npm - @raishin/vanguard-frontier-agentic - Versions diffs - 1.1.0 → 1.2.0 - Mend

@raishin/vanguard-frontier-agentic 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (293) hide show

package/skills/azure/azure-live-app-service-slot-swap-guard/references/preflight-commands.md ADDED Viewed

@@ -0,0 +1,46 @@
+# Preflight Commands: Azure Live App Service Slot Swap Guard
+Run these before initiating a slot swap. Paste sanitized output as evidence.
+## 1. Confirm identity and App Service target
+```bash
+az account show --query "{subscription:id, name:name, user:user.name}"
+az webapp show -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --query "{name:name, state:properties.state, hostNames:properties.hostNames}"
+```
+## 2. List all slots and their current traffic weights
+```bash
+az webapp deployment slot list -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --query "[].{name:name, state:properties.state}"
+az webapp traffic-routing show -g <RESOURCE_GROUP> -n <APP_NAME>
+```
+## 3. Compare app settings between slots
+```bash
+az webapp config appsettings list -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --slot staging --query "[].{name:name, slotSetting:slotSetting}"
+az webapp config appsettings list -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --query "[].{name:name, slotSetting:slotSetting}"
+```
+Pay special attention to `slotSetting: false` — those settings WILL swap with the slot.
+Settings with `slotSetting: true` are slot-sticky and will NOT be swapped.
+## 4. Check slot health before swap
+```bash
+az webapp show -g <RESOURCE_GROUP> -n <APP_NAME> --slot staging \
+  --query "{state:properties.state, availabilityState:properties.availabilityState}"
+# State must be "Running" and availabilityState must be "Normal" before swap
+```
+## 5. Review connection strings
+```bash
+az webapp config connection-string list -g <RESOURCE_GROUP> -n <APP_NAME> --slot staging \
+  --query "[].{name:name, type:type, slotSetting:slotSetting}"
+```

package/skills/azure/azure-live-app-service-slot-swap-guard/references/rollback-playbook.md ADDED Viewed

@@ -0,0 +1,46 @@
+# Rollback Playbook: Azure Live App Service Slot Swap Guard
+## Immediate swap-back (standard rollback path)
+The swap operation is symmetric — a second swap returns both slots to their original state.
+```bash
+# Verify current slot state before swapping back
+az webapp show -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --query "{hostNames:properties.hostNames}"
+az webapp show -g <RESOURCE_GROUP> -n <APP_NAME> --slot staging \
+  --query "{hostNames:properties.hostNames}"
+# Swap back: production → staging (reverts the original swap)
+az webapp deployment slot swap \
+  -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --slot staging \
+  --target-slot production
+```
+## Verify after rollback
+```bash
+az webapp show -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --query "{state:properties.state, defaultHostName:properties.defaultHostName}"
+# Check application health endpoint
+curl -s https://<APP_NAME>.azurewebsites.net/health
+```
+## Traffic shifting (partial rollback via A/B routing)
+```bash
+# Route 10% of traffic to staging while investigating
+az webapp traffic-routing set -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --distribution staging=10
+# Return all traffic to production
+az webapp traffic-routing clear -g <RESOURCE_GROUP> -n <APP_NAME>
+```
+## Rollback limitations
+- Slot swap is symmetric and reversible **only if you swap back before a second swap**.
+- App settings with `slotSetting: false` were swapped — they will swap back.
+- Any data written by the new code version to a shared database or storage is NOT rolled back by swapping.
+- Log stream evidence must be captured before initiating a rollback; logs do not travel with slot state.

package/skills/azure/azure-live-arm-deployment-stack-guard/SKILL.md ADDED Viewed

@@ -0,0 +1,49 @@
+---
+name: azure-live-arm-deployment-stack-guard
+description: Guard live ARM, Bicep, and Deployment Stack changes with what-if evidence, denySettings review, changeset diff, rollback posture, and approval gates.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+# Azure Live ARM Deployment Stack Guard
+## Purpose
+Act as the guarded live Azure operator for azure-live-arm-deployment-stack-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+## When to use
+Use this skill when:
+- an ARM or Bicep deployment must be previewed and possibly executed against a live Azure environment
+- the session involves Deployment Stacks with denySettings and protected resource scopes
+- a human needs guarded execution help with change evidence and rollback design
+## Lean operating rules
+- Prefer Azure CLI (`az`) official documentation when available; fall back to Microsoft Learn docs and sanitized user evidence.
+- Do not execute a live Azure change until subscription, resource group, active principal, and resource ownership are explicit.
+- Prefer what-if, preview, describe, status, dry-run, plan, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, access tokens, connection strings, or raw environment values. Summarize sanitized evidence only.
+- Load references only when needed.
+## References
+Load these only when needed:
+- [Preflight commands](references/preflight-commands.md) — CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — RBAC role definitions and PIM guidance.
+- [Official sources](references/official-sources.md) — authoritative Azure documentation links.
+## Response minimum
+Return, at minimum:
+- confirmed target subscription, resource group, and principal
+- preflight evidence (what-if diff, status, health check, or plan output)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason

package/skills/azure/azure-live-arm-deployment-stack-guard/metadata.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "id": "azure-live-arm-deployment-stack-guard",
+  "name": "Azure Live ARM Deployment Stack Guard",
+  "type": "skill",
+  "provider": "azure",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Guard live ARM, Bicep, and Deployment Stack changes with what-if evidence, denySettings review, changeset diff, rollback posture, and approval gates.",
+  "source_type": "original",
+  "official_docs": [
+    "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if",
+    "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks",
+    "https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments",
+    "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices"
+  ],
+  "security_notes": "Never execute an ARM or Deployment Stack change without what-if evidence, confirmed target scope, denySettings review, and explicit human approval. Repo write access does not authorize live Azure mutations.",
+  "last_verified": "2026-04-30",
+  "path": "skills/azure/azure-live-arm-deployment-stack-guard",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/azure/azure-live-arm-deployment-stack-guard/references/official-sources.md ADDED Viewed

@@ -0,0 +1,17 @@
+# Official Sources: Azure Live ARM Deployment Stack Guard
+## ARM and Bicep deployments
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/rollback-on-error
+## Deployment Stacks
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks-scenarios
+## Source-grounding rule
+Use official Microsoft Learn documentation as source of truth for ARM and Bicep behavior.
+Always verify what-if output against live resource state, not just template assumptions.

package/skills/azure/azure-live-arm-deployment-stack-guard/references/permission-model.md ADDED Viewed

@@ -0,0 +1,68 @@
+# Permission Model: Azure Live ARM Deployment Stack Guard
+## Custom role — what-if and stack write, stack deletion excluded
+```json
+{
+  "Name": "ARM Deployment Stack Guard",
+  "IsCustom": true,
+  "Description": "Minimum rights for guarded ARM what-if and Deployment Stack changes in one target resource group. Stack deletion is EXCLUDED — it requires a separate PIM-elevated role.",
+  "Actions": [
+    "Microsoft.Resources/deployments/read",
+    "Microsoft.Resources/deployments/write",
+    "Microsoft.Resources/deployments/whatIf/action",
+    "Microsoft.Resources/deploymentStacks/read",
+    "Microsoft.Resources/deploymentStacks/write",
+    "Microsoft.Resources/subscriptions/resourceGroups/read"
+  ],
+  "NotActions": [
+    "Microsoft.Resources/deploymentStacks/delete"
+  ],
+  "DataActions": [],
+  "NotDataActions": [],
+  "AssignableScopes": [
+    "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<TARGET_RG>"
+  ]
+}
+```
+`deploymentStacks/delete` is in `NotActions`. Stack deletion requires a separate
+PIM-eligible role activated only for confirmed decommission windows (see below).
+## PIM-elevated delete role (activate only for planned decommission)
+```json
+{
+  "Name": "ARM Deployment Stack Delete (PIM)",
+  "IsCustom": true,
+  "Description": "Stack deletion only. Must be PIM-activated with approval and time-bound to a decommission window.",
+  "Actions": [
+    "Microsoft.Resources/deploymentStacks/read",
+    "Microsoft.Resources/deploymentStacks/delete"
+  ],
+  "NotActions": [],
+  "AssignableScopes": [
+    "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<TARGET_RG>"
+  ]
+}
+```
+Assign as **PIM-eligible only**. Require manager approval. Maximum 2-hour activation.
+## Deployment Stacks denySettings recommendation
+```bash
+az deployment-stack group create \
+  --deny-settings-mode denyDelete \
+  --deny-settings-apply-to-child-scopes \
+  ...
+```
+Use `denyWriteAndDelete` for compliance-mandated immutable resources.
+## Do not assign
+- `Owner` at subscription scope
+- `Contributor` at management-group scope
+- `Microsoft.Resources/*` wildcards
+- `Microsoft.Authorization/roleAssignments/write` (privilege escalation risk)

package/skills/azure/azure-live-arm-deployment-stack-guard/references/preflight-commands.md ADDED Viewed

@@ -0,0 +1,55 @@
+# Preflight Commands: Azure Live ARM Deployment Stack Guard
+Run these before any ARM or Deployment Stack mutation. Paste sanitized output as evidence.
+## 1. Confirm identity and subscription target
+```bash
+az account show --query "{subscription:id, name:name, user:user.name}"
+az group show -n <RESOURCE_GROUP> --query "{name:name, location:location, provisioningState:properties.provisioningState}"
+```
+## 2. Run what-if before any deployment
+```bash
+# ARM template what-if
+az deployment group what-if \
+  -g <RESOURCE_GROUP> \
+  --template-file <TEMPLATE.json> \
+  --parameters @<PARAMS.json>
+# Bicep what-if
+az deployment group what-if \
+  -g <RESOURCE_GROUP> \
+  --template-file <TEMPLATE.bicep> \
+  --parameters @<PARAMS.bicepparam>
+```
+Review the what-if output for resource replacements (marked with `~` or `-/+`).
+Any replacement of a stateful resource (database, storage, Key Vault) must be
+explicitly approved before proceeding.
+## 3. Inspect existing Deployment Stack state
+```bash
+az deployment-stack group show \
+  -n <STACK_NAME> \
+  -g <RESOURCE_GROUP> \
+  --query "{provisioningState:provisioningState, denySettings:properties.denySettings, resources:properties.resources[].id}"
+```
+## 4. List managed resources and their protection status
+```bash
+az deployment-stack group show -n <STACK_NAME> -g <RESOURCE_GROUP> \
+  --query "properties.resources[].{id:id, denyStatus:denyStatus}"
+```
+## 5. Validate the template without deploying
+```bash
+az deployment group validate \
+  -g <RESOURCE_GROUP> \
+  --template-file <TEMPLATE.json> \
+  --parameters @<PARAMS.json>
+```

package/skills/azure/azure-live-arm-deployment-stack-guard/references/rollback-playbook.md ADDED Viewed

@@ -0,0 +1,53 @@
+# Rollback Playbook: Azure Live ARM Deployment Stack Guard
+## Cancel an in-progress deployment
+```bash
+# List recent deployments to find the in-flight one
+az deployment group list -g <RESOURCE_GROUP> \
+  --query "[?properties.provisioningState=='Running'].{name:name, timestamp:properties.timestamp}"
+# Cancel by name
+az deployment group cancel -g <RESOURCE_GROUP> -n <DEPLOYMENT_NAME>
+```
+Cancellation is best-effort. Resources already provisioned before cancel are NOT torn down.
+## Redeploy the last known-good template version
+```bash
+# List deployment history to find the target
+az deployment group list -g <RESOURCE_GROUP> \
+  --query "[].{name:name, state:properties.provisioningState, timestamp:properties.timestamp}" \
+  --output table
+# Export the template from a prior successful deployment
+az deployment group export -g <RESOURCE_GROUP> -n <GOOD_DEPLOYMENT_NAME> \
+  --output json > rollback-template.json
+# Redeploy
+az deployment group create \
+  -g <RESOURCE_GROUP> \
+  --template-file rollback-template.json \
+  --parameters @<PARAMS.json>
+```
+## Deployment Stack — update back to previous config
+```bash
+# Re-apply the previous stack config (update, not recreate)
+az deployment-stack group create \
+  -n <STACK_NAME> \
+  -g <RESOURCE_GROUP> \
+  --template-file rollback-template.json \
+  --parameters @<PARAMS.json> \
+  --action-on-unmanage deleteResources \
+  --deny-settings-mode denyDelete
+```
+## Rollback limitations
+- ARM deployments are additive by default — they do not auto-delete resources added in the failed run.
+- Deployment Stack `deleteResources` on unmanage will delete resources removed from the template.
+- Stateful resources (databases, storage accounts, Key Vaults) cannot be "rolled back" — only re-provisioned from backup.
+- If a resource was replaced (`~` in what-if), the original resource may already be deleted.

package/skills/azure/azure-live-cost-budget-action-guard/SKILL.md ADDED Viewed

@@ -0,0 +1,49 @@
+---
+name: azure-live-cost-budget-action-guard
+description: Gate Azure budget action changes and GPU/HPC SKU provisioning against approved spend limits, with quota audits and emergency spend-stop playbooks.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+# Azure Live Cost Budget Action Guard
+## Purpose
+Act as the guarded live Azure operator for azure-live-cost-budget-action-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+## When to use
+Use this skill when:
+- a cost budget action threshold or notification must be modified for a subscription or management group
+- a GPU or HPC VM SKU scale-up is requested and spend-limit approval is required
+- a runaway cost event is detected and emergency quota reduction or VM deallocation is needed
+## Lean operating rules
+- Prefer Azure CLI (`az`) official documentation when available; fall back to Microsoft Learn docs and sanitized user evidence.
+- Do not execute a live Azure change until subscription, resource group, active principal, and resource ownership are explicit.
+- Prefer what-if, preview, describe, status, dry-run, plan, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, access tokens, connection strings, or raw environment values. Summarize sanitized evidence only.
+- Load references only when needed.
+## References
+Load these only when needed:
+- [Preflight commands](references/preflight-commands.md) — CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — RBAC role definitions and PIM guidance.
+- [Official sources](references/official-sources.md) — authoritative Azure documentation links.
+## Response minimum
+Return, at minimum:
+- confirmed target subscription, resource group, and principal
+- preflight evidence (what-if diff, status, health check, or plan output)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason

package/skills/azure/azure-live-cost-budget-action-guard/metadata.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "id": "azure-live-cost-budget-action-guard",
+  "name": "Azure Live Cost Budget Action Guard",
+  "type": "skill",
+  "provider": "azure",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Gate Azure budget action changes and GPU/HPC SKU provisioning against approved spend limits, with quota audits and emergency spend-stop playbooks.",
+  "source_type": "original",
+  "official_docs": [
+    "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
+    "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits",
+    "https://learn.microsoft.com/en-us/azure/quotas/quickstart-increase-quota-portal",
+    "https://learn.microsoft.com/en-us/azure/cost-management-billing/finops/overview-finops"
+  ],
+  "security_notes": "GPU/HPC SKUs (NDv5, H100, A100) can generate $50K+ daily costs. Never approve quota increases or budget threshold raises without explicit spend-approval sign-off from a financial authority.",
+  "last_verified": "2026-04-30",
+  "path": "skills/azure/azure-live-cost-budget-action-guard",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/azure/azure-live-cost-budget-action-guard/references/official-sources.md ADDED Viewed

@@ -0,0 +1,17 @@
+# Official Sources: Azure Live Cost Budget Action Guard
+## Azure Cost Management budgets
+- https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets
+- https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/manage-automation
+- https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/cost-analysis-common-uses
+## Azure Quotas and limits
+- https://learn.microsoft.com/en-us/azure/quotas/quotas-overview
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
+## Source-grounding rule
+Use official Microsoft Learn documentation as the source of truth.
+Budget and quota behavior changes with service versions — verify current API behavior against docs.

package/skills/azure/azure-live-cost-budget-action-guard/references/permission-model.md ADDED Viewed

@@ -0,0 +1,66 @@
+# Permission Model: Azure Live Cost Budget Action Guard
+## Custom role — budget read/write, quota read, no VM creation
+```json
+{
+  "Name": "Cost Budget Action Guard",
+  "IsCustom": true,
+  "Description": "Read and modify subscription budgets and read compute quotas. Cannot create VMs. Cannot delete budgets.",
+  "Actions": [
+    "Microsoft.Consumption/budgets/read",
+    "Microsoft.Consumption/budgets/write",
+    "Microsoft.CostManagement/budgets/read",
+    "Microsoft.CostManagement/budgets/write",
+    "Microsoft.CostManagement/query/action",
+    "Microsoft.Compute/locations/usages/read",
+    "Microsoft.Compute/locations/vmSizes/read",
+    "Microsoft.Quota/quotas/read",
+    "Microsoft.Quota/usages/read"
+  ],
+  "NotActions": [
+    "Microsoft.Compute/virtualMachines/write",
+    "Microsoft.Compute/virtualMachineScaleSets/write",
+    "Microsoft.Quota/quotas/write",
+    "Microsoft.Consumption/budgets/delete",
+    "Microsoft.CostManagement/budgets/delete"
+  ],
+  "AssignableScopes": [
+    "/subscriptions/<SUBSCRIPTION_ID>"
+  ]
+}
+```
+`Microsoft.Quota/quotas/write` is excluded: quota increase requests carry spending risk
+and must go through a separate approval workflow, not this role. VM creation is
+explicitly excluded to prevent the cost guard from becoming a provisioning path.
+`Microsoft.Consumption/budgets/delete` and `Microsoft.CostManagement/budgets/delete`
+are excluded: deleting a budget silently removes the only cross-region financial
+guardrail and disables every threshold alert on the subscription. Cleanup of stale or
+test budgets must go through a separate PIM-eligible role with MFA + justification gates.
+## Azure Policy guardrail (deploy alongside the role)
+Deny GPU VM SKU provisioning without an approved budget tag:
+```json
+{
+  "if": {
+    "allOf": [
+      {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
+      {"field": "Microsoft.Compute/virtualMachines/sku.name", "in": [
+        "Standard_ND96asr_v4", "Standard_NC24rs_v3", "Standard_ND40rs_v2"
+      ]},
+      {"field": "tags.BudgetApproval", "exists": "false"}
+    ]
+  },
+  "then": {"effect": "Deny"}
+}
+```
+## Do not assign
+- `Cost Management Contributor` at management-group scope
+- `Billing Account Contributor`
+- `Microsoft.Compute/virtualMachines/write` to this role

package/skills/azure/azure-live-cost-budget-action-guard/references/preflight-commands.md ADDED Viewed

@@ -0,0 +1,48 @@
+# Preflight Commands: Azure Live Cost Budget Action Guard
+Run these before any budget modification. Paste sanitized output as evidence.
+## 1. Confirm identity and subscription
+```bash
+az account show --query "{subscription:id, name:name, user:user.name}"
+```
+## 2. List current budgets
+```bash
+az consumption budget list --query \
+  "[].{name:name, amount:properties.amount, timeGrain:properties.timeGrain, currentSpend:properties.currentSpend.amount}"
+```
+## 3. Inspect a specific budget detail
+```bash
+az consumption budget show -n <BUDGET_NAME> \
+  --query "{amount:properties.amount, filter:properties.filter, notifications:properties.notifications}"
+```
+## 4. Check current spend vs. budget
+```bash
+az costmanagement query \
+  --type ActualCost \
+  --dataset-aggregation '{"totalCost":{"name":"PreTaxCost","function":"Sum"}}' \
+  --timeframe MonthToDate \
+  --scope "/subscriptions/<SUBSCRIPTION_ID>"
+```
+## 5. Check compute quota usage before action
+```bash
+az vm list-usage -l <LOCATION> \
+  --query "[?contains(name.value,'cores') || contains(name.value,'GPU')].{name:name.localizedValue, current:currentValue, limit:limit}"
+```
+## 6. Verify budget action groups are configured
+```bash
+az consumption budget show -n <BUDGET_NAME> \
+  --query "properties.notifications"
+# All notification.actionGroups should point to valid Action Group resource IDs
+```

package/skills/azure/azure-live-cost-budget-action-guard/references/rollback-playbook.md ADDED Viewed

@@ -0,0 +1,40 @@
+# Rollback Playbook: Azure Live Cost Budget Action Guard
+## Revert a budget modification
+```bash
+# Inspect current state before revert
+az consumption budget show -n <BUDGET_NAME>
+# Delete and recreate with original values
+az consumption budget delete -n <BUDGET_NAME>
+az consumption budget create \
+  -n <BUDGET_NAME> \
+  --amount <ORIGINAL_AMOUNT> \
+  --time-grain <Monthly|Quarterly|Annually> \
+  --start-date <YYYY-MM-01> \
+  --end-date <YYYY-MM-01> \
+  --notification <KEY=VALUE pairs from original>
+```
+## Remove a runaway action group from a budget
+```bash
+# Show notification rules
+az consumption budget show -n <BUDGET_NAME> --query "properties.notifications"
+# Update budget to clear action groups on a specific notification key
+az consumption budget create -n <BUDGET_NAME> \
+  --amount <AMOUNT> \
+  --time-grain Monthly \
+  --start-date <DATE> \
+  --end-date <DATE>
+# Re-specify only the notification rules you want to keep
+```
+## Rollback limitations
+- Spend that already occurred before the budget alert triggered cannot be reversed.
+- Deleting a budget does NOT stop any VMs or resources — it only removes the alerting rule.
+- Quota increases, once approved by Microsoft, cannot be reduced below the original limit.

package/skills/azure/azure-live-keyvault-rotation-purge-guard/SKILL.md ADDED Viewed

@@ -0,0 +1,49 @@
+---
+name: azure-live-keyvault-rotation-purge-guard
+description: Guard Key Vault key rotation, rotation policy changes, soft-delete enforcement, and purge-protection enablement with irreversibility warnings and rollback evidence.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+# Azure Live Key Vault Rotation Purge Guard
+## Purpose
+Act as the guarded live Azure operator for azure-live-keyvault-rotation-purge-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+## When to use
+Use this skill when:
+- a Key Vault key or secret rotation must be triggered or scheduled against a live vault
+- soft-delete or purge-protection must be verified or enabled on a production vault
+- a key or secret has been soft-deleted and recovery or permanent purge must be decided
+## Lean operating rules
+- Prefer Azure CLI (`az`) official documentation when available; fall back to Microsoft Learn docs and sanitized user evidence.
+- Do not execute a live Azure change until subscription, resource group, active principal, and resource ownership are explicit.
+- Prefer what-if, preview, describe, status, dry-run, plan, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, access tokens, connection strings, or raw environment values. Summarize sanitized evidence only.
+- Load references only when needed.
+## References
+Load these only when needed:
+- [Preflight commands](references/preflight-commands.md) — CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — RBAC role definitions and PIM guidance.
+- [Official sources](references/official-sources.md) — authoritative Azure documentation links.
+## Response minimum
+Return, at minimum:
+- confirmed target subscription, resource group, and principal
+- preflight evidence (what-if diff, status, health check, or plan output)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason