Claude agents
Specialised Claude subagents live under .claude/agents/ — each one is a topical expert that Claude can delegate to when you ask about that domain. They share the same cluster context (via CLAUDE.md + project memory) but carry deep knowledge of their own area: command patterns, safety rails, common pitfalls, and the exact flags they use for this cluster.
You don't need to specify which agent — Claude routes automatically based on the question. This page is the catalogue, for when you want to know who's on the shelf.
The full list
| Agent | Model | Domain | When to reach for it |
|---|---|---|---|
argocd-manager | sonnet | ArgoCD state + sync flow | App list / diff / sync / get, diagnosing OutOfSync + Degraded, ApplicationSet debugging, sync-wave and ignoreDifferences quirks |
k8s-manager | opus | Live kubectl operations | Pod / node status, logs, exec, describe, drain, top, port-forward, general "is this workload OK?" inspection |
network-expert | sonnet | Cluster + cloud networking | Cilium / Hubble inspection, CoreDNS issues, Traefik routing, Cloudflared tunnel debugging, NetworkPolicy reasoning |
db-manager | sonnet | MariaDB / MaxScale | myCnf tuning, operator CR edits, version research, registry tag lookups, replication recovery, storage resize |
secrets-manager | sonnet | Sealed Secrets lifecycle | Create / rotate / re-seal / trace, the seal.sh flow, copy-to-multiple-locations for cluster-wide secrets |
terraform-manager | sonnet | Hetzner Cloud infra | Plan / apply / destroy / import via tf.sh, main.tf edits, IP allocation, plan file management |
hcloud-operator | haiku | Live Hetzner Cloud queries | Server list, LB health, network inspection, metrics — read-only cloud state |
helm-searcher | haiku | Helm chart research | Available versions, default values, value diffs between versions, local template rendering |
vault-manager | sonnet | Bitwarden / Vaultwarden access | bw-unlock.sh flow, credential file setup, session troubleshooting — other agents delegate vault issues here |
client-onboarder | opus | New client provisioning | Full config-driven onboarding (~25 files + ~6 shared infra edits) using wecare as a living template |
gitops-commit-pusher | haiku | Git commits + pushes | Structured commit messages, staging the right subset of changes, per-app commit conventions |
k8s-manifest-locator | haiku | Fast file retrieval | "Where does X live?" — finds the file, returns the relevant YAML, no kubectl needed |
devops-setup | sonnet | Local machine setup | OS detection, tool install guidance (kubectl, argocd, bw, kubeseal, terraform, etc.), onboarding a new team member |
One paragraph each
argocd-manager
Owns ArgoCD state inspection and sync operations. It uses the argo.sh wrapper (port-forwards to the in-cluster server and auto-authenticates with the admin secret, which bypasses Cloudflare Zero Trust; the effective access control is therefore your kubeconfig's RBAC, since anyone who can port-forward into the ArgoCD namespace and read that secret has full admin), and understands this repo's app-of-apps pattern, multi-source Helm apps ($values references), ApplicationSet generators, ignoreDifferences, sync waves, ServerSideApply requirements, and RBAC roles. Reach for it whenever an app is stuck or you want to see the cluster-vs-git diff without risking a sync.
k8s-manager
Runs kubectl directly against the cluster. Opus-tier because it's the generalist: it handles pod / node / deployment inspection, log retrieval (including --previous for crash-loops), node drain + uncordon with explicit confirmation, kubectl top, and port-forwards. It knows the namespace → component map, won't kubectl apply or kubectl delete GitOps-managed resources (ArgoCD would report the drift or self-heal it back; the fix belongs in git), and won't kubectl scale KEDA-owned Deployments (the HPA that KEDA manages would overwrite the replica count).
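The refusals above can be expressed as a small guard that classifies the requested verb against the parsed target object. This is an added example, not code from the repo or from the agent definitions; it assumes ArgoCD's default label tracking (app.kubernetes.io/instance) or annotation tracking (argocd.argoproj.io/tracking-id), detects KEDA ownership through a ScaledObject whose spec.scaleTargetRef points at the workload, and uses made-up object and namespace names.

```python
"""Safety rail for the k8s-manager behaviour described above.

Added example, not the repo's own code. It classifies a requested kubectl verb
against a (constructed) parsed resource and refuses mutations that GitOps or
KEDA would undo. Assumptions: ArgoCD's default label tracking
(app.kubernetes.io/instance) or annotation tracking
(argocd.argoproj.io/tracking-id); KEDA ownership detected by a ScaledObject
whose spec.scaleTargetRef names the workload. All names below are made up.
"""

READ_ONLY = {"get", "describe", "logs", "top", "port-forward", "exec"}
GITOPS_MUTATING = {"apply", "delete", "patch", "edit", "replace"}
NODE_DISRUPTIVE = {"drain", "cordon"}


def is_argocd_managed(obj):
    """True if ArgoCD tracks this object. The instance label is also a common
    Helm label, so this errs on the side of blocking: a false positive costs a
    trip through git, a false negative could delete a managed resource."""
    meta = obj.get("metadata") or {}
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    return ("app.kubernetes.io/instance" in labels
            or "argocd.argoproj.io/tracking-id" in annotations)


def keda_owner(obj, scaled_objects):
    """Name of the ScaledObject that owns this workload's replica count, or None."""
    meta = obj.get("metadata") or {}
    for so in scaled_objects:
        ref = so["spec"]["scaleTargetRef"]
        same_ns = so["metadata"].get("namespace") == meta.get("namespace")
        # scaleTargetRef.kind defaults to Deployment when omitted
        if (same_ns and ref.get("kind", "Deployment") == obj.get("kind")
                and ref["name"] == meta.get("name")):
            return so["metadata"]["name"]
    return None


def check_kubectl(verb, obj, scaled_objects=(), confirmed=False):
    """Return (allowed, reason) for running `kubectl <verb>` against obj."""
    if verb in NODE_DISRUPTIVE:
        if not confirmed:
            return False, f"{verb} needs explicit confirmation (workloads get evicted)"
        return True, f"{verb} confirmed"
    if verb in READ_ONLY:
        return True, "read-only verb"
    if verb == "scale":
        owner = keda_owner(obj, scaled_objects)
        if owner:
            return False, (f"replicas are owned by ScaledObject {owner}; "
                           "KEDA's HPA would overwrite a manual scale")
        return True, ("not KEDA-owned (ArgoCD may still flag replica drift "
                      "unless ignoreDifferences covers it)")
    if verb in GITOPS_MUTATING and is_argocd_managed(obj):
        return False, (f"{verb} on an ArgoCD-managed object: change git and sync "
                       "instead (self-heal would revert it)")
    return True, "not GitOps-managed"


# Constructed sample objects (not from the real cluster).
WEB_DEPLOY = {"kind": "Deployment",
              "metadata": {"name": "web", "namespace": "acme",
                           "labels": {"app.kubernetes.io/instance": "acme"}}}
BUILD_DEPLOY = {"kind": "Deployment",
                "metadata": {"name": "build-runner", "namespace": "acme",
                             "annotations": {"argocd.argoproj.io/tracking-id":
                                             "acme:apps/Deployment:acme/build-runner"}}}
SCRATCH_DEPLOY = {"kind": "Deployment", "metadata": {"name": "scratch", "namespace": "acme"}}
NODE = {"kind": "Node", "metadata": {"name": "wecare-web-3"}}
SCALED_OBJECTS = [{"kind": "ScaledObject",
                   "metadata": {"name": "build-runner", "namespace": "acme"},
                   "spec": {"scaleTargetRef": {"name": "build-runner"}}}]

if __name__ == "__main__":
    for verb, obj in [("logs", WEB_DEPLOY), ("delete", WEB_DEPLOY), ("scale", BUILD_DEPLOY),
                      ("scale", SCRATCH_DEPLOY), ("drain", NODE)]:
        print(verb, obj["metadata"]["name"], check_kubectl(verb, obj, SCALED_OBJECTS))
```

The guard deliberately lets `scale` through on ArgoCD-managed but non-KEDA workloads, matching the text: ArgoCD will surface the drift, whereas a KEDA-owned replica count is simply overwritten, so the manual change is pointless as well as confusing.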
network-expert
Runs Cilium/Hubble diagnostics directly (cilium-dbg, hubble observe) and general network tools (ping, dig, traceroute, mtr, curl). Delegates general kubectl to k8s-manager and Hetzner Cloud queries to hcloud-operator as needed. Best for "traffic isn't getting where it should" — it knows the full path (Hetzner LB → cloudflared tunnel → Traefik → Service → pod → Cilium egress → coredns → upstream).
db-manager
MariaDB + MaxScale expert. Knows the mariadb-operator CRDs, the myCnf parameter surface, the replication topology, MaxScale's routing, and common failure modes. Can query container registries for image tags (Docker Hub, GHCR, Quay, MariaDB's own registry), tune buffer pool sizes against container limits, and walk through the replication recovery procedure. Delegate any MariaDB data-plane change here — the "don't wipe the data dir" rule is load-bearing.
secrets-manager
Owns the end-to-end Sealed Secrets flow: write the plaintext YAML in untracked/secrets/ (which stays out of git), register it in seal.sh (seal for a secret bound to one namespace, cluster_seal for a cluster-wide one that can be copied into several locations), run the script, copy the output to the correct manifests_v1/app-constructs/<app>/ location, commit. Knows the sharing rules (which secrets belong in multiple bases) and never outputs plaintext values. If build-autoscaler-config.sh fails because Bitwarden is locked, it delegates to vault-manager.
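The three rules that matter in that flow (plaintext never leaves untracked/secrets/, nothing is echoed in clear, and the seal scope matches how many places the SealedSecret is copied into) are mechanical enough to check before a commit. The following is an added example, not seal.sh or any repo tooling; manifests are passed in already parsed as dicts so it runs without PyYAML, the scope annotations are the real Sealed Secrets ones, and the app names, namespaces and secret values below are constructed.

```python
"""Checks that back the secrets-manager rules above: plaintext never leaves
untracked/secrets/, nothing is printed in clear, and the Sealed Secrets scope
matches how many places a SealedSecret is copied into.

Added example, not seal.sh or any repo tooling. Manifests arrive already parsed
(plain dicts), so this runs without PyYAML. The scope annotations are the real
Sealed Secrets ones; paths, namespaces and values below are constructed.
"""
from collections import defaultdict

PLAINTEXT_PREFIX = ("untracked", "secrets")
CLUSTER_WIDE_ANN = "sealedsecrets.bitnami.com/cluster-wide"
NAMESPACE_WIDE_ANN = "sealedsecrets.bitnami.com/namespace-wide"


def redact(secret):
    """Copy of a Secret with every value replaced; safe to print, log, or echo back."""
    out = {k: v for k, v in secret.items() if k not in ("data", "stringData")}
    for field in ("data", "stringData"):
        if secret.get(field):
            out[field] = {k: "<redacted>" for k in secret[field]}
    return out


def scope(sealed):
    """strict (bound to name+namespace, the default), namespace-wide, or cluster-wide."""
    ann = (sealed.get("metadata") or {}).get("annotations") or {}
    if ann.get(CLUSTER_WIDE_ANN) == "true":
        return "cluster-wide"
    if ann.get(NAMESPACE_WIDE_ANN) == "true":
        return "namespace-wide"
    return "strict"


def lint(manifests):
    """manifests: iterable of (repo_path, parsed_object). Returns findings as
    strings that name keys and locations but never secret values."""
    findings = []
    copies = defaultdict(list)  # SealedSecret name -> [(path, namespace, scope)]
    for path, obj in manifests:
        meta = obj.get("metadata") or {}
        kind = obj.get("kind")
        if kind == "Secret" and (obj.get("data") or obj.get("stringData")):
            if tuple(path.split("/")[:2]) != PLAINTEXT_PREFIX:
                keys = sorted(set(obj.get("data") or {}) | set(obj.get("stringData") or {}))
                findings.append(f"{path}: plaintext Secret {meta.get('name')} with keys {keys} "
                                "outside untracked/secrets/; seal it instead of committing it")
        elif kind == "SealedSecret":
            copies[meta.get("name")].append((path, meta.get("namespace"), scope(obj)))
    for name, places in copies.items():
        namespaces = {ns for _, ns, _ in places}
        for path, ns, sc in places:
            if len(namespaces) > 1 and sc != "cluster-wide":
                findings.append(f"{path}: SealedSecret {name} is copied into {sorted(namespaces)} "
                                f"but has {sc} scope, so the controller cannot unseal it outside "
                                "the namespace it was sealed for; re-seal with cluster_seal")
            elif len(namespaces) == 1 and sc == "cluster-wide":
                findings.append(f"{path}: SealedSecret {name} is cluster-wide but only used in "
                                f"{ns}; seal with strict scope so the blob cannot be unsealed elsewhere")
    return findings


# Constructed manifests; paths follow the manifests_v1/app-constructs/<app>/ layout on this page.
SAMPLE = [
    ("untracked/secrets/tunnel-creds.yaml",
     {"kind": "Secret", "metadata": {"name": "tunnel-creds", "namespace": "cloudflared"},
      "stringData": {"credentials.json": "{\"TunnelSecret\": \"not-a-real-value\"}"}}),
    ("manifests_v1/app-constructs/acme/db-secret.yaml",  # mistake: plaintext committed
     {"kind": "Secret", "metadata": {"name": "db-root", "namespace": "acme"},
      "stringData": {"password": "hunter2"}}),
    ("manifests_v1/app-constructs/cloudflared/sealed-tunnel-creds.yaml",
     {"kind": "SealedSecret", "metadata": {"name": "tunnel-creds", "namespace": "cloudflared"},
      "spec": {"encryptedData": {"credentials.json": "AgB..."}}}),
    ("manifests_v1/app-constructs/acme/sealed-tunnel-creds.yaml",  # copy, but strict scope
     {"kind": "SealedSecret", "metadata": {"name": "tunnel-creds", "namespace": "acme"},
      "spec": {"encryptedData": {"credentials.json": "AgB..."}}}),
    ("manifests_v1/app-constructs/registry/sealed-pull.yaml",  # broader scope than needed
     {"kind": "SealedSecret", "metadata": {"name": "pull-creds", "namespace": "registry",
                                           "annotations": {CLUSTER_WIDE_ANN: "true"}},
      "spec": {"encryptedData": {".dockerconfigjson": "AgB..."}}}),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

The scope check runs both ways on purpose: a strict-scope blob copied into a second namespace silently fails to unseal there, while a cluster-wide blob that only one namespace needs can be pasted into any namespace by anyone with write access to the repo, which is more than the secret should allow.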
terraform-manager
Hetzner Cloud infrastructure via ./tf.sh. Handles plan/apply/destroy/import, main.tf edits following the existing hcloud_server + null_resource pattern, plan file naming, IP allocation checks (which must cross-reference both main.tf and live kubectl get nodes -o wide because the autoscaler shares the subnet), and drain-before-destroy. Never runs bare terraform. Destructive operations always require explicit confirmation.
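The cross-reference the text requires is the interesting part: an address that looks free in main.tf may already belong to an autoscaler node that Terraform has never heard of. The following is an added example, not tf.sh or the repo's own code. It assumes servers receive their private address through an `ip = "..."` line in main.tf (the hcloud provider's network block), that the subnet is 10.0.1.0/24 with its first host address reserved for the Hetzner gateway, and both inputs (the main.tf fragment and the `kubectl get nodes -o wide` output) are constructed.

```python
"""IP allocation check of the kind terraform-manager runs before adding a node:
the next free address must be clear in both main.tf and the live cluster,
because autoscaler-created nodes take addresses from the same subnet without
ever appearing in main.tf.

Added example, not tf.sh or the repo's own code. Assumptions: servers get their
private address through an `ip = "..."` line in main.tf (the hcloud provider's
network block), the subnet is 10.0.1.0/24, and its first host address is
reserved for the Hetzner gateway. Both inputs below are constructed.
"""
import ipaddress
import re

SUBNET = ipaddress.ip_network("10.0.1.0/24")  # assumption
IP_LINE = re.compile(r'^\s*ip\s*=\s*"([\d.]+)"', re.MULTILINE)


def terraform_ips(main_tf):
    """Private IPs declared in main.tf (desired state)."""
    return {ipaddress.ip_address(m) for m in IP_LINE.findall(main_tf)}


def node_ips(nodes_wide):
    """node name -> INTERNAL-IP from `kubectl get nodes -o wide` text (live state).
    The column index comes from the header, so trailing columns with spaces
    (OS-IMAGE) do not matter."""
    lines = nodes_wide.strip().splitlines()
    col = lines[0].split().index("INTERNAL-IP")
    return {f[0]: ipaddress.ip_address(f[col]) for f in (line.split() for line in lines[1:])}


def allocate(main_tf, nodes_wide, subnet=SUBNET):
    """Lowest address free in both views, plus the two kinds of disagreement."""
    declared = terraform_ips(main_tf)
    live = set(node_ips(nodes_wide).values())
    hosts = list(subnet.hosts())
    reserved = {hosts[0]}                      # gateway (assumption above)
    used = declared | live | reserved
    return {
        "next_free": next((ip for ip in hosts if ip not in used), None),
        "live_only": live - declared,          # autoscaler nodes: invisible to Terraform
        "declared_only": declared - live,      # planned but not yet applied, or drifted
    }


def is_free(candidate, main_tf, nodes_wide, subnet=SUBNET):
    """True only if the candidate is inside the subnet and unused in both views."""
    ip = ipaddress.ip_address(candidate)
    used = terraform_ips(main_tf) | set(node_ips(nodes_wide).values()) | {list(subnet.hosts())[0]}
    return ip in subnet and ip not in used


# Constructed main.tf fragment: one live node and one added but not yet applied.
MAIN_TF = '''
resource "hcloud_server" "wecare_web_3" {
  name = "wecare-web-3"
  network {
    network_id = hcloud_network.cluster.id
    ip         = "10.0.1.13"
  }
}

resource "hcloud_server" "wecare_web_5" {
  name = "wecare-web-5"
  network {
    network_id = hcloud_network.cluster.id
    ip         = "10.0.1.10"
  }
}
'''

# Constructed `kubectl get nodes -o wide` output; the second node came from the autoscaler.
NODES_WIDE = '''
NAME             STATUS   ROLES    AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE           KERNEL-VERSION   CONTAINER-RUNTIME
wecare-web-3     Ready    <none>   10d   v1.30.0   10.0.1.13     <none>        Ubuntu 24.04 LTS   6.8.0-generic    containerd://1.7
autoscaled-7f3a  Ready    <none>   2h    v1.30.0   10.0.1.14     <none>        Ubuntu 24.04 LTS   6.8.0-generic    containerd://1.7
'''

if __name__ == "__main__":
    print(allocate(MAIN_TF, NODES_WIDE))
    print("10.0.1.14 free?", is_free("10.0.1.14", MAIN_TF, NODES_WIDE))
```

Note the trap the example is built around: the highest address in main.tf is .13, so "next one up" would pick .14, which the autoscaler already owns. Only the union of both views rules it out.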
hcloud-operator
A thin, read-only agent for live Hetzner Cloud queries via the hcloud CLI. Server listings, LB target health, private network member IPs, firewall rules, server metrics. Useful when you want to know "what's actually running in Hetzner right now" separately from Terraform's desired state. For infra changes, use terraform-manager instead.
helm-searcher
Search and inspect Helm charts — helm search repo, helm show values, helm template with local values files, and diffs between chart versions. Doesn't install or upgrade anything (this is a GitOps repo; ArgoCD owns deployments). Good for "what does chart X look like at version N", "what changed between X.Y and X.Z", or scouting a new chart.
vault-manager
Bitwarden / Vaultwarden access owner. Verifies the CLI is installed, the credentials file exists, bw-unlock.sh works, and the vault is actually reachable. Other agents that need secrets (terraform-manager, secrets-manager, hcloud-operator) delegate vault troubleshooting here instead of each duplicating the diagnosis. First stop for "my script says Bitwarden is locked" problems.
client-onboarder
Reads a filled-in untracked/client-onboarding/<client>.yaml, uses wecare as a living reference, generates ~25 new files across infrastructure/prod/, adveshop4/base/, adveshop4/prod/, adveshop4/stg/, modifies ~6 shared infra files (Longhorn tolerations, cluster-autoscaler pools, Cloudflared entries, Kyverno policy, Grafana dashboards kustomization, Ansible inventory), and produces a delegation report for terraform-manager, secrets-manager, and gitops-commit-pusher. See Add a client.
gitops-commit-pusher
Stages the right files, writes a structured commit message in the project's [App: <name>] <summary> style, pushes to origin. Doesn't invent changes — it takes existing modifications and commits them cleanly. Useful at the end of a multi-step workflow so you don't have to hand-craft the commit message.
k8s-manifest-locator
Fast file retrieval — "where does X live in the repo?" returns the path and the YAML. No live cluster access. Mostly used by other agents as a lookup service, but handy for humans when you're hunting a CRD definition, a specific kustomization.yaml, or a particular tenant's overlay.
devops-setup
Detects your OS (macOS / Linux / Windows / WSL), checks which required tools are present (kubectl, argocd, bw, kubeseal, terraform, python3, git, jq), and produces step-by-step install instructions for what's missing. It does not verify authentication / connectivity — that's delegated to the owning agent per tool. First stop when a new team member joins.
Just ask
You don't need to name the agent — Claude routes to the right one based on the question. A few examples of how the routing falls out:
- "Show me the ArgoCD app list" → argocd-manager
- "Drain wecare-web-3 for maintenance" → k8s-manager
- "pods can't reach MariaDB" → network-expert
- "What MariaDB 11.x versions are available?" → db-manager
- "Rotate the cloudflared tunnel credentials" → secrets-manager
- "Add a new wecare-web-5 node" → terraform-manager
- "Is the Hetzner LB healthy?" → hcloud-operator
- "What values does the traefik 34.x chart expose?" → helm-searcher
- "Onboard client acme using untracked/client-onboarding/acme.yaml" → client-onboarder
- "Commit and push everything I've changed" → gitops-commit-pusher
Further reading
- Rules & guardrails — the conventions each agent enforces
- Scripts — the tools behind each agent (argo.sh, tf.sh, seal.sh, …)
- Ansible playbooks — the OS-level operations that don't have an agent wrapper