UNPKG

aiwg

Version:

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

aiwg.io

jmagly/aiwg

166 lines (117 loc) 4.93 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
--- name: net-dns-check description: Verify DNS resolution matches declared records across all zones trigger: when the operator requests DNS verification, zone check, or record validation --- # DNS Health Check ## Purpose Verify that every DNS record declared in `network-state.yaml` resolves correctly via the authoritative nameserver. Detect mismatches, NXDOMAIN responses, stale records, and missing records. Produce a DNS health report with per-record status and a prioritized remediation list. ## Workflow ### 1. Load Declared DNS Records Read `network-state.yaml` and extract all declared DNS zones and records: ``` Input: network-state.yaml (dns_zones section) Output: List of (zone, provider, server, record-name, record-type, expected-value, ttl) ``` Example extraction: ```yaml zones: - zone: example.internal provider: unbound server: 192.168.1.1 records: - name: gateway type: A value: 192.168.1.1 - name: nas type: A value: 192.168.10.20 ``` ### 2. Resolve Each Record For each declared record, perform a live DNS lookup against the declared authoritative nameserver: ```bash # A / AAAA record dig +short {record-fqdn} {A|AAAA} @{nameserver} # CNAME record dig +short {record-fqdn} CNAME @{nameserver} # MX record dig +short {record-fqdn} MX @{nameserver} # TXT record dig +short {record-fqdn} TXT @{nameserver} # SRV record dig +short {record-fqdn} SRV @{nameserver} # PTR record (reverse lookup) dig +short -x {ip-address} @{nameserver} ``` Collect results including: - Resolved value(s) - TTL returned - Response code (NOERROR, NXDOMAIN, SERVFAIL, etc.) - Query latency (for health trending) ### 3. Compare Expected vs. Actual For each record, classify the result: | Status | Condition | |--------|-----------| | PASS | Resolved value matches expected value; response is NOERROR | | TTL_DRIFT | Value matches but TTL differs from declared value by more than 10% | | WRONG_VALUE | Resolved value differs from declared expected value | | NXDOMAIN | Record does not exist in DNS | | SERVFAIL | Nameserver returned an error | | NO_RESPONSE | Nameserver did not respond within timeout | | EXTRA_RECORD | Record exists in DNS but is not declared in network-state.yaml (discovered via zone transfer or secondary check) | ### 4. Check for Undeclared Records (Optional Zone Transfer) If the operator requests a full zone audit and the nameserver permits zone transfers: ```bash dig @{nameserver} {zone} AXFR ``` Compare the live zone contents against declared records. Flag records present in DNS but absent from `network-state.yaml` as `UNDOCUMENTED`. > This step requires explicit operator authorization zone transfers expose the full zone and should be treated as sensitive. ### 5. Cross-Check Against Service Connectivity For A and AAAA records that resolve to internal hosts, optionally verify the host is reachable: ```bash # TCP connect to expected service port nc -zv -w5 {resolved-ip} {service-port} # ICMP ping ping -c 2 -W 3 {resolved-ip} ``` Flag records that resolve correctly but whose target is unreachable as `STALE_RECORD` the DNS entry exists but the host or service it points to is gone. ### 6. Produce DNS Health Report ```markdown # DNS Health Report — {timestamp} ## Summary - Zones checked: {count} - Records checked: {count} - PASS: {count} - WRONG_VALUE: {count} - NXDOMAIN: {count} - SERVFAIL / NO_RESPONSE: {count} - TTL_DRIFT: {count} - UNDOCUMENTED: {count} - STALE_RECORD: {count} ## Record-by-Record Results | Zone | FQDN | Type | Expected | Actual | TTL Expected | TTL Actual | Status | |------|------|------|----------|--------|-------------|-----------|--------| | {zone} | {fqdn} | {type} | {expected} | {resolved} | {ttl} | {actual-ttl} | {status} | ## Critical Issues (NXDOMAIN / SERVFAIL / WRONG_VALUE) | FQDN | Type | Issue | Expected | Actual | Impact | |------|------|-------|----------|--------|--------| | {fqdn} | {type} | {issue} | {expected} | {actual} | {affected-services} | ## Undocumented Records Records present in live DNS but absent from network-state.yaml: | Zone | FQDN | Type | Value | Action Required | |------|------|------|-------|----------------| | {zone} | {fqdn} | {type} | {value} | Add to state file or remove from DNS | ## Stale Records Records that resolve correctly but whose targets are unreachable: | FQDN | Type | Resolved IP | Reachability | Action Required | |------|------|------------|-------------|----------------| | {fqdn} | {type} | {ip} | UNREACHABLE | Verify host status; remove or update record | ## Remediation Actions | Priority | FQDN | Action | |----------|------|--------| | {P1|P2|P3} | {fqdn} | {specific remediation step} | ``` ## Output - `dns-health-{timestamp}.md` Full DNS health report - Console summary with status counts - Exit non-zero if any NXDOMAIN, SERVFAIL, WRONG_VALUE, or STALE_RECORD results are found