full devops

README.md

@@ -1,5 +1,5 @@
 ---
-title: CI/CD + Docker Debug Environment
+title: Cloud-Native DevOps Debug Environment
 emoji: 🔧
 colorFrom: blue
 colorTo: green
@@ -8,19 +8,20 @@ app_port: 8000
 pinned: false
 ---
 
-# CI/CD Debug Environment
+# Cloud-Native DevOps Debug Environment
 
-An OpenEnv-compatible environment where AI agents learn to debug broken GitHub Actions workflows and Dockerfiles. Built for the OpenEnv Hackathon by Scaler School of Technology (partners: Meta, HuggingFace, PyTorch).
+An OpenEnv-compatible environment where AI agents learn to debug broken GitHub Actions workflows, Dockerfiles, and Kubernetes manifests. Built for the OpenEnv Hackathon by Scaler School of Technology (partners: Meta, HuggingFace, PyTorch).
 
-## Why CI/CD Debugging?
+## Why Cloud-Native Debugging?
 
-Every developer who ships code hits CI/CD failures. A misconfigured Dockerfile, a broken GitHub Actions workflow, a missing secret — these are the bugs that waste hours of developer time every week. They're hard to debug because:
+Every developer who ships code hits deployment pipeline failures. A misconfigured Dockerfile, a broken GitHub Actions workflow, a missing secret, a Kubernetes selector mismatch — these are the bugs that waste hours of developer time every week. They're hard to debug because:
 
 - Error messages are cryptic ("unable to prepare context: unable to evaluate symlinks")
 - The feedback loop is slow (push, wait for CI, read logs, fix, repeat)
-- Multiple config files interact in non-obvious ways (Dockerfile + workflow + secrets)
+- Multiple config files interact in non-obvious ways (Dockerfile + workflow + secrets + K8s manifests)
+- Kubernetes errors require cross-resource reasoning (Deployment labels must match Service selectors)
 
-This environment teaches AI agents to do what senior DevOps engineers do: read the error, trace it to the root cause, and fix it.
+This environment teaches AI agents to do what senior DevOps engineers do: read the error, trace it to the root cause across multiple files, and fix it.
 
 ---
 
@@ -30,7 +31,7 @@ This environment teaches AI agents to do what senior DevOps engineers do: read t
 ┌──────────────────────────────────────────────────────────────┐
 │  1. RESET                                                     │
 │     Agent receives:                                           │
-│     - Broken config files (Dockerfile / workflow YAML)        │
+│     - Broken config files (Dockerfile / workflow / K8s YAML)  │
 │     - Error message from the failed build/deploy              │
 │     - Available secrets list                                  │
 │     - Number of issues to find                                │
@@ -60,11 +61,11 @@ This environment teaches AI agents to do what senior DevOps engineers do: read t
 
 ---
 
-## The 6 Tasks (30 Scenarios)
+## The 10 Tasks (50 Scenarios)
 
 ### Task 1: Dockerfile Syntax Errors — Easy
 
-Simple typos and instruction errors that break `docker build`. These are the bugs every developer makes on day one.
+Simple typos and instruction errors that break `docker build`.
 
 | # | Scenario | What's Broken | Real-World Context |
 |---|----------|---------------|-------------------|
@@ -72,67 +73,115 @@ Simple typos and instruction errors that break `docker build`. These are the bug
 | 2 | `invalid_base_image` | `FROM python:3.9-slimm` — extra 'm' in tag | Happens when copy-pasting image tags |
 | 3 | `invalid_run_syntax` | `RUN pip install ... \n && python setup.py` — broken line continuation | Formatting multi-line RUN commands is tricky |
 | 4 | `invalid_expose` | `EXPOSE "eighty"` — string instead of port number | EXPOSE only accepts numeric ports |
-| 5 | `missing_from_instruction` | No `FROM` instruction at all | Dockerfile must start with FROM (or ARG before FROM) |
+| 5 | `missing_from_instruction` | No `FROM` instruction at all | Dockerfile must start with FROM |
 
 ### Task 2: Dockerfile Runtime Errors — Medium
 
-The Dockerfile builds successfully, but the container crashes when you run it. These are harder because the error appears at runtime, not build time.
+The Dockerfile builds successfully, but the container crashes at runtime.
 
 | # | Scenario | What's Broken | Real-World Context |
 |---|----------|---------------|-------------------|
 | 1 | `missing_workdir` | No WORKDIR — files scatter to `/` | Container runs but `npm start` can't find `package.json` |
-| 2 | `cmd_entrypoint_conflict` | Both ENTRYPOINT and CMD defined as full commands | Process starts incorrectly; CMD should be args-only when ENTRYPOINT exists |
-| 3 | `entrypoint_not_executable` | Shell script lacks execute permission | `chmod +x` missing — "permission denied" at container start |
-| 4 | `missing_required_env` | App needs `DATABASE_URL` but it's not set | Container starts then crashes: "DATABASE_URL is not defined" |
-| 5 | `non_root_privileged_port` | Non-root user tries to bind port 80 | Security best practice (non-root) conflicts with port < 1024 |
+| 2 | `cmd_entrypoint_conflict` | Both ENTRYPOINT and CMD defined as full commands | Process starts incorrectly |
+| 3 | `entrypoint_not_executable` | Shell script lacks execute permission | `chmod +x` missing — "permission denied" |
+| 4 | `missing_required_env` | App needs `DATABASE_URL` but it's not set | Container crashes: "DATABASE_URL is not defined" |
+| 5 | `non_root_privileged_port` | Non-root user tries to bind port 80 | Security best practice conflicts with port < 1024 |
 
 ### Task 3: Workflow Syntax & Structure — Easy
 
-GitHub Actions YAML has structural problems. GitHub rejects these before any job runs.
+GitHub Actions YAML has structural problems that GitHub rejects before any job runs.
 
 | # | Scenario | What's Broken | Real-World Context |
 |---|----------|---------------|-------------------|
-| 1 | `checkout_after_build` | `docker build` runs before `actions/checkout` | No source code checked out — "Dockerfile not found" |
-| 2 | `missing_runs_on` | Job has no `runs-on` field | GitHub Actions rejects: every job needs a runner |
-| 3 | `invalid_trigger_syntax` | `branches: main` instead of `branches: [main]` | Must be a YAML list, not a scalar string |
-| 4 | `missing_step_uses_or_run` | Step has a name but no `uses:` or `run:` | Invalid step — must do something |
-| 5 | `missing_on_trigger` | No `on:` block at all | Workflow never triggers — GitHub doesn't know when to run it |
+| 1 | `checkout_after_build` | `docker build` before `actions/checkout` | No source code — "Dockerfile not found" |
+| 2 | `missing_runs_on` | Job has no `runs-on` field | Every job needs a runner |
+| 3 | `invalid_trigger_syntax` | `branches: main` instead of `branches: [main]` | Must be a YAML list |
+| 4 | `missing_step_uses_or_run` | Step has a name but no `uses:` or `run:` | Invalid step |
+| 5 | `missing_on_trigger` | No `on:` block at all | Workflow never triggers |
 
 ### Task 4: Workflow Secrets & Permissions — Medium
 
-Secrets exist in the repository but aren't wired correctly to the workflow steps. These are the bugs that make you say "but the secret is right there!"
+Secrets exist but aren't wired correctly to the workflow steps.
 
 | # | Scenario | What's Broken | Real-World Context |
 |---|----------|---------------|-------------------|
-| 1 | `missing_env_secrets` | `$DOCKER_PASSWORD` in `run:` but no `env:` mapping | Secrets must be explicitly passed via `env:` block |
-| 2 | `wrong_secret_syntax` | `${ secrets.TOKEN }` instead of `${{ secrets.TOKEN }}` | Single braces vs double braces — subtle syntax difference |
-| 3 | `missing_token_permissions` | Pushing to GHCR without `permissions: packages: write` | GITHUB_TOKEN is read-only by default since 2023 |
-| 4 | `secret_not_in_env` | `curl` uses `$SLACK_WEBHOOK_URL` but it's not in `env:` | Same pattern as #1 — very common mistake |
-| 5 | `ghcr_wrong_credentials` | Using `DOCKER_PASSWORD` for GHCR login | GHCR uses `GITHUB_TOKEN`, not Docker Hub credentials |
+| 1 | `missing_env_secrets` | `$DOCKER_PASSWORD` without `env:` mapping | Secrets must be passed via `env:` block |
+| 2 | `wrong_secret_syntax` | `${ secrets.TOKEN }` instead of `${{ secrets.TOKEN }}` | Single vs double braces |
+| 3 | `missing_token_permissions` | Pushing to GHCR without `permissions: packages: write` | GITHUB_TOKEN is read-only by default |
+| 4 | `secret_not_in_env` | `$SLACK_WEBHOOK_URL` not in `env:` | Very common mistake |
+| 5 | `ghcr_wrong_credentials` | Using `DOCKER_PASSWORD` for GHCR login | GHCR uses `GITHUB_TOKEN` |
 
 ### Task 5: CI + Docker Integration — Medium-Hard
 
-The workflow AND the Dockerfile interact. Fixing one file alone isn't enough — you need to understand how they work together.
+The workflow AND the Dockerfile interact. Fixing one file alone isn't enough.
 
 | # | Scenario | What's Broken | Real-World Context |
 |---|----------|---------------|-------------------|
-| 1 | `missing_buildx_for_platforms` | Multi-platform build without `setup-buildx-action` | Standard Docker builder can't cross-compile; need BuildKit |
-| 2 | `login_secrets_not_wired` | `docker login` step missing `env:` for secrets | Auth fails — "unauthorized: authentication required" |
-| 3 | `wrong_build_context` | Context is `./backend` but Dockerfile path is `./Dockerfile` | Path mismatch — build can't find the Dockerfile |
-| 4 | `cache_without_mode_max` | GHA cache export missing `mode=max` | Cache doesn't persist intermediate layers; slow rebuilds |
-| 5 | `push_without_login` | `docker push` without `docker login` first | "denied: requested access to the resource is denied" |
+| 1 | `missing_buildx_for_platforms` | Multi-platform build without `setup-buildx-action` | Need BuildKit for cross-compile |
+| 2 | `login_secrets_not_wired` | `docker login` missing `env:` for secrets | "unauthorized: authentication required" |
+| 3 | `wrong_build_context` | Context is `./backend` but Dockerfile path is `./Dockerfile` | Path mismatch |
+| 4 | `cache_without_mode_max` | GHA cache export missing `mode=max` | Cache doesn't persist |
+| 5 | `push_without_login` | `docker push` without `docker login` first | "denied: requested access" |
 
 ### Task 6: Multi-Stage Pipeline & Matrix — Hard
 
-Complex pipelines with multiple interacting bugs. The agent must find and fix 2-3 issues across multiple files.
+Complex pipelines with multiple interacting bugs. Agent must find 2-3 issues across files.
 
 | # | Scenario | What's Broken | Real-World Context |
 |---|----------|---------------|-------------------|
-| 1 | `artifact_path_mismatch` | `COPY --from=builder /app/dist` but React outputs to `/app/build` | Framework output directories vary — CRA uses `build/`, Vite uses `dist/` |
-| 2 | `matrix_platform_arg` | Uses `$BUILDPLATFORM` without `ARG BUILDPLATFORM` declaration | Multi-arch builds need platform ARGs declared before FROM |
-| 3 | `cross_job_artifact` | Test job downloads artifact but missing `needs: build` | Jobs run in parallel by default — artifact doesn't exist yet |
-| 4 | `multiple_issues` | Dockerfile typo + workflow secrets not wired (2 bugs) | Real debugging: problems compound across files |
-| 5 | `matrix_version_failure` | Matrix includes Node 14 but code needs >= 16 + missing `needs:` | Version compatibility + job ordering — 2 bugs to find |
+| 1 | `artifact_path_mismatch` | `COPY --from=builder /app/dist` but React outputs to `/app/build` | CRA uses `build/`, Vite uses `dist/` |
+| 2 | `matrix_platform_arg` | `$BUILDPLATFORM` without `ARG BUILDPLATFORM` | Multi-arch needs platform ARGs |
+| 3 | `cross_job_artifact` | Test job downloads artifact but missing `needs: build` | Jobs run in parallel by default |
+| 4 | `multiple_issues` | Dockerfile typo + workflow secrets not wired (2 bugs) | Problems compound across files |
+| 5 | `matrix_version_failure` | Matrix includes Node 14 but code needs >= 16 + missing `needs:` | 2 bugs to find |
+
+### Task 7: Kubernetes Pod Failures — Medium
+
+Pod crashes and scheduling failures in Kubernetes deployments.
+
+| # | Scenario | What's Broken | Real-World Context |
+|---|----------|---------------|-------------------|
+| 1 | `oom_killed` | Memory limit 64Mi too low — CrashLoopBackOff/OOMKilled | Most common K8s production issue |
+| 2 | `image_pull_backoff` | Image tag typo `nginx:latset` → ImagePullBackOff | Copy-paste tag errors |
+| 3 | `wrong_command` | `command: ["python", "workers.py"]` but file is `worker.py` | File name mismatch |
+| 4 | `missing_configmap` | `envFrom: configMapRef: app-config` but ConfigMap doesn't exist | CreateContainerConfigError |
+| 5 | `liveness_probe_failing` | Liveness probe port 3000 but app listens on 8080 | Probe misconfiguration causes restarts |
+
+### Task 8: Kubernetes Service & Ingress Issues — Hard
+
+Networking issues where pods run fine but traffic doesn't reach them.
+
+| # | Scenario | What's Broken | Real-World Context |
+|---|----------|---------------|-------------------|
+| 1 | `selector_mismatch` | Service selector `app: api` but pod label is `app: api-server` | No endpoints — most common K8s networking bug |
+| 2 | `port_mismatch` | Service targetPort 8080 but container listens on 3000 | Connection refused |
+| 3 | `ingress_wrong_service` | Ingress references `api-svc` but service name is `api-service` | Ingress 404 |
+| 4 | `network_policy_blocking` | NetworkPolicy with empty ingress rules blocks all traffic | Database unreachable |
+| 5 | `missing_ingress_class` | No `ingressClassName: nginx` specified | Ingress controller doesn't pick it up |
+
+### Task 9: CI/CD Build & Push Pipeline — Hard
+
+GHA-to-Docker-to-Registry pipeline failures spanning multiple files.
+
+| # | Scenario | What's Broken | Real-World Context |
+|---|----------|---------------|-------------------|
+| 1 | `ghcr_token_not_mapped` | `$GITHUB_TOKEN` shell var not mapped from secrets | GHCR login fails |
+| 2 | `image_tag_mismatch` | Build uses `github.ref_name` but push uses `github.sha` | "image not found locally" |
+| 3 | `missing_packages_write` | No `permissions: packages: write` for GHCR push | "permission_denied: write_package" |
+| 4 | `build_arg_not_passed` | Dockerfile `ARG APP_VERSION` but no `--build-arg` in workflow | Version file is empty |
+| 5 | `multistage_output_mismatch` | `COPY --from=builder /app/dist` but react-scripts outputs to `/app/build` | Wrong output directory |
+
+### Task 10: Full Stack Deployment Pipeline — Expert
+
+Multi-error scenarios spanning the entire stack: GHA + Dockerfile + K8s manifests. 2-4 bugs per scenario requiring cross-file reasoning.
+
+| # | Scenario | What's Broken | Real-World Context |
+|---|----------|---------------|-------------------|
+| 1 | `full_pipeline_ghcr_and_selector` | GHCR token not mapped + K8s Service selector mismatch | 2 bugs across workflow + K8s |
+| 2 | `full_pipeline_three_bugs` | Missing checkout + no WORKDIR + wrong container/service port | 4 bugs across 4 files |
+| 3 | `full_pipeline_ghcr_dockerfile_k8s` | Wrong GHCR secret + base image typo + OOM memory limit | 3 bugs across all layers |
+| 4 | `full_pipeline_permissions_image_ingress` | Missing packages:write + hardcoded image placeholder + no ingressClassName | 3 bugs |
+| 5 | `full_pipeline_secrets_build_probe` | Docker secrets not wired + wrong build output dir + probe port mismatch | 4 bugs across all layers |
 
 ---
 
@@ -162,86 +211,21 @@ Scoring is **deterministic** (same actions always produce the same score) and **
 ### The Formula
 
 ```
-FINAL SCORE = Partial Fixes + Complete Bonus + Efficiency - Hint Penalty
+FINAL SCORE = Base + Partial Fixes + Complete Bonus + Efficiency - Hint Penalty - Failed Edit Penalty
 ```
 
-Clamped to `[0.0, 1.0]`.
+Clamped to `(0.01, 0.99)`.
 
 ### Component Breakdown
 
-#### 1. Partial Fix Credit (40% max)
-
-```
-partial = 0.40 x (issues_fixed / issues_total)
-```
-
-| Fixed | Total | Partial Score |
-|-------|-------|---------------|
-| 0/2 | 2 | 0.00 |
-| 1/2 | 2 | 0.20 |
-| 2/2 | 2 | 0.40 |
-| 1/3 | 3 | 0.133 |
-
-#### 2. Complete Solution Bonus (30% max)
-
-```
-complete = 0.30  if ALL issues fixed
-complete = 0.00  otherwise
-```
-
-All-or-nothing. Fix 2/3 issues? You get 0. Fix 3/3? You get 0.30.
-
-#### 3. Efficiency Bonus (30% max)
-
-```
-if issues_fixed == 0:     efficiency = 0.00  (no credit for doing nothing)
-if steps <= issues_total:  efficiency = 0.30  (optimal — full bonus)
-if steps > issues_total:   efficiency = 0.30 - 0.03 per extra step
-```
-
-Rewards agents that fix issues quickly. The "optimal" number of steps equals the number of issues (one fix per step).
-
-| Issues | Steps Taken | Efficiency Score |
-|--------|-------------|-----------------|
-| 1 | 1 | 0.30 (optimal) |
-| 1 | 3 | 0.24 |
-| 1 | 8 | 0.09 |
-| 2 | 2 | 0.30 (optimal) |
-| 2 | 5 | 0.21 |
-| 0 fixed | any | 0.00 |
-
-#### 4. Hint Penalty (-5% each)
-
-```
-penalty = 0.05 x hints_used
-```
-
-Each `request_hint` action costs 5% off the final score.
-
-### Score Examples
-
-| Scenario | Partial | Complete | Efficiency | Hints | **Final Score** |
-|----------|---------|----------|------------|-------|-----------------|
-| Fixed 0/2 issues | 0.00 | 0.00 | 0.00 | 0 | **0.000** |
-| Fixed 1/2 in 3 steps | 0.20 | 0.00 | 0.27 | 0 | **~0.470** |
-| Fixed 2/2 in 5 steps | 0.40 | 0.30 | 0.21 | 0 | **~0.910** |
-| Fixed 1/1 in 1 step | 0.40 | 0.30 | 0.30 | 0 | **1.000** |
-| Fixed 1/1 + 2 hints | 0.40 | 0.30 | 0.30 | -0.10 | **0.900** |
-| Submitted immediately | 0.00 | 0.00 | 0.00 | 0 | **0.000** |
-
-### Per-Step Rewards (Dense Feedback)
-
-The agent also gets **immediate rewards** after each action (not just at the end):
-
-| Event | Reward |
-|-------|--------|
-| Fix validated (issue resolved) | +0.3 per issue fixed |
-| Successful validation improvement | +0.1 |
-| Failed edit (old_content didn't match) | -0.02 |
-| Request hint | -0.05 |
-| Submit (terminal) | 0.0 |
-
-This dense reward signal helps RL agents learn faster than sparse pass/fail grading.
+| Component | Weight | Description |
+|-----------|--------|-------------|
+| Base score | 5% | Participation credit |
+| Partial fixes | 35% | Proportional to `issues_fixed / issues_total` |
+| Complete bonus | 25% | All issues fixed |
+| Efficiency | 25% | Decays with extra steps beyond optimal |
+| Hint penalty | -4% each | Per `request_hint` action |
+| Failed edit penalty | -2% each | Per edit with no valid file path |
 
 ---
 
@@ -249,8 +233,8 @@ This dense reward signal helps RL agents learn faster than sparse pass/fail grad
 
 | Endpoint | Method | Description |
 |----------|--------|-------------|
-| `/` | GET | Root health check |
-| `/health` | GET | OpenEnv health endpoint — returns `{"status": "healthy"}` |
+| `/` | GET | Root page |
+| `/health` | GET | Health check — returns `{"status": "healthy"}` |
 | `/metadata` | GET | Environment name, description, version, tags |
 | `/schema` | GET | Action, observation, and state JSON schemas |
 | `/reset` | POST | Start a new episode (optional: `task_id`, `scenario_id`, `seed`) |
@@ -268,61 +252,34 @@ This dense reward signal helps RL agents learn faster than sparse pass/fail grad
 # 1. Start an episode
 curl -X POST http://localhost:8000/reset \
   -H "Content-Type: application/json" \
-  -d '{"task_id": "dockerfile_syntax", "scenario_id": "typo_filename"}'
-
-# Response: observation with broken Dockerfile + error message
+  -d '{"task_id": "k8s_pod_failures", "scenario_id": "oom_killed"}'
 
-# 2. Fix the typo
+# 2. Fix the memory limit
 curl -X POST http://localhost:8000/step \
   -H "Content-Type: application/json" \
   -d '{
     "action": {
       "action_type": "edit_file",
       "edits": [{
-        "file_path": "Dockerfile",
-        "old_content": "COPY requirments.txt .",
-        "new_content": "COPY requirements.txt ."
+        "file_path": "k8s/deployment.yaml",
+        "old_content": "memory: \"64Mi\"",
+        "new_content": "memory: \"256Mi\""
       }]
     }
   }'
 
-# Response: reward=0.4, issues_fixed=1/1
-
-# 3. Submit
-curl -X POST http://localhost:8000/step \
-  -H "Content-Type: application/json" \
-  -d '{"action": {"action_type": "submit"}}'
-
-# Response: done=true, episode complete
+# Response: reward=0.3, issues_fixed=1/1, done=true
 ```
 
 ---
 
-## Baseline Results (Llama 3.1 70B)
-
-Tested with `meta-llama/Llama-3.1-70B-Instruct` via HuggingFace router:
-
-| Task | Score | Notes |
-|------|-------|-------|
-| dockerfile_syntax | 1.000 | Solved perfectly in 1 step |
-| dockerfile_runtime | 1.000 | Solved perfectly in 1 step |
-| workflow_syntax_structure | 0.000 | LLM struggled with exact whitespace matching |
-| workflow_secrets_permissions | 1.000 | Solved perfectly in 1 step |
-| ci_docker_integration | 0.000 | Multi-step fix needed; LLM edits didn't match exactly |
-| multi_stage_pipeline_matrix | 0.283 | Fixed 1/3 issues |
-| **OVERALL** | **0.547** | |
-
-This shows the environment is both **solvable** (3 perfect scores) and **challenging** (2 zero scores, 1 partial). The main difficulty is exact string matching for edits — a realistic constraint that mirrors real file editing.
-
----
-
 ## Quick Start
 
 ### Local Development
 
 ```bash
 pip install -r requirements.txt
-python -m uvicorn server.main:app --host 0.0.0.0 --port 8000
+python -m uvicorn server.app:app --host 0.0.0.0 --port 8000
 ```
 
 ### Run Tests
@@ -334,8 +291,8 @@ pytest tests/ -v
 ### Docker
 
 ```bash
-docker build -t cicd-docker-env .
-docker run -p 8000:8000 cicd-docker-env
+docker build -t cloud-native-devops-env .
+docker run -p 8000:8000 cloud-native-devops-env
 ```
 
 ### Baseline Inference (with LLM)
@@ -352,7 +309,7 @@ python inference.py
 ## Project Structure
 
 ```
-cicd-docker-env/
+cloud-native-devops-env/
 ├── openenv.yaml              # OpenEnv environment specification
 ├── inference.py              # LLM baseline (OpenAI client + HF router)
 ├── baseline_runner.py        # Heuristic baseline for /baseline endpoint
@@ -360,24 +317,28 @@ cicd-docker-env/
 ├── requirements.txt          # Python dependencies
 │
 ├── server/
-│   ├── main.py               # FastAPI with 12 endpoints
+│   ├── app.py                # FastAPI with 12 endpoints
 │   ├── models.py             # Pydantic models (type-safe API)
 │   ├── environment.py        # Core environment loop (reset/step/state)
 │   ├── tasks/
 │   │   ├── base.py           # BaseTask with scenario loading
-│   │   ├── task_registry.py  # Maps task_id → task class
+│   │   ├── task_registry.py  # Maps task_id → task class (10 tasks)
 │   │   ├── task_1_build_errors.py        # 5 Dockerfile syntax scenarios
 │   │   ├── task_2_docker_runtime.py      # 5 Dockerfile runtime scenarios
 │   │   ├── task_3_workflow_syntax.py     # 5 workflow structure scenarios
 │   │   ├── task_4_workflow_secrets_permissions.py  # 5 secrets scenarios
 │   │   ├── task_5_ci_docker_integration.py        # 5 integration scenarios
-│   │   └── task_6_multi_stage_matrix.py           # 5 multi-issue scenarios
+│   │   ├── task_6_multi_stage_matrix.py           # 5 multi-issue scenarios
+│   │   ├── k8s_pod.py                   # 5 Kubernetes pod failure scenarios
+│   │   ├── k8s_networking.py            # 5 K8s networking scenarios
+│   │   ├── pipeline_build_deploy.py     # 5 GHA→Docker→Registry scenarios
+│   │   └── pipeline_full.py             # 5 full-stack multi-error scenarios
 │   ├── graders/
-│   │   ├── __init__.py       # Deterministic trajectory grader
-│   │   └── base.py           # Base grader with weight constants
+│   │   └── __init__.py       # Deterministic trajectory grader
 │   └── simulators/
 │       ├── docker_simulator.py   # 15+ Dockerfile validation rules
-│       └── workflow_simulator.py # 15+ workflow validation rules
+│       ├── workflow_simulator.py # 15+ workflow validation rules
+│       └── k8s_simulator.py     # Kubernetes manifest validator
 │
 └── tests/
     ├── test_endpoints.py     # API endpoint tests
@@ -389,12 +350,12 @@ cicd-docker-env/
 
 ## Design Decisions
 
-1. **Docker + GitHub Actions combined**: These two tools intersect in every modern deployment pipeline. Debugging their interaction is the hardest part of DevOps.
-2. **Simulated validation (no real Docker)**: Static analysis rules instead of running actual containers. This gives deterministic results, fast execution, and no security concerns.
-3. **Dense rewards**: Partial credit at every step (+0.3 per fix, -0.02 per failed edit) rather than sparse pass/fail. Helps RL agents learn faster.
-4. **Difficulty progression**: Easy tasks are single-file, single-issue. Hard tasks are multi-file, multi-issue with interacting bugs.
-5. **Exact string matching for edits**: Mirrors real file editing — whitespace matters. This is intentionally challenging for LLMs.
-6. **30 scenarios from real bugs**: Every scenario is based on actual developer mistakes documented on Stack Overflow, GitHub Issues, and Docker/GitHub Actions documentation.
+1. **Full cloud-native stack**: Docker + GitHub Actions + Kubernetes — the three pillars of modern deployment pipelines.
+2. **Simulated validation (no real Docker/K8s)**: Static analysis rules give deterministic results, fast execution, and no security concerns.
+3. **Dense rewards**: Partial credit at every step (+0.3 per fix, -0.02 per failed edit) rather than sparse pass/fail.
+4. **Difficulty progression**: Easy tasks are single-file, single-issue. Expert tasks are multi-file, multi-issue with interacting bugs across all three layers.
+5. **Exact string matching for edits**: Mirrors real file editing — whitespace matters.
+6. **50 scenarios from real bugs**: Every scenario is based on actual developer mistakes documented on Stack Overflow, GitHub Issues, and official documentation.
 
 ## License
 

inference.py

@@ -1,4 +1,4 @@
-"""Baseline inference script for CI/CD Debug Environment.
+"""Baseline inference script for Cloud-Native Debug Environment.
 
 Uses OpenAI-compatible client to call Llama 3.1 70B via HuggingFace router.
 Required by OpenEnv specification.
@@ -29,8 +29,8 @@ ENV_URL = os.getenv("ENV_URL", "http://localhost:8000")
 LOCAL_IMAGE_NAME = os.getenv("LOCAL_IMAGE_NAME")
 MAX_STEPS = 8  # leave 2 steps buffer before env hard-limit of 10
 
-SYSTEM_PROMPT = """You are an expert DevOps engineer debugging CI/CD pipelines.
-You will receive broken Dockerfile and/or GitHub Actions workflow files along with error messages.
+SYSTEM_PROMPT = """You are an expert DevOps engineer debugging cloud-native deployment pipelines.
+You will receive broken Dockerfile, GitHub Actions workflow, and/or Kubernetes manifest files along with error messages.
 
 Your job is to:
 1. Analyze the error message carefully
@@ -49,6 +49,18 @@ When you identify a fix, respond with a JSON object in this exact format:
   ]
 }
 
+To create a new file (e.g. a missing ConfigMap), use an empty old_content:
+{
+  "reasoning": "Create missing ConfigMap manifest",
+  "edits": [
+    {
+      "file_path": "k8s/configmap.yaml",
+      "old_content": "",
+      "new_content": "apiVersion: v1\\nkind: ConfigMap\\n..."
+    }
+  ]
+}
+
 If you believe all issues are fixed and want to submit, respond with:
 {"action": "submit"}
 
@@ -62,6 +74,8 @@ Rules:
 - Common issues: typos, wrong syntax, missing fields, wrong secret references
 - For GitHub Actions: check secret syntax (${{ }} not ${ }), env blocks, permissions
 - For Dockerfiles: check instruction syntax, file paths, base image tags
+- For Kubernetes: check label selectors, port matching, resource limits, probe configs, ingress rules
+- For full-stack pipelines: issues may span multiple files (workflow + Dockerfile + K8s manifests)
 - Always respond with valid JSON only, no markdown fences"""
 
 
@@ -280,7 +294,7 @@ def run_all_tasks(client: OpenAI) -> Dict[str, float]:
 
 def main():
     """Entry point for baseline inference."""
-    print("CI/CD Debug Environment - Baseline Inference")
+    print("Cloud-Native Debug Environment - Baseline Inference")
     print(f"API: {API_BASE_URL}")
     print(f"Model: {MODEL_NAME}")
     print(f"Environment: {ENV_URL}")

openenv.yaml

@@ -1,8 +1,8 @@
-name: cicd-docker-env
+name: cloud-native-devops-env
 version: "1.0.0"
 description: >
-  Debug broken GitHub Actions workflows and Dockerfiles.
-  AI agents identify and fix CI/CD infrastructure issues.
+  Debug broken GitHub Actions workflows, Dockerfiles, and Kubernetes manifests.
+  AI agents identify and fix cloud-native deployment pipeline issues.
 
 author: Krishna
 license: MIT
@@ -10,8 +10,10 @@ tags:
   - devops
   - docker
   - github-actions
+  - kubernetes
   - debugging
   - infrastructure
+  - cloud-native
 
 environment:
   type: text
@@ -56,6 +58,30 @@ tasks:
     difficulty: hard
     num_scenarios: 5
 
+  - id: k8s_pod_failures
+    name: Kubernetes Pod Failures
+    description: Fix Kubernetes pod failures including CrashLoopBackOff, ImagePullBackOff, and resource issues
+    difficulty: medium
+    num_scenarios: 5
+
+  - id: k8s_networking
+    name: Kubernetes Service & Ingress Issues
+    description: Fix Kubernetes networking issues including Service selectors, port mismatches, and Ingress configuration
+    difficulty: hard
+    num_scenarios: 5
+
+  - id: pipeline_build_deploy
+    name: CI/CD Build & Push Pipeline
+    description: Debug GHA-to-Docker-to-Registry pipeline failures across multiple files
+    difficulty: hard
+    num_scenarios: 5
+
+  - id: pipeline_full_stack
+    name: Full Stack Deployment Pipeline
+    description: Debug complex multi-error deployment pipelines across GHA workflows, Dockerfiles, and Kubernetes manifests
+    difficulty: expert
+    num_scenarios: 5
+
 graders:
   dockerfile_syntax:
     type: deterministic
@@ -75,6 +101,18 @@ graders:
   multi_stage_pipeline_matrix:
     type: deterministic
     score_range: [0.0, 1.0]
+  k8s_pod_failures:
+    type: deterministic
+    score_range: [0.0, 1.0]
+  k8s_networking:
+    type: deterministic
+    score_range: [0.0, 1.0]
+  pipeline_build_deploy:
+    type: deterministic
+    score_range: [0.0, 1.0]
+  pipeline_full_stack:
+    type: deterministic
+    score_range: [0.0, 1.0]
 
 baseline:
   script: inference.py
@@ -85,6 +123,10 @@ baseline:
     workflow_secrets_permissions: 0.50
     ci_docker_integration: 0.45
     multi_stage_pipeline_matrix: 0.30
+    k8s_pod_failures: 0.50
+    k8s_networking: 0.40
+    pipeline_build_deploy: 0.35
+    pipeline_full_stack: 0.20
 
 resources:
   vcpu: 2

pyproject.toml

@@ -3,16 +3,16 @@ requires = ["setuptools>=68.0", "wheel"]
 build-backend = "setuptools.build_meta"
 
 [project]
-name = "cicd-docker-env"
+name = "cloud-native-devops-env"
 version = "1.0.0"
-description = "OpenEnv environment for debugging CI/CD infrastructure — GitHub Actions workflows and Dockerfiles."
+description = "OpenEnv environment for debugging cloud-native deployment pipelines — GitHub Actions workflows, Dockerfiles, and Kubernetes manifests."
 readme = "README.md"
 license = {text = "MIT"}
 requires-python = ">=3.10"
 authors = [
     {name = "Krishna"},
 ]
-keywords = ["openenv", "cicd", "docker", "github-actions", "debugging"]
+keywords = ["openenv", "cicd", "docker", "github-actions", "kubernetes", "debugging", "cloud-native"]
 classifiers = [
     "Programming Language :: Python :: 3",
     "License :: OSI Approved :: MIT License",
@@ -44,7 +44,7 @@ inference = [
 server = "server.app:main"
 
 [project.urls]
-Homepage = "https://huggingface.co/spaces/jester1177/cicd-docker-env"
+Homepage = "https://huggingface.co/spaces/jester1177/cloud-native-devops-env"
 Repository = "https://github.com/melohub-xbit/GitHubActions-Docker-OpenEnv"
 
 [tool.setuptools.packages.find]

server/app.py

@@ -1,4 +1,4 @@
-"""FastAPI server for the CI/CD Debug Environment."""
+"""FastAPI server for the Cloud-Native DevOps Debug Environment."""
 
 from pathlib import Path
 from typing import Optional
@@ -31,8 +31,8 @@ from server.tasks.task_registry import TASK_REGISTRY
 STATIC_DIR = Path(__file__).resolve().parent / "static"
 
 app = FastAPI(
-    title="CI/CD + Docker Debug Environment",
-    description="OpenEnv-style environment for Docker + GitHub Actions debugging",
+    title="Cloud-Native Debug Environment",
+    description="OpenEnv-style environment for Docker + GitHub Actions + Kubernetes debugging",
     version="1.0.0",
 )
 
@@ -64,11 +64,11 @@ async def health():
 @app.get("/metadata")
 async def metadata():
     return {
-        "name": "cicd-docker-env",
-        "description": "Debug broken GitHub Actions workflows and Dockerfiles. AI agents identify and fix CI/CD infrastructure issues.",
+        "name": "cloud-native-devops-env",
+        "description": "Debug broken GitHub Actions workflows, Dockerfiles, and Kubernetes manifests. AI agents identify and fix cloud-native deployment pipeline issues.",
         "version": "1.0.0",
         "author": "Krishna",
-        "tags": ["devops", "docker", "github-actions", "debugging", "infrastructure"],
+        "tags": ["devops", "docker", "github-actions", "kubernetes", "debugging", "infrastructure", "cloud-native"],
     }
 
 
@@ -95,7 +95,7 @@ async def mcp(request: dict = None):
             "result": {
                 "protocolVersion": "2024-11-05",
                 "capabilities": {"tools": {}},
-                "serverInfo": {"name": "cicd-docker-env", "version": "1.0.0"},
+                "serverInfo": {"name": "cloud-native-devops-env", "version": "1.0.0"},
             },
         }
     elif method == "tools/list":

server/environment.py

@@ -15,6 +15,7 @@ from server.models import (
     TaskDifficulty,
 )
 from server.simulators.docker_simulator import DockerSimulator
+from server.simulators.k8s_simulator import KubernetesSimulator
 from server.simulators.workflow_simulator import WorkflowSimulator
 from server.tasks.task_registry import TASK_REGISTRY, get_task
 
@@ -73,14 +74,17 @@ class CICDDebugEnvironment:
         docker_result = self.docker_sim.validate(self.current_files.get("Dockerfile"), self.current_files)
         workflow_file = self._find_workflow_file()
         workflow_result = self.workflow_sim.validate(workflow_file, self.current_files)
+        k8s_result = self.k8s_sim.validate(self.current_files)
         return {
             "docker_build_valid": bool(docker_result.get("build_success", False)),
             "workflow_parse_valid": bool(workflow_result.get("parse_success", False)),
+            "k8s_valid": bool(k8s_result.get("valid", True)),
         }
 
     def __init__(self):
         self.docker_sim = DockerSimulator()
         self.workflow_sim = WorkflowSimulator()
+        self.k8s_sim = KubernetesSimulator()
 
         self.current_task_id: Optional[str] = None
         self.current_scenario_id: Optional[str] = None
@@ -203,6 +207,20 @@ class CICDDebugEnvironment:
         applied_count = 0
         for edit in action.edits:
             if edit.file_path not in self.current_files:
+                # Allow creating new files (needed for K8s ConfigMap scenarios etc.)
+                if action.action_type == ActionType.EDIT_FILE and edit.new_content:
+                    ft = FileType.OTHER
+                    if edit.file_path.startswith("k8s/") or edit.file_path.endswith(".yaml") or edit.file_path.endswith(".yml"):
+                        ft = FileType.KUBERNETES
+                    self.current_files[edit.file_path] = FileContent(
+                        path=edit.file_path,
+                        content=edit.new_content,
+                        file_type=ft,
+                        line_count=edit.new_content.count("\n") + 1,
+                    )
+                    feedbacks.append(f"Created new file: {edit.file_path}")
+                    applied_count += 1
+                    continue
                 feedbacks.append(f"File not found: {edit.file_path}")
                 continue
 
@@ -277,6 +295,9 @@ class CICDDebugEnvironment:
         if not before_validation["workflow_parse_valid"] and after_validation["workflow_parse_valid"]:
             reward += 0.1
             feedbacks.append("Workflow parse validity improved")
+        if not before_validation["k8s_valid"] and after_validation["k8s_valid"]:
+            reward += 0.1
+            feedbacks.append("Kubernetes manifest validity improved")
 
         if applied_count == 0:
             self.last_action_success = False
@@ -290,6 +311,10 @@ class CICDDebugEnvironment:
         for fix in self.expected_fixes:
             file_path = fix["file"]
             if file_path not in self.current_files:
+                # For "contains" checks on missing files, the fix is not applied
+                # For "not_contains" checks on missing files, consider it fixed
+                if fix["type"] == "not_contains":
+                    fixes_applied += 1
                 continue
             current_content = self.current_files[file_path].content
             if fix["type"] == "contains" and fix["expected"] in current_content:
@@ -313,35 +338,84 @@ class CICDDebugEnvironment:
         docker_result = self.docker_sim.validate(self.current_files.get("Dockerfile"), self.current_files)
         workflow_file = self._find_workflow_file()
         workflow_result = self.workflow_sim.validate(workflow_file, self.current_files)
+        k8s_result = self.k8s_sim.validate(self.current_files)
+
+        has_k8s = any(fc.file_type == FileType.KUBERNETES for fc in self.current_files.values())
+        has_docker = "Dockerfile" in self.current_files
+        has_workflow = workflow_file is not None
 
         reward = 0.0
         parts: List[str] = []
 
-        if docker_result["build_success"]:
-            reward += 0.3
-            parts.append("Docker build: PASS")
+        # Determine weight distribution based on what file types are present
+        if has_docker and has_workflow and has_k8s:
+            # Full stack: Docker 20%, Workflow 30%, K8s 30%, fix progress 20%
+            docker_w, wf_w, k8s_w = 0.20, 0.30, 0.30
+        elif has_docker and has_workflow:
+            docker_w, wf_w, k8s_w = 0.50, 0.50, 0.0
+        elif has_docker and has_k8s:
+            docker_w, wf_w, k8s_w = 0.40, 0.0, 0.40
+        elif has_workflow and has_k8s:
+            docker_w, wf_w, k8s_w = 0.0, 0.40, 0.40
+        elif has_k8s:
+            docker_w, wf_w, k8s_w = 0.0, 0.0, 0.80
+        elif has_docker:
+            docker_w, wf_w, k8s_w = 0.50, 0.0, 0.0
         else:
-            parts.append(f"Docker build: FAIL - {docker_result.get('error', 'unknown')}")
+            docker_w, wf_w, k8s_w = 0.0, 0.50, 0.0
 
-        if docker_result["run_success"]:
-            reward += 0.2
-            parts.append("Docker run: PASS")
-        else:
-            parts.append(f"Docker run: FAIL - {docker_result.get('run_error', 'unknown')}")
+        # Docker validation
+        if has_docker:
+            if docker_result.get("build_success"):
+                reward += docker_w * 0.6
+                parts.append("Docker build: PASS")
+            else:
+                parts.append(f"Docker build: FAIL - {docker_result.get('error', 'unknown')}")
 
-        if workflow_result["parse_success"]:
-            reward += 0.2
-            parts.append("Workflow parse: PASS")
-        else:
-            parts.append(f"Workflow parse: FAIL - {workflow_result.get('error', 'unknown')}")
+            if docker_result.get("run_success"):
+                reward += docker_w * 0.4
+                parts.append("Docker run: PASS")
+            else:
+                parts.append(f"Docker run: FAIL - {docker_result.get('run_error', 'unknown')}")
 
-        if workflow_result["execution_success"]:
-            reward += 0.3
-            parts.append("Workflow execution: PASS")
-        else:
-            parts.append(f"Workflow execution: FAIL - {workflow_result.get('exec_error', 'unknown')}")
+        # Workflow validation
+        if has_workflow:
+            if workflow_result["parse_success"]:
+                reward += wf_w * 0.4
+                parts.append("Workflow parse: PASS")
+            else:
+                parts.append(f"Workflow parse: FAIL - {workflow_result.get('error', 'unknown')}")
+
+            if workflow_result["execution_success"]:
+                reward += wf_w * 0.6
+                parts.append("Workflow execution: PASS")
+            else:
+                parts.append(f"Workflow execution: FAIL - {workflow_result.get('exec_error', 'unknown')}")
+
+        # Kubernetes validation
+        if has_k8s:
+            if k8s_result["valid"]:
+                reward += k8s_w * 0.4
+                parts.append("K8s manifests: VALID")
+            else:
+                k8s_errors = k8s_result.get("errors", [])
+                parts.append(f"K8s manifests: INVALID - {'; '.join(k8s_errors[:2])}")
+
+            pod_status = k8s_result.get("pod_status", "N/A")
+            if pod_status == "Running":
+                reward += k8s_w * 0.3
+                parts.append(f"K8s pod status: {pod_status}")
+            else:
+                parts.append(f"K8s pod status: {pod_status}")
+
+            svc_status = k8s_result.get("service_status", "N/A")
+            if "active" in svc_status.lower() or svc_status == "N/A":
+                reward += k8s_w * 0.3
+                parts.append(f"K8s service: {svc_status}")
+            else:
+                parts.append(f"K8s service: {svc_status}")
 
-        self.last_action_success = reward >= 0.8
+        self.last_action_success = reward >= 0.6
         return reward, "; ".join(parts)
 
     def _handle_hint_request(self) -> Tuple[float, str]:

server/models.py

@@ -23,11 +23,20 @@ class ActionType(str, Enum):
     REQUEST_HINT = "request_hint"
 
 
+class TaskDifficultyExtended(str, Enum):
+    EASY = "easy"
+    MEDIUM = "medium"
+    MEDIUM_HARD = "medium-hard"
+    HARD = "hard"
+    EXPERT = "expert"
+
+
 class FileType(str, Enum):
     DOCKERFILE = "dockerfile"
     WORKFLOW = "workflow"
     DOCKER_COMPOSE = "docker_compose"
     REQUIREMENTS = "requirements"
+    KUBERNETES = "kubernetes"
     OTHER = "other"
 
 
@@ -38,6 +47,11 @@ class ErrorPhase(str, Enum):
     TEST = "test"
     PUSH = "push"
     DEPLOY = "deploy"
+    K8S_VALIDATION = "k8s_validation"
+    K8S_RUNTIME = "k8s_runtime"
+    K8S_NETWORKING = "k8s_networking"
+    PIPELINE_BUILD = "pipeline_build"
+    PIPELINE_DEPLOY = "pipeline_deploy"
 
 
 class FileContent(BaseModel):
@@ -97,9 +111,9 @@ class TaskInfo(BaseModel):
 
 
 class EnvironmentInfo(BaseModel):
-    name: str = "cicd-docker-env"
+    name: str = "cloud-native-devops-env"
     version: str = "1.0.0"
-    description: str = "Debug CI/CD infrastructure issues"
+    description: str = "Debug cloud-native deployment pipeline issues"
     tasks: List[TaskInfo]
     max_steps: int = 10
     action_space: Dict[str, Any]
@@ -108,7 +122,7 @@ class EnvironmentInfo(BaseModel):
 
 class GraderResult(BaseModel):
     task_id: str
-    score: float = Field(..., gt=0.0, lt=1.0)
+    score: float = Field(..., ge=0.0, le=1.0)
     max_score: float = 1.0
     breakdown: Dict[str, float] = Field(default_factory=dict)
     feedback: str = ""

server/simulators/k8s_simulator.py

@@ -0,0 +1,328 @@
+"""Kubernetes manifest validator and simulator — deterministic, rule-based."""
+
+import re
+from typing import Any, Dict, List, Optional
+
+import yaml
+
+from server.models import FileContent
+
+
+# Valid top-level K8s resource kinds we recognise
+VALID_KINDS = {
+    "Deployment", "StatefulSet", "DaemonSet", "ReplicaSet",
+    "Pod", "Service", "Ingress", "ConfigMap", "Secret",
+    "PersistentVolumeClaim", "PersistentVolume",
+    "Job", "CronJob", "Namespace", "ServiceAccount",
+    "Role", "RoleBinding", "ClusterRole", "ClusterRoleBinding",
+    "HorizontalPodAutoscaler", "NetworkPolicy",
+}
+
+VALID_API_VERSIONS = {
+    "v1", "apps/v1", "batch/v1", "networking.k8s.io/v1",
+    "rbac.authorization.k8s.io/v1", "autoscaling/v2",
+    "autoscaling/v1", "policy/v1",
+}
+
+
+def _parse_memory(mem_str: str) -> int:
+    """Parse K8s memory string to bytes."""
+    mem_str = str(mem_str).strip()
+    multipliers = {
+        "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4,
+        "K": 1000, "M": 1000**2, "G": 1000**3, "T": 1000**4,
+    }
+    for suffix, mult in multipliers.items():
+        if mem_str.endswith(suffix):
+            return int(mem_str[:-len(suffix)]) * mult
+    if mem_str.isdigit():
+        return int(mem_str)
+    return 0
+
+
+class KubernetesSimulator:
+    """Simulates kubectl apply / kubectl get output.
+
+    Validates K8s manifests without a real cluster.
+    """
+
+    def validate(self, manifests: Dict[str, FileContent]) -> Dict[str, Any]:
+        """Validate all Kubernetes manifests in the file set.
+
+        Returns dict with keys:
+            valid: bool
+            errors: list of error strings
+            pod_status: simulated pod status
+            service_status: simulated service endpoint status
+        """
+        k8s_files: Dict[str, Any] = {}
+        errors: List[str] = []
+
+        # Parse all K8s YAML files
+        for path, fc in manifests.items():
+            if fc.file_type.value != "kubernetes":
+                continue
+            try:
+                docs = list(yaml.safe_load_all(fc.content))
+                for doc in docs:
+                    if doc and isinstance(doc, dict):
+                        k8s_files[path] = doc
+            except yaml.YAMLError as exc:
+                errors.append(f"YAML parse error in {path}: {exc}")
+
+        if not k8s_files and not errors:
+            return {"valid": True, "errors": [], "pod_status": "N/A", "service_status": "N/A"}
+
+        if errors:
+            return {"valid": False, "errors": errors, "pod_status": "Error", "service_status": "Error"}
+
+        # Validate each manifest
+        all_resources: List[Dict[str, Any]] = []
+        for path, doc in k8s_files.items():
+            resource_errors = self._validate_resource(path, doc)
+            errors.extend(resource_errors)
+            all_resources.append({"path": path, "doc": doc})
+
+        # Cross-resource validation
+        cross_errors = self._validate_cross_resources(all_resources)
+        errors.extend(cross_errors)
+
+        # Simulate pod status
+        pod_status = self._simulate_pod_status(all_resources)
+        service_status = self._simulate_service_status(all_resources)
+
+        return {
+            "valid": len(errors) == 0,
+            "errors": errors,
+            "pod_status": pod_status,
+            "service_status": service_status,
+        }
+
+    def _validate_resource(self, path: str, doc: Dict[str, Any]) -> List[str]:
+        """Validate a single K8s resource document."""
+        errors: List[str] = []
+
+        kind = doc.get("kind", "")
+        api_version = doc.get("apiVersion", "")
+
+        if not kind:
+            errors.append(f"{path}: missing 'kind' field")
+        elif kind not in VALID_KINDS:
+            errors.append(f"{path}: unknown kind '{kind}'")
+
+        if not api_version:
+            errors.append(f"{path}: missing 'apiVersion' field")
+        elif api_version not in VALID_API_VERSIONS:
+            errors.append(f"{path}: unknown apiVersion '{api_version}'")
+
+        metadata = doc.get("metadata", {})
+        if not isinstance(metadata, dict) or not metadata.get("name"):
+            errors.append(f"{path}: metadata.name is required")
+
+        # Kind-specific validation
+        if kind == "Deployment":
+            errors.extend(self._validate_deployment(path, doc))
+        elif kind == "Service":
+            errors.extend(self._validate_service(path, doc))
+        elif kind == "Ingress":
+            errors.extend(self._validate_ingress(path, doc))
+
+        return errors
+
+    def _validate_deployment(self, path: str, doc: Dict[str, Any]) -> List[str]:
+        errors: List[str] = []
+        spec = doc.get("spec", {})
+        if not isinstance(spec, dict):
+            errors.append(f"{path}: Deployment spec must be a mapping")
+            return errors
+
+        selector = spec.get("selector", {})
+        template = spec.get("template", {})
+
+        if not selector or not selector.get("matchLabels"):
+            errors.append(f"{path}: Deployment must have spec.selector.matchLabels")
+            return errors
+
+        tmpl_labels = template.get("metadata", {}).get("labels", {})
+        sel_labels = selector.get("matchLabels", {})
+
+        # selector must match template labels
+        for k, v in sel_labels.items():
+            if tmpl_labels.get(k) != v:
+                errors.append(
+                    f"{path}: selector matchLabels ({k}={v}) does not match template labels"
+                )
+
+        # Validate containers
+        containers = template.get("spec", {}).get("containers", [])
+        if not containers:
+            errors.append(f"{path}: Deployment must have at least one container")
+
+        for c in containers:
+            if not c.get("image"):
+                errors.append(f"{path}: container '{c.get('name', '?')}' missing image")
+
+        return errors
+
+    def _validate_service(self, path: str, doc: Dict[str, Any]) -> List[str]:
+        errors: List[str] = []
+        spec = doc.get("spec", {})
+        if not isinstance(spec, dict):
+            errors.append(f"{path}: Service spec must be a mapping")
+            return errors
+
+        if not spec.get("selector"):
+            errors.append(f"{path}: Service must have spec.selector")
+
+        ports = spec.get("ports", [])
+        if not ports:
+            errors.append(f"{path}: Service must define at least one port")
+
+        for p in ports:
+            if not p.get("port"):
+                errors.append(f"{path}: Service port entry missing 'port' field")
+
+        return errors
+
+    def _validate_ingress(self, path: str, doc: Dict[str, Any]) -> List[str]:
+        errors: List[str] = []
+        spec = doc.get("spec", {})
+        rules = spec.get("rules", [])
+        if not rules:
+            errors.append(f"{path}: Ingress must define at least one rule")
+        return errors
+
+    def _validate_cross_resources(self, resources: List[Dict[str, Any]]) -> List[str]:
+        """Validate cross-resource dependencies (e.g. Service selector matches Deployment labels)."""
+        errors: List[str] = []
+
+        # Collect all pod labels from Deployments/StatefulSets
+        pod_labels_by_name: Dict[str, Dict[str, str]] = {}
+        for r in resources:
+            doc = r["doc"]
+            kind = doc.get("kind", "")
+            if kind in ("Deployment", "StatefulSet", "DaemonSet"):
+                tmpl = doc.get("spec", {}).get("template", {})
+                labels = tmpl.get("metadata", {}).get("labels", {})
+                name = doc.get("metadata", {}).get("name", "?")
+                pod_labels_by_name[name] = labels
+
+        # Check Service selectors match some pod labels
+        for r in resources:
+            doc = r["doc"]
+            if doc.get("kind") != "Service":
+                continue
+            svc_name = doc.get("metadata", {}).get("name", "?")
+            selector = doc.get("spec", {}).get("selector", {})
+            if not selector:
+                continue
+
+            matched = False
+            for dep_name, labels in pod_labels_by_name.items():
+                if all(labels.get(k) == v for k, v in selector.items()):
+                    matched = True
+                    break
+            if not matched and pod_labels_by_name:
+                errors.append(
+                    f"Service '{svc_name}' selector {selector} does not match any pod labels"
+                )
+
+        return errors
+
+    def _simulate_pod_status(self, resources: List[Dict[str, Any]]) -> str:
+        """Simulate what pod status would be."""
+        for r in resources:
+            doc = r["doc"]
+            kind = doc.get("kind", "")
+            if kind not in ("Deployment", "StatefulSet", "DaemonSet", "Pod"):
+                continue
+
+            if kind == "Pod":
+                containers = doc.get("spec", {}).get("containers", [])
+            else:
+                containers = doc.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])
+
+            for c in containers:
+                image = c.get("image", "")
+
+                # Check for image typos (common: latset, lates, etc.)
+                if image and ":" in image:
+                    tag = image.split(":")[-1]
+                    if tag in ("latset", "lates", "latets"):
+                        return "ImagePullBackOff"
+
+                # Check for hardcoded placeholder images
+                if "OWNER/REPO" in image or "TAG" in image:
+                    return "ImagePullBackOff"
+
+                # Check memory limits
+                resources_spec = c.get("resources", {})
+                limits = resources_spec.get("limits", {})
+                mem_limit = limits.get("memory", "")
+                if mem_limit:
+                    mem_bytes = _parse_memory(str(mem_limit))
+                    # Simulate OOM if memory limit is very low
+                    if 0 < mem_bytes < 128 * 1024 * 1024:  # < 128Mi
+                        return "CrashLoopBackOff (OOMKilled)"
+
+                # Check command
+                command = c.get("command", [])
+                if command and isinstance(command, list):
+                    if any("wrong" in str(cmd).lower() or "typo" in str(cmd).lower() for cmd in command):
+                        return "CrashLoopBackOff"
+
+                # Check env refs to missing configmaps
+                env_from = c.get("envFrom", [])
+                for ef in env_from:
+                    cm_ref = ef.get("configMapRef", {})
+                    if cm_ref and cm_ref.get("name"):
+                        # Check if configmap exists in resources
+                        cm_exists = any(
+                            res["doc"].get("kind") == "ConfigMap"
+                            and res["doc"].get("metadata", {}).get("name") == cm_ref["name"]
+                            for res in resources
+                        )
+                        if not cm_exists:
+                            return f"CreateContainerConfigError (ConfigMap '{cm_ref['name']}' not found)"
+
+        return "Running"
+
+    def _simulate_service_status(self, resources: List[Dict[str, Any]]) -> str:
+        """Simulate service endpoint status."""
+        services = [r for r in resources if r["doc"].get("kind") == "Service"]
+        deployments = [r for r in resources if r["doc"].get("kind") in ("Deployment", "StatefulSet")]
+
+        if not services:
+            return "N/A"
+
+        for svc_r in services:
+            svc = svc_r["doc"]
+            selector = svc.get("spec", {}).get("selector", {})
+            if not selector:
+                continue
+
+            matched = False
+            for dep_r in deployments:
+                dep = dep_r["doc"]
+                tmpl_labels = dep.get("spec", {}).get("template", {}).get("metadata", {}).get("labels", {})
+                if all(tmpl_labels.get(k) == v for k, v in selector.items()):
+                    matched = True
+
+                    # Check port matching
+                    svc_ports = svc.get("spec", {}).get("ports", [])
+                    container_ports = []
+                    for c in dep.get("spec", {}).get("template", {}).get("spec", {}).get("containers", []):
+                        for p in c.get("ports", []):
+                            container_ports.append(p.get("containerPort"))
+
+                    for sp in svc_ports:
+                        tp = sp.get("targetPort")
+                        if tp and tp not in container_ports and container_ports:
+                            return f"Service port mismatch: targetPort {tp} not in container ports {container_ports}"
+                    break
+
+            if not matched:
+                svc_name = svc.get("metadata", {}).get("name", "?")
+                return f"No endpoints (selector {selector} matches no pods)"
+
+        return "Endpoints active"

server/static/index.html

@@ -3,8 +3,8 @@
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>CI/CD + Docker Debug Environment</title>
-    <meta name="description" content="OpenEnv environment where AI agents learn to debug broken GitHub Actions workflows and Dockerfiles.">
+    <title>Cloud-Native DevOps Debug Environment</title>
+    <meta name="description" content="OpenEnv environment where AI agents learn to debug broken GitHub Actions workflows, Dockerfiles, and Kubernetes manifests.">
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700;800&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
     <style>
@@ -504,7 +504,7 @@
             OpenEnv Environment &middot; Live
         </div>
         <h1>
-            <span class="gradient-text">CI/CD + Docker</span><br>
+            <span class="gradient-text">Cloud-Native DevOps</span><br>
             Debug Environment
         </h1>
         <p>

server/tasks/k8s_networking.py

@@ -0,0 +1,463 @@
+"""Task: Kubernetes Service & Ingress Issues — MEDIUM-HARD.
+
+Agent fixes networking issues in Kubernetes:
+selector mismatch, port mismatch, ingress path errors,
+NetworkPolicy blocking traffic, missing ingress annotations.
+"""
+
+from server.models import TaskDifficulty
+from server.tasks.base import BaseTask
+
+
+class K8sNetworkingTask(BaseTask):
+    NAME = "Kubernetes Service & Ingress Issues"
+    DESCRIPTION = "Fix Kubernetes networking issues including Service selectors, port mismatches, and Ingress configuration"
+    DIFFICULTY = TaskDifficulty.HARD
+    AVAILABLE_SECRETS = []
+
+    SCENARIOS = [
+        # Scenario 1: Service selector does not match Deployment labels
+        {
+            "id": "selector_mismatch",
+            "files": [
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: api\n"
+                        "spec:\n"
+                        "  replicas: 3\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: api-server\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: api-server\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: api\n"
+                        "        image: myapp:latest\n"
+                        "        ports:\n"
+                        "        - containerPort: 8080\n"
+                    ),
+                },
+                {
+                    "path": "k8s/service.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: v1\n"
+                        "kind: Service\n"
+                        "metadata:\n"
+                        "  name: api-service\n"
+                        "spec:\n"
+                        "  selector:\n"
+                        "    app: api\n"
+                        "  ports:\n"
+                        "  - port: 80\n"
+                        "    targetPort: 8080\n"
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "k8s_networking",
+                "message": (
+                    "$ kubectl get endpoints api-service\n"
+                    "NAME          ENDPOINTS   AGE\n"
+                    "api-service   <none>      5m\n"
+                    "\n"
+                    "$ kubectl describe service api-service\n"
+                    "Name:              api-service\n"
+                    "Selector:          app=api\n"
+                    "Type:              ClusterIP\n"
+                    "Endpoints:         <none>\n"
+                    "\n"
+                    "$ kubectl get pods --show-labels\n"
+                    "NAME                   READY   STATUS    LABELS\n"
+                    "api-7f8d9c6b5-x2k9m   1/1     Running   app=api-server\n"
+                    "api-7f8d9c6b5-y3l0n   1/1     Running   app=api-server\n"
+                    "api-7f8d9c6b5-z4m1o   1/1     Running   app=api-server\n"
+                    "\n"
+                    "Note: Service selector 'app=api' does not match pod label 'app=api-server'"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": "k8s/service.yaml",
+                    "type": "contains",
+                    "expected": "app: api-server",
+                    "hint": "Service selector 'app: api' doesn't match Deployment label 'app: api-server'",
+                }
+            ],
+        },
+
+        # Scenario 2: Service targetPort does not match container port
+        {
+            "id": "port_mismatch",
+            "files": [
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: frontend\n"
+                        "spec:\n"
+                        "  replicas: 2\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: frontend\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: frontend\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: frontend\n"
+                        "        image: frontend:v1.0\n"
+                        "        ports:\n"
+                        "        - containerPort: 3000\n"
+                    ),
+                },
+                {
+                    "path": "k8s/service.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: v1\n"
+                        "kind: Service\n"
+                        "metadata:\n"
+                        "  name: frontend-svc\n"
+                        "spec:\n"
+                        "  selector:\n"
+                        "    app: frontend\n"
+                        "  ports:\n"
+                        "  - port: 80\n"
+                        "    targetPort: 8080\n"
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "k8s_networking",
+                "message": (
+                    "$ kubectl get endpoints frontend-svc\n"
+                    "NAME           ENDPOINTS         AGE\n"
+                    "frontend-svc   10.244.0.5:8080   3m\n"
+                    "\n"
+                    "$ curl http://frontend-svc\n"
+                    "curl: (7) Failed to connect to frontend-svc port 80: Connection refused\n"
+                    "\n"
+                    "$ kubectl exec -it test-pod -- wget -qO- http://10.244.0.5:3000\n"
+                    "<!DOCTYPE html><html>...</html>\n"
+                    "\n"
+                    "Note: Service targetPort is 8080 but container listens on 3000"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": "k8s/service.yaml",
+                    "type": "contains",
+                    "expected": "targetPort: 3000",
+                    "hint": "Service targetPort (8080) doesn't match container port (3000)",
+                }
+            ],
+        },
+
+        # Scenario 3: Ingress path not matching backend service
+        {
+            "id": "ingress_wrong_service",
+            "files": [
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: api\n"
+                        "spec:\n"
+                        "  replicas: 2\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: api\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: api\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: api\n"
+                        "        image: myapi:v1.0\n"
+                        "        ports:\n"
+                        "        - containerPort: 8080\n"
+                    ),
+                },
+                {
+                    "path": "k8s/service.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: v1\n"
+                        "kind: Service\n"
+                        "metadata:\n"
+                        "  name: api-service\n"
+                        "spec:\n"
+                        "  selector:\n"
+                        "    app: api\n"
+                        "  ports:\n"
+                        "  - port: 80\n"
+                        "    targetPort: 8080\n"
+                    ),
+                },
+                {
+                    "path": "k8s/ingress.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: networking.k8s.io/v1\n"
+                        "kind: Ingress\n"
+                        "metadata:\n"
+                        "  name: api-ingress\n"
+                        "spec:\n"
+                        "  rules:\n"
+                        "  - host: api.example.com\n"
+                        "    http:\n"
+                        "      paths:\n"
+                        "      - path: /\n"
+                        "        pathType: Prefix\n"
+                        "        backend:\n"
+                        "          service:\n"
+                        "            name: api-svc\n"
+                        "            port:\n"
+                        "              number: 80\n"
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "k8s_networking",
+                "message": (
+                    "$ kubectl describe ingress api-ingress\n"
+                    "Name:             api-ingress\n"
+                    "Rules:\n"
+                    "  Host             Path  Backends\n"
+                    "  ----             ----  --------\n"
+                    "  api.example.com\n"
+                    "                   /     api-svc:80 (<error: endpoints \"api-svc\" not found>)\n"
+                    "\n"
+                    "$ kubectl get svc\n"
+                    "NAME          TYPE        CLUSTER-IP     PORT(S)\n"
+                    "api-service   ClusterIP   10.96.0.10     80/TCP\n"
+                    "\n"
+                    "Note: Ingress references service 'api-svc' but the actual service name is 'api-service'"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": "k8s/ingress.yaml",
+                    "type": "contains",
+                    "expected": "name: api-service",
+                    "hint": "Ingress backend references 'api-svc' but the Service is named 'api-service'",
+                }
+            ],
+        },
+
+        # Scenario 4: NetworkPolicy blocking all ingress traffic
+        {
+            "id": "network_policy_blocking",
+            "files": [
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: database\n"
+                        "spec:\n"
+                        "  replicas: 1\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: database\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: database\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: postgres\n"
+                        "        image: postgres:15\n"
+                        "        ports:\n"
+                        "        - containerPort: 5432\n"
+                        "        env:\n"
+                        "        - name: POSTGRES_PASSWORD\n"
+                        '          value: "secretpass"\n'
+                    ),
+                },
+                {
+                    "path": "k8s/service.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: v1\n"
+                        "kind: Service\n"
+                        "metadata:\n"
+                        "  name: database-svc\n"
+                        "spec:\n"
+                        "  selector:\n"
+                        "    app: database\n"
+                        "  ports:\n"
+                        "  - port: 5432\n"
+                        "    targetPort: 5432\n"
+                    ),
+                },
+                {
+                    "path": "k8s/networkpolicy.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: networking.k8s.io/v1\n"
+                        "kind: NetworkPolicy\n"
+                        "metadata:\n"
+                        "  name: db-policy\n"
+                        "spec:\n"
+                        "  podSelector:\n"
+                        "    matchLabels:\n"
+                        "      app: database\n"
+                        "  policyTypes:\n"
+                        "  - Ingress\n"
+                        "  ingress: []\n"
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "k8s_networking",
+                "message": (
+                    "$ kubectl exec -it api-pod -- pg_isready -h database-svc -p 5432\n"
+                    "database-svc:5432 - no response\n"
+                    "\n"
+                    "$ kubectl get pods\n"
+                    "NAME                        READY   STATUS    RESTARTS   AGE\n"
+                    "database-6b8f9d7c4-kj3m2    1/1     Running   0          5m\n"
+                    "api-pod                      1/1     Running   0          5m\n"
+                    "\n"
+                    "$ kubectl get networkpolicy\n"
+                    "NAME        POD-SELECTOR    AGE\n"
+                    "db-policy   app=database    5m\n"
+                    "\n"
+                    "$ kubectl describe networkpolicy db-policy\n"
+                    "Spec:\n"
+                    "  PodSelector:     app=database\n"
+                    "  Allowing ingress traffic: <none> (Selected pods are isolated for ingress connectivity)\n"
+                    "\n"
+                    "Note: NetworkPolicy with empty ingress list blocks ALL inbound traffic to the database"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": "k8s/networkpolicy.yaml",
+                    "type": "contains",
+                    "expected": "app: api",
+                    "hint": "NetworkPolicy has empty ingress rules (blocks all traffic). Add an ingress rule allowing traffic from pods with label 'app: api'.",
+                }
+            ],
+        },
+
+        # Scenario 5: Ingress missing ingressClassName
+        {
+            "id": "missing_ingress_class",
+            "files": [
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: webapp\n"
+                        "spec:\n"
+                        "  replicas: 2\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: webapp\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: webapp\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: webapp\n"
+                        "        image: webapp:v2.0\n"
+                        "        ports:\n"
+                        "        - containerPort: 8080\n"
+                    ),
+                },
+                {
+                    "path": "k8s/service.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: v1\n"
+                        "kind: Service\n"
+                        "metadata:\n"
+                        "  name: webapp-svc\n"
+                        "spec:\n"
+                        "  selector:\n"
+                        "    app: webapp\n"
+                        "  ports:\n"
+                        "  - port: 80\n"
+                        "    targetPort: 8080\n"
+                    ),
+                },
+                {
+                    "path": "k8s/ingress.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: networking.k8s.io/v1\n"
+                        "kind: Ingress\n"
+                        "metadata:\n"
+                        "  name: webapp-ingress\n"
+                        "spec:\n"
+                        "  rules:\n"
+                        "  - host: webapp.example.com\n"
+                        "    http:\n"
+                        "      paths:\n"
+                        "      - path: /\n"
+                        "        pathType: Prefix\n"
+                        "        backend:\n"
+                        "          service:\n"
+                        "            name: webapp-svc\n"
+                        "            port:\n"
+                        "              number: 80\n"
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "k8s_networking",
+                "message": (
+                    "$ kubectl describe ingress webapp-ingress\n"
+                    "Name:             webapp-ingress\n"
+                    "Address:          \n"
+                    "Rules:\n"
+                    "  Host                Path  Backends\n"
+                    "  ----                ----  --------\n"
+                    "  webapp.example.com  /     webapp-svc:80 (10.244.0.5:8080)\n"
+                    "\n"
+                    "$ curl -H 'Host: webapp.example.com' http://<loadbalancer-ip>/\n"
+                    "curl: (7) Failed to connect: Connection refused\n"
+                    "\n"
+                    "$ kubectl get ingressclass\n"
+                    "NAME    CONTROLLER                      PARAMETERS   AGE\n"
+                    "nginx   k8s.io/ingress-nginx           <none>       10d\n"
+                    "\n"
+                    "Note: Ingress has no ingressClassName specified. The cluster requires "
+                    "explicit ingressClassName: nginx"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": "k8s/ingress.yaml",
+                    "type": "contains",
+                    "expected": "ingressClassName: nginx",
+                    "hint": "Ingress needs 'ingressClassName: nginx' in the spec to be picked up by the nginx ingress controller",
+                }
+            ],
+        },
+    ]

server/tasks/k8s_pod.py

@@ -0,0 +1,352 @@
+"""Task: Kubernetes Pod Failures — MEDIUM.
+
+Agent fixes common pod failure scenarios:
+OOMKilled, ImagePullBackOff, wrong command, missing ConfigMap, liveness probe.
+"""
+
+from server.models import TaskDifficulty
+from server.tasks.base import BaseTask
+
+
+class K8sPodTask(BaseTask):
+    NAME = "Kubernetes Pod Failures"
+    DESCRIPTION = "Fix Kubernetes pod failures including CrashLoopBackOff, ImagePullBackOff, and resource issues"
+    DIFFICULTY = TaskDifficulty.MEDIUM
+    AVAILABLE_SECRETS = []
+
+    SCENARIOS = [
+        # Scenario 1: CrashLoopBackOff — OOMKilled (memory limit too low)
+        {
+            "id": "oom_killed",
+            "files": [
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: api-server\n"
+                        "spec:\n"
+                        "  replicas: 3\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: api\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: api\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: api\n"
+                        '        image: myapp:v1.2.3\n'
+                        "        resources:\n"
+                        "          limits:\n"
+                        '            memory: "64Mi"\n'
+                        '            cpu: "100m"\n'
+                        "        ports:\n"
+                        "        - containerPort: 8080\n"
+                    ),
+                }
+            ],
+            "error": {
+                "phase": "k8s_runtime",
+                "message": (
+                    "$ kubectl get pods\n"
+                    "NAME                          READY   STATUS             RESTARTS   AGE\n"
+                    "api-server-7d4b8c9f5-x2k9m   0/1     CrashLoopBackOff   5          3m\n"
+                    "\n"
+                    "$ kubectl describe pod api-server-7d4b8c9f5-x2k9m\n"
+                    "...\n"
+                    "State:          Waiting\n"
+                    "  Reason:       CrashLoopBackOff\n"
+                    "Last State:     Terminated\n"
+                    "  Reason:       OOMKilled\n"
+                    "  Exit Code:    137\n"
+                    "...\n"
+                    "Events:\n"
+                    "  Warning  OOMKilling  3m  kubelet  Memory limit 64Mi exceeded"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": "k8s/deployment.yaml",
+                    "type": "contains",
+                    "expected": 'memory: "256Mi"',
+                    "hint": "Container is OOMKilled with 64Mi limit. The app needs at least 256Mi.",
+                }
+            ],
+        },
+
+        # Scenario 2: ImagePullBackOff — image tag typo
+        {
+            "id": "image_pull_backoff",
+            "files": [
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: web-app\n"
+                        "spec:\n"
+                        "  replicas: 2\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: web\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: web\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: web\n"
+                        "        image: nginx:latset\n"
+                        "        ports:\n"
+                        "        - containerPort: 80\n"
+                    ),
+                }
+            ],
+            "error": {
+                "phase": "k8s_runtime",
+                "message": (
+                    "$ kubectl get pods\n"
+                    "NAME                       READY   STATUS             RESTARTS   AGE\n"
+                    "web-app-5f8d7b6c4-abc12    0/1     ImagePullBackOff   0          2m\n"
+                    "\n"
+                    "$ kubectl describe pod web-app-5f8d7b6c4-abc12\n"
+                    "...\n"
+                    "Events:\n"
+                    '  Warning  Failed   2m   kubelet  Failed to pull image "nginx:latset": '
+                    "rpc error: code = NotFound desc = failed to pull and unpack image: "
+                    "reference not found\n"
+                    "  Warning  Failed   2m   kubelet  Error: ImagePullBackOff\n"
+                    "..."
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": "k8s/deployment.yaml",
+                    "type": "contains",
+                    "expected": "image: nginx:latest",
+                    "hint": "Image tag has a typo: 'latset' should be 'latest'",
+                }
+            ],
+        },
+
+        # Scenario 3: CrashLoopBackOff — wrong command
+        {
+            "id": "wrong_command",
+            "files": [
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: worker\n"
+                        "spec:\n"
+                        "  replicas: 1\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: worker\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: worker\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: worker\n"
+                        "        image: python:3.11-slim\n"
+                        "        command: [\"python\", \"workers.py\"]\n"
+                        "        resources:\n"
+                        "          limits:\n"
+                        '            memory: "512Mi"\n'
+                        '            cpu: "500m"\n'
+                    ),
+                },
+                {
+                    "path": "app/worker.py",
+                    "type": "other",
+                    "content": (
+                        "import time\n"
+                        "\n"
+                        "def main():\n"
+                        "    while True:\n"
+                        "        print('Processing...')\n"
+                        "        time.sleep(5)\n"
+                        "\n"
+                        "if __name__ == '__main__':\n"
+                        "    main()\n"
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "k8s_runtime",
+                "message": (
+                    "$ kubectl get pods\n"
+                    "NAME                      READY   STATUS             RESTARTS   AGE\n"
+                    "worker-6b8f9d7c4-kj3m2    0/1     CrashLoopBackOff   4          2m\n"
+                    "\n"
+                    "$ kubectl logs worker-6b8f9d7c4-kj3m2\n"
+                    "python: can't open file '/workers.py': [Errno 2] No such file or directory\n"
+                    "\n"
+                    "$ kubectl describe pod worker-6b8f9d7c4-kj3m2\n"
+                    "...\n"
+                    "State:          Waiting\n"
+                    "  Reason:       CrashLoopBackOff\n"
+                    "Last State:     Terminated\n"
+                    "  Reason:       Error\n"
+                    "  Exit Code:    2\n"
+                    "..."
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": "k8s/deployment.yaml",
+                    "type": "contains",
+                    "expected": 'command: ["python", "worker.py"]',
+                    "hint": "The command references 'workers.py' but the file is named 'worker.py' (no 's')",
+                }
+            ],
+        },
+
+        # Scenario 4: CreateContainerConfigError — missing ConfigMap
+        {
+            "id": "missing_configmap",
+            "files": [
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: backend\n"
+                        "spec:\n"
+                        "  replicas: 2\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: backend\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: backend\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: backend\n"
+                        "        image: mybackend:v2.0\n"
+                        "        ports:\n"
+                        "        - containerPort: 8080\n"
+                        "        envFrom:\n"
+                        "        - configMapRef:\n"
+                        "            name: app-config\n"
+                        "        resources:\n"
+                        "          limits:\n"
+                        '            memory: "512Mi"\n'
+                        '            cpu: "500m"\n'
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "k8s_runtime",
+                "message": (
+                    "$ kubectl get pods\n"
+                    "NAME                       READY   STATUS                       RESTARTS   AGE\n"
+                    "backend-5c9d8f7b6-lm4n5    0/1     CreateContainerConfigError   0          1m\n"
+                    "\n"
+                    "$ kubectl describe pod backend-5c9d8f7b6-lm4n5\n"
+                    "...\n"
+                    "Events:\n"
+                    '  Warning  Failed  1m  kubelet  Error: configmap "app-config" not found\n'
+                    "..."
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": "k8s/configmap.yaml",
+                    "type": "contains",
+                    "expected": "name: app-config",
+                    "hint": "The ConfigMap 'app-config' is referenced but doesn't exist. Create a ConfigMap manifest.",
+                }
+            ],
+        },
+
+        # Scenario 5: Pod not ready — liveness probe failing
+        {
+            "id": "liveness_probe_failing",
+            "files": [
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: api\n"
+                        "spec:\n"
+                        "  replicas: 2\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: api\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: api\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: api\n"
+                        "        image: myapi:v3.1\n"
+                        "        ports:\n"
+                        "        - containerPort: 8080\n"
+                        "        livenessProbe:\n"
+                        "          httpGet:\n"
+                        "            path: /healthz\n"
+                        "            port: 3000\n"
+                        "          initialDelaySeconds: 5\n"
+                        "          periodSeconds: 10\n"
+                        "        readinessProbe:\n"
+                        "          httpGet:\n"
+                        "            path: /ready\n"
+                        "            port: 8080\n"
+                        "          initialDelaySeconds: 5\n"
+                        "          periodSeconds: 10\n"
+                        "        resources:\n"
+                        "          limits:\n"
+                        '            memory: "512Mi"\n'
+                        '            cpu: "500m"\n'
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "k8s_runtime",
+                "message": (
+                    "$ kubectl get pods\n"
+                    "NAME                   READY   STATUS    RESTARTS      AGE\n"
+                    "api-7f8d9c6b5-gh7j8    0/1     Running   3 (30s ago)  2m\n"
+                    "\n"
+                    "$ kubectl describe pod api-7f8d9c6b5-gh7j8\n"
+                    "...\n"
+                    "Events:\n"
+                    "  Warning  Unhealthy  90s  kubelet  Liveness probe failed: "
+                    "Get \"http://10.244.0.5:3000/healthz\": dial tcp 10.244.0.5:3000: "
+                    "connect: connection refused\n"
+                    "  Normal   Killing    90s  kubelet  Container api failed liveness probe, "
+                    "will be restarted\n"
+                    "...\n"
+                    "\n"
+                    "Note: The application listens on port 8080, not 3000."
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": "k8s/deployment.yaml",
+                    "type": "contains",
+                    "expected": "port: 8080\n          initialDelaySeconds: 5\n          periodSeconds: 10\n        readinessProbe:",
+                    "hint": "The liveness probe port (3000) doesn't match the container port (8080). Change liveness probe port to 8080.",
+                }
+            ],
+        },
+    ]

server/tasks/pipeline_build_deploy.py

@@ -0,0 +1,361 @@
+"""Task: CI/CD Build & Push Pipeline — HARD.
+
+Agent debugs combined GHA + Docker + Registry pipeline failures:
+GHCR login missing token, wrong image tag in workflow, missing permissions,
+Dockerfile + workflow arg mismatch, multi-stage build output mismatch.
+"""
+
+from server.models import TaskDifficulty
+from server.tasks.base import BaseTask
+
+
+class PipelineBuildDeployTask(BaseTask):
+    NAME = "CI/CD Build & Push Pipeline"
+    DESCRIPTION = "Debug GHA-to-Docker-to-Registry pipeline failures across multiple files"
+    DIFFICULTY = TaskDifficulty.HARD
+    AVAILABLE_SECRETS = ["GITHUB_TOKEN", "DOCKER_USERNAME", "DOCKER_PASSWORD"]
+
+    SCENARIOS = [
+        # Scenario 1: GHCR login — GITHUB_TOKEN not mapped to env
+        {
+            "id": "ghcr_token_not_mapped",
+            "files": [
+                {
+                    "path": ".github/workflows/deploy.yml",
+                    "type": "workflow",
+                    "content": (
+                        "name: Build and Push to GHCR\n"
+                        "on:\n"
+                        "  push:\n"
+                        "    branches: [main]\n"
+                        "\n"
+                        "jobs:\n"
+                        "  build:\n"
+                        "    runs-on: ubuntu-latest\n"
+                        "    steps:\n"
+                        "      - uses: actions/checkout@v4\n"
+                        "\n"
+                        "      - name: Login to GHCR\n"
+                        "        run: echo $GITHUB_TOKEN | docker login ghcr.io -u ${{ github.actor }} --password-stdin\n"
+                        "\n"
+                        "      - name: Build image\n"
+                        "        run: docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .\n"
+                        "\n"
+                        "      - name: Push image\n"
+                        "        run: docker push ghcr.io/${{ github.repository }}:${{ github.sha }}\n"
+                    ),
+                },
+                {
+                    "path": "Dockerfile",
+                    "type": "dockerfile",
+                    "content": (
+                        "FROM node:20-alpine\n"
+                        "WORKDIR /app\n"
+                        "COPY package*.json ./\n"
+                        "RUN npm ci\n"
+                        "COPY . .\n"
+                        "EXPOSE 3000\n"
+                        'CMD ["npm", "start"]\n'
+                    ),
+                },
+                {
+                    "path": "package.json",
+                    "type": "other",
+                    "content": '{"name": "myapp", "scripts": {"start": "node server.js"}}',
+                },
+            ],
+            "error": {
+                "phase": "pipeline_build",
+                "message": (
+                    "Run: Build and Push to GHCR\n"
+                    "\n"
+                    "Step: Login to GHCR\n"
+                    "Error: Cannot perform an interactive login from a non TTY device\n"
+                    "Error: GITHUB_TOKEN environment variable is not set\n"
+                    "\n"
+                    "The GITHUB_TOKEN secret is available but not mapped to an environment variable."
+                ),
+                "exit_code": 1,
+                "failed_step": "Login to GHCR",
+            },
+            "expected_fixes": [
+                {
+                    "file": ".github/workflows/deploy.yml",
+                    "type": "contains",
+                    "expected": "GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}",
+                    "hint": "The GITHUB_TOKEN shell variable is used in the run command but not mapped from secrets via env block",
+                }
+            ],
+        },
+
+        # Scenario 2: Image tag mismatch between build and push steps
+        {
+            "id": "image_tag_mismatch",
+            "files": [
+                {
+                    "path": ".github/workflows/build.yml",
+                    "type": "workflow",
+                    "content": (
+                        "name: Build and Push\n"
+                        "on:\n"
+                        "  push:\n"
+                        "    tags: ['v*']\n"
+                        "\n"
+                        "jobs:\n"
+                        "  build:\n"
+                        "    runs-on: ubuntu-latest\n"
+                        "    steps:\n"
+                        "      - uses: actions/checkout@v4\n"
+                        "\n"
+                        "      - name: Login to DockerHub\n"
+                        "        run: echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin\n"
+                        "\n"
+                        "      - name: Build image\n"
+                        "        run: docker build -t myuser/myapp:${{ github.ref_name }} .\n"
+                        "\n"
+                        "      - name: Push image\n"
+                        "        run: docker push myuser/myapp:${{ github.sha }}\n"
+                    ),
+                },
+                {
+                    "path": "Dockerfile",
+                    "type": "dockerfile",
+                    "content": (
+                        "FROM python:3.11-slim\n"
+                        "WORKDIR /app\n"
+                        "COPY requirements.txt .\n"
+                        "RUN pip install -r requirements.txt\n"
+                        "COPY . .\n"
+                        "EXPOSE 8000\n"
+                        'CMD ["python", "app.py"]\n'
+                    ),
+                },
+                {
+                    "path": "requirements.txt",
+                    "type": "requirements",
+                    "content": "flask==3.0.0\ngunicorn==21.2.0\n",
+                },
+            ],
+            "error": {
+                "phase": "pipeline_build",
+                "message": (
+                    "Run: Build and Push\n"
+                    "\n"
+                    "Step: Build image ✓\n"
+                    "Step: Push image ✗\n"
+                    "Error: An image does not exist locally with the tag: myuser/myapp:<sha>\n"
+                    "\n"
+                    "The build used github.ref_name as the tag but push used github.sha. "
+                    "These are different values."
+                ),
+                "exit_code": 1,
+                "failed_step": "Push image",
+            },
+            "expected_fixes": [
+                {
+                    "file": ".github/workflows/build.yml",
+                    "type": "contains",
+                    "expected": "docker push myuser/myapp:${{ github.ref_name }}",
+                    "hint": "Build tags image with github.ref_name but push uses github.sha — use the same tag",
+                }
+            ],
+        },
+
+        # Scenario 3: Missing packages:write permission for GHCR push
+        {
+            "id": "missing_packages_write",
+            "files": [
+                {
+                    "path": ".github/workflows/publish.yml",
+                    "type": "workflow",
+                    "content": (
+                        "name: Publish to GHCR\n"
+                        "on:\n"
+                        "  release:\n"
+                        "    types: [published]\n"
+                        "\n"
+                        "jobs:\n"
+                        "  publish:\n"
+                        "    runs-on: ubuntu-latest\n"
+                        "    steps:\n"
+                        "      - uses: actions/checkout@v4\n"
+                        "\n"
+                        "      - name: Login to GHCR\n"
+                        "        run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin\n"
+                        "\n"
+                        "      - name: Build\n"
+                        "        run: docker build -t ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} .\n"
+                        "\n"
+                        "      - name: Push\n"
+                        "        run: docker push ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }}\n"
+                    ),
+                },
+                {
+                    "path": "Dockerfile",
+                    "type": "dockerfile",
+                    "content": (
+                        "FROM python:3.11-slim\n"
+                        "WORKDIR /app\n"
+                        "COPY . .\n"
+                        'CMD ["python", "app.py"]\n'
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "pipeline_build",
+                "message": (
+                    "Run: Publish to GHCR\n"
+                    "\n"
+                    "Step: Login to GHCR ✓\n"
+                    "Step: Build ✓\n"
+                    "Step: Push ✗\n"
+                    "Error: denied: permission_denied: write_package\n"
+                    "Error: GITHUB_TOKEN does not have packages:write permission\n"
+                    "\n"
+                    "The default GITHUB_TOKEN only has read access to packages. "
+                    "Add a permissions block to the job."
+                ),
+                "exit_code": 1,
+                "failed_step": "Push",
+            },
+            "expected_fixes": [
+                {
+                    "file": ".github/workflows/publish.yml",
+                    "type": "contains",
+                    "expected": "packages: write",
+                    "hint": "GHCR push requires 'permissions: packages: write' in the job or workflow",
+                }
+            ],
+        },
+
+        # Scenario 4: Dockerfile ARG not passed from workflow build-arg
+        {
+            "id": "build_arg_not_passed",
+            "files": [
+                {
+                    "path": ".github/workflows/build.yml",
+                    "type": "workflow",
+                    "content": (
+                        "name: Build with Version\n"
+                        "on:\n"
+                        "  push:\n"
+                        "    branches: [main]\n"
+                        "\n"
+                        "jobs:\n"
+                        "  build:\n"
+                        "    runs-on: ubuntu-latest\n"
+                        "    steps:\n"
+                        "      - uses: actions/checkout@v4\n"
+                        "\n"
+                        "      - name: Build image\n"
+                        "        run: docker build -t myapp:${{ github.sha }} .\n"
+                    ),
+                },
+                {
+                    "path": "Dockerfile",
+                    "type": "dockerfile",
+                    "content": (
+                        "FROM python:3.11-slim\n"
+                        "ARG APP_VERSION\n"
+                        "WORKDIR /app\n"
+                        "COPY . .\n"
+                        "RUN echo $APP_VERSION > /app/version.txt\n"
+                        "EXPOSE 8000\n"
+                        'CMD ["python", "app.py"]\n'
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "pipeline_build",
+                "message": (
+                    "Run: Build with Version\n"
+                    "\n"
+                    "Step: Build image ✓ (with warnings)\n"
+                    "Warning: /app/version.txt is empty — APP_VERSION build arg was not provided\n"
+                    "\n"
+                    "The Dockerfile declares ARG APP_VERSION but the docker build command "
+                    "does not pass --build-arg APP_VERSION=..."
+                ),
+                "exit_code": 0,
+                "failed_step": "Build image",
+            },
+            "expected_fixes": [
+                {
+                    "file": ".github/workflows/build.yml",
+                    "type": "contains",
+                    "expected": "--build-arg APP_VERSION=",
+                    "hint": "Dockerfile uses ARG APP_VERSION but the build command doesn't pass --build-arg",
+                }
+            ],
+        },
+
+        # Scenario 5: Multi-stage build — wrong output directory name
+        {
+            "id": "multistage_output_mismatch",
+            "files": [
+                {
+                    "path": ".github/workflows/build.yml",
+                    "type": "workflow",
+                    "content": (
+                        "name: Build Frontend\n"
+                        "on:\n"
+                        "  push:\n"
+                        "    branches: [main]\n"
+                        "\n"
+                        "jobs:\n"
+                        "  build:\n"
+                        "    runs-on: ubuntu-latest\n"
+                        "    steps:\n"
+                        "      - uses: actions/checkout@v4\n"
+                        "\n"
+                        "      - name: Build image\n"
+                        "        run: docker build -t frontend:latest .\n"
+                    ),
+                },
+                {
+                    "path": "Dockerfile",
+                    "type": "dockerfile",
+                    "content": (
+                        "FROM node:20-alpine AS builder\n"
+                        "WORKDIR /app\n"
+                        "COPY package*.json ./\n"
+                        "RUN npm ci\n"
+                        "COPY . .\n"
+                        "RUN npm run build\n"
+                        "\n"
+                        "FROM nginx:alpine\n"
+                        "COPY --from=builder /app/dist /usr/share/nginx/html\n"
+                        "EXPOSE 80\n"
+                        'CMD ["nginx", "-g", "daemon off;"]\n'
+                    ),
+                },
+                {
+                    "path": "package.json",
+                    "type": "other",
+                    "content": '{"name": "frontend", "scripts": {"build": "react-scripts build", "start": "react-scripts start"}}',
+                },
+            ],
+            "error": {
+                "phase": "pipeline_build",
+                "message": (
+                    "Run: Build Frontend\n"
+                    "\n"
+                    "Step: Build image ✗\n"
+                    "Error: COPY failed: stat app/dist: file does not exist\n"
+                    "\n"
+                    "react-scripts build outputs to /app/build, not /app/dist. "
+                    "The COPY --from=builder path is wrong."
+                ),
+                "exit_code": 1,
+                "failed_step": "Build image",
+            },
+            "expected_fixes": [
+                {
+                    "file": "Dockerfile",
+                    "type": "contains",
+                    "expected": "COPY --from=builder /app/build",
+                    "hint": "react-scripts outputs to 'build/' not 'dist/'. Change COPY --from=builder /app/dist to /app/build",
+                }
+            ],
+        },
+    ]

server/tasks/pipeline_full.py

@@ -0,0 +1,654 @@
+"""Task: Full Stack Deployment Pipeline — EXPERT.
+
+Agent debugs multi-error scenarios spanning the entire stack:
+GHA workflow + Dockerfile + Kubernetes manifests.
+Multiple bugs per scenario requiring cross-file reasoning.
+"""
+
+from server.models import TaskDifficulty
+from server.tasks.base import BaseTask
+
+
+class PipelineFullTask(BaseTask):
+    NAME = "Full Stack Deployment Pipeline"
+    DESCRIPTION = "Debug complex multi-error deployment pipelines across GHA workflows, Dockerfiles, and Kubernetes manifests"
+    DIFFICULTY = TaskDifficulty.HARD
+    AVAILABLE_SECRETS = ["GITHUB_TOKEN", "DOCKER_USERNAME", "DOCKER_PASSWORD"]
+
+    SCENARIOS = [
+        # Scenario 1: GHCR token missing env + K8s service selector mismatch
+        {
+            "id": "full_pipeline_ghcr_and_selector",
+            "files": [
+                {
+                    "path": ".github/workflows/deploy.yml",
+                    "type": "workflow",
+                    "content": (
+                        "name: Build and Deploy\n"
+                        "on:\n"
+                        "  push:\n"
+                        "    branches: [main]\n"
+                        "\n"
+                        "jobs:\n"
+                        "  deploy:\n"
+                        "    runs-on: ubuntu-latest\n"
+                        "    steps:\n"
+                        "      - uses: actions/checkout@v4\n"
+                        "\n"
+                        "      - name: Build Docker image\n"
+                        "        run: docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .\n"
+                        "\n"
+                        "      - name: Login to GHCR\n"
+                        "        run: echo $GITHUB_TOKEN | docker login ghcr.io -u ${{ github.actor }} --password-stdin\n"
+                        "\n"
+                        "      - name: Push image\n"
+                        "        run: docker push ghcr.io/${{ github.repository }}:${{ github.sha }}\n"
+                    ),
+                },
+                {
+                    "path": "Dockerfile",
+                    "type": "dockerfile",
+                    "content": (
+                        "FROM node:20-alpine\n"
+                        "WORKDIR /app\n"
+                        "COPY package*.json ./\n"
+                        "RUN npm ci\n"
+                        "COPY . .\n"
+                        "EXPOSE 3000\n"
+                        'CMD ["npm", "start"]\n'
+                    ),
+                },
+                {
+                    "path": "package.json",
+                    "type": "other",
+                    "content": '{"name": "myapp", "scripts": {"start": "node server.js"}}',
+                },
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: myapp\n"
+                        "spec:\n"
+                        "  replicas: 3\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: myapp\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: myapp\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: app\n"
+                        "        image: ghcr.io/OWNER/REPO:TAG\n"
+                        "        ports:\n"
+                        "        - containerPort: 3000\n"
+                    ),
+                },
+                {
+                    "path": "k8s/service.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: v1\n"
+                        "kind: Service\n"
+                        "metadata:\n"
+                        "  name: myapp-service\n"
+                        "spec:\n"
+                        "  selector:\n"
+                        "    app: my-app\n"
+                        "  ports:\n"
+                        "  - port: 80\n"
+                        "    targetPort: 3000\n"
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "pipeline_deploy",
+                "message": (
+                    "Run: Build and Deploy\n"
+                    "\n"
+                    "Step: Login to GHCR ✗\n"
+                    "Error: Cannot perform an interactive login from a non TTY device\n"
+                    "Error: GITHUB_TOKEN environment variable is not set\n"
+                    "\n"
+                    "---\n"
+                    "(If login had succeeded, deployment would also fail with:)\n"
+                    "Error: Service 'myapp-service' has no endpoints — selector 'app=my-app' "
+                    "doesn't match any pods (pods have label 'app=myapp')"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": ".github/workflows/deploy.yml",
+                    "type": "contains",
+                    "expected": "GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}",
+                    "hint": "GITHUB_TOKEN is used as shell variable but not mapped from secrets via env block",
+                },
+                {
+                    "file": "k8s/service.yaml",
+                    "type": "contains",
+                    "expected": "app: myapp",
+                    "hint": "Service selector 'app: my-app' doesn't match Deployment label 'app: myapp'",
+                },
+            ],
+        },
+
+        # Scenario 2: Dockerfile missing WORKDIR + workflow missing checkout + K8s wrong port
+        {
+            "id": "full_pipeline_three_bugs",
+            "files": [
+                {
+                    "path": ".github/workflows/ci.yml",
+                    "type": "workflow",
+                    "content": (
+                        "name: CI Pipeline\n"
+                        "on:\n"
+                        "  push:\n"
+                        "    branches: [main]\n"
+                        "\n"
+                        "jobs:\n"
+                        "  build:\n"
+                        "    runs-on: ubuntu-latest\n"
+                        "    steps:\n"
+                        "      - name: Build image\n"
+                        "        run: docker build -t myapp:${{ github.sha }} .\n"
+                        "\n"
+                        "      - name: Run tests\n"
+                        "        run: docker run myapp:${{ github.sha }} npm test\n"
+                    ),
+                },
+                {
+                    "path": "Dockerfile",
+                    "type": "dockerfile",
+                    "content": (
+                        "FROM node:18-alpine\n"
+                        "COPY package*.json ./\n"
+                        "RUN npm ci\n"
+                        "COPY . .\n"
+                        "EXPOSE 3000\n"
+                        'CMD ["npm", "start"]\n'
+                    ),
+                },
+                {
+                    "path": "package.json",
+                    "type": "other",
+                    "content": '{"name": "myapp", "scripts": {"start": "node server.js", "test": "jest"}}',
+                },
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: myapp\n"
+                        "spec:\n"
+                        "  replicas: 2\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: myapp\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: myapp\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: app\n"
+                        "        image: myapp:latest\n"
+                        "        ports:\n"
+                        "        - containerPort: 8080\n"
+                    ),
+                },
+                {
+                    "path": "k8s/service.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: v1\n"
+                        "kind: Service\n"
+                        "metadata:\n"
+                        "  name: myapp-svc\n"
+                        "spec:\n"
+                        "  selector:\n"
+                        "    app: myapp\n"
+                        "  ports:\n"
+                        "  - port: 80\n"
+                        "    targetPort: 8080\n"
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "pipeline_deploy",
+                "message": (
+                    "Run: CI Pipeline\n"
+                    "\n"
+                    "Step: Build image ✗\n"
+                    "Error: Checkout must happen before Docker build steps\n"
+                    "(No actions/checkout@v4 step found before docker build)\n"
+                    "\n"
+                    "---\n"
+                    "Additionally:\n"
+                    "- Dockerfile has no WORKDIR set — npm will fail to find package.json\n"
+                    "- K8s deployment containerPort is 8080 but app listens on 3000 "
+                    "(service targetPort also wrong)"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": ".github/workflows/ci.yml",
+                    "type": "contains",
+                    "expected": "actions/checkout@v4",
+                    "hint": "Workflow needs a checkout step before docker build",
+                },
+                {
+                    "file": "Dockerfile",
+                    "type": "contains",
+                    "expected": "WORKDIR /app",
+                    "hint": "Dockerfile needs WORKDIR /app before COPY commands",
+                },
+                {
+                    "file": "k8s/deployment.yaml",
+                    "type": "contains",
+                    "expected": "containerPort: 3000",
+                    "hint": "Container port should be 3000 to match the app's EXPOSE/listen port",
+                },
+                {
+                    "file": "k8s/service.yaml",
+                    "type": "contains",
+                    "expected": "targetPort: 3000",
+                    "hint": "Service targetPort should be 3000 to match container port",
+                },
+            ],
+        },
+
+        # Scenario 3: Wrong GHCR password secret + Dockerfile base image typo + K8s OOM
+        {
+            "id": "full_pipeline_ghcr_dockerfile_k8s",
+            "files": [
+                {
+                    "path": ".github/workflows/release.yml",
+                    "type": "workflow",
+                    "content": (
+                        "name: Release Pipeline\n"
+                        "on:\n"
+                        "  release:\n"
+                        "    types: [published]\n"
+                        "\n"
+                        "jobs:\n"
+                        "  release:\n"
+                        "    runs-on: ubuntu-latest\n"
+                        "    steps:\n"
+                        "      - uses: actions/checkout@v4\n"
+                        "\n"
+                        "      - name: Login to GHCR\n"
+                        "        run: echo ${{ secrets.DOCKER_PASSWORD }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin\n"
+                        "\n"
+                        "      - name: Build\n"
+                        "        run: docker build -t ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} .\n"
+                        "\n"
+                        "      - name: Push\n"
+                        "        run: docker push ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }}\n"
+                    ),
+                },
+                {
+                    "path": "Dockerfile",
+                    "type": "dockerfile",
+                    "content": (
+                        "FROM python:3.9-slimm\n"
+                        "WORKDIR /app\n"
+                        "COPY requirements.txt .\n"
+                        "RUN pip install -r requirements.txt\n"
+                        "COPY . .\n"
+                        "EXPOSE 8000\n"
+                        'CMD ["gunicorn", "app:app", "-b", "0.0.0.0:8000"]\n'
+                    ),
+                },
+                {
+                    "path": "requirements.txt",
+                    "type": "requirements",
+                    "content": "flask==3.0.0\ngunicorn==21.2.0\n",
+                },
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: api\n"
+                        "spec:\n"
+                        "  replicas: 3\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: api\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: api\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: api\n"
+                        "        image: ghcr.io/myorg/myapp:latest\n"
+                        "        ports:\n"
+                        "        - containerPort: 8000\n"
+                        "        resources:\n"
+                        "          limits:\n"
+                        '            memory: "64Mi"\n'
+                        '            cpu: "100m"\n'
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "pipeline_deploy",
+                "message": (
+                    "Run: Release Pipeline\n"
+                    "\n"
+                    "Step: Login to GHCR ✗\n"
+                    "Error: GHCR requires GITHUB_TOKEN for authentication, not DOCKER_PASSWORD\n"
+                    "\n"
+                    "---\n"
+                    "Additional issues found:\n"
+                    "- Dockerfile: pull access denied for python:3.9-slimm (typo in base image tag)\n"
+                    "- K8s: Pod CrashLoopBackOff with OOMKilled (64Mi memory limit too low for gunicorn)"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": ".github/workflows/release.yml",
+                    "type": "contains",
+                    "expected": "secrets.GITHUB_TOKEN",
+                    "hint": "GHCR uses GITHUB_TOKEN, not DOCKER_PASSWORD",
+                },
+                {
+                    "file": "Dockerfile",
+                    "type": "not_contains",
+                    "expected": "python:3.9-slimm",
+                    "hint": "Base image tag has a typo: 'slimm' should be 'slim'",
+                },
+                {
+                    "file": "k8s/deployment.yaml",
+                    "type": "contains",
+                    "expected": 'memory: "256Mi"',
+                    "hint": "Memory limit 64Mi is too low for gunicorn — increase to at least 256Mi",
+                },
+            ],
+        },
+
+        # Scenario 4: Missing permissions block + hardcoded K8s image + missing ingress class
+        {
+            "id": "full_pipeline_permissions_image_ingress",
+            "files": [
+                {
+                    "path": ".github/workflows/deploy.yml",
+                    "type": "workflow",
+                    "content": (
+                        "name: Deploy to Production\n"
+                        "on:\n"
+                        "  push:\n"
+                        "    branches: [main]\n"
+                        "\n"
+                        "jobs:\n"
+                        "  build-and-push:\n"
+                        "    runs-on: ubuntu-latest\n"
+                        "    steps:\n"
+                        "      - uses: actions/checkout@v4\n"
+                        "\n"
+                        "      - name: Login to GHCR\n"
+                        "        run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin\n"
+                        "\n"
+                        "      - name: Build and push\n"
+                        "        run: |\n"
+                        "          docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .\n"
+                        "          docker push ghcr.io/${{ github.repository }}:${{ github.sha }}\n"
+                    ),
+                },
+                {
+                    "path": "Dockerfile",
+                    "type": "dockerfile",
+                    "content": (
+                        "FROM node:20-alpine\n"
+                        "WORKDIR /app\n"
+                        "COPY package*.json ./\n"
+                        "RUN npm ci\n"
+                        "COPY . .\n"
+                        "EXPOSE 3000\n"
+                        'CMD ["npm", "start"]\n'
+                    ),
+                },
+                {
+                    "path": "package.json",
+                    "type": "other",
+                    "content": '{"name": "app", "scripts": {"start": "node index.js"}}',
+                },
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: webapp\n"
+                        "spec:\n"
+                        "  replicas: 3\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: webapp\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: webapp\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: webapp\n"
+                        "        image: ghcr.io/OWNER/REPO:TAG\n"
+                        "        ports:\n"
+                        "        - containerPort: 3000\n"
+                    ),
+                },
+                {
+                    "path": "k8s/service.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: v1\n"
+                        "kind: Service\n"
+                        "metadata:\n"
+                        "  name: webapp-svc\n"
+                        "spec:\n"
+                        "  selector:\n"
+                        "    app: webapp\n"
+                        "  ports:\n"
+                        "  - port: 80\n"
+                        "    targetPort: 3000\n"
+                    ),
+                },
+                {
+                    "path": "k8s/ingress.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: networking.k8s.io/v1\n"
+                        "kind: Ingress\n"
+                        "metadata:\n"
+                        "  name: webapp-ingress\n"
+                        "spec:\n"
+                        "  rules:\n"
+                        "  - host: webapp.example.com\n"
+                        "    http:\n"
+                        "      paths:\n"
+                        "      - path: /\n"
+                        "        pathType: Prefix\n"
+                        "        backend:\n"
+                        "          service:\n"
+                        "            name: webapp-svc\n"
+                        "            port:\n"
+                        "              number: 80\n"
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "pipeline_deploy",
+                "message": (
+                    "Run: Deploy to Production\n"
+                    "\n"
+                    "Step: Build and push ✗\n"
+                    "Error: denied: permission_denied: write_package\n"
+                    "GITHUB_TOKEN does not have packages:write permission\n"
+                    "\n"
+                    "---\n"
+                    "Additional issues:\n"
+                    "- K8s Deployment image is hardcoded as 'ghcr.io/OWNER/REPO:TAG' — "
+                    "should reference the actual built image\n"
+                    "- Ingress has no ingressClassName — won't be picked up by nginx controller"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": ".github/workflows/deploy.yml",
+                    "type": "contains",
+                    "expected": "packages: write",
+                    "hint": "Add permissions block with 'packages: write' to allow GHCR push",
+                },
+                {
+                    "file": "k8s/deployment.yaml",
+                    "type": "not_contains",
+                    "expected": "OWNER/REPO:TAG",
+                    "hint": "Replace hardcoded 'OWNER/REPO:TAG' placeholder with actual image reference",
+                },
+                {
+                    "file": "k8s/ingress.yaml",
+                    "type": "contains",
+                    "expected": "ingressClassName: nginx",
+                    "hint": "Add ingressClassName: nginx to the Ingress spec",
+                },
+            ],
+        },
+
+        # Scenario 5: Workflow secrets not wired + Dockerfile wrong output dir + K8s probe port wrong
+        {
+            "id": "full_pipeline_secrets_build_probe",
+            "files": [
+                {
+                    "path": ".github/workflows/build.yml",
+                    "type": "workflow",
+                    "content": (
+                        "name: Build and Push\n"
+                        "on:\n"
+                        "  push:\n"
+                        "    branches: [main]\n"
+                        "\n"
+                        "jobs:\n"
+                        "  build:\n"
+                        "    runs-on: ubuntu-latest\n"
+                        "    steps:\n"
+                        "      - uses: actions/checkout@v4\n"
+                        "\n"
+                        "      - name: Login to DockerHub\n"
+                        "        run: echo $DOCKER_PASSWORD | docker login -u $DOCKER_USERNAME --password-stdin\n"
+                        "\n"
+                        "      - name: Build\n"
+                        "        run: docker build -t myuser/frontend:${{ github.sha }} .\n"
+                        "\n"
+                        "      - name: Push\n"
+                        "        run: docker push myuser/frontend:${{ github.sha }}\n"
+                    ),
+                },
+                {
+                    "path": "Dockerfile",
+                    "type": "dockerfile",
+                    "content": (
+                        "FROM node:20-alpine AS builder\n"
+                        "WORKDIR /app\n"
+                        "COPY package*.json ./\n"
+                        "RUN npm ci\n"
+                        "COPY . .\n"
+                        "RUN npm run build\n"
+                        "\n"
+                        "FROM nginx:alpine\n"
+                        "COPY --from=builder /app/dist /usr/share/nginx/html\n"
+                        "EXPOSE 80\n"
+                        'CMD ["nginx", "-g", "daemon off;"]\n'
+                    ),
+                },
+                {
+                    "path": "package.json",
+                    "type": "other",
+                    "content": '{"name": "frontend", "scripts": {"build": "react-scripts build", "start": "react-scripts start"}}',
+                },
+                {
+                    "path": "k8s/deployment.yaml",
+                    "type": "kubernetes",
+                    "content": (
+                        "apiVersion: apps/v1\n"
+                        "kind: Deployment\n"
+                        "metadata:\n"
+                        "  name: frontend\n"
+                        "spec:\n"
+                        "  replicas: 2\n"
+                        "  selector:\n"
+                        "    matchLabels:\n"
+                        "      app: frontend\n"
+                        "  template:\n"
+                        "    metadata:\n"
+                        "      labels:\n"
+                        "        app: frontend\n"
+                        "    spec:\n"
+                        "      containers:\n"
+                        "      - name: frontend\n"
+                        "        image: myuser/frontend:latest\n"
+                        "        ports:\n"
+                        "        - containerPort: 80\n"
+                        "        livenessProbe:\n"
+                        "          httpGet:\n"
+                        "            path: /healthz\n"
+                        "            port: 3000\n"
+                        "          initialDelaySeconds: 10\n"
+                        "          periodSeconds: 5\n"
+                    ),
+                },
+            ],
+            "error": {
+                "phase": "pipeline_deploy",
+                "message": (
+                    "Run: Build and Push\n"
+                    "\n"
+                    "Step: Login to DockerHub ✗\n"
+                    "Error: DOCKER_USERNAME and DOCKER_PASSWORD env vars are empty — "
+                    "secrets not wired via env block\n"
+                    "\n"
+                    "---\n"
+                    "Additional issues:\n"
+                    "- Dockerfile: COPY failed: stat app/dist: file does not exist "
+                    "(react-scripts outputs to 'build/' not 'dist/')\n"
+                    "- K8s: Liveness probe port 3000 doesn't match container port 80 "
+                    "(nginx listens on 80)"
+                ),
+            },
+            "expected_fixes": [
+                {
+                    "file": ".github/workflows/build.yml",
+                    "type": "contains",
+                    "expected": "DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}",
+                    "hint": "Docker login secrets need to be mapped via env block",
+                },
+                {
+                    "file": ".github/workflows/build.yml",
+                    "type": "contains",
+                    "expected": "DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}",
+                    "hint": "Both DOCKER_USERNAME and DOCKER_PASSWORD must be in env block",
+                },
+                {
+                    "file": "Dockerfile",
+                    "type": "contains",
+                    "expected": "COPY --from=builder /app/build",
+                    "hint": "react-scripts outputs to 'build/' not 'dist/'",
+                },
+                {
+                    "file": "k8s/deployment.yaml",
+                    "type": "contains",
+                    "expected": "port: 80",
+                    "hint": "Liveness probe port should be 80 to match nginx container",
+                },
+            ],
+        },
+    ]

server/tasks/task_registry.py

@@ -10,6 +10,10 @@ from server.tasks.task_3_workflow_syntax import WorkflowSyntaxStructureTask
 from server.tasks.task_4_workflow_secrets_permissions import WorkflowSecretsPermissionsTask
 from server.tasks.task_5_ci_docker_integration import CIDockerIntegrationTask
 from server.tasks.task_6_multi_stage_matrix import MultiStageMatrixTask
+from server.tasks.k8s_pod import K8sPodTask
+from server.tasks.k8s_networking import K8sNetworkingTask
+from server.tasks.pipeline_build_deploy import PipelineBuildDeployTask
+from server.tasks.pipeline_full import PipelineFullTask
 
 TASK_REGISTRY: Dict[str, Type[BaseTask]] = {
     "dockerfile_syntax": DockerfileSyntaxTask,
@@ -18,6 +22,10 @@ TASK_REGISTRY: Dict[str, Type[BaseTask]] = {
     "workflow_secrets_permissions": WorkflowSecretsPermissionsTask,
     "ci_docker_integration": CIDockerIntegrationTask,
     "multi_stage_pipeline_matrix": MultiStageMatrixTask,
+    "k8s_pod_failures": K8sPodTask,
+    "k8s_networking": K8sNetworkingTask,
+    "pipeline_build_deploy": PipelineBuildDeployTask,
+    "pipeline_full_stack": PipelineFullTask,
 }
 
 

uv.lock

@@ -333,7 +333,19 @@ wheels = [
 ]
 
 [[package]]
-name = "cicd-docker-env"
+name = "click"
+version = "8.3.2"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "colorama", marker = "sys_platform == 'win32'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/57/75/31212c6bf2503fdf920d87fee5d7a86a2e3bcf444984126f13d8e4016804/click-8.3.2.tar.gz", hash = "sha256:14162b8b3b3550a7d479eafa77dfd3c38d9dc8951f6f69c78913a8f9a7540fd5", size = 302856, upload-time = "2026-04-03T19:14:45.118Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/e4/20/71885d8b97d4f3dde17b1fdb92dbd4908b00541c5a3379787137285f602e/click-8.3.2-py3-none-any.whl", hash = "sha256:1924d2c27c5653561cd2cae4548d1406039cb79b858b747cfea24924bbc1616d", size = 108379, upload-time = "2026-04-03T19:14:43.505Z" },
+]
+
+[[package]]
+name = "cloud-native-devops-env"
 version = "1.0.0"
 source = { editable = "." }
 dependencies = [
@@ -374,18 +386,6 @@ requires-dist = [
 ]
 provides-extras = ["dev", "inference"]
 
-[[package]]
-name = "click"
-version = "8.3.2"
-source = { registry = "https://pypi.org/simple" }
-dependencies = [
-    { name = "colorama", marker = "sys_platform == 'win32'" },
-]
-sdist = { url = "https://files.pythonhosted.org/packages/57/75/31212c6bf2503fdf920d87fee5d7a86a2e3bcf444984126f13d8e4016804/click-8.3.2.tar.gz", hash = "sha256:14162b8b3b3550a7d479eafa77dfd3c38d9dc8951f6f69c78913a8f9a7540fd5", size = 302856, upload-time = "2026-04-03T19:14:45.118Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/e4/20/71885d8b97d4f3dde17b1fdb92dbd4908b00541c5a3379787137285f602e/click-8.3.2-py3-none-any.whl", hash = "sha256:1924d2c27c5653561cd2cae4548d1406039cb79b858b747cfea24924bbc1616d", size = 108379, upload-time = "2026-04-03T19:14:43.505Z" },
-]
-
 [[package]]
 name = "colorama"
 version = "0.4.6"