@raishin/vanguard-frontier-agentic 1.1.0 → 1.2.0

package/skills/oci/oci-live-autonomous-db-lifecycle-guard/SKILL.md

@@ -0,0 +1,49 @@
+---
+name: oci-live-autonomous-db-lifecycle-guard
+description: Guard Autonomous Database lifecycle changes — scale, start, stop, clone, terminate — with protection-tag enforcement, backup verification, and connection-string impact analysis before any mutation.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+
+# OCI Live Autonomous DB Lifecycle Guard
+
+## Purpose
+
+Act as the guarded live OCI operator for oci-live-autonomous-db-lifecycle-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+
+## When to use
+
+Use this skill when:
+
+- an Autonomous Database must be scaled, started, stopped, cloned, or terminated against a live OCI environment
+- a protection tag must be audited before a lifecycle operation that could cause data loss or outage
+- an Autonomous Database backup or wallet must be confirmed before a scale or clone operation
+
+## Lean operating rules
+
+- Prefer OCI CLI (`oci`) official documentation when available; fall back to Oracle Cloud docs and sanitized user evidence.
+- Do not execute a live OCI change until tenancy, compartment, active principal, and resource ownership are explicit.
+- Prefer plan, detect-drift, inspect, read, describe, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, API keys, tenancy OCIDs, private key contents, or raw config values. Summarize sanitized evidence only.
+- Load references only when needed.
+
+## References
+
+Load these only when needed:
+
+- [Preflight commands](references/preflight-commands.md) — OCI CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — OCI IAM policy statements and dynamic group guidance.
+- [Official sources](references/official-sources.md) — authoritative OCI documentation links.
+
+## Response minimum
+
+Return, at minimum:
+
+- confirmed tenancy, compartment, and active principal
+- preflight evidence (plan output, drift result, inspect/read, health check)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason

package/skills/oci/oci-live-autonomous-db-lifecycle-guard/metadata.json

@@ -0,0 +1,27 @@
+{
+  "id": "oci-live-autonomous-db-lifecycle-guard",
+  "name": "OCI Live Autonomous DB Lifecycle Guard",
+  "type": "skill",
+  "provider": "oci",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Guard Autonomous Database lifecycle changes \u2014 scale, start, stop, clone, terminate \u2014 with protection-tag enforcement, backup verification, and connection-string impact analysis before any mutation.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbscaling.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbstopstart.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbcloning.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbbackingup.htm"
+  ],
+  "security_notes": "ADB termination is permanent \u2014 the database and all backups are deleted. Always verify protection tags before any terminate operation. ADB storage scale-up cannot be reversed. Termination blocked by defined-tag protection requires explicit tag removal approval.",
+  "last_verified": "2026-04-30",
+  "path": "skills/oci/oci-live-autonomous-db-lifecycle-guard",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/official-sources.md

@@ -0,0 +1,13 @@
+# Official Sources: OCI Live Autonomous DB Lifecycle Guard
+
+## OCI Autonomous Database
+
+- https://docs.oracle.com/en-us/iaas/Content/Database/Concepts/adboverview.htm
+- https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbmanaging.htm
+- https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbbackingup.htm
+- https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbcloning.htm
+
+## Source-grounding rule
+
+Use official Oracle Cloud Infrastructure documentation as the source of truth for ADB behavior.
+Lifecycle state transitions and backup retention windows must be verified from current OCI docs.

package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/permission-model.md

@@ -0,0 +1,49 @@
+# Permission Model: OCI Live Autonomous DB Lifecycle Guard
+
+## 3-tier separation
+
+| Tier | Group | Verb | Scope |
+|------|-------|------|-------|
+| Audit | `<adb-auditors>` | inspect / read | `<prod-db-compartment>` |
+| Operator | `<adb-operators>` | use | `<prod-db-compartment>` |
+| Admin | `<adb-admins>` | manage + tag condition | `<prod-db-compartment>` |
+
+## Baseline read (no mutation)
+
+```
+Allow group <adb-auditors> to inspect autonomous-databases in compartment <prod-db-compartment>
+Allow group <adb-auditors> to read autonomous-databases in compartment <prod-db-compartment>
+Allow group <adb-auditors> to read autonomous-database-backups in compartment <prod-db-compartment>
+```
+
+## Operator — start, stop, scale (use verb, no terminate/clone)
+
+```
+Allow group <adb-operators> to use autonomous-databases in compartment <prod-db-compartment>
+```
+
+With `use`: start, stop, scale CPU/storage, generate wallet.
+Cannot: terminate, clone, change network-access type.
+
+## Admin — clone and terminate (manage + tag condition)
+
+```
+Allow group <adb-admins> to manage autonomous-databases in compartment <prod-db-compartment>
+  where target.resource.tag.Operations.Lifecycle.value != 'protected'
+```
+
+The `Operations.Lifecycle = protected` tag must be set in a **protected tag namespace** on all
+production ADBs. Only tag-namespace admins can remove the tag.
+
+> **IRREVERSIBILITY WARNING**
+> - **Termination** is permanent. OCI does not recover terminated ADB instances.
+> - **Storage scale-up** is a one-way door — storage can only grow, never shrink.
+> - Both operations require dual-sign-off and a confirmed maintenance window.
+
+## Do not use
+
+```
+# FORBIDDEN
+Allow group <adb-operators> to manage autonomous-databases in tenancy
+Allow any-user to use autonomous-databases in compartment prod-db
+```

package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/preflight-commands.md

@@ -0,0 +1,58 @@
+# Preflight Commands: OCI Live Autonomous DB Lifecycle Guard
+
+Run these before any ADB lifecycle mutation. Paste sanitized output as evidence.
+
+## 1. Confirm identity and tenancy
+
+```bash
+oci iam region list --query "data[0]" 2>/dev/null || true
+oci iam user get --user-id $(oci iam user list --query "data[0].id" --raw-output) \
+  --query "data.{name:name,id:id}" 2>/dev/null
+# Or check OCI config profile
+cat ~/.oci/config | grep -E "^(user|tenancy|region|fingerprint)"
+```
+
+## 2. Get current ADB state
+
+```bash
+oci db autonomous-database get \
+  --autonomous-database-id <ADB_OCID> \
+  --query "data.{displayName:\"display-name\",lifecycleState:\"lifecycle-state\",ocpuCount:\"ocpu-count\",dataStorageSizeInTBs:\"data-storage-size-in-tbs\",freeformTags:\"freeform-tags\",definedTags:\"defined-tags\"}"
+```
+
+## 3. Verify protection tag is set (before any manage-verb operation)
+
+```bash
+oci db autonomous-database get \
+  --autonomous-database-id <ADB_OCID> \
+  --query "data.\"defined-tags\".Operations.Lifecycle"
+# Must return "protected" on production ADBs
+```
+
+## 4. Confirm recent backup exists
+
+```bash
+oci db autonomous-database-backup list \
+  --autonomous-database-id <ADB_OCID> \
+  --sort-by TIMECREATED \
+  --sort-order DESC \
+  --limit 3 \
+  --query "data[].{displayName:\"display-name\",lifecycleState:\"lifecycle-state\",timeStarted:\"time-started\",isAutomatic:\"is-automatic\"}"
+```
+
+## 5. Check wallet and connection strings (before scale/clone)
+
+```bash
+oci db autonomous-database get \
+  --autonomous-database-id <ADB_OCID> \
+  --query "data.{connectionStrings:\"connection-strings\",connectionUrls:\"connection-urls\"}"
+```
+
+## 6. Verify no in-flight operations
+
+```bash
+oci db autonomous-database get \
+  --autonomous-database-id <ADB_OCID> \
+  --query "data.{lifecycleState:\"lifecycle-state\",lifecycleDetails:\"lifecycle-details\"}"
+# lifecycleState must be AVAILABLE before any mutation
+```

package/skills/oci/oci-live-autonomous-db-lifecycle-guard/references/rollback-playbook.md

@@ -0,0 +1,44 @@
+# Rollback Playbook: OCI Live Autonomous DB Lifecycle Guard
+
+## Restore from automatic backup (after accidental stop or data issue)
+
+```bash
+# List available backups
+oci db autonomous-database-backup list \
+  --autonomous-database-id <ADB_OCID> \
+  --query "data[].{id:id,displayName:\"display-name\",timeStarted:\"time-started\",type:type}"
+
+# Restore to a specific backup
+oci db autonomous-database restore \
+  --autonomous-database-id <ADB_OCID> \
+  --timestamp <ISO8601_TIMESTAMP>
+# Example: --timestamp "2025-04-29T12:00:00.000Z"
+```
+
+## Start a stopped database
+
+```bash
+oci db autonomous-database start \
+  --autonomous-database-id <ADB_OCID>
+
+# Poll for AVAILABLE state
+oci db autonomous-database get \
+  --autonomous-database-id <ADB_OCID> \
+  --query "data.\"lifecycle-state\""
+```
+
+## Scale CPU down (if over-provisioned)
+
+```bash
+oci db autonomous-database update \
+  --autonomous-database-id <ADB_OCID> \
+  --ocpu-count <TARGET_COUNT>
+# Note: storage cannot be scaled down — only CPU is reversible
+```
+
+## Rollback limitations
+
+- **Termination is permanent** — no recovery path exists after an ADB is terminated.
+- **Storage scale-up is irreversible** — OCI does not shrink ADB storage after an increase.
+- Point-in-time restore is available only within the automatic backup retention window (default: 60 days).
+- Connection wallet files generated for the new ADB (after clone) are not interchangeable with the source ADB wallet.

package/skills/oci/oci-live-cost-budget-runaway-guard/SKILL.md

@@ -0,0 +1,49 @@
+---
+name: oci-live-cost-budget-runaway-guard
+description: Gate OCI budget mutations and GPU/HPC shape provisioning against compartment spend limits, with inventory searches, quota audits, and emergency spend-stop playbooks.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+
+# OCI Live Cost Budget Runaway Guard
+
+## Purpose
+
+Act as the guarded live OCI operator for oci-live-cost-budget-runaway-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+
+## When to use
+
+Use this skill when:
+
+- an OCI budget rule threshold or alert must be modified for a tenancy or compartment
+- a GPU or HPC shape provisioning request requires spend-limit approval before creating
+- a runaway GPU cost event is detected and emergency quota reduction or instance stop is needed
+
+## Lean operating rules
+
+- Prefer OCI CLI (`oci`) official documentation when available; fall back to Oracle Cloud docs and sanitized user evidence.
+- Do not execute a live OCI change until tenancy, compartment, active principal, and resource ownership are explicit.
+- Prefer plan, detect-drift, inspect, read, describe, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, API keys, tenancy OCIDs, private key contents, or raw config values. Summarize sanitized evidence only.
+- Load references only when needed.
+
+## References
+
+Load these only when needed:
+
+- [Preflight commands](references/preflight-commands.md) — OCI CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — OCI IAM policy statements and dynamic group guidance.
+- [Official sources](references/official-sources.md) — authoritative OCI documentation links.
+
+## Response minimum
+
+Return, at minimum:
+
+- confirmed tenancy, compartment, and active principal
+- preflight evidence (plan output, drift result, inspect/read, health check)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason

package/skills/oci/oci-live-cost-budget-runaway-guard/metadata.json

@@ -0,0 +1,27 @@
+{
+  "id": "oci-live-cost-budget-runaway-guard",
+  "name": "OCI Live Cost Budget Runaway Guard",
+  "type": "skill",
+  "provider": "oci",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Gate OCI budget mutations and GPU/HPC shape provisioning against compartment spend limits, with inventory searches, quota audits, and emergency spend-stop playbooks.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/managinginstances.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm"
+  ],
+  "security_notes": "GPU/HPC shapes (BM.GPU4.8, A100, BM.HPC2.36) can generate six-figure monthly costs when left running. Never approve quota increases or budget threshold raises without explicit financial-authority approval. Emergency stop requires Compute operator rights \u2014 escalate if not held.",
+  "last_verified": "2026-04-30",
+  "path": "skills/oci/oci-live-cost-budget-runaway-guard",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/oci/oci-live-cost-budget-runaway-guard/references/official-sources.md

@@ -0,0 +1,17 @@
+# Official Sources: OCI Live Cost Budget Runaway Guard
+
+## OCI Budgets and cost management
+
+- https://docs.oracle.com/en-us/iaas/Content/Billing/Concepts/budgetsoverview.htm
+- https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm
+- https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingalertrules.htm
+
+## OCI Quotas
+
+- https://docs.oracle.com/en-us/iaas/Content/Quotas/Concepts/quotasoverview.htm
+- https://docs.oracle.com/en-us/iaas/Content/Quotas/Tasks/managingquotas.htm
+
+## Source-grounding rule
+
+Use official Oracle Cloud Infrastructure documentation as the source of truth.
+Budget behavior and alert rule mechanics must be verified against current OCI docs.

package/skills/oci/oci-live-cost-budget-runaway-guard/references/permission-model.md

@@ -0,0 +1,59 @@
+# Permission Model: OCI Live Cost Budget Runaway Guard
+
+## 3-tier separation
+
+| Tier | Group | Verb | Scope |
+|------|-------|------|-------|
+| Audit | `<cost-auditors>` | inspect / read | tenancy |
+| Operator | `<cost-operators>` | use | tenancy / compartment |
+| Admin | `<cost-admins>` | manage | tenancy |
+
+## Budget read (audit — no mutation)
+
+```
+Allow group <cost-auditors> to inspect usage-budgets in tenancy
+Allow group <cost-auditors> to read usage-budgets in tenancy
+Allow group <cost-auditors> to inspect costs in tenancy
+Allow group <cost-auditors> to read costs in tenancy
+```
+
+## Budget write (manage — budgets are tenancy-scoped resources)
+
+```
+Allow group <cost-admins> to manage usage-budgets in tenancy
+```
+
+## Quota inspection and resource search
+
+```
+Allow group <cost-admins> to inspect quota in tenancy
+Allow group <cost-admins> to read quota in tenancy
+Allow group <cost-admins> to use resource-search in tenancy
+```
+
+## Cost operators (middle tier — adjust budgets, cannot delete)
+
+`use usage-budgets` permits update + alert rule changes. It does NOT permit
+budget creation or deletion — those remain with `<cost-admins>`.
+
+```
+Allow group <cost-operators> to use usage-budgets in tenancy
+Allow group <cost-operators> to read costs in tenancy
+Allow group <cost-operators> to use ons-topics in compartment <cost-alerts-compartment>
+```
+
+## GPU/HPC shape gate via compartment quota
+
+```
+set compute-core-count quota gpu-vm-count to 0 in compartment <default-compute>
+```
+
+This physically prevents GPU shape provisioning without a quota increase — a harder gate than IAM deny policies.
+
+## Do not use
+
+```
+# FORBIDDEN
+Allow group <cost-admins> to manage all-resources in tenancy
+Allow group <cost-admins> to manage compute-instances in tenancy
+```

package/skills/oci/oci-live-cost-budget-runaway-guard/references/preflight-commands.md

@@ -0,0 +1,42 @@
+# Preflight Commands: OCI Live Cost Budget Runaway Guard
+
+Run these before any budget modification. Paste sanitized output as evidence.
+
+## 1. Confirm identity and tenancy target
+
+```bash
+oci iam region-subscription list --query "data[].{homeRegion:\"is-home-region\",regionName:\"region-name\"}"
+oci budgets budget list --compartment-id <TENANCY_OCID> \
+  --query "data[].{displayName:\"display-name\",amount:amount,actualSpend:\"actual-spend\",forecastedSpend:\"forecasted-spend\",lifecycleState:\"lifecycle-state\"}"
+```
+
+## 2. Inspect a specific budget
+
+```bash
+oci budgets budget get --budget-id <BUDGET_OCID> \
+  --query "data.{displayName:\"display-name\",amount:amount,actualSpend:\"actual-spend\",percentUsed:\"percent-used\",alertRuleCount:\"alert-rule-count\",targets:targets}"
+```
+
+## 3. List alert rules on the budget
+
+```bash
+oci budgets alert-rule list --budget-id <BUDGET_OCID> \
+  --query "data[].{displayName:\"display-name\",type:type,threshold:threshold,thresholdType:\"threshold-type\",recipients:recipients}"
+```
+
+## 4. Check current compute shape usage against quota
+
+```bash
+oci limits resource-availability get \
+  --service-name compute \
+  --limit-name standard-e4-core-count \
+  --compartment-id <COMPARTMENT_OCID> \
+  --availability-domain <AD>
+```
+
+## 5. Verify ONS topic is active (for alert routing)
+
+```bash
+oci ons topic get --topic-id <TOPIC_OCID> \
+  --query "data.{displayName:\"display-name\",lifecycleState:\"lifecycle-state\"}"
+```

package/skills/oci/oci-live-cost-budget-runaway-guard/references/rollback-playbook.md

@@ -0,0 +1,44 @@
+# Rollback Playbook: OCI Live Cost Budget Runaway Guard
+
+## Revert a budget threshold change
+
+```bash
+# Re-apply original budget amount
+oci budgets budget update \
+  --budget-id <BUDGET_OCID> \
+  --amount <ORIGINAL_AMOUNT>
+```
+
+## Remove a runaway alert rule
+
+```bash
+# List current alert rules
+oci budgets alert-rule list --budget-id <BUDGET_OCID> \
+  --query "data[].{id:id,displayName:\"display-name\",threshold:threshold}"
+
+# Delete a specific alert rule
+oci budgets alert-rule delete \
+  --budget-id <BUDGET_OCID> \
+  --alert-rule-id <RULE_OCID> \
+  --force
+```
+
+## Restore previous alert rule configuration
+
+```bash
+oci budgets alert-rule create \
+  --budget-id <BUDGET_OCID> \
+  --display-name <NAME> \
+  --type <ACTUAL|FORECAST> \
+  --threshold <VALUE> \
+  --threshold-type <PERCENTAGE|ABSOLUTE> \
+  --recipients <EMAIL> \
+  --message "Budget threshold reached"
+```
+
+## Rollback limitations
+
+- Spend that already occurred before the budget alert triggered cannot be reversed.
+- Deleting a budget does NOT stop any running compute instances — it only removes the alert.
+- Compartment quota reductions (setting `gpu-vm-count to 0`) take effect immediately but do not terminate existing instances.
+- OCI does not auto-stop resources when budget limits are hit — only notifications are sent.

package/skills/oci/oci-live-iam-policy-compartment-guard/SKILL.md

@@ -0,0 +1,49 @@
+---
+name: oci-live-iam-policy-compartment-guard
+description: Guard OCI IAM policy writes and dynamic group changes with verb-hierarchy audit, compartment scope enforcement, anti-pattern detection (any-user/any-group), and rollback via statement restore.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+
+# OCI Live IAM Policy Compartment Guard
+
+## Purpose
+
+Act as the guarded live OCI operator for oci-live-iam-policy-compartment-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+
+## When to use
+
+Use this skill when:
+
+- an OCI IAM policy must be created or modified in a compartment or at tenancy root
+- a dynamic group rule must be changed and blast-radius must be audited before write
+- an IAM audit finds overly broad policies that must be narrowed with least-privilege verb selection
+
+## Lean operating rules
+
+- Prefer OCI CLI (`oci`) official documentation when available; fall back to Oracle Cloud docs and sanitized user evidence.
+- Do not execute a live OCI change until tenancy, compartment, active principal, and resource ownership are explicit.
+- Prefer plan, detect-drift, inspect, read, describe, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, API keys, tenancy OCIDs, private key contents, or raw config values. Summarize sanitized evidence only.
+- Load references only when needed.
+
+## References
+
+Load these only when needed:
+
+- [Preflight commands](references/preflight-commands.md) — OCI CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — OCI IAM policy statements and dynamic group guidance.
+- [Official sources](references/official-sources.md) — authoritative OCI documentation links.
+
+## Response minimum
+
+Return, at minimum:
+
+- confirmed tenancy, compartment, and active principal
+- preflight evidence (plan output, drift result, inspect/read, health check)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason

package/skills/oci/oci-live-iam-policy-compartment-guard/metadata.json

@@ -0,0 +1,27 @@
+{
+  "id": "oci-live-iam-policy-compartment-guard",
+  "name": "OCI Live IAM Policy Compartment Guard",
+  "type": "skill",
+  "provider": "oci",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Guard OCI IAM policy writes and dynamic group changes with verb-hierarchy audit, compartment scope enforcement, anti-pattern detection (any-user/any-group), and rollback via statement restore.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policysyntax.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/iampolicyreference.htm"
+  ],
+  "security_notes": "Any-user and any-group policies in tenancy root are the most common OCI security misconfiguration. Never approve manage-verb policies at tenancy scope without compartment scoping. Policy deletes take effect immediately with no grace period.",
+  "last_verified": "2026-04-30",
+  "path": "skills/oci/oci-live-iam-policy-compartment-guard",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/oci/oci-live-iam-policy-compartment-guard/references/official-sources.md

@@ -0,0 +1,13 @@
+# Official Sources: OCI Live IAM Policy Compartment Guard
+
+## OCI IAM policies
+
+- https://docs.oracle.com/en-us/iaas/Content/Identity/policiesgs/get-started-with-policies.htm
+- https://docs.oracle.com/en-us/iaas/Content/Identity/policieshow/Policy_How_Policies_Work.htm
+- https://docs.oracle.com/en-us/iaas/Content/Identity/policyreference/policyreference.htm
+- https://docs.oracle.com/en-us/iaas/Content/Identity/dynamicgroups/managingdynamicgroups.htm
+
+## Source-grounding rule
+
+Use official Oracle Cloud Infrastructure documentation as the source of truth for IAM policy syntax.
+OCI policy-based IAM does not use JSON like AWS — verify statement syntax against OCI policy reference.

package/skills/oci/oci-live-iam-policy-compartment-guard/references/permission-model.md

@@ -0,0 +1,71 @@
+# Permission Model: OCI Live IAM Policy Compartment Guard
+
+## OCI verb hierarchy
+
+```
+inspect  = ListXxx APIs only. No resource content.
+read     = GetXxx + inspect. Can see resource details.
+use      = read + limited mutation (no create/terminate).
+manage   = full CRUD. Always scope to compartment, never tenancy for broad resources.
+```
+
+## 3-tier separation
+
+| Tier | Group | Scope | Activation |
+|------|-------|-------|-----------|
+| Auditor | `<iam-auditors>` | tenancy (read-only) | Standing |
+| Operator | `<iam-operators>` | compartment + name pattern | Standing (restricted) |
+| Tenancy-root admin | `<iam-tenancy-admins>` | tenancy | Break-glass only, MFA-TOTP gated |
+
+## Audit-only policy
+
+```
+Allow group <iam-auditors> to inspect policies in tenancy
+Allow group <iam-auditors> to read policies in tenancy
+Allow group <iam-auditors> to inspect dynamic-groups in tenancy
+Allow group <iam-auditors> to read dynamic-groups in tenancy
+Allow group <iam-auditors> to inspect groups in tenancy
+Allow group <iam-auditors> to read users in tenancy
+```
+
+## Policy operator (compartment-scoped, name-pattern restricted)
+
+```
+Allow group <iam-operators> to manage policies in compartment <iam-compartment>
+  where target.policy.name = /iam-managed-*/
+Allow group <iam-operators> to manage dynamic-groups in tenancy
+  where target.dynamicGroup.name = /iam-managed-*/
+```
+
+`dynamic-groups` are tenancy-scoped in OCI — compartment scope is not supported. The
+`where target.dynamicGroup.name = /iam-managed-*/` name-pattern condition prevents
+privilege escalation through creation of an unrestricted dynamic group.
+
+**Critical syntax**: OCI IAM uses **forward-slash regex** `/pattern*/`, **not** quoted strings,
+for wildcard matching. `= 'iam-managed-*'` would only match the literal string
+`iam-managed-*` (one specific name with a literal asterisk) — the operator could
+create any other dynamic group and bypass the guard entirely. Always use `/.../`
+slashes for pattern conditions. Reference: Oracle policy conditions docs at
+`https://docs.oracle.com/en-us/iaas/Content/Identity/policysyntax/conditions.htm`.
+
+## Tenancy-root admin (break-glass only, MFA-TOTP gated)
+
+```
+Allow group <iam-tenancy-admins> to manage policies in tenancy
+  where request.user.mfaTotpVerified = 'true'
+Allow group <iam-tenancy-admins> to manage groups in tenancy
+  where target.group.name != 'Administrators'
+```
+
+- MFA-TOTP gate is enforced at policy-evaluation time, not just login.
+- Cannot modify the `Administrators` group — requires the bootstrap tenancy admin.
+- Membership must be empty by default; add only during an approved change window.
+
+## Do not use
+
+```
+# FORBIDDEN
+Allow any-group to manage policies in tenancy
+Allow group <iam-operators> to manage policies in tenancy
+Allow any-user to inspect all-resources in tenancy
+```