This agent should be used when a skill needs to generate a phased infrastructure implementation plan from a change specification. It reasons about provisioning dependencies, blast radius classification, rollback checkpoint placement, environment promotion strategy, cost budgeting per phase, and parallel execution opportunities. It produces plans structured in infrastructure terms, not application development terms. <example> Context: Invoked by arn-infra-change-plan to generate an initial plan from a change spec user: "plan infra change migrate-database-managed" assistant: (invokes arn-infra-change-planner with the INFRA_CHANGE spec, provider config, and environment config) </example> <example> Context: Invoked by arn-infra-change-plan to revise a plan based on user feedback user: "combine phases 2 and 3, and add a rollback checkpoint before the DNS cutover" assistant: (resumes or re-invokes arn-infra-change-planner with user feedback and the current plan) </example> <example> Context: Invoked by arn-infra-change-plan to plan infrastructure teardown or cleanup user: "plan infra change decommission-legacy-api" assistant: (invokes arn-infra-change-planner with the INFRA_CHANGE spec for resource destruction, dependency-reverse ordering, and data backup checkpoints) </example>

This agent should be used when the arn-infra-review-change skill or arn-infra-execute-change skill needs a structured quality review of completed infrastructure changes. It evaluates security posture, cost compliance, blast radius adherence, rollback documentation, environment parity, state consistency, and resource tagging. <example> Context: Post-execution review of a completed multi-phase infrastructure change user: "review infra change" assistant: (invokes arn-infra-change-reviewer with all phase reports, spec, and plan) </example> <example> Context: Mid-execution phase review gate during arn-infra-execute-change user: (automatic invocation after phase deployment and verification) assistant: (invokes arn-infra-change-reviewer with single phase report for gate check) </example> <example> Context: User wants to re-review a previously completed infrastructure change user: "re-review infra change for the migration project" assistant: (invokes arn-infra-change-reviewer with existing reports for fresh review) </example>

This agent should be used when infrastructure changes need cost estimation before deployment, when the user wants to understand the cost impact of their current or planned infrastructure, or when spend thresholds need enforcement. It integrates with Infracost when available and provides usage-based pricing estimates with clear caveats. <example> Context: Invoked by arn-infra-deploy before Level 3+ deployment operations user: "deploy to staging" assistant: (invokes arn-infra-cost-analyst to estimate cost impact before proceeding) </example> <example> Context: User asks for a cost estimate of their current infrastructure plan user: "how much will this infrastructure cost per month?" assistant: (invokes arn-infra-cost-analyst with the IaC files and provider context) </example> <example> Context: Invoked during infrastructure assessment to estimate total deployment cost user: "assess my app's infrastructure needs" assistant: (invokes arn-infra-cost-analyst with the proposed resource list) </example>

This agent should be used when the arn-infra-report skill needs diagnostic investigation of an Arness Infra workflow issue. Analyzes infrastructure configuration, directory structure, and skill behavior against expected patterns documented in the infra knowledge base. Reports only Infra-specific issues — never reads or reports user project code or business logic. <example> Context: Invoked by arn-infra-report skill during investigation phase user: "infra report" assistant: (invokes arn-infra-doctor with user description + config context) </example> <example> Context: User reports deployment failure user: "deployment to staging keeps failing with permission denied" assistant: (invokes arn-infra-doctor to check cloud CLI auth, IAM, provider config, deploy artifacts) </example> <example> Context: User reports containerization issue user: "arn-infra-containerize generated a Dockerfile that ignores my multi-stage setup" assistant: (invokes arn-infra-doctor to check Project topology, Application path, Dockerfile patterns reference) </example> <example> Context: User reports execute-change phase failure user: "execute-change failed on phase 2 and didn't create a rollback checkpoint" assistant: (invokes arn-infra-doctor to check PROGRESS_TRACKER.json, phase reports, rollback artifacts, plan structure) </example>

This agent should be used when CI/CD pipeline configurations need to be generated or extended for infrastructure deployment. It produces GitHub Actions workflows, GitLab CI configs, and other pipeline definitions. It detects existing CI/CD setups and extends them rather than replacing them. <example> Context: Invoked by arn-infra-pipeline to generate CI/CD pipeline configs user: "set up deployment pipelines" assistant: (invokes arn-infra-pipeline-builder with provider context, environment config, and existing CI detection) </example> <example> Context: User asks to add infrastructure deployment to their existing CI/CD user: "add terraform plan and apply steps to my GitHub Actions workflow" assistant: (invokes arn-infra-pipeline-builder with existing workflow files and IaC context) </example> <example> Context: Invoked to generate environment-specific pipeline stages user: "create a staging deployment pipeline" assistant: (invokes arn-infra-pipeline-builder with environment config and deployment strategy) </example>

This agent should be used when the arn-infra-refresh skill needs to research online for the latest versions of infrastructure tools, MCP servers, CLI tools, base images, and patterns. It compares against current reference file content and produces a structured update report. <example> Context: Invoked by arn-infra-refresh during Step 3 to check for MCP registry updates user: "refresh registries" assistant: (invokes arn-infra-reference-researcher with current mcp-registry.md content and registry research strategy) </example> <example> Context: Invoked by arn-infra-refresh to check for IaC pattern updates user: "update infra patterns" assistant: (invokes arn-infra-reference-researcher with current opentofu-patterns.md content and IaC research strategy) </example> <example> Context: Invoked by arn-infra-refresh to check a single file for updates user: "refresh dockerfile-patterns.md" assistant: (invokes arn-infra-reference-researcher with current dockerfile-patterns.md content and container research strategy) </example>

This agent should be used when an infrastructure request issue needs analysis to determine what cloud resources, configuration changes, and infrastructure work are required. It navigates to the application project, reads Arness Core artifacts (feature specs, plans, codebase patterns, source code), and produces a structured infrastructure implications brief. It serves as the bridge between application features and infrastructure changes. Receives the user's infrastructure experience level (expert/intermediate/beginner), derived from their user profile using the experience derivation mapping. The calling skill is responsible for reading the profile and performing the derivation — the agent receives the derived value as input. <example> Context: Invoked by arn-infra-triage to analyze an incoming infrastructure request issue user: "triage infra request #42" assistant: (invokes arn-infra-request-analyzer with the parsed issue context and application path) </example> <example> Context: User asks to assess infrastructure implications of a specific feature user: "what infrastructure does the user authentication feature need?" assistant: (invokes arn-infra-request-analyzer with the feature spec path and application context) </example> <example> Context: Invoked by arn-infra-assess for a full application infrastructure analysis user: "assess my app's infrastructure needs" assistant: (invokes arn-infra-request-analyzer with the full application context for comprehensive analysis) </example>

This agent should be used when generated infrastructure code, container configurations, or cloud resource definitions need security review. It scans for misconfigurations, secrets exposure, OWASP cloud security risks, overly permissive IAM policies, and network exposure issues. It integrates with Checkov, Trivy, TruffleHog, and Gitleaks when available. <example> Context: Invoked by arn-infra-define after generating IaC modules user: "define infrastructure" assistant: (invokes arn-infra-security-auditor to scan the generated OpenTofu modules) </example> <example> Context: Invoked by arn-infra-secrets to audit secrets configuration user: "audit my secrets setup" assistant: (invokes arn-infra-security-auditor to review secrets management patterns) </example> <example> Context: User asks directly for a security review of their infrastructure code user: "review my Terraform files for security issues" assistant: (invokes arn-infra-security-auditor with the IaC file paths) </example>

This agent should be used when a skill needs to generate infrastructure-as-code configurations, Dockerfiles, deployment scripts, or cloud resource definitions for any provider. It adapts to the user's chosen IaC tool and cloud provider(s) by reading the tooling manifest and provider configuration from the project's Arness Infra config. It is the primary workhorse agent for all infrastructure generation tasks. <example> Context: Invoked by arn-infra-define to generate IaC for a project user: "define infrastructure" assistant: (invokes arn-infra-specialist with application context, provider config, and tooling manifest) </example> <example> Context: Invoked by arn-infra-containerize to generate Docker configurations user: "containerize my app" assistant: (invokes arn-infra-specialist with codebase patterns and container requirements) </example> <example> Context: User asks directly how to deploy their application to a specific provider user: "how should I deploy this app to AWS?" assistant: (invokes arn-infra-specialist with application context and provider details) </example>

This agent should be used when a deployment needs post-deployment verification to confirm that infrastructure is healthy, endpoints are reachable, DNS resolves correctly, SSL certificates are valid, and resource state matches the expected topology. It recommends rollback when verification checks fail. <example> Context: Invoked by arn-infra-verify after a deployment to staging user: "verify staging deployment" assistant: (invokes arn-infra-verifier with expected resource state and endpoint list) </example> <example> Context: User wants to check if their deployed infrastructure is healthy user: "check the health of my deployment" assistant: (invokes arn-infra-verifier with the active resources manifest and endpoint URLs) </example> <example> Context: Invoked after a production promotion to confirm the promotion succeeded user: "verify production" assistant: (invokes arn-infra-verifier with production endpoints and expected state) </example>

This skill should be used when the user says "assess infrastructure", "infra assess", "arn infra assess", "infrastructure assessment", "analyze infrastructure needs", "what infrastructure do I need", "infrastructure audit", "app infrastructure assessment", "full infra assessment", "infrastructure review", "assess my app", "un-defer infrastructure", "infra backlog", or wants a comprehensive analysis of their application's infrastructure needs, including processing deferred infrastructure backlogs, to produce a prioritized infrastructure backlog published as issues.

This skill should be used when the user says "plan infra change", "arn-infra-change-plan", "infra change plan", "plan this infrastructure change", "create infra plan", "arn infra plan", "plan the infra spec", "infrastructure implementation plan", "infra plan from spec", "generate infra plan", "plan infrastructure", or wants to generate a phased implementation plan from an infrastructure change specification, structured by provisioning order, blast radius, rollback checkpoints, and environment promotion gates.

This skill should be used when the user says "infra change spec", "infrastructure change", "specify infrastructure change", "change spec", "arn infra spec", "describe infra change", "what infrastructure needs to change", "infra spec", "spec this infra change", "write infra spec", "infrastructure change specification", "create infra change spec", "upgrade to pipeline", "convert to pipeline", or wants to iteratively develop an infrastructure change idea into a well-formed specification through guided conversation, or wants to upgrade existing interactive IaC artifacts into the structured change pipeline.

This skill should be used when the user says "cleanup", "infra cleanup", "arn infra cleanup", "clean up resources", "destroy expired resources", "check ttl", "check expired", "ttl cleanup", "remove old deployments", "destroy dev environment", "tear down", "teardown infra", "destroy resources", "cleanup ephemeral", "check for expired resources", "clean up infra", "resource cleanup", "destroy old resources", "prune resources", "delete expired deployments", "decommission", or wants to check for and destroy expired ephemeral infrastructure resources. This skill also supports periodic monitoring via `/loop 6h /arn-infra-cleanup` for session-duration TTL enforcement.

This skill should be used when the user says "containerize", "dockerize", "create dockerfile", "docker setup", "container setup", "arn infra containerize", "infra containerize", "generate docker", "docker compose", "compose setup", "containerize my app", "docker configuration", "create docker-compose", "multi-stage docker", "container config", "dockerize my application", "infra docker", "set up containers", or wants to generate Dockerfiles, docker-compose configurations, and .dockerignore files for their application with security auditing and multi-stage build best practices.

This skill should be used when the user says "define infrastructure", "generate IaC", "infra define", "arn infra define", "generate terraform", "generate opentofu", "generate pulumi", "generate cdk", "generate bicep", "create kubernetes manifests", "provision cloud resources", "create IaC", "infrastructure as code", or wants to generate infrastructure-as-code in their chosen IaC tool for configured cloud provider(s). It produces provider-specific infrastructure code, validates it through a multi-level validation ladder, and writes an infrastructure architecture spec.

This skill should be used when the user says "deploy", "deploy to staging", "deploy to production", "promote to production", "infra deploy", "arn infra deploy", "deploy infrastructure", "apply infrastructure", "push to prod", "go live", "tofu apply", "terraform apply", "pulumi up", "cdk deploy", "fly deploy", "deploy to railway", "release to prod", "promote environment", or wants to execute a deployment of their infrastructure to a target environment. This skill handles environment promotion, CI/CD enforcement, cost gates, safety layers, and resource tracking.

This skill should be used when the user says "discover tools", "infra discover", "arn infra discover", "arn-infra-discover", "audit tools", "check installed tools", "what tools do I have", "scan for MCPs", "check provider tools", "tool discovery", "discover infrastructure tools", "check my setup", "infra tooling", or wants to audit their installed infrastructure tools (MCPs, CLIs, Claude Code plugins), check authentication state, search for new official tools online, and produce a tooling manifest for the infrastructure workflow.

This skill should be used when the user says "document infra change", "infrastructure documentation", "generate runbook", "infra docs", "arn infra document", "create infra changelog", "document infrastructure", "generate infrastructure docs", "infra documentation", "create runbook", "generate changelog", "arn-infra-document-change", or wants to generate operational documentation (runbooks, architecture updates, changelogs, environment docs) from completed infrastructure changes.

This skill should be used when the user says "ensure config", "check arn infra config", "arn-infra-ensure-config", "verify arn infra setup", or wants to verify that Arness Infra configuration is present for the current project. This skill is primarily consumed as a reference by entry-point skills (arn-infra-wizard, arn-infra-assess) which read the ensure-config reference as Step 0 before proceeding with their workflow.

This skill should be used when the user says "manage environments", "arn infra env", "infra env", "environment setup", "configure environments", "set up staging", "set up production", "environment management", "create environment", "environment promotion", "promote to staging", "promote to production", "environment isolation", "configure dev staging prod", "environment-specific config", "tfvars per environment", "arn-infra-env", or wants to configure, create, or manage infrastructure environments (dev/staging/production) with isolation strategies, variable overrides, and promotion rules.

This skill should be used when the user says "execute infra change", "run infra plan", "apply infrastructure change", "execute change", "arn infra execute", "deploy infra plan", "execute infrastructure plan", "run infrastructure change", "apply infra plan", "infra execute", "arn-infra-execute-change", or wants to orchestrate the phased execution of a structured infrastructure change plan, invoking agents for IaC generation, security gates, cost gates, deployment, verification, and review.

This skill should be used when the user says "infra help", "arn infra help", "where am I in the pipeline", "what's next for infra", "infra status", "pipeline status", "infra pipeline", "arn-infra-help", "show infra pipeline", "what step am I on for infra", "infra workflow", "infrastructure status", "show infrastructure pipeline", or wants to see their current position in the Arness Infra workflow and get guidance on the next step. This skill detects whether the user is in Quick (interactive) mode or Full Pipeline mode and renders an ASCII diagram with the active stage marked.

Optional customization tool for infrastructure projects. This skill should be used when the user says "infra init", "arn infra init", "initialize infra", "setup infrastructure", "arn-infra-init", "configure infra", "init infra", "infrastructure setup", "set up infrastructure", "infra setup", "start infra", "configure arn infra", "add infrastructure to this project", "review infra config", "customize infra config", "infra settings", or wants to configure providers, environments, IaC tools, CI/CD platform, or review current infrastructure settings. Arness Infra auto-configures with sensible defaults on first skill invocation — this init is optional for basic usage but required for provider/environment configuration.

This skill should be used when the user says "migrate infrastructure", "arn infra migrate", "infra migrate", "move to AWS", "move to GCP", "move to Azure", "switch providers", "change cloud provider", "graduate from PaaS", "move from heroku", "move from fly.io", "consolidate providers", "infrastructure migration", "provider migration", "partial migration", "move database", "move services", "arn-infra-migrate", "infrastructure move", "cloud migration", or wants to migrate infrastructure between providers, graduate from PaaS to IaC, consolidate providers, or partially move specific services.

This skill should be used when the user says "set up monitoring", "arn infra monitor", "infra monitor", "configure monitoring", "set up observability", "add logging", "configure alerting", "set up alerts", "infrastructure monitoring", "add metrics", "set up cloudwatch", "configure grafana", "observability setup", "logging setup", "alerting setup", "health checks", "monitor infrastructure", "arn-infra-monitor", "set up cloud monitoring", "configure notifications", "prometheus", "datadog", "new relic", "sentry", or wants to set up logging, metrics collection, and alerting for their deployed infrastructure.

This skill should be used when the user says "infra pipeline", "arn infra pipeline", "create CI/CD pipeline", "set up deployment pipeline", "generate pipeline", "infra CI/CD", "deployment pipeline", "setup cicd", "generate github actions", "generate gitlab ci", "generate bitbucket pipeline", "infrastructure pipeline", "pipeline setup", "create deployment workflow", "cicd for infrastructure", "infra deployment pipeline", "set up infrastructure CI/CD", "arn-infra-pipeline", or wants to generate infrastructure-specific CI/CD pipelines with SOC 2 alignment, OIDC authentication, and environment-aware deployment stages.

This skill should be used when the user says "refresh infra references", "update tool versions", "check for new MCPs", "update infra patterns", "refresh registries", "arn infra refresh", "infra refresh", "update references", "check for updates", "refresh infrastructure tools", "update MCP servers", "refresh CLI versions", "update base images", "arn-infra-refresh", or wants to update the version-sensitive infrastructure reference files (tool versions, MCP packages, CLI commands, base image tags, IaC patterns) using online research.

This skill should be used when the user says "infra report", "report infra issue", "infra broke", "arn-infra-report", "infrastructure issue", "report deployment problem", "report infrastructure problem", "diagnose infra", "infra doctor", or wants to report a problem with an Arness Infra workflow skill. Invokes the arn-infra-doctor agent to diagnose the issue, then files a GitHub issue on the Arness plugin repository. Do NOT use this for filing issues on the user's own project — use /arn-code-create-issue for that.

This skill should be used when the user says "review infra change", "infrastructure review", "review infrastructure", "infra quality review", "arn infra review", "check infra change", "review infrastructure change", "infra change review", "quality check infrastructure", "arn-infra-review-change", "post-deployment review", or wants to perform a comprehensive post-execution quality review of completed infrastructure changes, producing a structured review report with a PASS/WARN/NEEDS_FIXES verdict.

This skill should be used when the user says "save infra plan", "save infrastructure plan", "structure infra plan", "create infra project", "finalize infra plan", "arn infra save plan", "infra save plan", "save change plan", "structure infrastructure plan", "finalize infrastructure plan", "arn-infra-save-plan", or wants to convert a PLAN_PREVIEW_INFRA_*.md into a structured project directory with infrastructure-specific templates, report templates, and progress tracking.

This skill should be used when the user says "manage secrets", "arn infra secrets", "infra secrets", "secrets management", "set up secrets", "configure secrets", "audit secrets", "secrets audit", "rotate secrets", "secret storage", "vault setup", "key management", "credential management", "secrets scan", "check for exposed secrets", "secrets provider", "arn-infra-secrets", "set up secret manager", "configure secret injection", "environment variables", "env vars", "secure env vars", or wants to set up, configure, audit, or manage secrets and credential storage for their infrastructure deployment.

This skill should be used when the user says "triage infra request", "infra triage", "arn infra triage", "process infra issue", "handle infra request", "infrastructure request", "triage infrastructure", "analyze infra issue", "infra request analysis", "process infrastructure request", or wants to process an incoming infrastructure request issue created by Arness Core or manually, analyze its infrastructure implications, and produce a structured implications brief.

This skill should be used when the user says "verify deployment", "verify infra", "check deployment", "arn infra verify", "infra verify", "health check", "check health", "verify staging", "verify production", "is my deployment healthy", "check if deployment worked", "run health checks", "deployment verification", "check infrastructure", "validate deployment", "verify environment", "post-deployment check", "infra health", "check dns", "check ssl", "verify endpoints", "smoke test", "integration test", or wants to validate that a deployed environment is healthy and its resources match the expected state. This skill runs health checks, DNS verification, SSL validation, resource state comparison, and updates issue labels and environments.md with verification results.

This skill should be used when the user says "infra wizard", "arn infra wizard", "guided infra", "walk me through infrastructure", "infrastructure pipeline", "full infra pipeline", "infra flow", "run the infra pipeline", "guide me through infrastructure", "infra guided mode", "infrastructure wizard", "end to end infrastructure", "deploy everything", "set up my infrastructure", "infra start to finish", "arn infra guided", "run infra wizard", "set up everything", "complete infra setup", or wants to be walked through the entire Arness infrastructure pipeline in a single continuous session with guided decision gates instead of invoking each skill manually.