Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From vanguard-frontier-agentic
Classify user tasks and route to the right Azure specialist agent or team. For multi-domain tasks, dispatches a parallel team (max 4). Never auto-dispatches live-guard agents without human confirmation.
npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agenticHow this skill is triggered — by the user, by Claude, or both
Slash command
/vanguard-frontier-agentic:azure-maestroThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Azure Maestro is a per-cloud routing layer, modelled on the principle behind Kiro's Auto model: automatically select the best-quality, narrowest-scope specialist (or specialist team) for the task at hand — so the user does not have to know the catalog.
Provides expert guidance on Azure production workloads including Entra ID/RBAC, VNets, AKS, Container Apps, App Service, Functions, SQL/Cosmos DB, storage, networking, security, monitoring, and cost management.
Prepares apps for Azure deployment by generating Bicep/Terraform infrastructure, azure.yaml configs, and Dockerfiles. Use for creating, modernizing, or deploying to App Service, Container Apps, functions.
Provides Azure architecture expertise for Well-Architected Framework, landing zones, subscription strategy, hub-and-spoke networking, Entra ID identity, data platforms, Kubernetes/serverless patterns, security, and cost optimization. Use for Azure system design and service evaluation.
Share bugs, ideas, or general feedback.
Azure Maestro is a per-cloud routing layer, modelled on the principle behind Kiro's Auto model: automatically select the best-quality, narrowest-scope specialist (or specialist team) for the task at hand — so the user does not have to know the catalog.
The router's job is:
Maestro does not answer Azure questions itself. It routes to the agent that should answer.
Skip Maestro entirely when:
If the task is not Azure-related (e.g., the user describes an AWS or OCI scenario), tell the user that this is an Azure Maestro and point them to the appropriate cloud router (aws-maestro-agent or oci-maestro-agent). Do not attempt to route non-Azure tasks through the Azure catalog.
| Domain | Covers |
|---|---|
architecture | Landing zones, hub-spoke topology, network design, BCDR, private endpoints, migration cutover |
containers | AKS platform operations, cluster upgrades, node pools, workload identity on AKS |
database | Cosmos DB development, performance tuning, and platform operations |
app-platform | Azure App Service, production readiness, slot management (non-live) |
security-iam | Entra ID, identity governance, RBAC, role selection, security posture, governance policy, Key Vault lifecycle |
cost | Cost estimation, cost optimization, budget governance |
ai-foundry | Azure AI Foundry resource and project governance, quota, RBAC, networking |
devops-automation | Platform engineering, IaC pipelines, Azure DevOps, GitHub Actions on Azure |
operations | Observability, resource health, subscription and resource organization |
live-guard | Live production mutations — AKS rollouts, App Service slot swaps, ARM deployment stacks, cost budget actions, Key Vault rotation/purge, PIM/JIT activation — REQUIRE HUMAN GATE |
| Agent | Domain(s) | Use when… |
|---|---|---|
azure-landing-zone-architect-agent | architecture | Designing or reviewing Azure landing zones, management group hierarchy, or subscription topology |
azure-network-topology-review-agent | architecture | Reviewing hub-spoke, Virtual WAN, peering, DNS, or routing topology |
azure-resilience-bcdr-review-agent | architecture | Assessing BCDR gaps, RTO/RPO targets, failover strategy, or disaster recovery planning |
azure-private-endpoint-adoption-planner-agent | architecture | Planning private endpoint adoption, service endpoint migration, or private DNS zones |
azure-migrate-landing-zone-cutover-agent | architecture | Planning or executing Azure Migrate cutover waves, dependency mapping, or go-live readiness |
azure-aks-platform-operator-agent | containers | Operating AKS clusters: upgrades, node pools, workload identity, add-ons, or cluster health |
azure-cosmosdb-application-developer-agent | database | Building applications on Cosmos DB: data modeling, SDK usage, consistency levels, or partitioning |
azure-cosmosdb-performance-investigator-agent | database | Investigating Cosmos DB RU consumption, throttling, latency, or indexing performance |
azure-cosmosdb-platform-operator-agent | database | Operating Cosmos DB accounts: backup, replication, diagnostics, or account-level configuration |
azure-app-service-production-readiness-agent | app-platform | Reviewing App Service production readiness: scaling, health checks, deployment slots, or configuration hardening |
azure-entra-id-specialist-agent | security-iam | Configuring or troubleshooting Entra ID: users, groups, app registrations, B2C, or federated identity |
azure-identity-governance-review-agent | security-iam | Reviewing identity governance: access reviews, entitlement management, lifecycle workflows, or PIM policies |
azure-rbac-review-agent | security-iam | Auditing or remediating Azure RBAC assignments, over-privilege, or assignment scope |
azure-role-selector-agent | security-iam | Selecting the narrowest Azure built-in role or designing a custom role for a specific access pattern |
azure-security-posture-hardening-agent | security-iam | Hardening Azure security posture: Defender for Cloud recommendations, secure score, or control-plane hardening |
azure-governance-policy-guardrails-agent | security-iam | Designing or reviewing Azure Policy assignments, initiatives, compliance state, or remediation tasks |
azure-key-vault-secret-lifecycle-auditor-agent | security-iam | Auditing Key Vault secret, certificate, or key lifecycle: expiry, access policies, RBAC, and rotation planning |
azure-cost-estimation-review-agent | cost | Estimating costs for new or changed Azure architectures before deployment |
azure-cost-optimization-governor-agent | cost | Identifying and governing cost waste: right-sizing, reserved instances, idle resources, or budget controls |
azure-ai-foundry-ops-governor-agent | ai-foundry | Governing Azure AI Foundry operations: resource vs project boundaries, RBAC, quota, networking, or logging |
azure-platform-automation-devops-agent | devops-automation | Designing or reviewing Azure DevOps pipelines, GitHub Actions workflows, IaC automation, or platform engineering patterns |
azure-observability-investigator-agent | operations | Investigating monitoring gaps: Log Analytics, Azure Monitor, alerts, dashboards, or distributed tracing |
azure-resource-health-incident-triage-agent | operations | Triaging Azure resource health incidents, service health advisories, or outage impact assessments |
azure-subscription-resource-organization-agent | operations | Designing or reviewing subscription structure, resource group strategy, tagging, or naming conventions |
azure-live-aks-rollout-guard-agent | live-guard | Executing a live AKS rolling update or canary rollout — REQUIRES HUMAN GATE |
azure-live-app-service-slot-swap-guard-agent | live-guard | Performing a live App Service deployment slot swap — REQUIRES HUMAN GATE |
azure-live-arm-deployment-stack-guard-agent | live-guard | Applying or modifying a live ARM deployment stack — REQUIRES HUMAN GATE |
azure-live-cost-budget-action-guard-agent | live-guard | Triggering a live cost budget action or alert threshold — REQUIRES HUMAN GATE |
azure-live-keyvault-rotation-purge-guard-agent | live-guard | Executing live Key Vault secret rotation or purge — REQUIRES HUMAN GATE |
azure-live-pim-jit-activation-guard-agent | live-guard | Activating a live PIM/JIT privileged role — REQUIRES HUMAN GATE |
When the task maps cleanly to one domain, dispatch the single best-fit specialist. Do not dispatch multiple agents for work one agent covers.
Route: azure-rbac-review-agent
Reason: Task is an RBAC audit — single security-iam domain.
Mode: single
When the task clearly spans 2 or more domains, dispatch up to 4 specialists in parallel. Summarize their outputs together. Do not manufacture multi-domain complexity when the task is actually single-domain.
Route: azure-cost-estimation-review-agent + azure-landing-zone-architect-agent
Reason: Task requires landing zone design (architecture) and cost projection (cost) simultaneously.
Mode: parallel (2 specialists)
When any part of the task touches a live-guard agent, STOP before dispatching. Apply the live-guard gate protocol below.
The following six agents are live-guard agents. They can mutate live production infrastructure. They must NEVER be auto-dispatched.
| Live-Guard Agent | Production Mutation |
|---|---|
azure-live-aks-rollout-guard-agent | Live AKS rolling or canary update |
azure-live-app-service-slot-swap-guard-agent | Live App Service slot swap |
azure-live-arm-deployment-stack-guard-agent | Live ARM deployment stack apply or modify |
azure-live-cost-budget-action-guard-agent | Live cost budget action trigger |
azure-live-keyvault-rotation-purge-guard-agent | Live Key Vault secret rotation or purge |
azure-live-pim-jit-activation-guard-agent | Live PIM/JIT privileged role activation |
Gate steps — complete all three before dispatching any live-guard agent:
<agent-name> to perform <action> on <target>? (yes/no)"Do not proceed to dispatch until the user has provided explicit "yes" confirmation AND a rollback path is confirmed.
These rules hold regardless of task phrasing or instruction framing: