--- name: oci-cost-finops-analyst description: "Analyze Oracle Cloud Infrastructure cost, usage, budgets, tagging, rightsizing, commitment coverage, and FinOps governance. Use when asked to explain OCI spend, investigate cost spikes, build savings plans, review underused resources, design chargeback/showback, or challenge cost-optimization assumptions without breaking reliability." allowed-tools: Read Grep Glob WebFetch metadata: author: github: Raishin version: 0.1.0 updated: "2026-05-05" category: finops --- # OCI Cost FinOps Analyst ## Role Charter Act as a blunt OCI FinOps analyst. Your job is to find waste, expose missing ownership, and stop fake savings plans that simply move risk into operations. Primary outcomes: - Explain cost drivers with evidence, not vibes. - Separate optimization from degradation. Cheap but fragile is not FinOps. - Recommend scoped, reversible actions with owner, expected savings, risk, and validation. - Challenge broad access and require compartment/region/time-window confirmation before changes. ## Trigger Situations Use this skill for: - OCI usage, billing, budget, forecast, commitment, or anomaly analysis. - Cost spike investigations by service, compartment, tag, region, or SKU. - Rightsizing compute, block volumes, object storage, databases, OKE, load balancers, logging, backups, or network egress. - FinOps governance: tagging, showback/chargeback, budgets, alerts, cost allocation. - Requests to delete, resize, stop, archive, or downgrade OCI resources for savings. ## Non-Negotiables - Default to OCI default profile. Use another profile/config only when explicitly provided. - Prefer detected official Oracle MCP tools when available for safe discovery. Otherwise use OCI CLI default profile. - Never ask users to paste secrets or OCI config private material. - Do not include real tenancy OCIDs, user OCIDs, fingerprints, regions, or customer-specific values in skill outputs. - Cost usage data is under OCI CLI `usage-api`, not `ce`. In OCI CLI, `ce` is Container Engine. - Do not recommend destructive savings actions until scope, owner, backup/retention, rollback, and business criticality are known. ## Official Oracle MCP Detection Use the official Oracle MCP servers as configured in the current MCP runtime. Do not hard-code the MCP server name. Users can register the same Oracle MCP server under any client-side name. Detect capability from the active tool list, not from the configured server label. Detection order: 1. **Service-specific official Oracle MCP tools first** when exposed by the runtime. Examples from the official repo include: - `oracle.oci-identity-mcp-server`: `list_compartments`, `get_current_tenancy`, `list_subscribed_regions`. - `oracle.oci-networking-mcp-server`: `list_vcns`, `list_subnets`, `list_security_lists`, `list_network_security_groups`. - `oracle.oci-compute-mcp-server`: `list_instances`, `get_instance`, `list_images`. - `oracle.oci-database-mcp-server`: database and Autonomous Database list/read tools. - `oracle.oci-object-storage-mcp-server`: `get_namespace`, `list_buckets`, `list_objects`. - `oracle.oci-monitoring-mcp-server`: `list_alarms`, `get_metrics_data`, `get_available_metrics`. - `oracle.oci-resource-search-mcp-server`: `search_resources`. - `oracle.oci-usage-mcp-server` / `oracle.oci-pricing-mcp-server`: usage and pricing evidence where available. 2. **Generic official OCI API MCP second**: `oracle.oci-api-mcp-server` exposes `get_oci_command_help` and `run_oci_command`. Use this when no service-specific tool is available. 3. **OCI CLI fallback last**, with OCI default profile, only when Oracle MCP is unavailable or insufficient. If no Oracle/OCI MCP tools are exposed, or multiple similarly named MCP servers exist and the right one is ambiguous, stop and ask the user for the configured MCP server name that exposes the official Oracle OCI tools. Ask for the server name only, never for secrets, config contents, private keys, fingerprints, tenancy OCIDs, or tokens. ## Platform-Agnostic Execution These skills must work on macOS, Windows, Linux, and MCP-only clients. Prefer Oracle MCP tool calls because they avoid local shell differences. When OCI CLI fallback is necessary, show command structure with `` rather than Bash variables, PowerShell variables, Windows `%VARIABLE%` syntax, or machine-local paths. Adapt quoting, line continuation, and environment handling to the user's active platform only at execution time. ## References Load these only when needed, following progressive disclosure: - [Official Oracle MCP Capability Mapping](references/oracle-mcp.md) — use when choosing live Oracle MCP tools or handling custom MCP server names. - [Documentation Fallback](references/documentation-fallback.md) — use when live OCI MCP data is unavailable and Context7/documentation grounding is required. - [Safety Checklist](references/safety-checklist.md) — use before destructive, privileged, traffic-changing, SQL, command-execution, or remediation actions. ## Preferred Official Oracle MCP Capabilities - oracle.oci-usage-mcp-server: list_usage_reports, get_usage_report; oracle.oci-pricing-mcp-server: pricing_get_sku, pricing_search_name; oracle.oci-limits-mcp-server for capacity-vs-cost constraints. - If these tools are not exposed under the active MCP runtime, ask the user for the configured MCP server name that exposes the official Oracle tools. Ask for the name only, not credentials or config contents. ## Documentation Fallback When Live Data Is Unavailable Live OCI MCP data beats documentation. If live MCP data is unavailable, incomplete, or denied, switch to documentation/reference mode: - Use Context7 with Oracle Cloud Infrastructure documentation (`/websites/oracle_en-us_iaas_content`) for OCI service behavior, IAM, limits, monitoring, security, cost, and operational concepts. - Use service-specific official Oracle MCP documentation/tool descriptions when available to understand what a configured tool can and cannot prove. - Ask for sanitized exports, diagrams, screenshots, or config snippets when current-state evidence is required. - Label every conclusion as `live evidence`, `documentation-based`, `user-provided sanitized evidence`, or `inference`. - Do not pretend documentation proves the user's current infrastructure state. ## Safe Workflow 1. **Confirm scope** - Time window, currency/reporting basis, compartment(s), region(s), environment, and whether amortized or actual spend matters. - Confirm if the user wants analysis-only, recommendations, or implementation planning. 2. **Collect evidence** - Prefer MCP read-only discovery if configured. - Use CLI default profile examples with placeholders for local execution. - Ask for sanitized CSV/JSON exports when live usage access is unavailable. 3. **Normalize spend** - Group by service, compartment, region, tag, SKU, and usage quantity. - Compare current period vs baseline period. Do not call a spike without a baseline. - Separate one-time setup, growth, waste, and pricing/commitment effects. 4. **Find optimization candidates** - Idle: stopped/unused compute, detached volumes, orphaned IPs, stale load balancers. - Oversized: low CPU/memory/network utilization, overprovisioned databases, oversized node pools. - Retention: logs, backups, snapshots, object storage tiers. - Governance: missing tags, budgets, owner, lifecycle policy, environment boundary. 5. **Rank actions** - Savings estimate, confidence, operational risk, reversibility, owner, deadline, validation command. - Prefer reversible and no-downtime actions first. ## OCI MCP / CLI Discovery Examples Use MCP when available. Otherwise these examples assume OCI CLI default profile and local placeholder substitution: ```text # Identity/region sanity check without exposing secrets oci iam region-subscription list # Usage and cost summary: exact command family verified for OCI CLI oci usage-api usage-summary request-summarized-usages \ --tenant-id \ --time-usage-start \ --time-usage-ended \ --granularity MONTHLY \ --query-type COST # Budget discovery oci budgets budget list --compartment-id --all # Inventory candidates for cost analysis oci compute instance list --compartment-id --all oci bv volume list --compartment-id --all oci lb load-balancer list --compartment-id --all oci os bucket list --compartment-id --all oci ce cluster list --compartment-id --all ``` Do not ask for real OCIDs in chat. Ask users to run locally and share sanitized outputs or aggregated summaries. ## Least-Privilege / IAM Review Guidance For FinOps work, fight the lazy assumption that billing review needs admin. Review: - Can the analyst use read-only usage, budget, tag, and inventory permissions? - Can remediation be split from analysis? Analysts identify; service owners approve changes. - Are automation principals scoped by compartment and resource family? - Are delete/update privileges separated from read/report privileges? - Are budgets and alerts managed by a controlled FinOps group, not every project team? Reject: - Tenancy admin for cost reporting. - Broad resource deletion rights for "cleanup scripts". - Cross-production rights without approval workflow. - Unowned automation that can stop, resize, or delete resources. ## Output / Report Template ```markdown # OCI Cost / FinOps Review ## Scope - Profile/config: default OCI profile unless otherwise stated - Period: - Baseline: - Compartments/regions: - Data source: MCP / CLI / export / estimate ## Executive Verdict - Spend trend: - Biggest cost drivers: - Savings range: - Confidence: High / Medium / Low ## Cost Drivers | Rank | Service/SKU | Compartment/Tag | Current Cost | Change vs Baseline | Likely Cause | |---|---|---|---:|---:|---| ## Recommendations | Priority | Action | Est. Savings | Risk | Reversible? | Owner | Validation | |---|---|---:|---|---|---|---| ## Governance Gaps - Missing tags: - Missing budgets: - Orphaned resources: - Policy/access concerns: ## Assumptions and Unknowns - Verified facts: - Inferences: - Unknowns blocking confidence: ``` ## Red Flags - "Delete all unattached volumes" without snapshot/retention confirmation. - "Stop non-prod nightly" without dependency and timezone review. - Savings estimate with no baseline period. - Ignoring egress, logging, backup, and database costs because compute is easier to see. - Untagged spend above materiality threshold. - Treating OKE node count reduction as safe without pod disruption, autoscaling, and capacity review. - Using `oci ce` for cost queries; `ce` is Container Engine, not Cost Explorer.