@raishin/vanguard-frontier-agentic 1.0.0 → 1.2.0

package/catalog/skills.json

@@ -1,7 +1,7 @@
 [
   {
-    "id": "aws-iam-least-privilege-review",
-    "name": "AWS IAM Least Privilege Review",
+    "id": "aws-agentcore",
+    "name": "AWS AgentCore",
     "type": "skill",
     "provider": "aws",
     "harnesses": [
@@ -12,23 +12,40 @@
       "kiro",
       "other"
     ],
-    "summary": "Review AWS IAM policies, trust policies, and resource policies for least-privilege risks with official-doc-backed remediation.",
-    "source_type": "original",
+    "summary": "Build, test, migrate, and deploy Amazon Bedrock AgentCore code-based agents and harness workflows with runtime, policy, environment/skills, Memory, Gateway, Identity, Observability, Browser, Code Interpreter, and security guidance loaded progressively.",
+    "source_type": "adapted",
     "official_docs": [
-      "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
-      "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html"
-    ],
-    "security_notes": "Prefer read-only inspection. Do not broaden permissions. Validate policy changes with IAM Access Analyzer where available.",
-    "last_verified": "2026-04-27",
-    "path": "skills/aws/aws-iam-least-privilege-review",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/develop-agents.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agentcore-get-started-cli.md",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-get-started.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-environment.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-security.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/what-is-bedrock-agentcore.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-get-started.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/memory.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability-configure.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/browser-tool.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-tools.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-create-policies.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-core-concepts.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-operations.html"
+    ],
+    "security_notes": "Do not hardcode credentials, tokens, client secrets, account IDs, or customer data. Prefer AgentCore Identity/Gateway for managed credentials, enforce Cedar policy where Gateway is used, verify region and preview-feature constraints, keep least-privilege roles, and require explicit approval before deployment or tool-exposure changes.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-agentcore",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.6"
   },
   {
-    "id": "azure-ai-foundry-ops-governor",
-    "name": "Azure AI Foundry Ops Governor",
+    "id": "aws-api-edge-delivery-review",
+    "name": "AWS API Edge Delivery Review",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -37,31 +54,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern Microsoft Foundry and Azure AI Foundry operations across resource-versus-project boundaries, RBAC, quotas, network isolation, logging, and safe MCP-backed execution.",
+    "summary": "Review API Gateway, CloudFront, AWS WAF, Shield, ALB edge/API exposure, throttling, auth, TLS, origin protection, caching, logging, and abuse controls.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/foundry/concepts/architecture",
-      "https://learn.microsoft.com/en-us/azure/foundry/concepts/rbac-foundry",
-      "https://learn.microsoft.com/en-us/azure/foundry/concepts/planning",
-      "https://learn.microsoft.com/en-us/azure/foundry/mcp/security-best-practices?view=foundry",
-      "https://learn.microsoft.com/en-us/azure/foundry/how-to/configure-private-link",
-      "https://learn.microsoft.com/en-us/azure/foundry/how-to/managed-virtual-network",
-      "https://learn.microsoft.com/en-us/azure/foundry/how-to/quota",
-      "https://learn.microsoft.com/en-us/azure/foundry/foundry-models/quotas-limits",
-      "https://learn.microsoft.com/en-us/azure/foundry/foundry-models/how-to/monitor-models",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
-    ],
-    "security_notes": "Keep Foundry resource governance separate from project developer isolation, prefer Entra ID over key-based auth, verify quota and diagnostics before rollout, and treat MCP mutations as higher risk than read-only discovery, especially because hosted Foundry MCP security guidance documents preview and public-endpoint limitations.",
-    "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-ai-foundry-ops-governor",
+      "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-best-practices.html",
+      "https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html",
+      "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html",
+      "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html"
+    ],
+    "security_notes": "Do not approve public API or edge changes without auth, throttling, TLS, logging, WAF/origin protection where appropriate, sensitive-log controls, and rollback path.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-api-edge-delivery-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
-    "id": "azure-aks-platform-operator",
-    "name": "Azure AKS Platform Operator",
+    "id": "aws-bedrock-agent-security-governor",
+    "name": "AWS Bedrock Agent Security Governor",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -70,28 +81,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review AKS platform design and operations with a production operator lens across node pools, identity, network policy, scaling, upgrades, rollback safety, and observability readiness.",
+    "summary": "Review Amazon Bedrock agents, AgentCore, Guardrails, knowledge bases, action groups, memory, prompt-injection defenses, PII handling, observability, and least-privilege access.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-kubernetes",
-      "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/baseline-aks",
-      "https://learn.microsoft.com/en-us/azure/aks/upgrade-options",
-      "https://learn.microsoft.com/en-us/azure/aks/upgrade-conceptual",
-      "https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview",
-      "https://learn.microsoft.com/en-us/azure/aks/network-policy-best-practices"
-    ],
-    "security_notes": "Do not wave through AKS as production ready without explicit upgrade, rollback, workload identity, traffic-control, subnet-capacity, and observability evidence. Treat flat pod networking, static secrets, and untested drain behavior as high-risk.",
-    "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-aks-platform-operator",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/security-best-practice-agents.html",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/prompt-injection.html",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-how.html"
+    ],
+    "security_notes": "Do not grant broad tool or data access to Bedrock agents. Require least privilege, prompt-injection tests, guardrail coverage, PII controls, observability, and kill-switch/rollback design.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-bedrock-agent-security-governor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
-    "id": "azure-app-service-production-readiness",
-    "name": "Azure App Service Production Readiness",
+    "id": "aws-change-impact-advisor",
+    "name": "AWS Change Impact Advisor",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -100,38 +108,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure App Service and Web Apps for production readiness across plan fit, slots, networking, private ingress, identities, secrets, scaling, diagnostics, resilience, backup, rollback, and operator ownership with explicit evidence-versus-inference handling.",
+    "summary": "Assess planned AWS change impact, blast radius, rollback readiness, stakeholder communication, and non-destructive go/no-go guidance before execution.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/app-service-web-apps",
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots",
-      "https://learn.microsoft.com/en-us/azure/app-service/app-service-best-practices",
-      "https://learn.microsoft.com/en-us/azure/app-service/manage-scale-up",
-      "https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-enable",
-      "https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-routing",
-      "https://learn.microsoft.com/en-us/azure/app-service/overview-private-endpoint",
-      "https://learn.microsoft.com/en-us/azure/app-service/overview-access-restrictions",
-      "https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references",
-      "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
-      "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
-      "https://learn.microsoft.com/en-us/azure/app-service/configure-zone-redundancy",
-      "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-app-service"
-    ],
-    "security_notes": "Do not confuse plan SKU with readiness, public access restrictions with true private ingress, or backup configuration with recovery readiness. Prefer managed identity and Key Vault references over embedded secrets, treat app settings as sensitive, and do not invent unsupported Azure MCP namespaces or operations.",
-    "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-app-service-production-readiness",
+      "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-changesets.html",
+      "https://docs.aws.amazon.com/prescriptive-guidance/latest/choosing-git-branch-approach/plan-your-change-management-strategy.html",
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/change-calendar.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/design_principles.html"
+    ],
+    "security_notes": "This role is advisory only. Do not approve execution from weak evidence. Require explicit rollback, dependency, owner, and communication clarity before treating a change as low-risk.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-change-impact-advisor",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-cosmosdb-application-developer",
-    "name": "Azure Cosmos DB Application Developer",
-    "version": "0.1.0",
+    "id": "aws-ci-cd-release-engineer",
+    "name": "AWS CI/CD Release Engineer",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -140,32 +135,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Guide Azure Cosmos DB application development across NoSQL data modeling, partition-aware access patterns, point reads, query shape, SDK usage, transactional batch scope, and consistency-aware application behavior with explicit evidence-versus-inference handling.",
+    "summary": "Review AWS release pipelines, deployment gates, artifact provenance, CodePipeline/CodeBuild/CodeDeploy, GitHub/GitLab integrations, rollback, change correlation, and incident prevention.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/concepts",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/partitioning",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/modeling-data",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/consistency-levels",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-manage-consistency",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/query-metrics",
-      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/transactional-batch",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/find-request-unit-charge"
-    ],
-    "security_notes": "Do not recommend data models, query patterns, transactional assumptions, or SDK usage that ignore partition scope, RU cost, consistency semantics, or least-privilege access boundaries.",
-    "last_verified": "2026-04-28",
-    "path": "skills/azure/azure-cosmosdb-application-developer",
-    "author": "github: Raishin"
+      "https://docs.aws.amazon.com/devopsagent/latest/userguide/about-aws-devops-agent.html",
+      "https://docs.aws.amazon.com/devopsagent/latest/userguide/working-with-devops-agent-proactive-incident-prevention.html",
+      "https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-rollback-and-redeploy.html",
+      "https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html"
+    ],
+    "security_notes": "Do not approve production pipelines without artifact integrity, least-privilege deploy roles, quality/security gates, deployment telemetry, rollback criteria, and post-deploy validation.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-ci-cd-release-engineer",
+    "author": "github: Raishin",
+    "version": "0.1.2"
   },
   {
-    "id": "azure-cosmosdb-performance-investigator",
-    "name": "Azure Cosmos DB Performance Investigator",
-    "version": "0.1.0",
+    "id": "aws-compliance-evidence-mapper",
+    "name": "AWS Compliance Evidence Mapper",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -174,31 +162,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Investigate Azure Cosmos DB query latency, RU inefficiency, throttling, hot partitions, indexing gaps, and workload-level performance pathologies using explicit evidence, metrics, and step-by-step profiling discipline.",
+    "summary": "Map AWS controls, Security Hub findings, AWS Config conformance packs, Audit Manager assessments, evidence folders, manual evidence, and report gaps for audit readiness.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/concepts",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/troubleshoot-query-performance",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/query-metrics",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/index-metrics",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/use-metrics",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-redistribute-throughput-across-partitions",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/performance-tips-dotnet-sdk-v3",
-      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db"
-    ],
-    "security_notes": "Do not recommend throughput increases, repartitioning, indexing changes, or SDK tuning before separating RU cost, latency, partition skew, and query-shape evidence. Avoid speculative fixes that hide workload design defects.",
-    "last_verified": "2026-04-28",
-    "path": "skills/azure/azure-cosmosdb-performance-investigator",
-    "author": "github: Raishin"
+      "https://docs.aws.amazon.com/audit-manager/latest/userguide/assessments.html",
+      "https://docs.aws.amazon.com/audit-manager/latest/userguide/review-evidence.html",
+      "https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html",
+      "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html"
+    ],
+    "security_notes": "Do not claim compliance from tool output alone. Label evidence freshness, scope, inconclusive evidence, missing Config/Security Hub coverage, and need for legal/compliance review.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-compliance-evidence-mapper",
+    "author": "github: Raishin",
+    "version": "0.1.2"
   },
   {
-    "id": "azure-cosmosdb-platform-operator",
-    "name": "Azure Cosmos DB Platform Operator",
-    "version": "0.1.0",
+    "id": "aws-cost-anomaly-watch-coordinator",
+    "name": "AWS Cost Anomaly Watch Coordinator",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -207,30 +189,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review and operate Azure Cosmos DB platform posture across accounts, databases, containers, partitioning, throughput, consistency, indexing, throttling, multi-region tradeoffs, and operational guardrails with explicit evidence-versus-inference handling.",
+    "summary": "Review AWS cost anomalies, budget drift, usage spikes, and savings opportunities with non-destructive recommendations and business-facing escalation guidance.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/concepts",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/partitioning",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/modeling-data",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/consistency-levels",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-manage-consistency",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/query-metrics",
-      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/hierarchical-partition-keys"
-    ],
-    "security_notes": "Do not approve a partition key, indexing posture, consistency change, or cross-partition query strategy without checking workload shape, RU impact, transactional scope, and least-privilege access implications.",
-    "last_verified": "2026-04-28",
-    "path": "skills/azure/azure-cosmosdb-platform-operator",
-    "author": "github: Raishin"
+      "https://docs.aws.amazon.com/cost-management/latest/userguide/management-limits.html",
+      "https://docs.aws.amazon.com/cost-management/latest/userguide/getting-started-ad.html",
+      "https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-managing-costs.html",
+      "https://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html"
+    ],
+    "security_notes": "Keep the role advisory and non-destructive. Do not stop workloads or alter purchasing commitments from this role. Focus on evidence, hypotheses, safe next checks, and escalation.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-cost-anomaly-watch-coordinator",
+    "author": "github: Raishin",
+    "version": "0.1.0"
   },
   {
-    "id": "azure-cost-estimation-review",
-    "name": "Azure Cost Estimation Review",
+    "id": "aws-cost-optimization-governor",
+    "name": "AWS Cost Optimization Governor",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -239,28 +216,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure cost estimates for pricing-calculator assumptions, SKU and region realism, production versus nonproduction sizing, omission risk, and explicit uncertainty labeling.",
+    "summary": "Review AWS cost posture across Cost Explorer, Budgets, Cost Optimization Hub, Compute Optimizer, commitments, tagging, showback, idle waste, and rightsizing.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/understand/plan-manage-costs",
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/pricing-calculator",
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/savings-plan/manage-savings-plan",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-pricing"
-    ],
-    "security_notes": "Do not present calculator output as invoice truth, do not hide missing sizing assumptions, and do not imply unsupported Azure MCP pricing or billing capabilities. Treat negotiated pricing, discount posture, and future utilization as explicit uncertainty unless verified.",
-    "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-cost-estimation-review",
+      "https://docs.aws.amazon.com/cost-management/latest/userguide/cost-optimization-hub.html",
+      "https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-best-practices.html",
+      "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ce-api-best-practices.html/",
+      "https://docs.aws.amazon.com/wellarchitected/latest/cost-optimization-pillar/welcome.html"
+    ],
+    "security_notes": "Do not recommend cost cuts that remove backups, logging, security controls, redundancy, or tested capacity without explicit risk acceptance and rollback evidence.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-cost-optimization-governor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
-    "id": "azure-cost-optimization-governor",
-    "name": "Azure Cost Optimization Governor",
+    "id": "aws-daily-operations-briefing-coordinator",
+    "name": "AWS Daily Operations Briefing Coordinator",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -269,31 +243,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure FinOps and spend-governance posture across budgets, alerts, cost analysis visibility, tagging, exports, and reservation or savings-plan awareness with explicit ownership and evidence handling.",
+    "summary": "Prepare non-destructive AWS daily operations briefings across health signals, incidents, deployments, cost drift, open risks, and action backlog for business and engineering stakeholders.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/understand/plan-manage-costs",
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/reporting-get-started",
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-improved-exports",
-      "https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-cost-recommendations",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-pricing",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-advisor"
-    ],
-    "security_notes": "Do not promise savings without utilization evidence, treat budgets as alerts rather than enforcement, keep billing and export data sanitized, and require named ownership for alerts, tags, exports, and optimization follow-up before calling the FinOps posture credible.",
-    "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-cost-optimization-governor",
+      "https://docs.aws.amazon.com/health/latest/ug/what-is-aws-health.html",
+      "https://docs.aws.amazon.com/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/introduction.html",
+      "https://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html",
+      "https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html"
+    ],
+    "security_notes": "Do not treat dashboards as proof. Keep reporting read-only, evidence-based, and explicit about unknowns. Never recommend mutation or production changes without separate approval and deeper technical review.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-daily-operations-briefing-coordinator",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-entra-id-specialist",
-    "name": "Azure Entra ID Specialist",
-    "version": "0.1.0",
+    "id": "aws-data-protection-backup-steward",
+    "name": "AWS Data Protection Backup Steward",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -302,30 +270,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review and guide Microsoft Entra ID tenant posture across conditional access, authentication methods, MFA and SSPR registration, identity protection, workload identities, app registrations, external identities, governance boundaries, and least-privilege identity operations with explicit evidence-versus-inference handling.",
+    "summary": "Review AWS backup and data protection across AWS Backup, snapshots, vaults, restore testing, retention, encryption, immutability, cross-account copy, and recovery evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/concepts",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/entra/fundamentals/what-is-entra",
-      "https://learn.microsoft.com/en-us/entra/id-governance/identity-governance-overview",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure",
-      "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-security-info-registration",
-      "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-users-groups",
-      "https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview",
-      "https://learn.microsoft.com/en-us/entra/id-protection/concept-workload-identity-risk"
-    ],
-    "security_notes": "Do not recommend broad exclusions, unsafe break-glass patterns, blanket MFA bypasses, overprivileged app registrations, or risky Conditional Access changes without scoping blast radius, role ownership, and recovery paths.",
-    "last_verified": "2026-04-28",
-    "path": "skills/azure/azure-entra-id-specialist",
-    "author": "github: Raishin"
+      "https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html",
+      "https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html",
+      "https://docs.aws.amazon.com/aws-backup/latest/devguide/cross-account-backup.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/plan-for-disaster-recovery-dr.html"
+    ],
+    "security_notes": "Do not treat snapshots as sufficient data protection. Check restore permissions, KMS access, vault policy, immutability, cross-account isolation, and tested recovery evidence.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-data-protection-backup-steward",
+    "author": "github: Raishin",
+    "version": "0.1.2"
   },
   {
-    "id": "azure-governance-policy-guardrails",
-    "name": "Azure Governance Policy Guardrails",
+    "id": "aws-deployment-hotfix-operator",
+    "name": "AWS Deployment Hotfix Operator",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -334,31 +297,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and review Azure Policy guardrails, initiatives, assignment scope, exclusions, remediation risk, and staged governance rollout patterns.",
+    "summary": "Patch AWS deployment manifests, environment config, release toggles, and rollout settings quickly in-repo with explicit rollback notes and no live-cloud mutation by default.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/tailoring-alz",
-      "https://learn.microsoft.com/en-us/azure/governance/policy/overview",
-      "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure",
-      "https://learn.microsoft.com/en-us/azure/governance/policy/assign-policy-portal",
-      "https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources",
-      "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/migrate-azure-landing-zone-policies",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-policy"
+      "https://docs.aws.amazon.com/prescriptive-guidance/latest/choosing-git-branch-approach/plan-your-change-management-strategy.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/design_principles.html"
     ],
-    "security_notes": "Do not recommend broad-scope deny or remediation-first rollout without blast-radius review, inheritance analysis, exception handling, and rollback notes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-governance-policy-guardrails",
+    "security_notes": "Repo write access only. Do not deploy, apply, destroy, or mutate live AWS resources from this role by default. Require explicit human approval for any step beyond repo patching and validation.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-deployment-hotfix-operator",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-identity-governance-review",
-    "name": "Azure Identity Governance Review",
+    "id": "aws-devops-agent-skill-designer",
+    "name": "AWS DevOps Agent Skill Designer",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -367,32 +322,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Microsoft Entra identity governance posture for Azure operators, focusing on PIM, access reviews, entitlement management, standing access, and ownership gaps.",
+    "summary": "Design AWS DevOps Agent-compatible skills, investigation workflows, learned skills, tool-use best practices, agent targeting, frontmatter triggers, and operational output contracts.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones",
-      "https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles",
-      "https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview",
-      "https://learn.microsoft.com/en-us/entra/id-governance/manage-access-review",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review",
-      "https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview",
-      "https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-reviews-create",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
-    ],
-    "security_notes": "Challenge standing privileged access by default. Do not treat PIM, access reviews, or entitlement management as sufficient unless scope, ownership, cadence, and removal behavior are explicit.",
-    "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-identity-governance-review",
+      "https://docs.aws.amazon.com/devopsagent/latest/userguide/about-aws-devops-agent-devops-agent-skills.html",
+      "https://docs.aws.amazon.com/devopsagent/latest/userguide/about-aws-devops-agent-learned-skills.html",
+      "https://docs.aws.amazon.com/devopsagent/latest/userguide/about-aws-devops-agent.html",
+      "https://docs.aws.amazon.com/devopsagent/latest/userguide/aws-devops-agent-security.html"
+    ],
+    "security_notes": "Do not create AWS DevOps Agent skills with vague descriptions, broad agent targeting, secret-handling instructions, unsupported executable assumptions, or missing success criteria.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-devops-agent-skill-designer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
-    "id": "azure-key-vault-secret-lifecycle-auditor",
-    "name": "Azure Key Vault Secret Lifecycle Auditor",
+    "id": "aws-dynamodb-data-modeling-performance-review",
+    "name": "AWS DynamoDB Data Modeling Performance Review",
     "type": "skill",
-    "provider": "azure",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -401,28 +349,1509 @@
       "kiro",
       "other"
     ],
-    "summary": "Audit Azure Key Vault secret lifecycle posture across RBAC, soft delete, purge protection, expiration, rotation, metadata hygiene, eventing, and recovery readiness without exposing secret values.",
+    "summary": "Review DynamoDB table design, partition keys, sort keys, GSIs/LSIs, hot partitions, query/scan patterns, capacity, global tables, TTL, DAX, and cost/performance tradeoffs.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-key-vault",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/services/azure-mcp-server-for-key-vault",
-      "https://learn.microsoft.com/en-us/azure/key-vault/secrets/secure-secrets",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/autorotation",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery",
-      "https://learn.microsoft.com/en-us/azure/key-vault/policy-reference"
-    ],
-    "security_notes": "Avoid retrieving secret values unless absolutely necessary. Treat purge authority, missing soft delete, missing purge protection, and unproven rotation or recovery paths as high-risk. Prefer RBAC least privilege and metadata-based audits over content access.",
-    "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-key-vault-secret-lifecycle-auditor",
+      "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/best-practices.html",
+      "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/bp-partition-key-design.html",
+      "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/bp-indexes.html",
+      "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Query.html"
+    ],
+    "security_notes": "Do not recommend DynamoDB schemas without explicit access patterns, partition cardinality, index tradeoffs, capacity/cost implications, and migration or backfill safety.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-dynamodb-data-modeling-performance-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
-    "id": "azure-landing-zone-architect",
-    "name": "Azure Landing Zone Architect",
+    "id": "aws-ec2-compute-operations-steward",
+    "name": "AWS EC2 Compute Operations Steward",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review EC2, Auto Scaling, Launch Templates, AMIs, Systems Manager, Patch Manager, EBS, snapshots, health checks, instance refresh, lifecycle hooks, and fleet operations.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-best-practices.html",
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html",
+      "https://docs.aws.amazon.com/autoscaling/ec2/userguide/instance-refresh-overview.html",
+      "https://docs.aws.amazon.com/ebs/latest/userguide/ebs-snapshots.html"
+    ],
+    "security_notes": "Do not approve EC2 fleet operations without patch compliance, managed access, health checks, rollback, backup/snapshot posture, IAM instance-profile review, and launch-template evidence.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-ec2-compute-operations-steward",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-ecs-fargate-platform-operator",
+    "name": "AWS ECS Fargate Platform Operator",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review Amazon ECS and Fargate services across task roles, execution roles, deployment circuit breakers, blue/green, load balancing, autoscaling, logging, networking, and rollback.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-failure-detection.html",
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-circuit-breaker.html",
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-blue-green.html",
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-roles.html"
+    ],
+    "security_notes": "Do not approve ECS/Fargate production changes without task-role separation, deployment rollback behavior, health check evidence, logs, secrets posture, and load balancer/target group validation.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-ecs-fargate-platform-operator",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-ecs-service-remediation-operator",
+    "name": "AWS ECS Service Remediation Operator",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Correct ECS/Fargate service definitions, task settings, deployment parameters, and environment configuration in-repo with bounded write access and no live service mutation by default.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service_definition_parameters.html",
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html",
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-ecs.html"
+    ],
+    "security_notes": "Repo write access only. Do not force new deployments, scale services, or alter live task state from this role by default. Surface rollout and rollback implications explicitly.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-ecs-service-remediation-operator",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-eks-platform-operator",
+    "name": "AWS EKS Platform Operator",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review Amazon EKS platform operations across cluster identity, access entries, node strategy, networking, autoscaling, upgrades, reliability, security, observability, and cost.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/eks/latest/best-practices/introduction.html",
+      "https://docs.aws.amazon.com/eks/latest/best-practices/security.html",
+      "https://docs.aws.amazon.com/eks/latest/best-practices/reliability.html",
+      "https://docs.aws.amazon.com/eks/latest/userguide/security-iam.html"
+    ],
+    "security_notes": "Do not call an EKS cluster production-ready without explicit identity, network isolation, upgrade, node disruption, image/runtime security, and observability evidence.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-eks-platform-operator",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-event-driven-architecture-review",
+    "name": "AWS Event Driven Architecture Review",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review AWS EventBridge, SQS, SNS, Step Functions, Pipes, event schemas, retries, DLQs, idempotency, cross-account routing, monitoring, and event-loop risk.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html",
+      "https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-patterns-best-practices.html",
+      "https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules-best-practices.html",
+      "https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-monitoring-events-best-practices.html"
+    ],
+    "security_notes": "Do not accept event-driven designs without precise patterns, DLQs/retry semantics, idempotent consumers, monitoring, cross-account policy review, and loop/cost controls.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-event-driven-architecture-review",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-generative-ai-developer",
+    "name": "AWS Generative AI Developer",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Build Amazon Bedrock applications with a serverless-first architecture using Lambda, API Gateway, Step Functions, EventBridge, S3, DynamoDB, SQS, Guardrails, and IAM.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/security-overview.html",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/security-best-practice-agents.html",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/prompt-injection.html",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-example-cross-serverless-prompt-chaining-section.html",
+      "https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html",
+      "https://docs.aws.amazon.com/lambda/latest/dg/with-step-functions.html",
+      "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-best-practices.html"
+    ],
+    "security_notes": "Prefer serverless managed services for this role unless a concrete blocker is provided. Do not approve broad model access, unsafe prompt/tool flows, weak auth, uncontrolled retention, or missing observability and cost controls.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-generative-ai-developer",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-iac-change-safety-review",
+    "name": "AWS IaC Change Safety Review",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review AWS CDK, CloudFormation, SAM, Terraform, and mixed IaC changes for replacement, deletion, drift, IAM, network, data-loss, rollback, and deployment safety risks.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/cdk/v2/guide/best-practices.html",
+      "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html",
+      "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/drift-aware-change-sets.html",
+      "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html"
+    ],
+    "security_notes": "Never approve an AWS IaC deployment from source diff alone when production state, generated artifacts, change sets, drift, replacements, destructive changes, or rollback are unresolved.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-iac-change-safety-review",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-iac-patch-executor",
+    "name": "AWS IaC Patch Executor",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Edit AWS IaC files such as CloudFormation, SAM, CDK config, and Terraform configuration in a bounded, non-destructive way with validation-first discipline.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html",
+      "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-best-practices.html",
+      "https://docs.aws.amazon.com/cdk/v2/guide/best-practices.html"
+    ],
+    "security_notes": "Can edit IaC files, not execute live infra changes. Never hide replacements, blast-radius risks, or IAM broadening. Always surface validation gaps and rollback concerns.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-iac-patch-executor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-iam-least-privilege-review",
+    "name": "AWS IAM Least Privilege Review",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review AWS IAM policies, trust policies, resource policies, permission boundaries, SCPs, and role design for least-privilege risks with Access Analyzer validation discipline.",
+    "source_type": "adapted",
+    "official_docs": [
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html",
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html",
+      "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html"
+    ],
+    "security_notes": "Prefer read-only inspection and minimum permission changes. Do not broaden IAM access, invent ARNs, or approve production trust changes without Access Analyzer validation where available.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-iam-least-privilege-review",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-kms-secrets-lifecycle-steward",
+    "name": "AWS KMS Secrets Lifecycle Steward",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review AWS KMS keys, key policies, grants, rotation, multi-Region keys, Secrets Manager, secret rotation, replication, caching, endpoint conditions, and break-glass access.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/kms/latest/developerguide/grant-best-practices.html",
+      "https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html",
+      "https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html",
+      "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html"
+    ],
+    "security_notes": "Do not change key policies, grants, key deletion, secret rotation, or multi-Region encryption without impact analysis for access, recovery, auditability, and rollback.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-kms-secrets-lifecycle-steward",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-landing-zone-governor",
+    "name": "AWS Landing Zone Governor",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review AWS multi-account landing zones, Control Tower posture, Organizations structure, OUs, guardrails, logging, audit accounts, and account vending decisions.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/controltower/latest/userguide/aws-multi-account-landing-zone.html",
+      "https://docs.aws.amazon.com/controltower/latest/userguide/lz-update-best-practices.html",
+      "https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-aws-environment/understanding-landing-zones.html",
+      "https://docs.aws.amazon.com/prescriptive-guidance/latest/designing-control-tower-landing-zone/introduction.html"
+    ],
+    "security_notes": "Do not collapse environments into one account for convenience. Treat weak OU design, missing centralized logging, unmanaged SCPs, and unclear account ownership as governance risks.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-landing-zone-governor",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-live-deployment-guarded-operator",
+    "name": "AWS Live Deployment Guarded Operator",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Operate guarded live AWS deployment changes only after explicit target confirmation, approval checkpoints, dry-run or preview evidence, rollback readiness, and post-change verification.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/cli/v1/reference/sts/get-caller-identity.html",
+      "https://docs.aws.amazon.com/codepipeline/latest/userguide/approvals.html",
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/welcome.html"
+    ],
+    "security_notes": "This role may work in repos connected to live AWS credentials. Never run live deployment mutations without explicit target confirmation, preview evidence, approval, rollback readiness, and post-change verification.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-live-deployment-guarded-operator",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-live-ecs-rollout-guard",
+    "name": "AWS Live ECS Rollout Guard",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Guard live Amazon ECS and Fargate rollout actions with service targeting, deployment circuit breaker or alarm checks, rollback posture, and explicit approval before mutation.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-circuit-breaker.html",
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-alarm-failure.html",
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-failure-detection.html",
+      "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_service_deployment_events.html"
+    ],
+    "security_notes": "Live ECS rollout actions require exact service targeting, health evidence, rollback posture, and explicit approval. Never treat force-new-deployment as a harmless default.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-live-ecs-rollout-guard",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-live-iac-change-guard",
+    "name": "AWS Live IaC Change Guard",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Guard live CloudFormation, SAM, CDK, and Terraform-backed AWS infrastructure changes with change sets or plans, rollback triggers, stack policies, drift checks, and explicit approval.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html",
+      "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-changesets.html",
+      "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-rollback-triggers.html",
+      "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html",
+      "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/detect-drift-stack.html"
+    ],
+    "security_notes": "Live IaC execution only with explicit preview evidence, confirmed targets, rollback triggers or equivalent safeguards, and human approval before execute. Never treat repo write access as enough authority for live infrastructure mutation.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-live-iac-change-guard",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-live-pipeline-approval-operator",
+    "name": "AWS Live Pipeline Approval Operator",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Handle live CodePipeline approval and gated resume decisions with exact pipeline targeting, approver scope, stage evidence, blast-radius review, and explicit approval auditability.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/codepipeline/latest/userguide/approvals.html",
+      "https://docs.aws.amazon.com/codepipeline/latest/userguide/approvals-action-add.html",
+      "https://docs.aws.amazon.com/codepipeline/latest/userguide/approvals-iam-permissions.html",
+      "https://docs.aws.amazon.com/codepipeline/latest/userguide/actions.html"
+    ],
+    "security_notes": "This role may interact with real pipeline approvals. Never approve, reject, or resume the wrong execution. Require exact targeting, approver authority, evidence review, and post-action verification.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-live-pipeline-approval-operator",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-live-serverless-release-guard",
+    "name": "AWS Live Serverless Release Guard",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Guard live Lambda and serverless release actions with alias targeting, canary or linear rollout discipline, alarms, rollback hooks, and explicit production approval.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html",
+      "https://docs.aws.amazon.com/lambda/latest/dg/configuring-alias-routing.html",
+      "https://docs.aws.amazon.com/codedeploy/latest/userguide/welcome.html",
+      "https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations.html"
+    ],
+    "security_notes": "Live serverless rollout actions require exact alias or deployment targeting, explicit approval, alarms, rollback posture, and post-change observation. Never shift traffic casually in a live environment.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-live-serverless-release-guard",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-migration-cutover-architect",
+    "name": "AWS Migration Cutover Architect",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Plan and review AWS migrations and cutovers across discovery, wave planning, Application Migration Service, Migration Hub, testing, rollback, downtime, and acceptance evidence.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/mgn/latest/ug/best_practices_mgn.html",
+      "https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-database-rehost-tools/mgn.html",
+      "https://docs.aws.amazon.com/decision-guides/latest/migration-on-aws-how-to-choose/migration-on-aws-how-to-choose.html",
+      "https://docs.aws.amazon.com/whitepapers/latest/aws-overview/migration-services.html"
+    ],
+    "security_notes": "Do not approve migration cutover without dependency evidence, tested launch, acceptance checks, rollback, security baseline, observability, and clear business owner signoff.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-migration-cutover-architect",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-network-architect",
+    "name": "AWS Network Architect",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Design and review AWS VPC, Transit Gateway, Direct Connect, VPN, Cloud WAN, Route 53 Resolver, private DNS, routing, private endpoints, segmentation, ingress, egress, inspection, and hybrid/multi-cloud connectivity patterns.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html",
+      "https://docs.aws.amazon.com/vpc/latest/tgw/tgw-best-design-practices.html",
+      "https://docs.aws.amazon.com/aws-technical-content/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html",
+      "https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html",
+      "https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html",
+      "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html"
+    ],
+    "security_notes": "Do not recommend public exposure, broad routes, overlapping CIDRs, route propagation, hybrid connectivity, DNS forwarding, or centralized inspection changes without traffic-flow evidence, rollback, and blast-radius analysis.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-network-architect",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-non-destructive-task-automation-advisor",
+    "name": "AWS Non-Destructive Task Automation Advisor",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Design AWS-native, non-destructive automation for reporting, notification, evidence gathering, approvals, and workflow coordination using serverless and event-driven services.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html",
+      "https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html",
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html",
+      "https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html"
+    ],
+    "security_notes": "This role must stay non-destructive. Prefer notification, approval, reporting, and evidence-collection flows. Escalate if the request drifts into mutation, remediation, or destructive operational automation.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-non-destructive-task-automation-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-observability-incident-responder",
+    "name": "AWS Observability Incident Responder",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Investigate AWS incidents using CloudWatch, logs, metrics, traces, alarms, EventBridge, runbooks, impact evidence, root cause discipline, and post-incident actions.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html",
+      "https://docs.aws.amazon.com/IDR/latest/userguide/observe-idr.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-IncidentReports-terms.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/incident-report-5whys.html"
+    ],
+    "security_notes": "Do not claim root cause without evidence. Separate live telemetry, service health, deployment changes, AI-derived insights, and human inference; require rollback or containment for active incidents.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-observability-incident-responder",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-pipeline-fix-operator",
+    "name": "AWS Pipeline Fix Operator",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Repair AWS-oriented CI/CD pipeline definitions, buildspecs, deployment workflow config, and release wiring in-repo without triggering live execution.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html",
+      "https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html",
+      "https://docs.aws.amazon.com/codedeploy/latest/userguide/welcome.html"
+    ],
+    "security_notes": "Repo write access only. Do not manually trigger pipelines, rotate secrets, or bypass approval gates from this role. Keep fixes explicit, reviewable, and reversible.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-pipeline-fix-operator",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-rds-aurora-performance-investigator",
+    "name": "AWS RDS Aurora Performance Investigator",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Investigate Amazon RDS and Aurora latency, connection exhaustion, slow queries, lock waits, replica lag, storage pressure, failover, Performance Insights, and database capacity risk.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/devopsagent/latest/userguide/about-aws-devops-agent-devops-agent-skills.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_BestPractices.html",
+      "https://docs.aws.amazon.com/prescriptive-guidance/latest/amazon-rds-monitoring-alerting/performance-insights-tools.html",
+      "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html"
+    ],
+    "security_notes": "Do not recommend resizing, failover, parameter changes, or index changes without evidence separating CPU, I/O, lock, query-plan, storage, connection, and application-driver causes.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-rds-aurora-performance-investigator",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-resilience-bcdr-review",
+    "name": "AWS Resilience BCDR Review",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review AWS resilience and business continuity across RTO/RPO, backup, multi-AZ, multi-Region, failover, game days, runbooks, drift, and recovery validation.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/plan-for-disaster-recovery-dr.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/welcome.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/framework/rel_testing_resiliency_failure_injection_resiliency.html",
+      "https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html"
+    ],
+    "security_notes": "Do not accept backup configuration as recovery proof. Require restore tests, RTO/RPO evidence, drift controls, owner/runbook clarity, and blast-radius analysis.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-resilience-bcdr-review",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-s3-data-perimeter-governor",
+    "name": "AWS S3 Data Perimeter Governor",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review Amazon S3 data perimeter, Block Public Access, Object Ownership, ACL removal, bucket/access point policies, TLS-only access, encryption, replication, lifecycle, and exposure risk.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html",
+      "https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-policy-actions.html"
+    ],
+    "security_notes": "Do not broaden S3 public or cross-account access. Prefer Block Public Access, disabled ACLs, scoped policies, TLS-only conditions, encryption, logging, and Access Analyzer validation.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-s3-data-perimeter-governor",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-security-posture-hardening",
+    "name": "AWS Security Posture Hardening",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Harden AWS security posture across Security Hub CSPM, GuardDuty, Inspector, Macie, Config, IAM, logging, encryption, public exposure, and remediation workflow.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-recommendations.html",
+      "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html",
+      "https://docs.aws.amazon.com/securityhub/latest/userguide/enable-standards.html",
+      "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html"
+    ],
+    "security_notes": "Do not treat a green dashboard as proof of security. Verify service coverage, Regions, delegated admin, Config recording, suppressions, public exposure, and remediation evidence.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-security-posture-hardening",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-serverless-production-readiness",
+    "name": "AWS Serverless Production Readiness",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review AWS Lambda and serverless workloads for IAM, concurrency, event sources, retries, DLQs, observability, secrets, performance, cost, and rollback readiness.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html",
+      "https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html",
+      "https://docs.aws.amazon.com/lambda/latest/operatorguide/monitoring-observability.html",
+      "https://docs.aws.amazon.com/lambda/latest/dg/monitoring-metrics.html"
+    ],
+    "security_notes": "Do not approve serverless workloads that lack least-privilege execution roles, retry/DLQ semantics, concurrency controls, observability, idempotency, and rollback evidence.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-serverless-production-readiness",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-serverless-rollout-corrector",
+    "name": "AWS Serverless Rollout Corrector",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Patch serverless deployment definitions, Lambda rollout settings, event wiring, and alias/version configuration in-repo while keeping live rollout actions out of scope by default.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html",
+      "https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html",
+      "https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html"
+    ],
+    "security_notes": "Can edit serverless rollout definitions in repo files only. Must not invoke live deploys, traffic shifts, or destructive remediation without separate explicit approval.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-serverless-rollout-corrector",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "aws-solution-architect",
+    "name": "AWS Solution Architect",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Design and stress-test AWS solution architectures across identity, networking, compute, data, security, resilience, operations, and cost with Well-Architected evidence discipline.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/wellarchitected/latest/framework/definitions.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/framework/operational-excellence.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/welcome.html"
+    ],
+    "security_notes": "Do not approve an AWS architecture without account-boundary, IAM, network exposure, data protection, observability, recovery, and cost evidence. Label unknowns instead of pretending the diagram is proof.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-solution-architect",
+    "author": "github: Raishin",
+    "version": "0.1.2"
+  },
+  {
+    "id": "aws-ticket-triage-escalation-coordinator",
+    "name": "AWS Ticket Triage Escalation Coordinator",
+    "type": "skill",
+    "provider": "aws",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Triage AWS operational tickets, alerts, and requests into priority, owner, evidence needs, and safe escalation paths without taking destructive actions.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-working-with-OpsItems.html",
+      "https://docs.aws.amazon.com/health/latest/ug/what-is-aws-health.html",
+      "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html",
+      "https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/prepare.html"
+    ],
+    "security_notes": "Do not mutate infrastructure, suppress alerts, or close issues without evidence and approval. This role classifies, routes, and escalates; it does not perform destructive remediation.",
+    "last_verified": "2026-04-29",
+    "path": "skills/aws/aws-ticket-triage-escalation-coordinator",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-ai-foundry-ops-governor",
+    "name": "Azure AI Foundry Ops Governor",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Govern Microsoft Foundry and Azure AI Foundry operations across resource-versus-project boundaries, RBAC, quotas, network isolation, logging, and safe MCP-backed execution.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/foundry/concepts/architecture",
+      "https://learn.microsoft.com/en-us/azure/foundry/concepts/rbac-foundry",
+      "https://learn.microsoft.com/en-us/azure/foundry/concepts/planning",
+      "https://learn.microsoft.com/en-us/azure/foundry/mcp/security-best-practices?view=foundry",
+      "https://learn.microsoft.com/en-us/azure/foundry/how-to/configure-private-link",
+      "https://learn.microsoft.com/en-us/azure/foundry/how-to/managed-virtual-network",
+      "https://learn.microsoft.com/en-us/azure/foundry/how-to/quota",
+      "https://learn.microsoft.com/en-us/azure/foundry/foundry-models/quotas-limits",
+      "https://learn.microsoft.com/en-us/azure/foundry/foundry-models/how-to/monitor-models",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+    ],
+    "security_notes": "Keep Foundry resource governance separate from project developer isolation, prefer Entra ID over key-based auth, verify quota and diagnostics before rollout, and treat MCP mutations as higher risk than read-only discovery, especially because hosted Foundry MCP security guidance documents preview and public-endpoint limitations.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-ai-foundry-ops-governor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-aks-platform-operator",
+    "name": "Azure AKS Platform Operator",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review AKS platform design and operations with a production operator lens across node pools, identity, network policy, scaling, upgrades, rollback safety, and observability readiness.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-kubernetes",
+      "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/baseline-aks",
+      "https://learn.microsoft.com/en-us/azure/aks/upgrade-options",
+      "https://learn.microsoft.com/en-us/azure/aks/upgrade-conceptual",
+      "https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview",
+      "https://learn.microsoft.com/en-us/azure/aks/network-policy-best-practices"
+    ],
+    "security_notes": "Do not wave through AKS as production ready without explicit upgrade, rollback, workload identity, traffic-control, subnet-capacity, and observability evidence. Treat flat pod networking, static secrets, and untested drain behavior as high-risk.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-aks-platform-operator",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-app-service-production-readiness",
+    "name": "Azure App Service Production Readiness",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review Azure App Service and Web Apps for production readiness across plan fit, slots, networking, private ingress, identities, secrets, scaling, diagnostics, resilience, backup, rollback, and operator ownership with explicit evidence-versus-inference handling.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/app-service-web-apps",
+      "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
+      "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots",
+      "https://learn.microsoft.com/en-us/azure/app-service/app-service-best-practices",
+      "https://learn.microsoft.com/en-us/azure/app-service/manage-scale-up",
+      "https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-enable",
+      "https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-routing",
+      "https://learn.microsoft.com/en-us/azure/app-service/overview-private-endpoint",
+      "https://learn.microsoft.com/en-us/azure/app-service/overview-access-restrictions",
+      "https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references",
+      "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+      "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
+      "https://learn.microsoft.com/en-us/azure/app-service/configure-zone-redundancy",
+      "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-app-service"
+    ],
+    "security_notes": "Do not confuse plan SKU with readiness, public access restrictions with true private ingress, or backup configuration with recovery readiness. Prefer managed identity and Key Vault references over embedded secrets, treat app settings as sensitive, and do not invent unsupported Azure MCP namespaces or operations.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-app-service-production-readiness",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-cosmosdb-application-developer",
+    "name": "Azure Cosmos DB Application Developer",
+    "version": "0.1.0",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Guide Azure Cosmos DB application development across NoSQL data modeling, partition-aware access patterns, point reads, query shape, SDK usage, transactional batch scope, and consistency-aware application behavior with explicit evidence-versus-inference handling.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/concepts",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/partitioning",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/modeling-data",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/consistency-levels",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-manage-consistency",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/query-metrics",
+      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/transactional-batch",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/find-request-unit-charge"
+    ],
+    "security_notes": "Do not recommend data models, query patterns, transactional assumptions, or SDK usage that ignore partition scope, RU cost, consistency semantics, or least-privilege access boundaries.",
+    "last_verified": "2026-04-28",
+    "path": "skills/azure/azure-cosmosdb-application-developer",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "azure-cosmosdb-performance-investigator",
+    "name": "Azure Cosmos DB Performance Investigator",
+    "version": "0.1.0",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Investigate Azure Cosmos DB query latency, RU inefficiency, throttling, hot partitions, indexing gaps, and workload-level performance pathologies using explicit evidence, metrics, and step-by-step profiling discipline.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/concepts",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/troubleshoot-query-performance",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/query-metrics",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/index-metrics",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/use-metrics",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-redistribute-throughput-across-partitions",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/performance-tips-dotnet-sdk-v3",
+      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db"
+    ],
+    "security_notes": "Do not recommend throughput increases, repartitioning, indexing changes, or SDK tuning before separating RU cost, latency, partition skew, and query-shape evidence. Avoid speculative fixes that hide workload design defects.",
+    "last_verified": "2026-04-28",
+    "path": "skills/azure/azure-cosmosdb-performance-investigator",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "azure-cosmosdb-platform-operator",
+    "name": "Azure Cosmos DB Platform Operator",
+    "version": "0.1.0",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review and operate Azure Cosmos DB platform posture across accounts, databases, containers, partitioning, throughput, consistency, indexing, throttling, multi-region tradeoffs, and operational guardrails with explicit evidence-versus-inference handling.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/concepts",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/partitioning",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/modeling-data",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/consistency-levels",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-manage-consistency",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/query-metrics",
+      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/hierarchical-partition-keys"
+    ],
+    "security_notes": "Do not approve a partition key, indexing posture, consistency change, or cross-partition query strategy without checking workload shape, RU impact, transactional scope, and least-privilege access implications.",
+    "last_verified": "2026-04-28",
+    "path": "skills/azure/azure-cosmosdb-platform-operator",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "azure-cost-estimation-review",
+    "name": "Azure Cost Estimation Review",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review Azure cost estimates for pricing-calculator assumptions, SKU and region realism, production versus nonproduction sizing, omission risk, and explicit uncertainty labeling.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/understand/plan-manage-costs",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/pricing-calculator",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/savings-plan/manage-savings-plan",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-pricing"
+    ],
+    "security_notes": "Do not present calculator output as invoice truth, do not hide missing sizing assumptions, and do not imply unsupported Azure MCP pricing or billing capabilities. Treat negotiated pricing, discount posture, and future utilization as explicit uncertainty unless verified.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-cost-estimation-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-cost-optimization-governor",
+    "name": "Azure Cost Optimization Governor",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review Azure FinOps and spend-governance posture across budgets, alerts, cost analysis visibility, tagging, exports, and reservation or savings-plan awareness with explicit ownership and evidence handling.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/understand/plan-manage-costs",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/reporting-get-started",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-improved-exports",
+      "https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-cost-recommendations",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-pricing",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-advisor"
+    ],
+    "security_notes": "Do not promise savings without utilization evidence, treat budgets as alerts rather than enforcement, keep billing and export data sanitized, and require named ownership for alerts, tags, exports, and optimization follow-up before calling the FinOps posture credible.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-cost-optimization-governor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-entra-id-specialist",
+    "name": "Azure Entra ID Specialist",
+    "version": "0.1.0",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review and guide Microsoft Entra ID tenant posture across conditional access, authentication methods, MFA and SSPR registration, identity protection, workload identities, app registrations, external identities, governance boundaries, and least-privilege identity operations with explicit evidence-versus-inference handling.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/concepts",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/entra/fundamentals/what-is-entra",
+      "https://learn.microsoft.com/en-us/entra/id-governance/identity-governance-overview",
+      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure",
+      "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-security-info-registration",
+      "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-users-groups",
+      "https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview",
+      "https://learn.microsoft.com/en-us/entra/id-protection/concept-workload-identity-risk"
+    ],
+    "security_notes": "Do not recommend broad exclusions, unsafe break-glass patterns, blanket MFA bypasses, overprivileged app registrations, or risky Conditional Access changes without scoping blast radius, role ownership, and recovery paths.",
+    "last_verified": "2026-04-28",
+    "path": "skills/azure/azure-entra-id-specialist",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "azure-governance-policy-guardrails",
+    "name": "Azure Governance Policy Guardrails",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Design and review Azure Policy guardrails, initiatives, assignment scope, exclusions, remediation risk, and staged governance rollout patterns.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/tailoring-alz",
+      "https://learn.microsoft.com/en-us/azure/governance/policy/overview",
+      "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure",
+      "https://learn.microsoft.com/en-us/azure/governance/policy/assign-policy-portal",
+      "https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources",
+      "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/migrate-azure-landing-zone-policies",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-policy"
+    ],
+    "security_notes": "Do not recommend broad-scope deny or remediation-first rollout without blast-radius review, inheritance analysis, exception handling, and rollback notes.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-governance-policy-guardrails",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-identity-governance-review",
+    "name": "Azure Identity Governance Review",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review Microsoft Entra identity governance posture for Azure operators, focusing on PIM, access reviews, entitlement management, standing access, and ownership gaps.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones",
+      "https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices",
+      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/",
+      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles",
+      "https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview",
+      "https://learn.microsoft.com/en-us/entra/id-governance/manage-access-review",
+      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review",
+      "https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview",
+      "https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-reviews-create",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+    ],
+    "security_notes": "Challenge standing privileged access by default. Do not treat PIM, access reviews, or entitlement management as sufficient unless scope, ownership, cadence, and removal behavior are explicit.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-identity-governance-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-key-vault-secret-lifecycle-auditor",
+    "name": "Azure Key Vault Secret Lifecycle Auditor",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Audit Azure Key Vault secret lifecycle posture across RBAC, soft delete, purge protection, expiration, rotation, metadata hygiene, eventing, and recovery readiness without exposing secret values.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-key-vault",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/services/azure-mcp-server-for-key-vault",
+      "https://learn.microsoft.com/en-us/azure/key-vault/secrets/secure-secrets",
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/autorotation",
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide",
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview",
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery",
+      "https://learn.microsoft.com/en-us/azure/key-vault/policy-reference"
+    ],
+    "security_notes": "Avoid retrieving secret values unless absolutely necessary. Treat purge authority, missing soft delete, missing purge protection, and unproven rotation or recovery paths as high-risk. Prefer RBAC least privilege and metadata-based audits over content access.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-key-vault-secret-lifecycle-auditor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-landing-zone-architect",
+    "name": "Azure Landing Zone Architect",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Design or review Azure landing-zone architecture across management groups, subscriptions, governance, security, networking, and operations dependencies.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/implementation-options",
+      "https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke",
+      "https://learn.microsoft.com/azure/developer/azure-mcp-server/tools/"
+    ],
+    "security_notes": "Do not prescribe a one-size-fits-all hierarchy, broad admin grants, or a production-ready verdict without governance, management, and recovery dependencies being addressed.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-landing-zone-architect",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-migrate-landing-zone-cutover",
+    "name": "Azure Migrate Landing Zone Cutover",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Stress-test Azure migration cutovers across assessment quality, landing-zone readiness, dependency sequencing, permissions, rollback, and post-cutover operating ownership.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/migrate/concepts-overview?view=migrate",
+      "https://learn.microsoft.com/en-us/azure/migrate/assessment-prerequisites?view=migrate",
+      "https://learn.microsoft.com/en-us/azure/migrate/review-application-assessment?view=migrate",
+      "https://learn.microsoft.com/en-us/azure/migrate/platform-landing-zone?view=migrate",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/ready-azure-landing-zone",
+      "https://learn.microsoft.com/en-us/azure/migrate/whats-new?view=migrate"
+    ],
+    "security_notes": "Do not equate Azure readiness with cutover readiness. Treat stale assessments, weak dependency mapping, broad migration permissions, missing rollback checkpoints, and incomplete landing-zone connectivity or monitoring as high-risk blockers.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-migrate-landing-zone-cutover",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-network-topology-review",
+    "name": "Azure Network Topology Review",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review Azure hub-spoke and related network topologies for routing, DNS, shared-services boundaries, security implications, and platform-versus-workload control ownership.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
+      "https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke",
+      "https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-hub-spoke-network",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+    ],
+    "security_notes": "Do not recommend flat or over-centralized network patterns by default. Always address routing, DNS, shared-service blast radius, and platform-versus-workload control boundaries before calling a topology safe.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-network-topology-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-observability-investigator",
+    "name": "Azure Observability Investigator",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Investigate Azure Monitor, Log Analytics, Application Insights, alerting, KQL triage, telemetry gaps, and observability workflows with explicit evidence-versus-inference handling.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/overview",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/best-practices-analysis",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-processing-rules",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/get-started-queries",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview",
+      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/application-insights",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/visualize-grafana-overview",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/monitor",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-monitor"
+    ],
+    "security_notes": "Do not over-attribute symptoms as root cause, ignore missing telemetry, or recommend broad alerting changes without signal-quality review, routing checks, and bounded verification steps.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-observability-investigator",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-platform-automation-devops",
+    "name": "Azure Platform Automation DevOps",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Design and review Azure platform automation delivery across landing-zone IaC choices, bootstrap-versus-run separation, infra-versus-app pipelines, secret handling, validation gates, and safe rollout patterns.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/implementation-options",
+      "https://learn.microsoft.com/en-us/azure/architecture/landing-zones/bicep/landing-zone-bicep",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/terraform-landing-zone",
+      "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
+      "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots?view=azure-devops-2020",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-deploy",
+      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-mcp-server",
+      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/"
+    ],
+    "security_notes": "Keep bootstrap and steady-state delivery separate, do not mix platform and application pipelines without control boundaries, never store secrets in repo or pipeline definitions, and require preview, validation, approval, and rollback paths before production-impacting Azure changes.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-platform-automation-devops",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-private-endpoint-adoption-planner",
+    "name": "Azure Private Endpoint Adoption Planner",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Plan Azure Private Link and private endpoint adoption with explicit hub-versus-spoke placement, private DNS zone linkage, route implications, and centralized-versus-local trade-offs.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
+      "https://learn.microsoft.com/en-us/azure/architecture/guide/networking/private-link-hub-spoke-network",
+      "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration",
+      "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns",
+      "https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+    ],
+    "security_notes": "Do not recommend private endpoint placement without naming consumer networks, DNS-zone ownership, VNet links, route implications, and rollback checks. Challenge both over-centralized hub designs and uncontrolled per-spoke duplication.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-private-endpoint-adoption-planner",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-rbac-review",
+    "name": "Azure RBAC Review",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review Azure role assignments, custom roles, and scope choices for least privilege and operational safety.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
+      "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices"
+    ],
+    "security_notes": "Do not recommend Owner or User Access Administrator unless justified. Prefer narrow scopes and built-in roles before custom broad grants.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-rbac-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-resilience-bcdr-review",
+    "name": "Azure Resilience BCDR Review",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review Azure resilience and disaster-recovery posture for RTO/RPO realism, failover and failback assumptions, shared-responsibility gaps, and recovery runbook or drill quality.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/well-architected/reliability/principles",
+      "https://learn.microsoft.com/en-us/azure/well-architected/reliability/disaster-recovery",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/overview",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview",
+      "https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview",
+      "https://learn.microsoft.com/en-us/azure/service-health/overview",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+    ],
+    "security_notes": "Do not accept zero-downtime or zero-data-loss claims without explicit architecture and test evidence. Separate Azure platform resilience from workload recovery obligations, and treat untested runbooks, undocumented failback, and single-region dependencies as material risks.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-resilience-bcdr-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-resource-health-incident-triage",
+    "name": "Azure Resource Health Incident Triage",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Triage Azure Resource Health, Service Health, activity-log alerts, and first-pass cloud-health incidents with explicit separation between provider incidents, tenant-side changes, and unresolved evidence.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview",
+      "https://learn.microsoft.com/en-us/azure/service-health/",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log",
+      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-activity-log-alert-rule",
+      "https://learn.microsoft.com/en-us/azure/service-health/service-health-alert-overview",
+      "https://learn.microsoft.com/en-us/azure/service-health/alerts-activity-log-service-notifications-portal",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-resource-health",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-monitor"
+    ],
+    "security_notes": "Do not over-attribute platform health signals as root cause, ignore recent tenant-side changes, invent unsupported MCP tools, or recommend broad remediation before blast radius and evidence are clear.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-resource-health-incident-triage",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-role-selector",
+    "name": "Azure Role Selector",
+    "type": "skill",
+    "provider": "azure",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Select the narrowest Azure built-in role, custom-role fallback, and assignment scope for a requested access pattern while separating control-plane and data-plane permissions.",
+    "source_type": "adapted",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
+      "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles",
+      "https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+    ],
+    "security_notes": "Prefer built-in roles before custom roles, minimize assignment scope, and keep control-plane and data-plane permissions separate. Do not default to Owner or Contributor for routine access requests.",
+    "last_verified": "2026-04-27",
+    "path": "skills/azure/azure-role-selector",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "azure-security-posture-hardening",
+    "name": "Azure Security Posture Hardening",
     "type": "skill",
     "provider": "azure",
     "harnesses": [
@@ -433,26 +1862,30 @@
       "kiro",
       "other"
     ],
-    "summary": "Design or review Azure landing-zone architecture across management groups, subscriptions, governance, security, networking, and operations dependencies.",
+    "summary": "Review Azure security posture with least privilege, managed identities, Key Vault hardening, private access decisions, policy guardrails, and audit-ready logging expectations.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access",
-      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
-      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
-      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/implementation-options",
-      "https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke",
-      "https://learn.microsoft.com/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
+      "https://learn.microsoft.com/en-us/azure/security/fundamentals/best-practices-and-patterns",
+      "https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations",
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices",
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide",
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/how-to-azure-key-vault-network-security",
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging",
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/monitor-key-vault",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/services/azure-mcp-server-for-key-vault"
     ],
-    "security_notes": "Do not prescribe a one-size-fits-all hierarchy, broad admin grants, or a production-ready verdict without governance, management, and recovery dependencies being addressed.",
+    "security_notes": "Do not recommend broad admin roles, stored secrets, or public exposure by default. Prefer managed identities, scoped RBAC, policy-enforced controls, private access where justified, and verified logging coverage.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-landing-zone-architect",
+    "path": "skills/azure/azure-security-posture-hardening",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-migrate-landing-zone-cutover",
-    "name": "Azure Migrate Landing Zone Cutover",
+    "id": "azure-subscription-resource-organization",
+    "name": "Azure Subscription Resource Organization",
     "type": "skill",
     "provider": "azure",
     "harnesses": [
@@ -463,27 +1896,29 @@
       "kiro",
       "other"
     ],
-    "summary": "Stress-test Azure migration cutovers across assessment quality, landing-zone readiness, dependency sequencing, permissions, rollback, and post-cutover operating ownership.",
+    "summary": "Design and review Azure management-group, subscription, and resource-group boundaries with explicit governance, ownership, and landing-zone operating-model consequences.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/migrate/concepts-overview?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/migrate/assessment-prerequisites?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/migrate/review-application-assessment?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/migrate/platform-landing-zone?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/ready-azure-landing-zone",
-      "https://learn.microsoft.com/en-us/azure/migrate/whats-new?view=migrate"
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/subscription",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/resource-group"
     ],
-    "security_notes": "Do not equate Azure readiness with cutover readiness. Treat stale assessments, weak dependency mapping, broad migration permissions, missing rollback checkpoints, and incomplete landing-zone connectivity or monitoring as high-risk blockers.",
+    "security_notes": "Do not recommend flat hierarchies, fake isolation via resource groups, or subscription moves without proving governance, ownership, policy inheritance, and operational blast-radius implications.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-migrate-landing-zone-cutover",
+    "path": "skills/azure/azure-subscription-resource-organization",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-network-topology-review",
-    "name": "Azure Network Topology Review",
+    "id": "oci-autonomous-database-architect",
+    "name": "OCI Autonomous Database Architect",
     "type": "skill",
-    "provider": "azure",
+    "provider": "oci",
     "harnesses": [
       "codex",
       "claude-code",
@@ -492,25 +1927,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure hub-spoke and related network topologies for routing, DNS, shared-services boundaries, security implications, and platform-versus-workload control ownership.",
+    "summary": "Design, review, migrate, and operate Oracle Autonomous Database across OCI and multicloud destinations with official-source grounding.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke",
-      "https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-hub-spoke-network",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Concepts/adboverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/database-at-azure/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/database-at-gcp/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/database-at-aws/overview.htm"
     ],
-    "security_notes": "Do not recommend flat or over-centralized network patterns by default. Always address routing, DNS, shared-service blast radius, and platform-versus-workload control boundaries before calling a topology safe.",
+    "security_notes": "Autonomous Database deployments can expose production data and credentials. Verify IAM, network posture, TLS, backup, and secret handling before recommending changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-network-topology-review",
+    "path": "skills/oci/oci-autonomous-database-architect",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-observability-investigator",
-    "name": "Azure Observability Investigator",
+    "id": "oci-cloud-guard-responder",
+    "name": "OCI Cloud Guard Responder",
     "type": "skill",
-    "provider": "azure",
+    "provider": "oci",
     "harnesses": [
       "codex",
       "claude-code",
@@ -519,36 +1954,173 @@
       "kiro",
       "other"
     ],
-    "summary": "Investigate Azure Monitor, Log Analytics, Application Insights, alerting, KQL triage, telemetry gaps, and observability workflows with explicit evidence-versus-inference handling.",
-    "source_type": "original",
+    "summary": "Triage and govern OCI Cloud Guard problems, targets, responder recipes, detector findings, and security remediation safely. Use for Cloud Guard reviews, problem prioritization, remediation planning, and compliance evidence when official...",
+    "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/best-practices-analysis",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-processing-rules",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/get-started-queries",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview",
-      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/application-insights",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/visualize-grafana-overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/monitor",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-monitor"
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
+    ],
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
+    "last_verified": "2026-04-27",
+    "path": "skills/oci/oci-cloud-guard-responder",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "oci-compute-instance-agent-operator",
+    "name": "OCI Compute Instance Agent Operator",
+    "type": "skill",
+    "provider": "oci",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Operate OCI Compute Instance Agent commands and executions safely for diagnostics, automation, and remediation. Use when issuing, tracking, or reviewing instance-agent commands across compute fleets.",
+    "source_type": "adapted",
+    "official_docs": [
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
+    ],
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
+    "last_verified": "2026-04-27",
+    "path": "skills/oci/oci-compute-instance-agent-operator",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "oci-compute-platform-operator",
+    "name": "OCI Compute Platform Operator",
+    "type": "skill",
+    "provider": "oci",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Operate OCI Compute instances and platform capacity safely with compartment/region confirmation, instance lifecycle guardrails, least-privilege IAM checks, MCP/CLI discovery, and rollback-aware change plans.",
+    "source_type": "adapted",
+    "official_docs": [
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
+    ],
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
+    "last_verified": "2026-04-27",
+    "path": "skills/oci/oci-compute-platform-operator",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "oci-cost-finops-analyst",
+    "name": "OCI Cost Finops Analyst",
+    "type": "skill",
+    "provider": "oci",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Analyze Oracle Cloud Infrastructure cost, usage, budgets, tagging, rightsizing, commitment coverage, and FinOps governance. Use when asked to explain OCI spend, investigate cost spikes, build savings plans, review underused resources, de...",
+    "source_type": "adapted",
+    "official_docs": [
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
+    ],
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
+    "last_verified": "2026-04-27",
+    "path": "skills/oci/oci-cost-finops-analyst",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "oci-database-platform-dba",
+    "name": "OCI Database Platform DBA",
+    "type": "skill",
+    "provider": "oci",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Operate as a ruthless OCI database platform DBA for DB systems, Autonomous Database, Exadata, backups, patching, performance triage, capacity, and IAM-scoped database operations. Use when work touches OCI Database service posture, discov...",
+    "source_type": "adapted",
+    "official_docs": [
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
+    ],
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
+    "last_verified": "2026-04-27",
+    "path": "skills/oci/oci-database-platform-dba",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "oci-dbtools-sql-analyst",
+    "name": "OCI Dbtools SQL Analyst",
+    "type": "skill",
+    "provider": "oci",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Use OCI Database Tools and database documentation safely for SQL inspection, report definitions, table metadata, and controlled query execution. Use for DBTools connections, read-only SQL analysis, and schema/report exploration.",
+    "source_type": "adapted",
+    "official_docs": [
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
+    ],
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
+    "last_verified": "2026-04-27",
+    "path": "skills/oci/oci-dbtools-sql-analyst",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "oci-devops-container-platform-engineer",
+    "name": "OCI Devops Container Platform Engineer",
+    "type": "skill",
+    "provider": "oci",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Engineer and review Oracle Cloud Infrastructure DevOps, OKE, OCIR, build/deploy pipelines, Kubernetes platform, and container runtime workflows. Use when asked to inspect OCI Container Engine clusters, DevOps projects, OCIR repositories,...",
+    "source_type": "adapted",
+    "official_docs": [
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
     ],
-    "security_notes": "Do not over-attribute symptoms as root cause, ignore missing telemetry, or recommend broad alerting changes without signal-quality review, routing checks, and bounded verification steps.",
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-observability-investigator",
+    "path": "skills/oci/oci-devops-container-platform-engineer",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-platform-automation-devops",
-    "name": "Azure Platform Automation DevOps",
+    "id": "oci-exadata-database-architect",
+    "name": "OCI Exadata Database Architect",
     "type": "skill",
-    "provider": "azure",
+    "provider": "oci",
     "harnesses": [
       "codex",
       "claude-code",
@@ -557,31 +2129,26 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and review Azure platform automation delivery across landing-zone IaC choices, bootstrap-versus-run separation, infra-versus-app pipelines, secret handling, validation gates, and safe rollout patterns.",
+    "summary": "Design, review, migrate, and operate Oracle Exadata Database Service across OCI, Cloud@Customer, and multicloud destinations with official-source grounding.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/implementation-options",
-      "https://learn.microsoft.com/en-us/azure/architecture/landing-zones/bicep/landing-zone-bicep",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/terraform-landing-zone",
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots?view=azure-devops-2020",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-deploy",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-mcp-server",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/"
+      "https://docs.oracle.com/en-us/iaas/exadatacloud/index.html",
+      "https://docs.oracle.com/en/engineered-systems/exadata-cloud-at-customer/ecccm/index.html",
+      "https://docs.oracle.com/en-us/iaas/Content/database-at-azure/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/database-at-gcp/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/database-at-aws/overview.htm"
     ],
-    "security_notes": "Keep bootstrap and steady-state delivery separate, do not mix platform and application pipelines without control boundaries, never store secrets in repo or pipeline definitions, and require preview, validation, approval, and rollback paths before production-impacting Azure changes.",
+    "security_notes": "Exadata deployments can expose high-value production databases. Validate IAM/RBAC, network isolation, backup, TDE, maintenance, and operational ownership before changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-platform-automation-devops",
+    "path": "skills/oci/oci-exadata-database-architect",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-private-endpoint-adoption-planner",
-    "name": "Azure Private Endpoint Adoption Planner",
+    "id": "oci-exadata-platform-architect",
+    "name": "OCI Exadata Platform Architect",
     "type": "skill",
-    "provider": "azure",
+    "provider": "oci",
     "harnesses": [
       "codex",
       "claude-code",
@@ -590,28 +2157,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Plan Azure Private Link and private endpoint adoption with explicit hub-versus-spoke placement, private DNS zone linkage, route implications, and centralized-versus-local trade-offs.",
-    "source_type": "original",
+    "summary": "OCI Design and operate Exadata Database Service across OCI Dedicated Infrastructure, Exadata Cloud@Customer, Oracle Database@Azure, Oracle Database@Google Cloud, and Oracle Database@AWS. Use for Exadata architecture, VM clusters, cloud E...",
+    "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/architecture/guide/networking/private-link-hub-spoke-network",
-      "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration",
-      "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns",
-      "https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
     ],
-    "security_notes": "Do not recommend private endpoint placement without naming consumer networks, DNS-zone ownership, VNet links, route implications, and rollback checks. Challenge both over-centralized hub designs and uncontrolled per-spoke duplication.",
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-private-endpoint-adoption-planner",
+    "path": "skills/oci/oci-exadata-platform-architect",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-rbac-review",
-    "name": "Azure RBAC Review",
+    "id": "oci-fusion-apps-environment-operator",
+    "name": "OCI Fusion Apps Environment Operator",
     "type": "skill",
-    "provider": "azure",
+    "provider": "oci",
     "harnesses": [
       "codex",
       "claude-code",
@@ -620,23 +2182,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure role assignments, custom roles, and scope choices for least privilege and operational safety.",
-    "source_type": "original",
+    "summary": "OCI Review Fusion Apps as a Service environment families, environments, lifecycle status, availability, and operational readiness. Use for Fusion environment inventory, status checks, change planning, and support evidence.",
+    "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices"
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
     ],
-    "security_notes": "Do not recommend Owner or User Access Administrator unless justified. Prefer narrow scopes and built-in roles before custom broad grants.",
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-rbac-review",
+    "path": "skills/oci/oci-fusion-apps-environment-operator",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-resilience-bcdr-review",
-    "name": "Azure Resilience BCDR Review",
+    "id": "oci-goldengate-replication-operator",
+    "name": "OCI Goldengate Replication Operator",
     "type": "skill",
-    "provider": "azure",
+    "provider": "oci",
     "harnesses": [
       "codex",
       "claude-code",
@@ -645,29 +2207,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure resilience and disaster-recovery posture for RTO/RPO realism, failover and failback assumptions, shared-responsibility gaps, and recovery runbook or drill quality.",
-    "source_type": "original",
+    "summary": "OCI Operate and review Oracle GoldenGate domains, connections, extracts, replicats, checkpoint tables, trails, distribution paths, and replication health. Use for replication setup, lag triage, data movement, and cutover safety.",
+    "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/well-architected/reliability/principles",
-      "https://learn.microsoft.com/en-us/azure/well-architected/reliability/disaster-recovery",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
     ],
-    "security_notes": "Do not accept zero-downtime or zero-data-loss claims without explicit architecture and test evidence. Separate Azure platform resilience from workload recovery obligations, and treat untested runbooks, undocumented failback, and single-region dependencies as material risks.",
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-resilience-bcdr-review",
+    "path": "skills/oci/oci-goldengate-replication-operator",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-resource-health-incident-triage",
-    "name": "Azure Resource Health Incident Triage",
+    "id": "oci-identity-access-governor",
+    "name": "OCI Identity Access Governor",
     "type": "skill",
-    "provider": "azure",
+    "provider": "oci",
     "harnesses": [
       "codex",
       "claude-code",
@@ -676,30 +2232,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Triage Azure Resource Health, Service Health, activity-log alerts, and first-pass cloud-health incidents with explicit separation between provider incidents, tenant-side changes, and unresolved evidence.",
-    "source_type": "original",
+    "summary": "Govern OCI Identity and Access Management with least-privilege policy review, compartment scoping, group/dynamic-group analysis, and safe access-change workflows. Use for OCI IAM policy design, access audits, privilege reduction, identit...",
+    "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-activity-log-alert-rule",
-      "https://learn.microsoft.com/en-us/azure/service-health/service-health-alert-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/alerts-activity-log-service-notifications-portal",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-resource-health",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-monitor"
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
     ],
-    "security_notes": "Do not over-attribute platform health signals as root cause, ignore recent tenant-side changes, invent unsupported MCP tools, or recommend broad remediation before blast radius and evidence are clear.",
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-resource-health-incident-triage",
+    "path": "skills/oci/oci-identity-access-governor",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-role-selector",
-    "name": "Azure Role Selector",
+    "id": "oci-iot-digital-twin-engineer",
+    "name": "OCI IoT Digital Twin Engineer",
     "type": "skill",
-    "provider": "azure",
+    "provider": "oci",
     "harnesses": [
       "codex",
       "claude-code",
@@ -708,26 +2257,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Select the narrowest Azure built-in role, custom-role fallback, and assignment scope for a requested access pattern while separating control-plane and data-plane permissions.",
+    "summary": "Design and operate OCI IoT digital twin adapters, models, instances, relationships, and domain context. Use for digital twin topology, lifecycle, integration, and safe model/relationship changes.",
     "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
     ],
-    "security_notes": "Prefer built-in roles before custom roles, minimize assignment scope, and keep control-plane and data-plane permissions separate. Do not default to Owner or Contributor for routine access requests.",
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-role-selector",
+    "path": "skills/oci/oci-iot-digital-twin-engineer",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-security-posture-hardening",
-    "name": "Azure Security Posture Hardening",
+    "id": "oci-limits-capacity-planner",
+    "name": "OCI Limits Capacity Planner",
     "type": "skill",
-    "provider": "azure",
+    "provider": "oci",
     "harnesses": [
       "codex",
       "claude-code",
@@ -736,32 +2282,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure security posture with least privilege, managed identities, Key Vault hardening, private access decisions, policy guardrails, and audit-ready logging expectations.",
-    "source_type": "original",
+    "summary": "Review OCI service limits, quotas, capacity availability, regional subscriptions, and growth risk. Use before deployments, migrations, DR expansion, shape changes, OKE scaling, database scaling, or quota increase requests.",
+    "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/security/fundamentals/best-practices-and-patterns",
-      "https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/how-to-azure-key-vault-network-security",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/monitor-key-vault",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/services/azure-mcp-server-for-key-vault"
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
     ],
-    "security_notes": "Do not recommend broad admin roles, stored secrets, or public exposure by default. Prefer managed identities, scoped RBAC, policy-enforced controls, private access where justified, and verified logging coverage.",
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-security-posture-hardening",
+    "path": "skills/oci/oci-limits-capacity-planner",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "azure-subscription-resource-organization",
-    "name": "Azure Subscription Resource Organization",
+    "id": "oci-load-balancer-traffic-engineer",
+    "name": "OCI Load Balancer Traffic Engineer",
     "type": "skill",
-    "provider": "azure",
+    "provider": "oci",
     "harnesses": [
       "codex",
       "claude-code",
@@ -770,27 +2307,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and review Azure management-group, subscription, and resource-group boundaries with explicit governance, ownership, and landing-zone operating-model consequences.",
-    "source_type": "original",
+    "summary": "Design, review, and troubleshoot OCI Load Balancer and Network Load Balancer traffic paths, listeners, backend sets, certificates, health checks, logging, and failover. Use for L7/L4 traffic engineering and availability reviews.",
+    "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/subscription",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/resource-group"
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
     ],
-    "security_notes": "Do not recommend flat hierarchies, fake isolation via resource groups, or subscription moves without proving governance, ownership, policy inheritance, and operational blast-radius implications.",
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/azure/azure-subscription-resource-organization",
+    "path": "skills/oci/oci-load-balancer-traffic-engineer",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-autonomous-database-architect",
-    "name": "OCI Autonomous Database Architect",
+    "id": "oci-migration-cutover-architect",
+    "name": "OCI Migration Cutover Architect",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -801,23 +2332,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, migrate, and operate Oracle Autonomous Database across OCI and multicloud destinations with official-source grounding.",
-    "source_type": "original",
+    "summary": "Plan OCI migrations and cutovers with Cloud Migrations, dependency discovery, waves, rollback, DNS, data sync, validation, and support readiness. Use for migration assessment, move groups, cutover runbooks, and go/no-go reviews.",
+    "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/Database/Concepts/adboverview.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/database-at-azure/overview.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/database-at-gcp/overview.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/database-at-aws/overview.htm"
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
     ],
-    "security_notes": "Autonomous Database deployments can expose production data and credentials. Verify IAM, network posture, TLS, backup, and secret handling before recommending changes.",
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-autonomous-database-architect",
+    "path": "skills/oci/oci-migration-cutover-architect",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-cloud-guard-responder",
-    "name": "OCI Cloud Guard Responder",
+    "id": "oci-multi-cloud-architect",
+    "name": "OCI Multi Cloud Architect",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -828,7 +2357,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Triage and govern OCI Cloud Guard problems, targets, responder recipes, detector findings, and security remediation safely. Use for Cloud Guard reviews, problem prioritization, remediation planning, and compliance evidence when official...",
+    "summary": "Design and review OCI multi-cloud architectures connecting Oracle Cloud Infrastructure with AWS, Azure, Google Cloud, on-premises, or SaaS through VPN, FastConnect, Direct Connect, ExpressRoute, Cloud Interconnect, identity federation, D...",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
@@ -836,13 +2365,13 @@
     ],
     "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-cloud-guard-responder",
+    "path": "skills/oci/oci-multi-cloud-architect",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-compute-instance-agent-operator",
-    "name": "OCI Compute Instance Agent Operator",
+    "id": "oci-mysql-heatwave-ai-specialist",
+    "name": "OCI Mysql Heatwave AI Specialist",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -853,7 +2382,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate OCI Compute Instance Agent commands and executions safely for diagnostics, automation, and remediation. Use when issuing, tracking, or reviewing instance-agent commands across compute fleets.",
+    "summary": "OCI Operate and review MySQL HeatWave, MySQL AI, vector/RAG workflows, connection configs, object storage ingestion, and SQL safety. Use for MySQL AI questions, HeatWave ML, vector store loading, and MySQL operational reviews.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
@@ -861,13 +2390,13 @@
     ],
     "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-compute-instance-agent-operator",
+    "path": "skills/oci/oci-mysql-heatwave-ai-specialist",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-compute-platform-operator",
-    "name": "OCI Compute Platform Operator",
+    "id": "oci-network-architect",
+    "name": "OCI Network Architect",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -878,7 +2407,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate OCI Compute instances and platform capacity safely with compartment/region confirmation, instance lifecycle guardrails, least-privilege IAM checks, MCP/CLI discovery, and rollback-aware change plans.",
+    "summary": "Design, review, and troubleshoot OCI networking with safe compartment/region scoping, least-privilege network access, VCN/subnet/routing/security-list/NSG analysis, and evidence-based MCP or CLI discovery.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
@@ -886,13 +2415,13 @@
     ],
     "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-compute-platform-operator",
+    "path": "skills/oci/oci-network-architect",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-cost-finops-analyst",
-    "name": "OCI Cost Finops Analyst",
+    "id": "oci-observability-incident-responder",
+    "name": "OCI Observability Incident Responder",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -903,7 +2432,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Analyze Oracle Cloud Infrastructure cost, usage, budgets, tagging, rightsizing, commitment coverage, and FinOps governance. Use when asked to explain OCI spend, investigate cost spikes, build savings plans, review underused resources, de...",
+    "summary": "Operate as a ruthless OCI observability and incident responder for Monitoring alarms, Logging, Events, Notifications, service health, metrics, runbooks, and IAM-scoped incident response. Use when work touches OCI alarms, telemetry, alert...",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
@@ -911,13 +2440,13 @@
     ],
     "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-cost-finops-analyst",
+    "path": "skills/oci/oci-observability-incident-responder",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-database-platform-dba",
-    "name": "OCI Database Platform DBA",
+    "id": "oci-recovery-service-operator",
+    "name": "OCI Recovery Service Operator",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -928,7 +2457,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate as a ruthless OCI database platform DBA for DB systems, Autonomous Database, Exadata, backups, patching, performance triage, capacity, and IAM-scoped database operations. Use when work touches OCI Database service posture, discov...",
+    "summary": "Operate OCI Recovery Service protected databases, protection policies, recovery service subnets, backup health, redo status, and recovery metrics. Use for database recovery posture, protected database health, and restore readiness.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
@@ -936,13 +2465,13 @@
     ],
     "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-database-platform-dba",
+    "path": "skills/oci/oci-recovery-service-operator",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-dbtools-sql-analyst",
-    "name": "OCI Dbtools SQL Analyst",
+    "id": "oci-registry-artifact-governor",
+    "name": "OCI Registry Artifact Governor",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -953,7 +2482,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Use OCI Database Tools and database documentation safely for SQL inspection, report definitions, table metadata, and controlled query execution. Use for DBTools connections, read-only SQL analysis, and schema/report exploration.",
+    "summary": "Govern OCI Registry repositories, container images, artifact access, retention, promotion, and deployment safety. Use for OCIR repository reviews, image lifecycle, DevOps/OKE integration, and least-privilege push/pull access.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
@@ -961,13 +2490,13 @@
     ],
     "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-dbtools-sql-analyst",
+    "path": "skills/oci/oci-registry-artifact-governor",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-devops-container-platform-engineer",
-    "name": "OCI Devops Container Platform Engineer",
+    "id": "oci-resource-search-inventory-analyst",
+    "name": "OCI Resource Search Inventory Analyst",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -978,7 +2507,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Engineer and review Oracle Cloud Infrastructure DevOps, OKE, OCIR, build/deploy pipelines, Kubernetes platform, and container runtime workflows. Use when asked to inspect OCI Container Engine clusters, DevOps projects, OCIR repositories,...",
+    "summary": "Build OCI resource inventories and dependency maps using Resource Search, compartments, tags, and cross-service discovery. Use for tenancy inventory, ownership gaps, orphan detection, migration scoping, and architecture evidence collection.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
@@ -986,13 +2515,13 @@
     ],
     "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-devops-container-platform-engineer",
+    "path": "skills/oci/oci-resource-search-inventory-analyst",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-exadata-database-architect",
-    "name": "OCI Exadata Database Architect",
+    "id": "oci-security-compliance-reviewer",
+    "name": "OCI Security Compliance Reviewer",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1003,24 +2532,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, migrate, and operate Oracle Exadata Database Service across OCI, Cloud@Customer, and multicloud destinations with official-source grounding.",
-    "source_type": "original",
+    "summary": "Review Oracle Cloud Infrastructure security, IAM, network, logging, encryption, and compliance posture. Use when asked to audit OCI policies, compartments, tenancy security, Cloud Guard findings, buckets, vaults, security lists, NSGs, or...",
+    "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/exadatacloud/index.html",
-      "https://docs.oracle.com/en/engineered-systems/exadata-cloud-at-customer/ecccm/index.html",
-      "https://docs.oracle.com/en-us/iaas/Content/database-at-azure/overview.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/database-at-gcp/overview.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/database-at-aws/overview.htm"
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
+      "https://www.oracle.com/cloud/"
     ],
-    "security_notes": "Exadata deployments can expose high-value production databases. Validate IAM/RBAC, network isolation, backup, TDE, maintenance, and operational ownership before changes.",
+    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-exadata-database-architect",
+    "path": "skills/oci/oci-security-compliance-reviewer",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-exadata-platform-architect",
-    "name": "OCI Exadata Platform Architect",
+    "id": "oci-solution-architect",
+    "name": "OCI Solution Architect",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1031,7 +2557,7 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Design and operate Exadata Database Service across OCI Dedicated Infrastructure, Exadata Cloud@Customer, Oracle Database@Azure, Oracle Database@Google Cloud, and Oracle Database@AWS. Use for Exadata architecture, VM clusters, cloud E...",
+    "summary": "Design, review, and stress-test Oracle Cloud Infrastructure solution architectures across identity, compartments, networking, compute, database, storage, observability, security, reliability, cost, and operations. Use when asked for OCI...",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
@@ -1039,13 +2565,13 @@
     ],
     "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-exadata-platform-architect",
+    "path": "skills/oci/oci-solution-architect",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-fusion-apps-environment-operator",
-    "name": "OCI Fusion Apps Environment Operator",
+    "id": "oci-storage-backup-steward",
+    "name": "OCI Storage Backup Steward",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1056,7 +2582,7 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Review Fusion Apps as a Service environment families, environments, lifecycle status, availability, and operational readiness. Use for Fusion environment inventory, status checks, change planning, and support evidence.",
+    "summary": "Operate as a ruthless OCI storage and backup steward for Object Storage, Block Volume, File Storage, backup policies, retention, replication, lifecycle rules, restore readiness, and IAM-scoped storage operations. Use when work touches OC...",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
@@ -1064,13 +2590,13 @@
     ],
     "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-fusion-apps-environment-operator",
+    "path": "skills/oci/oci-storage-backup-steward",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-goldengate-replication-operator",
-    "name": "OCI Goldengate Replication Operator",
+    "id": "oci-support-incident-coordinator",
+    "name": "OCI Support Incident Coordinator",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1081,7 +2607,7 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Operate and review Oracle GoldenGate domains, connections, extracts, replicats, checkpoint tables, trails, distribution paths, and replication health. Use for replication setup, lag triage, data movement, and cutover safety.",
+    "summary": "Coordinate OCI support incidents with evidence quality, severity discipline, resource scope, timelines, and escalation readiness. Use for support tickets, incident evidence packs, Oracle SR preparation, and post-incident follow-up.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
@@ -1089,13 +2615,13 @@
     ],
     "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-goldengate-replication-operator",
+    "path": "skills/oci/oci-support-incident-coordinator",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-identity-access-governor",
-    "name": "OCI Identity Access Governor",
+    "id": "oracle-oci-mcp-grounded-advisor",
+    "name": "Oracle and OCI MCP Grounded Advisor",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1106,23 +2632,24 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern OCI Identity and Access Management with least-privilege policy review, compartment scoping, group/dynamic-group analysis, and safe access-change workflows. Use for OCI IAM policy design, access audits, privilege reduction, identit...",
-    "source_type": "adapted",
+    "summary": "Ground Oracle, OCI, SQLcl, database, and MCP recommendations in official Oracle sources before advising.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://www.oracle.com/mcp",
+      "https://github.com/oracle/mcp",
+      "https://docs.oracle.com/en-us/iaas/Content/home.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
+    "security_notes": "Oracle database and OCI MCP tools can expose sensitive data or mutate cloud resources. Verify auth model and permissions before recommending use.",
     "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-identity-access-governor",
+    "path": "skills/oci/oracle-oci-mcp-grounded-advisor",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-iot-digital-twin-engineer",
-    "name": "OCI IoT Digital Twin Engineer",
+    "id": "azure-live-arm-deployment-stack-guard",
+    "name": "Azure Live ARM Deployment Stack Guard",
     "type": "skill",
-    "provider": "oci",
+    "provider": "azure",
     "harnesses": [
       "codex",
       "claude-code",
@@ -1131,23 +2658,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and operate OCI IoT digital twin adapters, models, instances, relationships, and domain context. Use for digital twin topology, lifecycle, integration, and safe model/relationship changes.",
-    "source_type": "adapted",
+    "summary": "Guard live ARM, Bicep, and Deployment Stack changes with what-if evidence, denySettings review, changeset diff, rollback posture, and approval gates.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
-    ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-iot-digital-twin-engineer",
+      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if",
+      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks",
+      "https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments",
+      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices"
+    ],
+    "security_notes": "Never execute an ARM or Deployment Stack change without what-if evidence, confirmed target scope, denySettings review, and explicit human approval. Repo write access does not authorize live Azure mutations.",
+    "last_verified": "2026-04-30",
+    "path": "skills/azure/azure-live-arm-deployment-stack-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-limits-capacity-planner",
-    "name": "OCI Limits Capacity Planner",
+    "id": "azure-live-pim-jit-activation-guard",
+    "name": "Azure Live PIM JIT Activation Guard",
     "type": "skill",
-    "provider": "oci",
+    "provider": "azure",
     "harnesses": [
       "codex",
       "claude-code",
@@ -1156,23 +2685,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI service limits, quotas, capacity availability, regional subscriptions, and growth risk. Use before deployments, migrations, DR expansion, shape changes, OKE scaling, database scaling, or quota increase requests.",
-    "source_type": "adapted",
+    "summary": "Gate Entra ID PIM eligible role activations with justification, MFA, ticket binding, time-bound scope, and approval workflow gates before any privileged Azure role becomes active.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
-    ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-limits-capacity-planner",
+      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan",
+      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings",
+      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role",
+      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure-azure-ad-roles"
+    ],
+    "security_notes": "Never activate a PIM role without justification, ticket reference, and MFA confirmation. An agent cannot activate another user's PIM role on their behalf \u2014 only the eligible principal may submit. Requires Entra ID P2 or equivalent license.",
+    "last_verified": "2026-04-30",
+    "path": "skills/azure/azure-live-pim-jit-activation-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-load-balancer-traffic-engineer",
-    "name": "OCI Load Balancer Traffic Engineer",
+    "id": "azure-live-aks-rollout-guard",
+    "name": "Azure Live AKS Rollout Guard",
     "type": "skill",
-    "provider": "oci",
+    "provider": "azure",
     "harnesses": [
       "codex",
       "claude-code",
@@ -1181,23 +2712,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, and troubleshoot OCI Load Balancer and Network Load Balancer traffic paths, listeners, backend sets, certificates, health checks, logging, and failover. Use for L7/L4 traffic engineering and availability reviews.",
-    "source_type": "adapted",
+    "summary": "Guard live AKS deployment rollouts with PDB audit, maxUnavailable/surge validation, rollout pause/undo gates, and post-rollout health verification.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
-    ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-load-balancer-traffic-engineer",
+      "https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security",
+      "https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads",
+      "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment",
+      "https://kubernetes.io/docs/tasks/run-application/configure-pdb/"
+    ],
+    "security_notes": "Never advance an AKS rollout without PDB audit and replica health check. kubectl rollout undo is safe but must be confirmed before execution to avoid double-rollback churn.",
+    "last_verified": "2026-04-30",
+    "path": "skills/azure/azure-live-aks-rollout-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-migration-cutover-architect",
-    "name": "OCI Migration Cutover Architect",
+    "id": "azure-live-app-service-slot-swap-guard",
+    "name": "Azure Live App Service Slot Swap Guard",
     "type": "skill",
-    "provider": "oci",
+    "provider": "azure",
     "harnesses": [
       "codex",
       "claude-code",
@@ -1206,23 +2739,24 @@
       "kiro",
       "other"
     ],
-    "summary": "Plan OCI migrations and cutovers with Cloud Migrations, dependency discovery, waves, rollback, DNS, data sync, validation, and support readiness. Use for migration assessment, move groups, cutover runbooks, and go/no-go reviews.",
-    "source_type": "adapted",
+    "summary": "Guard live App Service slot swaps with sticky-settings audit, warmup probe verification, swap-with-preview staging, and instant rollback posture.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots",
+      "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
+      "https://learn.microsoft.com/en-us/azure/app-service/configure-common"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-migration-cutover-architect",
+    "security_notes": "Never perform a production slot swap without sticky-settings diff audit and warmup health confirmation. A bad swap with no rollback plan can take a production app offline instantly.",
+    "last_verified": "2026-04-30",
+    "path": "skills/azure/azure-live-app-service-slot-swap-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-multi-cloud-architect",
-    "name": "OCI Multi Cloud Architect",
+    "id": "azure-live-keyvault-rotation-purge-guard",
+    "name": "Azure Live Key Vault Rotation Purge Guard",
     "type": "skill",
-    "provider": "oci",
+    "provider": "azure",
     "harnesses": [
       "codex",
       "claude-code",
@@ -1231,23 +2765,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and review OCI multi-cloud architectures connecting Oracle Cloud Infrastructure with AWS, Azure, Google Cloud, on-premises, or SaaS through VPN, FastConnect, Direct Connect, ExpressRoute, Cloud Interconnect, identity federation, D...",
-    "source_type": "adapted",
+    "summary": "Guard Key Vault key rotation, rotation policy changes, soft-delete enforcement, and purge-protection enablement with irreversibility warnings and rollback evidence.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery",
+      "https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details",
+      "https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation",
+      "https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-multi-cloud-architect",
+    "security_notes": "Purge-protection enable is irreversible. Soft-deleted keys can be recovered within the retention window. HSM-backed hard-purged keys cannot be recovered. Never grant purge rights to routine rotation operators.",
+    "last_verified": "2026-04-30",
+    "path": "skills/azure/azure-live-keyvault-rotation-purge-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-mysql-heatwave-ai-specialist",
-    "name": "OCI Mysql Heatwave AI Specialist",
+    "id": "azure-live-cost-budget-action-guard",
+    "name": "Azure Live Cost Budget Action Guard",
     "type": "skill",
-    "provider": "oci",
+    "provider": "azure",
     "harnesses": [
       "codex",
       "claude-code",
@@ -1256,21 +2792,23 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Operate and review MySQL HeatWave, MySQL AI, vector/RAG workflows, connection configs, object storage ingestion, and SQL safety. Use for MySQL AI questions, HeatWave ML, vector store loading, and MySQL operational reviews.",
-    "source_type": "adapted",
+    "summary": "Gate Azure budget action changes and GPU/HPC SKU provisioning against approved spend limits, with quota audits and emergency spend-stop playbooks.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
+      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits",
+      "https://learn.microsoft.com/en-us/azure/quotas/quickstart-increase-quota-portal",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/finops/overview-finops"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-mysql-heatwave-ai-specialist",
+    "security_notes": "GPU/HPC SKUs (NDv5, H100, A100) can generate $50K+ daily costs. Never approve quota increases or budget threshold raises without explicit spend-approval sign-off from a financial authority.",
+    "last_verified": "2026-04-30",
+    "path": "skills/azure/azure-live-cost-budget-action-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-network-architect",
-    "name": "OCI Network Architect",
+    "id": "oci-live-resource-manager-stack-guard",
+    "name": "OCI Live Resource Manager Stack Guard",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1281,21 +2819,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, and troubleshoot OCI networking with safe compartment/region scoping, least-privilege network access, VCN/subnet/routing/security-list/NSG analysis, and evidence-based MCP or CLI discovery.",
-    "source_type": "adapted",
+    "summary": "Guard OCI Resource Manager stack plan, apply, and destroy jobs with drift detection, state-version rollback, stack auto-lock awareness, and approval gates.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
-    ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-network-architect",
+      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/detect-drift.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/create-job-lock-file.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/home.htm"
+    ],
+    "security_notes": "OCI Resource Manager auto-locks a stack state during job execution. Never approve an apply or destroy job without a plan-job output review and drift detection evidence. Repo write access does not authorize live OCI infrastructure mutations.",
+    "last_verified": "2026-04-30",
+    "path": "skills/oci/oci-live-resource-manager-stack-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-observability-incident-responder",
-    "name": "OCI Observability Incident Responder",
+    "id": "oci-live-iam-policy-compartment-guard",
+    "name": "OCI Live IAM Policy Compartment Guard",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1306,21 +2846,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate as a ruthless OCI observability and incident responder for Monitoring alarms, Logging, Events, Notifications, service health, metrics, runbooks, and IAM-scoped incident response. Use when work touches OCI alarms, telemetry, alert...",
-    "source_type": "adapted",
+    "summary": "Guard OCI IAM policy writes and dynamic group changes with verb-hierarchy audit, compartment scope enforcement, anti-pattern detection (any-user/any-group), and rollback via statement restore.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
-    ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-observability-incident-responder",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policysyntax.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/iampolicyreference.htm"
+    ],
+    "security_notes": "Any-user and any-group policies in tenancy root are the most common OCI security misconfiguration. Never approve manage-verb policies at tenancy scope without compartment scoping. Policy deletes take effect immediately with no grace period.",
+    "last_verified": "2026-04-30",
+    "path": "skills/oci/oci-live-iam-policy-compartment-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-recovery-service-operator",
-    "name": "OCI Recovery Service Operator",
+    "id": "oci-live-oke-rollout-guard",
+    "name": "OCI Live OKE Rollout Guard",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1331,21 +2873,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate OCI Recovery Service protected databases, protection policies, recovery service subnets, backup health, redo status, and recovery metrics. Use for database recovery posture, protected database health, and restore readiness.",
-    "source_type": "adapted",
+    "summary": "Guard OKE deployment rollouts via DevOps Service approval stages with canary and blue-green evidence, rollout health verification, and kubectl rollout undo gates.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
-    ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-recovery-service-operator",
+      "https://docs.oracle.com/en-us/iaas/Content/devops/using/deploy_oke.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/devops/using/bgoke_deploy.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/devops/using/canaryoke_deploy.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengoverview.htm"
+    ],
+    "security_notes": "Never advance an OKE rollout past an approval stage without rollout status and PDB health evidence. kubectl rollout undo is irreversible in the sense that the prior version may not be identical to the deployed artifact \u2014 confirm target revision before undo.",
+    "last_verified": "2026-04-30",
+    "path": "skills/oci/oci-live-oke-rollout-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-registry-artifact-governor",
-    "name": "OCI Registry Artifact Governor",
+    "id": "oci-live-autonomous-db-lifecycle-guard",
+    "name": "OCI Live Autonomous DB Lifecycle Guard",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1356,21 +2900,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern OCI Registry repositories, container images, artifact access, retention, promotion, and deployment safety. Use for OCIR repository reviews, image lifecycle, DevOps/OKE integration, and least-privilege push/pull access.",
-    "source_type": "adapted",
+    "summary": "Guard Autonomous Database lifecycle changes \u2014 scale, start, stop, clone, terminate \u2014 with protection-tag enforcement, backup verification, and connection-string impact analysis before any mutation.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
-    ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-registry-artifact-governor",
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbscaling.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbstopstart.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbcloning.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbbackingup.htm"
+    ],
+    "security_notes": "ADB termination is permanent \u2014 the database and all backups are deleted. Always verify protection tags before any terminate operation. ADB storage scale-up cannot be reversed. Termination blocked by defined-tag protection requires explicit tag removal approval.",
+    "last_verified": "2026-04-30",
+    "path": "skills/oci/oci-live-autonomous-db-lifecycle-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-resource-search-inventory-analyst",
-    "name": "OCI Resource Search Inventory Analyst",
+    "id": "oci-live-vault-key-destruction-guard",
+    "name": "OCI Live Vault Key Destruction Guard",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1381,21 +2927,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Build OCI resource inventories and dependency maps using Resource Search, compartments, tags, and cross-service discovery. Use for tenancy inventory, ownership gaps, orphan detection, migration scoping, and architecture evidence collection.",
-    "source_type": "adapted",
+    "summary": "Guard Vault master encryption key scheduled-deletion and HSM rotation with data-association audits, key-usage reference checks, deletion-window enforcement, and cancellation playbooks.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
-    ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-resource-search-inventory-analyst",
+      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/deletingkeys.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/rotatingkeys.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys.htm"
+    ],
+    "security_notes": "After the scheduled deletion window expires, HSM-backed keys are cryptographically wiped. All data encrypted exclusively by that key version is permanently unrecoverable. Recovery SLA from OCI Support: NONE. Always use a 30-day window and audit data associations before scheduling.",
+    "last_verified": "2026-04-30",
+    "path": "skills/oci/oci-live-vault-key-destruction-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-security-compliance-reviewer",
-    "name": "OCI Security Compliance Reviewer",
+    "id": "oci-live-cost-budget-runaway-guard",
+    "name": "OCI Live Cost Budget Runaway Guard",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1406,23 +2954,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Oracle Cloud Infrastructure security, IAM, network, logging, encryption, and compliance posture. Use when asked to audit OCI policies, compartments, tenancy security, Cloud Guard findings, buckets, vaults, security lists, NSGs, or...",
-    "source_type": "adapted",
+    "summary": "Gate OCI budget mutations and GPU/HPC shape provisioning against compartment spend limits, with inventory searches, quota audits, and emergency spend-stop playbooks.",
+    "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
-    ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-security-compliance-reviewer",
+      "https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/managinginstances.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm"
+    ],
+    "security_notes": "GPU/HPC shapes (BM.GPU4.8, A100, BM.HPC2.36) can generate six-figure monthly costs when left running. Never approve quota increases or budget threshold raises without explicit financial-authority approval. Emergency stop requires Compute operator rights \u2014 escalate if not held.",
+    "last_verified": "2026-04-30",
+    "path": "skills/oci/oci-live-cost-budget-runaway-guard",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-solution-architect",
-    "name": "OCI Solution Architect",
+    "id": "aws-maestro",
+    "name": "AWS Maestro",
     "type": "skill",
-    "provider": "oci",
+    "provider": "aws",
     "harnesses": [
       "codex",
       "claude-code",
@@ -1431,23 +2981,26 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, and stress-test Oracle Cloud Infrastructure solution architectures across identity, compartments, networking, compute, database, storage, observability, security, reliability, cost, and operations. Use when asked for OCI...",
+    "summary": "Route AWS tasks to the narrowest specialist or team of specialists from the 42-agent catalog. Classifies by domain, dispatches single or parallel (max 4), and enforces live-guard gate for production-change agents.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
-    ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-solution-architect",
+      "https://docs.aws.amazon.com/",
+      "https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/agents.html",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/agentcore.html",
+      "https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html"
+    ],
+    "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live-guard agents without explicit human confirmation, blast-radius assessment, and rollback path.",
+    "last_verified": "2026-04-30",
+    "path": "skills/aws/aws-maestro",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-storage-backup-steward",
-    "name": "OCI Storage Backup Steward",
+    "id": "azure-maestro",
+    "name": "Azure Maestro",
     "type": "skill",
-    "provider": "oci",
+    "provider": "azure",
     "harnesses": [
       "codex",
       "claude-code",
@@ -1456,21 +3009,24 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate as a ruthless OCI storage and backup steward for Object Storage, Block Volume, File Storage, backup policies, retention, replication, lifecycle rules, restore readiness, and IAM-scoped storage operations. Use when work touches OC...",
+    "summary": "Route Azure tasks to the narrowest specialist or team of specialists from the 30-agent catalog. Classifies by domain, dispatches single or parallel (max 4), and enforces live-guard gate for production-change agents.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://learn.microsoft.com/en-us/azure/",
+      "https://learn.microsoft.com/en-us/azure/architecture/",
+      "https://learn.microsoft.com/en-us/azure/well-architected/",
+      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-storage-backup-steward",
+    "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live-guard agents without explicit human confirmation, blast-radius assessment, and rollback path.",
+    "last_verified": "2026-04-30",
+    "path": "skills/azure/azure-maestro",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oci-support-incident-coordinator",
-    "name": "OCI Support Incident Coordinator",
+    "id": "oci-maestro",
+    "name": "OCI Maestro",
     "type": "skill",
     "provider": "oci",
     "harnesses": [
@@ -1481,23 +3037,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Coordinate OCI support incidents with evidence quality, severity discipline, resource scope, timelines, and escalation readiness. Use for support tickets, incident evidence packs, Oracle SR preparation, and post-incident follow-up.",
+    "summary": "Route OCI tasks to the narrowest specialist or team of specialists from the 31-agent catalog. Classifies by domain, dispatches single or parallel (max 4), and enforces live-guard gate for production-change agents.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://www.oracle.com/cloud/",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/securityoverview.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oci-support-incident-coordinator",
+    "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live-guard agents without explicit human confirmation, blast-radius assessment, and rollback path. OCI vault key destruction and IAM policy deletion are irreversible.",
+    "last_verified": "2026-04-30",
+    "path": "skills/oci/oci-maestro",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "oracle-oci-mcp-grounded-advisor",
-    "name": "Oracle and OCI MCP Grounded Advisor",
+    "id": "terraform-maestro",
+    "name": "Terraform Maestro",
     "type": "skill",
-    "provider": "oci",
+    "provider": "terraform",
     "harnesses": [
       "codex",
       "claude-code",
@@ -1506,16 +3064,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Ground Oracle, OCI, SQLcl, database, and MCP recommendations in official Oracle sources before advising.",
-    "source_type": "original",
+    "summary": "Route Terraform and IaC tasks to the right specialist from the cross-cloud IaC catalog. Classifies by domain (review, aws-iac, azure-iac, oci-iac, live-guard), dispatches single or parallel (max 4), and enforces live-guard gate for live apply, destroy, or stack mutations.",
+    "source_type": "adapted",
     "official_docs": [
-      "https://www.oracle.com/mcp",
-      "https://github.com/oracle/mcp",
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm"
-    ],
-    "security_notes": "Oracle database and OCI MCP tools can expose sensitive data or mutate cloud resources. Verify auth model and permissions before recommending use.",
-    "last_verified": "2026-04-27",
-    "path": "skills/oci/oracle-oci-mcp-grounded-advisor",
+      "https://developer.hashicorp.com/terraform/docs",
+      "https://developer.hashicorp.com/terraform/language",
+      "https://developer.hashicorp.com/terraform/cli/commands/plan",
+      "https://developer.hashicorp.com/terraform/cli/commands/apply",
+      "https://registry.terraform.io/providers/hashicorp/aws/latest/docs",
+      "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs",
+      "https://registry.terraform.io/providers/oracle/oci/latest/docs"
+    ],
+    "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live apply, destroy, or stack mutation agents without explicit human confirmation, blast-radius assessment, and rollback path. Terraform destroy is irreversible without state backup.",
+    "last_verified": "2026-04-30",
+    "path": "skills/terraform/terraform-maestro",
     "author": "github: Raishin",
     "version": "0.1.0"
   }