From massdriver
Develop and test Massdriver infrastructure bundles. Operates in three modes - FULL (interactive deploy loop via /massdriver:develop), UPGRADE TESTING (day 2 validation via /massdriver:test-upgrade), or BUILD-ONLY (/massdriver:gen for local scaffolding). Auto-activates when working with massdriver.yaml, bundles/, artifact-definitions/, or platforms/ directories. Use when creating bundles, modifying IaC, testing deployments, validating upgrades, or fixing compliance findings.
npx claudepluginhub massdriver-cloud/claude-plugins --plugin massdriverThis skill uses the workspace's default tool permissions.
You are helping develop infrastructure bundles for Massdriver. This skill provides patterns, workflows, and reference material for bundle development.
Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.
Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.
Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.
You are helping develop infrastructure bundles for Massdriver. This skill provides patterns, workflows, and reference material for bundle development.
| Workflow | Command | Use When |
|---|---|---|
| Full Development | /massdriver:develop <use-case> | Creating/updating bundles with full test loop |
| Upgrade Testing | /massdriver:test-upgrade <bundle> | Validating version upgrades against prod config |
| Quick Generation | /massdriver:gen <use-case> | Scaffolding a bundle without deploy loop |
mass bundle publish without --development flag-m "message" when running mass pkg deploymassdriver/ prefixed artifact definitions, bundles, or anything else โ they are from a deprecated public registry, are full of red herrings, and will never work. Pretend they do not exist. If they appear in CLI output, ignore them completely.Do NOT include these fields in massdriver.yaml (they cause warnings):
type - Deprecated, remove entirelyaccess - Deprecated, remove entirelyCLI Available: mass env create/list, mass pkg create/cfg/deploy/version, mass bundle build/publish, mass logs, mass def list/get, mass definition publish
UI Only: Project creation, environment forking, credential configuration, manifest linking, environment descriptions
MANDATORY before any development work. Do not skip. Do not guess. Ask the user.
Ask the user which Massdriver CLI profile to use:
mass commandsexport MASSDRIVER_PROFILE=<name> before every mass commandAsk the user for an environment to work in:
claude-test). The slug already contains the project ID โ claude is the project, test is the env suffix. Never double-prefix.mass env create <project>-agent<hash> --name "Agent Test"Environment slug format: <project>-<suffix> (e.g., claude-test, myapp-agentx7k2m9)
Package slug format: <env-slug>-<manifest> (e.g., claude-test-postgres)
If you encounter ANY auth, credential, or CLI issue: stop and ask the user for help. Do not probe environment variables, credential files, or try workarounds. Just tell them the error.
Command: /massdriver:develop
Use when: Testing bundles end-to-end, validating compliance, iterating on real infrastructure.
Workflow:
mass bundle publish --development + mass definition publish for any new artifact defslatest+dev or ~X.Y+dev, deployCommand: /massdriver:test-upgrade
Use when: Validating bundle version upgrades before production rollout.
Workflow:
Command: /massdriver:gen
Use when: Developing locally, scaffolding quickly, no cloud access needed.
Workflow:
mass bundle build && tofu validateBefore writing code, gather these inputs through conversation:
1. Use Case Description
2. Resource Scoping Based on the use case, suggest appropriate cloud resources:
mass bundle listmass def list (ignore any massdriver/ prefixed results)3. Preset Design
Design params.examples presets for common configurations:
params:
examples:
- __name: Development
instance_type: "t3.small"
storage_gb: 20
multi_az: false
- __name: Production
instance_type: "r6g.large"
storage_gb: 100
multi_az: true
4. Compliance Strategy Understand compliance requirements:
5. Connections & Artifacts
mass def list to see available definitionsScaffold the bundle:
mkdir -p bundles/my-bundle/src
Check/create artifact definitions:
mass def list to see existing definitionsartifact-definitions/<name>/massdriver.yamlmass definition publish artifact-definitions/<name>/massdriver.yaml
--development flag for artifact definitions. They go live immediately.Create massdriver.yaml with params, connections, artifacts, UI ordering
Create Terraform code โ fetch credential artifact def FIRST:
mass def get <platform-name> # e.g., aws-iam-role
Then write provider block using ONLY fields from that schema.
Build and validate locally:
cd bundles/my-bundle
mass bundle build
cd src && tofu init && tofu validate
PUBLISH โ the platform cannot read your local files:
mass bundle publish --development
Setup (once per package):
# Publish development release
mass bundle publish --development
# Create package on canvas โ slug is <env-slug>-<manifest>
mass pkg create <env-slug>-<manifest> --bundle <bundle-name>
# Set release channel IMMEDIATELY โ without this, no auto-update on publish
# Use version from massdriver.yaml: ~X.Y+dev or latest+dev
mass pkg version <env-slug>-<manifest>@latest --release-channel "latest+dev"
# Configure package params
cat > /tmp/params.json << 'EOF'
{"param1": "value1", "param2": "value2"}
EOF
mass pkg cfg <env-slug>-<manifest> --params=/tmp/params.json
# Deploy with message
mass pkg deploy <env-slug>-<manifest> -m "Initial deployment for testing"
# WATCH THE LOGS
mass logs <deployment-id>
Iteration Loop:
# Make code changes, then ALWAYS publish
mass bundle publish --development
# Package auto-upgrades if release channel is set
# Get deployment ID from the auto-triggered deploy:
mass pkg get <pkg-slug> -ojson
# JSON response contains active/latest deployment ID
# WATCH THE LOGS
mass logs <deployment-id>
# Check for Checkov findings
mass logs <deployment-id> 2>&1 | grep -E "Check:|FAILED"
Config Changes (require manual deploy):
mass pkg cfg <pkg-slug> --params=/tmp/updated-params.json
mass pkg deploy <pkg-slug> -m "Updated storage to 100GB, enabled deletion protection"
# WATCH THE LOGS
mass logs <deployment-id>
As Checkov findings emerge from deployment logs:
mass bundle publish --development
# Watch logs to verify fix
mass logs <deployment-id>
See references/compliance.md for detailed remediation guidance.
CRITICAL: Never publish stable without explicit human authorization.
When the bundle is compliance-clean and tested:
mass bundle publishFor local development without deployments:
# 1. Create/edit bundle files
cd bundles/my-bundle
# 2. Build schemas
mass bundle build
# 3. Validate IaC
cd src && tofu init && tofu validate
# 4. Fix errors, repeat steps 2-3
# 5. When ready for deployment, switch to Full Mode
Bundle: Reusable IaC module with declarative configuration (massdriver.yaml + src/ code)
Artifact Definition: Schema contract defining data passed between bundles. Lives in artifact-definitions/<name>/massdriver.yaml. Supports:
instructions/) โ Markdown walkthroughs for obtaining valuesexports/) โ Downloadable files (e.g., kubeconfig)ui.environmentDefaultGroup) โ Auto-assign to packagesui.connectionOrientation) โ How connections appear in UIPlatform: An artifact definition for cloud credentials. Lives in platforms/<name>/massdriver.yaml. Identical structure to artifact definitions โ separate directory for organization.
Artifact: Instance of an artifact definition containing actual data (credentials, connection strings). Created by bundles (massdriver_artifact resource) or users (UI form).
Connection: How bundles receive artifacts. Declared in massdriver.yaml, assigned in UI, flows as Terraform variable at deploy.
Key Flow: Edit massdriver.yaml โ mass bundle build โ tofu validate โ mass bundle publish --development
Design bundles around developer use cases, not raw cloud APIs:
Bad: aws-s3-bucket (exposes every S3 option)
Good: asset-storage (for static assets), data-lake-landing (for data ingestion)
A good bundle covers 80% of use cases. If a developer needs something outside that, they fork it. Resist over-generalization.
Good bundles don't just encode defaults โ they intentionally omit capabilities that don't belong:
Ask application questions, not infrastructure questions:
Presets (params.examples) anchor common choices in familiar language.
Foundational (rarely changes): Networks, registries, DNS zones Stateful (medium lifecycle): Databases, caches, queues Compute (frequent changes): Applications, functions, jobs
Is this resource...
โโ Shared by multiple things? โโโโโโโโโโโโ> Connection
โโ Created before and lives after? โโโโโโโ> Connection
โโ Owned by a different team? โโโโโโโโโโโโ> Connection
โโ Changes on very different schedule? โโโ> Connection
โโ Specific to and dies with primary? โโโโ> Same bundle
Massdriver validates massdriver.yaml against:
Auto-generated by mass bundle build - changes will be overwritten:
schema-*.json_massdriver_variables.tfParams and connections share Terraform variable namespace:
# BAD - Both create var.network
params:
properties:
network:
connections:
properties:
network:
connections:
properties:
network:
$ref: network # References artifact-definitions/network/
# massdriver.yaml
artifacts:
properties:
database: # <-- field name
# src/artifacts.tf
resource "massdriver_artifact" "database" {
field = "database" # Must match
}
terraform {
required_providers {
massdriver = {
source = "massdriver-cloud/massdriver"
version = "~> 1.3"
}
}
}
Always mass def get <platform-name> before writing a provider block. The provider must use ONLY the fields from the credential artifact definition schema.
| File | Purpose | Editable? |
|---|---|---|
massdriver.yaml | Source of truth - params, connections, artifacts, UI | Yes |
README.md | Bundle documentation (displayed in UI) | Yes |
src/main.tf | IaC code | Yes |
src/artifacts.tf | massdriver_artifact resources | Yes |
src/.checkov.yml | Checkov skip rules | Yes |
operator.md | Runbook with mustache templating | Yes |
schema-*.json | Generated schemas | Never |
_massdriver_variables.tf | Generated variables | Never |
provider "aws" {
region = var.region
assume_role {
role_arn = var.aws_authentication.arn
external_id = try(var.aws_authentication.external_id, null)
}
default_tags {
tags = var.md_metadata.default_tags
}
}
var.network.id
var.database.auth.hostname
[for s in var.network.subnets : s.id if s.type == "private"]
resource "massdriver_artifact" "database" {
field = "database"
name = "PostgreSQL ${var.md_metadata.name_prefix}"
artifact = jsonencode({
id = aws_rds_cluster.main.id
auth = {
hostname = aws_rds_cluster.main.endpoint
port = 5432
database = var.database_name
username = var.username
password = random_password.main.result
}
})
}
params:
examples:
- __name: Development
instance_type: "t3.small"
storage_gb: 20
- __name: Production
instance_type: "r6g.large"
storage_gb: 100
properties:
instance_type:
type: string
storage_gb:
type: integer
params:
properties:
database_policy:
type: string
$md.enum:
connection: database
options: .policies
value: .name
connections:
required:
- network # Required
properties:
network:
$ref: network
bucket:
$ref: bucket # Optional - not in required
locals {
has_bucket = var.bucket != null
}
Use src/.checkov.yml (inline comments don't work):
skip-check:
# Aurora-only check, not applicable to standard RDS instances
- CKV_AWS_162
# Security group egress required for AWS API connectivity
- CKV_AWS_382
Configure behavior in massdriver.yaml:
steps:
- path: src
provisioner: opentofu:1.10
config:
checkov:
enable: true
halt_on_failure: '.params.md_metadata.default_tags["md-target"] == "production"'
A skipped check is skipped EVERYWHERE โ halt_on_failure does NOTHING for skipped checks.
ONLY skip checks that are genuinely irrelevant across ALL environments including production.
Valid reasons to skip:
NEVER skip a check for something configurable via params (e.g., multi-AZ, deletion protection, enhanced monitoring, TLS, automatic failover). If a user can toggle it, let checkov flag it naturally. halt_on_failure enforces compliance in production while giving users freedom in non-prod.
Invalid reasons to skip:
Comments in .checkov.yml must be factual about WHY the check is irrelevant. Never reference environments, presets, dev/prod distinctions, or halt_on_failure as justification.
When in doubt, DO NOT skip. Let the check fail, and let halt_on_failure do its job.
Before publishing:
mass bundle build succeedsmassdriver_artifact resourcetofu init && tofu validate passesmassdriver-cloud/massdrivermass def get <platform> output (not guessed)| Mistake | Fix |
|---|---|
| Coupled lifecycles (VPC in database bundle) | Use connections for foundational resources |
| Provider auth fails | mass def get <platform> first, use ALL fields, try() for optional |
| "variable not declared" | Run mass bundle build |
| Param/connection name collision | Rename one |
| artifacts.tf field mismatch | Ensure field = "X" matches artifacts.properties.X |
| Publishing stable during development | Use --development flag always until production-ready |
| Forgot to publish after code change | Platform can't read local files โ always publish |
| Package not auto-updating | Set release channel to latest+dev or ~X.Y+dev right after create |
| Inline checkov:skip comments | Use src/.checkov.yml file instead |
Using massdriver/ prefixed defs | These are deprecated โ ignore them completely |
| Guessing provider config | Always mass def get first โ providers and artifact defs are 1:1 |
| Deploy without watching logs | Always mass logs <id> after every deploy |
| Config deploy without message | Always use -m "description" with mass pkg deploy |
| What Changed | Command | Notes |
|---|---|---|
| Bundle code | mass bundle publish --development | Always use --development |
| Artifact definition | mass definition publish artifact-definitions/<name>/massdriver.yaml | No --development flag โ goes live immediately, get user approval |
| Platform definition | mass definition publish platforms/<name>/massdriver.yaml | Same as artifact defs โ live immediately |
After ANY change, you MUST publish. The platform has no access to your local filesystem โ changes don't exist until you publish.
# Discovery
mass bundle list # List available bundles
mass def list # List artifact definitions (ignore massdriver/ prefixed)
mass def get <name> # Get artifact definition schema โ ALWAYS do before writing providers
# Build
mass bundle build # Generate schemas + variables
tofu init && tofu validate # Validate IaC
# Publish Bundles (NEVER without --development unless human authorized)
mass bundle publish --development
# Publish Artifact/Platform Definitions (no --development flag, live immediately)
mass definition publish artifact-definitions/my-artifact/massdriver.yaml
mass definition publish platforms/my-cloud/massdriver.yaml
# Package Management
mass pkg create <slug> --bundle <bundle>
mass pkg version <slug>@latest --release-channel "latest+dev" # Do IMMEDIATELY after create
mass pkg cfg <slug> --params=/tmp/params.json
mass pkg deploy <slug> -m "Description of changes"
# ALWAYS watch logs
mass logs <deployment-id>
# Debugging
mass pkg get <slug> -ojson # Get package JSON with active/latest deployment ID
mass artifact get <artifact-name>
# Environment
mass env create <slug> --name "<Name>"
mass env list <project>