npm - @raishin/vanguard-frontier-agentic - Versions diffs - 1.1.0 → 1.2.0 - Mend

@raishin/vanguard-frontier-agentic 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (293) hide show

package/skills/oci/oci-live-iam-policy-compartment-guard/references/preflight-commands.md ADDED Viewed

@@ -0,0 +1,49 @@
+# Preflight Commands: OCI Live IAM Policy Compartment Guard
+Run these before any IAM policy modification. Paste sanitized output as evidence.
+## 1. Confirm identity and tenancy
+```bash
+oci iam user list --query "data[?contains(\"defined-tags\".keys(@), 'Operations')].{name:name,id:id}" 2>/dev/null | head -20
+# Or check active session
+oci iam region-subscription list
+```
+## 2. List policies in target compartment
+```bash
+oci iam policy list \
+  --compartment-id <COMPARTMENT_OCID> \
+  --query "data[].{id:id,name:name,lifecycleState:\"lifecycle-state\",statements:statements}"
+```
+## 3. Inspect a specific policy
+```bash
+oci iam policy get --policy-id <POLICY_OCID> \
+  --query "data.{name:name,statements:statements,versionDate:\"version-date\",freeformTags:\"freeform-tags\"}"
+```
+## 4. List dynamic groups and their matching rules
+```bash
+oci iam dynamic-group list \
+  --query "data[].{name:name,id:id,matchingRule:\"matching-rule\",lifecycleState:\"lifecycle-state\"}"
+```
+## 5. Audit recent policy changes (Activity log)
+```bash
+oci audit event list \
+  --compartment-id <TENANCY_OCID> \
+  --start-time $(date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ) \
+  --query "data[?\"event-type\"=='com.oraclecloud.identitycontrolplane.updatepolicy'].{time:\"event-time\",user:data.\"request.headers\".\"opc-principal\"[0],policyId:data.\"request.path\"}"
+```
+## 6. Check for overly broad existing policies (anti-pattern scan)
+```bash
+oci iam policy list --compartment-id <TENANCY_OCID> --all \
+  --query "data[?contains(to_string(statements), 'manage all-resources') || contains(to_string(statements), 'any-user')].{name:name,statements:statements}"
+```

package/skills/oci/oci-live-iam-policy-compartment-guard/references/rollback-playbook.md ADDED Viewed

@@ -0,0 +1,62 @@
+# Rollback Playbook: OCI Live IAM Policy Compartment Guard
+## Revert to a previous policy version
+OCI does not natively version policies, but you can restore from the prior statements.
+```bash
+# Get current policy statements
+oci iam policy get --policy-id <POLICY_OCID> --query "data.statements"
+# Update the policy with the previous statements
+oci iam policy update \
+  --policy-id <POLICY_OCID> \
+  --statements '["Allow group <previous-group> to <verb> <resource> in <scope>", ...]' \
+  --version-date $(date +%Y-%m-%d) \
+  --force
+```
+## Delete an accidentally created policy
+> ⚠️ **IRREVERSIBILITY WARNING — IAM blast radius**
+>
+> Deleting an IAM policy is **immediate** (eventual consistency: 10–30 seconds globally) and
+> may revoke access to running production workloads before any operator can react.
+> The `--force` flag below suppresses the OCI CLI's interactive confirmation prompt.
+>
+> **Required pre-delete confirmation steps** — do not skip:
+>
+> 1. Run `oci iam policy get --policy-id <POLICY_OCID>` and inspect the statements.
+> 2. Confirm the displayed `name` and `compartment-id` match the policy you intend to delete.
+> 3. Confirm in writing (chat, ticket, change record) that the policy is not in active use:
+>    `oci search resource structured-search --query-text "query policy resources where compartmentId = '<compartment>'"`
+> 4. If unsure, prefer `oci iam policy update` to empty the `statements` array first
+>    (reversible) before issuing the `delete` command.
+>
+> Only after all four steps are complete should the `delete --force` command be executed.
+```bash
+# Step 1: Confirm the target policy
+oci iam policy get --policy-id <POLICY_OCID> --query "data.{name:name,compartment:\"compartment-id\",statements:statements}"
+# Step 2: Only after operator confirmation — delete
+oci iam policy delete --policy-id <POLICY_OCID> --force
+```
+## Remove a group member added by mistake (privilege de-escalation)
+```bash
+# Find the user's group membership
+oci iam group list-users --group-id <GROUP_OCID> \
+  --query "data[?name=='<USERNAME>'].id"
+# Remove from group
+oci iam group remove-user --group-id <GROUP_OCID> --user-id <USER_OCID>
+```
+## Rollback limitations
+- OCI IAM has eventual consistency — policy changes may take up to 10–30 seconds to propagate globally.
+- There is no automated version history for policies — maintain external backups of policy statements.
+- Removing a policy statement may immediately break running workloads that depend on that grant.
+- Break-glass tenancy-root admin changes require emptying the `<iam-tenancy-admins>` group immediately after use.

package/skills/oci/oci-live-oke-rollout-guard/SKILL.md ADDED Viewed

@@ -0,0 +1,49 @@
+---
+name: oci-live-oke-rollout-guard
+description: Guard OKE deployment rollouts via DevOps Service approval stages with canary and blue-green evidence, rollout health verification, and kubectl rollout undo gates.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+# OCI Live OKE Rollout Guard
+## Purpose
+Act as the guarded live OCI operator for oci-live-oke-rollout-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+## When to use
+Use this skill when:
+- an OKE deployment rollout must advance through a DevOps Service pipeline approval stage
+- a blue-green or canary OKE deployment is in flight and the operator must decide to promote or rollback
+- a kubectl rollout is paused on a live OKE cluster and an undo or resume decision is required
+## Lean operating rules
+- Prefer OCI CLI (`oci`) official documentation when available; fall back to Oracle Cloud docs and sanitized user evidence.
+- Do not execute a live OCI change until tenancy, compartment, active principal, and resource ownership are explicit.
+- Prefer plan, detect-drift, inspect, read, describe, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, API keys, tenancy OCIDs, private key contents, or raw config values. Summarize sanitized evidence only.
+- Load references only when needed.
+## References
+Load these only when needed:
+- [Preflight commands](references/preflight-commands.md) — OCI CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — OCI IAM policy statements and dynamic group guidance.
+- [Official sources](references/official-sources.md) — authoritative OCI documentation links.
+## Response minimum
+Return, at minimum:
+- confirmed tenancy, compartment, and active principal
+- preflight evidence (plan output, drift result, inspect/read, health check)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason

package/skills/oci/oci-live-oke-rollout-guard/metadata.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "id": "oci-live-oke-rollout-guard",
+  "name": "OCI Live OKE Rollout Guard",
+  "type": "skill",
+  "provider": "oci",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Guard OKE deployment rollouts via DevOps Service approval stages with canary and blue-green evidence, rollout health verification, and kubectl rollout undo gates.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.oracle.com/en-us/iaas/Content/devops/using/deploy_oke.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/devops/using/bgoke_deploy.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/devops/using/canaryoke_deploy.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengoverview.htm"
+  ],
+  "security_notes": "Never advance an OKE rollout past an approval stage without rollout status and PDB health evidence. kubectl rollout undo is irreversible in the sense that the prior version may not be identical to the deployed artifact \u2014 confirm target revision before undo.",
+  "last_verified": "2026-04-30",
+  "path": "skills/oci/oci-live-oke-rollout-guard",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/oci/oci-live-oke-rollout-guard/references/official-sources.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Official Sources: OCI Live OKE Rollout Guard
+## OCI Container Engine for Kubernetes (OKE)
+- https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengoverview.htm
+- https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengupgradingk8sworkernode.htm
+- https://docs.oracle.com/en-us/iaas/Content/DevOps/Concepts/devopsoverview.htm
+## Kubernetes rolling updates
+- https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment
+- https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-back-a-deployment
+- https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+## Source-grounding rule
+Use official Oracle Cloud Infrastructure and Kubernetes.io documentation as source of truth.
+OCI DevOps pipeline stage configuration details must be verified from current OCI docs.

package/skills/oci/oci-live-oke-rollout-guard/references/permission-model.md ADDED Viewed

@@ -0,0 +1,80 @@
+# Permission Model: OCI Live OKE Rollout Guard
+## 3-tier IAM separation
+| Tier | Group/Principal | Verb | Scope |
+|------|----------------|------|-------|
+| Audit | `<oke-auditors>` | read | `<prod-compartment>` |
+| Operator | `<oke-operators>` | read + use devops | `<prod-compartment>` |
+| Admin | `<oke-admins>` | use cluster + manage node-pools | `<prod-compartment>` |
+| Pipeline | `<devops-pipeline-runners>` (dynamic group) | use cluster + manage node-pools | `<prod-compartment>` |
+## OKE cluster read (no deploy rights)
+```
+Allow group <oke-auditors> to read clusters in compartment <prod-compartment>
+Allow group <oke-auditors> to read cluster-node-pools in compartment <prod-compartment>
+```
+## DevOps pipeline read + deployment use
+```
+Allow group <oke-operators> to read devops-pipelines in compartment <prod-compartment>
+Allow group <oke-operators> to read devops-deployments in compartment <prod-compartment>
+Allow group <oke-operators> to use devops-deployments in compartment <prod-compartment>
+```
+## OKE admin (use, NOT manage — cannot delete clusters)
+```
+Allow group <oke-admins> to use clusters in compartment <prod-compartment>
+Allow group <oke-admins> to manage cluster-node-pools in compartment <prod-compartment>
+```
+## DevOps pipeline dynamic group
+```
+Allow dynamic-group <devops-pipeline-runners> to use cluster in compartment <prod-compartment>
+Allow dynamic-group <devops-pipeline-runners> to manage cluster-node-pools in compartment <prod-compartment>
+```
+`use cluster` (not `manage cluster`) for the pipeline: `manage` grants cluster termination rights.
+## Service-principal policies (required for OKE and DevOps services)
+```
+Allow service OKE to manage cluster-node-pools in compartment <prod-compartment>
+Allow service OKE to use virtual-network-family in compartment <prod-compartment>
+Allow service OKE to manage instance-family in compartment <prod-compartment>
+  where target.resource.tag.Operations.OkeManaged.value = 'true'
+Allow service devops to use ons-topics in compartment <prod-compartment>
+Allow service devops to manage repos in compartment <prod-compartment>
+Allow service devops to read secret-family in compartment <prod-compartment>
+```
+The `OkeManaged = 'true'` tag prevents the OKE service principal from acting on
+instances outside of managed node pools.
+## Do not use
+```
+# FORBIDDEN
+Allow group <oke-operators> to manage clusters in compartment prod
+Allow dynamic-group <all-instances> to manage all-resources in compartment prod
+```
+## Kubernetes RBAC (in-cluster, namespace-scoped)
+```yaml
+rules:
+- apiGroups: ["apps"]
+  resources: ["deployments", "replicasets"]
+  verbs: ["get", "list", "watch", "patch", "update"]
+- apiGroups: [""]
+  resources: ["pods", "pods/log", "services"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["policy"]
+  resources: ["poddisruptionbudgets"]
+  verbs: ["get", "list"]
+```

package/skills/oci/oci-live-oke-rollout-guard/references/preflight-commands.md ADDED Viewed

@@ -0,0 +1,55 @@
+# Preflight Commands: OCI Live OKE Rollout Guard
+Run these before any OKE rollout mutation. Paste sanitized output as evidence.
+## 1. Confirm identity and compartment target
+```bash
+oci iam region-subscription list
+oci ce cluster list \
+  --compartment-id <COMPARTMENT_OCID> \
+  --query "data[].{name:name,id:id,lifecycleState:\"lifecycle-state\",kubernetesVersion:\"kubernetes-version\"}"
+```
+## 2. Get cluster kubeconfig
+```bash
+oci ce cluster create-kubeconfig \
+  --cluster-id <CLUSTER_OCID> \
+  --file ~/.kube/config \
+  --region <REGION> \
+  --token-version 2.0.0
+kubectl config current-context
+```
+## 3. Check node pool health
+```bash
+oci ce node-pool list \
+  --cluster-id <CLUSTER_OCID> \
+  --compartment-id <COMPARTMENT_OCID> \
+  --query "data[].{name:name,id:id,lifecycleState:\"lifecycle-state\",quantityPerSubnet:\"quantity-per-subnet\"}"
+kubectl get nodes -o wide
+```
+## 4. Check PodDisruptionBudgets
+```bash
+kubectl get pdb -n <NAMESPACE> -o wide
+```
+## 5. Check current deployment rollout status
+```bash
+kubectl rollout status deployment/<DEPLOYMENT_NAME> -n <NAMESPACE>
+kubectl get deployment <DEPLOYMENT_NAME> -n <NAMESPACE> \
+  -o jsonpath='{.spec.strategy.rollingUpdate}'
+```
+## 6. Verify DevOps pipeline approval stage is configured
+```bash
+oci devops deployment-pipeline list \
+  --project-id <PROJECT_OCID> \
+  --query "data[].{displayName:\"display-name\",id:id,lifecycleState:\"lifecycle-state\"}"
+```

package/skills/oci/oci-live-oke-rollout-guard/references/rollback-playbook.md ADDED Viewed

@@ -0,0 +1,45 @@
+# Rollback Playbook: OCI Live OKE Rollout Guard
+## Rollback a Kubernetes deployment to the previous revision
+```bash
+# Pause rollout immediately
+kubectl rollout pause deployment/<DEPLOYMENT_NAME> -n <NAMESPACE>
+# Check rollout history
+kubectl rollout history deployment/<DEPLOYMENT_NAME> -n <NAMESPACE>
+# Undo to previous revision
+kubectl rollout undo deployment/<DEPLOYMENT_NAME> -n <NAMESPACE>
+# Or undo to a specific revision
+kubectl rollout undo deployment/<DEPLOYMENT_NAME> -n <NAMESPACE> --to-revision=<N>
+# Verify
+kubectl rollout status deployment/<DEPLOYMENT_NAME> -n <NAMESPACE>
+```
+## Cancel an in-flight DevOps pipeline deployment
+```bash
+oci devops deployment list \
+  --deployment-pipeline-id <PIPELINE_OCID> \
+  --query "data[?\"lifecycle-state\"=='IN_PROGRESS'].{id:id,displayName:\"display-name\"}"
+oci devops deployment cancel --deployment-id <DEPLOYMENT_OCID> --force
+```
+## Rollback a node pool version upgrade
+```bash
+oci ce node-pool update \
+  --node-pool-id <NODE_POOL_OCID> \
+  --kubernetes-version <PREVIOUS_VERSION>
+```
+## Rollback limitations
+- `kubectl rollout undo` reverts the pod template spec only — does not revert ConfigMaps, Secrets, or database schema migrations.
+- DevOps pipeline deployment cancellation stops future stages but does not undo already-applied Kubernetes resources.
+- Node pool version downgrade is not supported by OCI — you can only go to an equal or newer Kubernetes version.
+- If the cluster upgrade (control plane version) was applied, it cannot be rolled back.

package/skills/oci/oci-live-resource-manager-stack-guard/SKILL.md ADDED Viewed

@@ -0,0 +1,49 @@
+---
+name: oci-live-resource-manager-stack-guard
+description: Guard OCI Resource Manager stack plan, apply, and destroy jobs with drift detection, state-version rollback, stack auto-lock awareness, and approval gates.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+# OCI Live Resource Manager Stack Guard
+## Purpose
+Act as the guarded live OCI operator for oci-live-resource-manager-stack-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+## When to use
+Use this skill when:
+- an OCI Resource Manager stack apply or destroy job must be run against a live environment
+- drift has been detected on a stack and resolution requires an apply job with human approval
+- a Resource Manager stack state must be inspected, imported, or rolled back after a partial apply
+## Lean operating rules
+- Prefer OCI CLI (`oci`) official documentation when available; fall back to Oracle Cloud docs and sanitized user evidence.
+- Do not execute a live OCI change until tenancy, compartment, active principal, and resource ownership are explicit.
+- Prefer plan, detect-drift, inspect, read, describe, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, API keys, tenancy OCIDs, private key contents, or raw config values. Summarize sanitized evidence only.
+- Load references only when needed.
+## References
+Load these only when needed:
+- [Preflight commands](references/preflight-commands.md) — OCI CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — OCI IAM policy statements and dynamic group guidance.
+- [Official sources](references/official-sources.md) — authoritative OCI documentation links.
+## Response minimum
+Return, at minimum:
+- confirmed tenancy, compartment, and active principal
+- preflight evidence (plan output, drift result, inspect/read, health check)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason

package/skills/oci/oci-live-resource-manager-stack-guard/metadata.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "id": "oci-live-resource-manager-stack-guard",
+  "name": "OCI Live Resource Manager Stack Guard",
+  "type": "skill",
+  "provider": "oci",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Guard OCI Resource Manager stack plan, apply, and destroy jobs with drift detection, state-version rollback, stack auto-lock awareness, and approval gates.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/detect-drift.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/create-job-lock-file.htm",
+    "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/home.htm"
+  ],
+  "security_notes": "OCI Resource Manager auto-locks a stack state during job execution. Never approve an apply or destroy job without a plan-job output review and drift detection evidence. Repo write access does not authorize live OCI infrastructure mutations.",
+  "last_verified": "2026-04-30",
+  "path": "skills/oci/oci-live-resource-manager-stack-guard",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/oci/oci-live-resource-manager-stack-guard/references/official-sources.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Official Sources: OCI Live Resource Manager Stack Guard
+## OCI Resource Manager
+- https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm
+- https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/creatingjobs.htm
+- https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/managingstacksandjobs.htm
+## Source-grounding rule
+Use official Oracle Cloud Infrastructure documentation as the source of truth for Resource Manager behavior.
+Terraform version support and job type capabilities must be verified from current OCI docs.

package/skills/oci/oci-live-resource-manager-stack-guard/references/permission-model.md ADDED Viewed

@@ -0,0 +1,70 @@
+# Permission Model: OCI Live Resource Manager Stack Guard
+## OCI verb hierarchy reminder
+`inspect` ⊂ `read` ⊂ `use` ⊂ `manage`
+## 3-tier separation
+| Tier | Group | Verb | Scope |
+|------|-------|------|-------|
+| Auditor | `<rms-auditors>` | inspect / read | `<prod-compartment>` |
+| Planner | `<rms-planners>` | use | `<prod-compartment>` |
+| Operator | `<rms-operators>` | manage | `<prod-compartment>` |
+## Baseline read policy (auditors — no mutation)
+```
+Allow group <rms-auditors> to inspect orm-stacks in compartment <prod-compartment>
+Allow group <rms-auditors> to read orm-stacks in compartment <prod-compartment>
+Allow group <rms-auditors> to inspect orm-jobs in compartment <prod-compartment>
+Allow group <rms-auditors> to read orm-jobs in compartment <prod-compartment>
+```
+## Plan-only policy (create plan jobs, cannot apply or destroy)
+```
+Allow group <rms-planners> to use orm-stacks in compartment <prod-compartment>
+Allow group <rms-planners> to use orm-jobs in compartment <prod-compartment>
+```
+## Full operator policy (apply + destroy — gate with approval workflow)
+```
+Allow group <rms-operators> to manage orm-stacks in compartment <prod-compartment>
+Allow group <rms-operators> to manage orm-jobs in compartment <prod-compartment>
+```
+## Dynamic group for CI/CD instance principal
+```
+Any {instance.compartment.id = '<compartment_ocid>', tag.Operations.Role.value = 'rms-runner'}
+Allow dynamic-group <rms-runners> to manage orm-stacks in compartment <prod-compartment>
+Allow dynamic-group <rms-runners> to manage orm-jobs in compartment <prod-compartment>
+```
+## Service-principal policies (Resource Manager service itself)
+```
+Allow service ResourceManager to manage orm-stacks in compartment <prod-compartment>
+Allow service ResourceManager to read secret-family in compartment <prod-compartment>
+Allow service ResourceManager to use tag-namespaces in tenancy
+```
+Add resource-type rights for whatever the stack provisions, e.g.
+`Allow service ResourceManager to manage instance-family in compartment <X>`.
+Do not grant `manage all-resources` even to the service principal.
+## Platform concurrency note
+OCI Resource Manager allows only one running job at a time per stack.
+This is platform-enforced — no additional concurrency control is needed.
+## Do not use
+```
+# FORBIDDEN
+Allow any-user to manage all-resources in tenancy
+Allow group <rms-operators> to manage all-resources in compartment prod
+```

package/skills/oci/oci-live-resource-manager-stack-guard/references/preflight-commands.md ADDED Viewed

@@ -0,0 +1,57 @@
+# Preflight Commands: OCI Live Resource Manager Stack Guard
+Run these before any Resource Manager stack mutation. Paste sanitized output as evidence.
+## 1. Confirm identity and compartment
+```bash
+oci iam region-subscription list
+oci resource-manager stack list \
+  --compartment-id <COMPARTMENT_OCID> \
+  --query "data[].{displayName:\"display-name\",id:id,lifecycleState:\"lifecycle-state\",terraformVersion:\"terraform-version\"}"
+```
+## 2. Inspect stack current state
+```bash
+oci resource-manager stack get \
+  --stack-id <STACK_OCID> \
+  --query "data.{displayName:\"display-name\",lifecycleState:\"lifecycle-state\",variables:variables,freeformTags:\"freeform-tags\"}"
+```
+## 3. List recent jobs on the stack
+```bash
+oci resource-manager job list \
+  --stack-id <STACK_OCID> \
+  --sort-by TIMECREATED \
+  --sort-order DESC \
+  --limit 5 \
+  --query "data[].{operation:operation,lifecycleState:\"lifecycle-state\",timeCreated:\"time-created\",id:id}"
+```
+## 4. Run a plan job (dry-run) before apply
+```bash
+oci resource-manager job create-plan-job \
+  --stack-id <STACK_OCID> \
+  --display-name "preflight-plan-$(date +%Y%m%d%H%M)" \
+  --wait-for-state SUCCEEDED \
+  --max-wait-seconds 600
+# Get plan output (Terraform plan log)
+oci resource-manager job get-job-logs \
+  --job-id <PLAN_JOB_OCID> \
+  --query "data[].message"
+```
+## 5. Check for stack drift
+```bash
+oci resource-manager stack detect-drift \
+  --stack-id <STACK_OCID> \
+  --wait-for-state SUCCEEDED \
+  --max-wait-seconds 300
+oci resource-manager stack list-resource-drift-details \
+  --stack-id <STACK_OCID>
+```

package/skills/oci/oci-live-resource-manager-stack-guard/references/rollback-playbook.md ADDED Viewed

@@ -0,0 +1,51 @@
+# Rollback Playbook: OCI Live Resource Manager Stack Guard
+## Cancel an in-progress job
+```bash
+# Find in-progress job
+oci resource-manager job list \
+  --stack-id <STACK_OCID> \
+  --query "data[?\"lifecycle-state\"=='IN_PROGRESS'].{id:id,operation:operation}"
+# Cancel
+oci resource-manager job cancel \
+  --job-id <JOB_OCID> \
+  --force
+```
+## Revert by applying a previous Terraform state (rollback apply)
+```bash
+# Create a new apply job targeting the rollback config
+oci resource-manager job create-apply-job \
+  --stack-id <STACK_OCID> \
+  --display-name "rollback-apply-$(date +%Y%m%d%H%M)" \
+  --execution-plan-strategy FROM_PLAN_JOB_ID \
+  --execution-plan-job-id <PRIOR_PLAN_JOB_OCID> \
+  --wait-for-state SUCCEEDED \
+  --max-wait-seconds 1800
+```
+## Run a destroy job (full teardown — use with extreme caution)
+```bash
+# Plan the destroy first
+oci resource-manager job create-plan-destroy-job \
+  --stack-id <STACK_OCID> \
+  --wait-for-state SUCCEEDED
+# Approve and execute destroy
+oci resource-manager job create-destroy-job \
+  --stack-id <STACK_OCID> \
+  --execution-plan-strategy FROM_PLAN_JOB_ID \
+  --execution-plan-job-id <DESTROY_PLAN_JOB_OCID> \
+  --wait-for-state SUCCEEDED
+```
+## Rollback limitations
+- Resource Manager only allows one running job per stack — a new job cannot start while one is in progress.
+- Cancelling a job stops future Terraform operations but does not revert resources already created/modified.
+- Stateful resources (databases, block volumes, object storage buckets with data) cannot be reverted by Terraform rollback.
+- Terraform state can diverge from actual resource state if a job was cancelled mid-run — run drift detection before the next apply.