npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.7.1 → 2.9.0 - Mend

@raishin/vanguard-frontier-agentic 2.7.1 → 2.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2104) hide show

package/catalog/skills.json CHANGED Viewed

@@ -1275,7 +1275,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Build, test, migrate, and deploy Amazon Bedrock AgentCore code-based agents and harness workflows with runtime, policy, environment/skills, Memory, Gateway, Identity, Observability, Browser, Code Interpreter, and security guidance loaded progressively.",
+    "summary": "Build, test, migrate, and deploy Amazon Bedrock AgentCore code-based agents and harness workflows with runtime, policy, environment/skills/filesystems, Memory, Gateway, Identity, Observability, Browser, Code Interpreter, Evaluations, Registry, Payments, and security guidance loaded progressively.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/develop-agents.html",
@@ -1290,19 +1290,31 @@
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability-configure.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability-service-provided.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/browser-tool.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/evaluations.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/registry.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/payments.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-tools.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-filesystem-configurations.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-header-allowlist.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-sessions.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-mcp-elicitation.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-mcp-sampling.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-mcp-progress.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-mcp-logging.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/long-term-memory-metadata.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-create-policies.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-core-concepts.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-operations.html"
     ],
-    "security_notes": "Do not hardcode credentials, tokens, client secrets, account IDs, or customer data. Prefer AgentCore Identity/Gateway for managed credentials, enforce Cedar policy where Gateway is used, verify region and preview-feature constraints, keep least-privilege roles, and require explicit approval before deployment or tool-exposure changes.",
+    "security_notes": "Do not hardcode credentials, tokens, client secrets, account IDs, or customer data. Prefer AgentCore Identity/Gateway for managed credentials, enforce Cedar policy where Gateway is used, govern MCP sessions/streaming/elicitation/sampling, verify region/API and preview-feature constraints, keep least-privilege roles, review filesystem mounts and payment spending controls, and require explicit approval before deployment or tool-exposure changes.",
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-agentcore",
     "author": "github: Raishin",
-    "version": "0.1.6"
+    "version": "0.1.8"
   },
   {
     "id": "aws-api-edge-delivery-review",
@@ -1329,7 +1341,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-api-edge-delivery-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-bedrock-agent-security-governor",
@@ -1356,7 +1368,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-bedrock-agent-security-governor",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-change-impact-advisor",
@@ -1383,7 +1395,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-change-impact-advisor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-ci-cd-release-engineer",
@@ -1410,7 +1422,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-ci-cd-release-engineer",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-compliance-evidence-mapper",
@@ -1437,7 +1449,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-compliance-evidence-mapper",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-cost-anomaly-watch-coordinator",
@@ -1464,7 +1476,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-cost-anomaly-watch-coordinator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-cost-optimization-governor",
@@ -1491,7 +1503,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-cost-optimization-governor",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-daily-operations-briefing-coordinator",
@@ -1518,7 +1530,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-daily-operations-briefing-coordinator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-data-protection-backup-steward",
@@ -1545,7 +1557,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-data-protection-backup-steward",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-deployment-hotfix-operator",
@@ -1570,7 +1582,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-deployment-hotfix-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-devops-agent-skill-designer",
@@ -1597,7 +1609,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-devops-agent-skill-designer",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-dynamodb-data-modeling-performance-review",
@@ -1624,7 +1636,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-dynamodb-data-modeling-performance-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-ec2-compute-operations-steward",
@@ -1651,7 +1663,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-ec2-compute-operations-steward",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-ecs-fargate-platform-operator",
@@ -1678,7 +1690,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-ecs-fargate-platform-operator",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-ecs-service-remediation-operator",
@@ -1704,7 +1716,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-ecs-service-remediation-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-eks-platform-operator",
@@ -1731,7 +1743,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-eks-platform-operator",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-event-driven-architecture-review",
@@ -1758,7 +1770,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-event-driven-architecture-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-generative-ai-developer",
@@ -1789,7 +1801,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-generative-ai-developer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "aws-iac-change-safety-review",
@@ -1816,7 +1828,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-iac-change-safety-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-iac-patch-executor",
@@ -1842,7 +1854,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-iac-patch-executor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-iam-least-privilege-review",
@@ -1869,7 +1881,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-iam-least-privilege-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-kms-secrets-lifecycle-steward",
@@ -1896,7 +1908,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-kms-secrets-lifecycle-steward",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-landing-zone-governor",
@@ -1923,7 +1935,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-landing-zone-governor",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-live-deployment-guarded-operator",
@@ -1950,7 +1962,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-live-deployment-guarded-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "aws-live-ecs-rollout-guard",
@@ -1977,7 +1989,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-live-ecs-rollout-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "aws-live-iac-change-guard",
@@ -2005,7 +2017,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-live-iac-change-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "aws-live-pipeline-approval-operator",
@@ -2032,7 +2044,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-live-pipeline-approval-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "aws-live-serverless-release-guard",
@@ -2059,7 +2071,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-live-serverless-release-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "aws-maestro",
@@ -2087,7 +2099,7 @@
     "last_verified": "2026-04-30",
     "path": "skills/aws/aws-maestro",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "aws-migration-cutover-architect",
@@ -2114,7 +2126,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-migration-cutover-architect",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-network-architect",
@@ -2143,7 +2155,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-network-architect",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-non-destructive-task-automation-advisor",
@@ -2170,7 +2182,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-non-destructive-task-automation-advisor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-observability-incident-responder",
@@ -2197,7 +2209,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-observability-incident-responder",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-pipeline-fix-operator",
@@ -2223,7 +2235,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-pipeline-fix-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-private-ca-issuer-review",
@@ -2250,7 +2262,7 @@
     "security_notes": "Using a Root CA ARN in AWSPCAIssuer exposes the root of trust directly to cert-manager. A SubordinateCACertificate template allows cert-manager to issue intermediate CAs, enabling an attacker with cert-manager IRSA access to create a shadow CA trusted by the entire corporate PKI. IRSA role must exclude acm-pca:DeleteCertificateAuthority and acm-pca:CreateCertificateAuthority.",
     "last_verified": "2026-05-02",
     "path": "skills/aws/aws-private-ca-issuer-review",
-    "version": "0.1.0",
+    "version": "0.1.4",
     "author": "github: Raishin"
   },
   {
@@ -2278,7 +2290,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-rds-aurora-performance-investigator",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-resilience-bcdr-review",
@@ -2305,7 +2317,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-resilience-bcdr-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-s3-data-perimeter-governor",
@@ -2332,7 +2344,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-s3-data-perimeter-governor",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-security-posture-hardening",
@@ -2359,7 +2371,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-security-posture-hardening",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-serverless-production-readiness",
@@ -2386,7 +2398,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-serverless-production-readiness",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-serverless-rollout-corrector",
@@ -2412,7 +2424,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-serverless-rollout-corrector",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-solution-architect",
@@ -2440,7 +2452,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-solution-architect",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-ticket-triage-escalation-coordinator",
@@ -2467,7 +2479,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-ticket-triage-escalation-coordinator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-waf-cost-optimization-review",
@@ -2492,7 +2504,7 @@
     "last_verified": "2026-05-09",
     "path": "skills/aws/aws-waf-cost-optimization-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "aws-waf-reliability-review",
@@ -2517,7 +2529,7 @@
     "last_verified": "2026-05-09",
     "path": "skills/aws/aws-waf-reliability-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "aws-waf-security-review",
@@ -2542,7 +2554,7 @@
     "last_verified": "2026-05-09",
     "path": "skills/aws/aws-waf-security-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "azure-ai-foundry-ops-governor",
@@ -2569,13 +2581,16 @@
       "https://learn.microsoft.com/en-us/azure/foundry/how-to/quota",
       "https://learn.microsoft.com/en-us/azure/foundry/foundry-models/quotas-limits",
       "https://learn.microsoft.com/en-us/azure/foundry/foundry-models/how-to/monitor-models",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/azure/foundry/mcp/security-best-practices",
+      "https://learn.microsoft.com/azure/foundry/mcp/available-tools",
+      "https://learn.microsoft.com/security/benchmark/azure/baselines/azure-ai-foundry-security-baseline"
     ],
-    "security_notes": "Keep Foundry resource governance separate from project developer isolation, prefer Entra ID over key-based auth, verify quota and diagnostics before rollout, and treat MCP mutations as higher risk than read-only discovery, especially because hosted Foundry MCP security guidance documents preview and public-endpoint limitations.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Keep Foundry resource governance separate from project developer isolation, prefer Entra ID over key-based auth, verify quota and diagnostics before rollout, and treat tool-backed mutations as higher risk than read-only discovery, especially because hosted Foundry MCP capability security guidance documents preview and public-endpoint limitations.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-ai-foundry-ops-governor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-aks-platform-operator",
@@ -2599,13 +2614,15 @@
       "https://learn.microsoft.com/en-us/azure/aks/upgrade-options",
       "https://learn.microsoft.com/en-us/azure/aks/upgrade-conceptual",
       "https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview",
-      "https://learn.microsoft.com/en-us/azure/aks/network-policy-best-practices"
+      "https://learn.microsoft.com/en-us/azure/aks/network-policy-best-practices",
+      "https://learn.microsoft.com/en-us/azure/aks/best-practices-app-cluster-reliability",
+      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-kubernetes-service"
     ],
     "security_notes": "Do not wave through AKS as production ready without explicit upgrade, rollback, workload identity, traffic-control, subnet-capacity, and observability evidence. Treat flat pod networking, static secrets, and untested drain behavior as high-risk.",
-    "last_verified": "2026-04-27",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-aks-platform-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-app-service-production-readiness",
@@ -2638,18 +2655,19 @@
       "https://learn.microsoft.com/en-us/azure/app-service/configure-zone-redundancy",
       "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
       "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-app-service"
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-app-service",
+      "https://learn.microsoft.com/en-us/azure/architecture/web-apps/app-service/architectures/baseline-zone-redundant"
     ],
-    "security_notes": "Do not confuse plan SKU with readiness, public access restrictions with true private ingress, or backup configuration with recovery readiness. Prefer managed identity and Key Vault references over embedded secrets, treat app settings as sensitive, and do not invent unsupported Azure MCP namespaces or operations.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not confuse plan SKU with readiness, public access restrictions with true private ingress, or backup configuration with recovery readiness. Prefer managed identity and Key Vault references over embedded secrets, treat app settings as sensitive, and do not invent unsupported configured Azure evidence namespaces or operations.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-app-service-production-readiness",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-cosmosdb-application-developer",
     "name": "Azure Cosmos DB Application Developer",
-    "version": "0.1.0",
+    "version": "0.1.3",
     "type": "skill",
     "provider": "azure",
     "harnesses": [
@@ -2673,17 +2691,19 @@
       "https://learn.microsoft.com/en-us/azure/cosmos-db/query-metrics",
       "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db",
       "https://learn.microsoft.com/en-us/azure/cosmos-db/transactional-batch",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/find-request-unit-charge"
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/find-request-unit-charge",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/optimize-cost-reads-writes",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/request-units"
     ],
     "security_notes": "Do not recommend data models, query patterns, transactional assumptions, or SDK usage that ignore partition scope, RU cost, consistency semantics, or least-privilege access boundaries.",
-    "last_verified": "2026-04-28",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-cosmosdb-application-developer",
     "author": "github: Raishin"
   },
   {
     "id": "azure-cosmosdb-performance-investigator",
     "name": "Azure Cosmos DB Performance Investigator",
-    "version": "0.1.0",
+    "version": "0.1.3",
     "type": "skill",
     "provider": "azure",
     "harnesses": [
@@ -2706,17 +2726,19 @@
       "https://learn.microsoft.com/en-us/azure/cosmos-db/use-metrics",
       "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-redistribute-throughput-across-partitions",
       "https://learn.microsoft.com/en-us/azure/cosmos-db/performance-tips-dotnet-sdk-v3",
-      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db"
+      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/monitor-normalized-request-units",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/autoscale-faq"
     ],
     "security_notes": "Do not recommend throughput increases, repartitioning, indexing changes, or SDK tuning before separating RU cost, latency, partition skew, and query-shape evidence. Avoid speculative fixes that hide workload design defects.",
-    "last_verified": "2026-04-28",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-cosmosdb-performance-investigator",
     "author": "github: Raishin"
   },
   {
     "id": "azure-cosmosdb-platform-operator",
     "name": "Azure Cosmos DB Platform Operator",
-    "version": "0.1.0",
+    "version": "0.1.3",
     "type": "skill",
     "provider": "azure",
     "harnesses": [
@@ -2739,10 +2761,13 @@
       "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-manage-consistency",
       "https://learn.microsoft.com/en-us/azure/cosmos-db/query-metrics",
       "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/hierarchical-partition-keys"
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/hierarchical-partition-keys",
+      "https://learn.microsoft.com/en-us/azure/reliability/reliability-cosmos-db",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/hierarchical-partition-keys-unlimited-scale",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/failover-considerations-for-private-endpoints"
     ],
     "security_notes": "Do not approve a partition key, indexing posture, consistency change, or cross-partition query strategy without checking workload shape, RU impact, transactional scope, and least-privilege access implications.",
-    "last_verified": "2026-04-28",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-cosmosdb-platform-operator",
     "author": "github: Raishin"
   },
@@ -2768,13 +2793,15 @@
       "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
       "https://learn.microsoft.com/en-us/azure/cost-management-billing/savings-plan/manage-savings-plan",
       "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-pricing"
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-pricing",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/overview-cost-management",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/cost-management-automation-scenarios"
     ],
-    "security_notes": "Do not present calculator output as invoice truth, do not hide missing sizing assumptions, and do not imply unsupported Azure MCP pricing or billing capabilities. Treat negotiated pricing, discount posture, and future utilization as explicit uncertainty unless verified.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not present calculator output as invoice truth, do not hide missing sizing assumptions, and do not imply unsupported configured Azure evidence pricing or billing capabilities. Treat negotiated pricing, discount posture, and future utilization as explicit uncertainty unless verified.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-cost-estimation-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-cost-optimization-governor",
@@ -2800,18 +2827,22 @@
       "https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-cost-recommendations",
       "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
       "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-pricing",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-advisor"
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-advisor",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/overview-cost-management",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-best-practices",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-opt-recommendations",
+      "https://learn.microsoft.com/en-us/azure/advisor/advisor-workbook-cost-optimization"
     ],
     "security_notes": "Do not promise savings without utilization evidence, treat budgets as alerts rather than enforcement, keep billing and export data sanitized, and require named ownership for alerts, tags, exports, and optimization follow-up before calling the FinOps posture credible.",
-    "last_verified": "2026-04-27",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-cost-optimization-governor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-entra-id-specialist",
     "name": "Azure Entra ID Specialist",
-    "version": "0.1.0",
+    "version": "0.1.5",
     "type": "skill",
     "provider": "azure",
     "harnesses": [
@@ -2834,10 +2865,13 @@
       "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-security-info-registration",
       "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-users-groups",
       "https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview",
-      "https://learn.microsoft.com/en-us/entra/id-protection/concept-workload-identity-risk"
+      "https://learn.microsoft.com/en-us/entra/id-protection/concept-workload-identity-risk",
+      "https://learn.microsoft.com/en-us/entra/agent-id/security-for-ai-overview",
+      "https://learn.microsoft.com/en-us/entra/agent-id/what-is-microsoft-entra-agent-id",
+      "https://learn.microsoft.com/en-us/entra/id-governance/agent-id-governance-overview"
     ],
     "security_notes": "Do not recommend broad exclusions, unsafe break-glass patterns, blanket MFA bypasses, overprivileged app registrations, or risky Conditional Access changes without scoping blast radius, role ownership, and recovery paths.",
-    "last_verified": "2026-04-28",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-entra-id-specialist",
     "author": "github: Raishin"
   },
@@ -2866,13 +2900,15 @@
       "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure",
       "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/migrate-azure-landing-zone-policies",
       "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-policy"
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-policy",
+      "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-basics",
+      "https://learn.microsoft.com/en-us/azure/governance/policy/how-to/policy-safe-deployment-practices"
     ],
     "security_notes": "Do not recommend broad-scope deny or remediation-first rollout without blast-radius review, inheritance analysis, exception handling, and rollback notes.",
-    "last_verified": "2026-04-27",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-governance-policy-guardrails",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-identity-governance-review",
@@ -2887,26 +2923,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Microsoft Entra identity governance posture for Azure operators, focusing on PIM, access reviews, entitlement management, standing access, and ownership gaps.",
+    "summary": "Review Microsoft Entra identity governance posture for Azure operators, focusing on PIM, access reviews, entitlement management, standing access, emergency access, and ownership gaps.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones",
-      "https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles",
-      "https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview",
-      "https://learn.microsoft.com/en-us/entra/id-governance/manage-access-review",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review",
-      "https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview",
-      "https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-reviews-create",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/entra/architecture/ops-guide-govern",
+      "https://learn.microsoft.com/entra/id-governance/scenarios/least-privileged",
+      "https://learn.microsoft.com/entra/id-governance/identity-governance-overview",
+      "https://learn.microsoft.com/entra/id-governance/access-reviews-overview",
+      "https://learn.microsoft.com/entra/id-governance/entitlement-management-overview",
+      "https://learn.microsoft.com/entra/identity/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
     ],
-    "security_notes": "Challenge standing privileged access by default. Do not treat PIM, access reviews, or entitlement management as sufficient unless scope, ownership, cadence, and removal behavior are explicit.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Challenge standing privileged access by default. PIM, access reviews, and entitlement management are not sufficient unless scope, owner, cadence, approval, expiration, and removal behavior are explicit.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-identity-governance-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-key-vault-secret-lifecycle-auditor",
@@ -2924,21 +2957,20 @@
     "summary": "Audit Azure Key Vault secret lifecycle posture across RBAC, soft delete, purge protection, expiration, rotation, metadata hygiene, eventing, and recovery readiness without exposing secret values.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-key-vault",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/services/azure-mcp-server-for-key-vault",
-      "https://learn.microsoft.com/en-us/azure/key-vault/secrets/secure-secrets",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/autorotation",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery",
-      "https://learn.microsoft.com/en-us/azure/key-vault/policy-reference"
-    ],
-    "security_notes": "Avoid retrieving secret values unless absolutely necessary. Treat purge authority, missing soft delete, missing purge protection, and unproven rotation or recovery paths as high-risk. Prefer RBAC least privilege and metadata-based audits over content access.",
-    "last_verified": "2026-04-27",
+      "https://learn.microsoft.com/azure/key-vault/secrets/secure-secrets",
+      "https://learn.microsoft.com/azure/key-vault/general/secure-key-vault",
+      "https://learn.microsoft.com/azure/key-vault/general/rbac-guide",
+      "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+      "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery",
+      "https://learn.microsoft.com/azure/key-vault/secrets/tutorial-rotation",
+      "https://learn.microsoft.com/azure/key-vault/general/event-grid-overview",
+      "https://learn.microsoft.com/azure/key-vault/policy-reference"
+    ],
+    "security_notes": "Avoid retrieving secret values. Treat purge authority, missing soft delete, missing purge protection, legacy access policies for critical workloads, and untested rotation or recovery paths as high-risk.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-key-vault-secret-lifecycle-auditor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-keyvault-certificate-issuer-review",
@@ -2953,18 +2985,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure Key Vault certificate issuer configurations for cert-manager, covering certificate policy alignment, Managed Identity authorization scope, exportability posture, private endpoint connectivity, integrated CA credential scoping, and cert-manager vs Key Vault auto-rotation race conditions.",
+    "summary": "Review Azure Key Vault certificate issuer configurations for cert-manager and AKS, covering certificate policy alignment, managed identity authorization scope, exportability posture, private endpoint connectivity, issuer credential scoping, and renewal timing.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates",
-      "https://learn.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/network-security"
+      "https://learn.microsoft.com/azure/key-vault/certificates/about-certificates",
+      "https://learn.microsoft.com/azure/key-vault/certificates/how-to-integrate-certificate-authority",
+      "https://learn.microsoft.com/azure/key-vault/certificates/create-certificate",
+      "https://learn.microsoft.com/azure/key-vault/certificates/secure-certificates"
     ],
-    "security_notes": "Key Vault Contributor role assigned to cert-manager allows deletion of the Key Vault, management policy changes, and purge of soft-deleted certs \u2014 a full management plane compromise. Use Key Vault Certificate Officer (data plane RBAC) instead. Exportable certificates allow private key extraction from Key Vault; use non-exportable certs for cluster-internal mTLS.",
-    "last_verified": "2026-05-02",
+    "security_notes": "Use Key Vault certificate data-plane roles for certificate lifecycle tasks and avoid broad management-plane roles. Treat exportable private keys, unscoped CA requester credentials, missing renewal contacts, and untested renewal handoff as high-risk.",
+    "last_verified": "2026-06-06",
     "path": "skills/azure/azure-keyvault-certificate-issuer-review",
-    "version": "0.1.0",
+    "version": "0.1.4",
     "author": "github: Raishin"
   },
   {
@@ -2980,22 +3012,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Design or review Azure landing-zone architecture across management groups, subscriptions, governance, security, networking, and operations dependencies.",
+    "summary": "Design or review Azure landing-zone architecture across management groups, subscriptions, governance, security, networking, identity, management, and platform automation dependencies.",
     "source_type": "original",
     "official_docs": [
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/",
       "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
       "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access",
       "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
       "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
-      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/implementation-options",
-      "https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke",
-      "https://learn.microsoft.com/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops",
+      "https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke"
     ],
-    "security_notes": "Do not prescribe a one-size-fits-all hierarchy, broad admin grants, or a production-ready verdict without governance, management, and recovery dependencies being addressed.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not prescribe a one-size-fits-all hierarchy, broad admin grants, or production-ready verdict without identity, governance, security, management, network, subscription, cost, and recovery dependencies being addressed.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-landing-zone-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-live-aks-rollout-guard",
@@ -3010,19 +3043,24 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard live AKS deployment rollouts with PDB audit, maxUnavailable/surge validation, rollout pause/undo gates, and post-rollout health verification.",
+    "summary": "Guard live AKS deployment and node-pool rollouts with PDB audit, maxUnavailable/surge validation, pause/undo gates, capacity checks, and post-rollout health verification.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security",
-      "https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads",
-      "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment",
-      "https://kubernetes.io/docs/tasks/run-application/configure-pdb/"
+      "https://learn.microsoft.com/azure/aks/upgrade-aks-node-pools-rolling",
+      "https://learn.microsoft.com/azure/aks/upgrade-options",
+      "https://learn.microsoft.com/azure/aks/upgrade-conceptual",
+      "https://learn.microsoft.com/azure/aks/blue-green-node-pool-upgrade",
+      "https://learn.microsoft.com/azure/architecture/operator-guides/aks/aks-upgrade-practices",
+      "https://learn.microsoft.com/azure/aks/concepts-clusters-workloads",
+      "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-security",
+      "https://kubernetes.io/docs/tasks/run-application/configure-pdb/",
+      "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment"
     ],
-    "security_notes": "Never advance an AKS rollout without PDB audit and replica health check. kubectl rollout undo is safe but must be confirmed before execution to avoid double-rollback churn.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never advance an AKS rollout without target, principal, approval, PDB audit, replica health, capacity, and rollback evidence. Treat undo, drain, cordon, scale, and node-pool upgrade operations as live mutations requiring explicit approval.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-aks-rollout-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "azure-live-app-service-slot-swap-guard",
@@ -3037,18 +3075,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard live App Service slot swaps with sticky-settings audit, warmup probe verification, swap-with-preview staging, and instant rollback posture.",
+    "summary": "Guard live App Service slot swaps with sticky-settings audit, warmup probe verification, swap-with-preview staging, activity-log checks, and immediate rollback posture.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots",
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
-      "https://learn.microsoft.com/en-us/azure/app-service/configure-common"
+      "https://learn.microsoft.com/azure/app-service/deploy-staging-slots",
+      "https://learn.microsoft.com/azure/app-service/reference-app-settings#deployment-slots",
+      "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
+      "https://learn.microsoft.com/azure/app-service/configure-common",
+      "https://learn.microsoft.com/azure/app-service/overview-local-cache"
     ],
-    "security_notes": "Never perform a production slot swap without sticky-settings diff audit and warmup health confirmation. A bad swap with no rollback plan can take a production app offline instantly.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never perform a production slot swap without target-slot confirmation, sticky-settings diff, warm-up evidence, authentication limitation check, activity-log monitoring path, and immediate rollback plan.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-app-service-slot-swap-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.6"
   },
   {
     "id": "azure-live-arm-deployment-stack-guard",
@@ -3063,19 +3103,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard live ARM, Bicep, and Deployment Stack changes with what-if evidence, denySettings review, changeset diff, rollback posture, and approval gates.",
+    "summary": "Guard live ARM, Bicep, and Deployment Stack changes with what-if evidence, deny-settings review, action-on-unmanage safety, managed-resource diff, rollback posture, and approval gates.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices"
+      "https://learn.microsoft.com/azure/azure-resource-manager/templates/deploy-what-if",
+      "https://learn.microsoft.com/azure/azure-resource-manager/bicep/deployment-stacks",
+      "https://learn.microsoft.com/azure/templates/microsoft.resources/deploymentstacks",
+      "https://learn.microsoft.com/azure/role-based-access-control/deny-assignments",
+      "https://learn.microsoft.com/azure/azure-resource-manager/templates/best-practices"
     ],
-    "security_notes": "Never execute an ARM or Deployment Stack change without what-if evidence, confirmed target scope, denySettings review, and explicit human approval. Repo write access does not authorize live Azure mutations.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never execute an ARM, Bicep, or Deployment Stack change without confirmed scope, template/parameter provenance, what-if or managed-resource diff, deny-settings review, action-on-unmanage review, rollback constraints, and explicit human approval.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-arm-deployment-stack-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.5"
   },
   {
     "id": "azure-live-cost-budget-action-guard",
@@ -3090,19 +3131,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Gate Azure budget action changes and GPU/HPC SKU provisioning against approved spend limits, with quota audits and emergency spend-stop playbooks.",
+    "summary": "Gate Azure budget action changes, cost-alert automation, and quota-sensitive GPU/HPC provisioning against approved spend limits, cost data latency, action-group behavior, and emergency spend-stop playbooks.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits",
-      "https://learn.microsoft.com/en-us/azure/quotas/quickstart-increase-quota-portal",
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/finops/overview-finops"
+      "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
+      "https://learn.microsoft.com/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending",
+      "https://learn.microsoft.com/azure/cost-management-billing/costs/cost-mgt-best-practices",
+      "https://learn.microsoft.com/cloud-computing/finops/framework/quantify/budgeting",
+      "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+      "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
     ],
-    "security_notes": "GPU/HPC SKUs (NDv5, H100, A100) can generate $50K+ daily costs. Never approve quota increases or budget threshold raises without explicit spend-approval sign-off from a financial authority.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never approve quota increases, budget threshold raises, automated cost actions, or high-cost SKU provisioning without explicit financial owner approval, cost data latency caveat, rollback or stop action, and scope confirmation.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-cost-budget-action-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.7"
   },
   {
     "id": "azure-live-entra-role-assignment-guard",
@@ -3117,20 +3160,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard live permanent Microsoft Entra ID and Azure RBAC role assignments with scope audit, principal-type risk classification, dangerous-role detection, and explicit approval gates before write.",
+    "summary": "Guard live permanent Microsoft Entra ID and Azure RBAC role assignments with scope audit, principal-type risk classification, dangerous-role detection, PIM preference, propagation caveats, and explicit approval gates before write.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-alert",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"
+      "https://learn.microsoft.com/azure/role-based-access-control/overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-steps",
+      "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-alert",
+      "https://learn.microsoft.com/azure/role-based-access-control/troubleshooting#azure-role-assignments",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-deployment-plan"
     ],
-    "security_notes": "Never create Owner, Contributor, or UAA assignments at subscription or management-group scope without CISO-level justification. Always prefer PIM eligible assignment. Block Guest principal assignments without Director-level sign-off. Token caching means deletion may take up to 5 minutes to propagate.",
-    "last_verified": "2026-05-01",
+    "security_notes": "Never create or delete privileged role assignments without confirmed tenant/scope, assignee identity, principal type, role definition, existing assignment evidence, PIM alternative review, explicit approval, propagation caveat, and rollback command.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-entra-role-assignment-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.7"
   },
   {
     "id": "azure-live-keyvault-rotation-purge-guard",
@@ -3145,19 +3189,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard Key Vault key rotation, rotation policy changes, soft-delete enforcement, and purge-protection enablement with irreversibility warnings and rollback evidence.",
+    "summary": "Guard Key Vault key and secret rotation, rotation policy changes, soft-delete checks, purge-protection enablement, recover decisions, and purge attempts with irreversibility warnings and rollback evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery",
-      "https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details",
-      "https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices"
+      "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery",
+      "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+      "https://learn.microsoft.com/azure/key-vault/general/secure-key-vault",
+      "https://learn.microsoft.com/azure/key-vault/keys/how-to-configure-key-rotation",
+      "https://learn.microsoft.com/azure/key-vault/keys/secure-keys",
+      "https://learn.microsoft.com/azure/key-vault/policy-reference"
     ],
-    "security_notes": "Purge-protection enable is irreversible. Soft-deleted keys can be recovered within the retention window. HSM-backed hard-purged keys cannot be recovered. Never grant purge rights to routine rotation operators.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Purge protection enablement is irreversible, purge is permanent when allowed, and key/secret rotation can break dependent workloads. Never grant purge rights to routine rotation operators or mutate production vault lifecycle controls without owner approval and dependency evidence.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-keyvault-rotation-purge-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.6"
   },
   {
     "id": "azure-live-pim-jit-activation-guard",
@@ -3172,19 +3218,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Gate Entra ID PIM eligible role activations with justification, MFA, ticket binding, time-bound scope, and approval workflow gates before any privileged Azure role becomes active.",
+    "summary": "Gate Microsoft Entra PIM eligible role activations with justification, MFA, reduced scope, ticket binding, time-bound duration, approval workflow checks, and cache/propagation caveats.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure-azure-ad-roles"
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-configure",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-resource-roles-activate-your-roles",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-resource-roles-approval-workflow",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-deployment-plan",
+      "https://learn.microsoft.com/entra/identity/role-based-access-control/best-practices"
     ],
-    "security_notes": "Never activate a PIM role without justification, ticket reference, and MFA confirmation. An agent cannot activate another user's PIM role on their behalf \u2014 only the eligible principal may submit. Requires Entra ID P2 or equivalent license.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never activate or approve PIM privileged access without confirming eligible principal, scope, role, activation duration, MFA/Conditional Access requirement, justification or ticket, approval status, and deactivation/expiry behavior.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-pim-jit-activation-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.6"
   },
   {
     "id": "azure-maestro",
@@ -3199,20 +3247,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Route Azure tasks to the narrowest specialist or team of specialists from the 30-agent catalog. Classifies by domain, dispatches single or parallel (max 4), and enforces live-guard gate for production-change agents.",
+    "summary": "Route Azure tasks to the narrowest specialist or bounded specialist team from the Azure catalog, with strict live-guard gates for production-change agents and no stale hard-coded catalog counts.",
     "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/",
-      "https://learn.microsoft.com/en-us/azure/architecture/",
-      "https://learn.microsoft.com/en-us/azure/well-architected/",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview"
+      "https://learn.microsoft.com/azure/architecture/",
+      "https://learn.microsoft.com/azure/well-architected/",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
+      "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/azure/azure-monitor/fundamentals/overview"
     ],
-    "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live-guard agents without explicit human confirmation, blast-radius assessment, and rollback path.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never auto-dispatch live-guard agents. Any live Azure mutation path requires explicit human confirmation, blast-radius assessment, target confirmation, rollback or non-reversibility statement, and specialist handoff.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-maestro",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-migrate-landing-zone-cutover",
@@ -3227,21 +3275,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Stress-test Azure migration cutovers across assessment quality, landing-zone readiness, dependency sequencing, permissions, rollback, and post-cutover operating ownership.",
+    "summary": "Stress-test Azure migration cutovers across discovery quality, assessment freshness, dependency sequencing, landing-zone readiness, permissions, rollback, and post-cutover operating ownership.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/migrate/concepts-overview?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/migrate/assessment-prerequisites?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/migrate/review-application-assessment?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/migrate/platform-landing-zone?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/ready-azure-landing-zone",
-      "https://learn.microsoft.com/en-us/azure/migrate/whats-new?view=migrate"
+      "https://learn.microsoft.com/azure/migrate/migrate-services-overview?view=migrate",
+      "https://learn.microsoft.com/azure/migrate/concepts-migration-planning?view=migrate",
+      "https://learn.microsoft.com/azure/migrate/common-questions-discovery-dependency-analysis?view=migrate",
+      "https://learn.microsoft.com/azure/migrate/overview?view=migrate",
+      "https://learn.microsoft.com/azure/migrate/platform-landing-zone?view=migrate",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/"
     ],
     "security_notes": "Do not equate Azure readiness with cutover readiness. Treat stale assessments, weak dependency mapping, broad migration permissions, missing rollback checkpoints, and incomplete landing-zone connectivity or monitoring as high-risk blockers.",
-    "last_verified": "2026-04-27",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-migrate-landing-zone-cutover",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-network-topology-review",
@@ -3256,19 +3304,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure hub-spoke and related network topologies for routing, DNS, shared-services boundaries, security implications, and platform-versus-workload control ownership.",
+    "summary": "Review Azure hub-spoke and related network topologies for routing, DNS, shared-services boundaries, security inspection, private connectivity, regional blast radius, and platform-versus-workload ownership.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke",
-      "https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-hub-spoke-network",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
-    ],
-    "security_notes": "Do not recommend flat or over-centralized network patterns by default. Always address routing, DNS, shared-service blast radius, and platform-versus-workload control boundaries before calling a topology safe.",
-    "last_verified": "2026-04-27",
+      "https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke",
+      "https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke-virtual-wan-architecture",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/network-topology-and-connectivity",
+      "https://learn.microsoft.com/azure/architecture/networking/guide/private-link-hub-spoke-network",
+      "https://learn.microsoft.com/azure/dns/private-resolver-architecture",
+      "https://learn.microsoft.com/azure/virtual-network-manager/overview"
+    ],
+    "security_notes": "Do not recommend flat or over-centralized network patterns by default. Always address routing, DNS, shared-service blast radius, inspection path, private connectivity, and platform-versus-workload control boundaries before calling a topology safe.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-network-topology-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-observability-investigator",
@@ -3283,30 +3333,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Investigate Azure Monitor, Log Analytics, Application Insights, alerting, KQL triage, telemetry gaps, and observability workflows with explicit evidence-versus-inference handling.",
+    "summary": "Investigate Azure Monitor, Log Analytics, Application Insights, alerting, KQL triage, telemetry gaps, workbooks, Grafana, and incident hypotheses with explicit evidence-versus-inference handling.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/best-practices-analysis",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-processing-rules",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/get-started-queries",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview",
-      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/application-insights",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/visualize-grafana-overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/monitor",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-monitor"
+      "https://learn.microsoft.com/azure/azure-monitor/fundamentals/overview",
+      "https://learn.microsoft.com/azure/azure-monitor/fundamentals/best-practices-operation",
+      "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
+      "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
+      "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-processing-rules",
+      "https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview",
+      "https://learn.microsoft.com/azure/azure-monitor/logs/workspace-design",
+      "https://learn.microsoft.com/azure/azure-monitor/app/app-insights-overview",
+      "https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-overview",
+      "https://learn.microsoft.com/azure/managed-grafana/how-to-use-azure-monitor-alerts"
     ],
-    "security_notes": "Do not over-attribute symptoms as root cause, ignore missing telemetry, or recommend broad alerting changes without signal-quality review, routing checks, and bounded verification steps.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not over-attribute symptoms as root cause, ignore missing telemetry, or recommend broad alerting changes without signal-quality review, routing checks, query scope, and bounded verification steps.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-observability-investigator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-platform-automation-devops",
@@ -3321,25 +3366,22 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and review Azure platform automation delivery across landing-zone IaC choices, bootstrap-versus-run separation, infra-versus-app pipelines, secret handling, validation gates, and safe rollout patterns.",
+    "summary": "Design and review Azure platform automation delivery across landing-zone IaC choices, bootstrap-versus-run separation, infra-versus-app pipelines, secret handling, what-if validation, approval gates, and safe rollout patterns.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/implementation-options",
-      "https://learn.microsoft.com/en-us/azure/architecture/landing-zones/bicep/landing-zone-bicep",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/terraform-landing-zone",
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots?view=azure-devops-2020",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-deploy",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-mcp-server",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/"
+      "https://learn.microsoft.com/azure/azure-resource-manager/bicep/deploy-what-if",
+      "https://learn.microsoft.com/training/modules/test-bicep-code-using-github-actions/",
+      "https://learn.microsoft.com/training/modules/test-bicep-code-using-azure-pipelines/",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/implementation-options",
+      "https://learn.microsoft.com/azure/architecture/landing-zones/bicep/landing-zone-bicep",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/terraform-landing-zone"
     ],
-    "security_notes": "Keep bootstrap and steady-state delivery separate, do not mix platform and application pipelines without control boundaries, never store secrets in repo or pipeline definitions, and require preview, validation, approval, and rollback paths before production-impacting Azure changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Keep bootstrap and steady-state delivery separate, do not mix platform and application pipelines without control boundaries, never store secrets in repo or pipeline definitions, and require lint, validation, what-if, approval, and rollback paths before production-impacting Azure changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-platform-automation-devops",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-private-endpoint-adoption-planner",
@@ -3354,22 +3396,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Plan Azure Private Link and private endpoint adoption with explicit hub-versus-spoke placement, private DNS zone linkage, route implications, and centralized-versus-local trade-offs.",
+    "summary": "Plan Azure Private Link and private endpoint adoption with explicit hub-versus-spoke placement, private DNS zone linkage, DNS Private Resolver choices, route implications, and centralized-versus-local trade-offs.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/architecture/guide/networking/private-link-hub-spoke-network",
-      "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration",
-      "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns",
-      "https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/azure/private-link/private-endpoint-dns-integration",
+      "https://learn.microsoft.com/azure/private-link/private-endpoint-dns",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale",
+      "https://learn.microsoft.com/azure/architecture/networking/guide/private-link-virtual-wan-dns-guide",
+      "https://learn.microsoft.com/azure/dns/private-resolver-endpoints-rulesets",
+      "https://learn.microsoft.com/azure/networking/foundations/network-foundations-overview"
     ],
-    "security_notes": "Do not recommend private endpoint placement without naming consumer networks, DNS-zone ownership, VNet links, route implications, and rollback checks. Challenge both over-centralized hub designs and uncontrolled per-spoke duplication.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not recommend private endpoint placement without naming consumer networks, private DNS zone ownership, VNet links, DNS forwarding path, route implications, and rollback checks. Challenge both over-centralized hub designs and uncontrolled per-spoke duplication.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-private-endpoint-adoption-planner",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-rbac-review",
@@ -3384,17 +3425,22 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure role assignments, custom roles, and scope choices for least privilege and operational safety.",
+    "summary": "Review Azure role assignments, custom roles, privileged administrator roles, conditions, PIM usage, group-based assignment, and scope choices for least privilege and operational safety.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices"
+      "https://learn.microsoft.com/azure/role-based-access-control/overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/azure/role-based-access-control/scope-overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+      "https://learn.microsoft.com/azure/role-based-access-control/custom-roles",
+      "https://learn.microsoft.com/azure/role-based-access-control/conditions-overview",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-configure"
     ],
-    "security_notes": "Do not recommend Owner or User Access Administrator unless justified. Prefer narrow scopes and built-in roles before custom broad grants.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not recommend Owner, Contributor, User Access Administrator, Role Based Access Control Administrator, wildcard custom roles, direct user grants, or broad scopes unless the business need is proven and safer job-function, group-based, conditioned, or time-bound alternatives are insufficient.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-rbac-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-resilience-bcdr-review",
@@ -3409,23 +3455,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure resilience and disaster-recovery posture for RTO/RPO realism, failover and failback assumptions, shared-responsibility gaps, and recovery runbook or drill quality.",
+    "summary": "Review Azure resilience and disaster-recovery posture for business criticality, RTO/RPO realism, failover and failback assumptions, backup/restore, region/zone strategy, recovery automation, runbooks, and drill evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/well-architected/reliability/principles",
-      "https://learn.microsoft.com/en-us/azure/well-architected/reliability/disaster-recovery",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/azure/well-architected/reliability/disaster-recovery",
+      "https://learn.microsoft.com/azure/reliability/concept-business-continuity-high-availability-disaster-recovery",
+      "https://learn.microsoft.com/azure/well-architected/reliability/metrics",
+      "https://learn.microsoft.com/azure/well-architected/reliability/testing-strategy",
+      "https://learn.microsoft.com/azure/reliability/overview-reliability-guidance",
+      "https://learn.microsoft.com/azure/service-health/overview"
     ],
-    "security_notes": "Do not accept zero-downtime or zero-data-loss claims without explicit architecture and test evidence. Separate Azure platform resilience from workload recovery obligations, and treat untested runbooks, undocumented failback, and single-region dependencies as material risks.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not accept zero-downtime or zero-data-loss claims without explicit architecture and test evidence. Separate Azure platform resilience from workload recovery obligations, and treat untested runbooks, undocumented failback, inaccessible DR assets, and single-region dependencies as material risks.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-resilience-bcdr-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-resource-health-incident-triage",
@@ -3440,24 +3484,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Triage Azure Resource Health, Service Health, activity-log alerts, and first-pass cloud-health incidents with explicit separation between provider incidents, tenant-side changes, and unresolved evidence.",
+    "summary": "Triage Azure Resource Health, Service Health, activity-log alerts, and first-pass cloud-health incidents with explicit separation between provider incidents, resource-specific health, tenant-side changes, and unresolved evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-activity-log-alert-rule",
-      "https://learn.microsoft.com/en-us/azure/service-health/service-health-alert-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/alerts-activity-log-service-notifications-portal",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-resource-health",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-monitor"
+      "https://learn.microsoft.com/azure/service-health/resource-health-overview",
+      "https://learn.microsoft.com/azure/service-health/service-health-notifications-properties",
+      "https://learn.microsoft.com/azure/service-health/service-health-event-properties",
+      "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+      "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+      "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups"
     ],
-    "security_notes": "Do not over-attribute platform health signals as root cause, ignore recent tenant-side changes, invent unsupported MCP tools, or recommend broad remediation before blast radius and evidence are clear.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not over-attribute platform health signals as root cause, ignore recent tenant-side changes, expose sensitive incident payloads, invent unsupported tools, or recommend broad remediation before blast radius and evidence are clear.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-resource-health-incident-triage",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-role-selector",
@@ -3475,17 +3516,20 @@
     "summary": "Select the narrowest Azure built-in role, custom-role fallback, and assignment scope for a requested access pattern while separating control-plane and data-plane permissions.",
     "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
-    ],
-    "security_notes": "Prefer built-in roles before custom roles, minimize assignment scope, and keep control-plane and data-plane permissions separate. Do not default to Owner or Contributor for routine access requests.",
-    "last_verified": "2026-04-27",
+      "https://learn.microsoft.com/azure/role-based-access-control/overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+      "https://learn.microsoft.com/azure/role-based-access-control/role-definitions",
+      "https://learn.microsoft.com/azure/role-based-access-control/custom-roles",
+      "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-steps",
+      "https://learn.microsoft.com/azure/role-based-access-control/scope-overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles"
+    ],
+    "security_notes": "Prefer built-in job-function roles before custom roles, minimize assignment scope, separate control-plane and data-plane permissions, and do not default to Owner, Contributor, or wildcard custom roles for routine access requests.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-role-selector",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-security-posture-hardening",
@@ -3500,26 +3544,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure security posture with least privilege, managed identities, Key Vault hardening, private access decisions, policy guardrails, and audit-ready logging expectations.",
+    "summary": "Review Azure security posture with least privilege, managed identities, Key Vault hardening, private access decisions, policy guardrails, Defender recommendations, and audit-ready logging expectations.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/security/fundamentals/best-practices-and-patterns",
-      "https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/how-to-azure-key-vault-network-security",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/monitor-key-vault",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/services/azure-mcp-server-for-key-vault"
-    ],
-    "security_notes": "Do not recommend broad admin roles, stored secrets, or public exposure by default. Prefer managed identities, scoped RBAC, policy-enforced controls, private access where justified, and verified logging coverage.",
-    "last_verified": "2026-04-27",
+      "https://learn.microsoft.com/azure/key-vault/general/secure-key-vault",
+      "https://learn.microsoft.com/security/benchmark/azure/baselines/key-vault-security-baseline",
+      "https://learn.microsoft.com/security/benchmark/azure/baselines/microsoft-defender-for-cloud-security-baseline",
+      "https://learn.microsoft.com/azure/defender-for-cloud/recommendations-reference-identity-access",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
+      "https://learn.microsoft.com/azure/governance/policy/overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls",
+      "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management",
+      "https://learn.microsoft.com/azure/defender-for-cloud/review-security-recommendations"
+    ],
+    "security_notes": "Do not recommend broad admin roles, stored secrets, legacy Key Vault access policies, or public exposure by default. Prefer managed identities, scoped RBAC, policy-enforced controls, private access where justified, soft delete/purge protection, and verified logging coverage.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-security-posture-hardening",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-subscription-resource-organization",
@@ -3534,23 +3577,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and review Azure management-group, subscription, and resource-group boundaries with explicit governance, ownership, and landing-zone operating-model consequences.",
+    "summary": "Design and review Azure management-group, subscription, and resource-group boundaries with explicit governance, ownership, policy inheritance, scale-unit, and landing-zone operating-model consequences.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/subscription",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/resource-group"
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-application-environments",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
+      "https://learn.microsoft.com/training/modules/design-governance/",
+      "https://learn.microsoft.com/azure/governance/management-groups/overview",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging",
+      "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-policies"
     ],
-    "security_notes": "Do not recommend flat hierarchies, fake isolation via resource groups, or subscription moves without proving governance, ownership, policy inheritance, and operational blast-radius implications.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not recommend flat hierarchies, fake isolation via resource groups, or subscription moves without proving governance, ownership, policy inheritance, RBAC, cost, quota, and operational blast-radius implications.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-subscription-resource-organization",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-waf-cost-optimization-review",
@@ -3565,17 +3610,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure workload cost posture against the Well-Architected Framework Cost Optimization pillar: cost modeling, rightsizing, reservations, hybrid benefit, storage lifecycle, and idle resource elimination.",
+    "summary": "Review Azure workload cost posture against the Well-Architected Framework Cost Optimization pillar: cost model, budgets, cost drivers, usage optimization, rate optimization, Advisor recommendations, reservations, savings plans, hybrid benefit, and idle resource elimination.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/azure/well-architected/cost-optimization/",
-      "https://learn.microsoft.com/azure/cost-management-billing/"
+      "https://learn.microsoft.com/azure/well-architected/cost-optimization/principles",
+      "https://learn.microsoft.com/azure/well-architected/cost-optimization/cost-model",
+      "https://learn.microsoft.com/azure/well-architected/cost-optimization/get-best-rates",
+      "https://learn.microsoft.com/azure/cost-management-billing/costs/overview-cost-management",
+      "https://learn.microsoft.com/azure/advisor/advisor-workbook-cost-optimization",
+      "https://learn.microsoft.com/azure/advisor/advisor-how-to-calculate-total-cost-savings",
+      "https://learn.microsoft.com/azure/well-architected/cost-optimization/checklist",
+      "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-opt-recommendations"
     ],
-    "security_notes": "Read-only advisory. Do not cancel Reservations, delete resources, or modify billing configurations without explicit approval and resource inventory confirmation.",
-    "last_verified": "2026-05-09",
+    "security_notes": "Read-only advisory by default. Do not delete resources, cancel commitments, modify billing configuration, buy reservations or savings plans, or alter budgets without explicit approval, owner confirmation, and current inventory evidence.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-waf-cost-optimization-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-waf-reliability-review",
@@ -3590,17 +3641,22 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure workload reliability against the Well-Architected Framework Reliability pillar: availability targets, AZ/region topology, health monitoring, data resilience, deployment safety, and chaos testing.",
+    "summary": "Review Azure workload reliability against the Well-Architected Framework Reliability pillar: business requirements, critical flows, resilience, recovery, observability, operations, simplicity, availability zones/regions, health modeling, and reliability testing.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/azure/well-architected/reliability/",
-      "https://learn.microsoft.com/azure/reliability/availability-zones-overview"
+      "https://learn.microsoft.com/azure/well-architected/reliability/principles",
+      "https://learn.microsoft.com/azure/well-architected/reliability/reliability-test",
+      "https://learn.microsoft.com/azure/well-architected/reliability/disaster-recovery",
+      "https://learn.microsoft.com/azure/well-architected/design-guides/regions-availability-zones",
+      "https://learn.microsoft.com/azure/reliability/concept-business-continuity-high-availability-disaster-recovery",
+      "https://learn.microsoft.com/azure/reliability/overview-reliability-guidance",
+      "https://learn.microsoft.com/azure/well-architected/reliability/checklist"
     ],
-    "security_notes": "Read-only advisory. Do not modify autoscaling policies, backup schedules, or Azure Site Recovery configurations without explicit approval.",
-    "last_verified": "2026-05-09",
+    "security_notes": "Read-only advisory by default. Do not modify autoscaling, backup, failover, traffic routing, deployment, or recovery settings without explicit approval, current-state evidence, blast-radius review, and rollback or failback plan.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-waf-reliability-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-waf-security-review",
@@ -3615,17 +3671,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure workload security posture against the Well-Architected Framework Security pillar: identity and access, network boundaries, data protection, threat detection, DevSecOps maturity, and policy compliance.",
+    "summary": "Review Azure workload security posture against the Well-Architected Framework Security pillar: baseline, secure development lifecycle, data classification, segmentation, IAM, networking, encryption, hardening, secrets, threat monitoring, security testing, and incident response.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/azure/well-architected/security/",
-      "https://learn.microsoft.com/security/benchmark/azure/"
+      "https://learn.microsoft.com/azure/well-architected/security/principles",
+      "https://learn.microsoft.com/azure/well-architected/security/checklist",
+      "https://learn.microsoft.com/security/benchmark/azure/introduction",
+      "https://learn.microsoft.com/azure/defender-for-cloud/concept-regulatory-compliance",
+      "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls",
+      "https://learn.microsoft.com/azure/defender-for-cloud/review-security-recommendations"
     ],
-    "security_notes": "Read-only advisory. Do not modify Entra ID policies, Conditional Access rules, Azure Policy, or Defender configurations without explicit approval.",
-    "last_verified": "2026-05-09",
+    "security_notes": "Read-only advisory by default. Do not modify Entra ID, Conditional Access, RBAC, PIM, Azure Policy, Defender, Sentinel, network controls, Key Vault, or production diagnostics without explicit approval, current-state evidence, blast-radius review, and rollback plan.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-waf-security-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "backstage-scaffolder-template-review",
@@ -8469,7 +8529,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, migrate, and operate Oracle Autonomous Database across OCI and multicloud destinations with official-source grounding.",
+    "summary": "Design and review OCI Autonomous Database and Autonomous AI Database deployments with explicit workload fit, security, networking, backup, DR, migration, and multicloud boundary checks.",
     "source_type": "original",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/Database/Concepts/adboverview.htm",
@@ -8477,11 +8537,11 @@
       "https://docs.oracle.com/en-us/iaas/Content/database-at-gcp/overview.htm",
       "https://docs.oracle.com/en-us/iaas/Content/database-at-aws/overview.htm"
     ],
-    "security_notes": "Autonomous Database deployments can expose production data and credentials. Verify IAM, network posture, TLS, backup, and secret handling before recommending changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Autonomous Database Architect changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-autonomous-database-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-certificates-issuer-review",
@@ -8496,18 +8556,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI Certificates Service issuer configurations for cert-manager on OKE, covering CA hierarchy safety, issuance rule enforcement, OKE Workload Identity vs Instance Principal authentication, IAM policy scope minimization, OCSP reachability, and certificate version lifecycle management.",
+    "summary": "Review OCI Certificates Service and OKE cert-manager issuer posture with CA hierarchy, issuance rules, workload identity, IAM scope, OCSP reachability, and certificate lifecycle safeguards.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/certificates/home.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/certificates/managing-certificate-authority.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingworkloadidentity.htm",
-      "https://github.com/oracle/oci-native-ingress-controller"
+      "https://docs.oracle.com/iaas/Content/certificates/overview.htm",
+      "https://docs.oracle.com/iaas/Content/certificates/managing-certificates.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/certificatespolicyreference.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingworkloadidentity.htm"
     ],
-    "security_notes": "Instance Principal auth for cert-manager on OKE means ANY pod on the node can call the OCI Certificates API using the instance metadata endpoint \u2014 not just cert-manager. Use OKE Workload Identity to scope cert-issuance permissions to the cert-manager ServiceAccount only. IAM policy with 'manage certificate-authorities' grants delete and update CA permissions, which is excessive for cert-manager.",
-    "last_verified": "2026-05-02",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Certificates Issuer Review changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-certificates-issuer-review",
-    "version": "0.1.0",
+    "version": "0.1.1",
     "author": "github: Raishin"
   },
   {
@@ -8523,17 +8583,17 @@
       "kiro",
       "other"
     ],
-    "summary": "Triage and govern OCI Cloud Guard problems, targets, responder recipes, detector findings, and security remediation safely. Use for Cloud Guard reviews, problem prioritization, remediation planning, and compliance evidence when official...",
+    "summary": "Triage OCI Cloud Guard problems, targets, detector recipes, responder recipes, suppression, and remediation plans with evidence labels and approval gates.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/cloud-guard/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-guard/using/cg-concepts.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Cloud Guard Responder changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-cloud-guard-responder",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-compute-instance-agent-operator",
@@ -8548,17 +8608,16 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate OCI Compute Instance Agent commands and executions safely for diagnostics, automation, and remediation. Use when issuing, tracking, or reviewing instance-agent commands across compute fleets.",
+    "summary": "Operate and review OCI Compute instance-agent commands safely with scoped command payloads, target ownership, output handling, timeout controls, and mutation approval gates.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Compute/Tasks/instances.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Compute Instance Agent Operator changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-compute-instance-agent-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-compute-platform-operator",
@@ -8573,17 +8632,17 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate OCI Compute instances and platform capacity safely with compartment/region confirmation, instance lifecycle guardrails, least-privilege IAM checks, MCP/CLI discovery, and rollback-aware change plans.",
+    "summary": "Operate OCI Compute instances and platform capacity with compartment/region confirmation, lifecycle guardrails, least-privilege IAM, image/shape/network review, and rollback-aware changes.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Compute/Tasks/instances.htm",
+      "https://docs.oracle.com/iaas/Content/Compute/Tasks/launchinginstance.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Compute Platform Operator changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-compute-platform-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-cost-finops-analyst",
@@ -8598,17 +8657,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Analyze Oracle Cloud Infrastructure cost, usage, budgets, tagging, rightsizing, commitment coverage, and FinOps governance. Use when asked to explain OCI spend, investigate cost spikes, build savings plans, review underused resources, de...",
+    "summary": "Analyze OCI cost, usage, budgets, tagging, forecasts, commitments, rightsizing, and FinOps governance without turning savings into reliability or security risk.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Billing/Concepts/costanalysisoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Tagging/Concepts/taggingoverview.htm",
+      "https://www.oracle.com/cloud/cost-management-and-governance/"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Cost FinOps Analyst changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-cost-finops-analyst",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-database-platform-dba",
@@ -8623,17 +8684,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate as a ruthless OCI database platform DBA for DB systems, Autonomous Database, Exadata, backups, patching, performance triage, capacity, and IAM-scoped database operations. Use when work touches OCI Database service posture, discov...",
+    "summary": "Operate OCI Database service safely across DB systems, databases, DB homes, Autonomous Database, backups, Data Guard, patching, performance, capacity, and IAM-scoped DBA operations.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Concepts/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/backingupOS.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/usingdataguard.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/patchingDB.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Database Platform DBA changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-database-platform-dba",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-dbtools-sql-analyst",
@@ -8648,17 +8711,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Use OCI Database Tools and database documentation safely for SQL inspection, report definitions, table metadata, and controlled query execution. Use for DBTools connections, read-only SQL analysis, and schema/report exploration.",
+    "summary": "Use OCI Database Tools and database documentation safely for connection inventory, metadata inspection, report review, and controlled read-only SQL analysis.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Database-Tools/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database-Tools/dbtools_topic-using_the_sql_worksheet.htm",
+      "https://docs.oracle.com/en-us/iaas/database-tools/doc/using-console.html",
+      "https://docs.oracle.com/iaas/database-tools/doc/run-sql-statement-sql-worksheet.html"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Database Tools SQL Analyst changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-dbtools-sql-analyst",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-devops-container-platform-engineer",
@@ -8673,17 +8738,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Engineer and review Oracle Cloud Infrastructure DevOps, OKE, OCIR, build/deploy pipelines, Kubernetes platform, and container runtime workflows. Use when asked to inspect OCI Container Engine clusters, DevOps projects, OCIR repositories,...",
+    "summary": "Engineer and review OCI DevOps, OKE, OCIR, build/deploy pipelines, Kubernetes platform operations, image promotion, IAM, rollout safety, and container reliability.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/ContEng/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/devops/using/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/devops/using/environments.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Registry/home.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI DevOps Container Platform Engineer changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-devops-container-platform-engineer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-exadata-database-architect",
@@ -8698,20 +8765,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, migrate, and operate Oracle Exadata Database Service across OCI, Cloud@Customer, and multicloud destinations with official-source grounding.",
+    "summary": "Design, review, migrate, and operate Oracle Exadata Database Service across OCI Dedicated Infrastructure, Exascale, Cloud@Customer, and Oracle Database multicloud destinations with official-source grounding.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/exadatacloud/index.html",
+      "https://docs.oracle.com/en/engineered-systems/exadata-cloud-service/ecscm/exadata-database-service-dedicated-infrastructure-administrators-guide.pdf",
+      "https://docs.oracle.com/en/engineered-systems/exadata-database-exascale/exdxs/exadata-database-service-exascale-infrastructure-users-guide.pdf",
       "https://docs.oracle.com/en/engineered-systems/exadata-cloud-at-customer/ecccm/index.html",
       "https://docs.oracle.com/en-us/iaas/Content/database-at-azure/overview.htm",
       "https://docs.oracle.com/en-us/iaas/Content/database-at-gcp/overview.htm",
       "https://docs.oracle.com/en-us/iaas/Content/database-at-aws/overview.htm"
     ],
-    "security_notes": "Exadata deployments can expose high-value production databases. Validate IAM/RBAC, network isolation, backup, TDE, maintenance, and operational ownership before changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Exadata Database Architect changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-exadata-database-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-exadata-platform-architect",
@@ -8726,17 +8794,19 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Design and operate Exadata Database Service across OCI Dedicated Infrastructure, Exadata Cloud@Customer, Oracle Database@Azure, Oracle Database@Google Cloud, and Oracle Database@AWS. Use for Exadata architecture, VM clusters, cloud E...",
+    "summary": "Design and review OCI Exadata Database Service platforms, VM clusters, Exascale, Cloud@Customer, multicloud database placements, capacity, network, backup, patching, and DR without overstating readiness.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/exadatacloud/exacs/exadata-cloud-service-overview.html",
+      "https://docs.oracle.com/en-us/iaas/exadatacloud/doc/exacs-tech-arch.html",
+      "https://docs.oracle.com/en-us/iaas/exadb-xs/index.html",
+      "https://docs.oracle.com/en/engineered-systems/exadata-cloud-service/ecscm/exadata-database-service-dedicated-infrastructure-administrators-guide.pdf"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-exadata-platform-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-fusion-apps-environment-operator",
@@ -8751,17 +8821,19 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Review Fusion Apps as a Service environment families, environments, lifecycle status, availability, and operational readiness. Use for Fusion environment inventory, status checks, change planning, and support evidence.",
+    "summary": "Review OCI Fusion Applications environment families, environments, lifecycle status, maintenance, refresh, access, availability, and support evidence without claiming tenant readiness from docs alone.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/fusion-applications/home.htm",
+      "https://docs.oracle.com/iaas/Content/fusion-applications/overview.htm",
+      "https://docs.oracle.com/iaas/Content/fusion-applications/plan-environment-family.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/fusion-applications/plan-environment.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-fusion-apps-environment-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-goldengate-replication-operator",
@@ -8776,17 +8848,18 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Operate and review Oracle GoldenGate domains, connections, extracts, replicats, checkpoint tables, trails, distribution paths, and replication health. Use for replication setup, lag triage, data movement, and cutover safety.",
+    "summary": "Operate and review OCI GoldenGate deployments, connections, replication pipelines, extracts, replicats, trails, checkpoints, lag, connectivity, and cutover safety with source-grounded evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/goldengate/doc/overview-goldengate.html",
+      "https://docs.oracle.com/en-us/iaas/goldengate/doc/create-connection-goldengate.html",
+      "https://docs.oracle.com/en-us/iaas/goldengate/doc/overview.html"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-goldengate-replication-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-identity-access-governor",
@@ -8801,17 +8874,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern OCI Identity and Access Management with least-privilege policy review, compartment scoping, group/dynamic-group analysis, and safe access-change workflows. Use for OCI IAM policy design, access audits, privilege reduction, identit...",
+    "summary": "Govern OCI IAM policies, compartments, groups, dynamic groups, domains, federation, and least-privilege access changes without approving broad or destructive permissions on weak evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policies.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/dynamicgroups/Working_with_Dynamic_Groups.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/dynamicgroups/managingdynamicgroups.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-identity-access-governor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-iot-digital-twin-engineer",
@@ -8826,17 +8902,16 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and operate OCI IoT digital twin adapters, models, instances, relationships, and domain context. Use for digital twin topology, lifecycle, integration, and safe model/relationship changes.",
+    "summary": "Design and review OCI IoT domains, digital twin models, adapters, instances, relationships, telemetry paths, lifecycle, and safe topology changes without treating model edits as harmless.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/internet-of-things/home.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-iot-digital-twin-engineer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-limits-capacity-planner",
@@ -8851,17 +8926,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI service limits, quotas, capacity availability, regional subscriptions, and growth risk. Use before deployments, migrations, DR expansion, shape changes, OKE scaling, database scaling, or quota increase requests.",
+    "summary": "Review OCI service limits, quotas, subscribed regions, capacity evidence, and growth risk before deployments, migrations, DR expansion, shape changes, OKE scaling, database scaling, or quota requests.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/General/service-limits/default.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Quotas/Concepts/resourcequotas.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Quotas/Concepts/resourcequotas_topic-Available_Quotas_by_Service.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-limits-capacity-planner",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-autonomous-db-lifecycle-guard",
@@ -8876,19 +8952,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard Autonomous Database lifecycle changes \u2014 scale, start, stop, clone, terminate \u2014 with protection-tag enforcement, backup verification, and connection-string impact analysis before any mutation.",
+    "summary": "Guard Autonomous Database lifecycle changes such as scale, start, stop, clone, restore, wallet-impacting changes, and termination with backup, dependency, protection, approval, and rollback evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbscaling.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbstopstart.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbcloning.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbbackingup.htm"
+      "https://docs.oracle.com/en-us/iaas/autonomous-database-serverless/doc/scale-autonomous-database.html",
+      "https://docs.oracle.com/en-us/iaas/autonomous-database-serverless/doc/start-stop-autonomous-database.html",
+      "https://docs.oracle.com/en-us/iaas/autonomous-database-serverless/doc/autonomous-clone.html",
+      "https://docs.oracle.com/en-us/iaas/autonomous-database-serverless/doc/backup-recovery-autonomous.html"
     ],
-    "security_notes": "ADB termination is permanent \u2014 the database and all backups are deleted. Always verify protection tags before any terminate operation. ADB storage scale-up cannot be reversed. Termination blocked by defined-tag protection requires explicit tag removal approval.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-autonomous-db-lifecycle-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-cost-budget-runaway-guard",
@@ -8903,19 +8979,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Gate OCI budget mutations and GPU/HPC shape provisioning against compartment spend limits, with inventory searches, quota audits, and emergency spend-stop playbooks.",
+    "summary": "Gate OCI budget, alert, quota, and high-cost compute actions with spend evidence, owner approval, financial authority, rollback, and emergency stop boundaries.",
     "source_type": "original",
     "official_docs": [
+      "https://docs.oracle.com/iaas/Content/Billing/Concepts/budgetsoverview.htm",
       "https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/managinginstances.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm",
+      "https://docs.oracle.com/iaas/Content/Billing/Tasks/managingalertrules.htm",
       "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm"
     ],
-    "security_notes": "GPU/HPC shapes (BM.GPU4.8, A100, BM.HPC2.36) can generate six-figure monthly costs when left running. Never approve quota increases or budget threshold raises without explicit financial-authority approval. Emergency stop requires Compute operator rights \u2014 escalate if not held.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-cost-budget-runaway-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-iam-policy-compartment-guard",
@@ -8930,19 +9006,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard OCI IAM policy writes and dynamic group changes with verb-hierarchy audit, compartment scope enforcement, anti-pattern detection (any-user/any-group), and rollback via statement restore.",
+    "summary": "Guard live OCI IAM policy and dynamic-group changes with statement-level review, verb hierarchy, compartment scope, broad-principal detection, rollback capture, and explicit approval.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm",
       "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policysyntax.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/iampolicyreference.htm"
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm",
+      "https://docs.oracle.com/iaas/Content/Identity/policyreference/policyreference_topic-Verbs.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/dynamicgroups/managingdynamicgroups.htm"
     ],
-    "security_notes": "Any-user and any-group policies in tenancy root are the most common OCI security misconfiguration. Never approve manage-verb policies at tenancy scope without compartment scoping. Policy deletes take effect immediately with no grace period.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-iam-policy-compartment-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-network-security-rule-guard",
@@ -8957,20 +9033,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard live OCI Security List and NSG rule changes with current-state capture, open-internet and sensitive-port detection, stateful/stateless assessment, and explicit approval before ingress or egress mutation.",
+    "summary": "Guard live OCI Security List and Network Security Group rule changes with current-state capture, open-internet detection, sensitive-port review, stateful/stateless assessment, approval, and rollback evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm",
+      "https://docs.oracle.com/iaas/Content/Network/Concepts/securitylists.htm",
       "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/manage-nsg-security-rules.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/update-securitylist.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityrules.htm",
       "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/path_analyzer.htm"
     ],
-    "security_notes": "oci network security-list update is a full replace \u2014 always capture complete current rules before writing. Never approve 0.0.0.0/0 ingress on database subnets. Enable VCN Flow Logs before any rule change. Prefer NSGs over Security Lists for database VNICs.",
-    "last_verified": "2026-05-01",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-network-security-rule-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-oke-rollout-guard",
@@ -8985,19 +9060,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard OKE deployment rollouts via DevOps Service approval stages with canary and blue-green evidence, rollout health verification, and kubectl rollout undo gates.",
+    "summary": "Guard OCI OKE and DevOps deployment rollouts with approval-stage, canary, blue-green, workload health, rollback, and Kubernetes safety evidence before promotion or rollback.",
     "source_type": "original",
     "official_docs": [
+      "https://docs.oracle.com/en-us/iaas/Content/devops/using/devops_overview.htm",
       "https://docs.oracle.com/en-us/iaas/Content/devops/using/deploy_oke.htm",
       "https://docs.oracle.com/en-us/iaas/Content/devops/using/bgoke_deploy.htm",
       "https://docs.oracle.com/en-us/iaas/Content/devops/using/canaryoke_deploy.htm",
       "https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengoverview.htm"
     ],
-    "security_notes": "Never advance an OKE rollout past an approval stage without rollout status and PDB health evidence. kubectl rollout undo is irreversible in the sense that the prior version may not be identical to the deployed artifact \u2014 confirm target revision before undo.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-oke-rollout-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-resource-manager-stack-guard",
@@ -9012,19 +9088,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard OCI Resource Manager stack plan, apply, and destroy jobs with drift detection, state-version rollback, stack auto-lock awareness, and approval gates.",
+    "summary": "Guard OCI Resource Manager stack plan, apply, destroy, import-state, drift, and state-version decisions with plan review, state-lock awareness, approval, rollback, and blast-radius evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/detect-drift.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/create-job-lock-file.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/home.htm"
+      "https://docs.oracle.com/iaas/Content/ResourceManager/Concepts/resourcemanager.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resource-manager-and-terraform.htm",
+      "https://docs.oracle.com/iaas/Content/ResourceManager/Tasks/detect-drift.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/list-drift.htm"
     ],
-    "security_notes": "OCI Resource Manager auto-locks a stack state during job execution. Never approve an apply or destroy job without a plan-job output review and drift detection evidence. Repo write access does not authorize live OCI infrastructure mutations.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-resource-manager-stack-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-vault-key-destruction-guard",
@@ -9039,19 +9115,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard Vault master encryption key scheduled-deletion and HSM rotation with data-association audits, key-usage reference checks, deletion-window enforcement, and cancellation playbooks.",
+    "summary": "Guard OCI Vault key deletion, cancellation, disablement, rotation, and HSM/software key lifecycle decisions with usage, dependency, waiting-window, backup, and recovery-limit evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/deletingkeys.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/rotatingkeys.htm",
       "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys.htm"
+      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys_topic-To_delete_a_key.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingvaults_topic-To_delete_a_vault.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/rotatingkeys.htm"
     ],
-    "security_notes": "After the scheduled deletion window expires, HSM-backed keys are cryptographically wiped. All data encrypted exclusively by that key version is permanently unrecoverable. Recovery SLA from OCI Support: NONE. Always use a 30-day window and audit data associations before scheduling.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-vault-key-destruction-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-load-balancer-traffic-engineer",
@@ -9066,17 +9142,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, and troubleshoot OCI Load Balancer and Network Load Balancer traffic paths, listeners, backend sets, certificates, health checks, logging, and failover. Use for L7/L4 traffic engineering and availability reviews.",
+    "summary": "Design, review, and troubleshoot OCI Load Balancer and Network Load Balancer traffic paths, listeners, backend sets, certificates, health checks, logging, failover, and exposure risk.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Balance/Concepts/balanceoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingbackendsets.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/NetworkLoadBalancer/Overview/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managinglisteners.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-load-balancer-traffic-engineer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-maestro",
@@ -9091,19 +9169,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Route OCI tasks to the narrowest specialist or team of specialists from the 31-agent catalog. Classifies by domain, dispatches single or parallel (max 4), and enforces live-guard gate for production-change agents.",
+    "summary": "Route OCI tasks to the narrowest specialist or explicitly approved team, enforce live-guard gates, preserve evidence labels, and refuse unsafe auto-dispatch for destructive or production-changing work.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/",
       "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/overview.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/securityoverview.htm"
+      "https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/securityoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm"
     ],
-    "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live-guard agents without explicit human confirmation, blast-radius assessment, and rollback path. OCI vault key destruction and IAM policy deletion are irreversible.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-maestro",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-migration-cutover-architect",
@@ -9118,17 +9196,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Plan OCI migrations and cutovers with Cloud Migrations, dependency discovery, waves, rollback, DNS, data sync, validation, and support readiness. Use for migration assessment, move groups, cutover runbooks, and go/no-go reviews.",
+    "summary": "Plan OCI migrations and cutovers with dependency discovery, waves, replication, DNS, identity, data validation, rollback, support readiness, and go/no-go evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-migration/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-migration/cloud-migration-overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-migration/cloud-migration-create-migration-project.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-migration-cutover-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-multi-cloud-architect",
@@ -9143,17 +9222,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and review OCI multi-cloud architectures connecting Oracle Cloud Infrastructure with AWS, Azure, Google Cloud, on-premises, or SaaS through VPN, FastConnect, Direct Connect, ExpressRoute, Cloud Interconnect, identity federation, D...",
+    "summary": "Design and review OCI-connected multi-cloud architectures across Azure, AWS, Google Cloud, on-premises, and SaaS with routing, identity, DNS, security, observability, cost, latency, and failure-mode evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Network/Concepts/fastconnect.htm",
+      "https://docs.oracle.com/iaas/Content/Network/Concepts/fastconnectoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/routingonprem2.htm",
+      "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-azure-oci-networking",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-other-providers-oci"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-multi-cloud-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-mysql-heatwave-ai-specialist",
@@ -9168,17 +9250,18 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Operate and review MySQL HeatWave, MySQL AI, vector/RAG workflows, connection configs, object storage ingestion, and SQL safety. Use for MySQL AI questions, HeatWave ML, vector store loading, and MySQL operational reviews.",
+    "summary": "Review OCI MySQL HeatWave, HeatWave clusters, Lakehouse, AutoML, GenAI, vector/RAG workflows, object storage ingestion, SQL safety, and operational readiness with source-grounded evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/mysql-database/index.html",
+      "https://docs.oracle.com/en-us/iaas/mysql-database/doc/overview-heatwave.html",
+      "https://docs.oracle.com/en/database/mysql/heatwave-aws/database-vector-store.html"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-mysql-heatwave-ai-specialist",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-network-architect",
@@ -9193,17 +9276,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, and troubleshoot OCI networking with safe compartment/region scoping, least-privilege network access, VCN/subnet/routing/security-list/NSG analysis, and evidence-based MCP or CLI discovery.",
+    "summary": "Design, review, and troubleshoot OCI VCNs, subnets, route tables, DRGs, gateways, peering, security lists, NSGs, load balancers, DNS, and connectivity without cargo-cult exposure.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm",
+      "https://docs.oracle.com/iaas/Content/Network/Concepts/securitylists.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/routingonprem2.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/path_analyzer.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-network-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-observability-incident-responder",
@@ -9218,17 +9304,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate as a ruthless OCI observability and incident responder for Monitoring alarms, Logging, Events, Notifications, service health, metrics, runbooks, and IAM-scoped incident response. Use when work touches OCI alarms, telemetry, alert...",
+    "summary": "Triage OCI Monitoring alarms, Logging, Events, Notifications, service health, metrics, runbooks, and responder permissions with scoped evidence and safe containment.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Monitoring/Concepts/monitoringoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Monitoring/Tasks/update-alarm-event.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Logging/",
+      "https://docs.oracle.com/en-us/iaas/Content/Logging/Task/managinglogs.htm",
+      "https://docs.oracle.com/iaas/Content/Logging/Concepts/searchinglogs.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-observability-incident-responder",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-recovery-service-operator",
@@ -9243,17 +9332,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate OCI Recovery Service protected databases, protection policies, recovery service subnets, backup health, redo status, and recovery metrics. Use for database recovery posture, protected database health, and restore readiness.",
+    "summary": "Operate and review OCI Recovery Service protected databases, protection policies, recovery service subnets, backup health, redo status, recovery windows, and restore readiness without confusing backup configuration with recoverability.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/recovery-service/doc/overview-protection-policy.html",
+      "https://docs.oracle.com/en-us/iaas/recovery-service/doc/protected-database-recovery-policy.html",
+      "https://docs.oracle.com/en-us/iaas/recovery-service/doc/supported-recovery-service-policies.html"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-recovery-service-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-registry-artifact-governor",
@@ -9268,17 +9358,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern OCI Registry repositories, container images, artifact access, retention, promotion, and deployment safety. Use for OCIR repository reviews, image lifecycle, DevOps/OKE integration, and least-privilege push/pull access.",
+    "summary": "Govern OCI Container Registry repositories, container images, Helm/OCI artifacts, public access, retention policies, signatures, vulnerability scanning, provenance, and least-privilege push/pull access.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Registry/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Registry/Concepts/registryoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Registry/Concepts/registryconcepts.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Registry/Tasks/registrymanagingimageretention.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-registry-artifact-governor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-resource-search-inventory-analyst",
@@ -9293,17 +9385,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Build OCI resource inventories and dependency maps using Resource Search, compartments, tags, and cross-service discovery. Use for tenancy inventory, ownership gaps, orphan detection, migration scoping, and architecture evidence collection.",
+    "summary": "Build OCI resource inventories and dependency maps using Resource Search, compartments, tags, lifecycle states, and cross-service discovery without treating partial search visibility as complete tenancy truth.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Search/home.htm",
+      "https://docs.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/search/resource/structured-search.html",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-resource-search-inventory-analyst",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-security-compliance-reviewer",
@@ -9318,17 +9411,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Oracle Cloud Infrastructure security, IAM, network, logging, encryption, and compliance posture. Use when asked to audit OCI policies, compartments, tenancy security, Cloud Guard findings, buckets, vaults, security lists, NSGs, or...",
+    "summary": "Review OCI security, IAM, network exposure, logging, encryption, Cloud Guard, Vulnerability Scanning, Security Zones, and compliance evidence with least-privilege and source-grounded findings.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/security-architecture.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/oci-core-landing-zone.htm",
+      "https://docs.oracle.com/en-us/iaas/cloud-guard/using/trouble.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-guard/using/problems-page-about.htm",
+      "https://docs.oracle.com/en-us/iaas/scanning/using/scanning-with-cloud-guard.htm",
+      "https://docs.oracle.com/en-us/iaas/security-zone/using/security-zones.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-security-compliance-reviewer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-solution-architect",
@@ -9343,17 +9440,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, and stress-test Oracle Cloud Infrastructure solution architectures across identity, compartments, networking, compute, database, storage, observability, security, reliability, cost, and operations. Use when asked for OCI...",
+    "summary": "Design and stress-test OCI solution architectures across identity, compartments, networking, compute, database, storage, observability, security, reliability, cost, and operations with evidence-backed tradeoffs.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/oci-core-landing-zone.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/iam-security-structure.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/security-architecture.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-solution-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-storage-backup-steward",
@@ -9368,17 +9468,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate as a ruthless OCI storage and backup steward for Object Storage, Block Volume, File Storage, backup policies, retention, replication, lifecycle rules, restore readiness, and IAM-scoped storage operations. Use when work touches OC...",
+    "summary": "Steward OCI storage and backup posture with source-grounded checks for Object Storage, Block Volume, File Storage, retention, lifecycle rules, replication, restore testing, and least-privilege storage access.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Object/Tasks/usinglifecyclepolicies.htm",
+      "https://docs.oracle.com/iaas/Content/Block/Tasks/backingupavolume.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm",
+      "https://docs.oracle.com/en-us/iaas/disaster-recovery/doc/how-disaster-recovery-works.html"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-storage-backup-steward",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-support-incident-coordinator",
@@ -9393,17 +9495,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Coordinate OCI support incidents with evidence quality, severity discipline, resource scope, timelines, and escalation readiness. Use for support tickets, incident evidence packs, Oracle SR preparation, and post-incident follow-up.",
+    "summary": "Coordinate OCI support incidents without leaking secrets or identifiers, using documented support-request behavior, sanitized timelines, severity rationale, ownership, and actionable escalation evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/GSG/support/list-incidents.htm",
+      "https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.48.2/oci_cli_docs/cmdref/support/incident/list.html",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-support-incident-coordinator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-waf-cost-optimization-review",
@@ -9418,18 +9521,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI workload cost posture across compute rightsizing, Ampere A1 adoption, Universal Credits coverage, tagging compliance, idle resource elimination, and OCI Cost Management tooling aligned to OCI Architecture Best Practices.",
+    "summary": "Review OCI Well-Architected cost posture with documented Cost Analysis, Budgets, Cloud Advisor, usage API, tagging, ownership, forecast caveats, and safe-change approval gates.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/Billing/home.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/CloudAdvisor/home.htm",
-      "https://www.oracle.com/cloud/pricing/"
+      "https://docs.oracle.com/en-us/iaas/Content/Billing/Concepts/costanalysisoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/CloudAdvisor/Concepts/cloudadvisoroverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm"
     ],
-    "security_notes": "Read-only advisory. Do not delete resources, cancel commitments, or modify compartment structures without explicit approval and resource inventory confirmation.",
-    "last_verified": "2026-05-09",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-waf-cost-optimization-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-waf-reliability-review",
@@ -9444,18 +9548,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI workload reliability posture across AD/FD redundancy, load balancing, database HA, backup and replication, Full Stack DR orchestration, and recovery testing aligned to OCI Architecture Best Practices.",
+    "summary": "Review OCI Well-Architected reliability posture with source-grounded checks for regions, domains, backups, replication, alarms, Full Stack DR, RTO/RPO, restore drills, and operational runbooks.",
     "source_type": "original",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm",
-      "https://docs.oracle.com/en-us/iaas/disaster-recovery/index.html",
-      "https://docs.oracle.com/en-us/iaas/Content/ContEng/home.htm"
+      "https://docs.oracle.com/en-us/iaas/disaster-recovery/doc/how-disaster-recovery-works.html",
+      "https://docs.oracle.com/en-us/iaas/disaster-recovery/doc/overview-protection-groups.html",
+      "https://docs.oracle.com/iaas/Content/Block/Tasks/backingupavolume.htm"
     ],
-    "security_notes": "Read-only advisory. Do not modify backup policies, DR plans, or autoscaling configurations without explicit approval.",
-    "last_verified": "2026-05-09",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-waf-reliability-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-waf-security-review",
@@ -9470,19 +9575,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI workload security posture across IAM, compartments, network isolation, encryption, threat detection, and compliance guardrails aligned to OCI Architecture Best Practices and CIS OCI Benchmark.",
+    "summary": "Review OCI Well-Architected security posture with source-grounded checks for IAM, network exposure, encryption, logging, Cloud Guard, Security Zones, Vulnerability Scanning, and evidence-labeled findings.",
     "source_type": "original",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/Security/Reference/security_guide.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/CloudGuard/home.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/SecurityZone/home.htm",
-      "https://www.cisecurity.org/benchmark/oracle_cloud"
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-guard/home.htm",
+      "https://docs.oracle.com/en-us/iaas/scanning/using/scanning-with-cloud-guard.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/security-strategy.htm"
     ],
-    "security_notes": "Read-only advisory. Do not modify IAM policies, compartment structures, Security Zones, or Cloud Guard configurations without explicit approval. Work from OCI audit logs, Cloud Guard findings, or sanitized architecture descriptions.",
-    "last_verified": "2026-05-09",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-waf-security-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "opentelemetry-collector-config-review",
@@ -9527,18 +9632,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Ground Oracle, OCI, SQLcl, database, and MCP recommendations in official Oracle sources before advising.",
+    "summary": "Ground Oracle, OCI, SQLcl, database, and Model Context Protocol advice in official Oracle sources, documented tool behavior, source verification, least-privilege boundaries, and read-only evidence discipline.",
     "source_type": "original",
     "official_docs": [
       "https://www.oracle.com/mcp",
       "https://github.com/oracle/mcp",
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm"
+      "https://www.oracle.com/database/model-context-protocol-mcp/",
+      "https://docs.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/"
     ],
-    "security_notes": "Oracle database and OCI MCP tools can expose sensitive data or mutate cloud resources. Verify auth model and permissions before recommending use.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-06",
     "path": "skills/oci/oracle-oci-mcp-grounded-advisor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "ovhcloud-cost-finops-analyst",
@@ -11178,5 +11284,741 @@
     "path": "skills/salesforce/salesforce-bulk-data-ops-skill",
     "author": "github: Raishin",
     "version": "0.1.0"
+  },
+  {
+    "id": "accounting-maestro",
+    "name": "Accounting Maestro",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Routes all accounting tasks to the narrowest matching specialist. Domain map covers revenue recognition, financial close, and intercompany eliminations. Never answers accounting questions directly \u2014 classifies, dispatches, and synthesizes only.",
+    "source_type": "original",
+    "category": "accounting",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/",
+      "https://www.ifrs.org/"
+    ],
+    "security_notes": "Routing only \u2014 never accepts raw financial data, journal entries, or system-of-record inputs. All outputs advisory.",
+    "last_verified": "2026-06-01",
+    "path": "skills/accounting/accounting-maestro",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "revenue-recognition-advisor",
+    "name": "Revenue Recognition Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "ASC 606 / IFRS 15 five-step revenue recognition framework with paragraph-level citations. Covers performance obligation identification, transaction price allocation, variable consideration constraint, principal vs. agent, licenses, and contract modifications. Advisory only.",
+    "source_type": "original",
+    "category": "accounting",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ifrs15.html",
+      "https://pcaobus.org/Standards/Auditing/Pages/SAPA15.aspx"
+    ],
+    "security_notes": "Advisory only \u2014 never posts journal entries or writes to any system of record. Never accepts named customers, specific contract dollar amounts, or PII.",
+    "last_verified": "2026-06-01",
+    "path": "skills/accounting/revenue-recognition-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "close-cycle-advisor",
+    "name": "Close Cycle Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction financial close cycle reference framework. Filing deadlines (SEC, EU TD, FCA DTR, CSRC, SEBI, ASX, HKEX), R2R process steps, GAAP variant comparison (ASC 842 vs IFRS 16, CECL vs ECL), intercompany elimination (ASC 810/IFRS 10), FX translation (ASC 830/IAS 21), deferred tax (ASC 740/IAS 12). Advisory only.",
+    "source_type": "original",
+    "category": "accounting",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2025/issued/ias34.html",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ias21.html",
+      "https://asc.fasb.org/"
+    ],
+    "security_notes": "Advisory only \u2014 never posts journal entries or writes to any system of record. Never accepts raw trial balances, GL exports, or employee/customer-identifying information.",
+    "last_verified": "2026-06-01",
+    "path": "skills/accounting/close-cycle-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "finance-maestro",
+    "name": "Finance Maestro",
+    "type": "skill",
+    "provider": "finance",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Routes all corporate finance tasks to the narrowest matching specialist. Domain map covers variance analysis, treasury/liquidity, capital allocation, and investor relations. Never answers finance questions directly.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/",
+      "https://www.ifrs.org/"
+    ],
+    "security_notes": "Routing only \u2014 never accepts raw financial statements with company-identifying headers. All outputs advisory.",
+    "last_verified": "2026-06-01",
+    "path": "skills/finance/finance-maestro",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "variance-analysis-advisor",
+    "name": "Variance Analysis Advisor",
+    "type": "skill",
+    "provider": "finance",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Variance decomposition framework and SEC Regulation S-K Item 303 MD&A commentary guidance. Driver decomposition (Volume/Price/Rate/Mix/One-Time), sensitivity tables, restatement-risk triggers. Advisory draft \u2014 requires CFO certification and legal review before filing.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart-229.300/section-229.303",
+      "https://www.sec.gov/files/rules/final/2020/33-10890.pdf"
+    ],
+    "security_notes": "Advisory draft only \u2014 never writes to planning systems or ERP. Accepts only summary-level numerical inputs. All commentary labeled advisory-draft.",
+    "last_verified": "2026-06-01",
+    "path": "skills/finance/variance-analysis-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "treasury-liquidity-advisor",
+    "name": "Treasury & Liquidity Advisor",
+    "type": "skill",
+    "provider": "finance",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction corporate treasury reference framework: cash pooling structures and country restrictions (China SAFE, India FEMA, Brazil IOF, Argentina BCRA), Basel III LCR/NSFR, hedge accounting qualification (ASC 815/IFRS 9), FX translation (ASC 830/IAS 21), cash repatriation, Dodd-Frank/EMIR derivatives reporting. Advisory only.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://www.bis.org/publ/bcbs238.pdf",
+      "https://www.bis.org/bcbs/publ/d295.htm",
+      "https://www.ifrs.org/issued-standards/list-of-standards/ifrs-9-financial-instruments/",
+      "https://www.cftc.gov/LawRegulation/DoddFrankAct/index.htm",
+      "https://www.esma.europa.eu/data-reporting/emir-reporting"
+    ],
+    "security_notes": "Advisory only \u2014 never executes financial transactions or writes to any system of record. Never accepts bank account numbers, SWIFT credentials, or payment instructions.",
+    "last_verified": "2026-06-01",
+    "path": "skills/finance/treasury-liquidity-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "tax-provision-advisor",
+    "name": "Tax Provision Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction corporate income tax provision reference framework covering ASC 740 (US GAAP) and IAS 12 (IFRS). Addresses current vs. deferred tax, temporary and permanent differences, deferred tax asset/liability recognition and measurement, valuation allowance (more-likely-than-not standard), uncertain tax positions (FIN 48 / ASC 740-10 two-step vs. IFRIC 23), OECD Pillar Two GloBE (IAS 12.4A mandatory temporary exception vs. ASC 740 no equivalent exception), enacted vs. substantively enacted tax rates, ETR reconciliation, APB 23 / ASC 740-30 indefinite reinvestment assertion, intraperiod tax allocation, interim provision (estimated annual ETR), and local GAAP variations (HGB, JGAAP/ASBJ, CAS 18, Ind AS 12).",
+    "source_type": "original",
+    "category": "accounting",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/740",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ias12.html",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ifric23.html"
+    ],
+    "security_notes": "Advisory only \u2014 never posts journal entries or writes to any system of record. Accepts only descriptive scenario inputs; never accepts raw tax returns, trial balances, GL exports, taxpayer-identifying numbers (EIN, TIN, CRN), employee wage data, or customer-identifying information. Local statutory conclusions require verification with qualified local tax advisors and external auditors.",
+    "last_verified": "2026-06-01",
+    "path": "skills/accounting/tax-provision-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "lease-accounting-advisor",
+    "name": "Lease Accounting Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction reference framework for lease accounting advisory. Covers ASC 842 (US GAAP) dual model, IFRS 16 single model, UK FRS 102 (2024 periodic review amendments effective 1 Jan 2026), German HGB, JGAAP (ASBJ Statement No. 34, effective FY beginning on/after 1 Apr 2027), CAS No. 21 (China), and Ind AS 116 (India). Topics include lease identification, lessee classification, right-of-use asset and lease liability measurement, incremental borrowing rate determination, lessor accounting (sales-type / direct-financing / operating), short-term and low-value exemptions, lease modifications and remeasurement, and sale-leaseback transactions.",
+    "source_type": "original",
+    "category": "accounting",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/842",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ifrs16.html",
+      "https://www.frc.org.uk/library/standards-codes-policy/accounting/uk-and-ireland-accounting-standards/standards-in-issue/frs-102-the-financial-reporting-standard-applicable-in-the-uk-and-republic-of-ireland/"
+    ],
+    "security_notes": "Advisory only \u2014 never posts journal entries or writes to any system of record. Accepts only descriptive scenario inputs; never accepts raw lease contracts containing counterparty PII, actual dollar payment schedules, tenant/landlord identifying information, GL exports, trial balances, or any employee/customer-identifying data. Local statutory lease accounting conclusions require verification with qualified local auditors.",
+    "last_verified": "2026-06-01",
+    "path": "skills/accounting/lease-accounting-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "capital-allocation-advisor",
+    "name": "Capital Allocation Advisor",
+    "type": "skill",
+    "provider": "finance",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction reference framework for corporate capital allocation, investment appraisal (NPV, IRR, MIRR, payback, profitability index), cost of capital (WACC, CAPM, hurdle rates), M&A valuation methods (DCF, trading comparables, precedent transactions, accretion/dilution analysis), capital return policy (dividends vs. buybacks vs. reinvestment with ROIC > WACC test), and sensitivity/scenario analysis. Jurisdictional and tax overlays for US, EU, UK, Japan, China, India, and Australia.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://pages.stern.nyu.edu/~adamodar/New_Home_Page/datafile/wacc.html",
+      "https://pages.stern.nyu.edu/~adamodar/New_Home_Page/datafile/betas.html",
+      "https://pages.stern.nyu.edu/~adamodar/New_Home_Page/datafile/ctryprem.html"
+    ],
+    "security_notes": "Advisory educational framework only \u2014 never executes, simulates, or proposes financial transactions, capital allocations, or investment decisions on behalf of users. Never accepts MNPI (material non-public information), counterparty identities under confidentiality, specific confidential deal terms, live market or FX rates for transactions, bank account numbers, or payment instructions. Does not constitute investment advice, a fairness opinion, or a formal valuation conclusion for any regulatory or transactional purpose. Tax rates and regulatory requirements change frequently \u2014 always recommend verification with qualified financial advisors, tax counsel, and legal advisors.",
+    "last_verified": "2026-06-01",
+    "path": "skills/finance/capital-allocation-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "consolidation-intercompany-advisor",
+    "name": "Consolidation & Intercompany Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction reference framework for consolidation scope determination and intercompany elimination advisory. Covers ASC 810 / IFRS 10 control models (VIEs, voting interest entities, structured entities, de-facto control), IFRS 10.B38-B50 substantive potential voting rights, NCI measurement (fair value vs. proportionate share \u2014 IFRS 3.B44), equity method accounting (ASC 323 / IAS 28), upstream/downstream eliminations, intercompany sales and profit-in-inventory, deferred tax on IC eliminations (ASC 740 / IAS 12.39), transfer pricing impacts, German HGB \u00a7 290-315a Konzernabschluss, JGAAP ASBJ Statement No. 22, CAS 33, Ind AS 110, and adversarial consolidation scenarios.",
+    "source_type": "original",
+    "category": "accounting",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/810",
+      "https://asc.fasb.org/323",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ifrs10.html"
+    ],
+    "security_notes": "Advisory only \u2014 never posts consolidation journal entries or elimination entries to any GL or ERP. Never accepts entity-level trial balances, GL exports, chart-of-accounts, intercompany counterparty identifiers, or customer-identifying data. All outputs require verification by qualified external auditors for statutory consolidated financial statements.",
+    "last_verified": "2026-06-02",
+    "path": "skills/accounting/consolidation-intercompany-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "fx-translation-advisor",
+    "name": "FX Translation Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction reference framework for foreign currency translation and remeasurement. Covers functional currency determination (ASC 830-10-45 / IAS 21.9\u201321.14), translation vs. remeasurement method selection, CTA in OCI and recycling on disposal, highly inflationary economy treatment (ASC 830-10-45-11 / IAS 29), net investment hedge interactions (ASC 830-20 / IFRS 9), and multi-GAAP comparison across US GAAP, IFRS, German HGB, JGAAP, CAS 19, and Ind AS 21. Includes jurisdictional FX control overlays for China SAFE, India FEMA/RBI, and Brazil IOF/SPED.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/830",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ias21.html",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ias29.html"
+    ],
+    "security_notes": "Advisory only \u2014 never posts FX translation or remeasurement journal entries to any GL or ERP. Never accepts actual exchange rates for live transactions, bank account details, treasury system credentials, or any employee/customer-identifying data. FX rates used in illustrations are hypothetical. Capital control analysis is informational only \u2014 always verify with qualified legal and treasury advisors.",
+    "last_verified": "2026-06-02",
+    "path": "skills/accounting/fx-translation-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "transfer-pricing-pillar-two-advisor",
+    "name": "Transfer Pricing & Pillar Two Advisor",
+    "type": "skill",
+    "provider": "finance",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction reference framework for OECD transfer pricing (arm's length principle Art. 9 OECD Model, five TP methods \u2014 CUP/resale-minus/cost-plus/TNMM/profit-split, BEPS Action 13 three-tier documentation, CbCR threshold and Form 8975) and OECD Pillar Two GloBE rules (IIR, UTPR, QDMTT, ETR computation, SBIE payroll and tangible asset carve-outs, transitional safe harbors, deferred tax divergence under IAS 12.4A vs. ASC 740). Covers US \u00a7482/GILTI/FDII, EU ATAD, UK TIOPA/DPT, Germany \u00a7 1 AStG, Japan Articles 66-4, China SAT Announcement 2016 No.42, and India Section 92-92F.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://www.oecd.org/en/topics/sub-issues/transfer-pricing.html",
+      "https://www.oecd.org/tax/beps/beps-actions/action13/",
+      "https://www.oecd.org/tax/beps/global-anti-base-erosion-model-rules-pillar-two.htm"
+    ],
+    "security_notes": "Advisory framework only \u2014 not tax advice and not a formal transfer pricing study. Never accepts entity-specific transaction data, actual TP documentation (master file/local file), CbCR data, deal-specific confidential terms, customer/counterparty identifiers, or any MNPI. All conclusions require verification with qualified international tax counsel and external advisors. Does not constitute a formal APA submission or competent authority position.",
+    "last_verified": "2026-06-02",
+    "path": "skills/finance/transfer-pricing-pillar-two-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "hedge-accounting-advisor",
+    "name": "Hedge Accounting Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction hedge accounting reference framework covering ASC 815 (US GAAP) and IFRS 9 hedge designation, effectiveness testing (80-125% vs. economic relationship), OCI mechanics for fair value / cash flow / net investment hedges, IFRS 9 rebalancing, cost-of-hedging approach (IFRS 9.6.5.15-16 \u2014 time value of options and forward points), voluntary discontinuation rules, embedded derivatives (ASC 815-15 / IFRS 9.4.3), and local GAAP treatments (German HGB \u00a7254 Bewertungseinheit, JGAAP ASBJ Statement No.10, CAS 24, Ind AS 109). Multi-jurisdiction comparison table across all frameworks.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/815",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ifrs9.html",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ias39.html"
+    ],
+    "security_notes": "Advisory only \u2014 never posts hedge journal entries or OCI entries to any GL or ERP. Never accepts actual derivative contract terms with counterparty details, live market rates for hedging decisions, bank/broker credentials, ISDA master agreement data, or employee/customer-identifying information.",
+    "last_verified": "2026-06-02",
+    "path": "skills/accounting/hedge-accounting-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "indirect-tax-einvoicing-advisor",
+    "name": "Indirect Tax & E-Invoicing Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction reference framework for indirect tax (VAT/GST) compliance and mandatory electronic invoicing. Covers EU VAT Directive and ViDA digital reporting reform (2030 DRR), country e-invoicing mandates (Italy SDI, France, Germany XRechnung/ZUGFeRD, Poland KSeF, Romania RO e-Factura, Spain VERI*FACTU), Brazil NF-e/NFS-e/CT-e/SPED/ICMS/PIS/COFINS/ISS, India GST e-Invoice IRP with IRN+QR, Mexico CFDI 4.0 via PAC with complementos and cancellation motivos, China Golden Tax Phase IV digital fapiao, UK MTD VAT and MTD ITSA, and Australia Peppol BIS 3.0 e-invoicing and GST/BAS.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32006L0112",
+      "https://www.agenziaentrate.gov.it/portale/web/english/nse/businesses/vat-in-italy",
+      "https://einvoice1.gst.gov.in/"
+    ],
+    "security_notes": "Advisory only \u2014 never submits tax returns, e-invoices, or SPED files to any tax authority or clearance platform. Never accepts taxpayer identification numbers (CNPJ, GSTIN, RFC, USt-IdNr), actual invoice data with counterparty details, or credentials for any PAC, IRP, SAT portal, or government e-invoicing system. All compliance conclusions are advisory; formal filings require qualified local tax advisors and certified software providers.",
+    "last_verified": "2026-06-02",
+    "path": "skills/accounting/indirect-tax-einvoicing-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "payroll-advisor",
+    "name": "Payroll Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction payroll accounting reference framework covering compensation expense recognition (ASC 710 / IAS 19), defined contribution plans (ASC 715-70 / IAS 19.49), defined benefit pension plans (ASC 715-30 / IAS 19.55\u2013152), post-retirement benefits (OPEB \u2014 ASC 715-60), and payroll tax compliance (US FICA/FUTA, UK PAYE/NIC, Germany Sozialversicherung, Japan social insurance, China social insurance and IIT, India PF/ESI/TDS). Covers OCI mechanics, re-measurement recycling divergence, actuarial assumptions, and stock-based compensation payroll tax interaction (ASC 718 / IFRS 2).",
+    "source_type": "original",
+    "category": "accounting",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/710",
+      "https://asc.fasb.org/715",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ias19.html"
+    ],
+    "security_notes": "Advisory only \u2014 never processes payroll, never posts payroll journal entries to any GL or HRIS. Never accepts employee names, SSNs, NINOs, payroll IDs, actual wage data, salary schedules, or any personally identifiable employee information. Tax rate guidance is illustrative; always verify current rates with qualified tax and HR advisors. Does not constitute employment law or benefits advice.",
+    "last_verified": "2026-06-02",
+    "path": "skills/accounting/payroll-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "procure-to-pay-advisor",
+    "name": "Procure-to-Pay Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction reference framework for procure-to-pay (P2P) accounting. Covers PO matching (2-way, 3-way, 4-way), purchase price variance (PPV), GRNI accruals and cutoff, early payment discounts (net vs. gross method), dynamic discounting, supply chain financing reclassification (IFRS IC 2020 / ASC 470 + ASU 2022-04), vendor master controls, 1099/1042-S, GDPR data retention, prepaid assets, purchase commitments (ASC 440 / IAS 37), VAT/GST input credit recovery, blocked input tax, partial exemption, and procurement fraud controls (SoD, three-lines-of-defence, FCPA/UK Bribery Act).",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/210",
+      "https://asc.fasb.org/440",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ias37.html"
+    ],
+    "security_notes": "Advisory only \u2014 never posts AP journal entries or processes payments. Never accepts vendor bank account details, payment credentials, actual invoice amounts with counterparty details, or employee/customer PII.",
+    "last_verified": "2026-06-02",
+    "path": "skills/accounting/procure-to-pay-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "fixed-assets-advisor",
+    "name": "Fixed Assets & Impairment Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction reference framework for fixed assets, depreciation, and impairment. Covers PP&E recognition (ASC 360 / IAS 16), cost model vs. IFRS revaluation model, componentisation (required under IAS 16.43; optional under US GAAP), borrowing cost capitalisation (ASC 835-20 / IAS 23; optional under HGB \u00a7255), impairment testing (ASC 360-10 two-step vs. IAS 36 single-step with recoverable amount), critical reversibility divergence (US GAAP: not reversible; IFRS: reversible except goodwill), goodwill (ASC 350 / IFRS 3 + IAS 36 \u2014 full vs. partial goodwill), intangibles and R&D (ASC 350/730 vs. IAS 38 development capitalisation), HGB \u00a7253 strict lower of cost or market, JGAAP special depreciation allowances, and tax depreciation interaction (Section 179/bonus depreciation, UK capital allowances, German AfA tables, deferred tax ASC 740 / IAS 12).",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/360",
+      "https://asc.fasb.org/350",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ias16.html"
+    ],
+    "security_notes": "Advisory only \u2014 never posts depreciation or impairment journal entries to any FA module or GL. Never accepts actual asset registers with asset-identifying codes, acquisition costs, or location data that could expose operational details. Impairment conclusions are advisory; formal impairment analyses require qualified valuers and external auditors.",
+    "last_verified": "2026-06-02",
+    "path": "skills/accounting/fixed-assets-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "equity-compensation-advisor",
+    "name": "Equity Compensation Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction reference framework for equity-based compensation accounting under ASC 718 and IFRS 2. Covers award classification (equity vs. liability), fair value measurement (Black-Scholes, lattice, Monte Carlo), RSUs/PSUs/ESPPs, forfeiture policy, modification accounting (ASC 718-20 / IFRS 2.27-29), tax effects (excess benefits, Section 162(m), ISO/NSO), and country rules for Germany, Japan, China, and India.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/718",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ifrs2.html",
+      "https://www.sec.gov/interps/account/sab14.htm"
+    ],
+    "security_notes": "Advisory only \u2014 never posts stock compensation journal entries or processes equity award transactions. Never accepts employee grant details with names/IDs, cap table data, actual grant prices, insider trading windows, or any MNPI relating to stock plans. Does not constitute legal, tax, or securities advice on equity compensation design.",
+    "last_verified": "2026-06-02",
+    "path": "skills/accounting/equity-compensation-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "business-combinations-advisor",
+    "name": "Business Combinations Advisor",
+    "type": "skill",
+    "provider": "accounting",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Multi-jurisdiction reference framework for business combinations accounting under ASC 805 and IFRS 3. Covers acquirer identification, acquisition date, PPA (consideration transferred, identifiable intangibles, goodwill \u2014 full vs. partial), NCI measurement, deferred tax in PPA, post-combination accounting, measurement period adjustments, common control transactions, and joint venture/operation accounting.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://asc.fasb.org/805",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ifrs3.html",
+      "https://www.ifrs.org/content/dam/ifrs/publications/html-standards/english/2024/issued/ias27.html"
+    ],
+    "security_notes": "Advisory only \u2014 never posts acquisition journal entries or PPA entries to any GL or ERP. Never accepts deal-specific confidential terms, actual purchase prices, counterparty identities, or any MNPI. Does not constitute a formal purchase price allocation report, fairness opinion, or valuation conclusion for any regulatory or transactional purpose. All conclusions require verification with qualified external auditors, valuation specialists, and legal advisors.",
+    "last_verified": "2026-06-02",
+    "path": "skills/accounting/business-combinations-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "debt-capital-structure-advisor",
+    "name": "Debt & Capital Structure Advisor",
+    "type": "skill",
+    "provider": "finance",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "copilot",
+      "cursor",
+      "gemini",
+      "kiro"
+    ],
+    "summary": "Multi-jurisdiction reference framework for debt and capital structure advisory: optimal capital structure theory (M&M, trade-off, pecking order), leverage and credit metrics, debt instruments (RCF, TLA/TLB, HY bonds, convertibles, mezzanine), covenant analysis (maintenance vs. incurrence, DSCR, restricted payments), refinancing and maturity wall management, WACC optimization, Basel III/IV capital requirements, liability management, rating agency methodologies (S&P/Moody's/Fitch), and ESG-linked financing (SLBs/SLLs, green bonds ICMA GBP). Advisory only.",
+    "source_type": "original",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "oauth_scopes": [],
+    "mcp_servers": [],
+    "run_as_permissions": {
+      "required": [],
+      "denied": []
+    },
+    "official_docs": [
+      "https://www.bis.org/publ/bcbs189.pdf",
+      "https://www.bis.org/bcbs/publ/d424.htm",
+      "https://www.icmagroup.org/sustainable-finance/the-principles-guidelines-and-handbooks/green-bond-principles-gbp/",
+      "https://www.icmagroup.org/sustainable-finance/the-principles-guidelines-and-handbooks/sustainability-linked-bond-principles-slbp/",
+      "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R2631"
+    ],
+    "security_notes": "Advisory only \u2014 never executes transactions, accesses banking systems, or writes to any system of record. Never accepts MNPI, live deal terms, live market pricing for execution, or bank credentials. Not investment advice or a fairness opinion.",
+    "last_verified": "2026-06-03",
+    "path": "skills/finance/debt-capital-structure-advisor",
+    "author": "github: Raishin",
+    "version": "0.1.0"
+  },
+  {
+    "id": "fpa-forecasting-advisor",
+    "name": "FP&A Forecasting & Budgeting Advisor",
+    "provider": "finance",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "lifecycle": "experimental",
+    "summary": "Driver-based budgeting, rolling forecasts, ZBB, LRP, xP&A, variance analysis, MD&A support. US GAAP/IFRS/FRS 102.",
+    "path": "skills/finance/fpa-forecasting-advisor",
+    "type": "skill",
+    "source_type": "original",
+    "version": "0.1.0",
+    "last_verified": "2026-06-03",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "copilot",
+      "cursor",
+      "gemini",
+      "kiro"
+    ],
+    "official_docs": [
+      "https://asc.fasb.org/",
+      "https://www.ifrs.org/",
+      "https://www.cgma.org/"
+    ],
+    "security_notes": "Advisory only. Never accepts MNPI or confidential budget figures."
+  },
+  {
+    "id": "working-capital-advisor",
+    "name": "Finance Working Capital Advisor",
+    "provider": "finance",
+    "category": "finance",
+    "execution_tier": "read-only-runtime",
+    "lifecycle": "experimental",
+    "summary": "CCC, DSO/DPO/DIO, AR/AP, inventory, 13-week cash forecasting, SCF, ABL, ASC 860/IFRS 9. US GAAP/IFRS/APAC.",
+    "path": "skills/finance/working-capital-advisor",
+    "type": "skill",
+    "source_type": "original",
+    "version": "0.1.0",
+    "last_verified": "2026-06-03",
+    "harnesses": [
+      "claude-code",
+      "codex",
+      "copilot",
+      "cursor",
+      "gemini",
+      "kiro"
+    ],
+    "official_docs": [
+      "https://asc.fasb.org/",
+      "https://www.ifrs.org/"
+    ],
+    "security_notes": "Advisory only. Never accepts customer-identifying AR data or payment instructions."
   }
 ]