Agent Guide
Compact gh0stcloud rules for coding agents helping tenants create manifests and use gh0stportal.
This page is for coding agents and AI assistants helping a gh0stcloud tenant. Use it before generating manifests, explaining portal tasks, or editing a GitOps repository.
Hard rules
- gh0stportal and gh0stplane are the authority for tenant-specific values.
- Never invent namespaces, hostnames, OpenBao paths, service accounts, quota, egress catalog entries, or cert-manager issuers.
- Never commit secret values to Git.
- Do not suggest direct `kubectl apply` or cluster mutations for tenant workloads.
- Do not treat projects as RBAC. Projects are product grouping.
- Use change requests for privileged changes outside tenant bounds.
- Use the example repo as a manifest reference, not as tenant truth.
Primary references
| Need | URL |
|---|---|
| Task map | /gh0stcloud/docs/use-gh0stcloud |
| GitOps example repo | https://github.com/gh0stservice/ghc-gitops-example |
| Projects/namespaces | /gh0stcloud/docs/projects-and-namespaces |
| GitOps/secrets | /gh0stcloud/docs/gitops-and-secrets |
| Storage/services | /gh0stcloud/docs/storage-services-backups |
| Network/exposure | /gh0stcloud/docs/network-exposure |
| Troubleshooting | /gh0stcloud/docs/observability-troubleshooting |
| Billing/requests | /gh0stcloud/docs/billing-and-change-requests |
Safe task routing
| User asks | Send them to | You may generate |
|---|---|---|
| "Deploy my app" | Applications first, then GitOps repo | Kustomize/HelmRelease skeleton using tenant-provided namespace. |
| "Add a database or PVC" | Data & Services first | PVC mount snippets only after portal volume intent exists. |
| "Expose my app" | Network & Exposure first | Ingress only with portal-provided hostname, class, issuer, TLS secret. |
| "Use my domain" | Network & Exposure BYOD validation | DNS checklist and Ingress after validation data is known. |
| "Allow external API access" | Network & Exposure or Change Requests | Egress intent explanation; do not create broad allow-all. |
| "Fix 404/503" | Network & Exposure diagnostics | Service/Ingress checklist. |
| "Why is cost high?" | Billing and Data & Services | Explanation based on replicas, requests, PVC, services. |
Manifest generation checklist
Before writing YAML, ask for:
- portal namespace;
- app name;
- image and version;
- service port;
- hostname from Network & Exposure;
- storage intent/PVC name and size if stateful;
- secret path names, not secret values;
- required external egress catalog entries;
- required operator/service capabilities.
Output style for generated changes
- Keep manifests minimal.
- Prefer Kustomize overlays matching the example repo.
- Include comments only where the tenant must replace a value.
- State which portal page owns each required value.
- Include validation commands such as `kustomize build` for the edited path.
Refuse unsafe shortcuts
Do not help with:
- embedding secret values in YAML;
- bypassing gh0stportal/gh0stplane limits;
- unrestricted NetworkPolicy or egress rules;
- cross-tenant namespace references;
- public hostnames that are not assigned or validated;
- direct writes to cluster resources outside GitOps.
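
Part of this list can be checked mechanically before a change is proposed. The following is an added example, not gh0stcloud tooling: it lints already-parsed manifests (for instance the output of `kustomize build` loaded with a YAML parser) for inline Secret values, allow-all egress, and namespaces outside the tenant's. The namespace `tenant-a` and all sample objects are constructed; only standard Kubernetes fields are inspected.

```python
# Added example: lint parsed manifests against three "refuse" items.
# Assumption: manifests arrive as a list of dicts (YAML already parsed).
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def egress_findings(policy):
    """Flag NetworkPolicy egress rules that allow every destination."""
    out = []
    for i, rule in enumerate(policy.get("spec", {}).get("egress") or []):
        peers = (rule or {}).get("to") or []
        if not peers:  # a rule without 'to' matches all destinations
            out.append(f"egress[{i}] has no 'to' peers: allows all destinations")
        for peer in peers:
            cidr = (peer.get("ipBlock") or {}).get("cidr")
            if cidr in OPEN_CIDRS:
                out.append(f"egress[{i}] allows {cidr}")
    return out

def lint(manifests, tenant_namespace):
    """Return (object, reason) pairs for every violation found."""
    findings = []
    for m in manifests:
        meta = m.get("metadata", {})
        ident = f"{m.get('kind')}/{meta.get('name')}"
        ns = meta.get("namespace")
        # Only an explicit, different namespace is flagged here.
        if ns is not None and ns != tenant_namespace:
            findings.append((ident, f"namespace '{ns}' is outside the tenant namespace"))
        if m.get("kind") == "Secret" and (m.get("data") or m.get("stringData")):
            findings.append((ident, "Secret carries inline values"))
        if m.get("kind") == "NetworkPolicy":
            findings += [(ident, msg) for msg in egress_findings(m)]
    return findings

# Constructed sample input; "tenant-a" stands in for the portal namespace.
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "tenant-a"}},
    {"kind": "Secret", "metadata": {"name": "db", "namespace": "tenant-a"},
     "stringData": {"password": "PLACEHOLDER"}},
    {"kind": "NetworkPolicy", "metadata": {"name": "out", "namespace": "tenant-a"},
     "spec": {"policyTypes": ["Egress"], "egress": [{}]}},
    {"kind": "ConfigMap", "metadata": {"name": "cfg", "namespace": "tenant-b"}},
]

if __name__ == "__main__":
    for ident, reason in lint(SAMPLE, "tenant-a"):
        print(f"{ident}: {reason}")
```

A clean result does not replace the portal checks: hostnames, egress catalog entries and quota still have to come from gh0stportal.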