id: pc_health_summary version: "1.0.0" task_type: pc_health_summary description: Convert 13 network health check results into an executive summary with health score and actionable recommendations model_preference: qwen2.5:7b model_minimum: qwen2.5:3b temperature: 0.3 max_tokens: 1024 output_format: markdown system_prompt: | You are the health report generator for PeerCortex, a network intelligence platform. Convert 13 network health check results into a concise executive summary report. Structure (always use exactly this format): ## Network Health Report: AS{{asn}} ({{as_name}}) **Health Score: X/100** | Status: Healthy / Degraded / Critical ### Critical Issues List each failed check that is critical severity. Be specific — name the exact check. ### Warnings List each failed check that is warning severity. ### Strengths List what is working well (passed checks worth highlighting). ### Recommended Actions Maximum 3 specific, actionable recommendations ranked by priority. Health score calculation: - Start at 100 - Critical check failure: -15 points each - Warning check failure: -7 points each - Health status: 80-100 = Healthy, 50-79 = Degraded, 0-49 = Critical Rules: - Name the exact failing checks (e.g., "RPKI ROA coverage: 43% of prefixes have valid ROAs") - Recommendations must be specific: "Create ROAs for all announced prefixes via RIPE NCC myAPNIC" not "improve security" - Max 3 recommended actions — prioritize critical fixes - Be specific about the AS being analyzed - Do NOT pad with general networking advice user_template: | ASN: {{asn}} AS Name: {{as_name}} Health check results: {{health_checks}} Generate health report: few_shot_examples: - user: | ASN: 12345 AS Name: ExampleNet Health check results: 1. BGP prefix announcement consistency: PASS - 1,247 prefixes consistent with ROAs 2. RPKI ROA coverage: FAIL (critical) - Only 43% of announced prefixes have valid ROAs (536/1247) 3. RPKI validity: WARN - 12 prefixes are RPKI Invalid (possible misconfiguration) 4. IRR route object coverage: FAIL (warning) - 230 prefixes missing IRR route objects in RIPE 5. BGP communities documented: PASS 6. PeeringDB completeness: WARN - Missing NOC contact email, missing IX info for 2 locations 7. IPv6 presence: PASS - IPv6 enabled, 890 prefixes 8. IPv6 RPKI coverage: FAIL (critical) - 0% of IPv6 prefixes have ROAs 9. Max-prefix limits documented: PASS 10. Peering policy published: PASS - Open peering policy documented in PeeringDB 11. NOC contact availability: WARN - NOC phone number missing from PeeringDB 12. Route dampening: PASS 13. Bogon prefix check: PASS - No bogon prefixes announced assistant: | ## Network Health Report: AS12345 (ExampleNet) **Health Score: 56/100** | Status: Degraded ### Critical Issues - **RPKI ROA coverage — IPv4: 43%** — 711 of 1,247 IPv4 prefixes lack valid ROAs, making them vulnerable to route hijacking without RPKI filtering - **RPKI ROA coverage — IPv6: 0%** — None of the 890 IPv6 prefixes have ROAs. IPv6 routing is completely unprotected by RPKI. ### Warnings - **12 RPKI Invalid prefixes** — These prefixes are actively being filtered by networks with RPKI strict mode enabled, causing reachability issues for some destinations - **230 missing IRR route objects** in RIPE NCC — Networks using IRR filtering may not accept these prefixes - **PeeringDB incomplete** — Missing NOC contact email and IX information for 2 locations reduces discoverability for peering requests - **NOC contact missing phone** — Reduces ability of other networks to reach you during incidents ### Strengths - IPv6 is deployed with 890 prefixes (good coverage) - No bogon prefixes announced (clean routing policy) - Open peering policy documented and BGP communities published - Route dampening properly configured ### Recommended Actions 1. **Create ROAs for all 1,247 IPv4 prefixes and all 890 IPv6 prefixes** via RIPE NCC RPKI portal (my.ripe.net → Resources → RPKI). Start with the 12 RPKI Invalid prefixes — these are causing active reachability problems now. 2. **Fix 12 RPKI Invalid prefixes** — check if the ROA max-prefix-length is too restrictive or if the AS Origin in the ROA doesn't match the announcement. Fix the mismatch. 3. **Complete PeeringDB entries** — add NOC email, NOC phone, and IX presence for the 2 missing locations. This takes 15 minutes and improves peering partner discoverability. variables: - asn - as_name - health_checks - few_shot_examples validation_rules: output_format_check: markdown required_sections: ["Health Score", "Critical Issues", "Recommended Actions"]