@raishin/vanguard-frontier-agentic 1.1.0 → 1.3.0

package/skills/azure/azure-live-aks-rollout-guard/references/rollback-playbook.md

@@ -0,0 +1,38 @@
+# Rollback Playbook: Azure Live AKS Rollout Guard
+
+## Immediate rollback — undo to previous ReplicaSet
+
+```bash
+# Pause the rollout first to stop further progress
+kubectl rollout pause deployment/<DEPLOYMENT_NAME> -n <NAMESPACE>
+
+# Check rollout history to identify the target revision
+kubectl rollout history deployment/<DEPLOYMENT_NAME> -n <NAMESPACE>
+
+# Undo to the immediately prior revision
+kubectl rollout undo deployment/<DEPLOYMENT_NAME> -n <NAMESPACE>
+
+# Or undo to a specific revision
+kubectl rollout undo deployment/<DEPLOYMENT_NAME> -n <NAMESPACE> --to-revision=<N>
+```
+
+## Verify rollback success
+
+```bash
+kubectl rollout status deployment/<DEPLOYMENT_NAME> -n <NAMESPACE>
+kubectl get pods -n <NAMESPACE> -o wide
+kubectl describe deployment <DEPLOYMENT_NAME> -n <NAMESPACE> | grep -A 5 "Conditions:"
+```
+
+## Rollback limitations
+
+- `kubectl rollout undo` reverts the pod template spec only (image, env, volumes).
+- It does NOT revert ConfigMaps, Secrets, PVCs, or Service endpoint changes.
+- If a schema migration ran as an init container, the rollback will reuse the new schema.
+- HPA target replicas and PDB settings are not reverted by `rollout undo`.
+
+## Escalation path
+
+1. If rollback leaves pods in `CrashLoopBackOff`: check logs with `kubectl logs <POD> -n <NAMESPACE> --previous`
+2. If node is under memory pressure: drain the node with `kubectl drain <NODE> --ignore-daemonsets`
+3. If the cluster is unresponsive: escalate to AKS support via Azure portal → cluster → Support + troubleshooting

package/skills/azure/azure-live-app-service-slot-swap-guard/SKILL.md

@@ -0,0 +1,49 @@
+---
+name: azure-live-app-service-slot-swap-guard
+description: Guard live App Service slot swaps with sticky-settings audit, warmup probe verification, swap-with-preview staging, and instant rollback posture.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+
+# Azure Live App Service Slot Swap Guard
+
+## Purpose
+
+Act as the guarded live Azure operator for azure-live-app-service-slot-swap-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+
+## When to use
+
+Use this skill when:
+
+- an App Service slot swap to production must be staged and committed against a live environment
+- sticky settings or connection strings differ between slots and the operator must audit before swap
+- a swap-with-preview is in progress and the operator must decide to complete or reset
+
+## Lean operating rules
+
+- Prefer Azure CLI (`az`) official documentation when available; fall back to Microsoft Learn docs and sanitized user evidence.
+- Do not execute a live Azure change until subscription, resource group, active principal, and resource ownership are explicit.
+- Prefer what-if, preview, describe, status, dry-run, plan, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, access tokens, connection strings, or raw environment values. Summarize sanitized evidence only.
+- Load references only when needed.
+
+## References
+
+Load these only when needed:
+
+- [Preflight commands](references/preflight-commands.md) — CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — RBAC role definitions and PIM guidance.
+- [Official sources](references/official-sources.md) — authoritative Azure documentation links.
+
+## Response minimum
+
+Return, at minimum:
+
+- confirmed target subscription, resource group, and principal
+- preflight evidence (what-if diff, status, health check, or plan output)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason

package/skills/azure/azure-live-app-service-slot-swap-guard/metadata.json

@@ -0,0 +1,26 @@
+{
+  "id": "azure-live-app-service-slot-swap-guard",
+  "name": "Azure Live App Service Slot Swap Guard",
+  "type": "skill",
+  "provider": "azure",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Guard live App Service slot swaps with sticky-settings audit, warmup probe verification, swap-with-preview staging, and instant rollback posture.",
+  "source_type": "original",
+  "official_docs": [
+    "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots",
+    "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
+    "https://learn.microsoft.com/en-us/azure/app-service/configure-common"
+  ],
+  "security_notes": "Never perform a production slot swap without sticky-settings diff audit and warmup health confirmation. A bad swap with no rollback plan can take a production app offline instantly.",
+  "last_verified": "2026-04-30",
+  "path": "skills/azure/azure-live-app-service-slot-swap-guard",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/azure/azure-live-app-service-slot-swap-guard/references/official-sources.md

@@ -0,0 +1,12 @@
+# Official Sources: Azure Live App Service Slot Swap Guard
+
+## App Service staging slots
+
+- https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots
+- https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots#swap-operation-steps
+- https://learn.microsoft.com/en-us/azure/app-service/configure-common
+
+## Source-grounding rule
+
+Use official Microsoft Learn documentation as the source of truth for App Service behavior.
+Slot-sticky setting behavior must be verified from official docs before every swap operation.

package/skills/azure/azure-live-app-service-slot-swap-guard/references/permission-model.md

@@ -0,0 +1,40 @@
+# Permission Model: Azure Live App Service Slot Swap Guard
+
+## Custom role — slot swap only, no config writes
+
+```json
+{
+  "Name": "App Service Slot Swap Guard",
+  "IsCustom": true,
+  "Description": "Read App Service slot config and perform staged swap. No write to app settings or deployment config.",
+  "Actions": [
+    "Microsoft.Web/sites/read",
+    "Microsoft.Web/sites/slots/read",
+    "Microsoft.Web/sites/slots/config/read",
+    "Microsoft.Web/sites/slots/slotsswap/action",
+    "Microsoft.Web/sites/slotsswap/action",
+    "Microsoft.Web/sites/config/read"
+  ],
+  "NotActions": [
+    "Microsoft.Web/sites/config/write",
+    "Microsoft.Web/sites/slots/config/write",
+    "Microsoft.Web/sites/delete",
+    "Microsoft.Web/sites/slots/delete"
+  ],
+  "AssignableScopes": [
+    "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<TARGET_RG>/providers/Microsoft.Web/sites/<APP_NAME>"
+  ]
+}
+```
+
+## Nearest built-in alternative
+
+`Website Contributor` includes swap rights but also allows config writes.
+Use only when custom role scope is impractical — and scope it to the single App Service, not the resource group.
+
+## Do not assign
+
+- `Owner` on the App Service — allows deletion
+- `Microsoft.Web/sites/config/write` without a change-management gate
+- `Microsoft.Web/sites/slots/delete` — slot deletion is irreversible and must not be in the swap role
+- Subscription-level `Website Contributor` for routine swap operations

package/skills/azure/azure-live-app-service-slot-swap-guard/references/preflight-commands.md

@@ -0,0 +1,46 @@
+# Preflight Commands: Azure Live App Service Slot Swap Guard
+
+Run these before initiating a slot swap. Paste sanitized output as evidence.
+
+## 1. Confirm identity and App Service target
+
+```bash
+az account show --query "{subscription:id, name:name, user:user.name}"
+az webapp show -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --query "{name:name, state:properties.state, hostNames:properties.hostNames}"
+```
+
+## 2. List all slots and their current traffic weights
+
+```bash
+az webapp deployment slot list -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --query "[].{name:name, state:properties.state}"
+az webapp traffic-routing show -g <RESOURCE_GROUP> -n <APP_NAME>
+```
+
+## 3. Compare app settings between slots
+
+```bash
+az webapp config appsettings list -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --slot staging --query "[].{name:name, slotSetting:slotSetting}"
+az webapp config appsettings list -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --query "[].{name:name, slotSetting:slotSetting}"
+```
+
+Pay special attention to `slotSetting: false` — those settings WILL swap with the slot.
+Settings with `slotSetting: true` are slot-sticky and will NOT be swapped.
+
+## 4. Check slot health before swap
+
+```bash
+az webapp show -g <RESOURCE_GROUP> -n <APP_NAME> --slot staging \
+  --query "{state:properties.state, availabilityState:properties.availabilityState}"
+# State must be "Running" and availabilityState must be "Normal" before swap
+```
+
+## 5. Review connection strings
+
+```bash
+az webapp config connection-string list -g <RESOURCE_GROUP> -n <APP_NAME> --slot staging \
+  --query "[].{name:name, type:type, slotSetting:slotSetting}"
+```

package/skills/azure/azure-live-app-service-slot-swap-guard/references/rollback-playbook.md

@@ -0,0 +1,46 @@
+# Rollback Playbook: Azure Live App Service Slot Swap Guard
+
+## Immediate swap-back (standard rollback path)
+
+The swap operation is symmetric — a second swap returns both slots to their original state.
+
+```bash
+# Verify current slot state before swapping back
+az webapp show -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --query "{hostNames:properties.hostNames}"
+az webapp show -g <RESOURCE_GROUP> -n <APP_NAME> --slot staging \
+  --query "{hostNames:properties.hostNames}"
+
+# Swap back: production → staging (reverts the original swap)
+az webapp deployment slot swap \
+  -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --slot staging \
+  --target-slot production
+```
+
+## Verify after rollback
+
+```bash
+az webapp show -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --query "{state:properties.state, defaultHostName:properties.defaultHostName}"
+# Check application health endpoint
+curl -s https://<APP_NAME>.azurewebsites.net/health
+```
+
+## Traffic shifting (partial rollback via A/B routing)
+
+```bash
+# Route 10% of traffic to staging while investigating
+az webapp traffic-routing set -g <RESOURCE_GROUP> -n <APP_NAME> \
+  --distribution staging=10
+
+# Return all traffic to production
+az webapp traffic-routing clear -g <RESOURCE_GROUP> -n <APP_NAME>
+```
+
+## Rollback limitations
+
+- Slot swap is symmetric and reversible **only if you swap back before a second swap**.
+- App settings with `slotSetting: false` were swapped — they will swap back.
+- Any data written by the new code version to a shared database or storage is NOT rolled back by swapping.
+- Log stream evidence must be captured before initiating a rollback; logs do not travel with slot state.

package/skills/azure/azure-live-arm-deployment-stack-guard/SKILL.md

@@ -0,0 +1,49 @@
+---
+name: azure-live-arm-deployment-stack-guard
+description: Guard live ARM, Bicep, and Deployment Stack changes with what-if evidence, denySettings review, changeset diff, rollback posture, and approval gates.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+
+# Azure Live ARM Deployment Stack Guard
+
+## Purpose
+
+Act as the guarded live Azure operator for azure-live-arm-deployment-stack-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+
+## When to use
+
+Use this skill when:
+
+- an ARM or Bicep deployment must be previewed and possibly executed against a live Azure environment
+- the session involves Deployment Stacks with denySettings and protected resource scopes
+- a human needs guarded execution help with change evidence and rollback design
+
+## Lean operating rules
+
+- Prefer Azure CLI (`az`) official documentation when available; fall back to Microsoft Learn docs and sanitized user evidence.
+- Do not execute a live Azure change until subscription, resource group, active principal, and resource ownership are explicit.
+- Prefer what-if, preview, describe, status, dry-run, plan, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, access tokens, connection strings, or raw environment values. Summarize sanitized evidence only.
+- Load references only when needed.
+
+## References
+
+Load these only when needed:
+
+- [Preflight commands](references/preflight-commands.md) — CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — RBAC role definitions and PIM guidance.
+- [Official sources](references/official-sources.md) — authoritative Azure documentation links.
+
+## Response minimum
+
+Return, at minimum:
+
+- confirmed target subscription, resource group, and principal
+- preflight evidence (what-if diff, status, health check, or plan output)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason

package/skills/azure/azure-live-arm-deployment-stack-guard/metadata.json

@@ -0,0 +1,27 @@
+{
+  "id": "azure-live-arm-deployment-stack-guard",
+  "name": "Azure Live ARM Deployment Stack Guard",
+  "type": "skill",
+  "provider": "azure",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Guard live ARM, Bicep, and Deployment Stack changes with what-if evidence, denySettings review, changeset diff, rollback posture, and approval gates.",
+  "source_type": "original",
+  "official_docs": [
+    "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if",
+    "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks",
+    "https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments",
+    "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices"
+  ],
+  "security_notes": "Never execute an ARM or Deployment Stack change without what-if evidence, confirmed target scope, denySettings review, and explicit human approval. Repo write access does not authorize live Azure mutations.",
+  "last_verified": "2026-04-30",
+  "path": "skills/azure/azure-live-arm-deployment-stack-guard",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/azure/azure-live-arm-deployment-stack-guard/references/official-sources.md

@@ -0,0 +1,17 @@
+# Official Sources: Azure Live ARM Deployment Stack Guard
+
+## ARM and Bicep deployments
+
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/rollback-on-error
+
+## Deployment Stacks
+
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks-scenarios
+
+## Source-grounding rule
+
+Use official Microsoft Learn documentation as source of truth for ARM and Bicep behavior.
+Always verify what-if output against live resource state, not just template assumptions.

package/skills/azure/azure-live-arm-deployment-stack-guard/references/permission-model.md

@@ -0,0 +1,68 @@
+# Permission Model: Azure Live ARM Deployment Stack Guard
+
+## Custom role — what-if and stack write, stack deletion excluded
+
+```json
+{
+  "Name": "ARM Deployment Stack Guard",
+  "IsCustom": true,
+  "Description": "Minimum rights for guarded ARM what-if and Deployment Stack changes in one target resource group. Stack deletion is EXCLUDED — it requires a separate PIM-elevated role.",
+  "Actions": [
+    "Microsoft.Resources/deployments/read",
+    "Microsoft.Resources/deployments/write",
+    "Microsoft.Resources/deployments/whatIf/action",
+    "Microsoft.Resources/deploymentStacks/read",
+    "Microsoft.Resources/deploymentStacks/write",
+    "Microsoft.Resources/subscriptions/resourceGroups/read"
+  ],
+  "NotActions": [
+    "Microsoft.Resources/deploymentStacks/delete"
+  ],
+  "DataActions": [],
+  "NotDataActions": [],
+  "AssignableScopes": [
+    "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<TARGET_RG>"
+  ]
+}
+```
+
+`deploymentStacks/delete` is in `NotActions`. Stack deletion requires a separate
+PIM-eligible role activated only for confirmed decommission windows (see below).
+
+## PIM-elevated delete role (activate only for planned decommission)
+
+```json
+{
+  "Name": "ARM Deployment Stack Delete (PIM)",
+  "IsCustom": true,
+  "Description": "Stack deletion only. Must be PIM-activated with approval and time-bound to a decommission window.",
+  "Actions": [
+    "Microsoft.Resources/deploymentStacks/read",
+    "Microsoft.Resources/deploymentStacks/delete"
+  ],
+  "NotActions": [],
+  "AssignableScopes": [
+    "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<TARGET_RG>"
+  ]
+}
+```
+
+Assign as **PIM-eligible only**. Require manager approval. Maximum 2-hour activation.
+
+## Deployment Stacks denySettings recommendation
+
+```bash
+az deployment-stack group create \
+  --deny-settings-mode denyDelete \
+  --deny-settings-apply-to-child-scopes \
+  ...
+```
+
+Use `denyWriteAndDelete` for compliance-mandated immutable resources.
+
+## Do not assign
+
+- `Owner` at subscription scope
+- `Contributor` at management-group scope
+- `Microsoft.Resources/*` wildcards
+- `Microsoft.Authorization/roleAssignments/write` (privilege escalation risk)

package/skills/azure/azure-live-arm-deployment-stack-guard/references/preflight-commands.md

@@ -0,0 +1,55 @@
+# Preflight Commands: Azure Live ARM Deployment Stack Guard
+
+Run these before any ARM or Deployment Stack mutation. Paste sanitized output as evidence.
+
+## 1. Confirm identity and subscription target
+
+```bash
+az account show --query "{subscription:id, name:name, user:user.name}"
+az group show -n <RESOURCE_GROUP> --query "{name:name, location:location, provisioningState:properties.provisioningState}"
+```
+
+## 2. Run what-if before any deployment
+
+```bash
+# ARM template what-if
+az deployment group what-if \
+  -g <RESOURCE_GROUP> \
+  --template-file <TEMPLATE.json> \
+  --parameters @<PARAMS.json>
+
+# Bicep what-if
+az deployment group what-if \
+  -g <RESOURCE_GROUP> \
+  --template-file <TEMPLATE.bicep> \
+  --parameters @<PARAMS.bicepparam>
+```
+
+Review the what-if output for resource replacements (marked with `~` or `-/+`).
+Any replacement of a stateful resource (database, storage, Key Vault) must be
+explicitly approved before proceeding.
+
+## 3. Inspect existing Deployment Stack state
+
+```bash
+az deployment-stack group show \
+  -n <STACK_NAME> \
+  -g <RESOURCE_GROUP> \
+  --query "{provisioningState:provisioningState, denySettings:properties.denySettings, resources:properties.resources[].id}"
+```
+
+## 4. List managed resources and their protection status
+
+```bash
+az deployment-stack group show -n <STACK_NAME> -g <RESOURCE_GROUP> \
+  --query "properties.resources[].{id:id, denyStatus:denyStatus}"
+```
+
+## 5. Validate the template without deploying
+
+```bash
+az deployment group validate \
+  -g <RESOURCE_GROUP> \
+  --template-file <TEMPLATE.json> \
+  --parameters @<PARAMS.json>
+```

package/skills/azure/azure-live-arm-deployment-stack-guard/references/rollback-playbook.md

@@ -0,0 +1,53 @@
+# Rollback Playbook: Azure Live ARM Deployment Stack Guard
+
+## Cancel an in-progress deployment
+
+```bash
+# List recent deployments to find the in-flight one
+az deployment group list -g <RESOURCE_GROUP> \
+  --query "[?properties.provisioningState=='Running'].{name:name, timestamp:properties.timestamp}"
+
+# Cancel by name
+az deployment group cancel -g <RESOURCE_GROUP> -n <DEPLOYMENT_NAME>
+```
+
+Cancellation is best-effort. Resources already provisioned before cancel are NOT torn down.
+
+## Redeploy the last known-good template version
+
+```bash
+# List deployment history to find the target
+az deployment group list -g <RESOURCE_GROUP> \
+  --query "[].{name:name, state:properties.provisioningState, timestamp:properties.timestamp}" \
+  --output table
+
+# Export the template from a prior successful deployment
+az deployment group export -g <RESOURCE_GROUP> -n <GOOD_DEPLOYMENT_NAME> \
+  --output json > rollback-template.json
+
+# Redeploy
+az deployment group create \
+  -g <RESOURCE_GROUP> \
+  --template-file rollback-template.json \
+  --parameters @<PARAMS.json>
+```
+
+## Deployment Stack — update back to previous config
+
+```bash
+# Re-apply the previous stack config (update, not recreate)
+az deployment-stack group create \
+  -n <STACK_NAME> \
+  -g <RESOURCE_GROUP> \
+  --template-file rollback-template.json \
+  --parameters @<PARAMS.json> \
+  --action-on-unmanage deleteResources \
+  --deny-settings-mode denyDelete
+```
+
+## Rollback limitations
+
+- ARM deployments are additive by default — they do not auto-delete resources added in the failed run.
+- Deployment Stack `deleteResources` on unmanage will delete resources removed from the template.
+- Stateful resources (databases, storage accounts, Key Vaults) cannot be "rolled back" — only re-provisioned from backup.
+- If a resource was replaced (`~` in what-if), the original resource may already be deleted.

package/skills/azure/azure-live-cost-budget-action-guard/SKILL.md

@@ -0,0 +1,49 @@
+---
+name: azure-live-cost-budget-action-guard
+description: Gate Azure budget action changes and GPU/HPC SKU provisioning against approved spend limits, with quota audits and emergency spend-stop playbooks.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+
+# Azure Live Cost Budget Action Guard
+
+## Purpose
+
+Act as the guarded live Azure operator for azure-live-cost-budget-action-guard work. Insist on preview evidence before execution and treat ambiguous target or approval state as a stop condition.
+
+## When to use
+
+Use this skill when:
+
+- a cost budget action threshold or notification must be modified for a subscription or management group
+- a GPU or HPC VM SKU scale-up is requested and spend-limit approval is required
+- a runaway cost event is detected and emergency quota reduction or VM deallocation is needed
+
+## Lean operating rules
+
+- Prefer Azure CLI (`az`) official documentation when available; fall back to Microsoft Learn docs and sanitized user evidence.
+- Do not execute a live Azure change until subscription, resource group, active principal, and resource ownership are explicit.
+- Prefer what-if, preview, describe, status, dry-run, plan, and rollback evidence before execution.
+- If the request skips preview or rollback design, push back.
+- Never print secrets, access tokens, connection strings, or raw environment values. Summarize sanitized evidence only.
+- Load references only when needed.
+
+## References
+
+Load these only when needed:
+
+- [Preflight commands](references/preflight-commands.md) — CLI commands to run before any mutation.
+- [Rollback playbook](references/rollback-playbook.md) — concrete rollback steps for this service.
+- [Permission model](references/permission-model.md) — RBAC role definitions and PIM guidance.
+- [Official sources](references/official-sources.md) — authoritative Azure documentation links.
+
+## Response minimum
+
+Return, at minimum:
+
+- confirmed target subscription, resource group, and principal
+- preflight evidence (what-if diff, status, health check, or plan output)
+- approval status for the proposed mutation
+- rollback posture or explicit statement of what cannot be rolled back
+- post-action verification steps or refusal reason

package/skills/azure/azure-live-cost-budget-action-guard/metadata.json

@@ -0,0 +1,27 @@
+{
+  "id": "azure-live-cost-budget-action-guard",
+  "name": "Azure Live Cost Budget Action Guard",
+  "type": "skill",
+  "provider": "azure",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Gate Azure budget action changes and GPU/HPC SKU provisioning against approved spend limits, with quota audits and emergency spend-stop playbooks.",
+  "source_type": "original",
+  "official_docs": [
+    "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
+    "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits",
+    "https://learn.microsoft.com/en-us/azure/quotas/quickstart-increase-quota-portal",
+    "https://learn.microsoft.com/en-us/azure/cost-management-billing/finops/overview-finops"
+  ],
+  "security_notes": "GPU/HPC SKUs (NDv5, H100, A100) can generate $50K+ daily costs. Never approve quota increases or budget threshold raises without explicit spend-approval sign-off from a financial authority.",
+  "last_verified": "2026-04-30",
+  "path": "skills/azure/azure-live-cost-budget-action-guard",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/azure/azure-live-cost-budget-action-guard/references/official-sources.md

@@ -0,0 +1,17 @@
+# Official Sources: Azure Live Cost Budget Action Guard
+
+## Azure Cost Management budgets
+
+- https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets
+- https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/manage-automation
+- https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/cost-analysis-common-uses
+
+## Azure Quotas and limits
+
+- https://learn.microsoft.com/en-us/azure/quotas/quotas-overview
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
+
+## Source-grounding rule
+
+Use official Microsoft Learn documentation as the source of truth.
+Budget and quota behavior changes with service versions — verify current API behavior against docs.