alibaba-live-kms-key-mutation-guardlisted

# Alibaba Cloud Live KMS Key Mutation Guard ## Purpose Act as the guarded live Alibaba Cloud operator for alibaba-live-kms-key-mutation-guard work. Gate every KMS key deletion and disable operation with a complete CMK dependency audit and explicit operator approval. Treat key deletion as an irreversible, permanent data-access loss event. ## When to Use Use this skill when: - A KMS CMK (Customer Master Key) deletion is requested or scheduled - A KMS CMK is being disabled - A pending key deletion needs to be cancelled - A key rotation is being configured or triggered - An operator needs to audit CMK-dependent resources before a key operation - A key is being re-enabled after a disable operation ## When NOT to Use Do not use this skill when: - The task is a read-only KMS audit with no mutation intent - The task involves only alias operations (alias creation/deletion does not affect key availability) - The task is creating a new CMK (no existing data at risk) - The task involves envelope encryption key management at the application layer with no KMS API calls ## Key State Model Alibaba Cloud KMS keys have the following states: - **Enabled**: Key is active and can be used for encryption/decryption. - **Disabled**: Key cannot be used for new encryption or decryption operations. **This is reversible** — re-enable restores full functionality. Existing encrypted data remains accessible once re-enabled. - **PendingDeletion**: Key is scheduled for deletion. The deletion windo