npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.8.0 → 2.9.0 - Mend

@raishin/vanguard-frontier-agentic 2.8.0 → 2.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1724) hide show

package/catalog/skills.json CHANGED Viewed

@@ -1275,7 +1275,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Build, test, migrate, and deploy Amazon Bedrock AgentCore code-based agents and harness workflows with runtime, policy, environment/skills, Memory, Gateway, Identity, Observability, Browser, Code Interpreter, and security guidance loaded progressively.",
+    "summary": "Build, test, migrate, and deploy Amazon Bedrock AgentCore code-based agents and harness workflows with runtime, policy, environment/skills/filesystems, Memory, Gateway, Identity, Observability, Browser, Code Interpreter, Evaluations, Registry, Payments, and security guidance loaded progressively.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/develop-agents.html",
@@ -1290,19 +1290,31 @@
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability-configure.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability-service-provided.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/browser-tool.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/evaluations.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/registry.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/payments.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-tools.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-filesystem-configurations.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-header-allowlist.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-sessions.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-mcp-elicitation.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-mcp-sampling.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-mcp-progress.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-mcp-logging.html",
+      "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/long-term-memory-metadata.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-create-policies.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-core-concepts.html",
       "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-operations.html"
     ],
-    "security_notes": "Do not hardcode credentials, tokens, client secrets, account IDs, or customer data. Prefer AgentCore Identity/Gateway for managed credentials, enforce Cedar policy where Gateway is used, verify region and preview-feature constraints, keep least-privilege roles, and require explicit approval before deployment or tool-exposure changes.",
+    "security_notes": "Do not hardcode credentials, tokens, client secrets, account IDs, or customer data. Prefer AgentCore Identity/Gateway for managed credentials, enforce Cedar policy where Gateway is used, govern MCP sessions/streaming/elicitation/sampling, verify region/API and preview-feature constraints, keep least-privilege roles, review filesystem mounts and payment spending controls, and require explicit approval before deployment or tool-exposure changes.",
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-agentcore",
     "author": "github: Raishin",
-    "version": "0.1.6"
+    "version": "0.1.8"
   },
   {
     "id": "aws-api-edge-delivery-review",
@@ -1329,7 +1341,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-api-edge-delivery-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-bedrock-agent-security-governor",
@@ -1356,7 +1368,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-bedrock-agent-security-governor",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-change-impact-advisor",
@@ -1383,7 +1395,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-change-impact-advisor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-ci-cd-release-engineer",
@@ -1410,7 +1422,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-ci-cd-release-engineer",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-compliance-evidence-mapper",
@@ -1437,7 +1449,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-compliance-evidence-mapper",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-cost-anomaly-watch-coordinator",
@@ -1464,7 +1476,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-cost-anomaly-watch-coordinator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-cost-optimization-governor",
@@ -1491,7 +1503,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-cost-optimization-governor",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-daily-operations-briefing-coordinator",
@@ -1518,7 +1530,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-daily-operations-briefing-coordinator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-data-protection-backup-steward",
@@ -1545,7 +1557,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-data-protection-backup-steward",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-deployment-hotfix-operator",
@@ -1570,7 +1582,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-deployment-hotfix-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-devops-agent-skill-designer",
@@ -1597,7 +1609,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-devops-agent-skill-designer",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-dynamodb-data-modeling-performance-review",
@@ -1624,7 +1636,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-dynamodb-data-modeling-performance-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-ec2-compute-operations-steward",
@@ -1651,7 +1663,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-ec2-compute-operations-steward",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-ecs-fargate-platform-operator",
@@ -1678,7 +1690,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-ecs-fargate-platform-operator",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-ecs-service-remediation-operator",
@@ -1704,7 +1716,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-ecs-service-remediation-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-eks-platform-operator",
@@ -1731,7 +1743,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-eks-platform-operator",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-event-driven-architecture-review",
@@ -1758,7 +1770,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-event-driven-architecture-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-generative-ai-developer",
@@ -1789,7 +1801,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-generative-ai-developer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "aws-iac-change-safety-review",
@@ -1816,7 +1828,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-iac-change-safety-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-iac-patch-executor",
@@ -1842,7 +1854,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-iac-patch-executor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-iam-least-privilege-review",
@@ -1869,7 +1881,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-iam-least-privilege-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-kms-secrets-lifecycle-steward",
@@ -1896,7 +1908,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-kms-secrets-lifecycle-steward",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-landing-zone-governor",
@@ -1923,7 +1935,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-landing-zone-governor",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-live-deployment-guarded-operator",
@@ -1950,7 +1962,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-live-deployment-guarded-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "aws-live-ecs-rollout-guard",
@@ -1977,7 +1989,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-live-ecs-rollout-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "aws-live-iac-change-guard",
@@ -2005,7 +2017,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-live-iac-change-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "aws-live-pipeline-approval-operator",
@@ -2032,7 +2044,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-live-pipeline-approval-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "aws-live-serverless-release-guard",
@@ -2059,7 +2071,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-live-serverless-release-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "aws-maestro",
@@ -2087,7 +2099,7 @@
     "last_verified": "2026-04-30",
     "path": "skills/aws/aws-maestro",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "aws-migration-cutover-architect",
@@ -2114,7 +2126,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-migration-cutover-architect",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-network-architect",
@@ -2143,7 +2155,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-network-architect",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-non-destructive-task-automation-advisor",
@@ -2170,7 +2182,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-non-destructive-task-automation-advisor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-observability-incident-responder",
@@ -2197,7 +2209,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-observability-incident-responder",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-pipeline-fix-operator",
@@ -2223,7 +2235,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-pipeline-fix-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-private-ca-issuer-review",
@@ -2250,7 +2262,7 @@
     "security_notes": "Using a Root CA ARN in AWSPCAIssuer exposes the root of trust directly to cert-manager. A SubordinateCACertificate template allows cert-manager to issue intermediate CAs, enabling an attacker with cert-manager IRSA access to create a shadow CA trusted by the entire corporate PKI. IRSA role must exclude acm-pca:DeleteCertificateAuthority and acm-pca:CreateCertificateAuthority.",
     "last_verified": "2026-05-02",
     "path": "skills/aws/aws-private-ca-issuer-review",
-    "version": "0.1.0",
+    "version": "0.1.4",
     "author": "github: Raishin"
   },
   {
@@ -2278,7 +2290,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-rds-aurora-performance-investigator",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-resilience-bcdr-review",
@@ -2305,7 +2317,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-resilience-bcdr-review",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-s3-data-perimeter-governor",
@@ -2332,7 +2344,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-s3-data-perimeter-governor",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-security-posture-hardening",
@@ -2359,7 +2371,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-security-posture-hardening",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-serverless-production-readiness",
@@ -2386,7 +2398,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-serverless-production-readiness",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-serverless-rollout-corrector",
@@ -2412,7 +2424,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-serverless-rollout-corrector",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-solution-architect",
@@ -2440,7 +2452,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-solution-architect",
     "author": "github: Raishin",
-    "version": "0.1.2"
+    "version": "0.1.4"
   },
   {
     "id": "aws-ticket-triage-escalation-coordinator",
@@ -2467,7 +2479,7 @@
     "last_verified": "2026-04-29",
     "path": "skills/aws/aws-ticket-triage-escalation-coordinator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "aws-waf-cost-optimization-review",
@@ -2492,7 +2504,7 @@
     "last_verified": "2026-05-09",
     "path": "skills/aws/aws-waf-cost-optimization-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "aws-waf-reliability-review",
@@ -2517,7 +2529,7 @@
     "last_verified": "2026-05-09",
     "path": "skills/aws/aws-waf-reliability-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "aws-waf-security-review",
@@ -2542,7 +2554,7 @@
     "last_verified": "2026-05-09",
     "path": "skills/aws/aws-waf-security-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "azure-ai-foundry-ops-governor",
@@ -2569,13 +2581,16 @@
       "https://learn.microsoft.com/en-us/azure/foundry/how-to/quota",
       "https://learn.microsoft.com/en-us/azure/foundry/foundry-models/quotas-limits",
       "https://learn.microsoft.com/en-us/azure/foundry/foundry-models/how-to/monitor-models",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
+      "https://learn.microsoft.com/azure/foundry/mcp/security-best-practices",
+      "https://learn.microsoft.com/azure/foundry/mcp/available-tools",
+      "https://learn.microsoft.com/security/benchmark/azure/baselines/azure-ai-foundry-security-baseline"
     ],
-    "security_notes": "Keep Foundry resource governance separate from project developer isolation, prefer Entra ID over key-based auth, verify quota and diagnostics before rollout, and treat MCP mutations as higher risk than read-only discovery, especially because hosted Foundry MCP security guidance documents preview and public-endpoint limitations.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Keep Foundry resource governance separate from project developer isolation, prefer Entra ID over key-based auth, verify quota and diagnostics before rollout, and treat tool-backed mutations as higher risk than read-only discovery, especially because hosted Foundry MCP capability security guidance documents preview and public-endpoint limitations.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-ai-foundry-ops-governor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-aks-platform-operator",
@@ -2599,13 +2614,15 @@
       "https://learn.microsoft.com/en-us/azure/aks/upgrade-options",
       "https://learn.microsoft.com/en-us/azure/aks/upgrade-conceptual",
       "https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview",
-      "https://learn.microsoft.com/en-us/azure/aks/network-policy-best-practices"
+      "https://learn.microsoft.com/en-us/azure/aks/network-policy-best-practices",
+      "https://learn.microsoft.com/en-us/azure/aks/best-practices-app-cluster-reliability",
+      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-kubernetes-service"
     ],
     "security_notes": "Do not wave through AKS as production ready without explicit upgrade, rollback, workload identity, traffic-control, subnet-capacity, and observability evidence. Treat flat pod networking, static secrets, and untested drain behavior as high-risk.",
-    "last_verified": "2026-04-27",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-aks-platform-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-app-service-production-readiness",
@@ -2638,18 +2655,19 @@
       "https://learn.microsoft.com/en-us/azure/app-service/configure-zone-redundancy",
       "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
       "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-app-service"
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-app-service",
+      "https://learn.microsoft.com/en-us/azure/architecture/web-apps/app-service/architectures/baseline-zone-redundant"
     ],
-    "security_notes": "Do not confuse plan SKU with readiness, public access restrictions with true private ingress, or backup configuration with recovery readiness. Prefer managed identity and Key Vault references over embedded secrets, treat app settings as sensitive, and do not invent unsupported Azure MCP namespaces or operations.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not confuse plan SKU with readiness, public access restrictions with true private ingress, or backup configuration with recovery readiness. Prefer managed identity and Key Vault references over embedded secrets, treat app settings as sensitive, and do not invent unsupported configured Azure evidence namespaces or operations.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-app-service-production-readiness",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-cosmosdb-application-developer",
     "name": "Azure Cosmos DB Application Developer",
-    "version": "0.1.0",
+    "version": "0.1.3",
     "type": "skill",
     "provider": "azure",
     "harnesses": [
@@ -2673,17 +2691,19 @@
       "https://learn.microsoft.com/en-us/azure/cosmos-db/query-metrics",
       "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db",
       "https://learn.microsoft.com/en-us/azure/cosmos-db/transactional-batch",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/find-request-unit-charge"
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/find-request-unit-charge",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/optimize-cost-reads-writes",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/request-units"
     ],
     "security_notes": "Do not recommend data models, query patterns, transactional assumptions, or SDK usage that ignore partition scope, RU cost, consistency semantics, or least-privilege access boundaries.",
-    "last_verified": "2026-04-28",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-cosmosdb-application-developer",
     "author": "github: Raishin"
   },
   {
     "id": "azure-cosmosdb-performance-investigator",
     "name": "Azure Cosmos DB Performance Investigator",
-    "version": "0.1.0",
+    "version": "0.1.3",
     "type": "skill",
     "provider": "azure",
     "harnesses": [
@@ -2706,17 +2726,19 @@
       "https://learn.microsoft.com/en-us/azure/cosmos-db/use-metrics",
       "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-redistribute-throughput-across-partitions",
       "https://learn.microsoft.com/en-us/azure/cosmos-db/performance-tips-dotnet-sdk-v3",
-      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db"
+      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/monitor-normalized-request-units",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/autoscale-faq"
     ],
     "security_notes": "Do not recommend throughput increases, repartitioning, indexing changes, or SDK tuning before separating RU cost, latency, partition skew, and query-shape evidence. Avoid speculative fixes that hide workload design defects.",
-    "last_verified": "2026-04-28",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-cosmosdb-performance-investigator",
     "author": "github: Raishin"
   },
   {
     "id": "azure-cosmosdb-platform-operator",
     "name": "Azure Cosmos DB Platform Operator",
-    "version": "0.1.0",
+    "version": "0.1.3",
     "type": "skill",
     "provider": "azure",
     "harnesses": [
@@ -2739,10 +2761,13 @@
       "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-manage-consistency",
       "https://learn.microsoft.com/en-us/azure/cosmos-db/query-metrics",
       "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db",
-      "https://learn.microsoft.com/en-us/azure/cosmos-db/hierarchical-partition-keys"
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/hierarchical-partition-keys",
+      "https://learn.microsoft.com/en-us/azure/reliability/reliability-cosmos-db",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/hierarchical-partition-keys-unlimited-scale",
+      "https://learn.microsoft.com/en-us/azure/cosmos-db/failover-considerations-for-private-endpoints"
     ],
     "security_notes": "Do not approve a partition key, indexing posture, consistency change, or cross-partition query strategy without checking workload shape, RU impact, transactional scope, and least-privilege access implications.",
-    "last_verified": "2026-04-28",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-cosmosdb-platform-operator",
     "author": "github: Raishin"
   },
@@ -2768,13 +2793,15 @@
       "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
       "https://learn.microsoft.com/en-us/azure/cost-management-billing/savings-plan/manage-savings-plan",
       "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-pricing"
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-pricing",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/overview-cost-management",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/cost-management-automation-scenarios"
     ],
-    "security_notes": "Do not present calculator output as invoice truth, do not hide missing sizing assumptions, and do not imply unsupported Azure MCP pricing or billing capabilities. Treat negotiated pricing, discount posture, and future utilization as explicit uncertainty unless verified.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not present calculator output as invoice truth, do not hide missing sizing assumptions, and do not imply unsupported configured Azure evidence pricing or billing capabilities. Treat negotiated pricing, discount posture, and future utilization as explicit uncertainty unless verified.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-cost-estimation-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-cost-optimization-governor",
@@ -2800,18 +2827,22 @@
       "https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-cost-recommendations",
       "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
       "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-pricing",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-advisor"
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-advisor",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/overview-cost-management",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-best-practices",
+      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-opt-recommendations",
+      "https://learn.microsoft.com/en-us/azure/advisor/advisor-workbook-cost-optimization"
     ],
     "security_notes": "Do not promise savings without utilization evidence, treat budgets as alerts rather than enforcement, keep billing and export data sanitized, and require named ownership for alerts, tags, exports, and optimization follow-up before calling the FinOps posture credible.",
-    "last_verified": "2026-04-27",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-cost-optimization-governor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-entra-id-specialist",
     "name": "Azure Entra ID Specialist",
-    "version": "0.1.0",
+    "version": "0.1.5",
     "type": "skill",
     "provider": "azure",
     "harnesses": [
@@ -2834,10 +2865,13 @@
       "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-security-info-registration",
       "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-users-groups",
       "https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview",
-      "https://learn.microsoft.com/en-us/entra/id-protection/concept-workload-identity-risk"
+      "https://learn.microsoft.com/en-us/entra/id-protection/concept-workload-identity-risk",
+      "https://learn.microsoft.com/en-us/entra/agent-id/security-for-ai-overview",
+      "https://learn.microsoft.com/en-us/entra/agent-id/what-is-microsoft-entra-agent-id",
+      "https://learn.microsoft.com/en-us/entra/id-governance/agent-id-governance-overview"
     ],
     "security_notes": "Do not recommend broad exclusions, unsafe break-glass patterns, blanket MFA bypasses, overprivileged app registrations, or risky Conditional Access changes without scoping blast radius, role ownership, and recovery paths.",
-    "last_verified": "2026-04-28",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-entra-id-specialist",
     "author": "github: Raishin"
   },
@@ -2866,13 +2900,15 @@
       "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure",
       "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/migrate-azure-landing-zone-policies",
       "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-policy"
+      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-policy",
+      "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-basics",
+      "https://learn.microsoft.com/en-us/azure/governance/policy/how-to/policy-safe-deployment-practices"
     ],
     "security_notes": "Do not recommend broad-scope deny or remediation-first rollout without blast-radius review, inheritance analysis, exception handling, and rollback notes.",
-    "last_verified": "2026-04-27",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-governance-policy-guardrails",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-identity-governance-review",
@@ -2887,26 +2923,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Microsoft Entra identity governance posture for Azure operators, focusing on PIM, access reviews, entitlement management, standing access, and ownership gaps.",
+    "summary": "Review Microsoft Entra identity governance posture for Azure operators, focusing on PIM, access reviews, entitlement management, standing access, emergency access, and ownership gaps.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones",
-      "https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles",
-      "https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview",
-      "https://learn.microsoft.com/en-us/entra/id-governance/manage-access-review",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review",
-      "https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview",
-      "https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-reviews-create",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/entra/architecture/ops-guide-govern",
+      "https://learn.microsoft.com/entra/id-governance/scenarios/least-privileged",
+      "https://learn.microsoft.com/entra/id-governance/identity-governance-overview",
+      "https://learn.microsoft.com/entra/id-governance/access-reviews-overview",
+      "https://learn.microsoft.com/entra/id-governance/entitlement-management-overview",
+      "https://learn.microsoft.com/entra/identity/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
     ],
-    "security_notes": "Challenge standing privileged access by default. Do not treat PIM, access reviews, or entitlement management as sufficient unless scope, ownership, cadence, and removal behavior are explicit.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Challenge standing privileged access by default. PIM, access reviews, and entitlement management are not sufficient unless scope, owner, cadence, approval, expiration, and removal behavior are explicit.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-identity-governance-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-key-vault-secret-lifecycle-auditor",
@@ -2924,21 +2957,20 @@
     "summary": "Audit Azure Key Vault secret lifecycle posture across RBAC, soft delete, purge protection, expiration, rotation, metadata hygiene, eventing, and recovery readiness without exposing secret values.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-key-vault",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/services/azure-mcp-server-for-key-vault",
-      "https://learn.microsoft.com/en-us/azure/key-vault/secrets/secure-secrets",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/autorotation",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery",
-      "https://learn.microsoft.com/en-us/azure/key-vault/policy-reference"
-    ],
-    "security_notes": "Avoid retrieving secret values unless absolutely necessary. Treat purge authority, missing soft delete, missing purge protection, and unproven rotation or recovery paths as high-risk. Prefer RBAC least privilege and metadata-based audits over content access.",
-    "last_verified": "2026-04-27",
+      "https://learn.microsoft.com/azure/key-vault/secrets/secure-secrets",
+      "https://learn.microsoft.com/azure/key-vault/general/secure-key-vault",
+      "https://learn.microsoft.com/azure/key-vault/general/rbac-guide",
+      "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+      "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery",
+      "https://learn.microsoft.com/azure/key-vault/secrets/tutorial-rotation",
+      "https://learn.microsoft.com/azure/key-vault/general/event-grid-overview",
+      "https://learn.microsoft.com/azure/key-vault/policy-reference"
+    ],
+    "security_notes": "Avoid retrieving secret values. Treat purge authority, missing soft delete, missing purge protection, legacy access policies for critical workloads, and untested rotation or recovery paths as high-risk.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-key-vault-secret-lifecycle-auditor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-keyvault-certificate-issuer-review",
@@ -2953,18 +2985,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure Key Vault certificate issuer configurations for cert-manager, covering certificate policy alignment, Managed Identity authorization scope, exportability posture, private endpoint connectivity, integrated CA credential scoping, and cert-manager vs Key Vault auto-rotation race conditions.",
+    "summary": "Review Azure Key Vault certificate issuer configurations for cert-manager and AKS, covering certificate policy alignment, managed identity authorization scope, exportability posture, private endpoint connectivity, issuer credential scoping, and renewal timing.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates",
-      "https://learn.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/network-security"
+      "https://learn.microsoft.com/azure/key-vault/certificates/about-certificates",
+      "https://learn.microsoft.com/azure/key-vault/certificates/how-to-integrate-certificate-authority",
+      "https://learn.microsoft.com/azure/key-vault/certificates/create-certificate",
+      "https://learn.microsoft.com/azure/key-vault/certificates/secure-certificates"
     ],
-    "security_notes": "Key Vault Contributor role assigned to cert-manager allows deletion of the Key Vault, management policy changes, and purge of soft-deleted certs \u2014 a full management plane compromise. Use Key Vault Certificate Officer (data plane RBAC) instead. Exportable certificates allow private key extraction from Key Vault; use non-exportable certs for cluster-internal mTLS.",
-    "last_verified": "2026-05-02",
+    "security_notes": "Use Key Vault certificate data-plane roles for certificate lifecycle tasks and avoid broad management-plane roles. Treat exportable private keys, unscoped CA requester credentials, missing renewal contacts, and untested renewal handoff as high-risk.",
+    "last_verified": "2026-06-06",
     "path": "skills/azure/azure-keyvault-certificate-issuer-review",
-    "version": "0.1.0",
+    "version": "0.1.4",
     "author": "github: Raishin"
   },
   {
@@ -2980,22 +3012,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Design or review Azure landing-zone architecture across management groups, subscriptions, governance, security, networking, and operations dependencies.",
+    "summary": "Design or review Azure landing-zone architecture across management groups, subscriptions, governance, security, networking, identity, management, and platform automation dependencies.",
     "source_type": "original",
     "official_docs": [
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/",
       "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
       "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access",
       "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
       "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
-      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/implementation-options",
-      "https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke",
-      "https://learn.microsoft.com/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops",
+      "https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke"
     ],
-    "security_notes": "Do not prescribe a one-size-fits-all hierarchy, broad admin grants, or a production-ready verdict without governance, management, and recovery dependencies being addressed.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not prescribe a one-size-fits-all hierarchy, broad admin grants, or production-ready verdict without identity, governance, security, management, network, subscription, cost, and recovery dependencies being addressed.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-landing-zone-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.3"
   },
   {
     "id": "azure-live-aks-rollout-guard",
@@ -3010,19 +3043,24 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard live AKS deployment rollouts with PDB audit, maxUnavailable/surge validation, rollout pause/undo gates, and post-rollout health verification.",
+    "summary": "Guard live AKS deployment and node-pool rollouts with PDB audit, maxUnavailable/surge validation, pause/undo gates, capacity checks, and post-rollout health verification.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security",
-      "https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads",
-      "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment",
-      "https://kubernetes.io/docs/tasks/run-application/configure-pdb/"
+      "https://learn.microsoft.com/azure/aks/upgrade-aks-node-pools-rolling",
+      "https://learn.microsoft.com/azure/aks/upgrade-options",
+      "https://learn.microsoft.com/azure/aks/upgrade-conceptual",
+      "https://learn.microsoft.com/azure/aks/blue-green-node-pool-upgrade",
+      "https://learn.microsoft.com/azure/architecture/operator-guides/aks/aks-upgrade-practices",
+      "https://learn.microsoft.com/azure/aks/concepts-clusters-workloads",
+      "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-security",
+      "https://kubernetes.io/docs/tasks/run-application/configure-pdb/",
+      "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment"
     ],
-    "security_notes": "Never advance an AKS rollout without PDB audit and replica health check. kubectl rollout undo is safe but must be confirmed before execution to avoid double-rollback churn.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never advance an AKS rollout without target, principal, approval, PDB audit, replica health, capacity, and rollback evidence. Treat undo, drain, cordon, scale, and node-pool upgrade operations as live mutations requiring explicit approval.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-aks-rollout-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.4"
   },
   {
     "id": "azure-live-app-service-slot-swap-guard",
@@ -3037,18 +3075,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard live App Service slot swaps with sticky-settings audit, warmup probe verification, swap-with-preview staging, and instant rollback posture.",
+    "summary": "Guard live App Service slot swaps with sticky-settings audit, warmup probe verification, swap-with-preview staging, activity-log checks, and immediate rollback posture.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots",
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
-      "https://learn.microsoft.com/en-us/azure/app-service/configure-common"
+      "https://learn.microsoft.com/azure/app-service/deploy-staging-slots",
+      "https://learn.microsoft.com/azure/app-service/reference-app-settings#deployment-slots",
+      "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
+      "https://learn.microsoft.com/azure/app-service/configure-common",
+      "https://learn.microsoft.com/azure/app-service/overview-local-cache"
     ],
-    "security_notes": "Never perform a production slot swap without sticky-settings diff audit and warmup health confirmation. A bad swap with no rollback plan can take a production app offline instantly.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never perform a production slot swap without target-slot confirmation, sticky-settings diff, warm-up evidence, authentication limitation check, activity-log monitoring path, and immediate rollback plan.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-app-service-slot-swap-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.6"
   },
   {
     "id": "azure-live-arm-deployment-stack-guard",
@@ -3063,19 +3103,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard live ARM, Bicep, and Deployment Stack changes with what-if evidence, denySettings review, changeset diff, rollback posture, and approval gates.",
+    "summary": "Guard live ARM, Bicep, and Deployment Stack changes with what-if evidence, deny-settings review, action-on-unmanage safety, managed-resource diff, rollback posture, and approval gates.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices"
+      "https://learn.microsoft.com/azure/azure-resource-manager/templates/deploy-what-if",
+      "https://learn.microsoft.com/azure/azure-resource-manager/bicep/deployment-stacks",
+      "https://learn.microsoft.com/azure/templates/microsoft.resources/deploymentstacks",
+      "https://learn.microsoft.com/azure/role-based-access-control/deny-assignments",
+      "https://learn.microsoft.com/azure/azure-resource-manager/templates/best-practices"
     ],
-    "security_notes": "Never execute an ARM or Deployment Stack change without what-if evidence, confirmed target scope, denySettings review, and explicit human approval. Repo write access does not authorize live Azure mutations.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never execute an ARM, Bicep, or Deployment Stack change without confirmed scope, template/parameter provenance, what-if or managed-resource diff, deny-settings review, action-on-unmanage review, rollback constraints, and explicit human approval.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-arm-deployment-stack-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.5"
   },
   {
     "id": "azure-live-cost-budget-action-guard",
@@ -3090,19 +3131,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Gate Azure budget action changes and GPU/HPC SKU provisioning against approved spend limits, with quota audits and emergency spend-stop playbooks.",
+    "summary": "Gate Azure budget action changes, cost-alert automation, and quota-sensitive GPU/HPC provisioning against approved spend limits, cost data latency, action-group behavior, and emergency spend-stop playbooks.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits",
-      "https://learn.microsoft.com/en-us/azure/quotas/quickstart-increase-quota-portal",
-      "https://learn.microsoft.com/en-us/azure/cost-management-billing/finops/overview-finops"
+      "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets",
+      "https://learn.microsoft.com/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending",
+      "https://learn.microsoft.com/azure/cost-management-billing/costs/cost-mgt-best-practices",
+      "https://learn.microsoft.com/cloud-computing/finops/framework/quantify/budgeting",
+      "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+      "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
     ],
-    "security_notes": "GPU/HPC SKUs (NDv5, H100, A100) can generate $50K+ daily costs. Never approve quota increases or budget threshold raises without explicit spend-approval sign-off from a financial authority.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never approve quota increases, budget threshold raises, automated cost actions, or high-cost SKU provisioning without explicit financial owner approval, cost data latency caveat, rollback or stop action, and scope confirmation.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-cost-budget-action-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.7"
   },
   {
     "id": "azure-live-entra-role-assignment-guard",
@@ -3117,20 +3160,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard live permanent Microsoft Entra ID and Azure RBAC role assignments with scope audit, principal-type risk classification, dangerous-role detection, and explicit approval gates before write.",
+    "summary": "Guard live permanent Microsoft Entra ID and Azure RBAC role assignments with scope audit, principal-type risk classification, dangerous-role detection, PIM preference, propagation caveats, and explicit approval gates before write.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-alert",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"
+      "https://learn.microsoft.com/azure/role-based-access-control/overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-steps",
+      "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-alert",
+      "https://learn.microsoft.com/azure/role-based-access-control/troubleshooting#azure-role-assignments",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-deployment-plan"
     ],
-    "security_notes": "Never create Owner, Contributor, or UAA assignments at subscription or management-group scope without CISO-level justification. Always prefer PIM eligible assignment. Block Guest principal assignments without Director-level sign-off. Token caching means deletion may take up to 5 minutes to propagate.",
-    "last_verified": "2026-05-01",
+    "security_notes": "Never create or delete privileged role assignments without confirmed tenant/scope, assignee identity, principal type, role definition, existing assignment evidence, PIM alternative review, explicit approval, propagation caveat, and rollback command.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-entra-role-assignment-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.7"
   },
   {
     "id": "azure-live-keyvault-rotation-purge-guard",
@@ -3145,19 +3189,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard Key Vault key rotation, rotation policy changes, soft-delete enforcement, and purge-protection enablement with irreversibility warnings and rollback evidence.",
+    "summary": "Guard Key Vault key and secret rotation, rotation policy changes, soft-delete checks, purge-protection enablement, recover decisions, and purge attempts with irreversibility warnings and rollback evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery",
-      "https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details",
-      "https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices"
+      "https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery",
+      "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+      "https://learn.microsoft.com/azure/key-vault/general/secure-key-vault",
+      "https://learn.microsoft.com/azure/key-vault/keys/how-to-configure-key-rotation",
+      "https://learn.microsoft.com/azure/key-vault/keys/secure-keys",
+      "https://learn.microsoft.com/azure/key-vault/policy-reference"
     ],
-    "security_notes": "Purge-protection enable is irreversible. Soft-deleted keys can be recovered within the retention window. HSM-backed hard-purged keys cannot be recovered. Never grant purge rights to routine rotation operators.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Purge protection enablement is irreversible, purge is permanent when allowed, and key/secret rotation can break dependent workloads. Never grant purge rights to routine rotation operators or mutate production vault lifecycle controls without owner approval and dependency evidence.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-keyvault-rotation-purge-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.6"
   },
   {
     "id": "azure-live-pim-jit-activation-guard",
@@ -3172,19 +3218,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Gate Entra ID PIM eligible role activations with justification, MFA, ticket binding, time-bound scope, and approval workflow gates before any privileged Azure role becomes active.",
+    "summary": "Gate Microsoft Entra PIM eligible role activations with justification, MFA, reduced scope, ticket binding, time-bound duration, approval workflow checks, and cache/propagation caveats.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role",
-      "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure-azure-ad-roles"
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-configure",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-resource-roles-activate-your-roles",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-resource-roles-approval-workflow",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-deployment-plan",
+      "https://learn.microsoft.com/entra/identity/role-based-access-control/best-practices"
     ],
-    "security_notes": "Never activate a PIM role without justification, ticket reference, and MFA confirmation. An agent cannot activate another user's PIM role on their behalf \u2014 only the eligible principal may submit. Requires Entra ID P2 or equivalent license.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never activate or approve PIM privileged access without confirming eligible principal, scope, role, activation duration, MFA/Conditional Access requirement, justification or ticket, approval status, and deactivation/expiry behavior.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-live-pim-jit-activation-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.6"
   },
   {
     "id": "azure-maestro",
@@ -3199,20 +3247,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Route Azure tasks to the narrowest specialist or team of specialists from the 30-agent catalog. Classifies by domain, dispatches single or parallel (max 4), and enforces live-guard gate for production-change agents.",
+    "summary": "Route Azure tasks to the narrowest specialist or bounded specialist team from the Azure catalog, with strict live-guard gates for production-change agents and no stale hard-coded catalog counts.",
     "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/",
-      "https://learn.microsoft.com/en-us/azure/architecture/",
-      "https://learn.microsoft.com/en-us/azure/well-architected/",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/overview"
+      "https://learn.microsoft.com/azure/architecture/",
+      "https://learn.microsoft.com/azure/well-architected/",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
+      "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/azure/azure-monitor/fundamentals/overview"
     ],
-    "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live-guard agents without explicit human confirmation, blast-radius assessment, and rollback path.",
-    "last_verified": "2026-04-30",
+    "security_notes": "Never auto-dispatch live-guard agents. Any live Azure mutation path requires explicit human confirmation, blast-radius assessment, target confirmation, rollback or non-reversibility statement, and specialist handoff.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-maestro",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-migrate-landing-zone-cutover",
@@ -3227,21 +3275,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Stress-test Azure migration cutovers across assessment quality, landing-zone readiness, dependency sequencing, permissions, rollback, and post-cutover operating ownership.",
+    "summary": "Stress-test Azure migration cutovers across discovery quality, assessment freshness, dependency sequencing, landing-zone readiness, permissions, rollback, and post-cutover operating ownership.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/migrate/concepts-overview?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/migrate/assessment-prerequisites?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/migrate/review-application-assessment?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/migrate/platform-landing-zone?view=migrate",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/ready-azure-landing-zone",
-      "https://learn.microsoft.com/en-us/azure/migrate/whats-new?view=migrate"
+      "https://learn.microsoft.com/azure/migrate/migrate-services-overview?view=migrate",
+      "https://learn.microsoft.com/azure/migrate/concepts-migration-planning?view=migrate",
+      "https://learn.microsoft.com/azure/migrate/common-questions-discovery-dependency-analysis?view=migrate",
+      "https://learn.microsoft.com/azure/migrate/overview?view=migrate",
+      "https://learn.microsoft.com/azure/migrate/platform-landing-zone?view=migrate",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/"
     ],
     "security_notes": "Do not equate Azure readiness with cutover readiness. Treat stale assessments, weak dependency mapping, broad migration permissions, missing rollback checkpoints, and incomplete landing-zone connectivity or monitoring as high-risk blockers.",
-    "last_verified": "2026-04-27",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-migrate-landing-zone-cutover",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-network-topology-review",
@@ -3256,19 +3304,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure hub-spoke and related network topologies for routing, DNS, shared-services boundaries, security implications, and platform-versus-workload control ownership.",
+    "summary": "Review Azure hub-spoke and related network topologies for routing, DNS, shared-services boundaries, security inspection, private connectivity, regional blast radius, and platform-versus-workload ownership.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke",
-      "https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-hub-spoke-network",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
-    ],
-    "security_notes": "Do not recommend flat or over-centralized network patterns by default. Always address routing, DNS, shared-service blast radius, and platform-versus-workload control boundaries before calling a topology safe.",
-    "last_verified": "2026-04-27",
+      "https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke",
+      "https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke-virtual-wan-architecture",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/network-topology-and-connectivity",
+      "https://learn.microsoft.com/azure/architecture/networking/guide/private-link-hub-spoke-network",
+      "https://learn.microsoft.com/azure/dns/private-resolver-architecture",
+      "https://learn.microsoft.com/azure/virtual-network-manager/overview"
+    ],
+    "security_notes": "Do not recommend flat or over-centralized network patterns by default. Always address routing, DNS, shared-service blast radius, inspection path, private connectivity, and platform-versus-workload control boundaries before calling a topology safe.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-network-topology-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-observability-investigator",
@@ -3283,30 +3333,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Investigate Azure Monitor, Log Analytics, Application Insights, alerting, KQL triage, telemetry gaps, and observability workflows with explicit evidence-versus-inference handling.",
+    "summary": "Investigate Azure Monitor, Log Analytics, Application Insights, alerting, KQL triage, telemetry gaps, workbooks, Grafana, and incident hypotheses with explicit evidence-versus-inference handling.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/best-practices-analysis",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-processing-rules",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/get-started-queries",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview",
-      "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/application-insights",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/visualize-grafana-overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/monitor",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-monitor"
+      "https://learn.microsoft.com/azure/azure-monitor/fundamentals/overview",
+      "https://learn.microsoft.com/azure/azure-monitor/fundamentals/best-practices-operation",
+      "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
+      "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
+      "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-processing-rules",
+      "https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview",
+      "https://learn.microsoft.com/azure/azure-monitor/logs/workspace-design",
+      "https://learn.microsoft.com/azure/azure-monitor/app/app-insights-overview",
+      "https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-overview",
+      "https://learn.microsoft.com/azure/managed-grafana/how-to-use-azure-monitor-alerts"
     ],
-    "security_notes": "Do not over-attribute symptoms as root cause, ignore missing telemetry, or recommend broad alerting changes without signal-quality review, routing checks, and bounded verification steps.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not over-attribute symptoms as root cause, ignore missing telemetry, or recommend broad alerting changes without signal-quality review, routing checks, query scope, and bounded verification steps.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-observability-investigator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-platform-automation-devops",
@@ -3321,25 +3366,22 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and review Azure platform automation delivery across landing-zone IaC choices, bootstrap-versus-run separation, infra-versus-app pipelines, secret handling, validation gates, and safe rollout patterns.",
+    "summary": "Design and review Azure platform automation delivery across landing-zone IaC choices, bootstrap-versus-run separation, infra-versus-app pipelines, secret handling, what-if validation, approval gates, and safe rollout patterns.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/implementation-options",
-      "https://learn.microsoft.com/en-us/azure/architecture/landing-zones/bicep/landing-zone-bicep",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/terraform-landing-zone",
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-best-practices",
-      "https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots?view=azure-devops-2020",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-deploy",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-mcp-server",
-      "https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/"
+      "https://learn.microsoft.com/azure/azure-resource-manager/bicep/deploy-what-if",
+      "https://learn.microsoft.com/training/modules/test-bicep-code-using-github-actions/",
+      "https://learn.microsoft.com/training/modules/test-bicep-code-using-azure-pipelines/",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/implementation-options",
+      "https://learn.microsoft.com/azure/architecture/landing-zones/bicep/landing-zone-bicep",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/terraform-landing-zone"
     ],
-    "security_notes": "Keep bootstrap and steady-state delivery separate, do not mix platform and application pipelines without control boundaries, never store secrets in repo or pipeline definitions, and require preview, validation, approval, and rollback paths before production-impacting Azure changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Keep bootstrap and steady-state delivery separate, do not mix platform and application pipelines without control boundaries, never store secrets in repo or pipeline definitions, and require lint, validation, what-if, approval, and rollback paths before production-impacting Azure changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-platform-automation-devops",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-private-endpoint-adoption-planner",
@@ -3354,22 +3396,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Plan Azure Private Link and private endpoint adoption with explicit hub-versus-spoke placement, private DNS zone linkage, route implications, and centralized-versus-local trade-offs.",
+    "summary": "Plan Azure Private Link and private endpoint adoption with explicit hub-versus-spoke placement, private DNS zone linkage, DNS Private Resolver choices, route implications, and centralized-versus-local trade-offs.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/architecture/guide/networking/private-link-hub-spoke-network",
-      "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration",
-      "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns",
-      "https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/azure/private-link/private-endpoint-dns-integration",
+      "https://learn.microsoft.com/azure/private-link/private-endpoint-dns",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale",
+      "https://learn.microsoft.com/azure/architecture/networking/guide/private-link-virtual-wan-dns-guide",
+      "https://learn.microsoft.com/azure/dns/private-resolver-endpoints-rulesets",
+      "https://learn.microsoft.com/azure/networking/foundations/network-foundations-overview"
     ],
-    "security_notes": "Do not recommend private endpoint placement without naming consumer networks, DNS-zone ownership, VNet links, route implications, and rollback checks. Challenge both over-centralized hub designs and uncontrolled per-spoke duplication.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not recommend private endpoint placement without naming consumer networks, private DNS zone ownership, VNet links, DNS forwarding path, route implications, and rollback checks. Challenge both over-centralized hub designs and uncontrolled per-spoke duplication.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-private-endpoint-adoption-planner",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-rbac-review",
@@ -3384,17 +3425,22 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure role assignments, custom roles, and scope choices for least privilege and operational safety.",
+    "summary": "Review Azure role assignments, custom roles, privileged administrator roles, conditions, PIM usage, group-based assignment, and scope choices for least privilege and operational safety.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices"
+      "https://learn.microsoft.com/azure/role-based-access-control/overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/azure/role-based-access-control/scope-overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+      "https://learn.microsoft.com/azure/role-based-access-control/custom-roles",
+      "https://learn.microsoft.com/azure/role-based-access-control/conditions-overview",
+      "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-configure"
     ],
-    "security_notes": "Do not recommend Owner or User Access Administrator unless justified. Prefer narrow scopes and built-in roles before custom broad grants.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not recommend Owner, Contributor, User Access Administrator, Role Based Access Control Administrator, wildcard custom roles, direct user grants, or broad scopes unless the business need is proven and safer job-function, group-based, conditioned, or time-bound alternatives are insufficient.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-rbac-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-resilience-bcdr-review",
@@ -3409,23 +3455,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure resilience and disaster-recovery posture for RTO/RPO realism, failover and failback assumptions, shared-responsibility gaps, and recovery runbook or drill quality.",
+    "summary": "Review Azure resilience and disaster-recovery posture for business criticality, RTO/RPO realism, failover and failback assumptions, backup/restore, region/zone strategy, recovery automation, runbooks, and drill evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/well-architected/reliability/principles",
-      "https://learn.microsoft.com/en-us/azure/well-architected/reliability/disaster-recovery",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/overview",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/overview",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
+      "https://learn.microsoft.com/azure/well-architected/reliability/disaster-recovery",
+      "https://learn.microsoft.com/azure/reliability/concept-business-continuity-high-availability-disaster-recovery",
+      "https://learn.microsoft.com/azure/well-architected/reliability/metrics",
+      "https://learn.microsoft.com/azure/well-architected/reliability/testing-strategy",
+      "https://learn.microsoft.com/azure/reliability/overview-reliability-guidance",
+      "https://learn.microsoft.com/azure/service-health/overview"
     ],
-    "security_notes": "Do not accept zero-downtime or zero-data-loss claims without explicit architecture and test evidence. Separate Azure platform resilience from workload recovery obligations, and treat untested runbooks, undocumented failback, and single-region dependencies as material risks.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not accept zero-downtime or zero-data-loss claims without explicit architecture and test evidence. Separate Azure platform resilience from workload recovery obligations, and treat untested runbooks, undocumented failback, inaccessible DR assets, and single-region dependencies as material risks.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-resilience-bcdr-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-resource-health-incident-triage",
@@ -3440,24 +3484,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Triage Azure Resource Health, Service Health, activity-log alerts, and first-pass cloud-health incidents with explicit separation between provider incidents, tenant-side changes, and unresolved evidence.",
+    "summary": "Triage Azure Resource Health, Service Health, activity-log alerts, and first-pass cloud-health incidents with explicit separation between provider incidents, resource-specific health, tenant-side changes, and unresolved evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log",
-      "https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-activity-log-alert-rule",
-      "https://learn.microsoft.com/en-us/azure/service-health/service-health-alert-overview",
-      "https://learn.microsoft.com/en-us/azure/service-health/alerts-activity-log-service-notifications-portal",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-resource-health",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/azure-monitor"
+      "https://learn.microsoft.com/azure/service-health/resource-health-overview",
+      "https://learn.microsoft.com/azure/service-health/service-health-notifications-properties",
+      "https://learn.microsoft.com/azure/service-health/service-health-event-properties",
+      "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+      "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+      "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups"
     ],
-    "security_notes": "Do not over-attribute platform health signals as root cause, ignore recent tenant-side changes, invent unsupported MCP tools, or recommend broad remediation before blast radius and evidence are clear.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not over-attribute platform health signals as root cause, ignore recent tenant-side changes, expose sensitive incident payloads, invent unsupported tools, or recommend broad remediation before blast radius and evidence are clear.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-resource-health-incident-triage",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-role-selector",
@@ -3475,17 +3516,20 @@
     "summary": "Select the narrowest Azure built-in role, custom-role fallback, and assignment scope for a requested access pattern while separating control-plane and data-plane permissions.",
     "source_type": "adapted",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/overview",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles",
-      "https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/"
-    ],
-    "security_notes": "Prefer built-in roles before custom roles, minimize assignment scope, and keep control-plane and data-plane permissions separate. Do not default to Owner or Contributor for routine access requests.",
-    "last_verified": "2026-04-27",
+      "https://learn.microsoft.com/azure/role-based-access-control/overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+      "https://learn.microsoft.com/azure/role-based-access-control/role-definitions",
+      "https://learn.microsoft.com/azure/role-based-access-control/custom-roles",
+      "https://learn.microsoft.com/azure/role-based-access-control/role-assignments-steps",
+      "https://learn.microsoft.com/azure/role-based-access-control/scope-overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles"
+    ],
+    "security_notes": "Prefer built-in job-function roles before custom roles, minimize assignment scope, separate control-plane and data-plane permissions, and do not default to Owner, Contributor, or wildcard custom roles for routine access requests.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-role-selector",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-security-posture-hardening",
@@ -3500,26 +3544,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure security posture with least privilege, managed identities, Key Vault hardening, private access decisions, policy guardrails, and audit-ready logging expectations.",
+    "summary": "Review Azure security posture with least privilege, managed identities, Key Vault hardening, private access decisions, policy guardrails, Defender recommendations, and audit-ready logging expectations.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/security/fundamentals/best-practices-and-patterns",
-      "https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/how-to-azure-key-vault-network-security",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging",
-      "https://learn.microsoft.com/en-us/azure/key-vault/general/monitor-key-vault",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/services/azure-mcp-server-for-key-vault"
-    ],
-    "security_notes": "Do not recommend broad admin roles, stored secrets, or public exposure by default. Prefer managed identities, scoped RBAC, policy-enforced controls, private access where justified, and verified logging coverage.",
-    "last_verified": "2026-04-27",
+      "https://learn.microsoft.com/azure/key-vault/general/secure-key-vault",
+      "https://learn.microsoft.com/security/benchmark/azure/baselines/key-vault-security-baseline",
+      "https://learn.microsoft.com/security/benchmark/azure/baselines/microsoft-defender-for-cloud-security-baseline",
+      "https://learn.microsoft.com/azure/defender-for-cloud/recommendations-reference-identity-access",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security",
+      "https://learn.microsoft.com/azure/governance/policy/overview",
+      "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+      "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls",
+      "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management",
+      "https://learn.microsoft.com/azure/defender-for-cloud/review-security-recommendations"
+    ],
+    "security_notes": "Do not recommend broad admin roles, stored secrets, legacy Key Vault access policies, or public exposure by default. Prefer managed identities, scoped RBAC, policy-enforced controls, private access where justified, soft delete/purge protection, and verified logging coverage.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-security-posture-hardening",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-subscription-resource-organization",
@@ -3534,23 +3577,25 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and review Azure management-group, subscription, and resource-group boundaries with explicit governance, ownership, and landing-zone operating-model consequences.",
+    "summary": "Design and review Azure management-group, subscription, and resource-group boundaries with explicit governance, ownership, policy inheritance, scale-unit, and landing-zone operating-model consequences.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-areas",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
-      "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/subscription",
-      "https://learn.microsoft.com/en-us/azure/developer/azure-mcp-server/tools/resource-group"
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-application-environments",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/governance",
+      "https://learn.microsoft.com/training/modules/design-governance/",
+      "https://learn.microsoft.com/azure/governance/management-groups/overview",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging",
+      "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-policies"
     ],
-    "security_notes": "Do not recommend flat hierarchies, fake isolation via resource groups, or subscription moves without proving governance, ownership, policy inheritance, and operational blast-radius implications.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Do not recommend flat hierarchies, fake isolation via resource groups, or subscription moves without proving governance, ownership, policy inheritance, RBAC, cost, quota, and operational blast-radius implications.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-subscription-resource-organization",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-waf-cost-optimization-review",
@@ -3565,17 +3610,23 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure workload cost posture against the Well-Architected Framework Cost Optimization pillar: cost modeling, rightsizing, reservations, hybrid benefit, storage lifecycle, and idle resource elimination.",
+    "summary": "Review Azure workload cost posture against the Well-Architected Framework Cost Optimization pillar: cost model, budgets, cost drivers, usage optimization, rate optimization, Advisor recommendations, reservations, savings plans, hybrid benefit, and idle resource elimination.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/azure/well-architected/cost-optimization/",
-      "https://learn.microsoft.com/azure/cost-management-billing/"
+      "https://learn.microsoft.com/azure/well-architected/cost-optimization/principles",
+      "https://learn.microsoft.com/azure/well-architected/cost-optimization/cost-model",
+      "https://learn.microsoft.com/azure/well-architected/cost-optimization/get-best-rates",
+      "https://learn.microsoft.com/azure/cost-management-billing/costs/overview-cost-management",
+      "https://learn.microsoft.com/azure/advisor/advisor-workbook-cost-optimization",
+      "https://learn.microsoft.com/azure/advisor/advisor-how-to-calculate-total-cost-savings",
+      "https://learn.microsoft.com/azure/well-architected/cost-optimization/checklist",
+      "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-opt-recommendations"
     ],
-    "security_notes": "Read-only advisory. Do not cancel Reservations, delete resources, or modify billing configurations without explicit approval and resource inventory confirmation.",
-    "last_verified": "2026-05-09",
+    "security_notes": "Read-only advisory by default. Do not delete resources, cancel commitments, modify billing configuration, buy reservations or savings plans, or alter budgets without explicit approval, owner confirmation, and current inventory evidence.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-waf-cost-optimization-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-waf-reliability-review",
@@ -3590,17 +3641,22 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure workload reliability against the Well-Architected Framework Reliability pillar: availability targets, AZ/region topology, health monitoring, data resilience, deployment safety, and chaos testing.",
+    "summary": "Review Azure workload reliability against the Well-Architected Framework Reliability pillar: business requirements, critical flows, resilience, recovery, observability, operations, simplicity, availability zones/regions, health modeling, and reliability testing.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/azure/well-architected/reliability/",
-      "https://learn.microsoft.com/azure/reliability/availability-zones-overview"
+      "https://learn.microsoft.com/azure/well-architected/reliability/principles",
+      "https://learn.microsoft.com/azure/well-architected/reliability/reliability-test",
+      "https://learn.microsoft.com/azure/well-architected/reliability/disaster-recovery",
+      "https://learn.microsoft.com/azure/well-architected/design-guides/regions-availability-zones",
+      "https://learn.microsoft.com/azure/reliability/concept-business-continuity-high-availability-disaster-recovery",
+      "https://learn.microsoft.com/azure/reliability/overview-reliability-guidance",
+      "https://learn.microsoft.com/azure/well-architected/reliability/checklist"
     ],
-    "security_notes": "Read-only advisory. Do not modify autoscaling policies, backup schedules, or Azure Site Recovery configurations without explicit approval.",
-    "last_verified": "2026-05-09",
+    "security_notes": "Read-only advisory by default. Do not modify autoscaling, backup, failover, traffic routing, deployment, or recovery settings without explicit approval, current-state evidence, blast-radius review, and rollback or failback plan.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-waf-reliability-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "azure-waf-security-review",
@@ -3615,17 +3671,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Azure workload security posture against the Well-Architected Framework Security pillar: identity and access, network boundaries, data protection, threat detection, DevSecOps maturity, and policy compliance.",
+    "summary": "Review Azure workload security posture against the Well-Architected Framework Security pillar: baseline, secure development lifecycle, data classification, segmentation, IAM, networking, encryption, hardening, secrets, threat monitoring, security testing, and incident response.",
     "source_type": "original",
     "official_docs": [
-      "https://learn.microsoft.com/azure/well-architected/security/",
-      "https://learn.microsoft.com/security/benchmark/azure/"
+      "https://learn.microsoft.com/azure/well-architected/security/principles",
+      "https://learn.microsoft.com/azure/well-architected/security/checklist",
+      "https://learn.microsoft.com/security/benchmark/azure/introduction",
+      "https://learn.microsoft.com/azure/defender-for-cloud/concept-regulatory-compliance",
+      "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls",
+      "https://learn.microsoft.com/azure/defender-for-cloud/review-security-recommendations"
     ],
-    "security_notes": "Read-only advisory. Do not modify Entra ID policies, Conditional Access rules, Azure Policy, or Defender configurations without explicit approval.",
-    "last_verified": "2026-05-09",
+    "security_notes": "Read-only advisory by default. Do not modify Entra ID, Conditional Access, RBAC, PIM, Azure Policy, Defender, Sentinel, network controls, Key Vault, or production diagnostics without explicit approval, current-state evidence, blast-radius review, and rollback plan.",
+    "last_verified": "2026-06-05",
     "path": "skills/azure/azure-waf-security-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "backstage-scaffolder-template-review",
@@ -8469,7 +8529,7 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, migrate, and operate Oracle Autonomous Database across OCI and multicloud destinations with official-source grounding.",
+    "summary": "Design and review OCI Autonomous Database and Autonomous AI Database deployments with explicit workload fit, security, networking, backup, DR, migration, and multicloud boundary checks.",
     "source_type": "original",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/Database/Concepts/adboverview.htm",
@@ -8477,11 +8537,11 @@
       "https://docs.oracle.com/en-us/iaas/Content/database-at-gcp/overview.htm",
       "https://docs.oracle.com/en-us/iaas/Content/database-at-aws/overview.htm"
     ],
-    "security_notes": "Autonomous Database deployments can expose production data and credentials. Verify IAM, network posture, TLS, backup, and secret handling before recommending changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Autonomous Database Architect changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-autonomous-database-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-certificates-issuer-review",
@@ -8496,18 +8556,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI Certificates Service issuer configurations for cert-manager on OKE, covering CA hierarchy safety, issuance rule enforcement, OKE Workload Identity vs Instance Principal authentication, IAM policy scope minimization, OCSP reachability, and certificate version lifecycle management.",
+    "summary": "Review OCI Certificates Service and OKE cert-manager issuer posture with CA hierarchy, issuance rules, workload identity, IAM scope, OCSP reachability, and certificate lifecycle safeguards.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/certificates/home.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/certificates/managing-certificate-authority.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingworkloadidentity.htm",
-      "https://github.com/oracle/oci-native-ingress-controller"
+      "https://docs.oracle.com/iaas/Content/certificates/overview.htm",
+      "https://docs.oracle.com/iaas/Content/certificates/managing-certificates.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/certificatespolicyreference.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingworkloadidentity.htm"
     ],
-    "security_notes": "Instance Principal auth for cert-manager on OKE means ANY pod on the node can call the OCI Certificates API using the instance metadata endpoint \u2014 not just cert-manager. Use OKE Workload Identity to scope cert-issuance permissions to the cert-manager ServiceAccount only. IAM policy with 'manage certificate-authorities' grants delete and update CA permissions, which is excessive for cert-manager.",
-    "last_verified": "2026-05-02",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Certificates Issuer Review changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-certificates-issuer-review",
-    "version": "0.1.0",
+    "version": "0.1.1",
     "author": "github: Raishin"
   },
   {
@@ -8523,17 +8583,17 @@
       "kiro",
       "other"
     ],
-    "summary": "Triage and govern OCI Cloud Guard problems, targets, responder recipes, detector findings, and security remediation safely. Use for Cloud Guard reviews, problem prioritization, remediation planning, and compliance evidence when official...",
+    "summary": "Triage OCI Cloud Guard problems, targets, detector recipes, responder recipes, suppression, and remediation plans with evidence labels and approval gates.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/cloud-guard/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-guard/using/cg-concepts.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Cloud Guard Responder changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-cloud-guard-responder",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-compute-instance-agent-operator",
@@ -8548,17 +8608,16 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate OCI Compute Instance Agent commands and executions safely for diagnostics, automation, and remediation. Use when issuing, tracking, or reviewing instance-agent commands across compute fleets.",
+    "summary": "Operate and review OCI Compute instance-agent commands safely with scoped command payloads, target ownership, output handling, timeout controls, and mutation approval gates.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Compute/Tasks/instances.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Compute Instance Agent Operator changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-compute-instance-agent-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-compute-platform-operator",
@@ -8573,17 +8632,17 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate OCI Compute instances and platform capacity safely with compartment/region confirmation, instance lifecycle guardrails, least-privilege IAM checks, MCP/CLI discovery, and rollback-aware change plans.",
+    "summary": "Operate OCI Compute instances and platform capacity with compartment/region confirmation, lifecycle guardrails, least-privilege IAM, image/shape/network review, and rollback-aware changes.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Compute/Tasks/instances.htm",
+      "https://docs.oracle.com/iaas/Content/Compute/Tasks/launchinginstance.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Compute Platform Operator changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-compute-platform-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-cost-finops-analyst",
@@ -8598,17 +8657,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Analyze Oracle Cloud Infrastructure cost, usage, budgets, tagging, rightsizing, commitment coverage, and FinOps governance. Use when asked to explain OCI spend, investigate cost spikes, build savings plans, review underused resources, de...",
+    "summary": "Analyze OCI cost, usage, budgets, tagging, forecasts, commitments, rightsizing, and FinOps governance without turning savings into reliability or security risk.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Billing/Concepts/costanalysisoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Tagging/Concepts/taggingoverview.htm",
+      "https://www.oracle.com/cloud/cost-management-and-governance/"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Cost FinOps Analyst changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-cost-finops-analyst",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-database-platform-dba",
@@ -8623,17 +8684,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate as a ruthless OCI database platform DBA for DB systems, Autonomous Database, Exadata, backups, patching, performance triage, capacity, and IAM-scoped database operations. Use when work touches OCI Database service posture, discov...",
+    "summary": "Operate OCI Database service safely across DB systems, databases, DB homes, Autonomous Database, backups, Data Guard, patching, performance, capacity, and IAM-scoped DBA operations.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Concepts/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/backingupOS.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/usingdataguard.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/patchingDB.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Database Platform DBA changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-database-platform-dba",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-dbtools-sql-analyst",
@@ -8648,17 +8711,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Use OCI Database Tools and database documentation safely for SQL inspection, report definitions, table metadata, and controlled query execution. Use for DBTools connections, read-only SQL analysis, and schema/report exploration.",
+    "summary": "Use OCI Database Tools and database documentation safely for connection inventory, metadata inspection, report review, and controlled read-only SQL analysis.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Database-Tools/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Database-Tools/dbtools_topic-using_the_sql_worksheet.htm",
+      "https://docs.oracle.com/en-us/iaas/database-tools/doc/using-console.html",
+      "https://docs.oracle.com/iaas/database-tools/doc/run-sql-statement-sql-worksheet.html"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Database Tools SQL Analyst changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-dbtools-sql-analyst",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-devops-container-platform-engineer",
@@ -8673,17 +8738,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Engineer and review Oracle Cloud Infrastructure DevOps, OKE, OCIR, build/deploy pipelines, Kubernetes platform, and container runtime workflows. Use when asked to inspect OCI Container Engine clusters, DevOps projects, OCIR repositories,...",
+    "summary": "Engineer and review OCI DevOps, OKE, OCIR, build/deploy pipelines, Kubernetes platform operations, image promotion, IAM, rollout safety, and container reliability.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/ContEng/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/devops/using/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/devops/using/environments.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Registry/home.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI DevOps Container Platform Engineer changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-devops-container-platform-engineer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-exadata-database-architect",
@@ -8698,20 +8765,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, migrate, and operate Oracle Exadata Database Service across OCI, Cloud@Customer, and multicloud destinations with official-source grounding.",
+    "summary": "Design, review, migrate, and operate Oracle Exadata Database Service across OCI Dedicated Infrastructure, Exascale, Cloud@Customer, and Oracle Database multicloud destinations with official-source grounding.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/exadatacloud/index.html",
+      "https://docs.oracle.com/en/engineered-systems/exadata-cloud-service/ecscm/exadata-database-service-dedicated-infrastructure-administrators-guide.pdf",
+      "https://docs.oracle.com/en/engineered-systems/exadata-database-exascale/exdxs/exadata-database-service-exascale-infrastructure-users-guide.pdf",
       "https://docs.oracle.com/en/engineered-systems/exadata-cloud-at-customer/ecccm/index.html",
       "https://docs.oracle.com/en-us/iaas/Content/database-at-azure/overview.htm",
       "https://docs.oracle.com/en-us/iaas/Content/database-at-gcp/overview.htm",
       "https://docs.oracle.com/en-us/iaas/Content/database-at-aws/overview.htm"
     ],
-    "security_notes": "Exadata deployments can expose high-value production databases. Validate IAM/RBAC, network isolation, backup, TDE, maintenance, and operational ownership before changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "Read-only advisory by default. Use least privilege, sanitize evidence, and require explicit approval plus rollback for risky OCI Exadata Database Architect changes.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-exadata-database-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-exadata-platform-architect",
@@ -8726,17 +8794,19 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Design and operate Exadata Database Service across OCI Dedicated Infrastructure, Exadata Cloud@Customer, Oracle Database@Azure, Oracle Database@Google Cloud, and Oracle Database@AWS. Use for Exadata architecture, VM clusters, cloud E...",
+    "summary": "Design and review OCI Exadata Database Service platforms, VM clusters, Exascale, Cloud@Customer, multicloud database placements, capacity, network, backup, patching, and DR without overstating readiness.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/exadatacloud/exacs/exadata-cloud-service-overview.html",
+      "https://docs.oracle.com/en-us/iaas/exadatacloud/doc/exacs-tech-arch.html",
+      "https://docs.oracle.com/en-us/iaas/exadb-xs/index.html",
+      "https://docs.oracle.com/en/engineered-systems/exadata-cloud-service/ecscm/exadata-database-service-dedicated-infrastructure-administrators-guide.pdf"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-exadata-platform-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-fusion-apps-environment-operator",
@@ -8751,17 +8821,19 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Review Fusion Apps as a Service environment families, environments, lifecycle status, availability, and operational readiness. Use for Fusion environment inventory, status checks, change planning, and support evidence.",
+    "summary": "Review OCI Fusion Applications environment families, environments, lifecycle status, maintenance, refresh, access, availability, and support evidence without claiming tenant readiness from docs alone.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/fusion-applications/home.htm",
+      "https://docs.oracle.com/iaas/Content/fusion-applications/overview.htm",
+      "https://docs.oracle.com/iaas/Content/fusion-applications/plan-environment-family.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/fusion-applications/plan-environment.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-fusion-apps-environment-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-goldengate-replication-operator",
@@ -8776,17 +8848,18 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Operate and review Oracle GoldenGate domains, connections, extracts, replicats, checkpoint tables, trails, distribution paths, and replication health. Use for replication setup, lag triage, data movement, and cutover safety.",
+    "summary": "Operate and review OCI GoldenGate deployments, connections, replication pipelines, extracts, replicats, trails, checkpoints, lag, connectivity, and cutover safety with source-grounded evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/goldengate/doc/overview-goldengate.html",
+      "https://docs.oracle.com/en-us/iaas/goldengate/doc/create-connection-goldengate.html",
+      "https://docs.oracle.com/en-us/iaas/goldengate/doc/overview.html"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-goldengate-replication-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-identity-access-governor",
@@ -8801,17 +8874,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern OCI Identity and Access Management with least-privilege policy review, compartment scoping, group/dynamic-group analysis, and safe access-change workflows. Use for OCI IAM policy design, access audits, privilege reduction, identit...",
+    "summary": "Govern OCI IAM policies, compartments, groups, dynamic groups, domains, federation, and least-privilege access changes without approving broad or destructive permissions on weak evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policies.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/dynamicgroups/Working_with_Dynamic_Groups.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/dynamicgroups/managingdynamicgroups.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-identity-access-governor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-iot-digital-twin-engineer",
@@ -8826,17 +8902,16 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and operate OCI IoT digital twin adapters, models, instances, relationships, and domain context. Use for digital twin topology, lifecycle, integration, and safe model/relationship changes.",
+    "summary": "Design and review OCI IoT domains, digital twin models, adapters, instances, relationships, telemetry paths, lifecycle, and safe topology changes without treating model edits as harmless.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/internet-of-things/home.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-iot-digital-twin-engineer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-limits-capacity-planner",
@@ -8851,17 +8926,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI service limits, quotas, capacity availability, regional subscriptions, and growth risk. Use before deployments, migrations, DR expansion, shape changes, OKE scaling, database scaling, or quota increase requests.",
+    "summary": "Review OCI service limits, quotas, subscribed regions, capacity evidence, and growth risk before deployments, migrations, DR expansion, shape changes, OKE scaling, database scaling, or quota requests.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/General/service-limits/default.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Quotas/Concepts/resourcequotas.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Quotas/Concepts/resourcequotas_topic-Available_Quotas_by_Service.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-limits-capacity-planner",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-autonomous-db-lifecycle-guard",
@@ -8876,19 +8952,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard Autonomous Database lifecycle changes \u2014 scale, start, stop, clone, terminate \u2014 with protection-tag enforcement, backup verification, and connection-string impact analysis before any mutation.",
+    "summary": "Guard Autonomous Database lifecycle changes such as scale, start, stop, clone, restore, wallet-impacting changes, and termination with backup, dependency, protection, approval, and rollback evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbscaling.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbstopstart.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbcloning.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbbackingup.htm"
+      "https://docs.oracle.com/en-us/iaas/autonomous-database-serverless/doc/scale-autonomous-database.html",
+      "https://docs.oracle.com/en-us/iaas/autonomous-database-serverless/doc/start-stop-autonomous-database.html",
+      "https://docs.oracle.com/en-us/iaas/autonomous-database-serverless/doc/autonomous-clone.html",
+      "https://docs.oracle.com/en-us/iaas/autonomous-database-serverless/doc/backup-recovery-autonomous.html"
     ],
-    "security_notes": "ADB termination is permanent \u2014 the database and all backups are deleted. Always verify protection tags before any terminate operation. ADB storage scale-up cannot be reversed. Termination blocked by defined-tag protection requires explicit tag removal approval.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-autonomous-db-lifecycle-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-cost-budget-runaway-guard",
@@ -8903,19 +8979,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Gate OCI budget mutations and GPU/HPC shape provisioning against compartment spend limits, with inventory searches, quota audits, and emergency spend-stop playbooks.",
+    "summary": "Gate OCI budget, alert, quota, and high-cost compute actions with spend evidence, owner approval, financial authority, rollback, and emergency stop boundaries.",
     "source_type": "original",
     "official_docs": [
+      "https://docs.oracle.com/iaas/Content/Billing/Concepts/budgetsoverview.htm",
       "https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/managinginstances.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm",
+      "https://docs.oracle.com/iaas/Content/Billing/Tasks/managingalertrules.htm",
       "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm"
     ],
-    "security_notes": "GPU/HPC shapes (BM.GPU4.8, A100, BM.HPC2.36) can generate six-figure monthly costs when left running. Never approve quota increases or budget threshold raises without explicit financial-authority approval. Emergency stop requires Compute operator rights \u2014 escalate if not held.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-cost-budget-runaway-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-iam-policy-compartment-guard",
@@ -8930,19 +9006,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard OCI IAM policy writes and dynamic group changes with verb-hierarchy audit, compartment scope enforcement, anti-pattern detection (any-user/any-group), and rollback via statement restore.",
+    "summary": "Guard live OCI IAM policy and dynamic-group changes with statement-level review, verb hierarchy, compartment scope, broad-principal detection, rollback capture, and explicit approval.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm",
       "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policysyntax.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/iampolicyreference.htm"
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm",
+      "https://docs.oracle.com/iaas/Content/Identity/policyreference/policyreference_topic-Verbs.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Identity/dynamicgroups/managingdynamicgroups.htm"
     ],
-    "security_notes": "Any-user and any-group policies in tenancy root are the most common OCI security misconfiguration. Never approve manage-verb policies at tenancy scope without compartment scoping. Policy deletes take effect immediately with no grace period.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-iam-policy-compartment-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-network-security-rule-guard",
@@ -8957,20 +9033,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard live OCI Security List and NSG rule changes with current-state capture, open-internet and sensitive-port detection, stateful/stateless assessment, and explicit approval before ingress or egress mutation.",
+    "summary": "Guard live OCI Security List and Network Security Group rule changes with current-state capture, open-internet detection, sensitive-port review, stateful/stateless assessment, approval, and rollback evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm",
+      "https://docs.oracle.com/iaas/Content/Network/Concepts/securitylists.htm",
       "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/manage-nsg-security-rules.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/update-securitylist.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityrules.htm",
       "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/path_analyzer.htm"
     ],
-    "security_notes": "oci network security-list update is a full replace \u2014 always capture complete current rules before writing. Never approve 0.0.0.0/0 ingress on database subnets. Enable VCN Flow Logs before any rule change. Prefer NSGs over Security Lists for database VNICs.",
-    "last_verified": "2026-05-01",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-network-security-rule-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-oke-rollout-guard",
@@ -8985,19 +9060,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard OKE deployment rollouts via DevOps Service approval stages with canary and blue-green evidence, rollout health verification, and kubectl rollout undo gates.",
+    "summary": "Guard OCI OKE and DevOps deployment rollouts with approval-stage, canary, blue-green, workload health, rollback, and Kubernetes safety evidence before promotion or rollback.",
     "source_type": "original",
     "official_docs": [
+      "https://docs.oracle.com/en-us/iaas/Content/devops/using/devops_overview.htm",
       "https://docs.oracle.com/en-us/iaas/Content/devops/using/deploy_oke.htm",
       "https://docs.oracle.com/en-us/iaas/Content/devops/using/bgoke_deploy.htm",
       "https://docs.oracle.com/en-us/iaas/Content/devops/using/canaryoke_deploy.htm",
       "https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengoverview.htm"
     ],
-    "security_notes": "Never advance an OKE rollout past an approval stage without rollout status and PDB health evidence. kubectl rollout undo is irreversible in the sense that the prior version may not be identical to the deployed artifact \u2014 confirm target revision before undo.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-oke-rollout-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-resource-manager-stack-guard",
@@ -9012,19 +9088,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard OCI Resource Manager stack plan, apply, and destroy jobs with drift detection, state-version rollback, stack auto-lock awareness, and approval gates.",
+    "summary": "Guard OCI Resource Manager stack plan, apply, destroy, import-state, drift, and state-version decisions with plan review, state-lock awareness, approval, rollback, and blast-radius evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/detect-drift.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/create-job-lock-file.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/home.htm"
+      "https://docs.oracle.com/iaas/Content/ResourceManager/Concepts/resourcemanager.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resource-manager-and-terraform.htm",
+      "https://docs.oracle.com/iaas/Content/ResourceManager/Tasks/detect-drift.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/list-drift.htm"
     ],
-    "security_notes": "OCI Resource Manager auto-locks a stack state during job execution. Never approve an apply or destroy job without a plan-job output review and drift detection evidence. Repo write access does not authorize live OCI infrastructure mutations.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-resource-manager-stack-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-live-vault-key-destruction-guard",
@@ -9039,19 +9115,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Guard Vault master encryption key scheduled-deletion and HSM rotation with data-association audits, key-usage reference checks, deletion-window enforcement, and cancellation playbooks.",
+    "summary": "Guard OCI Vault key deletion, cancellation, disablement, rotation, and HSM/software key lifecycle decisions with usage, dependency, waiting-window, backup, and recovery-limit evidence.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/deletingkeys.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/rotatingkeys.htm",
       "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys.htm"
+      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys_topic-To_delete_a_key.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingvaults_topic-To_delete_a_vault.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/rotatingkeys.htm"
     ],
-    "security_notes": "After the scheduled deletion window expires, HSM-backed keys are cryptographically wiped. All data encrypted exclusively by that key version is permanently unrecoverable. Recovery SLA from OCI Support: NONE. Always use a 30-day window and audit data associations before scheduling.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-live-vault-key-destruction-guard",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-load-balancer-traffic-engineer",
@@ -9066,17 +9142,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, and troubleshoot OCI Load Balancer and Network Load Balancer traffic paths, listeners, backend sets, certificates, health checks, logging, and failover. Use for L7/L4 traffic engineering and availability reviews.",
+    "summary": "Design, review, and troubleshoot OCI Load Balancer and Network Load Balancer traffic paths, listeners, backend sets, certificates, health checks, logging, failover, and exposure risk.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Balance/Concepts/balanceoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingbackendsets.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/NetworkLoadBalancer/Overview/overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managinglisteners.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-load-balancer-traffic-engineer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-maestro",
@@ -9091,19 +9169,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Route OCI tasks to the narrowest specialist or team of specialists from the 31-agent catalog. Classifies by domain, dispatches single or parallel (max 4), and enforces live-guard gate for production-change agents.",
+    "summary": "Route OCI tasks to the narrowest specialist or explicitly approved team, enforce live-guard gates, preserve evidence labels, and refuse unsafe auto-dispatch for destructive or production-changing work.",
     "source_type": "adapted",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/",
       "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/overview.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/securityoverview.htm"
+      "https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/securityoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm"
     ],
-    "security_notes": "Live-guard gate is non-negotiable: never auto-dispatch live-guard agents without explicit human confirmation, blast-radius assessment, and rollback path. OCI vault key destruction and IAM policy deletion are irreversible.",
-    "last_verified": "2026-04-30",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-maestro",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-migration-cutover-architect",
@@ -9118,17 +9196,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Plan OCI migrations and cutovers with Cloud Migrations, dependency discovery, waves, rollback, DNS, data sync, validation, and support readiness. Use for migration assessment, move groups, cutover runbooks, and go/no-go reviews.",
+    "summary": "Plan OCI migrations and cutovers with dependency discovery, waves, replication, DNS, identity, data validation, rollback, support readiness, and go/no-go evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-migration/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-migration/cloud-migration-overview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-migration/cloud-migration-create-migration-project.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-migration-cutover-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-multi-cloud-architect",
@@ -9143,17 +9222,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Design and review OCI multi-cloud architectures connecting Oracle Cloud Infrastructure with AWS, Azure, Google Cloud, on-premises, or SaaS through VPN, FastConnect, Direct Connect, ExpressRoute, Cloud Interconnect, identity federation, D...",
+    "summary": "Design and review OCI-connected multi-cloud architectures across Azure, AWS, Google Cloud, on-premises, and SaaS with routing, identity, DNS, security, observability, cost, latency, and failure-mode evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Network/Concepts/fastconnect.htm",
+      "https://docs.oracle.com/iaas/Content/Network/Concepts/fastconnectoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/routingonprem2.htm",
+      "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-azure-oci-networking",
+      "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-other-providers-oci"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-multi-cloud-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-mysql-heatwave-ai-specialist",
@@ -9168,17 +9250,18 @@
       "kiro",
       "other"
     ],
-    "summary": "OCI Operate and review MySQL HeatWave, MySQL AI, vector/RAG workflows, connection configs, object storage ingestion, and SQL safety. Use for MySQL AI questions, HeatWave ML, vector store loading, and MySQL operational reviews.",
+    "summary": "Review OCI MySQL HeatWave, HeatWave clusters, Lakehouse, AutoML, GenAI, vector/RAG workflows, object storage ingestion, SQL safety, and operational readiness with source-grounded evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/mysql-database/index.html",
+      "https://docs.oracle.com/en-us/iaas/mysql-database/doc/overview-heatwave.html",
+      "https://docs.oracle.com/en/database/mysql/heatwave-aws/database-vector-store.html"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-mysql-heatwave-ai-specialist",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-network-architect",
@@ -9193,17 +9276,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, and troubleshoot OCI networking with safe compartment/region scoping, least-privilege network access, VCN/subnet/routing/security-list/NSG analysis, and evidence-based MCP or CLI discovery.",
+    "summary": "Design, review, and troubleshoot OCI VCNs, subnets, route tables, DRGs, gateways, peering, security lists, NSGs, load balancers, DNS, and connectivity without cargo-cult exposure.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm",
+      "https://docs.oracle.com/iaas/Content/Network/Concepts/securitylists.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/routingonprem2.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/path_analyzer.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-network-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-observability-incident-responder",
@@ -9218,17 +9304,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate as a ruthless OCI observability and incident responder for Monitoring alarms, Logging, Events, Notifications, service health, metrics, runbooks, and IAM-scoped incident response. Use when work touches OCI alarms, telemetry, alert...",
+    "summary": "Triage OCI Monitoring alarms, Logging, Events, Notifications, service health, metrics, runbooks, and responder permissions with scoped evidence and safe containment.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Monitoring/Concepts/monitoringoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Monitoring/Tasks/update-alarm-event.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Logging/",
+      "https://docs.oracle.com/en-us/iaas/Content/Logging/Task/managinglogs.htm",
+      "https://docs.oracle.com/iaas/Content/Logging/Concepts/searchinglogs.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-observability-incident-responder",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-recovery-service-operator",
@@ -9243,17 +9332,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate OCI Recovery Service protected databases, protection policies, recovery service subnets, backup health, redo status, and recovery metrics. Use for database recovery posture, protected database health, and restore readiness.",
+    "summary": "Operate and review OCI Recovery Service protected databases, protection policies, recovery service subnets, backup health, redo status, recovery windows, and restore readiness without confusing backup configuration with recoverability.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/recovery-service/doc/overview-protection-policy.html",
+      "https://docs.oracle.com/en-us/iaas/recovery-service/doc/protected-database-recovery-policy.html",
+      "https://docs.oracle.com/en-us/iaas/recovery-service/doc/supported-recovery-service-policies.html"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-recovery-service-operator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-registry-artifact-governor",
@@ -9268,17 +9358,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Govern OCI Registry repositories, container images, artifact access, retention, promotion, and deployment safety. Use for OCIR repository reviews, image lifecycle, DevOps/OKE integration, and least-privilege push/pull access.",
+    "summary": "Govern OCI Container Registry repositories, container images, Helm/OCI artifacts, public access, retention policies, signatures, vulnerability scanning, provenance, and least-privilege push/pull access.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Registry/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Registry/Concepts/registryoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Registry/Concepts/registryconcepts.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Registry/Tasks/registrymanagingimageretention.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-registry-artifact-governor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-resource-search-inventory-analyst",
@@ -9293,17 +9385,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Build OCI resource inventories and dependency maps using Resource Search, compartments, tags, and cross-service discovery. Use for tenancy inventory, ownership gaps, orphan detection, migration scoping, and architecture evidence collection.",
+    "summary": "Build OCI resource inventories and dependency maps using Resource Search, compartments, tags, lifecycle states, and cross-service discovery without treating partial search visibility as complete tenancy truth.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/Search/home.htm",
+      "https://docs.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/search/resource/structured-search.html",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-resource-search-inventory-analyst",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-security-compliance-reviewer",
@@ -9318,17 +9411,21 @@
       "kiro",
       "other"
     ],
-    "summary": "Review Oracle Cloud Infrastructure security, IAM, network, logging, encryption, and compliance posture. Use when asked to audit OCI policies, compartments, tenancy security, Cloud Guard findings, buckets, vaults, security lists, NSGs, or...",
+    "summary": "Review OCI security, IAM, network exposure, logging, encryption, Cloud Guard, Vulnerability Scanning, Security Zones, and compliance evidence with least-privilege and source-grounded findings.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/security-architecture.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/oci-core-landing-zone.htm",
+      "https://docs.oracle.com/en-us/iaas/cloud-guard/using/trouble.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-guard/using/problems-page-about.htm",
+      "https://docs.oracle.com/en-us/iaas/scanning/using/scanning-with-cloud-guard.htm",
+      "https://docs.oracle.com/en-us/iaas/security-zone/using/security-zones.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-security-compliance-reviewer",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-solution-architect",
@@ -9343,17 +9440,20 @@
       "kiro",
       "other"
     ],
-    "summary": "Design, review, and stress-test Oracle Cloud Infrastructure solution architectures across identity, compartments, networking, compute, database, storage, observability, security, reliability, cost, and operations. Use when asked for OCI...",
+    "summary": "Design and stress-test OCI solution architectures across identity, compartments, networking, compute, database, storage, observability, security, reliability, cost, and operations with evidence-backed tradeoffs.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/home.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/oci-core-landing-zone.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/iam-security-structure.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/security-architecture.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-solution-architect",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-storage-backup-steward",
@@ -9368,17 +9468,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Operate as a ruthless OCI storage and backup steward for Object Storage, Block Volume, File Storage, backup policies, retention, replication, lifecycle rules, restore readiness, and IAM-scoped storage operations. Use when work touches OC...",
+    "summary": "Steward OCI storage and backup posture with source-grounded checks for Object Storage, Block Volume, File Storage, retention, lifecycle rules, replication, restore testing, and least-privilege storage access.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/iaas/Content/Object/Tasks/usinglifecyclepolicies.htm",
+      "https://docs.oracle.com/iaas/Content/Block/Tasks/backingupavolume.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm",
+      "https://docs.oracle.com/en-us/iaas/disaster-recovery/doc/how-disaster-recovery-works.html"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-storage-backup-steward",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-support-incident-coordinator",
@@ -9393,17 +9495,18 @@
       "kiro",
       "other"
     ],
-    "summary": "Coordinate OCI support incidents with evidence quality, severity discipline, resource scope, timelines, and escalation readiness. Use for support tickets, incident evidence packs, Oracle SR preparation, and post-incident follow-up.",
+    "summary": "Coordinate OCI support incidents without leaking secrets or identifiers, using documented support-request behavior, sanitized timelines, severity rationale, ownership, and actionable escalation evidence.",
     "source_type": "adapted",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm",
-      "https://www.oracle.com/cloud/"
+      "https://docs.oracle.com/en-us/iaas/Content/GSG/support/list-incidents.htm",
+      "https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.48.2/oci_cli_docs/cmdref/support/incident/list.html",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm"
     ],
-    "security_notes": "OCI skills may inspect or mutate cloud resources. Use least-privilege credentials, read-only discovery first, and explicit approval for changes.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-support-incident-coordinator",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-waf-cost-optimization-review",
@@ -9418,18 +9521,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI workload cost posture across compute rightsizing, Ampere A1 adoption, Universal Credits coverage, tagging compliance, idle resource elimination, and OCI Cost Management tooling aligned to OCI Architecture Best Practices.",
+    "summary": "Review OCI Well-Architected cost posture with documented Cost Analysis, Budgets, Cloud Advisor, usage API, tagging, ownership, forecast caveats, and safe-change approval gates.",
     "source_type": "original",
     "official_docs": [
-      "https://docs.oracle.com/en-us/iaas/Content/Billing/home.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/CloudAdvisor/home.htm",
-      "https://www.oracle.com/cloud/pricing/"
+      "https://docs.oracle.com/en-us/iaas/Content/Billing/Concepts/costanalysisoverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/managingbudgets.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/CloudAdvisor/Concepts/cloudadvisoroverview.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm"
     ],
-    "security_notes": "Read-only advisory. Do not delete resources, cancel commitments, or modify compartment structures without explicit approval and resource inventory confirmation.",
-    "last_verified": "2026-05-09",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-waf-cost-optimization-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-waf-reliability-review",
@@ -9444,18 +9548,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI workload reliability posture across AD/FD redundancy, load balancing, database HA, backup and replication, Full Stack DR orchestration, and recovery testing aligned to OCI Architecture Best Practices.",
+    "summary": "Review OCI Well-Architected reliability posture with source-grounded checks for regions, domains, backups, replication, alarms, Full Stack DR, RTO/RPO, restore drills, and operational runbooks.",
     "source_type": "original",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm",
-      "https://docs.oracle.com/en-us/iaas/disaster-recovery/index.html",
-      "https://docs.oracle.com/en-us/iaas/Content/ContEng/home.htm"
+      "https://docs.oracle.com/en-us/iaas/disaster-recovery/doc/how-disaster-recovery-works.html",
+      "https://docs.oracle.com/en-us/iaas/disaster-recovery/doc/overview-protection-groups.html",
+      "https://docs.oracle.com/iaas/Content/Block/Tasks/backingupavolume.htm"
     ],
-    "security_notes": "Read-only advisory. Do not modify backup policies, DR plans, or autoscaling configurations without explicit approval.",
-    "last_verified": "2026-05-09",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-waf-reliability-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "oci-waf-security-review",
@@ -9470,19 +9575,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Review OCI workload security posture across IAM, compartments, network isolation, encryption, threat detection, and compliance guardrails aligned to OCI Architecture Best Practices and CIS OCI Benchmark.",
+    "summary": "Review OCI Well-Architected security posture with source-grounded checks for IAM, network exposure, encryption, logging, Cloud Guard, Security Zones, Vulnerability Scanning, and evidence-labeled findings.",
     "source_type": "original",
     "official_docs": [
       "https://docs.oracle.com/en-us/iaas/Content/Security/Reference/security_guide.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/CloudGuard/home.htm",
-      "https://docs.oracle.com/en-us/iaas/Content/SecurityZone/home.htm",
-      "https://www.cisecurity.org/benchmark/oracle_cloud"
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-guard/home.htm",
+      "https://docs.oracle.com/en-us/iaas/scanning/using/scanning-with-cloud-guard.htm",
+      "https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/security-strategy.htm"
     ],
-    "security_notes": "Read-only advisory. Do not modify IAM policies, compartment structures, Security Zones, or Cloud Guard configurations without explicit approval. Work from OCI audit logs, Cloud Guard findings, or sanitized architecture descriptions.",
-    "last_verified": "2026-05-09",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-05",
     "path": "skills/oci/oci-waf-security-review",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.1"
   },
   {
     "id": "opentelemetry-collector-config-review",
@@ -9527,18 +9632,19 @@
       "kiro",
       "other"
     ],
-    "summary": "Ground Oracle, OCI, SQLcl, database, and MCP recommendations in official Oracle sources before advising.",
+    "summary": "Ground Oracle, OCI, SQLcl, database, and Model Context Protocol advice in official Oracle sources, documented tool behavior, source verification, least-privilege boundaries, and read-only evidence discipline.",
     "source_type": "original",
     "official_docs": [
       "https://www.oracle.com/mcp",
       "https://github.com/oracle/mcp",
-      "https://docs.oracle.com/en-us/iaas/Content/home.htm"
+      "https://www.oracle.com/database/model-context-protocol-mcp/",
+      "https://docs.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/"
     ],
-    "security_notes": "Oracle database and OCI MCP tools can expose sensitive data or mutate cloud resources. Verify auth model and permissions before recommending use.",
-    "last_verified": "2026-04-27",
+    "security_notes": "OCI skills must use official documentation and read-only discovery first, keep identifiers and secrets out of prompts and committed docs, and require explicit approval before mutations.",
+    "last_verified": "2026-06-06",
     "path": "skills/oci/oracle-oci-mcp-grounded-advisor",
     "author": "github: Raishin",
-    "version": "0.1.0"
+    "version": "0.1.2"
   },
   {
     "id": "ovhcloud-cost-finops-analyst",
@@ -11915,4 +12021,4 @@
     ],
     "security_notes": "Advisory only. Never accepts customer-identifying AR data or payment instructions."
   }
-]
+]