diff --git a/.agents/plugins/marketplace.json b/.agents/plugins/marketplace.json index a635cd93..19a840fe 100644 --- a/.agents/plugins/marketplace.json +++ b/.agents/plugins/marketplace.json @@ -1139,6 +1139,21 @@ "description": "Generate compact first-pass repository briefings for coding agents before deeper exploration.", "icon": "./plugins/Rothschildiuk/context-pack/skills/context-pack/assets/context-pack-small.svg" }, + { + "name": "costguard", + "displayName": "Maestro: Costguard", + "source": { + "source": "local", + "path": "./plugins/mbanderas/costguard" + }, + "policy": { + "installation": "AVAILABLE", + "authentication": "ON_INSTALL" + }, + "category": "Tools & Integrations", + "description": "Cost auditor for Codex that flags CI/cron and cloud-spend waste via read-only provider checks, then previews and applies surgical CI workflow fixes locally without writing to provider accounts or pushing git.", + "icon": "./plugins/mbanderas/costguard/assets/icon.png" + }, { "name": "dataproduct-builder-dbt", "displayName": "Data Product Builder for dbt", diff --git a/README.md b/README.md index 63d31fb5..e3eba208 100644 --- a/README.md +++ b/README.md 
@@ -172,8 +172,8 @@ Third-party plugins built by the community. [PRs welcome](#contributing)! - [Flaky Detector](./plugins/mturac/flaky-detector) - Run a test command N times, report per-test flakiness %. - [Frappe Agent](https://github.com/Dkm0315/frappe-agent) - Frappe and ERPNext coding, customization, bench, and review intelligence for Codex. - [GCF Proxy](https://github.com/blackwell-systems/gcf-codex-plugin) - Save 71% on MCP tool call tokens by wrapping any server with GCF encoding, with session stats hook and setup skill. -- [GrayMatter](https://github.com/ValkyrLabs/GrayMatter) - Durable memory and shared graph state for Codex and OpenClaw agents, with live ValkyrAI schema awareness. - [Generative Media Skills](https://github.com/SamurAIGPT/Generative-Media-Skills) - 13 skills for image, video, and audio generation using 100+ models - FLUX, Midjourney v7, Veo3, Kling 3.0, Suno, and HunyuanVideo via muapi.ai. +- [GrayMatter](https://github.com/ValkyrLabs/GrayMatter) - Durable memory and shared graph state for Codex and OpenClaw agents, with live ValkyrAI schema awareness. - [HOL Guard Plugin](https://github.com/hashgraph-online/hol-guard-plugin) - AI antivirus workflow for Codex, Claude Code, Cursor, Gemini, OpenCode, MCP servers, skills, and plugin release checks with local approvals and receipts. - [HOTL Plugin](https://github.com/yimwoo/hotl-plugin) - Human-on-the-Loop AI coding workflow plugin for Codex, Claude Code, and Cline with structured planning, review, and verification guardrails. - [LLM Transpile](https://github.com/epicsagas/llm-transpile) - Auto-compress .md, .html, and .txt files via PostToolUse hook, cutting context usage by up to 40% with zero workflow change. 
@@ -237,6 +237,7 @@ Third-party plugins built by the community. [PRs welcome](#contributing)! - [KiCad Happy](https://github.com/aklofas/kicad-happy) - KiCad EDA skills for schematic analysis, PCB layout review, component sourcing, BOM management, and manufacturing preparation. - [Langfuse Observability](https://github.com/avivsinai/langfuse-mcp) - Query traces, debug exceptions, analyze sessions, and manage prompts via MCP tools. - [Launch Fast](https://github.com/BlockchainHB/launchfast_codex_plugin) - Official Launch Fast plugin adapter for rapid SaaS deployment. +- [Maestro: Costguard](https://github.com/mbanderas/costguard) - Cost auditor for Codex that flags CI/cron and cloud-spend waste via read-only provider checks, then previews and applies surgical CI workflow fixes locally without writing to provider accounts or pushing git. - [Mantis](./plugins/deonmenezes/mantishack) - Autonomous bug bounty hunter for authorized engagements — 7-phase FSM (RECON → AUTH → HUNT → CHAIN → VERIFY → GRADE → REPORT), parallel hunter sub-agents, cryptographic scope enforcement, and BLAKE3/Ed25519 Merkle event logs. - [Mobazha](https://github.com/mobazha/mobazha-skills) - Decentralized e-commerce skills — deploy self-hosted stores, import products from Shopify/Amazon, configure custom domains and Telegram bots, set up Tor privacy, and manage your store via MCP. - [MorningAI](https://github.com/octo-patch/MorningAI) - AI news tracking skill that monitors 80+ entities across 6 sources (Reddit, HN, GitHub, Hugging Face, arXiv, X) and generates scored daily reports with infographics and message digests. 
@@ -249,8 +250,8 @@ Third-party plugins built by the community. [PRs welcome](#contributing)! - [PDF Monster](https://github.com/jbaehova/pdf-monster) - Analyzes PDFs as extracted text, OCR text, rendered page images, and embedded figures for coding agents. - [prompt-to-asset](https://github.com/MohamedAbdallah-14/prompt-to-asset) - Route image-generation prompts to 30+ models (DALL-E, Stable Diffusion, Flux, Midjourney, and more) through a single MCP interface. Install: `npm install -g prompt-to-asset`. - [Remotion Plugin](https://github.com/tim-osterhus/codex-remotion-plugin) - Build parameterized Remotion videos in Codex with the official Remotion docs MCP, composition scaffolding, and a data-driven launch-video workflow. -- [ScrapeGraph AI](https://github.com/ScrapeGraphAI/just-scrape) - AI-powered web scraping CLI to search, scrape, extract structured JSON, crawl, and monitor web pages via the ScrapeGraph AI API. - [Rust Reverse Engineering](https://github.com/jingjing2222/rust-reverse-engineering-skill) - Reverse engineer Rust binaries and libraries: triage targets, demangle symbols, recover crate namespaces, and map panic, unwind, async, and FFI paths. +- [ScrapeGraph AI](https://github.com/ScrapeGraphAI/just-scrape) - AI-powered web scraping CLI to search, scrape, extract structured JSON, crawl, and monitor web pages via the ScrapeGraph AI API. - [sitemd](https://github.com/sitemd-cc/sitemd) - Build websites from Markdown via MCP — 22 tools for creating pages, generating content, validating, running SEO audits, configuring settings, and deploying static sites to Cloudflare Pages. - [Synta MCP](https://github.com/Synta-ai/n8n-mcp-codex-plugin-synta) - Build, edit, validate, and self-heal n8n workflows with Synta MCP tools and Codex-ready workflow guidance. 
- [Task Scheduler](https://github.com/6Delta9/task-scheduler-codex-plugin) - OpenAI Codex plugin and local MCP server for turning task lists into realistic schedules with blocked dates, capacity overrides, overflow tracking, and markdown planning output. diff --git a/plugins.json b/plugins.json index d2d1f21e..8eb3a089 100644 --- a/plugins.json +++ b/plugins.json @@ -889,6 +889,16 @@ "source": "awesome-codex-plugins", "install_url": "https://raw.githubusercontent.com/BlockchainHB/launchfast_codex_plugin/HEAD/plugins/launchfast/.codex-plugin/plugin.json" }, + { + "name": "Maestro: Costguard", + "url": "https://github.com/mbanderas/costguard", + "owner": "mbanderas", + "repo": "costguard", + "description": "Cost auditor for Codex that flags CI/cron and cloud-spend waste via read-only provider checks, then previews and applies surgical CI workflow fixes locally without writing to provider accounts or pushing git.", + "category": "Tools & Integrations", + "source": "awesome-codex-plugins", + "install_url": "https://raw.githubusercontent.com/mbanderas/costguard/HEAD/.codex-plugin/plugin.json" + }, { "name": "Mobazha", "url": "https://github.com/mobazha/mobazha-skills", diff --git a/plugins/mbanderas/costguard/.codex-plugin/plugin.json b/plugins/mbanderas/costguard/.codex-plugin/plugin.json new file mode 100644 index 00000000..4693ce72 --- /dev/null +++ b/plugins/mbanderas/costguard/.codex-plugin/plugin.json 
@@ -0,0 +1,30 @@ +{ + "name": "costguard", + "version": "0.1.0", + "description": "Costguard cost auditor for Codex: read-only cloud + CI spend checks, dry-run-first CI auto-fixes, and a monthly digest, driven by a bundled skill.", + "author": { + "name": "Mark Laursen", + "url": "https://github.com/mbanderas" + }, + "homepage": "https://github.com/mbanderas/costguard#readme", + "repository": "https://github.com/mbanderas/costguard", + "license": "MIT", + "keywords": ["cost-optimization", "ci-minutes", "cron", "cloud-spend", "finops", "audit", "codex"], + "skills": "./skills/", + "interface": { + "displayName": "Maestro: Costguard", + "shortDescription": "Find and quantify CI/cron and cloud-spend waste", + "composerIcon": "./assets/icon.png", + "longDescription": "Install Costguard in Codex as a plugin: a bundled skill drives the read-only cost auditor — CI/cron waste rules, GitHub/Supabase/Railway/Netlify/Neon billing checks, dry-run-first CI auto-fixes, and a monthly cost digest. Never writes to provider accounts, never pushes git, never prints secrets.", + "developerName": "Mark Laursen", + "category": "Productivity", + "capabilities": ["Interactive", "Write"], + "websiteURL": "https://github.com/mbanderas/costguard", + "brandColor": "#2E9E6B", + "defaultPrompt": [ + "Audit web-app for CI and cron waste.", + "Preview costguard's CI fixes for web-app.", + "Show costguard provider billing checks for all workspaces." + ] + } +} diff --git a/plugins/mbanderas/costguard/.codexignore b/plugins/mbanderas/costguard/.codexignore new file mode 100644 index 00000000..26a5cb36 --- /dev/null +++ b/plugins/mbanderas/costguard/.codexignore 
@@ -0,0 +1,22 @@ +# Files excluded from the Codex plugin bundle. +# The plugin ships the prebuilt dist/, the costguard skill, the manifest, +# and the icon — development and test sources are not needed at runtime. + +node_modules/ +src/ +tests/ +coverage/ +docs/ + +# Tooling / CI config +.github/ +.githooks/ +.actrc +eslint.config.* +tsconfig*.json +vitest.config.* + +# Misc +*.log +*.tsbuildinfo +.DS_Store diff --git a/plugins/mbanderas/costguard/README.md b/plugins/mbanderas/costguard/README.md new file mode 100644 index 00000000..9a299120 --- /dev/null +++ b/plugins/mbanderas/costguard/README.md 
@@ -0,0 +1,36 @@ +# Maestro: Costguard + +Cost auditor for Codex that flags CI/cron and cloud-spend waste via read-only +provider checks, then previews and applies surgical CI workflow fixes locally — +without writing to provider accounts or pushing git. + +- **Static half (zero credentials):** reads `.github/workflows/*.yml` and app code + to flag redundant CI triggers, missing `timeout-minutes`, missing concurrency + cancellation, `paths-ignore` gaps, and over-scheduled crons. +- **Billing half (read-only, opt-in):** when a provider token is present, + reconciles live billed resources against a declared allowlist and flags + orphaned / over-provisioned resources across GitHub, Vercel, Supabase, Railway, + Netlify, Neon, Cloudflare, Fly, Render, Sentry, Upstash, MongoDB Atlas, Datadog. +- **Fixes:** `fix` edits only `.github/workflows/*` files, dry-run by default, + applied locally with `--apply`. Never writes to provider accounts, never pushes. + +Part of the **Maestro** collection of agent tooling. + +- Source & docs: https://github.com/mbanderas/costguard +- npm: `@costguard/costguard-mcp` + +## Install (Codex) + +```sh +codex plugin marketplace add mbanderas/costguard +codex plugin add costguard@costguard +``` + +Or run the CLI / MCP server directly with no checkout: + +```sh +npx -y -p @costguard/costguard-mcp costguard audit +npx -y @costguard/costguard-mcp # MCP server +``` + +License: MIT diff --git a/plugins/mbanderas/costguard/assets/icon.png b/plugins/mbanderas/costguard/assets/icon.png new file mode 100644 index 00000000..49b130c9 Binary files /dev/null and b/plugins/mbanderas/costguard/assets/icon.png differ diff --git a/plugins/mbanderas/costguard/skills/costguard/SKILL.md b/plugins/mbanderas/costguard/skills/costguard/SKILL.md new file mode 100644 index 00000000..4cae6c1e --- /dev/null +++ b/plugins/mbanderas/costguard/skills/costguard/SKILL.md 
@@ -0,0 +1,221 @@ +--- +name: costguard +description: Find and quantify CI/cron and cloud-spend waste. Audit repos, run read-only provider billing checks, preview or apply CI auto-fixes, and render a monthly cost digest. +license: MIT +--- + +Drive **Costguard** — a read-only cost auditor for CI minutes, cron schedules, +and cloud provider billing (GitHub Actions, Vercel, Supabase, Railway, Netlify, Neon, Cloudflare, and more). +It finds waste, estimates the monthly dollar cost, and can surgically auto-fix +CI workflow files. It never writes to provider accounts, never pushes git, and +never prints tokens. + +Map the user's request to one Costguard CLI call and run it from the repo root. + +## Command launcher + +Costguard reads a `workspaces.json` registry from the **current working +directory**, so run it from a project that has one (or run `registry init` +first). Pick the launcher that matches your context; below, `costguard +` means whichever you use. + +### If installed via plugin + +When this skill is loaded from the Costguard plugin, run the bundled build — it +ships a prebuilt `dist/cli/index.js`, so no build step is needed. Locate the +plugin root (the dir containing `dist/cli/index.js`): + +- **Claude Code** — it is `${CLAUDE_PLUGIN_ROOT}`: + + ```bash + node "${CLAUDE_PLUGIN_ROOT}/dist/cli/index.js" ... + ``` + +- **Codex** — walk up from this `SKILL.md` to the dir holding + `.codex-plugin/plugin.json`: + + ```bash + node "/dist/cli/index.js" ... + ``` + +### If using npx (no plugin) + +No checkout and no build — run the published CLI directly: + +```bash +npx -y -p @costguard/costguard-mcp costguard ... +``` + +Or, if `costguard` is on `PATH` (`npm i -g @costguard/costguard-mcp`), use it +directly: `costguard ...`. Heads-up: `npx -y @costguard/costguard-mcp` +(no `-p`, no subcommand) starts the MCP **server**, whereas `npx -y -p +@costguard/costguard-mcp costguard ` runs the **CLI**. + +## 1. 
Audit for waste (the main action) + +```bash +costguard audit # named workspaces +costguard audit --all # every registered workspace +costguard audit --providers all # + read-only cloud billing checks +costguard audit --ci-only # static CI checks only +costguard audit --crons-only # cron checks only +costguard audit --site # + read-only live-site checks (site URL from registry) +costguard audit --substitutions # + cross-tool cheaper-alternative suggestions +costguard audit --json # JSON instead of Markdown +``` + +Prints a report: each finding has a severity, an estimated monthly USD cost, a +detail, and a fix suggestion. Report stdout verbatim. + +## 2. Scan / registry / report + +```bash +costguard scan # discover CI + cron files under the registry root +costguard registry list # show registered workspaces +costguard registry init # create a workspaces.json in the cwd +costguard report # re-render the last saved audit run +``` + +## 3. Auto-fix CI files (dry-run first) + +```bash +costguard fix # dry-run: print a unified-diff preview, write nothing +costguard fix --apply # write the surgical edits to disk (idempotent) +costguard fix --pr # also emit local PR artifacts (no push) +``` + +Default is dry-run. Only deterministic ADD-rule fixers run (timeout, +concurrency, paths-ignore). Costguard never pushes; `--open-pr` is gated and +refuses without an explicit token. + +## 4. Monthly cost digest + +```bash +costguard digest # render the digest from the last run (dry-run) +costguard digest --post # delivery adapter (inert unless configured) +``` + +## 5. Auto-discover providers + +Detect which providers a repo uses — from config files, `package.json` deps, and +env-var **names** (never values, never secrets). Covers all 13 wired providers +plus inngest. + +```bash +costguard discover [dir] # list detected providers + evidence (default dir: .) +costguard discover . --json # JSON: { dir, providers, detections } +costguard discover . 
--write # union-merge detected providers into ./workspaces.json (non-destructive) +``` + +## 6. Live-site cost checks + +Read-only, GET-only checks on a live URL (no browser, no form submit, no auth +replay). Flags transfer weight, oversized images, missing compression, weak cache +headers, and render-blocking scripts. The `$/mo` headline is the single +`site/transfer-weight` line — sourced when the host bills transfer (Vercel/Netlify), +or an explicit `$0` performance note (Cloudflare Pages static / unknown host). +Per-asset findings (`oversized-image`, `missing-compression`) put their dollar share +in `detail` and carry `estMonthlyUsd: 0` (no double-count); a `$0` performance-only +page never raises a `high` finding, so it never fails CI on cost alone. + +```bash +costguard site # Markdown report +costguard site --json # JSON findings +``` + +`audit --site` runs the same checks for any workspace whose `workspaces.json` +entry has a `site` URL. `audit --substitutions` adds cross-tool +`/cheaper-alternative` suggestions (e.g. a static Vercel/Netlify Pro +site → Cloudflare Pages), each with a sourced saving, migration effort, and +lock-in caveat. + +## Provider billing checks + +`--providers ` adds read-only billing checks for the providers listed +on each workspace in `workspaces.json`. Tokens are read from the environment / +`.env` only. A provider whose token env var is absent is **skipped**, not +failed. Supported: `github`, `supabase`, `railway`, `netlify`, `neon`, `vercel`, +`sentry`, `upstash`, `atlas`, `cloudflare`, `fly`, `render`, `datadog` (+ inngest +detection). + +## 7. MCP tools (for AI coding agents) + +Costguard also ships a bundled **MCP server** that exposes the same engine over a +host-agnostic tool surface (Claude Code, Codex, any MCP host). It wraps the same +read-only engine functions — no new behavior, same posture. 
In Claude Code it is +declared by `.claude-plugin/.mcp.json` and launched from the bundled build: + +```json +{ "mcpServers": { "costguard": { "command": "node", + "args": ["${CLAUDE_PLUGIN_ROOT}/dist/mcp/server.js"] } } } +``` + +In the plugin, the server runs from the committed `dist/mcp/server.js` — no +install step. + +### Codex MCP config + +For **Codex**, add one of these to `~/.codex/config.toml`. Use npx for a +no-checkout install (pulls the published package), or the bundled build if you +run Codex from the plugin: + +```toml +# npx — no checkout +[mcp_servers.costguard] +command = "npx" +args = ["-y", "@costguard/costguard-mcp"] +``` + +```toml +# bundled plugin build +[mcp_servers.costguard] +command = "node" +args = ["/dist/mcp/server.js"] +``` + +Tools: + +| Tool | Posture | +|---|---| +| `audit_workspace` | read-only; returns a Findings envelope (`includeSite` adds site checks) | +| `discover_providers` | read-only; env-var NAMES only, never values | +| `audit_site` | read-only, GET-only | +| `plan_fix` | dry-run; returns unified diffs only, writes nothing | +| `apply_fix` | writes local CI files; REFUSES unless `confirmApply:true`; never pushes git | +| `plan_live_checks` | plans a live billing read (see below); emits a snippet only with consent | +| `ingest_live_reading` | parses a returned billing figure into a Finding | + +## 8. Live billing checks (`--live`) — opt-in, consent-gated + +`--live` **extends** the read-only posture above: it adds **browser-driven reads +over your already-logged-in session**, performed by the **playwriter** MCP server +under the agent's orchestration. 
This is a genuine posture change and is treated +as one — **off by default, opt-in, and consent-gated.** costguard's own tools +still never drive a browser and never see credentials: `plan_live_checks` only +emits a **read-only** snippet (navigation + reading rendered billing figures — no +clicks, typing, form submits, credential replay, cookies, localStorage, +sessionStorage, or screenshots), and `ingest_live_reading` only parses the +returned figure. The browser action is performed by playwriter, authorized by you. + +**API-first / browser-fallback:** `plan_live_checks` is API-first when a provider +module exists and its API token resolves from the environment (a deterministic +env-NAME check, no network probe) — in that case prefer `audit_workspace`. Only +when there is no usable API token does it fall back to a browser playbook. + +**Three consent gates (all required):** (1) the host's MCP tool-call consent; +(2) costguard's own per-run confirmation — `plan_live_checks` returns a +`consentNotice` the agent MUST surface, and emits the actionable snippet only when +called with `confirmLive:true`; (3) playwriter's own consent before it executes. + +**Graceful degrade:** if playwriter is not connected, the agent cannot run the +snippet; `ingest_live_reading` returns a `kind:"diagnostic"` Finding (excluded +from cost totals) and the audit never blocks. + +## Notes + +- All provider calls are read-only (GET / read-only GraphQL). No POST/PUT/PATCH/ + DELETE to provider accounts. +- Estimated dollar costs are best-effort and depend on plan/tier; treat them as + directional, not invoices. +- Requires `node` on `PATH`. The bare `costguard` command is optional when the + skill runs from the plugin — use the plugin-root `node` launcher above.
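Review bot: in the marketplace.json hunk the new entry sets `"authentication": "ON_INSTALL"`, but nothing in this PR says what credential that install-time prompt collects. The vendored README and SKILL.md say provider tokens are read from the environment or `.env` at run time and that a provider whose token is absent is skipped, not failed, so an install-time credential has no documented consumer. Either state which token the marketplace prompts for and where the plugin picks it up, or change the policy so an installer is not asked to hand over a provider token that the tool itself says it never needs up front.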
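Review bot: the `install_url` in the plugins.json hunk points at `https://raw.githubusercontent.com/mbanderas/costguard/HEAD/.codex-plugin/plugin.json`, a moving ref, so what gets installed can change after this review with no change to this file. The neighbouring launchfast entry uses the same pattern, so this follows repo convention, but for a plugin that reads provider tokens and rewrites CI workflow files it is worth pinning to a release tag or commit matching the `0.1.0` declared in the vendored plugin.json. Note too that marketplace.json installs from `"source": "local"` (`./plugins/mbanderas/costguard`) while plugins.json installs from upstream HEAD; the two copies can drift, and the reviewed copy is the local one.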
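Review bot: `"category": "Productivity"` in the plugin.json hunk disagrees with `"category": "Tools & Integrations"` in the marketplace.json and plugins.json entries for the same plugin; pick one. Separately, `"capabilities": ["Interactive", "Write"]` is correct given `fix --apply` / `apply_fix` write local workflow files, but the `longDescription` only lists what the tool never writes (provider accounts, git, secrets). One clause such as "writes only `.github/workflows/*` in the local checkout, and only with `--apply`" would tell an installer what the Write capability is actually used for, which matters more than the list of negatives.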
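Review bot: the header comment in the .codexignore hunk says the bundle ships the prebuilt `dist/`, but this PR adds no `dist/` under `plugins/mbanderas/costguard/` (only plugin.json, .codexignore, README.md, icon.png and SKILL.md), so the `node .../dist/cli/index.js` and `dist/mcp/server.js` launchers that SKILL.md points at do not exist in the vendored tree. Either commit `dist/` or make the npx launcher the documented path for the marketplace install. Two further points on the ignore list: `src/` is excluded while `dist/` is meant to ship, so an installer cannot diff the bundled JavaScript against its source, and `.env` is not ignored even though the plugin README says tokens are read from `.env`, so a maintainer's local `.env` would be packed into the bundle if present. Add `.env*` to the list.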
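Review bot: `npx -y -p @costguard/costguard-mcp costguard audit` in the plugin README hunk runs whatever the registry's latest `@costguard/costguard-mcp` is, with `-y` suppressing the install prompt, for a tool that reads provider tokens from the environment; pin a version in both npx lines (`@costguard/costguard-mcp@0.1.0` if the npm release tracks the `0.1.0` in plugin.json). Also, `codex plugin marketplace add mbanderas/costguard` installs from the upstream repository, not from the `./plugins/mbanderas/costguard` copy this PR vendors; say which of the two the README is describing so a reader knows which code they end up running.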
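Review bot: section 3 of the SKILL.md hunk says Costguard "never pushes", yet `--open-pr` is described as "gated and refuses without an explicit token", which implies a code path that does push when a token is supplied. Either drop `--open-pr` from the skill or state plainly that with a token it creates a remote PR; otherwise an agent will present the tool as push-free while holding a path that pushes. Two smaller points: as rendered here several placeholders are empty (`node "/dist/cli/index.js"`, `args = ["/dist/mcp/server.js"]`, `--providers `, `/cheaper-alternative`, `npx -y -p @costguard/costguard-mcp costguard `), and if the plugin-root style tokens were stripped, an agent following the bundled-launch instructions literally would run an absolute `/dist/...` path; and since `.env` is named as a token source, add a line telling the agent not to print or echo that file, because "never prints tokens" is a property of the CLI, not of the agent driving it.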