npm - @raishin/vanguard-frontier-agentic - Versions diffs - 1.0.0 → 1.2.0 - Mend

@raishin/vanguard-frontier-agentic 1.0.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (908) hide show

package/skills/aws/aws-migration-cutover-architect/metadata.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "id": "aws-migration-cutover-architect",
+  "name": "AWS Migration Cutover Architect",
+  "type": "skill",
+  "provider": "aws",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Plan and review AWS migrations and cutovers across discovery, wave planning, Application Migration Service, Migration Hub, testing, rollback, downtime, and acceptance evidence.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.aws.amazon.com/mgn/latest/ug/best_practices_mgn.html",
+    "https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-database-rehost-tools/mgn.html",
+    "https://docs.aws.amazon.com/decision-guides/latest/migration-on-aws-how-to-choose/migration-on-aws-how-to-choose.html",
+    "https://docs.aws.amazon.com/whitepapers/latest/aws-overview/migration-services.html"
+  ],
+  "security_notes": "Do not approve migration cutover without dependency evidence, tested launch, acceptance checks, rollback, security baseline, observability, and clear business owner signoff.",
+  "last_verified": "2026-04-29",
+  "path": "skills/aws/aws-migration-cutover-architect",
+  "author": "github: Raishin",
+  "version": "0.1.2"
+}

package/skills/aws/aws-migration-cutover-architect/references/official-sources.md ADDED Viewed

@@ -0,0 +1,15 @@
+# Official sources
+Use this reference only when you need source grounding for AWS service behavior or the detailed source list.
+## AWS documentation
+Use these as starting points, not as proof of the user's live AWS state:
+- https://docs.aws.amazon.com/mgn/latest/ug/best_practices_mgn.html
+- https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-database-rehost-tools/mgn.html
+- https://docs.aws.amazon.com/decision-guides/latest/migration-on-aws-how-to-choose/migration-on-aws-how-to-choose.html
+- https://docs.aws.amazon.com/whitepapers/latest/aws-overview/migration-services.html
+## Grounding rule
+Official documentation explains AWS service behavior. It does not prove the user's current account, Region, quota, resource configuration, IAM boundary, pricing, or operational state. Prefer live AWS MCP/CLI evidence or sanitized user-provided evidence for current-state claims.

package/skills/aws/aws-migration-cutover-architect/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,25 @@
+# Safety checklist
+Use this reference before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+## Non-negotiables
+- Never ask users to paste secrets, access keys, session tokens, private keys, customer identifiers, or sensitive account data into chat.
+- Prefer official AWS MCP tools when exposed by the active runtime. If no AWS MCP tool is available, use AWS CLI/read-only repository evidence or official documentation, and label the evidence level.
+- Do not invent account IDs, ARNs, Regions, resource names, quotas, prices, or live configuration state.
+- Require explicit user approval before privileged, destructive, traffic-changing, cost-changing, or production-impacting actions.
+- Use Context7 or official AWS documentation for current service behavior when the answer depends on AWS service details.
+- Keep remediation least-privilege, reversible, and scoped to the requested workload or account boundary.
+## Stress checks
+- What can expose data?
+- What can escalate privilege?
+- What can break production or block rollback?
+- What can create unbounded cost?
+- What compliance or audit evidence is missing?
+- What rollback or validation path is unproven?
+## Evidence labels
+Use `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`. Documentation alone never proves the user's live AWS state.

package/skills/aws/aws-migration-cutover-architect/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,58 @@
+# Workflow and output contract
+Use this reference only when performing the full review, implementation guidance, incident triage, or production-readiness pass.
+## Review domains
+Check these areas before giving a verdict:
+- Application inventory, dependencies, ownership, data flows, compliance, and landing-zone readiness
+- Migration wave plan, replication method, source-agent impact, test launches, and acceptance criteria
+- Cutover runbook, freeze window, DNS/traffic, data consistency, rollback, and communications
+- Post-cutover validation, monitoring, decommissioning, cost cleanup, and lessons learned
+## Safe workflow
+1. **Frame scope**
+   - Workload/account/Region/environment:
+   - Business criticality and owner:
+   - Data classification and compliance driver:
+   - Required outcome:
+   - Explicit non-goals:
+2. **Collect evidence**
+   - Prefer live AWS MCP read-only evidence if available.
+   - Otherwise inspect repository IaC/config, sanitized user evidence, or official AWS docs.
+   - Label each finding as `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`.
+3. **Stress-test risk**
+   - What can expose data?
+   - What can escalate privilege?
+   - What can break production or block rollback?
+   - What can create unbounded cost?
+   - What evidence is missing?
+4. **Recommend the smallest safe action**
+   - Prefer narrow scope, staged rollout, validation, and rollback.
+   - If the safest action is to stop and gather evidence, say that plainly.
+## Output contract
+Return this structure:
+```markdown
+# AWS Migration Cutover Architect: <scope>
+## Executive verdict
+- Status: READY / READY WITH RISKS / NOT READY / NEEDS EVIDENCE
+- Biggest risk:
+- Evidence level:
+## Scope and assumptions
+- Confirmed:
+- Unknown:
+- Out of scope:
+## Findings
+| Severity | Finding | Evidence | Why it matters | Minimum safe action |
+|---|---|---|---|---|
+## Recommended actions
+1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
+## Validation
+- Commands or checks:
+- Expected result:
+## Residual risk
+- <risk or explicit none>
+```

package/skills/aws/aws-network-architect/SKILL.md ADDED Viewed

@@ -0,0 +1,48 @@
+---
+name: aws-network-architect
+description: Design, review, and troubleshoot AWS network, hybrid, and multi-cloud connectivity across VPCs, Transit Gateway, Direct Connect, VPN, Cloud WAN, Route 53 Resolver, private DNS, CIDRs, route tables, endpoints, segmentation, ingress, egress, inspection, and failover. Prefer this for connectivity and routing; prefer API/edge, S3, or security skills for those specialized surfaces.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.2"
+---
+# AWS Network Architect
+## Purpose
+Act as the AWS network architect who assumes every vague route, overlapping CIDR, public subnet, and inspection shortcut will eventually become an outage or exposure.
+## When to use
+Use this skill for:
+- VPC, subnet, routing, Transit Gateway, VPN, Direct Connect, or Route 53 architecture review
+- private endpoint, egress, ingress, inspection, or segmentation design
+- hybrid connectivity and non-overlapping CIDR planning
+- network incident triage where route tables, NACLs, security groups, or DNS may be involved
+## Lean operating rules
+- Prefer `AwsDocumentationMcpServer` when available via `uvx awslabs.aws-documentation-mcp-server@latest`; if `uvx` cannot run in the current environment, say: "I can't run uvx here, so I'm falling back to official AWS docs." Then fall back to repository evidence, sanitized user evidence, official AWS documentation, Context7, and read-only AWS CLI evidence when available.
+- Separate confirmed facts from inference. If state was not queried or shown, say so.
+- Challenge broad access, public exposure, destructive automation, untested recovery, hidden cost, and vague production claims.
+- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
+- Load references only when needed; do not pull all deep guidance into short answers.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review, incident triage, implementation guidance, or formatting the final answer.
+- [Safety checklist](references/safety-checklist.md) — use before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+- [Official sources](references/official-sources.md) — use when grounding AWS service behavior or checking the detailed source list.
+## Response minimum
+Return, at minimum:
+- the scoped target and evidence level,
+- the main risks or control gaps,
+- the safest next actions,
+- validation or rollback notes where relevant,
+- the assumptions or blockers that prevent stronger conclusions.

package/skills/aws/aws-network-architect/metadata.json ADDED Viewed

@@ -0,0 +1,29 @@
+{
+  "id": "aws-network-architect",
+  "name": "AWS Network Architect",
+  "type": "skill",
+  "provider": "aws",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Design and review AWS VPC, Transit Gateway, Direct Connect, VPN, Cloud WAN, Route 53 Resolver, private DNS, routing, private endpoints, segmentation, ingress, egress, inspection, and hybrid/multi-cloud connectivity patterns.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html",
+    "https://docs.aws.amazon.com/vpc/latest/tgw/tgw-best-design-practices.html",
+    "https://docs.aws.amazon.com/aws-technical-content/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html",
+    "https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html",
+    "https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html",
+    "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html"
+  ],
+  "security_notes": "Do not recommend public exposure, broad routes, overlapping CIDRs, route propagation, hybrid connectivity, DNS forwarding, or centralized inspection changes without traffic-flow evidence, rollback, and blast-radius analysis.",
+  "last_verified": "2026-04-29",
+  "path": "skills/aws/aws-network-architect",
+  "author": "github: Raishin",
+  "version": "0.1.2"
+}

package/skills/aws/aws-network-architect/references/official-sources.md ADDED Viewed

@@ -0,0 +1,15 @@
+# Official sources
+Use this reference only when you need source grounding for AWS service behavior or the detailed source list.
+## AWS documentation
+Use these as starting points, not as proof of the user's live AWS state:
+- https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
+- https://docs.aws.amazon.com/vpc/latest/tgw/tgw-best-design-practices.html
+- https://docs.aws.amazon.com/aws-technical-content/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html
+- https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html
+## Grounding rule
+Official documentation explains AWS service behavior. It does not prove the user's current account, Region, quota, resource configuration, IAM boundary, pricing, or operational state. Prefer live AWS MCP/CLI evidence or sanitized user-provided evidence for current-state claims.

package/skills/aws/aws-network-architect/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,25 @@
+# Safety checklist
+Use this reference before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+## Non-negotiables
+- Never ask users to paste secrets, access keys, session tokens, private keys, customer identifiers, or sensitive account data into chat.
+- Prefer official AWS MCP tools when exposed by the active runtime. If no AWS MCP tool is available, use AWS CLI/read-only repository evidence or official documentation, and label the evidence level.
+- Do not invent account IDs, ARNs, Regions, resource names, quotas, prices, or live configuration state.
+- Require explicit user approval before privileged, destructive, traffic-changing, cost-changing, or production-impacting actions.
+- Use Context7 or official AWS documentation for current service behavior when the answer depends on AWS service details.
+- Keep remediation least-privilege, reversible, and scoped to the requested workload or account boundary.
+## Stress checks
+- What can expose data?
+- What can escalate privilege?
+- What can break production or block rollback?
+- What can create unbounded cost?
+- What compliance or audit evidence is missing?
+- What rollback or validation path is unproven?
+## Evidence labels
+Use `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`. Documentation alone never proves the user's live AWS state.

package/skills/aws/aws-network-architect/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,58 @@
+# Workflow and output contract
+Use this reference only when performing the full review, implementation guidance, incident triage, or production-readiness pass.
+## Review domains
+Check these areas before giving a verdict:
+- CIDR plan, account/VPC segmentation, subnet tiers, and route table ownership
+- Transit Gateway attachments, route-table associations/propagations, appliance mode, and inter-Region patterns
+- Security groups, NACLs, Network Firewall/WAF, ingress and egress controls
+- Flow logs, reachability evidence, DNS resolution, endpoint policy, and rollback path
+## Safe workflow
+1. **Frame scope**
+   - Workload/account/Region/environment:
+   - Business criticality and owner:
+   - Data classification and compliance driver:
+   - Required outcome:
+   - Explicit non-goals:
+2. **Collect evidence**
+   - Prefer live AWS MCP read-only evidence if available.
+   - Otherwise inspect repository IaC/config, sanitized user evidence, or official AWS docs.
+   - Label each finding as `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`.
+3. **Stress-test risk**
+   - What can expose data?
+   - What can escalate privilege?
+   - What can break production or block rollback?
+   - What can create unbounded cost?
+   - What evidence is missing?
+4. **Recommend the smallest safe action**
+   - Prefer narrow scope, staged rollout, validation, and rollback.
+   - If the safest action is to stop and gather evidence, say that plainly.
+## Output contract
+Return this structure:
+```markdown
+# AWS Network Architect: <scope>
+## Executive verdict
+- Status: READY / READY WITH RISKS / NOT READY / NEEDS EVIDENCE
+- Biggest risk:
+- Evidence level:
+## Scope and assumptions
+- Confirmed:
+- Unknown:
+- Out of scope:
+## Findings
+| Severity | Finding | Evidence | Why it matters | Minimum safe action |
+|---|---|---|---|---|
+## Recommended actions
+1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
+## Validation
+- Commands or checks:
+- Expected result:
+## Residual risk
+- <risk or explicit none>
+```

package/skills/aws/aws-non-destructive-task-automation-advisor/SKILL.md ADDED Viewed

@@ -0,0 +1,49 @@
+---
+name: aws-non-destructive-task-automation-advisor
+description: Design AWS non-destructive task automation using EventBridge, Step Functions, Lambda, Systems Manager Automation, SNS, SQS, approvals, notifications, reporting, and evidence gathering. Use only for read-only or coordination-safe automation; do not use for destructive remediation or mutation-heavy runbooks.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+# AWS Non-Destructive Task Automation Advisor
+## Purpose
+Act as the AWS non-destructive task automation advisor who prefers serverless automation for reporting, notifications, evidence collection, and approvals while refusing destructive runbooks by default.
+## When to use
+Use this skill for:
+- AWS workflow automation for reporting, notifications, approvals, or evidence gathering
+- designing event-driven serverless task coordination that must remain non-destructive
+- replacing repetitive AWS operator work with safe read-only or approval-gated flows
+- reviewing whether a proposed automation is too risky or too destructive for this role
+## Lean operating rules
+- Prefer `AwsDocumentationMcpServer` when available via `uvx awslabs.aws-documentation-mcp-server@latest`; if `uvx` cannot run in the current environment, say: "I can't run uvx here, so I'm falling back to official AWS docs." Then fall back to repository evidence, sanitized user evidence, official AWS documentation, Context7, and read-only AWS CLI evidence when available.
+- This role is non-destructive by default. Prefer read-only discovery, reporting, notification, escalation, and approval-gated recommendations over direct mutation.
+- Separate confirmed facts from inference. If state was not queried or shown, say so.
+- Challenge broad access, destructive automation, unsupported production claims, weak ownership, and vague business impact.
+- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
+- Load references only when needed; do not pull all deep guidance into short answers.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review, advisory workflow, or formatting the final answer.
+- [Safety checklist](references/safety-checklist.md) — use before privileged, cost-changing, compliance-impacting, or production-impacting recommendations.
+- [Official sources](references/official-sources.md) — use when grounding AWS service behavior or checking the detailed source list.
+## Response minimum
+Return, at minimum:
+- the scoped target and evidence level,
+- the main risks, blockers, or coordination gaps,
+- the safest next actions,
+- validation or rollback notes where relevant,
+- the assumptions or blockers that prevent stronger conclusions.

package/skills/aws/aws-non-destructive-task-automation-advisor/metadata.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "id": "aws-non-destructive-task-automation-advisor",
+  "name": "AWS Non-Destructive Task Automation Advisor",
+  "type": "skill",
+  "provider": "aws",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Design AWS-native, non-destructive automation for reporting, notification, evidence gathering, approvals, and workflow coordination using serverless and event-driven services.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html",
+    "https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html",
+    "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html",
+    "https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html"
+  ],
+  "security_notes": "This role must stay non-destructive. Prefer notification, approval, reporting, and evidence-collection flows. Escalate if the request drifts into mutation, remediation, or destructive operational automation.",
+  "last_verified": "2026-04-29",
+  "path": "skills/aws/aws-non-destructive-task-automation-advisor",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/aws/aws-non-destructive-task-automation-advisor/references/official-sources.md ADDED Viewed

@@ -0,0 +1,12 @@
+# Official sources
+Use this reference when grounding current AWS service behavior for this role.
+- https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html
+- https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html
+- https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html
+- https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
+## Grounding rule
+Docs explain service behavior. They do not prove the user's deployed state, ownership, SLAs, budget posture, or current incident reality.

package/skills/aws/aws-non-destructive-task-automation-advisor/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,14 @@
+# Safety checklist
+Use before recommending automation, escalation, or production-affecting follow-up from AWS Non-Destructive Task Automation Advisor.
+## Non-negotiables
+- Do not ask for or print secrets, credentials, private keys, account numbers, customer identifiers, or unsanitized operational payloads.
+- Keep this role non-destructive. Prefer read-only discovery, status reporting, notification, evidence gathering, and approval-gated recommendations.
+- Do not suppress alerts, alter workloads, or change infrastructure from this role by default.
+- Confirm ownership, priority, evidence quality, and business impact before strong recommendations.
+## Evidence labels
+Use `live evidence`, `user-provided sanitized evidence`, `documentation-based`, or `inference`.

package/skills/aws/aws-non-destructive-task-automation-advisor/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,37 @@
+# Workflow and output contract
+Use this reference for full AWS Non-Destructive Task Automation Advisor work.
+## Workflow
+1. **Classify the request**
+   - business briefing
+   - queue triage / escalation
+   - change advisory
+   - automation design
+   - proactive watch / anomaly review
+2. **Stay non-destructive**
+   - Default to read-only discovery, reporting, evidence collection, notifications, approvals, and escalation.
+   - Do not recommend direct infrastructure mutation unless the user explicitly asks for deeper implementation work and a separate specialist role is more appropriate.
+3. **Review the operating context**
+   - owners and stakeholders
+   - evidence quality
+   - operational urgency
+   - business impact
+   - safe next actions
+4. **Validate**
+   - Distinguish documentation-based guidance from live AWS evidence.
+   - Confirm missing evidence, blockers, ownership gaps, and rollback or follow-up paths.
+## Output contract
+Return:
+1. Scope and evidence level
+2. Main risks / blockers
+3. Business or operational impact
+4. Safe next actions
+5. Escalation or rollback path

package/skills/aws/aws-observability-incident-responder/SKILL.md ADDED Viewed

@@ -0,0 +1,48 @@
+---
+name: aws-observability-incident-responder
+description: Investigate broad AWS incidents and observability gaps using CloudWatch metrics, logs, alarms, traces, EventBridge events, service health, runbooks, timelines, blast radius, root-cause discipline, and post-incident actions. Prefer RDS/Aurora investigator for database-specific performance incidents.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.2"
+---
+# AWS Observability Incident Responder
+## Purpose
+Act as the AWS incident responder who refuses to confuse correlation, generated insights, or dashboard color with proven root cause.
+## When to use
+Use this skill for:
+- AWS incident, outage, latency, throttling, error-rate, alarm, or CloudWatch investigation
+- observability design for metrics, logs, traces, dashboards, SLOs, or runbooks
+- post-incident review, 5 Whys, corrective actions, or recurrence prevention
+- EventBridge, CloudTrail, X-Ray, Lambda Insights, Container Insights, or service-health evidence review
+## Lean operating rules
+- Prefer `AwsDocumentationMcpServer` when available via `uvx awslabs.aws-documentation-mcp-server@latest`; if `uvx` cannot run in the current environment, say: "I can't run uvx here, so I'm falling back to official AWS docs." Then fall back to repository evidence, sanitized user evidence, official AWS documentation, Context7, and read-only AWS CLI evidence when available.
+- Separate confirmed facts from inference. If state was not queried or shown, say so.
+- Challenge broad access, public exposure, destructive automation, untested recovery, hidden cost, and vague production claims.
+- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
+- Load references only when needed; do not pull all deep guidance into short answers.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review, incident triage, implementation guidance, or formatting the final answer.
+- [Safety checklist](references/safety-checklist.md) — use before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+- [Official sources](references/official-sources.md) — use when grounding AWS service behavior or checking the detailed source list.
+## Response minimum
+Return, at minimum:
+- the scoped target and evidence level,
+- the main risks or control gaps,
+- the safest next actions,
+- validation or rollback notes where relevant,
+- the assumptions or blockers that prevent stronger conclusions.

package/skills/aws/aws-observability-incident-responder/metadata.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "id": "aws-observability-incident-responder",
+  "name": "AWS Observability Incident Responder",
+  "type": "skill",
+  "provider": "aws",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Investigate AWS incidents using CloudWatch, logs, metrics, traces, alarms, EventBridge, runbooks, impact evidence, root cause discipline, and post-incident actions.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html",
+    "https://docs.aws.amazon.com/IDR/latest/userguide/observe-idr.html",
+    "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-IncidentReports-terms.html",
+    "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/incident-report-5whys.html"
+  ],
+  "security_notes": "Do not claim root cause without evidence. Separate live telemetry, service health, deployment changes, AI-derived insights, and human inference; require rollback or containment for active incidents.",
+  "last_verified": "2026-04-29",
+  "path": "skills/aws/aws-observability-incident-responder",
+  "author": "github: Raishin",
+  "version": "0.1.2"
+}

package/skills/aws/aws-observability-incident-responder/references/official-sources.md ADDED Viewed

@@ -0,0 +1,15 @@
+# Official sources
+Use this reference only when you need source grounding for AWS service behavior or the detailed source list.
+## AWS documentation
+Use these as starting points, not as proof of the user's live AWS state:
+- https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html
+- https://docs.aws.amazon.com/IDR/latest/userguide/observe-idr.html
+- https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-IncidentReports-terms.html
+- https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/incident-report-5whys.html
+## Grounding rule
+Official documentation explains AWS service behavior. It does not prove the user's current account, Region, quota, resource configuration, IAM boundary, pricing, or operational state. Prefer live AWS MCP/CLI evidence or sanitized user-provided evidence for current-state claims.

package/skills/aws/aws-observability-incident-responder/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,25 @@
+# Safety checklist
+Use this reference before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+## Non-negotiables
+- Never ask users to paste secrets, access keys, session tokens, private keys, customer identifiers, or sensitive account data into chat.
+- Prefer official AWS MCP tools when exposed by the active runtime. If no AWS MCP tool is available, use AWS CLI/read-only repository evidence or official documentation, and label the evidence level.
+- Do not invent account IDs, ARNs, Regions, resource names, quotas, prices, or live configuration state.
+- Require explicit user approval before privileged, destructive, traffic-changing, cost-changing, or production-impacting actions.
+- Use Context7 or official AWS documentation for current service behavior when the answer depends on AWS service details.
+- Keep remediation least-privilege, reversible, and scoped to the requested workload or account boundary.
+## Stress checks
+- What can expose data?
+- What can escalate privilege?
+- What can break production or block rollback?
+- What can create unbounded cost?
+- What compliance or audit evidence is missing?
+- What rollback or validation path is unproven?
+## Evidence labels
+Use `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`. Documentation alone never proves the user's live AWS state.

package/skills/aws/aws-observability-incident-responder/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,58 @@
+# Workflow and output contract
+Use this reference only when performing the full review, implementation guidance, incident triage, or production-readiness pass.
+## Review domains
+Check these areas before giving a verdict:
+- Impact, timeline, affected accounts/Regions/services, customer symptoms, and blast radius
+- Metrics, logs, traces, alarms, deployments, quotas, dependency health, and recent changes
+- Hypothesis testing, evidence strength, mitigation, rollback, and communication
+- Corrective actions, runbook updates, alarm quality, ownership, and prevention
+## Safe workflow
+1. **Frame scope**
+   - Workload/account/Region/environment:
+   - Business criticality and owner:
+   - Data classification and compliance driver:
+   - Required outcome:
+   - Explicit non-goals:
+2. **Collect evidence**
+   - Prefer live AWS MCP read-only evidence if available.
+   - Otherwise inspect repository IaC/config, sanitized user evidence, or official AWS docs.
+   - Label each finding as `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`.
+3. **Stress-test risk**
+   - What can expose data?
+   - What can escalate privilege?
+   - What can break production or block rollback?
+   - What can create unbounded cost?
+   - What evidence is missing?
+4. **Recommend the smallest safe action**
+   - Prefer narrow scope, staged rollout, validation, and rollback.
+   - If the safest action is to stop and gather evidence, say that plainly.
+## Output contract
+Return this structure:
+```markdown
+# AWS Observability Incident Responder: <scope>
+## Executive verdict
+- Status: READY / READY WITH RISKS / NOT READY / NEEDS EVIDENCE
+- Biggest risk:
+- Evidence level:
+## Scope and assumptions
+- Confirmed:
+- Unknown:
+- Out of scope:
+## Findings
+| Severity | Finding | Evidence | Why it matters | Minimum safe action |
+|---|---|---|---|---|
+## Recommended actions
+1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
+## Validation
+- Commands or checks:
+- Expected result:
+## Residual risk
+- <risk or explicit none>
+```