chore(workspace): add hardened startup/security workflows and skill suite

skills/swarm-kubectl-safe/SKILL.md

@@ -0,0 +1,46 @@
+---
+name: swarm-kubectl-safe
+description: Safe Kubernetes operations for the homelab cluster using the scoped swarm namespace. Use when deploying, inspecting, debugging, or scaling workloads in namespace swarm while keeping Raspberry Pi resource usage low and avoiding cluster-wide/destructive commands.
+---
+
+# Swarm Kubectl Safe
+
+Use this skill for Kubernetes actions in the shared `swarm` namespace.
+
+## Defaults
+
+- Use kubeconfig: `~/.openclaw/credentials/kubeconfig-swarm.yaml`
+- Use namespace: `swarm`
+- Prefer lightweight deployments (Pi cluster):
+  - replicas: `1` by default
+  - CPU request: `25m-100m`
+  - Memory request: `64Mi-256Mi`
+
+## Safe command wrapper
+
+Use:
+
+```bash
+skills/swarm-kubectl-safe/scripts/kubectl-swarm.sh get pods
+skills/swarm-kubectl-safe/scripts/kubectl-swarm.sh describe pod <name>
+skills/swarm-kubectl-safe/scripts/kubectl-swarm.sh apply -f <file>
+```
+
+The wrapper automatically applies kubeconfig + namespace and blocks obviously dangerous cluster-wide delete operations.
+
+## Deployment workflow
+
+1. Inspect current namespace state:
+   - `.../kubectl-swarm.sh get deploy,po,svc,ingress`
+2. Apply/update manifest with conservative resources.
+3. Verify rollout:
+   - `.../kubectl-swarm.sh rollout status deploy/<name>`
+4. Inspect logs/events if unhealthy:
+   - `.../kubectl-swarm.sh logs deploy/<name> --tail=100`
+   - `.../kubectl-swarm.sh get events --sort-by=.lastTimestamp | tail -n 30`
+
+## Shared-namespace etiquette
+
+- Use unique, prefixed names (example: `zap-<app>`).
+- Avoid deleting resources you didn’t create unless explicitly asked.
+- Prefer `patch`/`rollout restart` over delete/recreate.