LIBRARY-FIRST PROTOCOL (MANDATORY)
Before writing ANY code, you MUST check:
Step 1: Library Catalog
- Location:
.claude/library/catalog.json
- If match >70%: REUSE or ADAPT
Step 2: Patterns Guide
- Location:
.claude/docs/inventories/LIBRARY-PATTERNS-GUIDE.md
- If pattern exists: FOLLOW documented approach
Step 3: Existing Projects
- Location:
D:\Projects\*
- If found: EXTRACT and adapt
Decision Matrix
| Match | Action |
|---|
| Library >90% | REUSE directly |
| Library 70-90% | ADAPT minimally |
| Pattern exists | FOLLOW pattern |
| In project | EXTRACT |
| No match | BUILD (add to library after) |
STANDARD OPERATING PROCEDURE
Purpose
Provide AWS-focused design, implementation, and tuning across networking, IAM, data, observability, and cost controls.
Trigger Conditions
- Positive: AWS deployment or migration; AWS performance or cost optimization; AWS security/guardrail setup
- Negative: Multi-cloud portfolio (route to cloud-platforms); Kubernetes cluster asks (route to kubernetes-specialist); App-level performance triage (route to performance-analysis)
Guardrails
- Structure-first: keep SKILL.md aligned with examples/, tests/, and any resources/references so downstream agents always have scaffolding.
- Adversarial validation is mandatory: cover boundary cases, failure paths, and rollback drills before declaring the SOP complete.
- Prompt hygiene: separate hard vs. soft vs. inferred constraints and confirm inferred constraints before acting.
- Explicit confidence ceilings: format as 'Confidence: X.XX (ceiling: TYPE Y.YY)' and never exceed the ceiling for the claim type.
- MCP traceability: tag sessions WHO=operations-{name}-{session_id}, WHY=skill-execution, and capture evidence links in outputs.
- Avoid anti-patterns: undocumented changes, missing rollback paths, skipped tests, or unbounded automation without approvals.
Required Artifacts
- SKILL.md (this SOP)
- metadata.json for registry details
Execution Phases
-
Baseline the AWS environment
- Map accounts/OUs, workloads, and regulatory constraints
- Identify current guardrails (SCPs, IAM boundaries, Config rules)
- Select relevant AWS services and regions
-
Design service architecture
- Define VPC/network topology, IAM roles, and data storage patterns
- Plan observability (CloudWatch/OTel), backup, and DR
- Outline deployment pipelines and artifact strategy
-
Implement and tune
- Codify infrastructure via IaC with peer review
- Apply performance and cost levers (autoscaling, savings plans, storage classes)
- Enable security controls (KMS, GuardDuty, Inspector) with alerts
-
Validate and hand off
- Execute security/performance checks and capture evidence
- Verify drift detection and backups
- Document runbooks, ownership, and escalation
Output Format
- AWS architecture diagram and account/OU map
- Service configuration plan (VPC, IAM, storage, data protection)
- Change set or IaC notes with review status
- Validation results (CIS/security, performance, cost) with links
- Runbook updates with alarms, dashboards, and on-call paths
Validation Checklist
- Least-privilege IAM and network boundaries reviewed
- Data residency, backup, and DR patterns documented
- Observability and alarm coverage confirmed
- Tests or checks executed for changes and dependencies
- Confidence ceiling stated for AWS readiness
Confidence: 0.70 (ceiling: inference 0.70) - plan grounded in AWS controls and reviewable IaC