@raishin/vanguard-frontier-agentic 2.0.1 → 2.2.0

package/catalog/skills.json

@@ -21,6 +21,34 @@
     "author": "github: Claude",
     "version": "1.0.0"
   },
+  {
+    "id": "ai-advertising-targeting-fairness-review",
+    "name": "AI Advertising Targeting Fairness Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review ad-platform audience targeting configurations and AI feature usage for protected-class discrimination risk under Fair Housing Act, ECOA, and EU AI Act Article 5 — proxy segments, algorithmic disparate impact, and missing Special Ad Category declarations.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.ftc.gov/business-guidance/blog/2023/02/ftcs-ai-related-enforcement-actions",
+      "https://www.hud.gov/program_offices/fair_housing_equal_opp/fair_housing_act_overview",
+      "https://www.consumerfinance.gov/about-us/blog/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence/",
+      "https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai",
+      "https://www.federalregister.gov/documents/2023/07/13/2023-14625/civil-rights-principles-for-the-use-of-artificial-intelligence"
+    ],
+    "security_notes": "Ad-platform AI features that optimize on historical converter populations can propagate protected-class disparate impact without explicit discriminatory intent. Review works from sanitized audience spec exports and declared AI feature annotations only; never request live campaign credentials, ad-account access tokens, or real user audience data.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/ai-advertising-targeting-fairness-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "alibaba-ack-container-platform-operator",
     "name": "Alibaba Cloud ACK Container Platform Operator",
@@ -41,7 +69,7 @@
       "https://www.alibabacloud.com/help/en/acr",
       "https://www.alibabacloud.com/help/en/asm"
     ],
-    "security_notes": "Require OIDC workload identity for all production workloads \u2014 do not approve RAM access key mounting in pods. Require ACR Enterprise vulnerability scanning before deploying images to production clusters. Do not skip Kubernetes version upgrades beyond two minor versions.",
+    "security_notes": "Require OIDC workload identity for all production workloads — do not approve RAM access key mounting in pods. Require ACR Enterprise vulnerability scanning before deploying images to production clusters. Do not skip Kubernetes version upgrades beyond two minor versions.",
     "last_verified": "2026-05-08",
     "path": "skills/alibaba/alibaba-ack-container-platform-operator",
     "author": "github: Raishin",
@@ -66,7 +94,7 @@
       "https://www.alibabacloud.com/help/en/actiontrail",
       "https://www.alibabacloud.com/help/en/sls"
     ],
-    "security_notes": "Do not delete ActionTrail trails or SLS logstores \u2014 audit log destruction may violate MLPS 2.0 retention requirements. Disabling ActionTrail blinds compliance evidence collection.",
+    "security_notes": "Do not delete ActionTrail trails or SLS logstores — audit log destruction may violate MLPS 2.0 retention requirements. Disabling ActionTrail blinds compliance evidence collection.",
     "last_verified": "2026-05-08",
     "path": "skills/alibaba/alibaba-actiontrail-audit-analyst",
     "author": "github: Raishin",
@@ -111,14 +139,14 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Alibaba Cloud SSL Certificate Service \u2014 DV/OV/EV certificate lifecycle, auto-renewal configuration, certificate deployment to SLB/ALB/CDN/OSS, domain validation status, CAA record compliance, and expiry monitoring.",
+    "summary": "Review Alibaba Cloud SSL Certificate Service — DV/OV/EV certificate lifecycle, auto-renewal configuration, certificate deployment to SLB/ALB/CDN/OSS, domain validation status, CAA record compliance, and expiry monitoring.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/ssl-certificate/latest/what-is-ssl-certificates-service",
       "https://www.alibabacloud.com/help/en/slb/application-load-balancer/user-guide/create-an-https-listener",
       "https://www.alibabacloud.com/help/en/cdn/user-guide/configure-an-ssl-certificate"
     ],
-    "security_notes": "Alibaba Cloud certificate private keys generated on the platform are stored in Alibaba's systems \u2014 for maximum security, use CSR-based upload with your own private key generated locally. SLB/ALB HTTPS listeners using TLS 1.0 or 1.1 are non-compliant with PCI-DSS and MLPS 2.0 \u2014 enforce TLS 1.2+ via security policy configuration.",
+    "security_notes": "Alibaba Cloud certificate private keys generated on the platform are stored in Alibaba's systems — for maximum security, use CSR-based upload with your own private key generated locally. SLB/ALB HTTPS listeners using TLS 1.0 or 1.1 are non-compliant with PCI-DSS and MLPS 2.0 — enforce TLS 1.2+ via security policy configuration.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-certificate-manager-issuer-review",
     "version": "0.1.0",
@@ -137,7 +165,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Pre-change blast radius analysis for Alibaba Cloud \u2014 Resource Directory OU scope mapping, RAM policy cascade effects, VPC peering and CEN impact, SLB backend pool changes, RDS connection pool disruption, and safe change sequencing.",
+    "summary": "Pre-change blast radius analysis for Alibaba Cloud — Resource Directory OU scope mapping, RAM policy cascade effects, VPC peering and CEN impact, SLB backend pool changes, RDS connection pool disruption, and safe change sequencing.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/resource-management/latest/what-is-resource-management",
@@ -145,7 +173,7 @@
       "https://www.alibabacloud.com/help/en/cen/latest/what-is-cen",
       "https://www.alibabacloud.com/help/en/vpc/latest/vpc-peering-connections-overview"
     ],
-    "security_notes": "Alibaba Cloud Resource Directory root account has override capabilities for all member account policies \u2014 changes at root level must have explicit dual approval. CEN route changes are near-instantaneous and propagate globally \u2014 always test in a staging CEN attachment before applying to production.",
+    "security_notes": "Alibaba Cloud Resource Directory root account has override capabilities for all member account policies — changes at root level must have explicit dual approval. CEN route changes are near-instantaneous and propagate globally — always test in a staging CEN attachment before applying to production.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-change-impact-advisor",
     "version": "0.1.0",
@@ -189,7 +217,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Detect and coordinate response to Alibaba Cloud cost anomalies \u2014 MaxCompute CU vs on-demand billing mismatch, ECS spot instance interruption cascades, CDN traffic spike billing, OSS API request cost explosions, budget alert \u2192 DingTalk notification \u2192 remediation playbook.",
+    "summary": "Detect and coordinate response to Alibaba Cloud cost anomalies — MaxCompute CU vs on-demand billing mismatch, ECS spot instance interruption cascades, CDN traffic spike billing, OSS API request cost explosions, budget alert → DingTalk notification → remediation playbook.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/maxcompute/latest/billing-overview",
@@ -197,7 +225,7 @@
       "https://www.alibabacloud.com/help/en/cost-management/latest/overview",
       "https://www.alibabacloud.com/help/en/cdn/user-guide/billing-overview"
     ],
-    "security_notes": "Alibaba Cloud cost data is accessible via the billing API \u2014 restrict AccessKey permissions for billing API access to read-only (AliyunBSSReadOnlyAccess). China mainland billing accounts and international accounts cannot be consolidated \u2014 separate anomaly monitoring pipelines required for each account type.",
+    "security_notes": "Alibaba Cloud cost data is accessible via the billing API — restrict AccessKey permissions for billing API access to read-only (AliyunBSSReadOnlyAccess). China mainland billing accounts and international accounts cannot be consolidated — separate anomaly monitoring pipelines required for each account type.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-cost-anomaly-watch-coordinator",
     "version": "0.1.0",
@@ -241,7 +269,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Coordinate the daily Alibaba Cloud operations standup \u2014 cost delta from Cost Manager, ActionTrail anomaly review, ACK pod failure triage, quota utilization warnings, Security Center finding review, and action item assignment.",
+    "summary": "Coordinate the daily Alibaba Cloud operations standup — cost delta from Cost Manager, ActionTrail anomaly review, ACK pod failure triage, quota utilization warnings, Security Center finding review, and action item assignment.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/cost-management/latest/overview",
@@ -249,7 +277,7 @@
       "https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/user-guide/overview-7",
       "https://www.alibabacloud.com/help/en/security-center/latest/what-is-security-center"
     ],
-    "security_notes": "Alibaba Cloud ActionTrail logs contain API call details that may reveal internal architecture \u2014 restrict ActionTrail SLS project access to security team members only. Daily briefing cost data reveals workload scale and spending patterns \u2014 distribute briefing reports only to authorized stakeholders.",
+    "security_notes": "Alibaba Cloud ActionTrail logs contain API call details that may reveal internal architecture — restrict ActionTrail SLS project access to security team members only. Daily briefing cost data reveals workload scale and spending patterns — distribute briefing reports only to authorized stakeholders.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-daily-operations-briefing-coordinator",
     "version": "0.1.0",
@@ -274,7 +302,7 @@
       "https://www.alibabacloud.com/help/en/rdc",
       "https://www.alibabacloud.com/help/en/acr"
     ],
-    "security_notes": "Do not deploy to production without staging verification. ACR image tags are mutable \u2014 use digest-pinned references for production deployments. Flow pipeline rollback requires preserved previous artifact.",
+    "security_notes": "Do not deploy to production without staging verification. ACR image tags are mutable — use digest-pinned references for production deployments. Flow pipeline rollback requires preserved previous artifact.",
     "last_verified": "2026-05-08",
     "path": "skills/alibaba/alibaba-devops-cicd-operator",
     "author": "github: Raishin",
@@ -320,7 +348,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Alibaba Cloud EventBridge, MNS (Message Notification Service), RocketMQ, and MSE event-driven designs \u2014 dead-letter queues, message ordering, idempotency, retry storm prevention, schema registry, and consumer group lag monitoring.",
+    "summary": "Review Alibaba Cloud EventBridge, MNS (Message Notification Service), RocketMQ, and MSE event-driven designs — dead-letter queues, message ordering, idempotency, retry storm prevention, schema registry, and consumer group lag monitoring.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/eventbridge/latest/what-is-eventbridge",
@@ -328,7 +356,7 @@
       "https://www.alibabacloud.com/help/en/apsaramq-for-rocketmq/latest/what-is-rocketmq",
       "https://www.alibabacloud.com/help/en/mse/latest/overview-of-mse"
     ],
-    "security_notes": "Alibaba Cloud EventBridge event buses can be public \u2014 restrict event bus policies to specific source services and target endpoints. MNS message bodies may contain sensitive data \u2014 use SSE encryption at rest for MNS queues in regulated environments.",
+    "security_notes": "Alibaba Cloud EventBridge event buses can be public — restrict event bus policies to specific source services and target endpoints. MNS message bodies may contain sensitive data — use SSE encryption at rest for MNS queues in regulated environments.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-event-driven-architecture-review",
     "version": "0.1.0",
@@ -373,7 +401,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Terraform and ROS (Resource Orchestration Service) changes targeting Alibaba Cloud \u2014 blast radius analysis, resource deletion detection, cross-stack dependency impact, Resource Directory scope, and rollback plan completeness.",
+    "summary": "Review Terraform and ROS (Resource Orchestration Service) changes targeting Alibaba Cloud — blast radius analysis, resource deletion detection, cross-stack dependency impact, Resource Directory scope, and rollback plan completeness.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/resource-orchestration-service/latest/what-is-ros",
@@ -381,7 +409,7 @@
       "https://www.alibabacloud.com/help/en/resource-management/latest/what-is-resource-management",
       "https://www.alibabacloud.com/help/en/oss/user-guide/server-side-encryption"
     ],
-    "security_notes": "Alibaba Cloud Terraform provider state files expose resource attribute details \u2014 OSS backend bucket must deny public access and use SSE-KMS. ROS resource deletion protection must be enabled on production stacks \u2014 stacks without deletion protection can be destroyed with a single API call.",
+    "security_notes": "Alibaba Cloud Terraform provider state files expose resource attribute details — OSS backend bucket must deny public access and use SSE-KMS. ROS resource deletion protection must be enabled on production stacks — stacks without deletion protection can be destroyed with a single API call.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-iac-change-safety-review",
     "version": "0.1.0",
@@ -426,7 +454,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Design Alibaba Cloud landing zone \u2014 Resource Management org tree, Cloud SSO, Control Policy (SCP equivalent), multi-account governance baseline, billing account structure, and ActionTrail centralization.",
+    "summary": "Design Alibaba Cloud landing zone — Resource Management org tree, Cloud SSO, Control Policy (SCP equivalent), multi-account governance baseline, billing account structure, and ActionTrail centralization.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/resource-management",
@@ -479,7 +507,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate live financial authority actions \u2014 budget threshold changes, Savings Plan purchases, Reserved Instance commitments. These are committed spend or can trigger immediate service suspension.",
+    "summary": "Gate live financial authority actions — budget threshold changes, Savings Plan purchases, Reserved Instance commitments. These are committed spend or can trigger immediate service suspension.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/bss"
@@ -503,7 +531,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate KMS key deletion and disable operations \u2014 all data encrypted with a deleted CMK becomes permanently and irrecoverably inaccessible.",
+    "summary": "Gate KMS key deletion and disable operations — all data encrypted with a deleted CMK becomes permanently and irrecoverably inaccessible.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/kms",
@@ -528,7 +556,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate OSS bucket ACL and policy mutations \u2014 public-read/write ACL exposes data to internet crawlers within seconds; CN-* cross-border replication requires DSL Article 31 assessment.",
+    "summary": "Gate OSS bucket ACL and policy mutations — public-read/write ACL exposes data to internet crawlers within seconds; CN-* cross-border replication requires DSL Article 31 assessment.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/oss"
@@ -552,7 +580,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate RAM policy/role mutations \u2014 account-wide blast radius, privilege escalation risk, service breakage from accidental denial.",
+    "summary": "Gate RAM policy/role mutations — account-wide blast radius, privilege escalation risk, service breakage from accidental denial.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/ram",
@@ -577,7 +605,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate RDS/PolarDB instance deletion, spec downgrade, and backup policy removal \u2014 database deletion without verified backup is permanently destructive.",
+    "summary": "Gate RDS/PolarDB instance deletion, spec downgrade, and backup policy removal — database deletion without verified backup is permanently destructive.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/rds",
@@ -601,7 +629,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Traffic engineering for Alibaba Cloud load balancers \u2014 CLB (Classic, legacy), ALB (Application Load Balancer, Layer 7 advanced routing), NLB (Network Load Balancer, Layer 4 high throughput), and GA (Global Accelerator) \u2014 type selection, health check design, WAF integration, and traffic distribution.",
+    "summary": "Traffic engineering for Alibaba Cloud load balancers — CLB (Classic, legacy), ALB (Application Load Balancer, Layer 7 advanced routing), NLB (Network Load Balancer, Layer 4 high throughput), and GA (Global Accelerator) — type selection, health check design, WAF integration, and traffic distribution.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/slb/classic-load-balancer/product-overview/what-is-clb",
@@ -609,7 +637,7 @@
       "https://www.alibabacloud.com/help/en/slb/network-load-balancer/product-overview/what-is-nlb",
       "https://www.alibabacloud.com/help/en/global-accelerator/latest/what-is-global-accelerator"
     ],
-    "security_notes": "CLB instances with public listeners and no WAF integration are exposed directly to the internet \u2014 ALB with WAF integration is required for PCI-DSS and MLPS 2.0 Level 3 regulated HTTP workloads. NLB passes client source IP directly to backends \u2014 backend security groups must account for this and restrict access from the NLB CIDR range.",
+    "security_notes": "CLB instances with public listeners and no WAF integration are exposed directly to the internet — ALB with WAF integration is required for PCI-DSS and MLPS 2.0 Level 3 regulated HTTP workloads. NLB passes client source IP directly to backends — backend security groups must account for this and restrict access from the NLB CIDR range.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-load-balancer-traffic-engineer",
     "version": "0.1.0",
@@ -628,7 +656,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Route Alibaba Cloud tasks to the narrowest specialist or team of specialists from the 27-agent catalog. China-region aware \u2014 flags MLPS 2.0, DSL, and PIPL obligations for CN-* workloads. Classifies and dispatches only; never answers Alibaba Cloud questions directly. Never auto-dispatches live-guard agents.",
+    "summary": "Route Alibaba Cloud tasks to the narrowest specialist or team of specialists from the 27-agent catalog. China-region aware — flags MLPS 2.0, DSL, and PIPL obligations for CN-* workloads. Classifies and dispatches only; never answers Alibaba Cloud questions directly. Never auto-dispatches live-guard agents.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en",
@@ -636,7 +664,7 @@
       "https://www.alibabacloud.com/help/en/vpc",
       "https://www.alibabacloud.com/help/en/ecs"
     ],
-    "security_notes": "Maestro must never auto-dispatch live-guard agents. RAM AdministratorAccess mutations and KMS key deletion are irreversible with account-wide or permanent data-loss blast radius. China mainland regions carry additional DSL/MLPS/PIPL obligations \u2014 flag cross-border data transfer and MLPS grading questions before routing.",
+    "security_notes": "Maestro must never auto-dispatch live-guard agents. RAM AdministratorAccess mutations and KMS key deletion are irreversible with account-wide or permanent data-loss blast radius. China mainland regions carry additional DSL/MLPS/PIPL obligations — flag cross-border data transfer and MLPS grading questions before routing.",
     "last_verified": "2026-05-08",
     "path": "skills/alibaba/alibaba-maestro",
     "author": "github: Raishin",
@@ -688,7 +716,7 @@
       "https://www.alibabacloud.com/help/en/smc",
       "https://www.alibabacloud.com/help/en/dts"
     ],
-    "security_notes": "DTS replication user requires REPLICATION SLAVE privilege \u2014 least privilege on source. Never cut over without verifying DTS lag < 5 seconds and backup integrity.",
+    "security_notes": "DTS replication user requires REPLICATION SLAVE privilege — least privilege on source. Never cut over without verifying DTS lag < 5 seconds and backup integrity.",
     "last_verified": "2026-05-08",
     "path": "skills/alibaba/alibaba-migration-architect",
     "author": "github: Raishin",
@@ -707,7 +735,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Configure and operate Alibaba MSE \u2014 Nacos service discovery and configuration management, Sentinel rate limiting and circuit breaking, Seata distributed transactions, and ARMS APM for microservices observability.",
+    "summary": "Configure and operate Alibaba MSE — Nacos service discovery and configuration management, Sentinel rate limiting and circuit breaking, Seata distributed transactions, and ARMS APM for microservices observability.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/mse",
@@ -732,7 +760,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Design Alibaba Cloud network topology \u2014 VPC peering, CEN for multi-VPC/multi-region connectivity, Express Connect for private circuits, SLB/ALB/NLB/CLB load balancer selection, and Smart Access Gateway for branch offices.",
+    "summary": "Design Alibaba Cloud network topology — VPC peering, CEN for multi-VPC/multi-region connectivity, Express Connect for private circuits, SLB/ALB/NLB/CLB load balancer selection, and Smart Access Gateway for branch offices.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/vpc",
@@ -785,7 +813,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern Alibaba Cloud OSS data perimeters \u2014 bucket ACL and policy conflict resolution, Block Public Access configuration, cross-account access via RAM role, VPC endpoint binding for private access, WORM (Object Lock), and MLPS 2.0 data residency compliance.",
+    "summary": "Govern Alibaba Cloud OSS data perimeters — bucket ACL and policy conflict resolution, Block Public Access configuration, cross-account access via RAM role, VPC endpoint binding for private access, WORM (Object Lock), and MLPS 2.0 data residency compliance.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/oss/user-guide/block-public-access",
@@ -793,7 +821,7 @@
       "https://www.alibabacloud.com/help/en/oss/user-guide/use-bucket-policies-to-authorize-other-users-to-access-oss-resources",
       "https://www.alibabacloud.com/help/en/oss/user-guide/oss-interface-for-vpc"
     ],
-    "security_notes": "Alibaba Cloud OSS bucket names are globally unique \u2014 a publicly accessible bucket with a guessable name exposes data without authentication. OSS Cross-Region Replication (CRR) to international regions from CN-* buckets containing personal data violates PIPL and may violate MLPS 2.0 \u2014 verify replication destination region compliance.",
+    "security_notes": "Alibaba Cloud OSS bucket names are globally unique — a publicly accessible bucket with a guessable name exposes data without authentication. OSS Cross-Region Replication (CRR) to international regions from CN-* buckets containing personal data violates PIPL and may violate MLPS 2.0 — verify replication destination region compliance.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-oss-data-perimeter-governor",
     "version": "0.1.0",
@@ -837,7 +865,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate PolarDB (MySQL/PG/Oracle) clusters and RDS instances \u2014 DAS diagnostics, database proxy, Global Database Network, backup strategy, and performance tuning.",
+    "summary": "Operate PolarDB (MySQL/PG/Oracle) clusters and RDS instances — DAS diagnostics, database proxy, Global Database Network, backup strategy, and performance tuning.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/polardb",
@@ -869,7 +897,7 @@
       "https://www.alibabacloud.com/help/en/ram",
       "https://www.alibabacloud.com/help/en/resource-management"
     ],
-    "security_notes": "Never request RAM AccessKey/SecretKey or STS tokens. RAM AdministratorAccess is a critical finding. Resource Directory Control Policy overrides all RAM policies in member accounts \u2014 test in simulation before enforcement.",
+    "security_notes": "Never request RAM AccessKey/SecretKey or STS tokens. RAM AdministratorAccess is a critical finding. Resource Directory Control Policy overrides all RAM policies in member accounts — test in simulation before enforcement.",
     "last_verified": "2026-05-08",
     "path": "skills/alibaba/alibaba-ram-iam-review",
     "author": "github: Raishin",
@@ -888,14 +916,14 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern Alibaba Cloud Container Registry (ACR) \u2014 Enterprise Edition vs Personal Edition selection, image vulnerability scanning, namespace IAM least privilege, image retention policies, cross-region replication, and supply chain security posture.",
+    "summary": "Govern Alibaba Cloud Container Registry (ACR) — Enterprise Edition vs Personal Edition selection, image vulnerability scanning, namespace IAM least privilege, image retention policies, cross-region replication, and supply chain security posture.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/acr/product-overview/what-is-container-registry",
       "https://www.alibabacloud.com/help/en/acr/user-guide/configure-image-tag-immutability",
       "https://www.alibabacloud.com/help/en/acr/user-guide/use-image-scanner-to-scan-images"
     ],
-    "security_notes": "ACR Personal Edition namespaces are globally shared \u2014 namespace name collisions are possible; use ACR Enterprise Edition with isolated instance for production. Public ACR namespaces in CN-* regions are accessible globally \u2014 this creates cross-border data flow implications under Chinese data regulations.",
+    "security_notes": "ACR Personal Edition namespaces are globally shared — namespace name collisions are possible; use ACR Enterprise Edition with isolated instance for production. Public ACR namespaces in CN-* regions are accessible globally — this creates cross-border data flow implications under Chinese data regulations.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-registry-artifact-governor",
     "version": "0.1.0",
@@ -914,7 +942,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Alibaba Cloud workload HA and BCDR designs \u2014 RDS High-Availability Edition failover, PolarDB Global Database Network, ACK multi-zone, ECS disaster recovery cross-region, RTO/RPO target analysis, and HBR (Hybrid Backup Recovery) coverage.",
+    "summary": "Review Alibaba Cloud workload HA and BCDR designs — RDS High-Availability Edition failover, PolarDB Global Database Network, ACK multi-zone, ECS disaster recovery cross-region, RTO/RPO target analysis, and HBR (Hybrid Backup Recovery) coverage.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/rds/apsaradb-rds-for-mysql/disaster-recovery-solution",
@@ -923,7 +951,7 @@
       "https://www.alibabacloud.com/help/en/hybrid-backup-recovery/latest/what-is-hbr",
       "https://www.alibabacloud.com/help/en/server-load-balancer/latest/what-is-global-traffic-manager"
     ],
-    "security_notes": "HBR backup vaults in the same region as production provide no DR value for region-level failures \u2014 require cross-region vault configuration. PolarDB Global Database Network write routing to primary means regional primary failure requires manual failover promotion \u2014 confirm this is documented in runbooks.",
+    "security_notes": "HBR backup vaults in the same region as production provide no DR value for region-level failures — require cross-region vault configuration. PolarDB Global Database Network write routing to primary means regional primary failure requires manual failover promotion — confirm this is documented in runbooks.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-resilience-bcdr-review",
     "version": "0.1.0",
@@ -950,7 +978,7 @@
       "https://www.alibabacloud.com/help/en/ddos",
       "https://www.alibabacloud.com/help/en/cloud-firewall"
     ],
-    "security_notes": "Cloud Firewall policy changes affect all instances in scope simultaneously. WAF bypass via IP whitelist requires documented justification. Anti-DDoS tier downgrade during an active attack is blocked. Security Center agent uninstall removes host-level visibility \u2014 confirm before removing.",
+    "security_notes": "Cloud Firewall policy changes affect all instances in scope simultaneously. WAF bypass via IP whitelist requires documented justification. Anti-DDoS tier downgrade during an active attack is blocked. Security Center agent uninstall removes host-level visibility — confirm before removing.",
     "last_verified": "2026-05-08",
     "path": "skills/alibaba/alibaba-security-center-hardening",
     "author": "github: Raishin",
@@ -969,7 +997,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Function Compute 3.0 (FC3), SAE (Serverless App Engine), and EDAS for production readiness \u2014 cold start optimization, VPC binding, RAM role injection, ARMS distributed tracing, security group rules, concurrency limits, and SLA-readiness.",
+    "summary": "Review Function Compute 3.0 (FC3), SAE (Serverless App Engine), and EDAS for production readiness — cold start optimization, VPC binding, RAM role injection, ARMS distributed tracing, security group rules, concurrency limits, and SLA-readiness.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/functioncompute/latest/overview",
@@ -977,7 +1005,7 @@
       "https://www.alibabacloud.com/help/en/arms/latest/what-is-arms",
       "https://www.alibabacloud.com/help/en/ram/latest/overview-1"
     ],
-    "security_notes": "FC function AccessKey IDs in environment variables are exposed in the FC console to anyone with fc:GetFunction permission \u2014 use RAM role binding exclusively. SAE applications in the same namespace share network access unless namespace-level VPC isolation is configured.",
+    "security_notes": "FC function AccessKey IDs in environment variables are exposed in the FC console to anyone with fc:GetFunction permission — use RAM role binding exclusively. SAE applications in the same namespace share network access unless namespace-level VPC isolation is configured.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-serverless-production-readiness",
     "version": "0.1.0",
@@ -996,7 +1024,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Design Alibaba Cloud solutions \u2014 product selection (PolarDB vs RDS, ACK vs ASK vs SAE, MaxCompute vs AnalyticDB), architecture patterns, landing zone design, and disaster recovery strategies aligned to the Alibaba Well-Architected Framework.",
+    "summary": "Design Alibaba Cloud solutions — product selection (PolarDB vs RDS, ACK vs ASK vs SAE, MaxCompute vs AnalyticDB), architecture patterns, landing zone design, and disaster recovery strategies aligned to the Alibaba Well-Architected Framework.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/ecs",
@@ -1023,7 +1051,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Coordinate Alibaba Cloud support incidents \u2014 case creation with correct severity (\u7d27\u6025/\u9ad8/\u4e2d/\u4f4e), Enterprise Support SLA enforcement, account manager escalation path, status page monitoring for CN-* and international, internal stakeholder communication, and post-incident evidence packaging.",
+    "summary": "Coordinate Alibaba Cloud support incidents — case creation with correct severity (紧急/高/中/低), Enterprise Support SLA enforcement, account manager escalation path, status page monitoring for CN-* and international, internal stakeholder communication, and post-incident evidence packaging.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/support/user-guide/submit-a-ticket",
@@ -1031,7 +1059,7 @@
       "https://status.aliyun.com/",
       "https://www.alibabacloud.com/help/en/support/user-guide/technical-support-plans"
     ],
-    "security_notes": "Alibaba Cloud support case attachments are stored on Alibaba Cloud infrastructure \u2014 never attach files containing customer financial data, personal health information, or unredacted credentials. Enterprise Support SLA breach timestamps must be documented for contractual credit claims.",
+    "security_notes": "Alibaba Cloud support case attachments are stored on Alibaba Cloud infrastructure — never attach files containing customer financial data, personal health information, or unredacted credentials. Enterprise Support SLA breach timestamps must be documented for contractual credit claims.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-support-incident-coordinator",
     "version": "0.1.0",
@@ -1050,7 +1078,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Triage Alibaba Cloud operational alerts, incidents, and support tickets \u2014 P0/P1/P2/P3 classification, Alibaba Cloud Support SLA enforcement, account manager escalation, DingTalk war room coordination, evidence collection from CloudMonitor and SLS, and safe escalation paths.",
+    "summary": "Triage Alibaba Cloud operational alerts, incidents, and support tickets — P0/P1/P2/P3 classification, Alibaba Cloud Support SLA enforcement, account manager escalation, DingTalk war room coordination, evidence collection from CloudMonitor and SLS, and safe escalation paths.",
     "source_type": "original",
     "official_docs": [
       "https://www.alibabacloud.com/help/en/support/user-guide/submit-a-ticket",
@@ -1058,7 +1086,7 @@
       "https://www.alibabacloud.com/help/en/cms/user-guide/what-is-cloud-monitor",
       "https://www.alibabacloud.com/help/en/sls/user-guide/what-is-log-service"
     ],
-    "security_notes": "Alibaba Cloud support ticket attachments visible to Alibaba support staff \u2014 scrub AccessKey IDs, account IDs, customer PII, and unredacted log data before sharing. China mainland support team and international support team are organizationally separate \u2014 tickets filed in the wrong region receive slower response.",
+    "security_notes": "Alibaba Cloud support ticket attachments visible to Alibaba support staff — scrub AccessKey IDs, account IDs, customer PII, and unredacted log data before sharing. China mainland support team and international support team are organizationally separate — tickets filed in the wrong region receive slower response.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-ticket-triage-escalation-coordinator",
     "version": "0.1.0",
@@ -1085,7 +1113,7 @@
       "https://www.alibabacloud.com/help/en/ecs/user-guide/savings-plans",
       "https://www.alibabacloud.com/help/en/oss/user-guide/lifecycle"
     ],
-    "security_notes": "Read-only advisory. Do not cancel Savings Plans, Reserved Instances, delete snapshots, or stop instances without explicit approval and resource inventory confirmation. Note: CN-* regions and international regions have separate billing accounts \u2014 always confirm which account context the analysis applies to.",
+    "security_notes": "Read-only advisory. Do not cancel Savings Plans, Reserved Instances, delete snapshots, or stop instances without explicit approval and resource inventory confirmation. Note: CN-* regions and international regions have separate billing accounts — always confirm which account context the analysis applies to.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-waf-cost-optimization-review",
     "author": "github: Raishin",
@@ -1140,12 +1168,41 @@
       "https://www.alibabacloud.com/help/en/actiontrail",
       "https://www.alibabacloud.com/help/en/waf"
     ],
-    "security_notes": "Read-only advisory. Do not modify RAM policies, Security Group rules, KMS keys, or ActionTrail configurations without explicit approval. Note: Alibaba Cloud has separate China (CN-*) and international regions with different regulatory scopes \u2014 always confirm region before assessing compliance.",
+    "security_notes": "Read-only advisory. Do not modify RAM policies, Security Group rules, KMS keys, or ActionTrail configurations without explicit approval. Note: Alibaba Cloud has separate China (CN-*) and international regions with different regulatory scopes — always confirm region before assessing compliance.",
     "last_verified": "2026-05-09",
     "path": "skills/alibaba/alibaba-waf-security-review",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "analytics-data-minimization-review",
+    "name": "Analytics Data-Minimization Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review analytics platform configuration — GA4 property settings, BigQuery export schema, custom event-parameter definitions, and user-property declarations — for data-minimization violations, excessive collection, and storage-period over-retention under GDPR Article 5(1)(c) and 5(1)(e) and EU DPA enforcement on GA4.",
+    "source_type": "original",
+    "official_docs": [
+      "https://gdpr-info.eu/art-5-gdpr/",
+      "https://www.cnil.fr/en/use-google-analytics-and-data-transfers-united-states-cnil-orders-website-manageroperator-comply/",
+      "https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr",
+      "https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9782874",
+      "https://support.google.com/analytics/answer/9019185"
+    ],
+    "security_notes": "Read-only static review of sanitized analytics configuration exports and schema definitions only. Never request live analytics data, raw event exports containing real user identifiers, GA4 admin credentials, or BigQuery service-account keys. Findings may indicate cross-border data transfer violations requiring DPA notification — route remediation and legal assessment to qualified privacy counsel before acting on findings.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/analytics-data-minimization-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
   {
     "id": "argo-rollouts-progressive-delivery-review",
     "name": "Argo Rollouts Progressive Delivery Review",
@@ -1199,7 +1256,7 @@
       "https://argo-cd.readthedocs.io/en/stable/proposals/decouple-application-sync-user-using-impersonation/",
       "https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-cm-yaml/"
     ],
-    "security_notes": "Sync impersonation is disabled by default \u2014 controller runs as cluster-admin on every destination. AppProject sourceRepos and destinations wildcards remove blast-radius bounds. Automated prune+selfHeal on Git divergence is irreversible. ApplicationSet unbounded cluster generators auto-onboard misconfigured clusters.",
+    "security_notes": "Sync impersonation is disabled by default — controller runs as cluster-admin on every destination. AppProject sourceRepos and destinations wildcards remove blast-radius bounds. Automated prune+selfHeal on Git divergence is irreversible. ApplicationSet unbounded cluster generators auto-onboard misconfigured clusters.",
     "last_verified": "2026-05-01",
     "path": "skills/argocd/argocd-gitops-review",
     "author": "github: Raishin",
@@ -2904,7 +2961,7 @@
       "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security",
       "https://learn.microsoft.com/en-us/azure/key-vault/general/network-security"
     ],
-    "security_notes": "Key Vault Contributor role assigned to cert-manager allows deletion of the Key Vault, management policy changes, and purge of soft-deleted certs \u2014 a full management plane compromise. Use Key Vault Certificate Officer (data plane RBAC) instead. Exportable certificates allow private key extraction from Key Vault; use non-exportable certs for cluster-internal mTLS.",
+    "security_notes": "Key Vault Contributor role assigned to cert-manager allows deletion of the Key Vault, management policy changes, and purge of soft-deleted certs — a full management plane compromise. Use Key Vault Certificate Officer (data plane RBAC) instead. Exportable certificates allow private key extraction from Key Vault; use non-exportable certs for cluster-internal mTLS.",
     "last_verified": "2026-05-02",
     "path": "skills/azure/azure-keyvault-certificate-issuer-review",
     "version": "0.1.0",
@@ -3123,7 +3180,7 @@
       "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role",
       "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure-azure-ad-roles"
     ],
-    "security_notes": "Never activate a PIM role without justification, ticket reference, and MFA confirmation. An agent cannot activate another user's PIM role on their behalf \u2014 only the eligible principal may submit. Requires Entra ID P2 or equivalent license.",
+    "security_notes": "Never activate a PIM role without justification, ticket reference, and MFA confirmation. An agent cannot activate another user's PIM role on their behalf — only the eligible principal may submit. Requires Entra ID P2 or equivalent license.",
     "last_verified": "2026-04-30",
     "path": "skills/azure/azure-live-pim-jit-activation-guard",
     "author": "github: Raishin",
@@ -3654,6 +3711,34 @@
     "version": "0.1.0",
     "author": "github: Raishin"
   },
+  {
+    "id": "ci-test-pipeline-review",
+    "name": "CI Test Pipeline Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review how a CI pipeline runs tests — gating, sharding, parallelism, fail-fast, artifact retention, quarantine wiring, and secret exposure — to verify the test suite actually blocks bad merges. Static review only.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs",
+      "https://docs.github.com/en/repositories/configuring-branches-and-merges/about-protected-branches",
+      "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions",
+      "https://docs.gitlab.com/ee/ci/yaml/",
+      "https://playwright.dev/docs/test-sharding"
+    ],
+    "security_notes": "Static review only — reads CI workflow and branch-protection configuration, never triggers or runs pipelines. Flags secret exposure to test jobs on pull_request_target or fork PRs. Never request or accept CI secrets, deploy keys, or registry tokens; ask for sanitized workflow files.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/ci-test-pipeline-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "cilium-network-policy-review",
     "name": "Cilium Network Policy Review",
@@ -3704,7 +3789,7 @@
       "https://docs.contabo.com/",
       "https://contabo.com/en/vps/"
     ],
-    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes \u2014 never cache or log them. Credentials must remain in environment variables. Contabo has no official Terraform provider or SDK; recommend cntb CLI or REST API. Contractual periods (1, 3, 6, 12 months) are binding at instance creation \u2014 capacity plans must declare the period and its billing impact. SSH keys are managed as secret IDs; never expose raw key material in plans or API calls.",
+    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes — never cache or log them. Credentials must remain in environment variables. Contabo has no official Terraform provider or SDK; recommend cntb CLI or REST API. Contractual periods (1, 3, 6, 12 months) are binding at instance creation — capacity plans must declare the period and its billing impact. SSH keys are managed as secret IDs; never expose raw key material in plans or API calls.",
     "last_verified": "2026-05-10",
     "path": "skills/contabo/contabo-capacity-planner",
     "author": "github: Raishin",
@@ -3730,7 +3815,7 @@
       "https://docs.contabo.com/",
       "https://contabo.com/en/vps/"
     ],
-    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes \u2014 never cache or log them. Store CONTABO_CLIENT_ID, CONTABO_CLIENT_SECRET, CONTABO_API_USER, CONTABO_API_PASSWORD in environment variables only. Contabo has no official Terraform provider or SDK; recommend cntb CLI or REST API. Contractual billing periods (1, 3, 6, 12 months) create irreversible obligations \u2014 always surface billing impact before any sizing or period recommendation.",
+    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes — never cache or log them. Store CONTABO_CLIENT_ID, CONTABO_CLIENT_SECRET, CONTABO_API_USER, CONTABO_API_PASSWORD in environment variables only. Contabo has no official Terraform provider or SDK; recommend cntb CLI or REST API. Contractual billing periods (1, 3, 6, 12 months) create irreversible obligations — always surface billing impact before any sizing or period recommendation.",
     "last_verified": "2026-05-10",
     "path": "skills/contabo/contabo-cost-optimization-analyst",
     "author": "github: Raishin",
@@ -3755,7 +3840,7 @@
       "https://api.contabo.com/",
       "https://docs.contabo.com/"
     ],
-    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes \u2014 refresh handling must not log token values. Credentials must remain in environment variables. Contabo has no official Terraform provider or SDK; recommend cntb CLI or REST API with curl + jq. Contractual periods (1, 3, 6, 12 months) are binding at creation \u2014 cancellation may incur early-termination billing. x-request-id (UUIDv4) is mandatory for all mutation calls. Hard-stop on any lifecycle action without explicit period acknowledgment and rollback plan.",
+    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes — refresh handling must not log token values. Credentials must remain in environment variables. Contabo has no official Terraform provider or SDK; recommend cntb CLI or REST API with curl + jq. Contractual periods (1, 3, 6, 12 months) are binding at creation — cancellation may incur early-termination billing. x-request-id (UUIDv4) is mandatory for all mutation calls. Hard-stop on any lifecycle action without explicit period acknowledgment and rollback plan.",
     "last_verified": "2026-05-10",
     "path": "skills/contabo/contabo-live-instance-lifecycle-guard",
     "author": "github: Raishin",
@@ -3780,7 +3865,7 @@
       "https://api.contabo.com/",
       "https://docs.contabo.com/"
     ],
-    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes \u2014 refresh handling must not log token values. Credentials must remain in environment variables. Contabo Object Storage is S3-compatible \u2014 S3 access key and secret key must be stored as environment variables, never hardcoded. x-request-id (UUIDv4) is mandatory for Contabo REST API calls. Hard-stop on any bucket deletion without verified backup evidence. Contabo has no official Terraform provider or SDK; recommend cntb CLI or REST API with curl + jq.",
+    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes — refresh handling must not log token values. Credentials must remain in environment variables. Contabo Object Storage is S3-compatible — S3 access key and secret key must be stored as environment variables, never hardcoded. x-request-id (UUIDv4) is mandatory for Contabo REST API calls. Hard-stop on any bucket deletion without verified backup evidence. Contabo has no official Terraform provider or SDK; recommend cntb CLI or REST API with curl + jq.",
     "last_verified": "2026-05-10",
     "path": "skills/contabo/contabo-live-storage-operations-guard",
     "author": "github: Raishin",
@@ -3805,7 +3890,7 @@
       "https://api.contabo.com/",
       "https://docs.contabo.com/"
     ],
-    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes \u2014 never cache or log them. Credentials must remain in environment variables. The x-request-id UUIDv4 header is mandatory for support traceability. Contabo has no official Terraform provider or SDK; recommend cntb CLI or REST API. Contractual periods (1, 3, 6, 12 months) create billing obligations \u2014 never route lifecycle changes without explicit period acknowledgment.",
+    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes — never cache or log them. Credentials must remain in environment variables. The x-request-id UUIDv4 header is mandatory for support traceability. Contabo has no official Terraform provider or SDK; recommend cntb CLI or REST API. Contractual periods (1, 3, 6, 12 months) create billing obligations — never route lifecycle changes without explicit period acknowledgment.",
     "last_verified": "2026-05-10",
     "path": "skills/contabo/contabo-maestro",
     "author": "github: Raishin",
@@ -3830,12 +3915,69 @@
       "https://api.contabo.com/",
       "https://docs.contabo.com/"
     ],
-    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes \u2014 short TTL reduces exposure window but refresh logic must not log tokens. Credentials must never be hardcoded. SSH keys are referenced via secret IDs \u2014 raw private key material must never appear in API payloads, scripts, or recommendations. The x-request-id UUIDv4 header is mandatory for audit traceability.",
+    "security_notes": "OAuth2 password grant tokens expire in ~5 minutes — short TTL reduces exposure window but refresh logic must not log tokens. Credentials must never be hardcoded. SSH keys are referenced via secret IDs — raw private key material must never appear in API payloads, scripts, or recommendations. The x-request-id UUIDv4 header is mandatory for audit traceability.",
     "last_verified": "2026-05-10",
     "path": "skills/contabo/contabo-security-hardening",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "email-sender-authentication-review",
+    "name": "Email Sender Authentication Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review DNS sender-authentication records (SPF, DKIM, DMARC, BIMI) for a marketing domain to identify policy gaps exposing campaigns to rejection, spoofing, or inbox displacement.",
+    "source_type": "original",
+    "official_docs": [
+      "https://datatracker.ietf.org/doc/html/rfc7489",
+      "https://support.google.com/mail/answer/81126",
+      "https://www.pcisecuritystandards.org/document_library/",
+      "https://www.cisa.gov/sites/default/files/publications/bod-18-01.pdf",
+      "https://datatracker.ietf.org/doc/html/rfc7208"
+    ],
+    "security_notes": "Email authentication reviews work from sanitized DNS TXT record exports only. Never request live DMARC aggregate report XML, ESP account credentials, or sending-platform API keys. SPF, DKIM, and DMARC records are publicly resolvable; the artifact is the domain's own export, not live lookups against production DNS.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/email-sender-authentication-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
+  {
+    "id": "eu-ai-act-marketing-system-review",
+    "name": "EU AI Act Marketing System Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review a marketing AI system description card against EU AI Act Regulation 2024/1689 risk-tier criteria — classify the system, flag documentation obligations (Articles 11, 13, 14, 43), and identify deployment-readiness gaps before the August 2, 2026 full-enforcement date.",
+    "source_type": "original",
+    "official_docs": [
+      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689",
+      "https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai",
+      "https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence",
+      "https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-022023-technical-scope-art-22-gdpr_en",
+      "https://artificialintelligenceact.eu/the-act/"
+    ],
+    "security_notes": "EU AI Act classification determines conformity assessment, CE marking, and EU AI database registration obligations — misclassification is itself a compliance gap. Review works from sanitized AI system description cards only; never request model weights, training datasets, internal performance logs, or vendor system-access credentials. Legal determination of Article 5 prohibited practices is routed to qualified counsel.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/eu-ai-act-marketing-system-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "external-secrets-operator-review",
     "name": "External Secrets Operator Review",
@@ -3888,7 +4030,7 @@
       "https://falco.org/docs/install-operate/deployment/",
       "https://github.com/falcosecurity/rules/tree/main/rules"
     ],
-    "security_notes": "Falco with overly broad rule exceptions creates detection blind spots. A rule exception matching an entire process family (java, python, node) or a specific container name completely disables detection for that workload \u2014 attackers can exploit known exception patterns.",
+    "security_notes": "Falco with overly broad rule exceptions creates detection blind spots. A rule exception matching an entire process family (java, python, node) or a specific container name completely disables detection for that workload — attackers can exploit known exception patterns.",
     "last_verified": "2026-05-02",
     "path": "skills/falco/falco-runtime-threat-rules-review",
     "version": "0.1.0",
@@ -3949,7 +4091,7 @@
       "https://www.alibabacloud.com/cloud-computing/pricing",
       "https://cloud.tencent.com/product/cvm/pricing"
     ],
-    "security_notes": "AWS, Azure, OCI, and Scaleway pricing APIs are public and require no authentication. Gandi requires a user-provided API key (never stored by the agent; discarded after single use). Alibaba Cloud and Tencent Cloud pricing is fetched via scrape-based fallback from official pricing pages \u2014 no credentials required or accepted.",
+    "security_notes": "AWS, Azure, OCI, and Scaleway pricing APIs are public and require no authentication. Gandi requires a user-provided API key (never stored by the agent; discarded after single use). Alibaba Cloud and Tencent Cloud pricing is fetched via scrape-based fallback from official pricing pages — no credentials required or accepted.",
     "last_verified": "2026-05-13",
     "path": "skills/finops/finops-cloud-price-advisor",
     "version": "0.2.1",
@@ -4005,7 +4147,7 @@
       "https://fluxcd.io/flux/security/secrets-management/",
       "https://fluxcd.io/flux/installation/configuration/multitenancy/"
     ],
-    "security_notes": "Plaintext Kubernetes Secret manifests committed to a FluxCD Git source are exposed to anyone with repo read access \u2014 including CI systems, PR participants, and auditors. GitRepository sources without commit signature verification allow any commit (including injected ones) to deploy to production.",
+    "security_notes": "Plaintext Kubernetes Secret manifests committed to a FluxCD Git source are exposed to anyone with repo read access — including CI systems, PR participants, and auditors. GitRepository sources without commit signature verification allow any commit (including injected ones) to deploy to production.",
     "last_verified": "2026-05-02",
     "path": "skills/fluxcd/fluxcd-kustomization-helmrelease-review",
     "version": "0.1.0",
@@ -4050,7 +4192,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and build AI-powered applications on AlloyDB for PostgreSQL using AlloyDB AI \u2014 covering vector search, hybrid search, AI SQL functions, model endpoint management, and the AlloyDB Omni edge runtime.",
+    "summary": "Design and build AI-powered applications on AlloyDB for PostgreSQL using AlloyDB AI — covering vector search, hybrid search, AI SQL functions, model endpoint management, and the AlloyDB Omni edge runtime.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/alloydb/docs/ai/overview",
@@ -4076,7 +4218,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate AlloyDB clusters and Cloud SQL instances \u2014 HA configuration, read replicas, connection pooling, maintenance windows, backup strategy, and performance diagnostics.",
+    "summary": "Operate AlloyDB clusters and Cloud SQL instances — HA configuration, read replicas, connection pooling, maintenance windows, backup strategy, and performance diagnostics.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/alloydb/docs/overview",
@@ -4084,7 +4226,7 @@
       "https://cloud.google.com/sql/docs/postgres/high-availability",
       "https://cloud.google.com/alloydb/docs/auth-proxy/overview"
     ],
-    "security_notes": "Private IP is strongly preferred over public IP for Cloud SQL. AlloyDB is NOT a drop-in replacement for Cloud SQL \u2014 backup/restore procedures differ. Always set maintenance windows to off-peak hours.",
+    "security_notes": "Private IP is strongly preferred over public IP for Cloud SQL. AlloyDB is NOT a drop-in replacement for Cloud SQL — backup/restore procedures differ. Always set maintenance windows to off-peak hours.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-alloydb-cloudsql-dba",
     "author": "github: Raishin",
@@ -4111,7 +4253,7 @@
       "https://cloud.google.com/anthos/fleet-management/docs/fleet-concepts",
       "https://cloud.google.com/service-mesh/docs/overview"
     ],
-    "security_notes": "Policy Controller audit mode detects violations but does not block them \u2014 enforcement mode is required for hard compliance guarantees. Connect Gateway enables kubectl access without exposing the Kubernetes API to the internet. ASM mutual TLS must be STRICT mode for zero-trust enforcement.",
+    "security_notes": "Policy Controller audit mode detects violations but does not block them — enforcement mode is required for hard compliance guarantees. Connect Gateway enables kubectl access without exposing the Kubernetes API to the internet. ASM mutual TLS must be STRICT mode for zero-trust enforcement.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-anthos-multicloud-architect",
     "author": "github: Raishin",
@@ -4130,14 +4272,14 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and operate Apigee X API proxies \u2014 rate limiting, OAuth/JWT security policies, quota plans, developer portal setup, and API product management.",
+    "summary": "Design and operate Apigee X API proxies — rate limiting, OAuth/JWT security policies, quota plans, developer portal setup, and API product management.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/apigee/docs/api-platform/get-started/what-apigee",
       "https://cloud.google.com/apigee/docs/api-platform/security/oauth/oauth-home",
       "https://cloud.google.com/apigee/docs/api-platform/reference/policies/spike-arrest-policy"
     ],
-    "security_notes": "Misconfigured Apigee security policies directly expose backend services. SpikeArrest alone does not protect against sustained load \u2014 Quota policy is required. Target servers must be used instead of hardcoded backend URLs. Scoped to Apigee X only; do not conflate with Apigee hybrid or Apigee Edge.",
+    "security_notes": "Misconfigured Apigee security policies directly expose backend services. SpikeArrest alone does not protect against sustained load — Quota policy is required. Target servers must be used instead of hardcoded backend URLs. Scoped to Apigee X only; do not conflate with Apigee hybrid or Apigee Edge.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-apigee-api-platform-operator",
     "author": "github: Raishin",
@@ -4183,7 +4325,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review GCP Certificate Manager and classic Google-managed TLS certificates \u2014 certificate map configuration, DNS authorization, CAA record validation, certificate rotation automation, wildcard vs SAN design, and expiry monitoring.",
+    "summary": "Review GCP Certificate Manager and classic Google-managed TLS certificates — certificate map configuration, DNS authorization, CAA record validation, certificate rotation automation, wildcard vs SAN design, and expiry monitoring.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/certificate-manager/docs/overview",
@@ -4191,7 +4333,7 @@
       "https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs",
       "https://cloud.google.com/certificate-manager/docs/monitor-certificate-status"
     ],
-    "security_notes": "Classic Google-managed certificates auto-renew but have no visibility into renewal status \u2014 Certificate Manager provides explicit certificate status fields. TLS 1.0 and 1.1 are deprecated \u2014 GCP LB default SSL policy allows TLS 1.0; create a custom SSL policy requiring TLS 1.2+ for all production load balancers.",
+    "security_notes": "Classic Google-managed certificates auto-renew but have no visibility into renewal status — Certificate Manager provides explicit certificate status fields. TLS 1.0 and 1.1 are deprecated — GCP LB default SSL policy allows TLS 1.0; create a custom SSL policy requiring TLS 1.2+ for all production load balancers.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-certificate-manager-issuer-review",
     "version": "0.1.0",
@@ -4210,7 +4352,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Pre-change blast radius analysis for GCP \u2014 cross-project resource dependency mapping, org policy cascade effects, Shared VPC peering impact, Service Account impersonation chain analysis, and safe change sequencing.",
+    "summary": "Pre-change blast radius analysis for GCP — cross-project resource dependency mapping, org policy cascade effects, Shared VPC peering impact, Service Account impersonation chain analysis, and safe change sequencing.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/asset-inventory/docs/overview",
@@ -4219,7 +4361,7 @@
       "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
       "https://cloud.google.com/vpc/docs/vpc-peering"
     ],
-    "security_notes": "Cloud Asset Inventory requires roles/cloudasset.viewer \u2014 ensure the reviewing principal has this before attempting dependency analysis. Org policy changes with deny-override can lock out even org admins from specific resources \u2014 test in a non-production folder first.",
+    "security_notes": "Cloud Asset Inventory requires roles/cloudasset.viewer — ensure the reviewing principal has this before attempting dependency analysis. Org policy changes with deny-override can lock out even org admins from specific resources — test in a non-production folder first.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-change-impact-advisor",
     "version": "0.1.0",
@@ -4238,7 +4380,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Advise on Google Cloud authentication and authorization patterns \u2014 covering ADC, service account best practices, Workload Identity Federation, human user auth, service-to-service auth, and anti-patterns like service account key downloads.",
+    "summary": "Advise on Google Cloud authentication and authorization patterns — covering ADC, service account best practices, Workload Identity Federation, human user auth, service-to-service auth, and anti-patterns like service account key downloads.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/docs/authentication",
@@ -4300,7 +4442,7 @@
       "https://cloud.google.com/artifact-registry/docs/overview",
       "https://cloud.google.com/build/docs/securing-builds/view-build-provenance"
     ],
-    "security_notes": "Cloud Build service accounts are commonly over-privileged \u2014 minimum required permissions are Cloud Run Admin + Artifact Registry Writer + GKE Developer. SLSA provenance combined with Binary Authorization prevents tampered artifacts from reaching production.",
+    "security_notes": "Cloud Build service accounts are commonly over-privileged — minimum required permissions are Cloud Run Admin + Artifact Registry Writer + GKE Developer. SLSA provenance combined with Binary Authorization prevents tampered artifacts from reaching production.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-cloudbuild-deploy-cicd-operator",
     "author": "github: Raishin",
@@ -4326,7 +4468,7 @@
       "https://cloud.google.com/security/compliance/offerings",
       "https://cloud.google.com/security-command-center/docs/compliance-dashboard"
     ],
-    "security_notes": "Not all GCP services are authorized for every compliance framework \u2014 always verify against the applicable authorized services list. HIPAA requires Google BAA coverage for PHI services. ITAR configuration restricts personnel access to US persons. Assured Workloads creates a boundary but does not replace customer-side controls.",
+    "security_notes": "Not all GCP services are authorized for every compliance framework — always verify against the applicable authorized services list. HIPAA requires Google BAA coverage for PHI services. ITAR configuration restricts personnel access to US persons. Assured Workloads creates a boundary but does not replace customer-side controls.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-compliance-assured-workloads",
     "author": "github: Raishin",
@@ -4353,7 +4495,7 @@
       "https://cloud.google.com/compute/docs/os-patch-management",
       "https://cloud.google.com/compute/docs/instances/spot"
     ],
-    "security_notes": "Spot VMs are preempted without advance notice \u2014 never use for latency-sensitive or non-fault-tolerant workloads. OS Login is preferred over metadata SSH keys for enterprise environments.",
+    "security_notes": "Spot VMs are preempted without advance notice — never use for latency-sensitive or non-fault-tolerant workloads. OS Login is preferred over metadata SSH keys for enterprise environments.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-compute-engine-operator",
     "author": "github: Raishin",
@@ -4372,7 +4514,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Detect and coordinate response to GCP cost anomalies \u2014 BigQuery on-demand query cost spikes ($5/TB scanned), Cloud Run scaling runaway, unattached Persistent Disks, idle GCE instances, budget alert \u2192 notification channel \u2192 remediation playbook.",
+    "summary": "Detect and coordinate response to GCP cost anomalies — BigQuery on-demand query cost spikes ($5/TB scanned), Cloud Run scaling runaway, unattached Persistent Disks, idle GCE instances, budget alert → notification channel → remediation playbook.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/billing/docs/how-to/budgets",
@@ -4381,7 +4523,7 @@
       "https://cloud.google.com/run/docs/configuring/max-instances",
       "https://cloud.google.com/recommender/docs/overview"
     ],
-    "security_notes": "BigQuery billing export dataset must restrict access \u2014 avoid allAuthenticatedUsers binding on the billing dataset as it exposes cost structure. Budget action to disable billing stops ALL services in the project \u2014 test on non-production projects first and use notification-only alerts for production unless willing to accept full service disruption.",
+    "security_notes": "BigQuery billing export dataset must restrict access — avoid allAuthenticatedUsers binding on the billing dataset as it exposes cost structure. Budget action to disable billing stops ALL services in the project — test on non-production projects first and use notification-only alerts for production unless willing to accept full service disruption.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-cost-anomaly-watch-coordinator",
     "version": "0.1.0",
@@ -4428,7 +4570,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Coordinate the daily GCP operations standup \u2014 cost delta from previous day, quota warning review, failed deployment detection, Security Command Center finding triage, SLO burn rate alert review, and action item assignment.",
+    "summary": "Coordinate the daily GCP operations standup — cost delta from previous day, quota warning review, failed deployment detection, Security Command Center finding triage, SLO burn rate alert review, and action item assignment.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/billing/docs/how-to/budgets",
@@ -4437,7 +4579,7 @@
       "https://cloud.google.com/deploy/docs/view-pipeline-status",
       "https://cloud.google.com/monitoring/slo-monitoring"
     ],
-    "security_notes": "Daily briefing participants may include non-security team members \u2014 sanitize SCC finding details to exclude exploit paths or unpatched CVE specifics from the general briefing. Cost delta data contains billing structure information \u2014 restrict briefing distribution to authorized personnel.",
+    "security_notes": "Daily briefing participants may include non-security team members — sanitize SCC finding details to exclude exploit paths or unpatched CVE specifics from the general briefing. Cost delta data contains billing structure information — restrict briefing distribution to authorized personnel.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-daily-operations-briefing-coordinator",
     "version": "0.1.0",
@@ -4465,7 +4607,7 @@
       "https://cloud.google.com/composer/docs/concepts/overview",
       "https://cloud.google.com/dataplex/docs/introduction"
     ],
-    "security_notes": "Dead letter topics are critical for any production Pub/Sub pipeline. Use ephemeral Dataproc clusters for cost efficiency. Pub/Sub delivers at-least-once \u2014 design consumers for idempotency.",
+    "security_notes": "Dead letter topics are critical for any production Pub/Sub pipeline. Use ephemeral Dataproc clusters for cost efficiency. Pub/Sub delivers at-least-once — design consumers for idempotency.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-data-pipeline-engineer",
     "author": "github: Raishin",
@@ -4484,7 +4626,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review GCP Pub/Sub, Eventarc, Cloud Tasks, Cloud Scheduler, and Workflows designs \u2014 dead-letter topics, message ordering, idempotency, fan-out blast radius, schema registry, and retry storm risk.",
+    "summary": "Review GCP Pub/Sub, Eventarc, Cloud Tasks, Cloud Scheduler, and Workflows designs — dead-letter topics, message ordering, idempotency, fan-out blast radius, schema registry, and retry storm risk.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/pubsub/docs/dead-letter-topics",
@@ -4494,7 +4636,7 @@
       "https://cloud.google.com/scheduler/docs/overview",
       "https://cloud.google.com/workflows/docs/overview"
     ],
-    "security_notes": "Pub/Sub topics with allUsers subscriber binding expose all messages publicly \u2014 always verify subscription IAM. Eventarc service account must follow least privilege \u2014 avoid binding roles/editor. Cloud Tasks payloads may contain sensitive data \u2014 use CMEK-encrypted queues for regulated workloads.",
+    "security_notes": "Pub/Sub topics with allUsers subscriber binding expose all messages publicly — always verify subscription IAM. Eventarc service account must follow least privilege — avoid binding roles/editor. Cloud Tasks payloads may contain sensitive data — use CMEK-encrypted queues for regulated workloads.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-event-driven-architecture-review",
     "version": "0.1.0",
@@ -4513,7 +4655,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Build, configure, and operate Firebase-powered web and mobile applications \u2014 covering Firestore, Firebase Auth, Firebase Hosting, Cloud Functions for Firebase, Firebase Storage, App Check, Remote Config, and Analytics.",
+    "summary": "Build, configure, and operate Firebase-powered web and mobile applications — covering Firestore, Firebase Auth, Firebase Hosting, Cloud Functions for Firebase, Firebase Storage, App Check, Remote Config, and Analytics.",
     "source_type": "original",
     "official_docs": [
       "https://firebase.google.com/docs",
@@ -4523,7 +4665,7 @@
       "https://firebase.google.com/docs/functions",
       "https://firebase.google.com/docs/app-check"
     ],
-    "security_notes": "Read-only skill. Do not deploy to production, modify Firestore security rules, or change Firebase project settings without explicit approval. Client config (apiKey, projectId) is public \u2014 service account keys are private and must never be embedded in client code.",
+    "security_notes": "Read-only skill. Do not deploy to production, modify Firestore security rules, or change Firebase project settings without explicit approval. Client config (apiKey, projectId) is public — service account keys are private and must never be embedded in client code.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-firebase-developer",
     "author": "github: Raishin",
@@ -4542,7 +4684,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern Google Cloud Storage data perimeters \u2014 uniform bucket-level access enforcement, public access prevention, VPC Service Controls perimeter coverage, IAM Conditions for time-bounded access, Object Lifecycle policies, and data residency compliance.",
+    "summary": "Govern Google Cloud Storage data perimeters — uniform bucket-level access enforcement, public access prevention, VPC Service Controls perimeter coverage, IAM Conditions for time-bounded access, Object Lifecycle policies, and data residency compliance.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/storage/docs/access-control/uniform-bucket-level-access",
@@ -4551,7 +4693,7 @@
       "https://cloud.google.com/storage/docs/lifecycle",
       "https://cloud.google.com/storage/docs/bucket-lock"
     ],
-    "security_notes": "GCS buckets with allUsers binding are indexed by search engines and data scrapers within minutes of creation \u2014 remediation must be immediate. VPC-SC perimeter around GCS requires testing in dry-run mode first \u2014 enforcement mode can break legitimate GCS access from outside the perimeter instantly.",
+    "security_notes": "GCS buckets with allUsers binding are indexed by search engines and data scrapers within minutes of creation — remediation must be immediate. VPC-SC perimeter around GCS requires testing in dry-run mode first — enforcement mode can break legitimate GCS access from outside the perimeter instantly.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-gcs-data-perimeter-governor",
     "version": "0.1.0",
@@ -4570,7 +4712,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Build, integrate, and debug Gemini API applications on Google Cloud Agent Platform using the unified google-genai SDK \u2014 covering text generation, multimodal inputs, function calling, structured output, embeddings, context caching, batch prediction, Live API, and model tuning.",
+    "summary": "Build, integrate, and debug Gemini API applications on Google Cloud Agent Platform using the unified google-genai SDK — covering text generation, multimodal inputs, function calling, structured output, embeddings, context caching, batch prediction, Live API, and model tuning.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/vertex-ai/generative-ai/docs/overview",
@@ -4604,7 +4746,7 @@
       "https://cloud.google.com/binary-authorization/docs/overview",
       "https://cloud.google.com/kubernetes-engine/docs/concepts/release-channels"
     ],
-    "security_notes": "Binary Authorization must be set to WARN mode before ENFORCE mode \u2014 enforce mode will break deployments if images are unsigned. Always prefer Workload Identity over mounted SA key files.",
+    "security_notes": "Binary Authorization must be set to WARN mode before ENFORCE mode — enforce mode will break deployments if images are unsigned. Always prefer Workload Identity over mounted SA key files.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-gke-platform-operator",
     "author": "github: Raishin",
@@ -4623,7 +4765,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Terraform and Deployment Manager changes targeting GCP \u2014 blast radius analysis, destroy-operation detection, cross-project impact, state file conflicts, org policy drift, and rollback plan completeness.",
+    "summary": "Review Terraform and Deployment Manager changes targeting GCP — blast radius analysis, destroy-operation detection, cross-project impact, state file conflicts, org policy drift, and rollback plan completeness.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/docs/terraform/best-practices-for-terraform",
@@ -4632,7 +4774,7 @@
       "https://cloud.google.com/iam/docs/org-policy-overview",
       "https://developer.hashicorp.com/terraform/cli/commands/plan"
     ],
-    "security_notes": "Terraform state files contain sensitive resource attributes \u2014 backend bucket must use CMEK and uniform bucket-level access. Org-level IAM and org policy changes via Terraform have org-wide blast radius \u2014 require dual approval and tested rollback. Force-unlocking state under an active apply causes corruption.",
+    "security_notes": "Terraform state files contain sensitive resource attributes — backend bucket must use CMEK and uniform bucket-level access. Org-level IAM and org policy changes via Terraform have org-wide blast radius — require dual approval and tested rollback. Force-unlocking state under an active apply causes corruption.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-iac-change-safety-review",
     "version": "0.1.0",
@@ -4687,7 +4829,7 @@
       "https://cloud.google.com/vpc/docs/shared-vpc",
       "https://cloud.google.com/logging/docs/audit/configure-data-access"
     ],
-    "security_notes": "Org policies applied at org node apply to ALL resources \u2014 test in non-prod folder first. Data Access audit logs must be enabled for sensitive services (KMS, IAM, BigQuery) \u2014 not enabled by default.",
+    "security_notes": "Org policies applied at org node apply to ALL resources — test in non-prod folder first. Data Access audit logs must be enabled for sensitive services (KMS, IAM, BigQuery) — not enabled by default.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-landing-zone-architect",
     "author": "github: Raishin",
@@ -4706,7 +4848,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate BigQuery dataset deletion, table truncation, and authorized view changes \u2014 irreversible data loss and downstream pipeline breakage.",
+    "summary": "Gate BigQuery dataset deletion, table truncation, and authorized view changes — irreversible data loss and downstream pipeline breakage.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/bigquery/docs/managing-tables",
@@ -4732,7 +4874,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate Cloud Run traffic percentage migrations, min-instances changes, and revision deletions \u2014 production traffic blast radius with no automatic rollback.",
+    "summary": "Gate Cloud Run traffic percentage migrations, min-instances changes, and revision deletions — production traffic blast radius with no automatic rollback.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/run/docs/rollouts-rollbacks-traffic-migration",
@@ -4758,7 +4900,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate Cloud Billing budget threshold changes, committed-use discount purchases, and quota increase requests \u2014 financial authority gate.",
+    "summary": "Gate Cloud Billing budget threshold changes, committed-use discount purchases, and quota increase requests — financial authority gate.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/billing/docs/how-to/budgets",
@@ -4811,7 +4953,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate IAM binding mutations, org policy changes, and Service Account key creation \u2014 org-wide blast radius, cannot be undone without a full audit trail.",
+    "summary": "Gate IAM binding mutations, org policy changes, and Service Account key creation — org-wide blast radius, cannot be undone without a full audit trail.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/iam/docs/manage-access-other-resources",
@@ -4837,7 +4979,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate Cloud KMS key version destruction and key ring deletion \u2014 CMEK-encrypted data becomes permanently and irrecoverably inaccessible once a key version is destroyed.",
+    "summary": "Gate Cloud KMS key version destruction and key ring deletion — CMEK-encrypted data becomes permanently and irrecoverably inaccessible once a key version is destroyed.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/kms/docs/destroy-restore",
@@ -4863,7 +5005,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Traffic engineering for GCP load balancers \u2014 Global HTTPS LB, Regional HTTPS LB, TCP/SSL Proxy LB, Network LB (passthrough), Internal TCP/UDP LB \u2014 type selection, health check configuration, Cloud Armor integration, and traffic distribution.",
+    "summary": "Traffic engineering for GCP load balancers — Global HTTPS LB, Regional HTTPS LB, TCP/SSL Proxy LB, Network LB (passthrough), Internal TCP/UDP LB — type selection, health check configuration, Cloud Armor integration, and traffic distribution.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/load-balancing/docs/load-balancing-overview",
@@ -4872,7 +5014,7 @@
       "https://cloud.google.com/load-balancing/docs/backend-service",
       "https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs"
     ],
-    "security_notes": "Global HTTPS LB with Cloud Armor is the only GCP-native L7 DDoS and WAF layer \u2014 bypassing it with Network LB or TCP Proxy eliminates WAF capability. Self-managed SSL certificates in GCP LB expose the private key during upload \u2014 use Google-managed certificates or Certificate Manager for all production workloads.",
+    "security_notes": "Global HTTPS LB with Cloud Armor is the only GCP-native L7 DDoS and WAF layer — bypassing it with Network LB or TCP Proxy eliminates WAF capability. Self-managed SSL certificates in GCP LB expose the private key during upload — use Google-managed certificates or Certificate Manager for all production workloads.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-load-balancer-traffic-engineer",
     "version": "0.1.0",
@@ -4891,7 +5033,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Route GCP tasks to the narrowest specialist or team of specialists from the 31-agent catalog. Classifies, dispatches, and synthesizes only \u2014 never answers GCP questions directly. Dispatches single agent for focused tasks, parallel team (max 4) for multi-domain tasks. Never auto-dispatches live-guard agents \u2014 requires explicit human confirmation with blast-radius and rollback before routing to any live infrastructure specialist.",
+    "summary": "Route GCP tasks to the narrowest specialist or team of specialists from the 31-agent catalog. Classifies, dispatches, and synthesizes only — never answers GCP questions directly. Dispatches single agent for focused tasks, parallel team (max 4) for multi-domain tasks. Never auto-dispatches live-guard agents — requires explicit human confirmation with blast-radius and rollback before routing to any live infrastructure specialist.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/docs/overview",
@@ -4953,7 +5095,7 @@
       "https://cloud.google.com/nat/docs/overview",
       "https://cloud.google.com/armor/docs/cloud-armor-overview"
     ],
-    "security_notes": "GCP VPCs are global \u2014 a single VPC spans all regions. Shared VPC IAM roles at subnet level control service project access. Never expose internal services through public IP without Cloud Armor or equivalent WAF protection.",
+    "security_notes": "GCP VPCs are global — a single VPC spans all regions. Shared VPC IAM roles at subnet level control service project access. Never expose internal services through public IP without Cloud Armor or equivalent WAF protection.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-network-architect",
     "author": "github: Raishin",
@@ -5027,7 +5169,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern GCP Artifact Registry \u2014 container image signing via Binary Authorization, vulnerability scanning via Container Analysis, repository IAM least privilege, artifact retention policies, and supply chain security posture.",
+    "summary": "Govern GCP Artifact Registry — container image signing via Binary Authorization, vulnerability scanning via Container Analysis, repository IAM least privilege, artifact retention policies, and supply chain security posture.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/artifact-registry/docs/overview",
@@ -5035,7 +5177,7 @@
       "https://cloud.google.com/container-analysis/docs/container-analysis",
       "https://cloud.google.com/artifact-registry/docs/repositories/cleanup-policy"
     ],
-    "security_notes": "Binary Authorization with 'Allow all images' is equivalent to no supply chain protection \u2014 enforce attested images from trusted build pipelines. Artifact Registry supports CMEK \u2014 enable for regulated workloads. Public repositories expose all tags and digests; use private repositories with Workload Identity Federation for CI/CD access.",
+    "security_notes": "Binary Authorization with 'Allow all images' is equivalent to no supply chain protection — enforce attested images from trusted build pipelines. Artifact Registry supports CMEK — enable for regulated workloads. Public repositories expose all tags and digests; use private repositories with Workload Identity Federation for CI/CD access.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-registry-artifact-governor",
     "version": "0.1.0",
@@ -5054,7 +5196,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review GCP workload HA and BCDR designs \u2014 multi-region architectures, Cloud SQL HA failover, Spanner global instances, GKE multi-cluster, RTO/RPO target analysis, and runbook completeness.",
+    "summary": "Review GCP workload HA and BCDR designs — multi-region architectures, Cloud SQL HA failover, Spanner global instances, GKE multi-cluster, RTO/RPO target analysis, and runbook completeness.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/architecture/disaster-recovery",
@@ -5062,7 +5204,7 @@
       "https://cloud.google.com/spanner/docs/instance-configurations",
       "https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-ingress"
     ],
-    "security_notes": "Cloud SQL HA is zone-redundant only \u2014 cross-region failover is manual (replica promotion). Cloud Run has no built-in multi-region failover. RTO/RPO targets without tested recovery evidence are aspirational. Require last recovery test date and result before marking BCDR as operational.",
+    "security_notes": "Cloud SQL HA is zone-redundant only — cross-region failover is manual (replica promotion). Cloud Run has no built-in multi-region failover. RTO/RPO targets without tested recovery evidence are aspirational. Require last recovery test date and result before marking BCDR as operational.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-resilience-bcdr-review",
     "author": "github: Raishin",
@@ -5088,7 +5230,7 @@
       "https://cloud.google.com/asset-inventory/docs/searching-resources",
       "https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes"
     ],
-    "security_notes": "Cloud Asset Inventory change history covers 35 days \u2014 explicitly state this limit for older investigations. Stale resources (unattached static IPs, disks, orphaned firewall rules) incur ongoing charges. Resources missing required labels cannot be attributed in billing exports.",
+    "security_notes": "Cloud Asset Inventory change history covers 35 days — explicitly state this limit for older investigations. Stale resources (unattached static IPs, disks, orphaned firewall rules) incur ongoing charges. Resources missing required labels cannot be attributed in billing exports.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-resource-inventory-analyst",
     "author": "github: Raishin",
@@ -5116,7 +5258,7 @@
       "https://cloud.google.com/kms/docs/key-rotation",
       "https://cloud.google.com/kms/docs/importing-a-key"
     ],
-    "security_notes": "Prefer read-only inspection. Do not delete key versions, disable keys, or modify CMEK bindings without explicit user approval and a confirmed rollback plan \u2014 key operations can cause irreversible data loss.",
+    "security_notes": "Prefer read-only inspection. Do not delete key versions, disable keys, or modify CMEK bindings without explicit user approval and a confirmed rollback plan — key operations can cause irreversible data loss.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-secret-kms-lifecycle-steward",
     "author": "github: Raishin",
@@ -5163,7 +5305,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Cloud Run and Cloud Functions gen2 for production readiness \u2014 min-instances cold start, memory and CPU allocation, VPC connector configuration, Secret Manager injection, CMEK encryption, concurrency limits, and traffic splitting safety.",
+    "summary": "Review Cloud Run and Cloud Functions gen2 for production readiness — min-instances cold start, memory and CPU allocation, VPC connector configuration, Secret Manager injection, CMEK encryption, concurrency limits, and traffic splitting safety.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/run/docs/configuring/min-instances",
@@ -5172,7 +5314,7 @@
       "https://cloud.google.com/run/docs/rollouts-rollbacks-traffic-migration",
       "https://cloud.google.com/functions/docs/concepts/version-comparison"
     ],
-    "security_notes": "Cloud Run service accounts must follow least privilege \u2014 avoid binding roles/editor or roles/owner. Secrets in environment variables appear in plaintext in Cloud Run revision metadata accessible to anyone with run.revisions.get \u2014 always use Secret Manager references. Cloud Run with --allow-unauthenticated is public to the internet \u2014 require authentication for all non-public endpoints.",
+    "security_notes": "Cloud Run service accounts must follow least privilege — avoid binding roles/editor or roles/owner. Secrets in environment variables appear in plaintext in Cloud Run revision metadata accessible to anyone with run.revisions.get — always use Secret Manager references. Cloud Run with --allow-unauthenticated is public to the internet — require authentication for all non-public endpoints.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-serverless-production-readiness",
     "version": "0.1.0",
@@ -5191,7 +5333,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Design GCP solutions aligned with the Google Cloud Architecture Framework \u2014 reliability, security, cost optimization, operational excellence, and performance efficiency \u2014 covering resource hierarchy design, product selection, and multi-service architecture patterns.",
+    "summary": "Design GCP solutions aligned with the Google Cloud Architecture Framework — reliability, security, cost optimization, operational excellence, and performance efficiency — covering resource hierarchy design, product selection, and multi-service architecture patterns.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/architecture/framework",
@@ -5225,7 +5367,7 @@
       "https://cloud.google.com/spanner/docs/instances",
       "https://cloud.google.com/spanner/docs/secondary-indexes"
     ],
-    "security_notes": "Monotonically increasing keys (e.g., auto-increment integers) cause all writes to hit the same split \u2014 use UUIDs or bit-reversed sequential IDs. Over-indexing in Spanner is expensive and slows writes \u2014 every indexed column is replicated.",
+    "security_notes": "Monotonically increasing keys (e.g., auto-increment integers) cause all writes to hit the same split — use UUIDs or bit-reversed sequential IDs. Over-indexing in Spanner is expensive and slows writes — every indexed column is replicated.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-spanner-architect",
     "author": "github: Raishin",
@@ -5244,7 +5386,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Coordinate GCP support incidents \u2014 case creation with correct severity, Premium/Enhanced Support SLA enforcement, TAM escalation path, status page monitoring, internal stakeholder communication, and post-incident evidence packaging.",
+    "summary": "Coordinate GCP support incidents — case creation with correct severity, Premium/Enhanced Support SLA enforcement, TAM escalation path, status page monitoring, internal stakeholder communication, and post-incident evidence packaging.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/support/docs/overview",
@@ -5252,7 +5394,7 @@
       "https://status.google.com/",
       "https://cloud.google.com/support/docs/managed-incident"
     ],
-    "security_notes": "GCP support case attachments are accessible to Google support engineers \u2014 never attach files containing customer PII, credentials, or unredacted production logs. Premium Support SLA is contractual \u2014 document SLA breach timestamps with case numbers for potential SLA credits.",
+    "security_notes": "GCP support case attachments are accessible to Google support engineers — never attach files containing customer PII, credentials, or unredacted production logs. Premium Support SLA is contractual — document SLA breach timestamps with case numbers for potential SLA credits.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-support-incident-coordinator",
     "version": "0.1.0",
@@ -5271,7 +5413,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Triage GCP operational alerts, incidents, and support tickets \u2014 P0/P1/P2/P3 classification, GCP Premium/Enhanced Support SLA enforcement, war room coordination, evidence collection from Cloud Monitoring and Cloud Logging, and safe escalation paths.",
+    "summary": "Triage GCP operational alerts, incidents, and support tickets — P0/P1/P2/P3 classification, GCP Premium/Enhanced Support SLA enforcement, war room coordination, evidence collection from Cloud Monitoring and Cloud Logging, and safe escalation paths.",
     "source_type": "original",
     "official_docs": [
       "https://cloud.google.com/support/docs/severity-definitions",
@@ -5279,7 +5421,7 @@
       "https://cloud.google.com/logging/docs/view/logs-explorer-interface",
       "https://status.google.com/"
     ],
-    "security_notes": "GCP support tickets may require sharing sanitized logs or configuration \u2014 scrub project IDs, IP addresses, and customer data before sharing with Google support. War room communication channels must be secure \u2014 use dedicated incident Slack/Meet channels, not public ones.",
+    "security_notes": "GCP support tickets may require sharing sanitized logs or configuration — scrub project IDs, IP addresses, and customer data before sharing with Google support. War room communication channels must be secure — use dedicated incident Slack/Meet channels, not public ones.",
     "last_verified": "2026-05-09",
     "path": "skills/gcp/gcp-ticket-triage-escalation-coordinator",
     "version": "0.1.0",
@@ -5306,7 +5448,7 @@
       "https://cloud.google.com/vertex-ai/docs/model-registry/introduction",
       "https://cloud.google.com/vertex-ai/docs/featurestore/overview"
     ],
-    "security_notes": "Training jobs have no automatic cost cap \u2014 always verify max_run_time is set. Feature Store writes are irreversible and can silently corrupt training data. Gemini via Vertex AI has different privacy commitments than via AI Studio.",
+    "security_notes": "Training jobs have no automatic cost cap — always verify max_run_time is set. Feature Store writes are irreversible and can silently corrupt training data. Gemini via Vertex AI has different privacy commitments than via AI Studio.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-vertex-ai-mlops-engineer",
     "author": "github: Raishin",
@@ -5334,7 +5476,7 @@
       "https://cloud.google.com/access-context-manager/docs/overview",
       "https://cloud.google.com/vpc-service-controls/docs/create-service-perimeters"
     ],
-    "security_notes": "Prefer dry-run mode before enforcement. Do not switch perimeters to enforcement mode without reviewing dry-run violations \u2014 live enforcement silently blocks API calls and can disrupt production workloads.",
+    "security_notes": "Prefer dry-run mode before enforcement. Do not switch perimeters to enforcement mode without reviewing dry-run violations — live enforcement silently blocks API calls and can disrupt production workloads.",
     "last_verified": "2026-05-08",
     "path": "skills/gcp/gcp-vpc-service-controls-architect",
     "author": "github: Raishin",
@@ -5419,6 +5561,36 @@
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "helm-chart-quality-review",
+    "name": "Helm Chart Quality Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review a Helm chart for quality, security, and testability defects — linting gaps, insecure securityContext, missing resource limits, absent health probes, RBAC over-permission, hardcoded secrets, and missing helm test coverage — statically, without installing or contacting a cluster.",
+    "source_type": "original",
+    "official_docs": [
+      "https://helm.sh/docs/chart_best_practices/",
+      "https://helm.sh/docs/helm/helm_lint/",
+      "https://helm.sh/docs/helm/helm_template/",
+      "https://helm.sh/docs/topics/chart_tests/",
+      "https://github.com/helm/chart-testing",
+      "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+      "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
+    ],
+    "security_notes": "Static review only — reads chart source files (Chart.yaml, values.yaml, templates/, tests/), never installs a chart, never connects to a Kubernetes cluster, never requests kubeconfig, cluster credentials, or cloud provider credentials. Do not accept values files containing live credentials, connection strings, or tenant IDs; ask for sanitized versions with placeholder values.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/helm-chart-quality-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
   {
     "id": "hetzner-capacity-planner",
     "name": "Hetzner Cloud Capacity Planner",
@@ -5439,7 +5611,7 @@
       "https://docs.hetzner.com/cloud/servers/overview/",
       "https://docs.hetzner.com/general/others/contacting-support/"
     ],
-    "security_notes": "Hetzner does not offer auto-scaling \u2014 verify current resource counts via API before growth planning to avoid quota exhaustion surprises. Storage Box Snapshot Plans require both hour and minute parameters; incomplete schedules may silently fail. Do not expose project API tokens in capacity reports.",
+    "security_notes": "Hetzner does not offer auto-scaling — verify current resource counts via API before growth planning to avoid quota exhaustion surprises. Storage Box Snapshot Plans require both hour and minute parameters; incomplete schedules may silently fail. Do not expose project API tokens in capacity reports.",
     "last_verified": "2026-05-10",
     "path": "skills/hetzner/hetzner-capacity-planner",
     "author": "github: Raishin",
@@ -5465,7 +5637,7 @@
       "https://www.hetzner.com/cloud/pricing/",
       "https://docs.hetzner.com/"
     ],
-    "security_notes": "Never recommend deleting Volumes or snapshots that serve as the only recovery path. Unattached Primary IPs and Floating IPs incur cost \u2014 verify attachment state before recommending deletion. Do not expose project API tokens in cost analysis output.",
+    "security_notes": "Never recommend deleting Volumes or snapshots that serve as the only recovery path. Unattached Primary IPs and Floating IPs incur cost — verify attachment state before recommending deletion. Do not expose project API tokens in cost analysis output.",
     "last_verified": "2026-05-10",
     "path": "skills/hetzner/hetzner-cost-optimization-analyst",
     "author": "github: Raishin",
@@ -5491,7 +5663,7 @@
       "https://docs.hetzner.com/cloud/firewalls/overview/",
       "https://docs.hetzner.com/cloud/networks/overview/"
     ],
-    "security_notes": "Public IPs on Hetzner are opt-in since API v1.34 \u2014 flag servers with unnecessary public IPs. An unattached Hetzner Firewall provides zero protection \u2014 always verify attachment to servers or Label groups. Load Balancer health checks must be validated before traffic routing changes.",
+    "security_notes": "Public IPs on Hetzner are opt-in since API v1.34 — flag servers with unnecessary public IPs. An unattached Hetzner Firewall provides zero protection — always verify attachment to servers or Label groups. Load Balancer health checks must be validated before traffic routing changes.",
     "last_verified": "2026-05-10",
     "path": "skills/hetzner/hetzner-infrastructure-reviewer",
     "author": "github: Raishin",
@@ -5517,7 +5689,7 @@
       "https://docs.hetzner.com/cloud/firewalls/overview/",
       "https://docs.hetzner.com/cloud/firewalls/faq/"
     ],
-    "security_notes": "Must snapshot current Firewall rules before any mutation \u2014 Hetzner Firewall changes are immediate and affect all attached servers. Verify project-scoped API token before write operations. An unattached Firewall provides zero protection. Never proceed without explicit human approval confirming target Firewall ID, blast-radius, and rollback plan.",
+    "security_notes": "Must snapshot current Firewall rules before any mutation — Hetzner Firewall changes are immediate and affect all attached servers. Verify project-scoped API token before write operations. An unattached Firewall provides zero protection. Never proceed without explicit human approval confirming target Firewall ID, blast-radius, and rollback plan.",
     "last_verified": "2026-05-10",
     "path": "skills/hetzner/hetzner-live-firewall-rule-guard",
     "author": "github: Raishin",
@@ -5543,7 +5715,7 @@
       "https://docs.hetzner.com/cloud/servers/overview/",
       "https://docs.hetzner.com/cloud/servers/server-types/"
     ],
-    "security_notes": "Server deletion on Hetzner is irreversible \u2014 always require a confirmed snapshot before deletion. Public IPs (IPv4/IPv6) are opt-in since API v1.34 and must be explicitly requested. Server type changes require server stop \u2014 confirm downtime window. Always verify API token is project-scoped. Never proceed without server ID, region, explicit human approval, and rollback plan.",
+    "security_notes": "Server deletion on Hetzner is irreversible — always require a confirmed snapshot before deletion. Public IPs (IPv4/IPv6) are opt-in since API v1.34 and must be explicitly requested. Server type changes require server stop — confirm downtime window. Always verify API token is project-scoped. Never proceed without server ID, region, explicit human approval, and rollback plan.",
     "last_verified": "2026-05-10",
     "path": "skills/hetzner/hetzner-live-server-lifecycle-guard",
     "author": "github: Raishin",
@@ -5562,18 +5734,47 @@
       "kiro",
       "other"
     ],
-    "summary": "Route and classify Hetzner Cloud tasks to the narrowest qualified specialist \u2014 cost optimization, infrastructure review, capacity planning, firewall guard, or server lifecycle guard.",
+    "summary": "Route and classify Hetzner Cloud tasks to the narrowest qualified specialist — cost optimization, infrastructure review, capacity planning, firewall guard, or server lifecycle guard.",
     "source_type": "original",
     "official_docs": [
       "https://docs.hetzner.cloud/",
       "https://docs.hetzner.com/"
     ],
-    "security_notes": "Never attempt live Hetzner Cloud API mutations from the routing layer. Always verify API tokens are project-scoped before routing involving live data. Public IPs are opt-in since API v1.34 \u2014 do not assume servers have public IPs.",
+    "security_notes": "Never attempt live Hetzner Cloud API mutations from the routing layer. Always verify API tokens are project-scoped before routing involving live data. Public IPs are opt-in since API v1.34 — do not assume servers have public IPs.",
     "last_verified": "2026-05-10",
     "path": "skills/hetzner/hetzner-maestro",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "hr-risk-triage-review",
+    "name": "HR Risk Triage Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Adversarial HR and employment-risk triage discipline for terminations, discipline, accommodations, wage/hour, discrimination, harassment, retaliation, layoffs, and HR policy exceptions — surfaces risks, evidence gaps, and escalation paths for employment counsel. Does not give legal or HR advice.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.eeoc.gov/laws-guidance",
+      "https://www.dol.gov/agencies/whd/flsa",
+      "https://www.acas.org.uk/advice",
+      "https://www.gov.uk/browse/working",
+      "https://www.mom.gov.sg/employment-practices",
+      "https://www.fairwork.gov.au/"
+    ],
+    "security_notes": "Static review only — works from sanitized excerpts; never requests employee medical records, personal data, or protected-characteristic data beyond what the question requires. Does not issue binding employment-law conclusions; refuses pretextual or retaliatory documentation and recommends escalation to employment counsel.",
+    "last_verified": "2026-05-18",
+    "path": "skills/hr/hr-risk-triage-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "huawei-cce-container-platform-operator",
     "name": "Huawei CCE Container Platform Operator",
@@ -5595,7 +5796,7 @@
       "https://support.huaweicloud.com/intl/en-us/asm/index.html",
       "https://support.huaweicloud.com/intl/en-us/ief/index.html"
     ],
-    "security_notes": "CCE cluster version downgrade not supported. Node pool scale-down evicts workloads \u2014 verify PDBs. SWR image tag mutations are permanent. ASM policy changes affect all services in the mesh simultaneously.",
+    "security_notes": "CCE cluster version downgrade not supported. Node pool scale-down evicts workloads — verify PDBs. SWR image tag mutations are permanent. ASM policy changes affect all services in the mesh simultaneously.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-cce-container-platform-operator",
     "author": "github: Raishin",
@@ -5615,14 +5816,14 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Huawei Cloud SSL certificate management \u2014 SCM certificate lifecycle, ELB SSL certificate binding, DEW-managed certificate storage, renewal automation, wildcard vs SAN cert selection, certificate expiry alerting via CES, and HTTPS enforcement on ELB listeners.",
+    "summary": "Review Huawei Cloud SSL certificate management — SCM certificate lifecycle, ELB SSL certificate binding, DEW-managed certificate storage, renewal automation, wildcard vs SAN cert selection, certificate expiry alerting via CES, and HTTPS enforcement on ELB listeners.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/scm/index.html",
       "https://support.huaweicloud.com/intl/en-us/elb/index.html",
       "https://support.huaweicloud.com/intl/en-us/dew/index.html"
     ],
-    "security_notes": "Certificate private keys stored in DEW must have IAM access policies that restrict access to authorized identities only \u2014 overly permissive DEW key policies expose private key material. SCM certificates are region-scoped \u2014 verify the certificate is present in all regions where ELB listeners consume it to prevent cross-region binding failures.",
+    "security_notes": "Certificate private keys stored in DEW must have IAM access policies that restrict access to authorized identities only — overly permissive DEW key policies expose private key material. SCM certificates are region-scoped — verify the certificate is present in all regions where ELB listeners consume it to prevent cross-region binding failures.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-certificate-manager-issuer-review",
     "version": "0.1.0",
@@ -5641,7 +5842,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Pre-change blast radius analysis for Huawei Cloud \u2014 Organizations SCP cascade scope, IAM agency dependency chain, VPC route table and VPC Peering impact, GaussDB instance class change disruption, CCE node pool resize safety, and Enterprise Project boundary clarity.",
+    "summary": "Pre-change blast radius analysis for Huawei Cloud — Organizations SCP cascade scope, IAM agency dependency chain, VPC route table and VPC Peering impact, GaussDB instance class change disruption, CCE node pool resize safety, and Enterprise Project boundary clarity.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/organizations/index.html",
@@ -5650,7 +5851,7 @@
       "https://support.huaweicloud.com/intl/en-us/gaussdb_mysql/index.html",
       "https://support.huaweicloud.com/intl/en-us/cce/index.html"
     ],
-    "security_notes": "Huawei Cloud Organizations SCP deny rules have org-level blast radius \u2014 a misconfigured SCP can lock out all member accounts from critical services; test SCP changes in a sandbox member account first. IAM agency deletion is immediate and irreversible \u2014 all services using the agency lose permissions instantly.",
+    "security_notes": "Huawei Cloud Organizations SCP deny rules have org-level blast radius — a misconfigured SCP can lock out all member accounts from critical services; test SCP changes in a sandbox member account first. IAM agency deletion is immediate and irreversible — all services using the agency lose permissions instantly.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-change-impact-advisor",
     "version": "0.1.0",
@@ -5675,7 +5876,7 @@
       "https://support.huaweicloud.com/intl/en-us/codearts/index.html",
       "https://support.huaweicloud.com/intl/en-us/swr/index.html"
     ],
-    "security_notes": "Do not deploy to production without staging verification. CodeArts pipeline deletion removes audit history permanently. SWR image deletion removes all layers \u2014 verify no production dependency before deleting.",
+    "security_notes": "Do not deploy to production without staging verification. CodeArts pipeline deletion removes audit history permanently. SWR image deletion removes all layers — verify no production dependency before deleting.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-codearts-devops-operator",
     "author": "github: Raishin",
@@ -5701,7 +5902,7 @@
       "https://support.huaweicloud.com/intl/en-us/iam/index.html",
       "https://support.huaweicloud.com/intl/en-us/lts/index.html"
     ],
-    "security_notes": "MLPS Level 3 gap is regulatory risk. Cross-border data movement must be assessed before architecture approval. Flag any MLPS Level 3 workload modification that reduces security controls \u2014 mandatory incident reporting may apply.",
+    "security_notes": "MLPS Level 3 gap is regulatory risk. Cross-border data movement must be assessed before architecture approval. Flag any MLPS Level 3 workload modification that reduces security controls — mandatory incident reporting may apply.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-compliance-sovereignty",
     "author": "github: Raishin",
@@ -5721,14 +5922,14 @@
       "kiro",
       "other"
     ],
-    "summary": "Coordinate Huawei Cloud cost anomaly detection \u2014 CBC Cost Center delta analysis (>15% day-over-day threshold), budget alert configuration via Budget Management, ECS/GaussDB Yearly/Monthly vs On-Demand mode cost anomalies, OBS request cost spikes, unattached EVS volume waste, DWS idle cluster detection, and reserved instance coverage gaps.",
+    "summary": "Coordinate Huawei Cloud cost anomaly detection — CBC Cost Center delta analysis (>15% day-over-day threshold), budget alert configuration via Budget Management, ECS/GaussDB Yearly/Monthly vs On-Demand mode cost anomalies, OBS request cost spikes, unattached EVS volume waste, DWS idle cluster detection, and reserved instance coverage gaps.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/billing/index.html",
       "https://support.huaweicloud.com/intl/en-us/costcenter/index.html",
       "https://support.huaweicloud.com/intl/en-us/ces/index.html"
     ],
-    "security_notes": "CBC Cost Center exports contain billing data \u2014 restrict export access to authorized IAM identities using least-privilege policies. Budget alert actions may trigger FunctionGraph functions \u2014 verify the function IAM execution role has only the permissions needed to respond to the alert action.",
+    "security_notes": "CBC Cost Center exports contain billing data — restrict export access to authorized IAM identities using least-privilege policies. Budget alert actions may trigger FunctionGraph functions — verify the function IAM execution role has only the permissions needed to respond to the alert action.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-cost-anomaly-watch-coordinator",
     "version": "0.1.0",
@@ -5753,7 +5954,7 @@
       "https://support.huaweicloud.com/intl/en-us/usermanual-billing/index.html",
       "https://support.huaweicloud.com/intl/en-us/eps/index.html"
     ],
-    "security_notes": "RI/CUD purchases are committed spend \u2014 verify coverage analysis before purchase. Budget threshold reduction below current spend may suspend services. Enterprise project cost transfer requires approval.",
+    "security_notes": "RI/CUD purchases are committed spend — verify coverage analysis before purchase. Budget threshold reduction below current spend may suspend services. Enterprise project cost transfer requires approval.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-cost-finops-analyst",
     "author": "github: Raishin",
@@ -5772,7 +5973,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Coordinate the daily Huawei Cloud operations standup \u2014 CBC cost delta by Enterprise Project, AOM anomaly alert review, CCE pod failure triage, CES quota utilization warnings, LTS log error spike detection, SecMaster security finding triage, and action item assignment.",
+    "summary": "Coordinate the daily Huawei Cloud operations standup — CBC cost delta by Enterprise Project, AOM anomaly alert review, CCE pod failure triage, CES quota utilization warnings, LTS log error spike detection, SecMaster security finding triage, and action item assignment.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/cbc/index.html",
@@ -5782,7 +5983,7 @@
       "https://support.huaweicloud.com/intl/en-us/secmaster/index.html",
       "https://support.huaweicloud.com/intl/en-us/lts/index.html"
     ],
-    "security_notes": "Huawei Cloud SecMaster finding details may contain vulnerability exploit paths \u2014 restrict SecMaster report distribution to security team members only in daily briefings. CBC Enterprise Project cost data reveals workload architecture details \u2014 distribute cost briefing only to authorized engineering and finance leads.",
+    "security_notes": "Huawei Cloud SecMaster finding details may contain vulnerability exploit paths — restrict SecMaster report distribution to security team members only in daily briefings. CBC Enterprise Project cost data reveals workload architecture details — distribute cost briefing only to authorized engineering and finance leads.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-daily-operations-briefing-coordinator",
     "version": "0.1.0",
@@ -5831,7 +6032,7 @@
       "https://support.huaweicloud.com/intl/en-us/drs/index.html",
       "https://support.huaweicloud.com/intl/en-us/dms/index.html"
     ],
-    "security_notes": "DRS task deletion during sync stops replication permanently. CDM job retry without deduplication may cause duplicates. DMS Kafka partition count can only increase \u2014 plan final partition count upfront.",
+    "security_notes": "DRS task deletion during sync stops replication permanently. CDM job retry without deduplication may cause duplicates. DMS Kafka partition count can only increase — plan final partition count upfront.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-drs-data-replication-operator",
     "author": "github: Raishin",
@@ -5882,7 +6083,7 @@
       "https://support.huaweicloud.com/intl/en-us/ecs/index.html",
       "https://support.huaweicloud.com/intl/en-us/ims/index.html"
     ],
-    "security_notes": "ECS deletion without CSBS backup is permanently destructive. AS scale-in terminates instances \u2014 verify stateless before enabling. DeH migration to shared host requires explicit approval and compliance review.",
+    "security_notes": "ECS deletion without CSBS backup is permanently destructive. AS scale-in terminates instances — verify stateless before enabling. DeH migration to shared host requires explicit approval and compliance review.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-ecs-compute-operator",
     "author": "github: Raishin",
@@ -5902,7 +6103,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Huawei Cloud event-driven architecture designs \u2014 DMS Kafka dead-letter configuration, ROMA Connect integration flow capacity, FunctionGraph event trigger idempotency, SMN delivery retry policy, consumer group lag monitoring, cross-region event replication, and retry storm prevention.",
+    "summary": "Review Huawei Cloud event-driven architecture designs — DMS Kafka dead-letter configuration, ROMA Connect integration flow capacity, FunctionGraph event trigger idempotency, SMN delivery retry policy, consumer group lag monitoring, cross-region event replication, and retry storm prevention.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/dms/index.html",
@@ -5910,7 +6111,7 @@
       "https://support.huaweicloud.com/intl/en-us/fg/index.html",
       "https://support.huaweicloud.com/intl/en-us/smn/index.html"
     ],
-    "security_notes": "DMS Kafka instances without SSL/TLS encryption transmit messages in plaintext \u2014 enable SSL for all production Kafka instances. ROMA Connect integration flows may process sensitive data \u2014 verify ROMA instance security group rules restrict access to authorized callers only.",
+    "security_notes": "DMS Kafka instances without SSL/TLS encryption transmit messages in plaintext — enable SSL for all production Kafka instances. ROMA Connect integration flows may process sensitive data — verify ROMA instance security group rules restrict access to authorized callers only.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-event-driven-architecture-review",
     "version": "0.1.0",
@@ -5961,7 +6162,7 @@
       "https://support.huaweicloud.com/intl/en-us/rds/index.html",
       "https://support.huaweicloud.com/intl/en-us/dds/index.html"
     ],
-    "security_notes": "Database deletion without CBR backup is permanently destructive. GaussDB for Oracle PL/SQL gaps can break migration \u2014 test all procedures before cutover. Failover testing must be coordinated with application teams.",
+    "security_notes": "Database deletion without CBR backup is permanently destructive. GaussDB for Oracle PL/SQL gaps can break migration — test all procedures before cutover. Failover testing must be coordinated with application teams.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-gaussdb-rds-dba",
     "author": "github: Raishin",
@@ -5980,7 +6181,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Terraform and RFS (Resource Formation Service) changes targeting Huawei Cloud \u2014 blast radius analysis, resource deletion detection, Organizations SCP cascade scope, cross-stack dependency impact, state file security, and rollback plan completeness.",
+    "summary": "Review Terraform and RFS (Resource Formation Service) changes targeting Huawei Cloud — blast radius analysis, resource deletion detection, Organizations SCP cascade scope, cross-stack dependency impact, state file security, and rollback plan completeness.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/rfs/index.html",
@@ -5988,7 +6189,7 @@
       "https://support.huaweicloud.com/intl/en-us/organizations/index.html",
       "https://support.huaweicloud.com/intl/en-us/obs/index.html"
     ],
-    "security_notes": "Huawei Cloud Terraform provider state files contain resource attribute details \u2014 OBS backend bucket must deny public access and use SSE-KMS CMEK. RFS stacks without termination protection can be deleted with a single API call \u2014 always enable termination protection on production stacks.",
+    "security_notes": "Huawei Cloud Terraform provider state files contain resource attribute details — OBS backend bucket must deny public access and use SSE-KMS CMEK. RFS stacks without termination protection can be deleted with a single API call — always enable termination protection on production stacks.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-iac-change-safety-review",
     "version": "0.1.0",
@@ -6062,7 +6263,7 @@
       "https://support.huaweicloud.com/intl/en-us/eps/index.html",
       "https://support.huaweicloud.com/intl/en-us/organizations/index.html"
     ],
-    "security_notes": "SCP deny at org level cannot be overridden by member account IAM. Test SCP in simulation before enforcement. Enterprise project deletion removes all resource associations \u2014 enumerate first.",
+    "security_notes": "SCP deny at org level cannot be overridden by member account IAM. Test SCP in simulation before enforcement. Enterprise project deletion removes all resource associations — enumerate first.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-landing-zone-architect",
     "author": "github: Raishin",
@@ -6106,7 +6307,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Gate Huawei Cloud CBC budget threshold changes, Reserved Instance purchases, and CUD commitments \u2014 RI/CUD are non-refundable and budget threshold reduction can trigger service suspension.",
+    "summary": "Gate Huawei Cloud CBC budget threshold changes, Reserved Instance purchases, and CUD commitments — RI/CUD are non-refundable and budget threshold reduction can trigger service suspension.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/usermanual-billing/index.html"
@@ -6130,7 +6331,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Gate GaussDB/RDS instance deletion, spec downgrade, and backup policy removal \u2014 database deletion is permanently destructive and MLPS Level 3 data destruction triggers mandatory incident reporting.",
+    "summary": "Gate GaussDB/RDS instance deletion, spec downgrade, and backup policy removal — database deletion is permanently destructive and MLPS Level 3 data destruction triggers mandatory incident reporting.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/gaussdb_mysql/index.html",
@@ -6155,7 +6356,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Gate IAM fine-grained policy and SCP mutations \u2014 account-wide blast radius, privilege escalation, and potential full access denial.",
+    "summary": "Gate IAM fine-grained policy and SCP mutations — account-wide blast radius, privilege escalation, and potential full access denial.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/iam/index.html",
@@ -6180,7 +6381,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Gate DEW/KMS key deletion and disable operations \u2014 all CSMS secrets and DBSS-encrypted database data become permanently unrecoverable once the key deletion window passes.",
+    "summary": "Gate DEW/KMS key deletion and disable operations — all CSMS secrets and DBSS-encrypted database data become permanently unrecoverable once the key deletion window passes.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/dew/index.html"
@@ -6204,7 +6405,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Gate OBS bucket ACL and policy mutations \u2014 public-read/write ACL exposes data immediately and CN-* cross-border replication may violate MLPS 2.0/CSL data localization requirements.",
+    "summary": "Gate OBS bucket ACL and policy mutations — public-read/write ACL exposes data immediately and CN-* cross-border replication may violate MLPS 2.0/CSL data localization requirements.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/obs/index.html"
@@ -6229,13 +6430,13 @@
       "kiro",
       "other"
     ],
-    "summary": "Engineer and review Huawei Cloud ELB traffic configurations \u2014 dedicated vs shared ELB type selection, HTTP/HTTPS/TCP/UDP protocol listener setup, health check configuration, WAF integration on ELB, backend server group routing, connection draining, and TLS policy enforcement on Dedicated ELB.",
+    "summary": "Engineer and review Huawei Cloud ELB traffic configurations — dedicated vs shared ELB type selection, HTTP/HTTPS/TCP/UDP protocol listener setup, health check configuration, WAF integration on ELB, backend server group routing, connection draining, and TLS policy enforcement on Dedicated ELB.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/elb/index.html",
       "https://support.huaweicloud.com/intl/en-us/waf/index.html"
     ],
-    "security_notes": "ELB HTTPS listeners should enforce TLS-1-2 or TLS-1-2-Strict policy to disable TLSv1.0 and TLSv1.1 \u2014 weaker TLS policies expose traffic to known downgrade attacks. WAF integration on ELB adds a security inspection hop; verify WAF security policy is tuned for the application before enabling block mode to avoid service disruption from false positives.",
+    "security_notes": "ELB HTTPS listeners should enforce TLS-1-2 or TLS-1-2-Strict policy to disable TLSv1.0 and TLSv1.1 — weaker TLS policies expose traffic to known downgrade attacks. WAF integration on ELB adds a security inspection hop; verify WAF security policy is tuned for the application before enabling block mode to avoid service disruption from false positives.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-load-balancer-traffic-engineer",
     "version": "0.1.0",
@@ -6254,7 +6455,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Route Huawei Cloud tasks to the narrowest specialist or team of specialists from the 27-agent catalog. MLPS 2.0 and sovereignty-aware \u2014 flags MLPS Level 3 control gaps and data residency obligations for China workloads. Understands Huawei's enterprise-project model and SCP-based org governance. Never auto-dispatches live-guard agents.",
+    "summary": "Route Huawei Cloud tasks to the narrowest specialist or team of specialists from the 27-agent catalog. MLPS 2.0 and sovereignty-aware — flags MLPS Level 3 control gaps and data residency obligations for China workloads. Understands Huawei's enterprise-project model and SCP-based org governance. Never auto-dispatches live-guard agents.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/iam/index.html",
@@ -6262,7 +6463,7 @@
       "https://support.huaweicloud.com/intl/en-us/ecs/index.html",
       "https://support.huaweicloud.com/intl/en-us/secmaster/index.html"
     ],
-    "security_notes": "Maestro must never auto-dispatch live-guard agents. SCP deny statements and DEW key deletion are irreversible with org-wide or permanent data-loss blast radius. MLPS 2.0 Level 3 workloads have mandatory incident reporting obligations \u2014 flag data destruction and security breaches immediately.",
+    "security_notes": "Maestro must never auto-dispatch live-guard agents. SCP deny statements and DEW key deletion are irreversible with org-wide or permanent data-loss blast radius. MLPS 2.0 Level 3 workloads have mandatory incident reporting obligations — flag data destruction and security breaches immediately.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-maestro",
     "author": "github: Raishin",
@@ -6288,7 +6489,7 @@
       "https://support.huaweicloud.com/intl/en-us/sms/index.html",
       "https://support.huaweicloud.com/intl/en-us/drs/index.html"
     ],
-    "security_notes": "DRS replication user needs REPLICATION privilege on source \u2014 least privilege on source system. Never cut over without verifying DRS lag and backup integrity. SMS agent requires network path from source to Huawei Cloud.",
+    "security_notes": "DRS replication user needs REPLICATION privilege on source — least privilege on source system. Never cut over without verifying DRS lag and backup integrity. SMS agent requires network path from source to Huawei Cloud.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-migration-architect",
     "author": "github: Raishin",
@@ -6312,7 +6513,7 @@
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/modelarts/index.html"
     ],
-    "security_notes": "ModelArts training jobs have no automatic cost cap \u2014 always set resource quotas before large GPU/NPU training runs. Ascend NPU OOM patterns differ from Nvidia CUDA OOM. Pangu model deployment endpoint has no default rate limiting.",
+    "security_notes": "ModelArts training jobs have no automatic cost cap — always set resource quotas before large GPU/NPU training runs. Ascend NPU OOM patterns differ from Nvidia CUDA OOM. Pangu model deployment endpoint has no default rate limiting.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-modelarts-mlops-engineer",
     "author": "github: Raishin",
@@ -6331,7 +6532,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Design Huawei Cloud network architecture \u2014 VPC, ELB type selection (dedicated/shared), VPN and DC Gateway (Direct Connect), Cloud Connect for inter-VPC, CFW (Cloud Firewall), Anti-DDoS, DNS.",
+    "summary": "Design Huawei Cloud network architecture — VPC, ELB type selection (dedicated/shared), VPN and DC Gateway (Direct Connect), Cloud Connect for inter-VPC, CFW (Cloud Firewall), Anti-DDoS, DNS.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/vpc/index.html",
@@ -6358,14 +6559,14 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern Huawei Cloud OBS (Object Storage Service) data perimeters \u2014 bucket policy and ACL public exposure, Block Public Access configuration, VPC endpoint binding for private access, WORM (Object Lock), cross-region replication compliance, and MLPS 2.0 data residency enforcement.",
+    "summary": "Govern Huawei Cloud OBS (Object Storage Service) data perimeters — bucket policy and ACL public exposure, Block Public Access configuration, VPC endpoint binding for private access, WORM (Object Lock), cross-region replication compliance, and MLPS 2.0 data residency enforcement.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/obs/index.html",
       "https://support.huaweicloud.com/intl/en-us/vpcep/index.html",
       "https://support.huaweicloud.com/intl/en-us/obs/obs_03_0086.html"
     ],
-    "security_notes": "Huawei Cloud OBS presigned URLs can expose objects publicly for the URL validity period \u2014 audit presigned URL generation in application code and set maximum validity to the shortest acceptable window. OBS cross-region replication of MLPS 2.0 Level 3 classified data to international regions violates Chinese data sovereignty regulations and carries regulatory penalty risk.",
+    "security_notes": "Huawei Cloud OBS presigned URLs can expose objects publicly for the URL validity period — audit presigned URL generation in application code and set maximum validity to the shortest acceptable window. OBS cross-region replication of MLPS 2.0 Level 3 classified data to international regions violates Chinese data sovereignty regulations and carries regulatory penalty risk.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-obs-data-perimeter-governor",
     "version": "0.1.0",
@@ -6436,14 +6637,14 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern Huawei Cloud SWR (Software Repository for Container) \u2014 image retention policy, vulnerability scanning via VSS (Vulnerability Scan Service) integration, namespace permission least privilege, cross-region image replication, and supply chain security posture.",
+    "summary": "Govern Huawei Cloud SWR (Software Repository for Container) — image retention policy, vulnerability scanning via VSS (Vulnerability Scan Service) integration, namespace permission least privilege, cross-region image replication, and supply chain security posture.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/swr/index.html",
       "https://support.huaweicloud.com/intl/en-us/vss/index.html",
       "https://support.huaweicloud.com/intl/en-us/cce/index.html"
     ],
-    "security_notes": "Public SWR namespaces expose images to Huawei Cloud's global network \u2014 an attacker can enumerate public namespaces and pull all images without authentication. SWR image signing is not natively supported \u2014 use third-party image signing (Notary v2/cosign) for supply chain attestation on sensitive production images.",
+    "security_notes": "Public SWR namespaces expose images to Huawei Cloud's global network — an attacker can enumerate public namespaces and pull all images without authentication. SWR image signing is not natively supported — use third-party image signing (Notary v2/cosign) for supply chain attestation on sensitive production images.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-registry-artifact-governor",
     "version": "0.1.0",
@@ -6462,7 +6663,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Huawei Cloud workload HA and BCDR designs \u2014 GaussDB High Availability (HA) instance failover, CBR (Cloud Backup and Recovery) cross-region vault, CCE multi-AZ deployment, DRS (Data Replication Service) for DR, RTO/RPO target analysis, and runbook completeness.",
+    "summary": "Review Huawei Cloud workload HA and BCDR designs — GaussDB High Availability (HA) instance failover, CBR (Cloud Backup and Recovery) cross-region vault, CCE multi-AZ deployment, DRS (Data Replication Service) for DR, RTO/RPO target analysis, and runbook completeness.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/gaussdb_mysql/index.html",
@@ -6471,7 +6672,7 @@
       "https://support.huaweicloud.com/intl/en-us/drs/index.html",
       "https://support.huaweicloud.com/intl/en-us/elb/index.html"
     ],
-    "security_notes": "Huawei Cloud CBR vaults use default encryption \u2014 enable KMS CMEK for vaults containing sensitive production data. GaussDB cross-region read replicas involve data leaving the source region \u2014 verify this is compliant with MLPS 2.0 Level 3 data residency requirements before enabling.",
+    "security_notes": "Huawei Cloud CBR vaults use default encryption — enable KMS CMEK for vaults containing sensitive production data. GaussDB cross-region read replicas involve data leaving the source region — verify this is compliant with MLPS 2.0 Level 3 data residency requirements before enabling.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-resilience-bcdr-review",
     "version": "0.1.0",
@@ -6497,7 +6698,7 @@
       "https://support.huaweicloud.com/intl/en-us/hss/index.html",
       "https://support.huaweicloud.com/intl/en-us/cfw/index.html"
     ],
-    "security_notes": "CFW rule changes affect all instances in scope simultaneously. HSS agent uninstall removes MLPS-required host detection visibility \u2014 flag immediately. SecMaster SOAR playbook dry-run required before live execution. WAF bypass via IP whitelist requires documented business justification.",
+    "security_notes": "CFW rule changes affect all instances in scope simultaneously. HSS agent uninstall removes MLPS-required host detection visibility — flag immediately. SecMaster SOAR playbook dry-run required before live execution. WAF bypass via IP whitelist requires documented business justification.",
     "last_verified": "2026-05-08",
     "path": "skills/huawei/huawei-secmaster-security-operations",
     "author": "github: Raishin",
@@ -6517,14 +6718,14 @@
       "kiro",
       "other"
     ],
-    "summary": "Review FunctionGraph production readiness on Huawei Cloud \u2014 VPC access configuration, concurrency limits and reserved instances, cold-start optimization, observability via LTS and AOM, timeout configuration, dependency package size, custom vs managed runtimes, and ServiceStage application lifecycle.",
+    "summary": "Review FunctionGraph production readiness on Huawei Cloud — VPC access configuration, concurrency limits and reserved instances, cold-start optimization, observability via LTS and AOM, timeout configuration, dependency package size, custom vs managed runtimes, and ServiceStage application lifecycle.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/fg/index.html",
       "https://support.huaweicloud.com/intl/en-us/servicestage/index.html",
       "https://support.huaweicloud.com/intl/en-us/aom/index.html"
     ],
-    "security_notes": "FunctionGraph function environment variables may contain secrets \u2014 use DEW (Data Encryption Workshop) or Secret Manager references instead of plaintext values in environment variables. Custom runtimes require the function author to maintain runtime security patch lifecycle \u2014 document a patching cadence if custom runtimes are used in production.",
+    "security_notes": "FunctionGraph function environment variables may contain secrets — use DEW (Data Encryption Workshop) or Secret Manager references instead of plaintext values in environment variables. Custom runtimes require the function author to maintain runtime security patch lifecycle — document a patching cadence if custom runtimes are used in production.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-serverless-production-readiness",
     "version": "0.1.0",
@@ -6543,7 +6744,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Design Huawei Cloud solutions \u2014 product selection, enterprise-project model design, region selection for MLPS/sovereignty requirements, architecture patterns, multi-zone and multi-region HA.",
+    "summary": "Design Huawei Cloud solutions — product selection, enterprise-project model design, region selection for MLPS/sovereignty requirements, architecture patterns, multi-zone and multi-region HA.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/ecs/index.html",
@@ -6569,14 +6770,14 @@
       "kiro",
       "other"
     ],
-    "summary": "Coordinate Huawei Cloud support incidents \u2014 case creation with correct severity (\u7d27\u6025/\u9ad8/\u4e2d/\u4f4e), Premium Support SLA enforcement, Account Manager and TAM escalation path, status page monitoring, internal stakeholder communication, and post-incident evidence packaging.",
+    "summary": "Coordinate Huawei Cloud support incidents — case creation with correct severity (紧急/高/中/低), Premium Support SLA enforcement, Account Manager and TAM escalation path, status page monitoring, internal stakeholder communication, and post-incident evidence packaging.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/",
       "https://status.huaweicloud.com/",
       "https://support.huaweicloud.com/intl/en-us/usermanual-ticket/topic_0065264094.html"
     ],
-    "security_notes": "Huawei Cloud support case attachments are stored on Huawei Cloud infrastructure \u2014 never attach files with customer financial data, health records, or unredacted credentials. Premium Support SLA breach timestamps must be logged with case numbers for contractual credit claims.",
+    "security_notes": "Huawei Cloud support case attachments are stored on Huawei Cloud infrastructure — never attach files with customer financial data, health records, or unredacted credentials. Premium Support SLA breach timestamps must be logged with case numbers for contractual credit claims.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-support-incident-coordinator",
     "version": "0.1.0",
@@ -6595,7 +6796,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Triage Huawei Cloud operational alerts, incidents, and support tickets \u2014 P0/P1/P2/P3 classification, Huawei Cloud Premium Support SLA enforcement, Account Manager escalation, AOM alert routing, war room coordination, evidence collection from CES and LTS, and safe escalation paths.",
+    "summary": "Triage Huawei Cloud operational alerts, incidents, and support tickets — P0/P1/P2/P3 classification, Huawei Cloud Premium Support SLA enforcement, Account Manager escalation, AOM alert routing, war room coordination, evidence collection from CES and LTS, and safe escalation paths.",
     "source_type": "original",
     "official_docs": [
       "https://support.huaweicloud.com/intl/en-us/",
@@ -6604,7 +6805,7 @@
       "https://support.huaweicloud.com/intl/en-us/ces/index.html",
       "https://support.huaweicloud.com/intl/en-us/lts/index.html"
     ],
-    "security_notes": "Huawei Cloud support ticket attachments are accessible to Huawei support engineers \u2014 scrub AK/SK values, account IDs, customer PII, and unredacted log data before sharing. War room communication must use secure channels \u2014 avoid sharing incident details in public or uncontrolled messaging platforms.",
+    "security_notes": "Huawei Cloud support ticket attachments are accessible to Huawei support engineers — scrub AK/SK values, account IDs, customer PII, and unredacted log data before sharing. War room communication must use secure channels — avoid sharing incident details in public or uncontrolled messaging platforms.",
     "last_verified": "2026-05-09",
     "path": "skills/huawei/huawei-ticket-triage-escalation-coordinator",
     "version": "0.1.0",
@@ -6691,6 +6892,35 @@
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "influencer-disclosure-compliance-review",
+    "name": "Influencer Disclosure Compliance Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review influencer campaign audit packs — brief, contract, post descriptions, and disclosure placement specs — for FTC Endorsement Guide violations: undisclosed material connections, inadequate disclosure placement, and brand liability exposure.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.ftc.gov/legal-library/browse/rules/endorsement-guides",
+      "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255",
+      "https://www.ftc.gov/system/files/ftc_gov/pdf/ftc-endorsement-guides-final-rule.pdf",
+      "https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act",
+      "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking"
+    ],
+    "security_notes": "Review works from a structured influencer campaign audit pack only — brief, contract excerpt, post descriptions, and disclosure spec. Never accept raw personal data about creators, unpublished negotiations, or brand financial terms beyond what is needed to assess disclosure adequacy. This is a static compliance review; it does not generate campaign content or creator instructions.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/influencer-disclosure-compliance-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
   {
     "id": "ionos-cost-optimization-analyst",
     "name": "IONOS Cost Optimization Analyst",
@@ -6819,7 +7049,7 @@
       "https://api.ionos.com/docs/",
       "https://registry.terraform.io/providers/ionos-cloud/ionoscloud/latest/docs"
     ],
-    "security_notes": "Never attempt live IONOS Cloud API mutations from the routing layer. DCD topology changes have infrastructure-wide blast radius \u2014 routing must stay read-only and hand off to approval-gated specialists. Do not expose bearer tokens or customer credentials in routing output.",
+    "security_notes": "Never attempt live IONOS Cloud API mutations from the routing layer. DCD topology changes have infrastructure-wide blast radius — routing must stay read-only and hand off to approval-gated specialists. Do not expose bearer tokens or customer credentials in routing output.",
     "last_verified": "2026-05-10",
     "path": "skills/ionos/ionos-maestro",
     "author": "github: Raishin",
@@ -6876,7 +7106,7 @@
       "https://istio.io/latest/docs/reference/config/security/peer_authentication/",
       "https://istio.io/latest/docs/reference/config/security/authorization-policy/"
     ],
-    "security_notes": "L7 AuthorizationPolicy rules in ambient mode are silently ignored when no waypoint is deployed \u2014 ztunnel only enforces L4. PeerAuthentication PERMISSIVE or DISABLE in production breaks mesh zero-trust. Mesh-wide root-namespace PeerAuthentication change has cluster-wide blast radius.",
+    "security_notes": "L7 AuthorizationPolicy rules in ambient mode are silently ignored when no waypoint is deployed — ztunnel only enforces L4. PeerAuthentication PERMISSIVE or DISABLE in production breaks mesh zero-trust. Mesh-wide root-namespace PeerAuthentication change has cluster-wide blast radius.",
     "last_verified": "2026-05-01",
     "path": "skills/istio/istio-ambient-mesh-review",
     "author": "github: Raishin",
@@ -6905,7 +7135,7 @@
       "https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings",
       "https://docs.kubecost.com/apis/apis-overview"
     ],
-    "security_notes": "Kubecost cost allocation API without authentication exposes team-level spend data to any pod in the cluster. Multi-cluster Kubecost aggregation requires cross-cluster network access \u2014 review whether the aggregation network path is private or exposed.",
+    "security_notes": "Kubecost cost allocation API without authentication exposes team-level spend data to any pod in the cluster. Multi-cluster Kubecost aggregation requires cross-cluster network access — review whether the aggregation network path is private or exposed.",
     "last_verified": "2026-05-02",
     "path": "skills/kubernetes/kubecost-chargeback-allocation-review",
     "version": "0.1.0",
@@ -6991,7 +7221,7 @@
       "https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/",
       "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
     ],
-    "security_notes": "Capture current RBAC state before every mutation \u2014 no built-in rollback. Block escalate, bind, and impersonate verbs without platform-team approval. Never approve wildcard grants. Cached tokens remain valid after binding deletion until expiry.",
+    "security_notes": "Capture current RBAC state before every mutation — no built-in rollback. Block escalate, bind, and impersonate verbs without platform-team approval. Never approve wildcard grants. Cached tokens remain valid after binding deletion until expiry.",
     "last_verified": "2026-05-01",
     "path": "skills/kubernetes/kubernetes-live-rbac-mutation-guard",
     "author": "github: Raishin",
@@ -7025,6 +7255,36 @@
     "source_type": "original",
     "version": "0.1.0"
   },
+  {
+    "id": "kubernetes-manifest-quality-review",
+    "name": "Kubernetes Manifest Quality Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review raw Kubernetes YAML manifests for security, quality, and policy defects — deprecated APIs, missing securityContext, absent resource limits, missing health probes, RBAC over-permission, plaintext secrets, and network exposure — statically, without applying manifests or contacting a cluster.",
+    "source_type": "original",
+    "official_docs": [
+      "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
+      "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
+      "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
+      "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
+      "https://kubernetes.io/docs/concepts/services-networking/network-policies/",
+      "https://github.com/yannh/kubeconform",
+      "https://github.com/zegl/kube-score"
+    ],
+    "security_notes": "Static review only — reads manifest YAML files, never applies manifests to a cluster, never connects to the Kubernetes API, and never requests kubeconfig, service account tokens, or cloud credentials. Do not accept manifests containing real secret values or connection strings decoded from base64; ask for sanitized versions with placeholder values.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/kubernetes-manifest-quality-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
   {
     "id": "kubernetes-network-architecture-review",
     "name": "Kubernetes Network Architecture Review",
@@ -7038,7 +7298,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Kubernetes cluster network architecture: CNI and dataplane selection, kube-proxy mode and replacement, IPAM and CIDR sizing, MTU and encapsulation, dual-stack and IPv6, Service surface (EndpointSlices, internalTrafficPolicy, externalTrafficPolicy, topology-aware routing), Ingress to Gateway API migration, CoreDNS and NodeLocal DNSCache, multi-cluster topology, and connectivity observability and troubleshooting. Excludes NetworkPolicy content review and live mutations \u2014 those are delegated to cilium-network-policy-review and the live-guard agents.",
+    "summary": "Review Kubernetes cluster network architecture: CNI and dataplane selection, kube-proxy mode and replacement, IPAM and CIDR sizing, MTU and encapsulation, dual-stack and IPv6, Service surface (EndpointSlices, internalTrafficPolicy, externalTrafficPolicy, topology-aware routing), Ingress to Gateway API migration, CoreDNS and NodeLocal DNSCache, multi-cluster topology, and connectivity observability and troubleshooting. Excludes NetworkPolicy content review and live mutations — those are delegated to cilium-network-policy-review and the live-guard agents.",
     "source_type": "original",
     "official_docs": [
       "https://kubernetes.io/docs/concepts/services-networking/",
@@ -7053,7 +7313,7 @@
       "https://docs.cilium.io/en/stable/network/kube-proxy-replacement/",
       "https://coredns.io/plugins/kubernetes/"
     ],
-    "security_notes": "CNI and Pod CIDR are one-way architectural choices on most stacks \u2014 resizing requires cluster rebuild. kube-proxy mode swap can break in-flight connections. MTU mismatch between underlay and overlay is a silent payload-stall failure. externalTrafficPolicy: Local preserves source IP but black-holes traffic when no local endpoint exists. NodeLocal DNSCache OOM produces a node-wide DNS outage via stale packet-filter redirect. Multi-cluster pod CIDR collisions break any cross-cluster scheme regardless of policy correctness. ndots:5 plus search path is the dominant cluster DNS load on most installations.",
+    "security_notes": "CNI and Pod CIDR are one-way architectural choices on most stacks — resizing requires cluster rebuild. kube-proxy mode swap can break in-flight connections. MTU mismatch between underlay and overlay is a silent payload-stall failure. externalTrafficPolicy: Local preserves source IP but black-holes traffic when no local endpoint exists. NodeLocal DNSCache OOM produces a node-wide DNS outage via stale packet-filter redirect. Multi-cluster pod CIDR collisions break any cross-cluster scheme regardless of policy correctness. ndots:5 plus search path is the dominant cluster DNS load on most installations.",
     "last_verified": "2026-05-07",
     "path": "skills/kubernetes/kubernetes-network-architecture-review",
     "author": "github: Raishin",
@@ -7203,83 +7463,445 @@
     "version": "0.1.0"
   },
   {
-    "id": "nvidia-agentic-ai-platform-review",
-    "name": "NVIDIA Agentic AI Platform Review",
+    "id": "legal-counsel-review",
+    "name": "Legal Counsel Review",
     "type": "skill",
-    "provider": "nvidia",
+    "provider": "generic",
     "harnesses": [
       "codex",
-      "copilot",
       "claude-code",
       "cursor",
       "gemini",
-      "kiro"
+      "kiro",
+      "other"
     ],
-    "summary": "Review agentic-AI platforms built on the NVIDIA stack per NCP-AAI \u2014 NeMo Agent Toolkit, NIM-as-tool, retrieval pipelines, tool-use safety, agent memory boundaries, and audit logging.",
+    "summary": "Adversarial legal-risk review discipline for contracts, privacy, regulatory, litigation, compliance, and policy-exception questions — surfaces risks, evidence gaps, decision options, and escalation paths for qualified counsel. Does not give legal advice.",
     "source_type": "original",
     "official_docs": [
-      "https://www.nvidia.com/en-us/learn/certification/",
-      "https://docs.nvidia.com/ai-enterprise/",
-      "https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/",
-      "https://docs.nvidia.com/nim/",
-      "https://docs.nvidia.com/dcgm/",
-      "https://docs.nvidia.com/networking/",
-      "https://docs.nvidia.com/nemo-framework/"
+      "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+      "https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en",
+      "https://www.legislation.gov.uk/ukpga/2018/12/contents",
+      "https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act",
+      "https://www.oaic.gov.au/privacy/the-privacy-act",
+      "https://www.law.cornell.edu/wex"
     ],
-    "security_notes": "Agent tools loaded from unsigned mutable sources are prompt injection at platform scale. Shared agent memory across tenants is cross-tenant data bleed. Unbounded tool loops are a cost and reliability incident waiting to happen.",
-    "last_verified": "2026-05-10",
-    "path": "skills/nvidia/nvidia-agentic-ai-platform-review",
+    "security_notes": "Static review only — works from sanitized excerpts; never requests secrets, credentials, personal data, employee medical detail, or trade secrets. Does not issue binding legal conclusions; flags privileged material and recommends escalation to qualified counsel.",
+    "last_verified": "2026-05-18",
+    "path": "skills/legal/legal-counsel-review",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "nvidia-ai-infrastructure-operations",
-    "name": "NVIDIA AI Infrastructure Operations",
+    "id": "legal-hr-case-capsule",
+    "name": "Legal-HR Case Capsule",
     "type": "skill",
-    "provider": "nvidia",
+    "provider": "generic",
     "harnesses": [
       "codex",
-      "copilot",
       "claude-code",
       "cursor",
       "gemini",
-      "kiro"
+      "kiro",
+      "other"
     ],
-    "summary": "Review NVIDIA GPU infrastructure (DGX/HGX/MGX) against NVIDIA reference architectures, the AI Enterprise support matrix, and the NCA-AIIO and NCP-AII certification bodies of knowledge \u2014 driver/firmware/CUDA alignment, BMC segmentation, ECC, persistence, and MIG posture.",
+    "summary": "Shared, auditable handoff contract for Legal and HR agents — a redacted case capsule carrying facts, uncertainty, evidence quality, risk labels, privilege and privacy posture, a named decision owner, and an explicit do-not-do list. Does not give legal or HR advice.",
     "source_type": "original",
     "official_docs": [
-      "https://www.nvidia.com/en-us/learn/certification/",
-      "https://docs.nvidia.com/ai-enterprise/",
-      "https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/",
-      "https://docs.nvidia.com/nim/",
-      "https://docs.nvidia.com/dcgm/",
-      "https://docs.nvidia.com/networking/",
-      "https://docs.nvidia.com/nemo-framework/"
+      "https://www.nist.gov/privacy-framework",
+      "https://www.eeoc.gov",
+      "https://eur-lex.europa.eu/eli/reg/2016/679/oj"
     ],
-    "security_notes": "BMC reachable from tenant networks is total compromise of GPU hosts. Drivers outside the AI Enterprise support matrix produce silent ABI breakage. ECC disabled silently corrupts weights and gradients on training workloads.",
-    "last_verified": "2026-05-10",
-    "path": "skills/nvidia/nvidia-ai-infrastructure-operations",
-    "author": "github: Raishin",
-    "version": "0.1.0"
+    "security_notes": "Defines a minimum-necessary handoff record; never carries medical records, government IDs, credentials, privileged email text, or protected-class data beyond what the matter requires. Never authorizes action; flags privilege and privacy posture and routes decisions to a named human owner.",
+    "last_verified": "2026-05-18",
+    "path": "skills/cross-functional/legal-hr-case-capsule",
+    "version": "0.1.0",
+    "author": "github: Raishin"
   },
   {
-    "id": "nvidia-ai-networking-fabric-review",
-    "name": "NVIDIA AI Networking Fabric Review",
+    "id": "legal-hr-risk-taxonomy",
+    "name": "Legal-HR Risk Taxonomy",
     "type": "skill",
-    "provider": "nvidia",
+    "provider": "generic",
     "harnesses": [
       "codex",
-      "copilot",
       "claude-code",
       "cursor",
       "gemini",
-      "kiro"
+      "kiro",
+      "other"
     ],
-    "summary": "Review NVIDIA AI fabric posture per NCP-AIN \u2014 Spectrum-X / InfiniBand topology, NCCL collective tuning, RoCEv2 lossless config, congestion control, and east-west isolation between training jobs.",
+    "summary": "Shared risk vocabulary for the Legal and HR agent ecosystem — severity ratings, privilege and privacy sensitivity labels, matter-type classes, escalation-gate triggers, and the audit-log schema. Does not give legal or HR advice and never concludes a matter is safe or compliant.",
     "source_type": "original",
     "official_docs": [
-      "https://www.nvidia.com/en-us/learn/certification/",
-      "https://docs.nvidia.com/ai-enterprise/",
+      "https://www.nist.gov/privacy-framework",
+      "https://www.eeoc.gov",
+      "https://eur-lex.europa.eu/eli/reg/2016/679/oj"
+    ],
+    "security_notes": "A risk rating is an opinion on exposure, never a clearance; never records a matter as compliant or safe. The audit-log schema is minimum-necessary and carries labels and summaries, never raw medical, privileged, credential, or protected-class content. Rates Unknown and escalates when facts are missing.",
+    "last_verified": "2026-05-18",
+    "path": "skills/cross-functional/legal-hr-risk-taxonomy",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "legal-hr-routing-protocol",
+    "name": "Legal-HR Routing Protocol",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Classification and routing discipline for Legal and HR matters — routing rules, the cross-domain overlap handoff matrix, controlled-handoff communication principles, and the Legal-HR conflict-resolution protocol. Does not give legal or HR advice and never makes a binding routing decision.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.nist.gov/privacy-framework",
+      "https://www.eeoc.gov",
+      "https://eur-lex.europa.eu/eli/reg/2016/679/oj"
+    ],
+    "security_notes": "Routing is a recommendation, never an authorization; never approves, denies, or directs adverse action. Classifies matters from sanitized signals only and never requests medical detail, government IDs, credentials, or protected-class data. Routes ambiguous matters to a maestro rather than guessing a specialist.",
+    "last_verified": "2026-05-18",
+    "path": "skills/cross-functional/legal-hr-routing-protocol",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "llm-ai-pipeline-test-review",
+    "name": "LLM AI Pipeline Test Review",
+    "type": "skill",
+    "provider": "generic",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review an LLM or AI pipeline's evaluation setup for test-quality defects — missing hallucination, relevancy, faithfulness, bias, toxicity, and tool-correctness metrics; absent golden datasets; unthresholded or single-shot evals; and no regression gate across model versions. Static review only.",
+    "source_type": "original",
+    "official_docs": [
+      "https://docs.confident-ai.com/",
+      "https://docs.confident-ai.com/docs/metrics-hallucination",
+      "https://docs.confident-ai.com/docs/metrics-answer-relevancy",
+      "https://docs.confident-ai.com/docs/metrics-faithfulness",
+      "https://docs.confident-ai.com/docs/metrics-bias",
+      "https://docs.confident-ai.com/docs/metrics-tool-correctness",
+      "https://www.istqb.org/certifications/certified-tester-foundation-level"
+    ],
+    "security_notes": "Static review only — reads eval configuration and test source; never calls LLM APIs, never runs evaluations, never requests model API keys or inference endpoints. Do not accept eval fixtures containing real user PII, private prompt chains, or model weights; ask for sanitized configurations.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/llm-ai-pipeline-test-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "lookalike-audience-upload-compliance-review",
+    "name": "Lookalike Audience Upload Compliance Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review custom-audience and lookalike-audience upload specifications for hashing adequacy, PII field scope, consent-basis validity, and platform data-sharing restrictions before upload to Meta, Google, LinkedIn, or TikTok — catching underhashed identifiers, consent-scope mismatches, and re-identification surfaces.",
+    "source_type": "original",
+    "official_docs": [
+      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679",
+      "https://oag.ca.gov/privacy/ccpa",
+      "https://www.ftc.gov/reports/data-brokers-call-transparency-accountability",
+      "https://developers.facebook.com/docs/marketing-api/audiences/guides/custom-audiences/",
+      "https://support.google.com/google-ads/answer/6334160"
+    ],
+    "security_notes": "Custom-audience uploads transmit hashed personal data to ad platforms under data-sharing arrangements that must have a lawful basis, appropriate consent scope, and adequate pseudonymization. Review works from sanitized field-mapping specifications, declared hashing methods, and consent-basis documentation only; never request actual audience files, real customer records, or platform API credentials.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/lookalike-audience-upload-compliance-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "marketing-consent-data-collection-review",
+    "name": "Marketing Consent and Data-Collection Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review marketing consent and data-collection posture — CMP banner config, tag-manager containers, Consent Mode wiring, and cookie policy — for GDPR/ePrivacy/CCPA correctness, dark patterns, and undisclosed trackers.",
+    "source_type": "original",
+    "official_docs": [
+      "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058",
+      "https://oag.ca.gov/privacy/ccpa",
+      "https://developers.google.com/tag-platform/security/guides/consent",
+      "https://iabeurope.eu/transparency-consent-framework/"
+    ],
+    "security_notes": "Marketing tags that fire before a consent signal collect personal data with no lawful basis and expose the controller to GDPR/ePrivacy enforcement and CCPA class actions. Consent banners with non-symmetric choice or pre-ticked boxes invalidate consent. Review works from sanitized configuration only; never request real visitor data, consent-string archives, or analytics account credentials.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-consent-data-collection-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "marketing-conversion-flow-dark-pattern-review",
+    "name": "Marketing Conversion Flow Dark-Pattern Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review marketing conversion flow specifications — subscription sign-up, upsell interstitial, free-trial enrollment, and cancellation path — for dark-pattern practices that invalidate consent or constitute unfair or deceptive acts under FTC Section 5, the FTC Negative Option Rule, CPRA, and EU AI Act Article 5(1)(b).",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.ftc.gov/legal-library/browse/rules/negative-option-rule",
+      "https://www.ftc.gov/system/files/ftc_gov/pdf/P214800+Dark+Patterns+Report+9.14.2022+-+FINAL.pdf",
+      "https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140.",
+      "https://oag.ca.gov/privacy/ccpa",
+      "https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng"
+    ],
+    "security_notes": "Read-only static review of sanitized UX flow specifications and annotated wireframes only. Never request real payment credentials, live user-session data, or production A/B-test results. Findings may indicate violations of FTC rules carrying civil penalties — route remediation and enforcement-risk assessment to qualified legal counsel before acting on findings.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-conversion-flow-dark-pattern-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
+  {
+    "id": "marketing-email-list-retention-review",
+    "name": "Marketing Email List Retention Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review marketing email list segment metadata, consent-record completeness, suppression-list coverage, and data-retention schedules for GDPR, CASL, and CCPA deletion-right compliance.",
+    "source_type": "original",
+    "official_docs": [
+      "https://gdpr-info.eu/art-5-gdpr/",
+      "https://gdpr-info.eu/art-17-gdpr/",
+      "https://laws-lois.justice.gc.ca/eng/acts/C-28.65/page-1.html",
+      "https://oag.ca.gov/privacy/ccpa",
+      "https://www.canada.ca/en/radio-television-telecommunications/news/2014/07/compliance-and-enforcement-information-bulletin-crtc-2014-326.html"
+    ],
+    "security_notes": "Review works from sanitized CRM/ESP exports only — placeholder values for email addresses, subscriber IDs, and timestamps. Never accept real subscriber PII, live CRM credentials, or ESP API keys. Findings of missing consent records or absent suppression-list sync may constitute an ongoing GDPR or CASL violation requiring legal escalation.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-email-list-retention-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
+  {
+    "id": "marketing-gpc-signal-honoring-review",
+    "name": "Marketing GPC Signal Honoring Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review the technical signal path by which a Global Privacy Control opt-out travels through the CMP and tag stack to confirm ad tags, server-side conversion APIs, and CAPI forwarding actually cease firing on opt-out.",
+    "source_type": "original",
+    "official_docs": [
+      "https://cppa.ca.gov/regulations/pdf/cppa_regs.pdf",
+      "https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.135.&lawCode=CIV",
+      "https://globalprivacycontrol.org/",
+      "https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB566",
+      "https://oag.ca.gov/privacy/ccpa"
+    ],
+    "security_notes": "GPC honoring reviews work from sanitized tag-manager container exports and CMP configuration exports only. Never request live CMP consent logs, visitor opt-out records, or ad-platform credentials. Findings of non-compliance may constitute evidence in an enforcement proceeding — route legal determinations to qualified privacy counsel, not to this skill.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-gpc-signal-honoring-review",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
+  {
+    "id": "marketing-maestro",
+    "name": "Marketing Maestro",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Route marketing-governance review tasks to the narrowest specialist across all 13 domains: consent and data-collection, advertising-pixel data-leakage, martech access-governance, GPC signal-honoring, email sender authentication, programmatic supply-chain integrity, AI ad-targeting fairness, EU AI Act marketing-system classification, lookalike audience upload compliance, email list retention, influencer disclosure, conversion-flow dark patterns, and analytics data minimization. Dispatches single or parallel teams (max 4); requires human gate for any mutation intent.",
+    "source_type": "original",
+    "official_docs": [
+      "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+      "https://oag.ca.gov/privacy/ccpa"
+    ],
+    "security_notes": "Read-only routing skill. Never accepts real visitor data, consent-string archives, ad-platform credentials, API keys, OAuth tokens, or tenant-specific data. No live-guard agents exist in v1; any mutation request is refused and escalated to a human operator.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-maestro",
+    "author": "github: Raishin",
+    "version": "0.1.0",
+    "lifecycle": "experimental"
+  },
+  {
+    "id": "marketing-pixel-data-leakage-review",
+    "name": "Marketing Pixel Data-Leakage Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review advertising pixels and conversion event tracking for personal-data leakage to ad networks — PII in payloads, form-field auto-capture, pixels on sensitive pages, and unhashed identifier transmission.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html",
+      "https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule",
+      "https://developers.facebook.com/docs/meta-pixel/",
+      "https://support.google.com/google-ads/answer/9888656",
+      "https://owasp.org/www-project-top-ten/"
+    ],
+    "security_notes": "Advertising pixels that capture email, phone, health, or financial data transmit personal data to third-party ad networks with no contract, no consent scope, and no breach visibility — a pattern behind major HIPAA settlements, FTC Health Breach Notification Rule actions, and wiretap class actions. Review works from sanitized payloads and container exports only; never request real visitor data or ad-platform credentials.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/marketing-pixel-data-leakage-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "martech-access-governance-review",
+    "name": "Martech Access Governance Review",
+    "type": "skill",
+    "provider": "marketing",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Review access governance across a marketing technology stack — OAuth connected apps, API keys, CRM and marketing-automation roles, and integration scopes — for least-privilege violations, shared and stale credentials, and missing ownership.",
+    "source_type": "original",
+    "official_docs": [
+      "https://datatracker.ietf.org/doc/html/rfc6749",
+      "https://oauth.net/2/scope/",
+      "https://csrc.nist.gov/glossary/term/least_privilege",
+      "https://owasp.org/www-project-top-ten/",
+      "https://csrc.nist.gov/pubs/sp/800/207/final"
+    ],
+    "security_notes": "A marketing technology stack holds the full customer database and accumulates OAuth grants, API keys, and seats faster than it deprovisions them. Over-broad connector scopes, shared non-rotating credentials, and stale grants from departed staff or ended vendors are a heavily exploited SaaS breach path. Review works from sanitized inventories only; never request, collect, or echo credential values, tokens, or secrets.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/martech-access-governance-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "nvidia-agentic-ai-platform-review",
+    "name": "NVIDIA Agentic AI Platform Review",
+    "type": "skill",
+    "provider": "nvidia",
+    "harnesses": [
+      "codex",
+      "copilot",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro"
+    ],
+    "summary": "Review agentic-AI platforms built on the NVIDIA stack per NCP-AAI — NeMo Agent Toolkit, NIM-as-tool, retrieval pipelines, tool-use safety, agent memory boundaries, and audit logging.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.nvidia.com/en-us/learn/certification/",
+      "https://docs.nvidia.com/ai-enterprise/",
+      "https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/",
+      "https://docs.nvidia.com/nim/",
+      "https://docs.nvidia.com/dcgm/",
+      "https://docs.nvidia.com/networking/",
+      "https://docs.nvidia.com/nemo-framework/"
+    ],
+    "security_notes": "Agent tools loaded from unsigned mutable sources are prompt injection at platform scale. Shared agent memory across tenants is cross-tenant data bleed. Unbounded tool loops are a cost and reliability incident waiting to happen.",
+    "last_verified": "2026-05-10",
+    "path": "skills/nvidia/nvidia-agentic-ai-platform-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "nvidia-ai-infrastructure-operations",
+    "name": "NVIDIA AI Infrastructure Operations",
+    "type": "skill",
+    "provider": "nvidia",
+    "harnesses": [
+      "codex",
+      "copilot",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro"
+    ],
+    "summary": "Review NVIDIA GPU infrastructure (DGX/HGX/MGX) against NVIDIA reference architectures, the AI Enterprise support matrix, and the NCA-AIIO and NCP-AII certification bodies of knowledge — driver/firmware/CUDA alignment, BMC segmentation, ECC, persistence, and MIG posture.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.nvidia.com/en-us/learn/certification/",
+      "https://docs.nvidia.com/ai-enterprise/",
+      "https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/",
+      "https://docs.nvidia.com/nim/",
+      "https://docs.nvidia.com/dcgm/",
+      "https://docs.nvidia.com/networking/",
+      "https://docs.nvidia.com/nemo-framework/"
+    ],
+    "security_notes": "BMC reachable from tenant networks is total compromise of GPU hosts. Drivers outside the AI Enterprise support matrix produce silent ABI breakage. ECC disabled silently corrupts weights and gradients on training workloads.",
+    "last_verified": "2026-05-10",
+    "path": "skills/nvidia/nvidia-ai-infrastructure-operations",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "nvidia-ai-networking-fabric-review",
+    "name": "NVIDIA AI Networking Fabric Review",
+    "type": "skill",
+    "provider": "nvidia",
+    "harnesses": [
+      "codex",
+      "copilot",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro"
+    ],
+    "summary": "Review NVIDIA AI fabric posture per NCP-AIN — Spectrum-X / InfiniBand topology, NCCL collective tuning, RoCEv2 lossless config, congestion control, and east-west isolation between training jobs.",
+    "source_type": "original",
+    "official_docs": [
+      "https://www.nvidia.com/en-us/learn/certification/",
+      "https://docs.nvidia.com/ai-enterprise/",
       "https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/",
       "https://docs.nvidia.com/nim/",
       "https://docs.nvidia.com/dcgm/",
@@ -7305,7 +7927,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Review day-2 operational posture of NVIDIA GPU fleets per NCP-AIO \u2014 DCGM exporter coverage, MIG lifecycle, Xid signature to runbook mapping, and gated driver/firmware upgrade discipline.",
+    "summary": "Review day-2 operational posture of NVIDIA GPU fleets per NCP-AIO — DCGM exporter coverage, MIG lifecycle, Xid signature to runbook mapping, and gated driver/firmware upgrade discipline.",
     "source_type": "original",
     "official_docs": [
       "https://www.nvidia.com/en-us/learn/certification/",
@@ -7335,7 +7957,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Doc-anchored static review of CUDA C/C++ kernel sources against the NVIDIA CUDA C++ Programming Guide, CUDA Best Practices Guide, and Nsight Compute documentation \u2014 memory coalescing, shared-memory bank conflicts, occupancy, register pressure, stream concurrency, kernel launch parameters.",
+    "summary": "Doc-anchored static review of CUDA C/C++ kernel sources against the NVIDIA CUDA C++ Programming Guide, CUDA Best Practices Guide, and Nsight Compute documentation — memory coalescing, shared-memory bank conflicts, occupancy, register pressure, stream concurrency, kernel launch parameters.",
     "source_type": "original",
     "official_docs": [
       "https://docs.nvidia.com/cuda/cuda-c-programming-guide/",
@@ -7344,7 +7966,7 @@
       "https://docs.nvidia.com/nsight-systems/",
       "https://docs.nvidia.com/cuda/profiler-users-guide/"
     ],
-    "security_notes": "Static review only \u2014 the skill never executes nvcc, nsight-compute, or nsight-systems. It outputs the recommended invocation as text for the user to run on their own GPU host. Treat CUDA samples that disable bounds checking, copy host pointers across context boundaries, or use `cudaMallocManaged` without prefetch hints as findings rather than as patterns to imitate.",
+    "security_notes": "Static review only — the skill never executes nvcc, nsight-compute, or nsight-systems. It outputs the recommended invocation as text for the user to run on their own GPU host. Treat CUDA samples that disable bounds checking, copy host pointers across context boundaries, or use `cudaMallocManaged` without prefetch hints as findings rather than as patterns to imitate.",
     "last_verified": "2026-05-10",
     "path": "skills/nvidia/nvidia-cuda-kernel-performance-review/",
     "category": "platform",
@@ -7365,7 +7987,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Review NVIDIA generative-AI platforms per NCA-GENL / NCA-GENM / NCP-GENL \u2014 NeMo training and customization, NIM inference microservices, model card and weights provenance, evaluation harness, and guardrails posture.",
+    "summary": "Review NVIDIA generative-AI platforms per NCA-GENL / NCA-GENM / NCP-GENL — NeMo training and customization, NIM inference microservices, model card and weights provenance, evaluation harness, and guardrails posture.",
     "source_type": "original",
     "official_docs": [
       "https://www.nvidia.com/en-us/learn/certification/",
@@ -7395,7 +8017,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Review NVIDIA GPU Operator on Kubernetes \u2014 device plugin, MIG manager, node feature discovery, time-sliced GPUs, container toolkit, securityContext posture, and namespace tenancy boundaries.",
+    "summary": "Review NVIDIA GPU Operator on Kubernetes — device plugin, MIG manager, node feature discovery, time-sliced GPUs, container toolkit, securityContext posture, and namespace tenancy boundaries.",
     "source_type": "original",
     "official_docs": [
       "https://www.nvidia.com/en-us/learn/certification/",
@@ -7460,7 +8082,7 @@
       "https://oras.land/docs/category/oras-commands",
       "https://github.com/anchore/grype"
     ],
-    "security_notes": "Live-execution skill. Allowlist locks every Bash invocation to nvcr.io/* targets and to a fixed argv shape (no shell metacharacters). Egress restricted to nvcr.io and Sigstore endpoints (rekor, fulcio, tuf). Reads $NGC_API_KEY from environment but never echoes it. Default mode is static (no egress); runtime mode is per-session opt-in. Rekor unreachable degrades to manual-review rather than auto-pass to prevent quiet bypass in air-gapped environments. Read-only \u2014 no docker pull, no kubectl, no registry write.",
+    "security_notes": "Live-execution skill. Allowlist locks every Bash invocation to nvcr.io/* targets and to a fixed argv shape (no shell metacharacters). Egress restricted to nvcr.io and Sigstore endpoints (rekor, fulcio, tuf). Reads $NGC_API_KEY from environment but never echoes it. Default mode is static (no egress); runtime mode is per-session opt-in. Rekor unreachable degrades to manual-review rather than auto-pass to prevent quiet bypass in air-gapped environments. Read-only — no docker pull, no kubectl, no registry write.",
     "last_verified": "2026-05-11",
     "path": "skills/nvidia/nvidia-model-promotion-gatekeeper/",
     "category": "security",
@@ -7483,7 +8105,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Review NGC and NIM supply chain posture \u2014 NGC org/team boundaries, API key scope and rotation, NIM container cosign verification, model card and weights provenance, AI Enterprise license posture, and air-gap mirror integrity.",
+    "summary": "Review NGC and NIM supply chain posture — NGC org/team boundaries, API key scope and rotation, NIM container cosign verification, model card and weights provenance, AI Enterprise license posture, and air-gap mirror integrity.",
     "source_type": "original",
     "official_docs": [
       "https://www.nvidia.com/en-us/learn/certification/",
@@ -7513,7 +8135,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Doc-anchored static review of TensorRT and TensorRT-LLM deployment pipelines against the NVIDIA TensorRT Developer Guide and TensorRT-LLM documentation \u2014 ONNX/PyTorch export, precision selection, calibration integrity, dynamic shapes, plugin trust boundaries, engine cache provenance.",
+    "summary": "Doc-anchored static review of TensorRT and TensorRT-LLM deployment pipelines against the NVIDIA TensorRT Developer Guide and TensorRT-LLM documentation — ONNX/PyTorch export, precision selection, calibration integrity, dynamic shapes, plugin trust boundaries, engine cache provenance.",
     "source_type": "original",
     "official_docs": [
       "https://docs.nvidia.com/deeplearning/tensorrt/developer-guide/",
@@ -7522,7 +8144,7 @@
       "https://docs.nvidia.com/deeplearning/tensorrt-llm/",
       "https://docs.nvidia.com/deeplearning/tensorrt/api/"
     ],
-    "security_notes": "TensorRT custom plugins load arbitrary native code into the inference process; any plugin pulled from a non-vetted source is an RCE primitive. Serialized TensorRT engines (`.engine`, `.plan`) are not signed by default \u2014 silent substitution of an engine yields silent model substitution. INT8 calibration data is unredacted production traffic by definition and is a confidentiality risk if it leaks. The skill never executes `trtexec`, `polygraphy`, or `tensorrt_llm/build.py` \u2014 it outputs the recommended invocation as text.",
+    "security_notes": "TensorRT custom plugins load arbitrary native code into the inference process; any plugin pulled from a non-vetted source is an RCE primitive. Serialized TensorRT engines (`.engine`, `.plan`) are not signed by default — silent substitution of an engine yields silent model substitution. INT8 calibration data is unredacted production traffic by definition and is a confidentiality risk if it leaks. The skill never executes `trtexec`, `polygraphy`, or `tensorrt_llm/build.py` — it outputs the recommended invocation as text.",
     "last_verified": "2026-05-10",
     "path": "skills/nvidia/nvidia-tensorrt-llm-deployment-review/",
     "category": "platform",
@@ -7543,7 +8165,7 @@
       "gemini",
       "kiro"
     ],
-    "summary": "Doc-anchored static review of Triton Inference Server deployments against the NVIDIA Triton Inference Server documentation \u2014 model repository layout, dynamic batching, ensemble pipelines, custom backend trust, gRPC/HTTP auth, response cache, rate-limit and metrics endpoints.",
+    "summary": "Doc-anchored static review of Triton Inference Server deployments against the NVIDIA Triton Inference Server documentation — model repository layout, dynamic batching, ensemble pipelines, custom backend trust, gRPC/HTTP auth, response cache, rate-limit and metrics endpoints.",
     "source_type": "original",
     "official_docs": [
       "https://docs.nvidia.com/deeplearning/triton-inference-server/user-guide/docs/",
@@ -7552,7 +8174,7 @@
       "https://github.com/triton-inference-server/server/blob/main/docs/customization_guide/inference_protocols.md",
       "https://github.com/triton-inference-server/server/blob/main/docs/user_guide/architecture.md"
     ],
-    "security_notes": "Triton custom Python and C++ backends execute arbitrary code in the server process \u2014 any backend pulled from a non-vetted source is an RCE primitive. Default gRPC and HTTP endpoints are anonymous; auth is the operator's responsibility via reverse-proxy or `--grpc-restricted-protocol`. Model files in `model_repository/` are unsigned at rest. The response cache, when enabled, can be poisoned across tenants if requests are not partitioned. The skill never starts `tritonserver` or sends inference requests \u2014 it outputs `tritonserver` and `perf_analyzer` invocations as text.",
+    "security_notes": "Triton custom Python and C++ backends execute arbitrary code in the server process — any backend pulled from a non-vetted source is an RCE primitive. Default gRPC and HTTP endpoints are anonymous; auth is the operator's responsibility via reverse-proxy or `--grpc-restricted-protocol`. Model files in `model_repository/` are unsigned at rest. The response cache, when enabled, can be poisoned across tenants if requests are not partitioned. The skill never starts `tritonserver` or sends inference requests — it outputs `tritonserver` and `perf_analyzer` invocations as text.",
     "last_verified": "2026-05-10",
     "path": "skills/nvidia/nvidia-triton-inference-serving-review/",
     "category": "platform",
@@ -7608,7 +8230,7 @@
       "https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingworkloadidentity.htm",
       "https://github.com/oracle/oci-native-ingress-controller"
     ],
-    "security_notes": "Instance Principal auth for cert-manager on OKE means ANY pod on the node can call the OCI Certificates API using the instance metadata endpoint \u2014 not just cert-manager. Use OKE Workload Identity to scope cert-issuance permissions to the cert-manager ServiceAccount only. IAM policy with 'manage certificate-authorities' grants delete and update CA permissions, which is excessive for cert-manager.",
+    "security_notes": "Instance Principal auth for cert-manager on OKE means ANY pod on the node can call the OCI Certificates API using the instance metadata endpoint — not just cert-manager. Use OKE Workload Identity to scope cert-issuance permissions to the cert-manager ServiceAccount only. IAM policy with 'manage certificate-authorities' grants delete and update CA permissions, which is excessive for cert-manager.",
     "last_verified": "2026-05-02",
     "path": "skills/oci/oci-certificates-issuer-review",
     "version": "0.1.0",
@@ -7980,7 +8602,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard Autonomous Database lifecycle changes \u2014 scale, start, stop, clone, terminate \u2014 with protection-tag enforcement, backup verification, and connection-string impact analysis before any mutation.",
+    "summary": "Guard Autonomous Database lifecycle changes — scale, start, stop, clone, terminate — with protection-tag enforcement, backup verification, and connection-string impact analysis before any mutation.",
     "source_type": "original",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbscaling.htm",
@@ -7988,7 +8610,7 @@
       "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbcloning.htm",
       "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbbackingup.htm"
     ],
-    "security_notes": "ADB termination is permanent \u2014 the database and all backups are deleted. Always verify protection tags before any terminate operation. ADB storage scale-up cannot be reversed. Termination blocked by defined-tag protection requires explicit tag removal approval.",
+    "security_notes": "ADB termination is permanent — the database and all backups are deleted. Always verify protection tags before any terminate operation. ADB storage scale-up cannot be reversed. Termination blocked by defined-tag protection requires explicit tag removal approval.",
     "last_verified": "2026-04-30",
     "path": "skills/oci/oci-live-autonomous-db-lifecycle-guard",
     "author": "github: Raishin",
@@ -8015,7 +8637,7 @@
       "https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm",
       "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm"
     ],
-    "security_notes": "GPU/HPC shapes (BM.GPU4.8, A100, BM.HPC2.36) can generate six-figure monthly costs when left running. Never approve quota increases or budget threshold raises without explicit financial-authority approval. Emergency stop requires Compute operator rights \u2014 escalate if not held.",
+    "security_notes": "GPU/HPC shapes (BM.GPU4.8, A100, BM.HPC2.36) can generate six-figure monthly costs when left running. Never approve quota increases or budget threshold raises without explicit financial-authority approval. Emergency stop requires Compute operator rights — escalate if not held.",
     "last_verified": "2026-04-30",
     "path": "skills/oci/oci-live-cost-budget-runaway-guard",
     "author": "github: Raishin",
@@ -8070,7 +8692,7 @@
       "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/update-securitylist.htm",
       "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/path_analyzer.htm"
     ],
-    "security_notes": "oci network security-list update is a full replace \u2014 always capture complete current rules before writing. Never approve 0.0.0.0/0 ingress on database subnets. Enable VCN Flow Logs before any rule change. Prefer NSGs over Security Lists for database VNICs.",
+    "security_notes": "oci network security-list update is a full replace — always capture complete current rules before writing. Never approve 0.0.0.0/0 ingress on database subnets. Enable VCN Flow Logs before any rule change. Prefer NSGs over Security Lists for database VNICs.",
     "last_verified": "2026-05-01",
     "path": "skills/oci/oci-live-network-security-rule-guard",
     "author": "github: Raishin",
@@ -8097,7 +8719,7 @@
       "https://docs.oracle.com/en-us/iaas/Content/devops/using/canaryoke_deploy.htm",
       "https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengoverview.htm"
     ],
-    "security_notes": "Never advance an OKE rollout past an approval stage without rollout status and PDB health evidence. kubectl rollout undo is irreversible in the sense that the prior version may not be identical to the deployed artifact \u2014 confirm target revision before undo.",
+    "security_notes": "Never advance an OKE rollout past an approval stage without rollout status and PDB health evidence. kubectl rollout undo is irreversible in the sense that the prior version may not be identical to the deployed artifact — confirm target revision before undo.",
     "last_verified": "2026-04-30",
     "path": "skills/oci/oci-live-oke-rollout-guard",
     "author": "github: Raishin",
@@ -8671,357 +9293,166 @@
     "author": "github: Raishin"
   },
   {
-    "id": "ovhcloud-iam-policy-review",
-    "name": "OVHcloud IAM Policy Review",
-    "type": "skill",
-    "provider": "ovhcloud",
-    "harnesses": [
-      "codex",
-      "copilot",
-      "claude-code",
-      "cursor",
-      "gemini",
-      "kiro"
-    ],
-    "summary": "Review OVHcloud IAM policies for overly permissive allow rules, missing deny blocks, unscoped URNs, absent condition blocks (IP CIDR, resource tag, expiration), and identity-group hygiene.",
-    "source_type": "original",
-    "official_docs": [
-      "https://help.ovhcloud.com/csm/en-account-iam-policies?id=kb_article_view&sysparm_article=KB0055594",
-      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/iam_policy",
-      "https://api.ovh.com/console/#/me/api/credential"
-    ],
-    "security_notes": "OVHcloud IAM conditions (IP CIDR, resource tags, expiration) can silently allow broad access if omitted; always audit allow/deny rule order and URN scope before approving policy changes.",
-    "last_verified": "2026-05-10",
-    "path": "skills/ovhcloud/ovhcloud-iam-policy-review",
-    "version": "0.1.0",
-    "author": "github: Raishin"
-  },
-  {
-    "id": "ovhcloud-kubernetes-platform-operator",
-    "name": "OVHcloud Kubernetes Platform Operator",
-    "type": "skill",
-    "provider": "ovhcloud",
-    "harnesses": [
-      "codex",
-      "copilot",
-      "claude-code",
-      "cursor",
-      "gemini",
-      "kiro"
-    ],
-    "summary": "Review and advise on OVHcloud Managed Kubernetes lifecycle, node pool operations, upgrade planning, workload placement, RBAC, and cluster security posture.",
-    "source_type": "original",
-    "official_docs": [
-      "https://help.ovhcloud.com/csm/en-public-cloud-kubernetes?id=kb_article_view&sysparm_article=KB0049613",
-      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/cloud_project_kube",
-      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/cloud_project_kube_nodepool"
-    ],
-    "security_notes": "MCK node pool upgrades are disruptive if PodDisruptionBudgets are absent; never recommend force-deleting nodes without draining and confirming workload rescheduling.",
-    "last_verified": "2026-05-10",
-    "path": "skills/ovhcloud/ovhcloud-kubernetes-platform-operator",
-    "version": "0.1.0",
-    "author": "github: Raishin"
-  },
-  {
-    "id": "ovhcloud-live-kms-key-destruction-guard",
-    "name": "OVHcloud Live KMS Key Destruction Guard",
-    "type": "skill",
-    "provider": "ovhcloud",
-    "harnesses": [
-      "codex",
-      "copilot",
-      "claude-code",
-      "cursor",
-      "gemini",
-      "kiro"
-    ],
-    "summary": "Gate and audit OVHcloud KMS key version destruction by enforcing five mandatory checks: key ID confirmation, named approver, usage audit, waiting period, and rollback plan before any destructive key operation.",
-    "source_type": "original",
-    "official_docs": [
-      "https://help.ovhcloud.com/csm/en-kms?id=kb_article_view&sysparm_article=KB0063234",
-      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/okms_service_key"
-    ],
-    "security_notes": "OVHcloud KMS key destruction is irreversible; data encrypted with a destroyed key version is permanently unrecoverable. Hard-stop if target key, approver identity, or rollback plan is ambiguous.",
-    "last_verified": "2026-05-10",
-    "path": "skills/ovhcloud/ovhcloud-live-kms-key-destruction-guard",
-    "version": "0.1.0",
-    "author": "github: Raishin"
-  },
-  {
-    "id": "ovhcloud-maestro",
-    "name": "OVHcloud Maestro",
-    "type": "skill",
-    "provider": "ovhcloud",
-    "harnesses": [
-      "codex",
-      "copilot",
-      "claude-code",
-      "cursor",
-      "gemini",
-      "kiro"
-    ],
-    "summary": "Classify incoming OVHcloud tasks by domain and route to the narrowest qualified specialist agent for IAM, FinOps, Kubernetes, networking, or KMS operations.",
-    "source_type": "original",
-    "official_docs": [
-      "https://help.ovhcloud.com/csm/en-documentation?id=kb_home",
-      "https://api.ovh.com/console/",
-      "https://registry.terraform.io/providers/ovh/ovh/latest/docs"
-    ],
-    "security_notes": "Routing layer must stay read-only; never attempt live OVHcloud API mutations from the classification layer \u2014 hand off to approval-gated specialists.",
-    "last_verified": "2026-05-10",
-    "path": "skills/ovhcloud/ovhcloud-maestro",
-    "version": "0.1.0",
-    "author": "github: Raishin"
-  },
-  {
-    "id": "ovhcloud-network-architect",
-    "name": "OVHcloud Network Architect",
-    "type": "skill",
-    "provider": "ovhcloud",
-    "harnesses": [
-      "codex",
-      "copilot",
-      "claude-code",
-      "cursor",
-      "gemini",
-      "kiro"
-    ],
-    "summary": "Design and review OVHcloud vRack topology, network isolation, private connectivity, load balancer placement, DNS, and security groups with blast-radius scoping for topology changes.",
-    "source_type": "original",
-    "official_docs": [
-      "https://help.ovhcloud.com/csm/en-vrack?id=kb_article_view&sysparm_article=KB0044799",
-      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/vrack",
-      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/cloud_project_network_private"
-    ],
-    "security_notes": "vRack topology changes can expose bare-metal and Public Cloud resources to unintended lateral movement; always audit current vRack members and routing rules before recommending topology modifications.",
-    "last_verified": "2026-05-10",
-    "path": "skills/ovhcloud/ovhcloud-network-architect",
-    "version": "0.1.0",
-    "author": "github: Raishin"
-  },
-  {
-    "id": "prometheus-alerting-cardinality-review",
-    "name": "Prometheus Alerting and Cardinality Review",
-    "type": "skill",
-    "provider": "prometheus",
-    "harnesses": [
-      "codex",
-      "claude-code",
-      "cursor",
-      "gemini",
-      "kiro",
-      "other"
-    ],
-    "summary": "Review Prometheus and AlertManager configuration for cardinality explosion, recording rules, alert expression correctness, routing, scrape security, and retention.",
-    "source_type": "original",
-    "official_docs": [
-      "https://prometheus.io/docs/prometheus/latest/querying/basics/",
-      "https://prometheus.io/docs/practices/naming/",
-      "https://prometheus.io/docs/practices/alerting/",
-      "https://prometheus.io/docs/alerting/latest/alertmanager/",
-      "https://prometheus.io/docs/prometheus/latest/storage/",
-      "https://prometheus.io/docs/practices/remote_write/"
-    ],
-    "security_notes": "honor_labels: true on untrusted scrape targets allows the scraped workload to override job/instance labels, enabling metric spoofing. Scrape configs pointing to external HTTP endpoints are SSRF candidates.",
-    "last_verified": "2026-05-02",
-    "path": "skills/prometheus/prometheus-alerting-cardinality-review",
-    "version": "0.1.0",
-    "author": "github: Raishin"
-  },
-  {
-    "id": "rightsize-recommendation",
-    "name": "Rightsize Recommendation",
-    "type": "skill",
-    "provider": "kubernetes",
-    "harnesses": [
-      "codex",
-      "claude-code",
-      "cursor",
-      "gemini",
-      "kiro",
-      "other"
-    ],
-    "summary": "Emit pod CPU and memory request/limit recommendations from user-pasted p50/p95/p99 utilization metrics. Outputs recommended requests at p95 plus 20% headroom, limits at p99 plus 30%, estimated monthly savings, and Karpenter consolidation eligibility. Read-only, no kubectl.",
-    "source_type": "original",
-    "official_docs": [
-      "https://karpenter.sh/docs/",
-      "https://kubernetes.io/docs/tasks/run-application/vertical-pod-autoscaler/",
-      "https://www.opencost.io/docs/"
-    ],
-    "security_notes": "No cluster credentials, kubeconfig, bearer tokens, service account JWTs, or cloud IAM credentials are accepted or required. All calculations are performed on user-supplied metric inputs only. No live cluster or metric API connection is made.",
-    "last_verified": "2026-05-13",
-    "path": "skills/finops/rightsize-recommendation",
-    "author": "github: Raishin",
-    "version": "0.1.2",
-    "lifecycle": "experimental"
-  },
-  {
-    "id": "scaleway-cost-optimizer",
-    "name": "Scaleway Cost Optimizer",
+    "id": "ovhcloud-iam-policy-review",
+    "name": "OVHcloud IAM Policy Review",
     "type": "skill",
-    "provider": "scaleway",
+    "provider": "ovhcloud",
     "harnesses": [
       "codex",
+      "copilot",
       "claude-code",
       "cursor",
       "gemini",
-      "kiro",
-      "other"
+      "kiro"
     ],
-    "summary": "Review and optimize Scaleway cost posture: Instance rightsizing, reserved instance utilization, idle Object Storage and SBS volumes, Serverless function cost, RDB sizing, and Cockpit observability spend.",
+    "summary": "Review OVHcloud IAM policies for overly permissive allow rules, missing deny blocks, unscoped URNs, absent condition blocks (IP CIDR, resource tag, expiration), and identity-group hygiene.",
     "source_type": "original",
     "official_docs": [
-      "https://www.scaleway.com/en/pricing/",
-      "https://www.scaleway.com/en/docs/billing/",
-      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/instance_server",
-      "https://www.scaleway.com/en/docs/observability/cockpit/"
+      "https://help.ovhcloud.com/csm/en-account-iam-policies?id=kb_article_view&sysparm_article=KB0055594",
+      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/iam_policy",
+      "https://api.ovh.com/console/#/me/api/credential"
     ],
-    "security_notes": "Do not recommend cost cuts that remove Cockpit observability, RDB automated backups, snapshot retention, or multi-zone placement group coverage without explicit risk acceptance. Reserved instance commitments are non-refundable.",
+    "security_notes": "OVHcloud IAM conditions (IP CIDR, resource tags, expiration) can silently allow broad access if omitted; always audit allow/deny rule order and URN scope before approving policy changes.",
     "last_verified": "2026-05-10",
-    "path": "skills/scaleway/scaleway-cost-optimizer",
-    "author": "github: Raishin",
-    "version": "0.1.0"
+    "path": "skills/ovhcloud/ovhcloud-iam-policy-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
   },
   {
-    "id": "scaleway-iam-policy-review",
-    "name": "Scaleway IAM Policy Review",
+    "id": "ovhcloud-kubernetes-platform-operator",
+    "name": "OVHcloud Kubernetes Platform Operator",
     "type": "skill",
-    "provider": "scaleway",
+    "provider": "ovhcloud",
     "harnesses": [
       "codex",
+      "copilot",
       "claude-code",
       "cursor",
       "gemini",
-      "kiro",
-      "other"
+      "kiro"
     ],
-    "summary": "Review Scaleway IAM bindings, API key scopes and expiry, service account permissions, and organization vs project-level access control posture for least-privilege compliance.",
+    "summary": "Review and advise on OVHcloud Managed Kubernetes lifecycle, node pool operations, upgrade planning, workload placement, RBAC, and cluster security posture.",
     "source_type": "original",
     "official_docs": [
-      "https://www.scaleway.com/en/docs/iam/",
-      "https://www.scaleway.com/en/docs/iam/concepts/",
-      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_policy",
-      "https://www.scaleway.com/en/developers/api/iam/"
+      "https://help.ovhcloud.com/csm/en-public-cloud-kubernetes?id=kb_article_view&sysparm_article=KB0049613",
+      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/cloud_project_kube",
+      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/cloud_project_kube_nodepool"
     ],
-    "security_notes": "Scaleway API keys with organization-level scope grant access to all projects; always prefer project-scoped keys with expiry. IAM key sprawl \u2014 long-lived keys with broad scopes \u2014 is the top Scaleway access control risk.",
+    "security_notes": "MCK node pool upgrades are disruptive if PodDisruptionBudgets are absent; never recommend force-deleting nodes without draining and confirming workload rescheduling.",
     "last_verified": "2026-05-10",
-    "path": "skills/scaleway/scaleway-iam-policy-review",
-    "author": "github: Raishin",
-    "version": "0.1.0"
+    "path": "skills/ovhcloud/ovhcloud-kubernetes-platform-operator",
+    "version": "0.1.0",
+    "author": "github: Raishin"
   },
   {
-    "id": "scaleway-kapsule-platform-operator",
-    "name": "Scaleway Kapsule Platform Operator",
+    "id": "ovhcloud-live-kms-key-destruction-guard",
+    "name": "OVHcloud Live KMS Key Destruction Guard",
     "type": "skill",
-    "provider": "scaleway",
+    "provider": "ovhcloud",
     "harnesses": [
       "codex",
+      "copilot",
       "claude-code",
       "cursor",
       "gemini",
-      "kiro",
-      "other"
+      "kiro"
     ],
-    "summary": "Review Scaleway Kapsule managed Kubernetes cluster readiness: node pool strategy, CNI selection (Cilium, Calico, Kilo), placement group policies, version upgrades, PDB coverage, and workload scheduling posture.",
+    "summary": "Gate and audit OVHcloud KMS key version destruction by enforcing five mandatory checks: key ID confirmation, named approver, usage audit, waiting period, and rollback plan before any destructive key operation.",
     "source_type": "original",
     "official_docs": [
-      "https://www.scaleway.com/en/docs/kubernetes/",
-      "https://www.scaleway.com/en/developers/api/kubernetes/",
-      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/k8s_cluster",
-      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/k8s_pool"
+      "https://help.ovhcloud.com/csm/en-kms?id=kb_article_view&sysparm_article=KB0063234",
+      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/okms_service_key"
     ],
-    "security_notes": "Kapsule control-plane upgrades are irreversible \u2014 no downgrade path exists. CNI choice is immutable after cluster creation. Placement group enforced policy may block instance scheduling under capacity pressure.",
+    "security_notes": "OVHcloud KMS key destruction is irreversible; data encrypted with a destroyed key version is permanently unrecoverable. Hard-stop if target key, approver identity, or rollback plan is ambiguous.",
     "last_verified": "2026-05-10",
-    "path": "skills/scaleway/scaleway-kapsule-platform-operator",
-    "author": "github: Raishin",
-    "version": "0.1.0"
+    "path": "skills/ovhcloud/ovhcloud-live-kms-key-destruction-guard",
+    "version": "0.1.0",
+    "author": "github: Raishin"
   },
   {
-    "id": "scaleway-live-kapsule-rollout-guard",
-    "name": "Scaleway Live Kapsule Rollout Guard",
+    "id": "ovhcloud-maestro",
+    "name": "OVHcloud Maestro",
     "type": "skill",
-    "provider": "scaleway",
+    "provider": "ovhcloud",
     "harnesses": [
       "codex",
+      "copilot",
       "claude-code",
       "cursor",
       "gemini",
-      "kiro",
-      "other"
+      "kiro"
     ],
-    "summary": "Gate Scaleway Kapsule live mutations (version upgrades, node pool changes, cluster config) with mandatory PDB audit, cluster health evidence, approval token, and rollback plan. Hard-stops when any pre-flight condition is missing.",
+    "summary": "Classify incoming OVHcloud tasks by domain and route to the narrowest qualified specialist agent for IAM, FinOps, Kubernetes, networking, or KMS operations.",
     "source_type": "original",
     "official_docs": [
-      "https://www.scaleway.com/en/docs/kubernetes/",
-      "https://www.scaleway.com/en/developers/api/kubernetes/",
-      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/k8s_cluster",
-      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/k8s_pool",
-      "https://kubernetes.io/docs/concepts/workloads/pods/disruptions/"
+      "https://help.ovhcloud.com/csm/en-documentation?id=kb_home",
+      "https://api.ovh.com/console/",
+      "https://registry.terraform.io/providers/ovh/ovh/latest/docs"
     ],
-    "security_notes": "Kapsule control-plane version upgrades are irreversible \u2014 no downgrade path exists. CNI type is immutable after cluster creation. Node pool deletion evicts all workloads immediately. Hard-stop mandatory when target, approval, or rollback plan is absent or ambiguous.",
+    "security_notes": "Routing layer must stay read-only; never attempt live OVHcloud API mutations from the classification layer — hand off to approval-gated specialists.",
     "last_verified": "2026-05-10",
-    "path": "skills/scaleway/scaleway-live-kapsule-rollout-guard",
-    "author": "github: Raishin",
-    "version": "0.1.0"
+    "path": "skills/ovhcloud/ovhcloud-maestro",
+    "version": "0.1.0",
+    "author": "github: Raishin"
   },
   {
-    "id": "scaleway-maestro",
-    "name": "Scaleway Maestro",
+    "id": "ovhcloud-network-architect",
+    "name": "OVHcloud Network Architect",
     "type": "skill",
-    "provider": "scaleway",
+    "provider": "ovhcloud",
     "harnesses": [
       "codex",
+      "copilot",
       "claude-code",
       "cursor",
       "gemini",
-      "kiro",
-      "other"
+      "kiro"
     ],
-    "summary": "Classify and route Scaleway tasks to the narrowest qualified specialist agent for IAM, cost, Kapsule, networking, or live-guard domains.",
+    "summary": "Design and review OVHcloud vRack topology, network isolation, private connectivity, load balancer placement, DNS, and security groups with blast-radius scoping for topology changes.",
     "source_type": "original",
     "official_docs": [
-      "https://www.scaleway.com/en/docs/",
-      "https://www.scaleway.com/en/developers/api/",
-      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs"
+      "https://help.ovhcloud.com/csm/en-vrack?id=kb_article_view&sysparm_article=KB0044799",
+      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/vrack",
+      "https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/cloud_project_network_private"
     ],
-    "security_notes": "Never route to the live-guard agent without explicit user intent for a live mutation. Classification must stay read-only; do not infer project or zone identity from context alone.",
+    "security_notes": "vRack topology changes can expose bare-metal and Public Cloud resources to unintended lateral movement; always audit current vRack members and routing rules before recommending topology modifications.",
     "last_verified": "2026-05-10",
-    "path": "skills/scaleway/scaleway-maestro",
-    "author": "github: Raishin",
-    "version": "0.1.0"
+    "path": "skills/ovhcloud/ovhcloud-network-architect",
+    "version": "0.1.0",
+    "author": "github: Raishin"
   },
   {
-    "id": "scaleway-network-architect",
-    "name": "Scaleway Network Architect",
+    "id": "playwright-e2e-execution-run",
+    "name": "Playwright E2E Execution Run",
     "type": "skill",
-    "provider": "scaleway",
+    "provider": "generic",
     "harnesses": [
-      "codex",
       "claude-code",
-      "cursor",
-      "gemini",
-      "kiro",
-      "other"
+      "cursor"
     ],
-    "summary": "Review and design Scaleway VPC topology, Private Network attachment, security group rules, Load Balancer configuration, placement group HA policy, and multi-zone resilience patterns.",
+    "summary": "Execute an existing Playwright E2E suite against an operator-confirmed non-production target and emit a structured run attestation — pass/fail/flaky counts, slowest tests, and trace artifact locations. Live-execution counterpart to playwright-e2e-suite-review.",
     "source_type": "original",
     "official_docs": [
-      "https://www.scaleway.com/en/docs/network/vpc/",
-      "https://www.scaleway.com/en/docs/compute/instances/how-to/use-placement-groups/",
-      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/vpc",
-      "https://www.scaleway.com/en/docs/network/load-balancer/"
+      "https://playwright.dev/docs/test-cli",
+      "https://playwright.dev/docs/running-tests",
+      "https://playwright.dev/docs/test-reporters",
+      "https://playwright.dev/docs/trace-viewer",
+      "https://playwright.dev/docs/ci"
     ],
-    "security_notes": "Placement group enforced policy may block instance scheduling under zone capacity pressure \u2014 prefer max_availability for production HA. Security groups are zone-scoped; cross-zone traffic must be reviewed for unintended public exposure via flexible IPs.",
-    "last_verified": "2026-05-10",
-    "path": "skills/scaleway/scaleway-network-architect",
+    "security_notes": "Live-execution skill, read-only-runtime tier. Default mode is static and runs nothing; runtime execution is a per-session opt-in requiring explicit operator confirmation of a non-production target. The Bash allowlist locks invocations to `npx playwright test`, `npx playwright install`, and `npx playwright show-report` — no deploy, migration, seed, or registry commands. Refuses production targets. Never accepts or echoes credentials, tokens, or storageState; test credentials come from the operator-controlled environment. Egress limited to the operator-confirmed target host and the Playwright browser CDN; blocked CDN egress degrades to manual-review rather than a false fail.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/playwright-e2e-execution-run",
+    "category": "delivery",
+    "lifecycle": "experimental",
+    "execution_tier": "read-only-runtime",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "sigstore-cosign-supply-chain-review",
-    "name": "Sigstore Cosign Supply Chain Review",
+    "id": "playwright-e2e-suite-review",
+    "name": "Playwright E2E Suite Review",
     "type": "skill",
-    "provider": "sigstore",
+    "provider": "generic",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9030,27 +9461,28 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Sigstore Cosign image signing, Kyverno imageVerify policy, SBOM attestations, SLSA provenance, Rekor transparency log posture, and keyless vs key-based signing configuration for Kubernetes workload supply chain security.",
+    "summary": "Review a Playwright end-to-end test suite for flakiness, selector brittleness, test isolation defects, retry masking, and CI reliability — statically, without executing the suite.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.sigstore.dev/cosign/overview/",
-      "https://docs.sigstore.dev/policy-controller/overview/",
-      "https://slsa.dev/spec/v1.0/requirements",
-      "https://kyverno.io/docs/writing-policies/verify-images/",
-      "https://docs.github.com/en/actions/security-guides/using-artifact-attestations",
-      "https://rekor.sigstore.dev/"
+      "https://playwright.dev/docs/best-practices",
+      "https://playwright.dev/docs/locators",
+      "https://playwright.dev/docs/test-assertions",
+      "https://playwright.dev/docs/test-retries",
+      "https://playwright.dev/docs/test-parallel",
+      "https://playwright.dev/docs/test-sharding",
+      "https://playwright.dev/docs/trace-viewer"
     ],
-    "security_notes": "Kyverno imageVerify policy without subject/issuer constraints accepts any Sigstore-signed image regardless of signer identity. Long-lived Cosign keys in CI secrets allow retroactive signing of malicious images if the secret is compromised.",
-    "last_verified": "2026-05-02",
-    "path": "skills/sigstore/sigstore-cosign-supply-chain-review",
-    "version": "0.1.0",
-    "author": "github: Raishin"
+    "security_notes": "Static review only — reads test specs and config, never executes the suite, launches browsers, or contacts a target application. Never request or accept live application URLs with embedded credentials, auth tokens, real storageState files, or .env secrets; ask for sanitized snippets.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/playwright-e2e-suite-review",
+    "author": "github: Raishin",
+    "version": "0.1.0"
   },
   {
-    "id": "terraform-maestro",
-    "name": "Terraform Maestro",
+    "id": "plc-control-logic-safety-review",
+    "name": "PLC Control Logic Safety Review",
     "type": "skill",
-    "provider": "terraform",
+    "provider": "generic",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9059,28 +9491,26 @@
       "kiro",
       "other"
     ],
-    "summary": "Route Terraform and IaC tasks to the right specialist from the cross-cloud IaC catalog. Classifies by domain (review, aws-iac, azure-iac, oci-iac, live-guard), dispatches single or parallel (max 4), and enforces live-guard gate for live apply, destroy, or stack mutations.",
-    "source_type": "adapted",
+    "summary": "Statically review exported IEC 61131-3 PLC program logic (LD, ST, FBD, SFC) for safety and reliability defects — E-stop implementation, output fail-safe paths, latch integrity, memory-write races, forced I/O, interlock bypass governance, timer determinism, and watchdog coverage — without connecting to a live controller.",
+    "source_type": "original",
     "official_docs": [
-      "https://developer.hashicorp.com/terraform/docs",
-      "https://developer.hashicorp.com/terraform/language",
-      "https://developer.hashicorp.com/terraform/cli/commands/plan",
-      "https://developer.hashicorp.com/terraform/cli/commands/apply",
-      "https://registry.terraform.io/providers/hashicorp/aws/latest/docs",
-      "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs",
-      "https://registry.terraform.io/providers/oracle/oci/latest/docs"
+      "https://plcopen.org/iec-61131-3",
+      "https://webstore.iec.ch/publication/4552",
+      "https://webstore.iec.ch/publication/22273",
+      "https://webstore.iec.ch/publication/26037",
+      "https://content.helpme-codesys.com/en/CODESYS%20Development%20System/_cds_structure_application_objects.html"
     ],
-    "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live apply, destroy, or stack mutation agents without explicit human confirmation, blast-radius assessment, and rollback path. Terraform destroy is irreversible without state backup.",
-    "last_verified": "2026-04-30",
-    "path": "skills/terraform/terraform-maestro",
+    "security_notes": "Static review only — reads exported program logic, never connects to a live PLC, never writes to a controller, and never advises modifying running logic or bypassing a safety function. Never request or accept live controller IP addresses, plant network credentials, historian credentials, or any identifier that maps to a production asset. Ask for sanitized, anonymized exports only.",
+    "last_verified": "2026-05-17",
+    "path": "skills/qa/plc-control-logic-safety-review",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "velero-backup-restore-guard",
-    "name": "Velero Backup/Restore Guard",
+    "id": "programmatic-supply-chain-integrity-review",
+    "name": "Programmatic Supply Chain Integrity Review",
     "type": "skill",
-    "provider": "velero",
+    "provider": "marketing",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9089,26 +9519,27 @@
       "kiro",
       "other"
     ],
-    "summary": "Live-guard skill for Velero backup schedules, restore operations, BackupStorageLocation changes, and volume snapshots \u2014 requiring explicit platform-team sign-off before any mutation.",
+    "summary": "Review ads.txt, app-ads.txt, and sellers.json files for a publisher or advertiser's programmatic supply chain to detect unauthorized resellers, domain-spoofing exposure, and SupplyChain Object gaps.",
     "source_type": "original",
     "official_docs": [
-      "https://velero.io/docs/latest/",
-      "https://velero.io/docs/latest/restore-reference/",
-      "https://velero.io/docs/latest/backup-reference/",
-      "https://velero.io/docs/latest/locations/",
-      "https://velero.io/docs/latest/hooks/"
+      "https://iabtechlab.com/ads-txt/",
+      "https://iabtechlab.com/sellers-json/",
+      "https://iabtechlab.com/supplychain-object/",
+      "https://mediaratingcouncil.org/sites/default/files/Standards/MRC%20Invalid%20Traffic%20Detection%20and%20Filtration%20Guidelines%20Addendum.pdf",
+      "https://iabtechlab.com/app-ads-txt/"
     ],
-    "security_notes": "Velero restore with existingResourcePolicy:update can overwrite live RBAC resources, Secrets, and ServiceAccounts \u2014 equivalent to a partial cluster wipe. BSL credentials with write-only access prevent listing/deleting old backups, causing runaway storage costs. Never proceed with cluster-wide restores without explicit platform-team sign-off.",
-    "last_verified": "2026-05-02",
-    "path": "skills/velero/velero-backup-restore-guard",
+    "security_notes": "Supply chain integrity reviews work from the raw text of ads.txt, app-ads.txt, and sellers.json files pasted as input. Never request DSP credentials, exchange account tokens, or bid-stream logs. ads.txt and sellers.json are publicly resolvable files; the artifact is the publisher's or exchange's own exported text, not a live crawl of production endpoints.",
+    "last_verified": "2026-05-17",
+    "path": "skills/marketing/programmatic-supply-chain-integrity-review",
+    "author": "github: Raishin",
     "version": "0.1.0",
-    "author": "github: Raishin"
+    "lifecycle": "experimental"
   },
   {
-    "id": "marketing-consent-data-collection-review",
-    "name": "Marketing Consent and Data-Collection Review",
+    "id": "prometheus-alerting-cardinality-review",
+    "name": "Prometheus Alerting and Cardinality Review",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "prometheus",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9117,26 +9548,27 @@
       "kiro",
       "other"
     ],
-    "summary": "Review marketing consent and data-collection posture \u2014 CMP banner config, tag-manager containers, Consent Mode wiring, and cookie policy \u2014 for GDPR/ePrivacy/CCPA correctness, dark patterns, and undisclosed trackers.",
+    "summary": "Review Prometheus and AlertManager configuration for cardinality explosion, recording rules, alert expression correctness, routing, scrape security, and retention.",
     "source_type": "original",
     "official_docs": [
-      "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
-      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058",
-      "https://oag.ca.gov/privacy/ccpa",
-      "https://developers.google.com/tag-platform/security/guides/consent",
-      "https://iabeurope.eu/transparency-consent-framework/"
+      "https://prometheus.io/docs/prometheus/latest/querying/basics/",
+      "https://prometheus.io/docs/practices/naming/",
+      "https://prometheus.io/docs/practices/alerting/",
+      "https://prometheus.io/docs/alerting/latest/alertmanager/",
+      "https://prometheus.io/docs/prometheus/latest/storage/",
+      "https://prometheus.io/docs/practices/remote_write/"
     ],
-    "security_notes": "Marketing tags that fire before a consent signal collect personal data with no lawful basis and expose the controller to GDPR/ePrivacy enforcement and CCPA class actions. Consent banners with non-symmetric choice or pre-ticked boxes invalidate consent. Review works from sanitized configuration only; never request real visitor data, consent-string archives, or analytics account credentials.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/marketing-consent-data-collection-review",
-    "author": "github: Raishin",
-    "version": "0.1.0"
+    "security_notes": "honor_labels: true on untrusted scrape targets allows the scraped workload to override job/instance labels, enabling metric spoofing. Scrape configs pointing to external HTTP endpoints are SSRF candidates.",
+    "last_verified": "2026-05-02",
+    "path": "skills/prometheus/prometheus-alerting-cardinality-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
   },
   {
-    "id": "marketing-pixel-data-leakage-review",
-    "name": "Marketing Pixel Data-Leakage Review",
+    "id": "rightsize-recommendation",
+    "name": "Rightsize Recommendation",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "kubernetes",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9145,26 +9577,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review advertising pixels and conversion event tracking for personal-data leakage to ad networks \u2014 PII in payloads, form-field auto-capture, pixels on sensitive pages, and unhashed identifier transmission.",
+    "summary": "Emit pod CPU and memory request/limit recommendations from user-pasted p50/p95/p99 utilization metrics. Outputs recommended requests at p95 plus 20% headroom, limits at p99 plus 30%, estimated monthly savings, and Karpenter consolidation eligibility. Read-only, no kubectl.",
     "source_type": "original",
     "official_docs": [
-      "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html",
-      "https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule",
-      "https://developers.facebook.com/docs/meta-pixel/",
-      "https://support.google.com/google-ads/answer/9888656",
-      "https://owasp.org/www-project-top-ten/"
+      "https://karpenter.sh/docs/",
+      "https://kubernetes.io/docs/tasks/run-application/vertical-pod-autoscaler/",
+      "https://www.opencost.io/docs/"
     ],
-    "security_notes": "Advertising pixels that capture email, phone, health, or financial data transmit personal data to third-party ad networks with no contract, no consent scope, and no breach visibility \u2014 a pattern behind major HIPAA settlements, FTC Health Breach Notification Rule actions, and wiretap class actions. Review works from sanitized payloads and container exports only; never request real visitor data or ad-platform credentials.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/marketing-pixel-data-leakage-review",
+    "security_notes": "No cluster credentials, kubeconfig, bearer tokens, service account JWTs, or cloud IAM credentials are accepted or required. All calculations are performed on user-supplied metric inputs only. No live cluster or metric API connection is made.",
+    "last_verified": "2026-05-13",
+    "path": "skills/finops/rightsize-recommendation",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2",
+    "lifecycle": "experimental"
   },
   {
-    "id": "martech-access-governance-review",
-    "name": "Martech Access Governance Review",
+    "id": "rpa-workflow-resilience-review",
+    "name": "RPA Workflow Resilience Review",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "generic",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9173,26 +9604,27 @@
       "kiro",
       "other"
     ],
-    "summary": "Review access governance across a marketing technology stack \u2014 OAuth connected apps, API keys, CRM and marketing-automation roles, and integration scopes \u2014 for least-privilege violations, shared and stale credentials, and missing ownership.",
+    "summary": "Review exported RPA workflow definitions (UiPath XAML, Automation Anywhere, Power Automate Desktop, Blue Prism) for resilience and security defects — hardcoded credentials, brittle selectors, missing exception handling, non-idempotent logic, fixed delays, and invisible failures — statically, without connecting to a live orchestrator.",
     "source_type": "original",
     "official_docs": [
-      "https://datatracker.ietf.org/doc/html/rfc6749",
-      "https://oauth.net/2/scope/",
-      "https://csrc.nist.gov/glossary/term/least_privilege",
-      "https://owasp.org/www-project-top-ten/",
-      "https://csrc.nist.gov/pubs/sp/800/207/final"
+      "https://docs.uipath.com/studio/standalone/latest/user-guide/about-workflow-analyzer",
+      "https://docs.uipath.com/studio/standalone/latest/user-guide/about-debugging",
+      "https://docs.uipath.com/orchestrator/standalone/latest/user-guide/about-assets",
+      "https://docs.automationanywhere.com/",
+      "https://learn.microsoft.com/en-us/power-automate/guidance/coding-guidelines/overview",
+      "https://learn.microsoft.com/en-us/power-automate/guidance/coding-guidelines/error-handling"
     ],
-    "security_notes": "A marketing technology stack holds the full customer database and accumulates OAuth grants, API keys, and seats faster than it deprovisions them. Over-broad connector scopes, shared non-rotating credentials, and stale grants from departed staff or ended vendors are a heavily exploited SaaS breach path. Review works from sanitized inventories only; never request, collect, or echo credential values, tokens, or secrets.",
+    "security_notes": "Static review only — reads exported workflow definitions, never connects to a live orchestrator, never executes a bot, and never requests runner credentials, orchestrator URLs, or production queue data. Never accept workflow exports containing live PII, real customer data, or production connection strings; ask for sanitized snippets.",
     "last_verified": "2026-05-17",
-    "path": "skills/marketing/martech-access-governance-review",
+    "path": "skills/qa/rpa-workflow-resilience-review",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "marketing-maestro",
-    "name": "Marketing Maestro",
+    "id": "scaleway-cost-optimizer",
+    "name": "Scaleway Cost Optimizer",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "scaleway",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9201,24 +9633,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Route marketing-governance review tasks to the narrowest specialist across all 13 domains: consent and data-collection, advertising-pixel data-leakage, martech access-governance, GPC signal-honoring, email sender authentication, programmatic supply-chain integrity, AI ad-targeting fairness, EU AI Act marketing-system classification, lookalike audience upload compliance, email list retention, influencer disclosure, conversion-flow dark patterns, and analytics data minimization. Dispatches single or parallel teams (max 4); requires human gate for any mutation intent.",
+    "summary": "Review and optimize Scaleway cost posture: Instance rightsizing, reserved instance utilization, idle Object Storage and SBS volumes, Serverless function cost, RDB sizing, and Cockpit observability spend.",
     "source_type": "original",
     "official_docs": [
-      "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
-      "https://oag.ca.gov/privacy/ccpa"
+      "https://www.scaleway.com/en/pricing/",
+      "https://www.scaleway.com/en/docs/billing/",
+      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/instance_server",
+      "https://www.scaleway.com/en/docs/observability/cockpit/"
     ],
-    "security_notes": "Read-only routing skill. Never accepts real visitor data, consent-string archives, ad-platform credentials, API keys, OAuth tokens, or tenant-specific data. No live-guard agents exist in v1; any mutation request is refused and escalated to a human operator.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/marketing-maestro",
+    "security_notes": "Do not recommend cost cuts that remove Cockpit observability, RDB automated backups, snapshot retention, or multi-zone placement group coverage without explicit risk acceptance. Reserved instance commitments are non-refundable.",
+    "last_verified": "2026-05-10",
+    "path": "skills/scaleway/scaleway-cost-optimizer",
     "author": "github: Raishin",
-    "version": "0.1.0",
-    "lifecycle": "experimental"
+    "version": "0.1.0"
   },
   {
-    "id": "ai-advertising-targeting-fairness-review",
-    "name": "AI Advertising Targeting Fairness Review",
+    "id": "scaleway-iam-policy-review",
+    "name": "Scaleway IAM Policy Review",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "scaleway",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9227,26 +9660,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review ad-platform audience targeting configurations and AI feature usage for protected-class discrimination risk under Fair Housing Act, ECOA, and EU AI Act Article 5 \u2014 proxy segments, algorithmic disparate impact, and missing Special Ad Category declarations.",
+    "summary": "Review Scaleway IAM bindings, API key scopes and expiry, service account permissions, and organization vs project-level access control posture for least-privilege compliance.",
     "source_type": "original",
     "official_docs": [
-      "https://www.ftc.gov/business-guidance/blog/2023/02/ftcs-ai-related-enforcement-actions",
-      "https://www.hud.gov/program_offices/fair_housing_equal_opp/fair_housing_act_overview",
-      "https://www.consumerfinance.gov/about-us/blog/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence/",
-      "https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai",
-      "https://www.federalregister.gov/documents/2023/07/13/2023-14625/civil-rights-principles-for-the-use-of-artificial-intelligence"
+      "https://www.scaleway.com/en/docs/iam/",
+      "https://www.scaleway.com/en/docs/iam/concepts/",
+      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_policy",
+      "https://www.scaleway.com/en/developers/api/iam/"
     ],
-    "security_notes": "Ad-platform AI features that optimize on historical converter populations can propagate protected-class disparate impact without explicit discriminatory intent. Review works from sanitized audience spec exports and declared AI feature annotations only; never request live campaign credentials, ad-account access tokens, or real user audience data.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/ai-advertising-targeting-fairness-review",
+    "security_notes": "Scaleway API keys with organization-level scope grant access to all projects; always prefer project-scoped keys with expiry. IAM key sprawl — long-lived keys with broad scopes — is the top Scaleway access control risk.",
+    "last_verified": "2026-05-10",
+    "path": "skills/scaleway/scaleway-iam-policy-review",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "analytics-data-minimization-review",
-    "name": "Analytics Data-Minimization Review",
+    "id": "scaleway-kapsule-platform-operator",
+    "name": "Scaleway Kapsule Platform Operator",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "scaleway",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9255,27 +9687,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review analytics platform configuration \u2014 GA4 property settings, BigQuery export schema, custom event-parameter definitions, and user-property declarations \u2014 for data-minimization violations, excessive collection, and storage-period over-retention under GDPR Article 5(1)(c) and 5(1)(e) and EU DPA enforcement on GA4.",
+    "summary": "Review Scaleway Kapsule managed Kubernetes cluster readiness: node pool strategy, CNI selection (Cilium, Calico, Kilo), placement group policies, version upgrades, PDB coverage, and workload scheduling posture.",
     "source_type": "original",
     "official_docs": [
-      "https://gdpr-info.eu/art-5-gdpr/",
-      "https://www.cnil.fr/en/use-google-analytics-and-data-transfers-united-states-cnil-orders-website-manageroperator-comply/",
-      "https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr",
-      "https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9782874",
-      "https://support.google.com/analytics/answer/9019185"
+      "https://www.scaleway.com/en/docs/kubernetes/",
+      "https://www.scaleway.com/en/developers/api/kubernetes/",
+      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/k8s_cluster",
+      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/k8s_pool"
     ],
-    "security_notes": "Read-only static review of sanitized analytics configuration exports and schema definitions only. Never request live analytics data, raw event exports containing real user identifiers, GA4 admin credentials, or BigQuery service-account keys. Findings may indicate cross-border data transfer violations requiring DPA notification \u2014 route remediation and legal assessment to qualified privacy counsel before acting on findings.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/analytics-data-minimization-review",
+    "security_notes": "Kapsule control-plane upgrades are irreversible — no downgrade path exists. CNI choice is immutable after cluster creation. Placement group enforced policy may block instance scheduling under capacity pressure.",
+    "last_verified": "2026-05-10",
+    "path": "skills/scaleway/scaleway-kapsule-platform-operator",
     "author": "github: Raishin",
-    "version": "0.1.0",
-    "lifecycle": "experimental"
+    "version": "0.1.0"
   },
   {
-    "id": "email-sender-authentication-review",
-    "name": "Email Sender Authentication Review",
+    "id": "scaleway-live-kapsule-rollout-guard",
+    "name": "Scaleway Live Kapsule Rollout Guard",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "scaleway",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9284,27 +9714,26 @@
       "kiro",
       "other"
     ],
-    "summary": "Review DNS sender-authentication records (SPF, DKIM, DMARC, BIMI) for a marketing domain to identify policy gaps exposing campaigns to rejection, spoofing, or inbox displacement.",
+    "summary": "Gate Scaleway Kapsule live mutations (version upgrades, node pool changes, cluster config) with mandatory PDB audit, cluster health evidence, approval token, and rollback plan. Hard-stops when any pre-flight condition is missing.",
     "source_type": "original",
     "official_docs": [
-      "https://datatracker.ietf.org/doc/html/rfc7489",
-      "https://support.google.com/mail/answer/81126",
-      "https://www.pcisecuritystandards.org/document_library/",
-      "https://www.cisa.gov/sites/default/files/publications/bod-18-01.pdf",
-      "https://datatracker.ietf.org/doc/html/rfc7208"
+      "https://www.scaleway.com/en/docs/kubernetes/",
+      "https://www.scaleway.com/en/developers/api/kubernetes/",
+      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/k8s_cluster",
+      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/k8s_pool",
+      "https://kubernetes.io/docs/concepts/workloads/pods/disruptions/"
     ],
-    "security_notes": "Email authentication reviews work from sanitized DNS TXT record exports only. Never request live DMARC aggregate report XML, ESP account credentials, or sending-platform API keys. SPF, DKIM, and DMARC records are publicly resolvable; the artifact is the domain's own export, not live lookups against production DNS.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/email-sender-authentication-review",
+    "security_notes": "Kapsule control-plane version upgrades are irreversible — no downgrade path exists. CNI type is immutable after cluster creation. Node pool deletion evicts all workloads immediately. Hard-stop mandatory when target, approval, or rollback plan is absent or ambiguous.",
+    "last_verified": "2026-05-10",
+    "path": "skills/scaleway/scaleway-live-kapsule-rollout-guard",
     "author": "github: Raishin",
-    "version": "0.1.0",
-    "lifecycle": "experimental"
+    "version": "0.1.0"
   },
   {
-    "id": "eu-ai-act-marketing-system-review",
-    "name": "EU AI Act Marketing System Review",
+    "id": "scaleway-maestro",
+    "name": "Scaleway Maestro",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "scaleway",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9313,26 +9742,24 @@
       "kiro",
       "other"
     ],
-    "summary": "Review a marketing AI system description card against EU AI Act Regulation 2024/1689 risk-tier criteria \u2014 classify the system, flag documentation obligations (Articles 11, 13, 14, 43), and identify deployment-readiness gaps before the August 2, 2026 full-enforcement date.",
+    "summary": "Classify and route Scaleway tasks to the narrowest qualified specialist agent for IAM, cost, Kapsule, networking, or live-guard domains.",
     "source_type": "original",
     "official_docs": [
-      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689",
-      "https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai",
-      "https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence",
-      "https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-022023-technical-scope-art-22-gdpr_en",
-      "https://artificialintelligenceact.eu/the-act/"
+      "https://www.scaleway.com/en/docs/",
+      "https://www.scaleway.com/en/developers/api/",
+      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs"
     ],
-    "security_notes": "EU AI Act classification determines conformity assessment, CE marking, and EU AI database registration obligations \u2014 misclassification is itself a compliance gap. Review works from sanitized AI system description cards only; never request model weights, training datasets, internal performance logs, or vendor system-access credentials. Legal determination of Article 5 prohibited practices is routed to qualified counsel.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/eu-ai-act-marketing-system-review",
+    "security_notes": "Never route to the live-guard agent without explicit user intent for a live mutation. Classification must stay read-only; do not infer project or zone identity from context alone.",
+    "last_verified": "2026-05-10",
+    "path": "skills/scaleway/scaleway-maestro",
     "author": "github: Raishin",
     "version": "0.1.0"
   },
   {
-    "id": "influencer-disclosure-compliance-review",
-    "name": "Influencer Disclosure Compliance Review",
+    "id": "scaleway-network-architect",
+    "name": "Scaleway Network Architect",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "scaleway",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9341,27 +9768,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review influencer campaign audit packs \u2014 brief, contract, post descriptions, and disclosure placement specs \u2014 for FTC Endorsement Guide violations: undisclosed material connections, inadequate disclosure placement, and brand liability exposure.",
+    "summary": "Review and design Scaleway VPC topology, Private Network attachment, security group rules, Load Balancer configuration, placement group HA policy, and multi-zone resilience patterns.",
     "source_type": "original",
     "official_docs": [
-      "https://www.ftc.gov/legal-library/browse/rules/endorsement-guides",
-      "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255",
-      "https://www.ftc.gov/system/files/ftc_gov/pdf/ftc-endorsement-guides-final-rule.pdf",
-      "https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act",
-      "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking"
+      "https://www.scaleway.com/en/docs/network/vpc/",
+      "https://www.scaleway.com/en/docs/compute/instances/how-to/use-placement-groups/",
+      "https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/vpc",
+      "https://www.scaleway.com/en/docs/network/load-balancer/"
     ],
-    "security_notes": "Review works from a structured influencer campaign audit pack only \u2014 brief, contract excerpt, post descriptions, and disclosure spec. Never accept raw personal data about creators, unpublished negotiations, or brand financial terms beyond what is needed to assess disclosure adequacy. This is a static compliance review; it does not generate campaign content or creator instructions.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/influencer-disclosure-compliance-review",
+    "security_notes": "Placement group enforced policy may block instance scheduling under zone capacity pressure — prefer max_availability for production HA. Security groups are zone-scoped; cross-zone traffic must be reviewed for unintended public exposure via flexible IPs.",
+    "last_verified": "2026-05-10",
+    "path": "skills/scaleway/scaleway-network-architect",
     "author": "github: Raishin",
-    "version": "0.1.0",
-    "lifecycle": "experimental"
+    "version": "0.1.0"
   },
   {
-    "id": "lookalike-audience-upload-compliance-review",
-    "name": "Lookalike Audience Upload Compliance Review",
+    "id": "sigstore-cosign-supply-chain-review",
+    "name": "Sigstore Cosign Supply Chain Review",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "sigstore",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9370,26 +9795,27 @@
       "kiro",
       "other"
     ],
-    "summary": "Review custom-audience and lookalike-audience upload specifications for hashing adequacy, PII field scope, consent-basis validity, and platform data-sharing restrictions before upload to Meta, Google, LinkedIn, or TikTok \u2014 catching underhashed identifiers, consent-scope mismatches, and re-identification surfaces.",
+    "summary": "Review Sigstore Cosign image signing, Kyverno imageVerify policy, SBOM attestations, SLSA provenance, Rekor transparency log posture, and keyless vs key-based signing configuration for Kubernetes workload supply chain security.",
     "source_type": "original",
     "official_docs": [
-      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679",
-      "https://oag.ca.gov/privacy/ccpa",
-      "https://www.ftc.gov/reports/data-brokers-call-transparency-accountability",
-      "https://developers.facebook.com/docs/marketing-api/audiences/guides/custom-audiences/",
-      "https://support.google.com/google-ads/answer/6334160"
+      "https://docs.sigstore.dev/cosign/overview/",
+      "https://docs.sigstore.dev/policy-controller/overview/",
+      "https://slsa.dev/spec/v1.0/requirements",
+      "https://kyverno.io/docs/writing-policies/verify-images/",
+      "https://docs.github.com/en/actions/security-guides/using-artifact-attestations",
+      "https://rekor.sigstore.dev/"
     ],
-    "security_notes": "Custom-audience uploads transmit hashed personal data to ad platforms under data-sharing arrangements that must have a lawful basis, appropriate consent scope, and adequate pseudonymization. Review works from sanitized field-mapping specifications, declared hashing methods, and consent-basis documentation only; never request actual audience files, real customer records, or platform API credentials.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/lookalike-audience-upload-compliance-review",
-    "author": "github: Raishin",
-    "version": "0.1.0"
+    "security_notes": "Kyverno imageVerify policy without subject/issuer constraints accepts any Sigstore-signed image regardless of signer identity. Long-lived Cosign keys in CI secrets allow retroactive signing of malicious images if the secret is compromised.",
+    "last_verified": "2026-05-02",
+    "path": "skills/sigstore/sigstore-cosign-supply-chain-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
   },
   {
-    "id": "marketing-conversion-flow-dark-pattern-review",
-    "name": "Marketing Conversion Flow Dark-Pattern Review",
+    "id": "terraform-maestro",
+    "name": "Terraform Maestro",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "terraform",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9398,27 +9824,28 @@
       "kiro",
       "other"
     ],
-    "summary": "Review marketing conversion flow specifications \u2014 subscription sign-up, upsell interstitial, free-trial enrollment, and cancellation path \u2014 for dark-pattern practices that invalidate consent or constitute unfair or deceptive acts under FTC Section 5, the FTC Negative Option Rule, CPRA, and EU AI Act Article 5(1)(b).",
-    "source_type": "original",
+    "summary": "Route Terraform and IaC tasks to the right specialist from the cross-cloud IaC catalog. Classifies by domain (review, aws-iac, azure-iac, oci-iac, live-guard), dispatches single or parallel (max 4), and enforces live-guard gate for live apply, destroy, or stack mutations.",
+    "source_type": "adapted",
     "official_docs": [
-      "https://www.ftc.gov/legal-library/browse/rules/negative-option-rule",
-      "https://www.ftc.gov/system/files/ftc_gov/pdf/P214800+Dark+Patterns+Report+9.14.2022+-+FINAL.pdf",
-      "https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140.",
-      "https://oag.ca.gov/privacy/ccpa",
-      "https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng"
+      "https://developer.hashicorp.com/terraform/docs",
+      "https://developer.hashicorp.com/terraform/language",
+      "https://developer.hashicorp.com/terraform/cli/commands/plan",
+      "https://developer.hashicorp.com/terraform/cli/commands/apply",
+      "https://registry.terraform.io/providers/hashicorp/aws/latest/docs",
+      "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs",
+      "https://registry.terraform.io/providers/oracle/oci/latest/docs"
     ],
-    "security_notes": "Read-only static review of sanitized UX flow specifications and annotated wireframes only. Never request real payment credentials, live user-session data, or production A/B-test results. Findings may indicate violations of FTC rules carrying civil penalties \u2014 route remediation and enforcement-risk assessment to qualified legal counsel before acting on findings.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/marketing-conversion-flow-dark-pattern-review",
+    "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live apply, destroy, or stack mutation agents without explicit human confirmation, blast-radius assessment, and rollback path. Terraform destroy is irreversible without state backup.",
+    "last_verified": "2026-04-30",
+    "path": "skills/terraform/terraform-maestro",
     "author": "github: Raishin",
-    "version": "0.1.0",
-    "lifecycle": "experimental"
+    "version": "0.1.0"
   },
   {
-    "id": "marketing-email-list-retention-review",
-    "name": "Marketing Email List Retention Review",
+    "id": "test-coverage-quality-review",
+    "name": "Test Coverage Quality Review",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "generic",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9427,27 +9854,26 @@
       "kiro",
       "other"
     ],
-    "summary": "Review marketing email list segment metadata, consent-record completeness, suppression-list coverage, and data-retention schedules for GDPR, CASL, and CCPA deletion-right compliance.",
+    "summary": "Review a test suite for assertion quality over coverage percentage — detecting coverage theater, assertion-free and tautological tests, mock over-specification, and untested branches, and recommending a meaningful coverage gate. Static review only.",
     "source_type": "original",
     "official_docs": [
-      "https://gdpr-info.eu/art-5-gdpr/",
-      "https://gdpr-info.eu/art-17-gdpr/",
-      "https://laws-lois.justice.gc.ca/eng/acts/C-28.65/page-1.html",
-      "https://oag.ca.gov/privacy/ccpa",
-      "https://www.canada.ca/en/radio-television-telecommunications/news/2014/07/compliance-and-enforcement-information-bulletin-crtc-2014-326.html"
+      "https://martinfowler.com/bliki/TestCoverage.html",
+      "https://martinfowler.com/articles/mocksArentStubs.html",
+      "https://istanbul.js.org/docs/tutorials/coverage/",
+      "https://jestjs.io/docs/configuration",
+      "https://docs.pytest.org/en/stable/how-to/assert.html"
     ],
-    "security_notes": "Review works from sanitized CRM/ESP exports only \u2014 placeholder values for email addresses, subscriber IDs, and timestamps. Never accept real subscriber PII, live CRM credentials, or ESP API keys. Findings of missing consent records or absent suppression-list sync may constitute an ongoing GDPR or CASL violation requiring legal escalation.",
+    "security_notes": "Static review only — reads test source and coverage reports, never executes tests or runs a coverage tool. Never request or accept credentials, fixtures containing real customer data, or production database snapshots; ask for sanitized test code.",
     "last_verified": "2026-05-17",
-    "path": "skills/marketing/marketing-email-list-retention-review",
+    "path": "skills/qa/test-coverage-quality-review",
     "author": "github: Raishin",
-    "version": "0.1.0",
-    "lifecycle": "experimental"
+    "version": "0.1.0"
   },
   {
-    "id": "marketing-gpc-signal-honoring-review",
-    "name": "Marketing GPC Signal Honoring Review",
+    "id": "test-flakiness-triage",
+    "name": "Test Flakiness Triage",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "generic",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9456,27 +9882,26 @@
       "kiro",
       "other"
     ],
-    "summary": "Review the technical signal path by which a Global Privacy Control opt-out travels through the CMP and tag stack to confirm ad tags, server-side conversion APIs, and CAPI forwarding actually cease firing on opt-out.",
+    "summary": "Triage flaky tests across any framework into root-cause categories, assign a quarantine or fix path per test, and assess quarantine policy and CI retry configuration — statically, without re-running tests.",
     "source_type": "original",
     "official_docs": [
-      "https://cppa.ca.gov/regulations/pdf/cppa_regs.pdf",
-      "https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.135.&lawCode=CIV",
-      "https://globalprivacycontrol.org/",
-      "https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB566",
-      "https://oag.ca.gov/privacy/ccpa"
+      "https://playwright.dev/docs/test-retries",
+      "https://docs.cypress.io/guides/guides/test-retries",
+      "https://jestjs.io/docs/cli",
+      "https://docs.pytest.org/en/stable/how-to/flaky.html",
+      "https://martinfowler.com/articles/nonDeterminism.html"
     ],
-    "security_notes": "GPC honoring reviews work from sanitized tag-manager container exports and CMP configuration exports only. Never request live CMP consent logs, visitor opt-out records, or ad-platform credentials. Findings of non-compliance may constitute evidence in an enforcement proceeding \u2014 route legal determinations to qualified privacy counsel, not to this skill.",
+    "security_notes": "Static review only — analyzes failure logs, rerun history, and test source; never executes or re-runs tests. Never request or accept CI credentials, dashboard API tokens, or production data embedded in failure logs; ask for sanitized excerpts.",
     "last_verified": "2026-05-17",
-    "path": "skills/marketing/marketing-gpc-signal-honoring-review",
+    "path": "skills/qa/test-flakiness-triage",
     "author": "github: Raishin",
-    "version": "0.1.0",
-    "lifecycle": "experimental"
+    "version": "0.1.0"
   },
   {
-    "id": "programmatic-supply-chain-integrity-review",
-    "name": "Programmatic Supply Chain Integrity Review",
+    "id": "velero-backup-restore-guard",
+    "name": "Velero Backup/Restore Guard",
     "type": "skill",
-    "provider": "marketing",
+    "provider": "velero",
     "harnesses": [
       "codex",
       "claude-code",
@@ -9485,20 +9910,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Review ads.txt, app-ads.txt, and sellers.json files for a publisher or advertiser's programmatic supply chain to detect unauthorized resellers, domain-spoofing exposure, and SupplyChain Object gaps.",
+    "summary": "Live-guard skill for Velero backup schedules, restore operations, BackupStorageLocation changes, and volume snapshots — requiring explicit platform-team sign-off before any mutation.",
     "source_type": "original",
     "official_docs": [
-      "https://iabtechlab.com/ads-txt/",
-      "https://iabtechlab.com/sellers-json/",
-      "https://iabtechlab.com/supplychain-object/",
-      "https://mediaratingcouncil.org/sites/default/files/Standards/MRC%20Invalid%20Traffic%20Detection%20and%20Filtration%20Guidelines%20Addendum.pdf",
-      "https://iabtechlab.com/app-ads-txt/"
+      "https://velero.io/docs/latest/",
+      "https://velero.io/docs/latest/restore-reference/",
+      "https://velero.io/docs/latest/backup-reference/",
+      "https://velero.io/docs/latest/locations/",
+      "https://velero.io/docs/latest/hooks/"
     ],
-    "security_notes": "Supply chain integrity reviews work from the raw text of ads.txt, app-ads.txt, and sellers.json files pasted as input. Never request DSP credentials, exchange account tokens, or bid-stream logs. ads.txt and sellers.json are publicly resolvable files; the artifact is the publisher's or exchange's own exported text, not a live crawl of production endpoints.",
-    "last_verified": "2026-05-17",
-    "path": "skills/marketing/programmatic-supply-chain-integrity-review",
-    "author": "github: Raishin",
+    "security_notes": "Velero restore with existingResourcePolicy:update can overwrite live RBAC resources, Secrets, and ServiceAccounts — equivalent to a partial cluster wipe. BSL credentials with write-only access prevent listing/deleting old backups, causing runaway storage costs. Never proceed with cluster-wide restores without explicit platform-team sign-off.",
+    "last_verified": "2026-05-02",
+    "path": "skills/velero/velero-backup-restore-guard",
     "version": "0.1.0",
-    "lifecycle": "experimental"
+    "author": "github: Raishin"
   }
 ]