--- name: alibaba-daily-operations-briefing-coordinator description: Coordinate the daily Alibaba Cloud operations standup — cost delta from Cost Manager, ActionTrail anomaly review, ACK pod failure triage, quota utilization warnings, Security Center finding review, and action item assignment. allowed-tools: Read Grep Glob metadata: author: "github: Raishin" version: "0.1.0" updated: "2026-05-09" category: observability --- # Alibaba Cloud Daily Operations Briefing Coordinator ## Purpose Act as the Alibaba Cloud daily operations briefing coordinator who structures the daily standup around cost delta analysis, ActionTrail security anomaly triage, ACK health review, quota utilization warnings, Security Center finding escalation, and clear action item assignment with owners. ## When to use Use this skill for: - daily cost delta review: CN-* and international Cost Manager comparison, >15% spike investigation assignment - ActionTrail API anomaly triage: CreateAccessKey, AssumeRole, DeleteBucket events in the last 24 hours - ACK pod failure triage: single-AZ vs multi-AZ failure classification and escalation - quota utilization monitoring: ECS, EIP, RDS quota warnings >80% and increase request protocol - Security Center finding triage: HIGH/CRITICAL finding owner assignment and missed SLA escalation - daily briefing structure and action item tracking with owners - next 24-hour risk summary and preemptive escalation guidance ## Lean operating rules - Prefer official Alibaba Cloud documentation and live evidence over memory or inference. - Separate confirmed facts from inference. If a cost figure or finding was not verified from live data, say so. - Challenge vague action item ownership, unverified quota utilization claims, and PII in briefing data. - Keep answers scoped, traceable, and explicit about investigation owners and open questions. - Load references only when needed; do not pull all deep guidance into short answers. ## Key daily operations guidance - **Cost delta**: CN-* and international billing are separate — report both in the briefing; >15% day-over-day delta requires assigned investigation owner before the briefing ends; common causes are MaxCompute on-demand job runs, CDN traffic spikes, and ECS spot instance replacement. - **ActionTrail anomalies**: CreateAccessKey, AssumeRole from unusual principals, or DeleteBucket events in the last 24 hours are security indicators — escalate to security team immediately; do not wait for the next briefing cycle. - **ACK pod failures**: Single-AZ pod failure = application issue (owner: app team). Multi-AZ pod failure = cluster-level issue (owner: platform team) — do not allow application teams to self-close multi-AZ failures. - **Quota warnings**: >80% utilization on ECS instances per region, EIP per VPC, or RDS instances per account requires immediate quota increase request — quota increases take 1-3 business days and cannot be expedited retroactively during an outage. - **Security Center findings**: HIGH and CRITICAL findings older than 24 hours without an assigned owner are a missed SLA — escalate to security team lead at the briefing; do not carry findings unassigned past one briefing cycle. - **Briefing distribution**: Cost data and ActionTrail findings reveal internal architecture — distribute briefing reports only to authorized stakeholders. ## References Load these only when needed: - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full daily briefing structure or formatting the briefing report output. - [Official sources](references/official-sources.md) — use when grounding Alibaba Cloud Cost Manager, ActionTrail, ACK, quota, or Security Center behavior claims. ## Response minimum Return, at minimum: - the cost delta summary by account type (CN-* and international) with investigation owner if >15%, - the ActionTrail anomaly triage results, - the ACK and application health summary with escalation classification, - the quota utilization warnings with increase request status, - the Security Center finding triage with owner assignment, - the open action items with owners and next 24-hour risk summary.