red%20Hat%20Universal%20Base%20Image%209&severity=critical" | jq '.[] | {cve: .CVE, severity: .severity}'
+```
+
+### Verify with Red Hat Catalog API (Alternative)
+
+```bash
+# Search for available Node.js images
+curl -s "https://catalog.redhat.com/api/containers/v1/repositories?filter=repository=like=ubi9/nodejs" | jq '.data[].repository'
+
+# Search for available Python images
+curl -s "https://catalog.redhat.com/api/containers/v1/repositories?filter=repository=like=ubi9/python" | jq '.data[].repository'
+```
+
+---
+
+## Project Detection and Version Mapping
+
+### Extract Version from Project Files
+
+Before recommending an image, check the project's version requirements:
+
+| Project File | How to Extract Version |
+|--------------|------------------------|
+| `package.json` | `.engines.node` field |
+| `requirements.txt` | `python_requires` or comments |
+| `pyproject.toml` | `[project].requires-python` |
+| `pom.xml` | `<maven.compiler.source>` or `<java.version>` |
+| `go.mod` | `go` directive (e.g., `go 1.21`) |
+| `*.csproj` | `<TargetFramework>` (e.g., `net8.0`) |
+
+### Detect Language from Files
+
+| Indicator File(s) | Language | Framework | Version Source |
+|-------------------|----------|-----------|----------------|
+| `package.json` | Node.js | - | `.engines.node` |
+| `package.json` + `next.config.js` | Node.js | Next.js | `.engines.node` |
+| `package.json` + `angular.json` | Node.js | Angular | `.engines.node` |
+| `pom.xml` | Java | Maven | `<java.version>` or `<maven.compiler.source>` |
+| `pom.xml` + quarkus dep | Java | Quarkus | `<java.version>` (prefer 21+) |
+| `pom.xml` + spring-boot dep | Java | Spring Boot | `<java.version>` |
+| `build.gradle` / `build.gradle.kts` | Java | Gradle | `sourceCompatibility` or `java.toolchain` |
+| `requirements.txt` | Python | - | `python_requires` or shebang |
+| `Pipfile` | Python | Pipenv | `[requires].python_version` |
+| `pyproject.toml` | Python | Poetry/Modern | `[project].requires-python` |
+| `go.mod` | Go | - | `go` directive line |
+| `Gemfile` | Ruby | - | `ruby` directive or `.ruby-version` |
+| `*.csproj` / `*.sln` | .NET | - | `<TargetFramework>` (e.g., net8.0 → 80) |
+| `composer.json` | PHP | - | `require.php` field |
+| `Cargo.toml` | Rust | - | Custom (no official S2I) |
+
+### Map Version to Image
+
+**Quick lookup pattern:** `ubi9/{language}-{version}` (e.g., `ubi9/nodejs-20`, `ubi9/python-311`)
+
+| Language | Version Mapping | Image Pattern |
+|----------|-----------------|---------------|
+| Node.js | 18.x → 18, 20.x → 20, 22.x → 22 | `ubi9/nodejs-{major}` |
+| Python | 3.9 → 39, 3.11 → 311, 3.12 → 312 | `ubi9/python-{majmin}` |
+| Java | 11, 17, 21 (use nearest LTS) | `ubi9/openjdk-{version}` |
+| Go | 1.21 → 1.21, 1.22 → 1.22 | `ubi9/go-toolset:{version}` |
+| Ruby | 3.1 → 31, 3.3 → 33 | `ubi9/ruby-{majmin}` |
+| .NET | net6.0 → 60, net8.0 → 80 | `ubi9/dotnet-{version}` |
+| PHP | 8.0 → 80, 8.1 → 81 | `ubi9/php-{majmin}` |
+
+### Verify and Fallback
+
+1. **Verify image exists**: `skopeo inspect docker://registry.access.redhat.com/ubi9/{image}`
+2. **If version not found**: Use nearest available LTS version
+3. **If no version in project**: Use current LTS (check catalog API)
+
+---
+
+## Red Hat UBI-based Images
+
+### Node.js
+
+| Version | Full Image | Minimal Image | Use Case |
+|---------|------------|---------------|----------|
+| 18 LTS | `registry.access.redhat.com/ubi9/nodejs-18` | `registry.access.redhat.com/ubi9/nodejs-18-minimal` | Long-term support |
+| 20 LTS | `registry.access.redhat.com/ubi9/nodejs-20` | `registry.access.redhat.com/ubi9/nodejs-20-minimal` | **Recommended** |
+| 22 | `registry.access.redhat.com/ubi9/nodejs-22` | `registry.access.redhat.com/ubi9/nodejs-22-minimal` | Current |
+
+**Choose minimal for:** Production, security-focused, smaller image size
+**Choose full for:** Development, native module compilation
+
+### Python
+
+| Version | Image | Notes |
+|---------|-------|-------|
+| 3.9 | `registry.access.redhat.com/ubi9/python-39` | |
+| 3.11 | `registry.access.redhat.com/ubi9/python-311` | **Recommended** |
+| 3.12 | `registry.access.redhat.com/ubi9/python-312` | Latest |
+
+### Java / OpenJDK
+
+| Version | Build Image | Runtime Image | Notes |
+|---------|-------------|---------------|-------|
+| 11 LTS | `registry.access.redhat.com/ubi8/openjdk-11` | `registry.access.redhat.com/ubi8/openjdk-11-runtime` | LTS |
+| 17 LTS | `registry.access.redhat.com/ubi9/openjdk-17` | `registry.access.redhat.com/ubi9/openjdk-17-runtime` | **Recommended** |
+| 21 LTS | `registry.access.redhat.com/ubi9/openjdk-21` | `registry.access.redhat.com/ubi9/openjdk-21-runtime` | Latest LTS |
+
+**Choose runtime for:** Production with pre-built JARs, smallest footprint
+**Choose build for:** S2I builds, Maven/Gradle compilation needed
+
+### Go
+
+| Version | Image | Notes |
+|---------|-------|-------|
+| 1.20 | `registry.access.redhat.com/ubi9/go-toolset:1.20` | |
+| 1.21 | `registry.access.redhat.com/ubi9/go-toolset:1.21` | **Recommended** |
+
+### Ruby
+
+| Version | Image | Notes |
+|---------|-------|-------|
+| 3.1 | `registry.access.redhat.com/ubi9/ruby-31` | |
+| 3.3 | `registry.access.redhat.com/ubi9/ruby-33` | **Recommended** |
+
+### .NET
+
+| Version | Build Image | Runtime Image | Notes |
+|---------|-------------|---------------|-------|
+| 6.0 LTS | `registry.access.redhat.com/ubi8/dotnet-60` | `registry.access.redhat.com/ubi8/dotnet-60-runtime` | LTS |
+| 7.0 | `registry.access.redhat.com/ubi8/dotnet-70` | `registry.access.redhat.com/ubi8/dotnet-70-runtime` | |
+| 8.0 LTS | `registry.access.redhat.com/ubi9/dotnet-80` | `registry.access.redhat.com/ubi9/dotnet-80-runtime` | **Recommended** |
+
+**Choose runtime for:** Production with pre-built assemblies
+**Choose build for:** S2I builds, dotnet build/publish needed
+
+### PHP
+
+| Version | Image | Notes |
+|---------|-------|-------|
+| 8.0 | `registry.access.redhat.com/ubi9/php-80` | |
+| 8.1 | `registry.access.redhat.com/ubi9/php-81` | **Recommended** |
+
+### Perl
+
+| Version | Image | Notes |
+|---------|-------|-------|
+| 5.32 | `registry.access.redhat.com/ubi9/perl-532` | |
+
+---
+
+## Image Variants and Use-Case Selection
+
+### Quick Use-Case Matrix
+
+| Use Case | Variant | Priority | Example |
+|----------|---------|----------|---------|
+| Production | Minimal/Runtime | Security, Size | `nodejs-20-minimal` |
+| Development | Full | Tools, Debug | `nodejs-20` |
+| Serverless | Minimal | Startup Time | `openjdk-21-runtime` |
+| Edge/IoT | Minimal | Size | `nodejs-20-minimal` |
+
+### Image Variants
+
+| Variant | Description | Has Build Tools | Size |
+|---------|-------------|-----------------|------|
+| Full | Complete development environment | Yes | Largest |
+| Minimal | Essential packages only | Limited | Medium |
+| Runtime | Runtime only, no build tools | No | Smallest |
+
+**Availability by language:**
+
+| Language | Full | Minimal | Runtime |
+|----------|------|---------|---------|
+| Node.js | `nodejs-{ver}` | `nodejs-{ver}-minimal` | - |
+| Python | `python-{ver}` | - | - |
+| Java | `openjdk-{ver}` | - | `openjdk-{ver}-runtime` |
+| Go | `go-toolset:{ver}` | - | (produces static binary) |
+| .NET | `dotnet-{ver}` | - | `dotnet-{ver}-runtime` |
+| Ruby | `ruby-{ver}` | - | - |
+| PHP | `php-{ver}` | - | - |
+
+### When to Recommend Each Variant
+
+**Full variant:**
+- User needs to compile native extensions
+- Development/debugging environment
+- CI/CD build stages
+
+**Minimal variant:**
+- Production deployments
+- Security-focused environments
+- When size matters but some tools needed
+
+**Runtime variant:**
+- Pre-compiled applications (JARs, .NET assemblies)
+- Maximum security posture
+- Smallest possible footprint
+
+---
+
+## OpenShift Built-in ImageStreams
+
+These are often pre-configured in OpenShift clusters under the `openshift` namespace:
+
+| ImageStream | Usage |
+|-------------|-------|
+| `nodejs:20-ubi9` | Node.js 20 on UBI 9 |
+| `python:3.11-ubi9` | Python 3.11 on UBI 9 |
+| `openjdk-17-ubi8` | Java 17 on UBI 8 |
+| `ruby:3.1-ubi9` | Ruby 3.1 on UBI 9 |
+| `php:8.0-ubi9` | PHP 8.0 on UBI 9 |
+
+When using OpenShift ImageStreams, reference them as:
+```yaml
+from:
+  kind: ImageStreamTag
+  namespace: openshift
+  name: nodejs:20-ubi9
+```
+
+---
+
+## Framework-Specific Recommendations
+
+### Quarkus (Java)
+- **Native build**: `quay.io/quarkus/ubi-quarkus-mandrel-builder-image:jdk-21`
+- **JVM build**: `registry.access.redhat.com/ubi9/openjdk-21`
+
+### Spring Boot (Java)
+- Use: `registry.access.redhat.com/ubi9/openjdk-17` or `openjdk-21`
+- Ensure `spring-boot-maven-plugin` is configured for packaging
+
+### Next.js / React (Node.js)
+- Use: `registry.access.redhat.com/ubi9/nodejs-20`
+- Ensure build outputs to `build/` or `.next/`
+
+### Django / Flask (Python)
+- Use: `registry.access.redhat.com/ubi9/python-311`
+- Ensure `requirements.txt` or `Pipfile` exists at root
+
+### Express.js (Node.js)
+- Use: `registry.access.redhat.com/ubi9/nodejs-18` or higher
+- Ensure `npm start` script is defined in `package.json`
+
+---
+
+## Python S2I Entry Point Requirements
+
+**Quick reference:**
+- Default entry point: `app.py` (works without configuration)
+- Custom entry points require: `gunicorn` + `APP_MODULE` environment variable
+- Format: `APP_MODULE=module:variable` (e.g., `main:app`)