tokenkey-stage0-edge-ip-rotation
- Repo stars 0
- Author updated Live
- Author repo sub2api
- Domain
- Other
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @youxuanxue · no license declared
- Token usage
- Lean
- Setup complexity
- Plug-and-play
- External API key
- Not required
- Operating systems
- Unspecified (assume cross-platform)
- Runtime requirements
- No special requirements
- Permissions
-
- Read-only
- Write / modify
- Network behavior
- External requests
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: tokenkey-stage0-edge-ip-rotation
description: >- The deploy workflow now owns rotation end-to-end; this skill is a thin wrapper that decides w…
category: other
runtime: no special runtime
---
# tokenkey-stage0-edge-ip-rotation output preview
## PART A: Task fit
- Use case: >- The deploy workflow now owns rotation end-to-end; this skill is a thin wrapper that decides which workflow input to pass, not a sequence of bash commands. Polluted IP registry: deploy/aws/stage0/edge-polluted-ips.json makes outbound network calls. Works with Claude Code, Cursor, Cline and 23 more..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Why this is short now / One canonical invocation / Two operator steps left (intentional)” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “>- The deploy workflow now owns rotation end-to-end; this skill is a thin wrapper that decides which workflow input to pass, not a sequence of bash commands. Polluted IP registry: deploy/aws/stage0/edge-polluted-ips.json makes outbound network calls. Works with Claude Code, Cursor, Cline and 23 more.”.
- **02** When the source has headings, the agent prioritizes “Why this is short now / One canonical invocation / Two operator steps left (intentional)” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files; may access external network resources; usually needs no extra API key.
## Running Rules
- read files, write/modify files; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files.
Start with a small task and check whether the result follows “Why this is short now / One canonical invocation / Two operator steps left (intentional)”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: tokenkey-stage0-edge-ip-rotation
description: >- The deploy workflow now owns rotation end-to-end; this skill is a thin wrapper that decides w…
category: other
source: youxuanxue/sub2api
---
# tokenkey-stage0-edge-ip-rotation
## When to use
- >- The deploy workflow now owns rotation end-to-end; this skill is a thin wrapper that decides which workflow input to…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Why this is short now / One canonical invocation / Two operator steps left (intentional)” and keep inference separate from source facts.
- read files, write/modify files; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "tokenkey-stage0-edge-ip-rotation" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Why this is short now / One canonical invocation / Two operator steps left (intentional)
rules -> SKILL.md triggers / order / output contract
runtime -> no special runtime | read files, write/modify files | may access external network resources
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} TokenKey: rotate an edge gateway's egress EIP
EC2/CFN only. Lightsail Static IP 轮换见 tokenkey-stage0-edge-lightsail-ip-rotation(uk1 已迁 Lightsail,勿对本 skill dispatch rotate_egress_ip)。
v2 (OPC). Replaces the v1 manual multi-step nano-probe / CFN-IMPORT runbook. The deploy workflow now owns rotation end-to-end; this skill is a thin wrapper that decides which workflow input to pass, not a sequence of bash commands.
Polluted IP registry:
deploy/aws/stage0/edge-polluted-ips.json
(human-readable table in
docs/deploy/tokenkey-edge-ip-history.md).
Why this is short now
The earlier multi-step procedure existed because the CFN template treated the
EIP as a stack-managed resource (AWS::EC2::EIP + EIPAssociation with
Retain). Manual EIP swaps then desynced template-vs-live and required
detach + IMPORT to recover; that recovery sequence (specifically the IMPORT
step on the EIPAssociation) is what silently disconnected the SSM agent on
edge-uk1 on 2026-05-22.
The template has since been refactored so the EIP is an external
EipAllocationId parameter, not a resource. CloudFormation does
disassociate-old + associate-new natively when the parameter changes — the
instance, its IAM profile, and its SSM agent are never touched. The entire
class of "drift" disappears, and so does this skill's previous bulk.
One canonical invocation
gh workflow run deploy-edge-stage0.yml \
-f edge_id=<id> \
-f operation=rotate_egress_ip \
-f confirm_stack=tokenkey-edge-<id>-stage0 \
-f rotation_reason='<short reason>' \
[-f candidate_allocation_id=eipalloc-XXXX]
edge_id matches a key in
deploy/aws/stage0/edge-targets.json
with deployable=true (normalize edge-uk1 → uk1). If the edge is
Lightsail-authoritative (uk1 / us2 / … in
edge-targets-lightsail.json),
stop and use tokenkey-stage0-edge-lightsail-ip-rotation instead.
rotation_reason is required and ends up on
the new EIP's tokenkey:replaces-reason tag and in the run summary's
edge-polluted-ips.json snippet.
candidate_allocation_id is optional. If unset, the workflow allocates a
fresh EIP and refuses any allocation that lands on a known-polluted IP. Set
it only when the operator has pre-vetted a specific allocation outside the
workflow (rare — only useful if the auto path keeps drawing dirty IPs).
What the workflow does, in order:
- Reads the stack's current
EipAllocationId(= rollback target). - Allocates a fresh EIP unless
candidate_allocation_idis set; cross-checks againstedge-polluted-ips.jsonand re-allocates if dirty. aws cloudformation deploy --parameter-overrides EipAllocationId=<new>— atomic CFN swap.- Polls
ssm:DescribeInstanceInformationuntilPingStatus=Online(post-mutation invariant; uk1-2026-05-22 was the incident that motivated this gate). - Runs the pollution probe via SSM on the edge itself (no throwaway nano): confirms outbound IP, then curls Anthropic / OpenAI / Google with dummy keys looking for
403 + Cloudflare HTML(= polluted) vs401/400 + provider-shaped JSON(= clean). - On polluted → automatic revert (CFN update-stack back to OLD_ALLOC) + release the freshly-allocated EIP (only if the workflow itself allocated it).
- On clean → curl
https://<domain>/healthvia--resolve <domain>:443:<new_ip>to prove the data plane survives end-to-end on the new IP before DNS propagation. - Emits a step summary with: old/new IP, retired-IP JSON snippet ready to paste into
edge-polluted-ips.json, and the Porkbun A-record change to make.
Two operator steps left (intentional)
- DNS at Porkbun (or your provider): change the A record for
api-<id>.tokenkey.devto the new IP. The workflow does not automate this because the Porkbun API token is not in repo secrets; the run summary prints the exact transition. - Append the retired IP to
edge-polluted-ips.jsonso future rotations refuse to re-allocate it. The run summary prints a paste-ready JSON entry. After DNS has propagated (~1 hour) you mayaws ec2 release-addressthe old allocation and setreleased_on.
Everything else is mechanized.
First-time migration (per stack)
A stack that still has the v1 shape (ElasticIP + EIPAssociation with Retain,
no EipAllocationId parameter) cannot accept operation=rotate_egress_ip
yet. Migrate it once:
# Dry run (read-only):
bash deploy/aws/stage0/migrate-edge-eip-to-parameter.sh <edge_id>
# Apply (changes live CFN):
bash deploy/aws/stage0/migrate-edge-eip-to-parameter.sh <edge_id> --apply
The migration keeps the same physical EIP — the public IP does NOT change.
It only converts the CFN representation from "EIP is in the template" to "EIP
is referenced by allocation-id parameter". After the migration, the stack
accepts operation=rotate_egress_ip and the rest of this skill is in force.
Stop-the-line rules
The workflow itself enforces the data-plane invariants. This skill must still refuse when:
- The normalized
edge_idis not a key indeploy/aws/stage0/edge-targets.jsonwithdeployable=true, or the edge is Lightsail-authoritative inedge-targets-lightsail.json(use lightsail-ip-rotation skill). rotation_reasonis empty or only whitespace.- The target stack has not been migrated yet (
describe-stacksshows noEipAllocationIdparameter) — direct the operator tomigrate-edge-eip-to-parameter.shfirst. operation=rotate_egress_ipis requested againsttokenkey-prod-stage0(the production gateway). Prod IP rotation has different blast radius (active client connections) and is intentionally not covered by this skill.
The workflow handles the rest as mechanical gates — operator does not need this skill to babysit candidate allocation, probe results, or revert.
Reporting contract
The workflow's step summary is the contract. Nothing else needs to be produced. If you need to summarize for a chat caller, mirror the values from the summary:
edge_id: <id>
region: <aws-region>
old_ip / old_alloc: <ip> / <eipalloc-…>
new_ip / new_alloc: <ip> / <eipalloc-…>
status: rotated | reverted-polluted | revert-failed
follow_up:
- update DNS A-record at Porkbun: <domain> → <new_ip>
- append retired IP entry to deploy/aws/stage0/edge-polluted-ips.json
- (after ~1h DNS propagation) aws ec2 release-address --allocation-id <old_alloc>
Out of scope
- Production gateway IP rotation (
tokenkey-prod-stage0). - Cross-region "clean EIP pool" maintenance. If the auto path repeatedly draws polluted IPs in a region, the answer is a different region (or an upstream Trust & Safety ticket), not a pre-warmed pool — adding a pool is premature.
- DNS automation (Porkbun API). Documented as a known follow-up; would be a separate skill + a separate secret if/when wanted.
v1 (legacy) reference
Retired polluted IPs are recorded in
edge-polluted-ips.json
when dispatching rotate_egress_ip (same PR as the rotation).
Decide Fit First
Design Intent
How To Use It
Boundaries And Review