From oci-administrator
Administers, audits, and troubleshoots OCI tenancies across IAM, networking, security, observability, and compute. Routes deep OKE, GenAI, and database work to domain skills.
Slash command: /oci-administrator:oci-administrator
Operate any OCI tenancy safely. This skill routes administrative requests to one of ten domain skills (plus the oci-project lifecycle orchestrator for project-wide work), all sharing one tenancy-safety core.
Scope: this pack is the default entry point for OCI tenancy administration — broad infrastructure and control-plane work across the ten domains below, all gated by the safety core. It is complementary to the official oracle/skills collection, which goes deep on a few capabilities. Catch the request here (so tenancy preflight, redaction, and the destructive-op guard apply), then hand off the deep work:
- oracle/skills oci/oke. We own OKE provisioning, IAM, and network basics.
- oracle/skills oci/enterprise-ai. We observe agent traces and provision the surrounding guardrails.
- oracle/skills db/. We handle the OCI services around the database (DBM, OPSI, Data Safe, ADB provisioning).
- oracle/skills fusion/ only when that domain grows beyond its current placeholder skeleton.

The full routing contract — coverage matrix, hand-off rules, shared conventions — is in references/oracle-skills-alignment.md.
dev, prod, etc. resolve to a
profile + compartment + region (see
references/named-contexts.md):
```bash
eval "$(scripts/oci_context.py use dev)"   # sets profile/region/compartment
./scripts/oci_preflight.sh -c "${OCI_SKILLS_COMPARTMENT:-<COMPARTMENT_OCID>}"
python3 scripts/kb_lookup.py "symptom words"
```
When installed as a plugin, these wrap the safety core so the user works by name:
| Command | Does |
|---|---|
| /oci-administrator:context | Manage named contexts (name → profile + compartment + region). |
| /oci-administrator:preflight | Confirm the target tenancy/compartment by name (read-only gate). |
| /oci-administrator:audit | Read-only IAM posture snapshot. |
| /oci-administrator:cost | Read-only cost, usage & budget summary. |
| /oci-administrator:logan | Read-only Log Analytics (OCL) query with a time window. |
| /oci-administrator:orm | Read-only Resource Manager overview (stacks + latest job). |
| /oci-administrator:datasafe | Read-only Data Safe overview (targets + assessment state). |
| /oci-administrator:kb | Search the KB for a known fix. |
| /oci-administrator:troubleshoot | KB-first, route to domain, propose a gated fix. |

| Request mentions… | Plugin | Reference |
|---|---|---|
| users, groups, dynamic groups, policies, compartments, budgets, quotas, service limit, tags, regions, named context | oci-iam-admin | references/iam-tenancy.md |
| Cloud Guard, Vault/KMS, Security Zones, WAF, CIS, ISO-42001, compliance, policy review, audit logs, credential, instance principal, auth mode | oci-security-compliance | references/security-compliance.md |
| APM, Monitoring, alarm, dashboard, Database Management, Operations Insights, metric, autonomous database, GenAI, agent trace, trace integrity, OpenTelemetry, agent episode | oci-observability-db | references/observability-db.md |
| ADB/ADW/ATP lifecycle, provision, create autonomous database, start/stop/scale, wallet, generate-wallet, rotate wallet, TNS_ADMIN, whitelisted-ips/ACL, DSN service level, oracledb, SQLAlchemy oracle+oracledb, Alembic on Oracle, clone, restore, SQLcl, execute SQL, blocking sessions, wait events, top SQL, SQL plan, DBMS_XPLAN | oci-autonomous-db | references/autonomous-db.md |
| VCN, subnet, NSG, network security group, route table, gateway, load balancer, OKE, kubectl, compute, instance, image, OCIR | oci-networking-compute | references/networking-compute.md |
| cost, spend, usage, billing, invoice, forecast, FinOps, cost-tracking tag, Usage API | oci-cost | references/cost-management.md |
| Log Analytics, Logan, OCL/LQL query, Log Source, parser, log group, entity, saved/scheduled search, detection, Sigma→OCI | oci-log-analytics | references/log-analytics.md |
| Resource Manager, ORM, RMS, Terraform stack, plan/apply/destroy job, tfstate, drift, schema.yaml, "deploy to Oracle Cloud" | oci-resource-manager | references/resource-manager.md |
| Data Safe, target database registration, security/user assessment, activity auditing, data discovery, data masking | oci-data-safe | references/data-safe.md |
| Functions, fn deploy, Events rule, eventType, Notifications/ONS, Service Connector Hub, SCH, serverless, event-driven | oci-events-functions | references/events-functions.md |
| new project, bootstrap, scaffold, set up a project, project status, project health, deploy a project, tear down, decommission, project guardrails, project lifecycle | oci-project | references/project-workflow.md |
Each domain skill lives in skills/<name>/SKILL.md and leans on this shared core.
oci-project sits above the ten domains: it sequences them for whole-project
work (bootstrap → status → deploy → teardown), scoped to one project compartment.
Designing a new solution for a customer? When the request is a requirement
("the customer needs a PCI-scoped 3-tier web app", "a landing zone for three
teams") rather than a service operation, start at Stage 0 — Design:
references/solution-authoring.md walks
discovery → Well-Architected requirements → reference architecture → guardrail
design → cost → build → validate, producing a Solution Blueprint that feeds
oci-project bootstrap. It is read-only (writes a blueprint, not resources) and
grounded in Oracle's Architecture Center / Cloud Adoption Framework.
Related: MCP gateway (non-official). This pack is the authoritative,
safety-gated CLI/SDK path. The oci-mcp-gateway is community / self-hosted
glue, not an Oracle product — no docs.oracle.com page, no support path. When
an agent runtime already speaks MCP it can use the gateway (an OKE-deployed
aggregator of the logan / oci / security / finops / db-observatory backends
behind one authenticated /mcp endpoint, tools namespaced backendname_toolname)
as an optional read-surface only. Rule of thumb: route mutations, preflight,
and redaction through these skills, and ground all claims in official docs;
never treat the gateway as a source of truth — see
references/mcp-gateway.md.
Many requests span domains. Sequence them; each domain skill has its own intra-domain flow table.
| Task | Sequence |
|---|---|
| "What's going on in this tenancy?" | oci_preflight.sh → iam_audit.py (posture) → oci_cost.sh (spend) → oci-security-compliance cloud-guard problem list (open risks) |
| Investigate a cost spike | oci-cost spend-by-service → localize by compartment → oci-log-analytics Audit query for who created it → oci-iam-admin budget + alert |
| Triage a security finding | oci-security-compliance Cloud Guard problem → oci-log-analytics audit trail around the event → remediate in the owning domain → re-scan |
| Stand up a guardrailed workload | oci-iam-admin (compartment + scoped policy + budget) → oci-networking-compute (VCN/subnet/NSG) → oci-resource-manager (reviewed stack apply) |
| Onboard a database for observability | oci-observability-db (enable DBM/OPSI) → oci-data-safe (register + Security Assessment) → oci-observability-db (alarms on the DB) |
- get/list first; treat 409 Conflict as "exists".
- confirm / run_mutating from common.sh. Honor OCI_SKILLS_DRY_RUN=true and OCI_SKILLS_FORCE=true.
- redact / scripts/redact.py; use <PLACEHOLDER> tokens in docs.
- oci_cli. It negotiates auth mode, profile, and region.

| Script | Purpose |
|---|---|
| scripts/common.sh | Shared helpers (auth, validation, dry-run, redaction). |
| scripts/oci_context.py | Named contexts (name → profile + compartment + region); no OCIDs to memorize. |
| scripts/oci_preflight.sh | Confirm tenancy/compartment before mutating. |
| scripts/iam_audit.py | Read-only IAM posture snapshot (SDK). |
| scripts/oci_cost.sh | Read-only cost/usage by service + budgets (FinOps). |
| scripts/oci_logan.sh | Read-only Log Analytics (OCL) query with a friendly time window. |
| scripts/oci_orm.sh | Read-only Resource Manager overview (stacks + latest job state). |
| scripts/oci_datasafe.sh | Read-only Data Safe overview (targets + assessment state). |
| scripts/oci_cli_help.py | Fetch the EXACT flags/subcommands of an oci command (never invent them). |
| scripts/redact.py | Mask OCIDs/IPs/secrets in text or JSON (CI gate). |
| scripts/kb_lookup.py | Search references/KB.md for a known fix. |
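
The redaction convention above (mask OCIDs, IPs and secrets; use placeholder tokens; gate CI on leftovers) can be sketched as follows. This is an added example, not the pack's scripts/redact.py; the regexes, the `SECRET_KEYS` list, the placeholder names and the sample record are assumptions. Each distinct value gets a stable numbered token so redacted evidence stays correlatable.

```python
import ipaddress
import re

# OCID layout: ocid1.<type>.<realm>.[region][.future use].<unique id>
OCID_RE = re.compile(
    r"\bocid1\.[a-z0-9_]+\.[a-z0-9-]+\.[a-z0-9-]*\.[a-z0-9.]*[a-z0-9]", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SECRET_KEYS = {"password", "secret", "token", "auth_token", "private_key"}  # assumed

def is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False  # dotted quad out of range, e.g. 999.1.1.1

class Redactor:
    """Maps each distinct OCID/IP to a stable numbered placeholder."""
    def __init__(self):
        self.seen = {}

    def _token(self, kind, value):
        key = (kind, value.lower())
        if key not in self.seen:
            n = 1 + sum(1 for k in self.seen if k[0] == kind)
            self.seen[key] = f"<{kind}_{n}>"
        return self.seen[key]

    def text(self, s):
        s = OCID_RE.sub(lambda m: self._token("OCID", m.group(0)), s)
        return IPV4_RE.sub(lambda m: self._token("IP", m.group(0))
                           if is_ipv4(m.group(0)) else m.group(0), s)

    def obj(self, o):
        # Walk parsed JSON; values under secret-looking keys are masked whole.
        if isinstance(o, dict):
            return {k: "<SECRET>" if k.lower() in SECRET_KEYS else self.obj(v)
                    for k, v in o.items()}
        if isinstance(o, list):
            return [self.obj(v) for v in o]
        return self.text(o) if isinstance(o, str) else o

def leaks(s):
    """CI gate: OCIDs and IPv4 addresses still present in s."""
    return OCID_RE.findall(s) + [ip for ip in IPV4_RE.findall(s) if is_ipv4(ip)]

SAMPLE = {  # constructed record, not real tenancy data
    "id": "ocid1.instance.oc1.phx.exampleuniqueid1",
    "note": "seen ocid1.instance.oc1.phx.exampleuniqueid1 in "
            "ocid1.compartment.oc1..exampleuniqueid2 at 10.0.1.5",
    "auth_token": "constructed-not-a-real-token",
}
```

A CI step would fail the build whenever `leaks()` returns a non-empty list for any file about to be committed or posted.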
**Finding** — concrete state/issue and the domain + tenancy (names, not OCIDs).
**Evidence** — file/line, redacted CLI/API result, or log line.
**Action** — exact command(s); destructive ones gated by confirm/dry-run.
**Verification** — checks run and result.
**KB** — KB entry used, or new KB-<n> added.
OCI Documentation (home) · OCI CLI / SDK configuration.
Open Knowledge Format grounding — every doc link across this pack is registered and liveness-checked in the oracle-docs.md index (the single source of truth, patterned on the Open Knowledge Format). It routes to ten domain skills, each of which carries the same grounding contract. When building a new OCI customer solution on this pack, cite the most specific official page through that index so every claim stays verifiable; the non-official MCP gateway is never a source of truth.
npx claudepluginhub adibirzu/oci-skills --plugin oci-administrator