UNPKG

aiwg

Version:

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

aiwg.io

jmagly/aiwg

146 lines (106 loc) 4.87 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
--- name: net-vlan-audit description: Compare live VLAN assignments against network-state.yaml and report drift trigger: when the operator requests VLAN audit, network state verification, or switch config check --- # VLAN Audit ## Purpose Compare the declared VLAN configuration in `network-state.yaml` against the live state on managed switches and the UniFi controller. Produce a drift report with a severity classification per finding, and flag any VLAN or port configuration that deviates from the documented state. ## Workflow ### 1. Load Declared State Read `network-state.yaml` from the repository root (or the path specified by the operator). Extract the declared VLAN table: ``` Input: network-state.yaml Output: Declared VLAN list with id, name, subnet, gateway, dhcp range, and tagged_ports per VLAN ``` Build the expected state model: ```yaml expected_vlans: - id: {vlan-id} name: {name} subnet: {cidr} gateway: {ip} dhcp: range_start: {ip} range_end: {ip} tagged_ports: - switch: {switch-name} port: {port-id} mode: {trunk|access} ``` ### 2. Collect Live VLAN State Query live VLAN state from each switch or controller in scope. **UniFi Controller API:** ```bash # Authenticate and retrieve network configuration TOKEN=$(cat /etc/unifi/api-token) curl -s -H "Authorization: Bearer $TOKEN" \ "https://{controller}/api/s/default/rest/networkconf" \ | jq '.data[] | {vlan_id: .vlan, name, ip_subnet, dhcpd_start, dhcpd_stop}' ``` **Managed Switch CLI (SSH):** ```bash # Show VLAN database ssh {switch-mgmt-ip} "show vlan" # Show trunk port configuration for each documented trunk port ssh {switch-mgmt-ip} "show interfaces {port} trunk" ssh {switch-mgmt-ip} "show interfaces {port} switchport" ``` **DHCP Server (dnsmasq or ISC DHCP):** ```bash # Show active DHCP scopes cat /etc/dnsmasq.d/*.conf | grep "dhcp-range" # or cat /etc/dhcp/dhcpd.conf | grep -A5 "subnet" ``` Collect output into a live state model matching the expected state structure. ### 3. Diff Documented vs. Actual For each declared VLAN, compare each field of the expected state against the live state: | Field | Comparison | |-------|-----------| | VLAN ID | Present in live switch VLAN database | | VLAN Name | Matches declared name | | Subnet | Matches declared CIDR | | Gateway | Reachable and assigned to correct interface | | DHCP Range | Scope start/end matches declared values | | Tagged Ports | Each declared port has the VLAN in its trunk allowed list | Classify each discrepancy: - **CRITICAL**: VLAN exists live but is absent from `network-state.yaml` (undocumented) security and audit risk - **CRITICAL**: VLAN declared but absent from the live switch the documented state is fictional - **HIGH**: Subnet, gateway, or DHCP range mismatch between documented and live - **HIGH**: A declared trunk port does not carry the VLAN in its live allowed list - **HIGH**: A VLAN appears on ports not listed in `network-state.yaml` (undocumented trunk scope creep) - **INFORMATIONAL**: VLAN name mismatch, minor verify whether this is an alias or a real drift ### 4. Produce Drift Report Output a structured drift report: ```markdown # VLAN Audit Report — {timestamp} ## Summary - Switches audited: {count} - VLANs declared: {count} - VLANs matched: {count} - Drift items: {count} ({critical} critical, {high} high, {informational} informational) ## Drift Items | VLAN | Field | Documented | Actual | Severity | Recommended Action | |------|-------|-----------|--------|----------|--------------------| | {id} | {field} | {expected} | {actual} | {severity} | {action} | ## Undocumented VLANs (Live but Not in State File) | VLAN ID | Name | Switch | Ports | |---------|------|--------|-------| | {id} | {name} | {switch} | {ports} | ## Phantom VLANs (Documented but Not Live) | VLAN ID | Name | Documented Subnet | Last Seen | |---------|------|--------------------|-----------| | {id} | {name} | {cidr} | {date-if-known|unknown} | ``` ### 5. Flag Remediation Actions For each drift item, include a recommended action: - **Undocumented VLAN**: "Add to network-state.yaml or remove from switch — operator decision required" - **Phantom VLAN**: "Remove from network-state.yaml or recreate on switch — operator decision required" - **Subnet / DHCP mismatch**: "Reconcile — verify which state is intended; update state file or live config" - **Missing trunk port**: "Add VLAN {id} to trunk allowed list on {switch}/{port} or remove from state file" - **Extra trunk port**: "Remove VLAN {id} from trunk on {switch}/{port} or add port to state file" ## Output - `vlan-audit-{timestamp}.md` Full drift report with remediation recommendations - Console summary with drift count by severity - Exit non-zero if any CRITICAL or HIGH drift items are found (for CI integration)