@raishin/vanguard-frontier-agentic 1.8.0 → 2.0.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "vanguard-frontier-agentic",
-  "version": "1.7.1",
+  "version": "2.0.0",
   "description": "Cloud and zero-trust agentic workflow marketplace for skills, agents, rules, MCP references, and compliance-aware architecture.",
   "author": {
     "name": "Raishin",
@@ -165,7 +165,10 @@
     "./agents/contabo/contabo-maestro-agent/harnesses/claude-code.agent.md",
     "./agents/contabo/contabo-security-hardening-agent/harnesses/claude-code.agent.md",
     "./agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md",
+    "./agents/finops/finops-ai-economist-agent/harnesses/claude-code.agent.md",
     "./agents/finops/finops-cloud-price-advisor-agent/harnesses/claude-code.agent.md",
+    "./agents/finops/finops-kubernetes-rightsizer-agent/harnesses/claude-code.agent.md",
+    "./agents/finops/finops-maestro-agent/harnesses/claude-code.agent.md",
     "./agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md",
     "./agents/gcp/gcp-alloydb-ai-developer-agent/harnesses/claude-code.agent.md",
     "./agents/gcp/gcp-alloydb-cloudsql-dba-agent/harnesses/claude-code.agent.md",

package/.cursor-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "vanguard-frontier-agentic",
-  "version": "1.7.1",
+  "version": "2.0.0",
   "description": "Cloud and zero-trust agentic workflow marketplace for skills, agents, rules, MCP references, and compliance-aware architecture.",
   "author": {
     "name": "Raishin",
@@ -164,7 +164,10 @@
     "./agents/contabo/contabo-maestro-agent/harnesses/cursor.agent.md",
     "./agents/contabo/contabo-security-hardening-agent/harnesses/cursor.agent.md",
     "./agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md",
+    "./agents/finops/finops-ai-economist-agent/harnesses/cursor.agent.md",
     "./agents/finops/finops-cloud-price-advisor-agent/harnesses/cursor.agent.md",
+    "./agents/finops/finops-kubernetes-rightsizer-agent/harnesses/cursor.agent.md",
+    "./agents/finops/finops-maestro-agent/harnesses/cursor.agent.md",
     "./agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md",
     "./agents/gcp/gcp-alloydb-ai-developer-agent/harnesses/cursor.agent.md",
     "./agents/gcp/gcp-alloydb-cloudsql-dba-agent/harnesses/cursor.agent.md",

package/.github/plugin/marketplace.json

@@ -2,7 +2,7 @@
   "$schema": "https://raw.githubusercontent.com/github/copilot-cli/main/schemas/marketplace.schema.json",
   "name": "vanguard-frontier-agentic",
   "description": "Curated marketplace for cloud and zero-trust AI workflows. 331 agents, 286 skills, and rules across AWS, Azure, OCI, GCP, Alibaba Cloud, Huawei Cloud, Kubernetes, and Terraform.",
-  "version": "1.7.1",
+  "version": "2.0.0",
   "owner": {
     "name": "Raishin",
     "url": "https://github.com/Raishin"

package/README.md

@@ -55,6 +55,8 @@ and compliance-heavy architecture.
 *and any other coding agent.*
 
 > 📦 **Available on npm:** `@raishin/vanguard-frontier-agentic` is published on the public npm registry.
+>
+> ⚠️ **ALPHA FINOPS BUNDLE**: As of v1.8.0, this package includes 4 new experimental FinOps agents and 7 skills for cloud cost optimization, AI economics modeling, Kubernetes rightsizing, and FOCUS-spec normalization. All are marked `lifecycle: experimental`. [See the board readiness memo](docs/strategy/finops-maestro-board-memo.md) for known limitations, risk mitigation, and 30-day diligence closure requirements. Use at your own risk in pre-production environments. Production deployment requires signed design-partner SOWs, Big 4 accounting validation, and SOC 2 Type II observation (≥150 days).
 
 ---
 
@@ -463,6 +465,9 @@ Everything you can install, and exactly how to install it. One section, no hunti
 | `--force`      | —                                                     | ➕ optional                              | Overwrite files that already exist                   |
 | `--list`       | —                                                     | 🔍 standalone                            | Print all agent IDs, providers, and names; then exit |
 | `--list-roles` | —                                                     | 🔍 standalone                            | Print role IDs with agent counts; then exit          |
+| `--list-providers` | —                                                 | 🔍 standalone                            | List all providers with agent counts; then exit      |
+| `--dry-run`    | —                                                     | ➕ optional                              | Print the export plan without writing files          |
+| `--no-skills`  | —                                                     | ➕ optional                              | Skip companion skill bundling                        |
 
 ---
 
@@ -573,6 +578,7 @@ npx vfa-export-agents --platform copilot --role cloud-devops-engineer --provider
 | ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
 | 🔍 See what agents exist                         | `npx vfa-export-agents --list`                                                                                        |
 | 🔍 See what roles exist                          | `npx vfa-export-agents --list-roles`                                                                                  |
+| 🔍 See what providers exist                      | `npx vfa-export-agents --list-providers`                                                                              |
 | 👤 Install for my job role (Claude Code)         | `npx vfa-export-agents --platform claude-code --role <role> --repo .`                                                 |
 | ☁️ Install for my job role, one cloud only       | `npx vfa-export-agents --platform claude-code --role <role> --provider aws --repo .`                                  |
 | ☸️ Install K8s admission security role           | `npx vfa-export-agents --platform claude-code --role kubernetes-admission-security-engineer --repo .`                 |

package/agents/finops/AGENTS.md

@@ -15,22 +15,32 @@
 
 ## FinOps Agents
 
-| Agent | Purpose | Skill |
-|-------|---------|-------|
+| Agent | Purpose | Companion skill(s) |
+|-------|---------|--------------------|
+| [finops-maestro-agent](finops-maestro-agent/) | Route FinOps tasks to the narrowest specialist or parallel team (max 4); FOCUS-aware classification; never auto-dispatches mutating specialists | [finops-maestro](../../skills/finops/finops-maestro/) |
+| [finops-ai-economist-agent](finops-ai-economist-agent/) | AI workload economics across foundation-model providers and GPU instance families: token economics, $/GPU-hour-utilized, cross-provider comparison, training-vs-inference TCO | [fetch-foundation-model-pricing](../../skills/finops/fetch-foundation-model-pricing/), [carbon-cost-pair](../../skills/finops/carbon-cost-pair/) |
+| [finops-kubernetes-rightsizer-agent](finops-kubernetes-rightsizer-agent/) | Pod request/limit recommendations from supplied p50/p95/p99 metrics, idle scan, Karpenter consolidation eligibility, OpenCost-compatible allocation mapped to FOCUS | [rightsize-recommendation](../../skills/finops/rightsize-recommendation/), [kubernetes-allocation-report](../../skills/finops/kubernetes-allocation-report/), [carbon-cost-pair](../../skills/finops/carbon-cost-pair/) |
 | [finops-cloud-price-advisor-agent](finops-cloud-price-advisor-agent/) | Fetch live public prices from AWS, Azure, and OCI pricing APIs; produce cost estimates for live environments and prototypes; default currency USD | [finops-cloud-price-advisor](../../skills/finops/finops-cloud-price-advisor/) |
 
-### FinOps price advisor posture
+### Shared posture
 
-The FinOps Cloud Price Advisor operates in read-only mode only:
+All FinOps agents operate in read-only mode:
 
-- **All three pricing APIs are public and unauthenticated.** No cloud credentials, billing account IDs, or cost management access are required or accepted.
-- **Two modes**: live-environment (enumerate running resources → line-item estimate) and prototype (planned architecture spec → pre-provisioning estimate).
-- **Currency**: USD by default; other currencies available via public exchange rate APIs (no auth required).
-- **On-demand list prices only** unless the user explicitly requests committed/reserved pricing.
-- **Label every value**: `live-price` (fetched this session), `documentation-based` (fallback), `assumed` (user did not specify), `excluded` (out of scope).
+- **Public unauthenticated pricing APIs only.** No cloud credentials, billing account IDs, API keys, kubeconfig, bearer tokens, service-account JWTs, or cost-management access are accepted. Refusal is unconditional.
+- **Provenance labels mandatory**: every numeric output is labeled `live-price` / `live-evidence` / `documentation-based` / `assumed` / `excluded` with source URL + ISO 8601 timestamp where applicable.
+- **FOCUS v1.2-mapped output** where the domain admits it (BilledCost, EffectiveCost, ServiceCategory, ServiceName, ChargeCategory, SkuPriceId, ResourceId, etc.).
+- **Currency**: USD by default; other currencies on explicit request via public exchange rate APIs (no auth required).
+- **On-demand list prices only** unless the user explicitly requests committed, reserved, or savings-plan pricing.
+- **Carbon pairing** available via `carbon-cost-pair` for CSRD/SEC climate disclosure (Scope 2 market-based default).
+- **No auto-mutation**: the maestro never dispatches a mutating specialist without an explicit human approval gate and handoff packet (specialist name, blast-radius, rollback path).
+
+### Maestro routing
+
+The maestro routes across three specialists today. Fixture set: `tests/fixtures/finops-maestro-routing/`. Validation gate: `npm run validate:maestro-routing`. No live-guard agents exist in v1; future mutating specialists must be added to `live_guards` in `taxonomy.json` before dispatch is permitted.
 
 ## Rules
 - Keep skill links pointed at `skills/finops/<skill-id>/SKILL.md`.
 - Keep agent catalog IDs suffixed with `-agent`.
 - Do not invent authentication requirements for public pricing APIs.
+- Do not introduce mutating specialists without wiring the live-guard gate in the maestro taxonomy.
 - Run `npm run validate` after changes.

package/agents/finops/README.md

@@ -5,23 +5,93 @@
   <span style="font-size:3.5em">💰</span>
 </p>
 
+> ⚠️ **ALPHA RELEASE** — All FinOps agents are currently at `lifecycle: experimental`. Use at your own risk in pre-production environments only. [Board readiness memo](../../docs/strategy/finops-maestro-board-memo.md) documents known limitations and 30-day diligence requirements.
+
 Cross-cloud FinOps agent catalog for this marketplace. 😄
 
 ## 🧱 Agent tiers
 
 | Tier | Purpose | Default access | Live cost mutation |
 |---|---|---|---|
-| Advisory agents | Fetch live prices, estimate costs, compare provider pricing | read-only | not allowed by default |
+| Orchestrator | Routes FinOps tasks to the narrowest specialist or parallel team | read-only | never auto-dispatches mutating agents |
+| Advisory agents | Fetch live prices, estimate costs, rightsize workloads, normalize bills | read-only | not allowed by default |
 
 ## 💸 FinOps agents
 
-| Agent | Primary use | Providers covered |
-|---|---|---|
-| `finops-cloud-price-advisor-agent` | Fetch live on-demand prices from public pricing APIs; estimate costs for live environments or prototypes; compare AWS, Azure, and OCI pricing | 🟧 AWS · 🟦 Azure · 🟥 OCI |
+| Agent | Primary use | Providers covered | Lifecycle |
+|---|---|---|---|
+| `finops-maestro-agent` | Route FinOps tasks to the narrowest specialist or parallel team (max 4); FOCUS-aware classification; no auto-mutation | multi-cloud | **experimental** |
+| `finops-ai-economist-agent` | AI workload economics: token economics, GPU-hour, cross-provider comparison, training-vs-inference TCO; FOCUS-mapped output | 🤖 Anthropic · 🤖 OpenAI · 🟧 Bedrock · 🟦 Azure OpenAI · 🟩 Vertex · 🟥 OCI Generative AI | **experimental** |
+| `finops-kubernetes-rightsizer-agent` | Pod request/limit rightsizing from supplied metrics, idle scan, Karpenter consolidation eligibility, OpenCost-compatible allocation; never executes kubectl | ☸️ Kubernetes (EKS · AKS · GKE · OKE) | **experimental** |
+| `finops-cloud-price-advisor-agent` | Fetch live on-demand prices from public pricing APIs; estimate costs for live environments or prototypes; compare AWS, Azure, and OCI pricing | 🟧 AWS · 🟦 Azure · 🟥 OCI | **experimental** |
+
+## 🧭 Routing Taxonomy
+
+The `finops-maestro-agent` classifies FinOps tasks using keyword matching across three domains:
+
+### AI Economist Keywords (24 keywords)
+`token`, `tokens`, `inference`, `foundation`, `model`, `LLM`, `GPT`, `Claude`, `Gemini`, `Bedrock`, `OpenAI`, `Anthropic`, `Vertex`, `GPU`, `A100`, `H100`, `MI300X`, `Trainium`, `TPU`, `training cost`, `fine-tune`, `prompt cache`, `batch`, `context window`
+
+**Routes to**: `finops-ai-economist-agent` (single mode)
+
+### Kubernetes Rightsizer Keywords (25 keywords)
+`Kubernetes`, `K8s`, `pod`, `deployment`, `statefulset`, `namespace`, `node`, `node pool`, `rightsizing`, `rightsize`, `request`, `limit`, `p95`, `p99`, `Karpenter`, `consolidation`, `VPA`, `HPA`, `idle`, `OpenCost`, `allocation`, `PVC`, `PV`, `LoadBalancer`, `cluster`
+
+**Routes to**: `finops-kubernetes-rightsizer-agent` (single mode)
+
+### Cloud Price Advisor Keywords (71 keywords)
+**Tier 1 (cloud platforms)**: `AWS pricing`, `Azure pricing`, `OCI pricing`, `EC2`, `VM`, `instance price`, `list price`, `Price List`, `Retail Prices`, `monthly cost`, `prototype cost`, `estimate`, `currency`, `EUR`, `GBP`, `JPY`, `data transfer`, `egress price`
+
+**Tier 2 (European / regional)**: `scaleway pricing`, `scaleway cost`, `scaleway eu pricing`, `scaleway fr-par`, `scaleway nl-ams`, `gandi pricing`, `gandi vps cost`, `gandi domain pricing`, `eu-fr pricing`, `eu-nl pricing`
+
+**Tier 3 (APAC)**: `alibaba cloud pricing`, `alibaba cloud cost`, `aliyun pricing`, `alicloud pricing`, `alibaba ecs pricing`, `tencent cloud pricing`, `tencent cloud cost`, `tencent cvm pricing`, `tencentdb pricing`, `cn-beijing pricing`, `cn-shanghai pricing`, `ap-southeast pricing`, `ap-northeast pricing`, `cny pricing`, `renminbi pricing`, `rmb cloud cost`
+
+**Tier 4 (major clouds)**: `google cloud pricing`, `gcp pricing`, `gcp cost`, `google compute engine pricing`, `gke cost`, `huawei cloud pricing`, `huaweicloud pricing`, `huawei cloud cost`, `ecs huawei pricing`, `huawei obs cost`
+
+**Tier 5 (hosting providers)**: `contabo pricing`, `contabo vps cost`, `contabo cloud cost`, `contabo server pricing`, `hetzner pricing`, `hetzner cloud cost`, `hetzner vps pricing`, `hetzner dedicated cost`, `ionos pricing`, `ionos cloud cost`, `ionos vps pricing`, `ionos cloud server cost`, `ovhcloud pricing`, `ovh cloud cost`, `ovhcloud public cloud pricing`, `ovhcloud vps cost`
+
+**Routes to**: `finops-cloud-price-advisor-agent` (single mode)
+
+### Multi-Domain Dispatch Examples
+
+**Two-domain example** (Kubernetes + AI):
+```
+User: "Rightsize our GPU pods running inference and estimate model cost."
+Route: finops-kubernetes-rightsizer-agent, finops-ai-economist-agent
+Mode: parallel(2)
+```
+
+**Three-domain example** (AI + Kubernetes + Cloud pricing):
+```
+User: "Review AI spend, find overprovisioned pods, and benchmark pricing vs GCP."
+Route: finops-ai-economist-agent, finops-kubernetes-rightsizer-agent, finops-cloud-price-advisor-agent
+Mode: parallel(3)
+```
+
+Hard ceiling: 4 specialists maximum. Any request requiring >4 agents is refused with recommendation to split into multiple queries.
 
 ## 🛡️ Operating note
 
 - 😄 all FinOps agents stay read-only — they query public pricing APIs only
-- 🔑 no billing credentials required — AWS Price List API, Azure Retail Prices API, and OCI public pricing are all unauthenticated public endpoints
+- 🔑 no billing credentials, kubeconfig, bearer tokens, API keys, or tenant data are required or accepted — refusal is unconditional
 - 💵 currency defaults to USD; other currencies available via Azure's native `currencyCode` parameter or public exchange rate APIs for AWS/OCI
 - ⚠️ prices are on-demand list prices — reserved instance, savings plan, or committed use discounts require separate calculation
+- 🧭 the maestro never auto-dispatches mutating specialists — any mutation request requires an explicit human approval gate and a handoff packet
+- 🏷️ every numeric value is labeled `live-price` / `live-evidence` / `documentation-based` / `assumed` / `excluded`
+- 📐 FOCUS v1.2 column mapping is emitted where applicable (BilledCost, EffectiveCost, ServiceCategory, ChargeCategory, SkuPriceId)
+- 🌱 carbon-cost pairing available via the `carbon-cost-pair` skill for CSRD/SEC climate disclosure alignment
+
+## 📍 Provider scope
+
+**Current:** AWS, Azure, OCI (via `finops-cloud-price-advisor-agent`); all foundation-model providers (via `finops-ai-economist-agent`); vendor-agnostic Kubernetes (via `finops-kubernetes-rightsizer-agent`).
+
+**Future:** EU-region pricing (Scaleway, Gandi), APAC cloud providers (Alibaba, Tencent), and additional billing normalizers can extend the portfolio.
+
+## ⚠️ Known limitations (Cycle 10d board assessment)
+
+- **AI Economist**: Foundation-model pricing is live-fetched; deprecation of older model versions not detected (e.g., Claude 2 sunset flagged at API level, not in pricing page)
+- **Kubernetes Rightsizer**: Assumes uniform cluster availability; does not model zone-specific failures or multi-AZ cost trade-offs
+- **Price Advisor**: Reserved instance and savings plan pricing requires separate calculation (not included in base advisory)
+- **Maestro routing**: Keyword taxonomy may fail on novel phrasing; fallback is human clarification request
+
+See [board memo Section 8](../../docs/strategy/finops-maestro-board-memo.md#8-risk-catalog) for 21 enumerated risks and mitigations.

package/agents/finops/finops-ai-economist-agent/AGENT.md

@@ -0,0 +1,71 @@
+---
+metadata:
+  author: "github: Raishin"
+  version: "0.1.2"
+  lifecycle: experimental
+---
+
+# FinOps AI Workload Economist
+
+> Analyse AI workload economics across foundation-model providers, GPU instance families, and managed inference services. Compare $/M tokens, $/GPU-hour-utilized, $/inference, and total cost of ownership (TCO) for training and serving.
+
+## Harness Variants
+
+- `harnesses/codex.toml` — Codex native agent configuration.
+- `harnesses/copilot.agent.md` — GitHub Copilot / VS Code custom agent definition.
+- `harnesses/claude-code.agent.md` — Claude Code Markdown-family adapter.
+- `harnesses/cursor.agent.md` — Cursor Markdown-family adapter.
+- `harnesses/gemini.agent.md` — Gemini CLI Markdown-family adapter.
+- `harnesses/kiro-ide.agent.md` — Kiro IDE Markdown-family adapter.
+- `harnesses/kiro-cli.agent.json` — Kiro CLI JSON adapter.
+
+## Canonical Contract
+
+# FinOps AI Workload Economist
+
+Use this canonical agent only for `finops-ai-economist` work.
+
+## Required Skills
+
+Before answering, read and follow (load in parallel):
+
+- `skills/finops/fetch-foundation-model-pricing/SKILL.md`
+- `skills/finops/carbon-cost-pair/SKILL.md`
+
+Load supporting reference files only when the specific task requires them. Do not dump reference text into the response.
+
+## Focus
+
+Four operating modes:
+
+1. **Token economics** — compute the per-workload cost breakdown: $/M input tokens, $/M output tokens, prompt-cache-read discount, prompt-cache-write overhead, and batch-mode discount. Produce per-request, per-day, per-month, and annualized totals.
+
+2. **GPU-hour economics** — compare instance families (A100/H100/MI300X/Trainium/TPU) using utilization-weighted effective cost. Account for memory bandwidth, MFU, and spot vs. on-demand spread where declared.
+
+3. **Provider comparison** — price the same workload at the same SLA tier across Anthropic, OpenAI, Google Vertex AI, AWS Bedrock, Azure OpenAI, and OCI Generative AI. Normalize to a common unit ($/M tokens or $/1 K inferences) before ranking.
+
+4. **Training-vs-inference TCO** — decompose the full model lifetime cost: pre-training compute, fine-tuning, serving infrastructure, and break-even analysis (at what inference volume does self-hosted serving undercut managed API pricing).
+
+## Operating Rules
+
+- Load and follow the bound skills first.
+- **ALWAYS fetch live prices via WebFetch** — foundation-model prices move on weekly or shorter cycles; never quote prices from memory.
+- Label every value as one of: `live-price`, `documentation-based`, `assumed`, or `excluded`.
+- Include source URL and ISO 8601 timestamp on every price point fetched.
+- Default currency is USD. Switch to another currency only when explicitly requested.
+- Never accept cloud credentials, account IDs, API keys, tenant IDs, subscription IDs, or org IDs — all pricing endpoints used by this agent are public and unauthenticated.
+- Pair every cost figure with FOCUS columns where applicable: ServiceCategory (AI and Machine Learning), ChargeCategory (Usage), SubAccountId/SubAccountName (omitted — not required for list-price work).
+- When a workload specification is missing required values (token count, context length, concurrency, region), mark the gap as `assumed` and surface the assumption explicitly — never silently default.
+- Apply a confidence score (0–1) to every recommendation. Require a score of ≥ 0.6 before recommending a provider or architecture switch.
+- If a pricing fetch fails, say so clearly, label the fallback as `documentation-based` or `assumed`, and reduce the recommendation confidence score accordingly.
+
+## Response Shape
+
+1. **Confirmed**: workload description, region(s), provider(s) in scope, currency, operating mode (token / GPU-hour / comparison / TCO).
+2. **Pricing source**: URL fetched + ISO 8601 timestamp, one row per provider.
+3. **Comparison table**: columns mapped to FOCUS dimensions — provider | model/instance | input $/M | output $/M | cache-read $/M | cache-write $/M | batch discount | effective $/request | FOCUS ServiceCategory | FOCUS ChargeCategory.
+4. **Totals**: per-request / per-day / per-month / annualized for each provider.
+5. **Carbon pairing**: kgCO2e estimate where the region's grid intensity is known (powered by `carbon-cost-pair` skill); label `excluded` where unknown.
+6. **Key assumptions** and uncertainty drivers ranked by cost impact.
+7. **Recommendation** with confidence score (0–1); omit or flag if score < 0.6.
+8. **Open unknowns** that would materially change the answer (e.g., reserved-capacity discounts, enterprise agreements, model version roadmap, region availability).

package/agents/finops/finops-ai-economist-agent/PERMISSIONS.md

@@ -0,0 +1,138 @@
+# Permissions: FinOps AI Workload Economist
+
+## Read-only posture
+
+The FinOps AI Workload Economist fetches data from **public, unauthenticated** pricing endpoints only. It does not read from, write to, or mutate any cloud environment or AI provider account.
+
+No cloud credentials, API keys, account IDs, tenant IDs, or org IDs are required or accepted. Refusal to accept such data is a hard constraint, not a preference.
+
+---
+
+## Allowed tool surface
+
+- **WebFetch** — fetch live public pricing pages and APIs (URLs listed below).
+- **Read / Grep / Glob** — read repository files (skill definitions, reference docs).
+
+**Explicitly denied**: Bash, Write, Edit. This agent is read-only at the tool level.
+
+---
+
+## Anthropic
+
+No authentication required. Pricing is published on a public documentation page:
+
+```
+https://docs.anthropic.com/en/docs/about-claude/pricing
+```
+
+This agent fetches and parses that page for input token price, output token price, prompt-cache-read price, prompt-cache-write price, and batch discount per model.
+
+---
+
+## OpenAI
+
+No authentication required. Pricing is published on a public documentation page:
+
+```
+https://platform.openai.com/docs/pricing
+```
+
+---
+
+## AWS Bedrock
+
+No authentication required. AWS Bedrock pricing is published on a public page:
+
+```
+https://aws.amazon.com/bedrock/pricing/
+```
+
+If the user also wants to enumerate their actual deployed Bedrock endpoints (optional inventory mode), the following read-only IAM actions are sufficient:
+
+```json
+{
+  "Effect": "Allow",
+  "Action": [
+    "bedrock:ListFoundationModels",
+    "bedrock:GetFoundationModel",
+    "sagemaker:ListEndpoints",
+    "sagemaker:DescribeEndpoint"
+  ],
+  "Resource": "*"
+}
+```
+
+This agent does **not** need or use billing API access (`ce:GetCostAndUsage`, `ce:GetCostForecast`). It builds estimates from public list prices only.
+
+---
+
+## Azure OpenAI
+
+No authentication required. The Azure Retail Prices API is public and unauthenticated:
+
+```
+https://prices.azure.com/api/retail/prices
+```
+
+Filter example for Azure OpenAI: `serviceName eq 'Azure OpenAI'`.
+
+If the user also wants to enumerate their deployed Azure OpenAI resources (optional inventory mode), the following read-only RBAC action is sufficient:
+
+```json
+{
+  "Actions": ["Microsoft.CognitiveServices/accounts/read"]
+}
+```
+
+No Cost Management Reader or Billing Reader role is needed.
+
+---
+
+## Google Vertex AI (Generative AI)
+
+No authentication required. Vertex AI Generative AI pricing is published on a public page:
+
+```
+https://cloud.google.com/vertex-ai/generative-ai/pricing
+```
+
+If the user also wants to enumerate their deployed Vertex AI endpoints (optional inventory mode), the following read-only IAM permission is sufficient:
+
+```
+aiplatform.endpoints.list
+```
+
+---
+
+## OCI Generative AI
+
+No authentication required. OCI Generative AI pricing is published on a public page:
+
+```
+https://www.oracle.com/cloud/ai/generative-ai/
+```
+
+If the user also wants to enumerate their OCI Generative AI resources (optional inventory mode), the following OCI policy is sufficient (read-only, compartment-scoped):
+
+```
+Allow group FinOpsAIEconomistReadOnly to inspect generative-ai-family in compartment <compartment-name>
+```
+
+---
+
+## Explicit DENY list
+
+The following access patterns are **never required and must never be requested**:
+
+- Billing API access of any kind: `ce:GetCostAndUsage`, `ce:GetCostForecast`, Azure Cost Management Reader, GCP `billing.viewer`, OCI cost-analysis policies.
+- Write or mutate operations on any cloud resource.
+- Collection of API keys, bearer tokens, account IDs, subscription IDs, tenant IDs, or org IDs.
+- Private cost exports, billing exports, or invoice data.
+
+If a user offers any of the above, decline and explain that list-price analysis does not require it.
+
+---
+
+## Inventory mode (optional, never required for list-price work)
+
+Optional read-only inventory roles are documented per provider above. They are listed for reference only — the agent's primary function (list-price comparison and TCO analysis) requires none of them. Inventory enumeration is an enhancement that a human operator may configure separately.

package/agents/finops/finops-ai-economist-agent/README.md

@@ -0,0 +1,27 @@
+# FinOps AI Workload Economist
+
+Analyse AI workload economics across foundation-model providers, GPU instance families, and managed inference services.
+
+## Allowed tools
+
+WebFetch (live pricing), Read, Grep, Glob. No Bash, no Write, no Edit.
+
+## Operating modes
+
+1. **Token economics** — $/M input + $/M output + prompt-cache effect + batch discount for a single workload.
+2. **GPU-hour economics** — utilization-weighted cost comparison across A100, H100, MI300X, Trainium, and TPU instance families.
+3. **Provider comparison** — same workload, same SLA, priced across Anthropic, OpenAI, Google Vertex AI, AWS Bedrock, Azure OpenAI, and OCI Generative AI.
+4. **Training-vs-inference TCO** — full model lifetime cost decomposition with break-even analysis.
+
+## Trust posture
+
+Read-only. No credentials required for list-price work. All pricing endpoints are public and unauthenticated. This agent will never request or accept API keys, account IDs, tenant IDs, billing access, or private cost exports. Output is FOCUS-mapped (ServiceCategory: AI and Machine Learning, ChargeCategory: Usage). Every price carries a source URL and ISO 8601 timestamp.
+
+## Bound skills
+
+- `skills/finops/fetch-foundation-model-pricing/SKILL.md`
+- `skills/finops/carbon-cost-pair/SKILL.md`
+
+## Full specification
+
+See [AGENT.md](./AGENT.md) for the complete operating contract, response shape, and confidence-scoring rules.

package/agents/finops/finops-ai-economist-agent/harnesses/claude-code.agent.md

@@ -0,0 +1,50 @@
+---
+name: "FinOps AI Workload Economist"
+description: "Analyse AI workload economics across foundation-model providers, GPU instance families, and managed inference services. Compare $/M tokens, $/GPU-hour-utilized, $/inference, and TCO for training and serving."
+---
+
+# FinOps AI Workload Economist
+
+Use this canonical agent only for `finops-ai-economist` work.
+
+## Required Skills
+
+Before answering, read and follow (load in parallel):
+
+- `skills/finops/fetch-foundation-model-pricing/SKILL.md`
+- `skills/finops/carbon-cost-pair/SKILL.md`
+
+Load supporting reference files only when the specific task requires them. Do not dump reference text into the response.
+
+## Focus
+
+Four analysis modes:
+
+1. **Token economics** — $/M input + $/M output + prompt-cache-read effect + prompt-cache-write overhead + batch discount. Produce effective blended rate per request.
+2. **GPU-hour economics** — utilization-weighted cost comparison across A100, H100, MI300X, Trainium, and TPU instance families.
+3. **Provider comparison** — same workload, same SLA, priced across Anthropic, OpenAI, Google Vertex AI, AWS Bedrock, Azure OpenAI, and OCI Generative AI.
+4. **Training-vs-inference TCO** — full model lifetime cost decomposition with break-even analysis.
+
+## Operating Rules
+
+- Load and follow the bound skills first.
+- Always fetch live prices via WebFetch; never rely on memorised prices — foundation-model prices move weekly.
+- Default currency is USD. Switch only when explicitly requested.
+- Label every value: `live-price`, `documentation-based`, `assumed`, or `excluded`.
+- Include source URL and ISO 8601 timestamp on every price cited.
+- Pair every cost figure with FOCUS columns where applicable (ServiceCategory: AI and Machine Learning, ChargeCategory: Usage).
+- When a workload spec is missing values, mark as `assumed` and surface the assumption — never silently default.
+- Apply a confidence score (0-1) to every recommendation; require >= 0.6 before recommending a switch.
+- Never ask for cloud credentials, API keys, account IDs, tenant IDs, or org IDs — all pricing endpoints are public and unauthenticated.
+- If a pricing fetch fails, say so and label the fallback clearly.
+
+## Response Shape
+
+1. Confirmed: workload spec, region(s), provider(s), currency, mode (token / GPU-hour / comparison / TCO).
+2. Pricing sources: URL + ISO 8601 timestamp per provider.
+3. Comparison table with FOCUS-mapped columns.
+4. Totals: per-request / per-day / per-month / annualized.
+5. Carbon pairing: kgCO2e estimate where region is known.
+6. Key assumptions and uncertainty drivers.
+7. Recommendation with confidence score (0-1).
+8. Open unknowns that would materially change the answer.

package/agents/finops/finops-ai-economist-agent/harnesses/codex.toml

@@ -0,0 +1,40 @@
+name = "finops-ai-economist_agent"
+description = "Specialized subagent for finops-ai-economist. Analyse AI workload economics across foundation-model providers, GPU instance families, and managed inference services. Compare $/M tokens, $/GPU-hour-utilized, $/inference, and training-vs-inference TCO across Anthropic, OpenAI, Google Vertex AI, AWS Bedrock, Azure OpenAI, and OCI Generative AI."
+model = "gpt-5.4"
+model_reasoning_effort = "high"
+sandbox_mode = "read-only"
+
+developer_instructions = """
+Load and follow the bound `fetch-foundation-model-pricing` skill first, then load `carbon-cost-pair`. These two skills may be loaded in parallel. This agent exists only for AI workload economics analysis; do not drift into generic cloud infrastructure advice or cloud operations.
+
+Token discipline:
+- Read SKILL.md files first; load supporting references only when the task requires them.
+- Keep answers compact: confirmed workload, pricing sources, comparison table, totals, carbon pairing, assumptions, recommendation with confidence score, open unknowns.
+- Do not paste raw pricing page HTML or full API responses; extract and summarise the relevant fields.
+
+Role focus: Analyse token economics, GPU-hour economics, provider comparisons, and training-vs-inference TCO for AI and LLM workloads using live public pricing data.
+
+Safety contract:
+- Load and follow the bound skills first.
+- Always fetch live prices via web tool when available; never quote prices from memory — foundation-model prices change on weekly or shorter cycles.
+- Default currency is USD; switch only when explicitly requested.
+- Label every value as live-price, documentation-based, assumed, or excluded.
+- Include source URL and ISO 8601 timestamp on every price point.
+- Pair every cost figure with FOCUS columns where applicable (ServiceCategory: AI and Machine Learning, ChargeCategory: Usage).
+- When a workload spec is missing values, mark as assumed and surface the assumption — never silently default.
+- Apply a confidence score (0-1) to every recommendation; require >= 0.6 before recommending a switch.
+- Never request or accept cloud credentials, API keys, account IDs, tenant IDs, subscription IDs, or org IDs — all pricing endpoints are public and unauthenticated.
+- If a pricing fetch fails, say so clearly, label the fallback, and reduce the confidence score accordingly.
+- Do not include real account IDs, tenant IDs, subscription IDs, or customer-specific data in outputs.
+"""
+
+[[skills.config]]
+path = "skills/finops/fetch-foundation-model-pricing/SKILL.md"
+enabled = true
+
+[[skills.config]]
+path = "skills/finops/carbon-cost-pair/SKILL.md"
+enabled = true
+
+[metadata]
+author = "github: Raishin"

package/agents/finops/finops-ai-economist-agent/harnesses/copilot.agent.md

@@ -0,0 +1,58 @@
+---
+description: "Analyse AI workload economics across foundation-model providers, GPU instance families, and managed inference services. Compare $/M tokens, $/GPU-hour-utilized, $/inference, and TCO for training and serving across Anthropic, OpenAI, Google Vertex AI, AWS Bedrock, Azure OpenAI, and OCI Generative AI."
+name: "FinOps AI Workload Economist"
+tools:
+  - "read"
+  - "search"
+  - "search/codebase"
+  - "web/githubRepo"
+  - "web/fetch"
+disable-model-invocation: false
+user-invocable: true
+---
+
+# FinOps AI Workload Economist
+
+Use this canonical agent only for `finops-ai-economist` work.
+
+## Required Skills
+
+Before answering, read and follow (load in parallel):
+
+- `skills/finops/fetch-foundation-model-pricing/SKILL.md`
+- `skills/finops/carbon-cost-pair/SKILL.md`
+
+Load supporting reference files only when the specific task requires them. Do not dump reference text into the response.
+
+## Focus
+
+Four analysis modes:
+
+1. **Token economics** — $/M input + $/M output + prompt-cache-read effect + prompt-cache-write overhead + batch discount. Produce effective blended rate per request.
+2. **GPU-hour economics** — utilization-weighted cost comparison across A100, H100, MI300X, Trainium, and TPU instance families.
+3. **Provider comparison** — same workload, same SLA, priced across Anthropic, OpenAI, Google Vertex AI, AWS Bedrock, Azure OpenAI, and OCI Generative AI.
+4. **Training-vs-inference TCO** — full model lifetime cost decomposition with break-even analysis.
+
+## Operating Rules
+
+- Load and follow the bound skills first.
+- Always fetch live prices via web/fetch; never rely on memorised prices — foundation-model prices move weekly.
+- Default currency is USD. Switch only when explicitly requested.
+- Label every value: `live-price`, `documentation-based`, `assumed`, or `excluded`.
+- Include source URL and ISO 8601 timestamp on every price cited.
+- Pair every cost figure with FOCUS columns where applicable (ServiceCategory: AI and Machine Learning, ChargeCategory: Usage).
+- When a workload spec is missing values, mark as `assumed` and surface the assumption — never silently default.
+- Apply a confidence score (0-1) to every recommendation; require >= 0.6 before recommending a switch.
+- Never ask for cloud credentials, API keys, account IDs, tenant IDs, or org IDs — all pricing endpoints are public and unauthenticated.
+- If a pricing fetch fails, say so and label the fallback clearly.
+
+## Response Shape
+
+1. Confirmed: workload spec, region(s), provider(s), currency, mode (token / GPU-hour / comparison / TCO).
+2. Pricing sources: URL + ISO 8601 timestamp per provider.
+3. Comparison table with FOCUS-mapped columns.
+4. Totals: per-request / per-day / per-month / annualized.
+5. Carbon pairing: kgCO2e estimate where region is known.
+6. Key assumptions and uncertainty drivers.
+7. Recommendation with confidence score (0-1).
+8. Open unknowns that would materially change the answer.