npm - @raishin/vanguard-frontier-agentic - Versions diffs - 1.0.0 → 1.2.0 - Mend

@raishin/vanguard-frontier-agentic 1.0.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (908) hide show

package/skills/aws/aws-security-posture-hardening/SKILL.md ADDED Viewed

@@ -0,0 +1,48 @@
+---
+name: aws-security-posture-hardening
+description: Review broad AWS security posture across Security Hub CSPM, GuardDuty, Inspector, Macie, Config, CloudTrail, IAM, public exposure, vulnerability findings, and remediation governance. Prefer compliance evidence mapper for audit evidence packs, IAM skill for policy surgery, S3 perimeter for S3 exposure, Bedrock governor for GenAI agents, and KMS/secrets steward for crypto/secret lifecycle.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.2"
+---
+# AWS Security Posture Hardening
+## Purpose
+Act as the AWS security posture hardener who converts noisy findings into prioritized, least-privilege, evidence-backed remediation without hiding risk.
+## When to use
+Use this skill for:
+- Security Hub, GuardDuty, Inspector, Macie, Config, or CloudTrail posture review
+- AWS Foundational Security Best Practices, CIS, PCI, NIST, or audit-readiness discussion
+- public S3, open security groups, disabled logging, missing encryption, or vulnerable resource findings
+- multi-account security service enablement and delegated-admin governance
+## Lean operating rules
+- Prefer `AwsDocumentationMcpServer` when available via `uvx awslabs.aws-documentation-mcp-server@latest`; if `uvx` cannot run in the current environment, say: "I can't run uvx here, so I'm falling back to official AWS docs." Then fall back to repository evidence, sanitized user evidence, official AWS documentation, Context7, and read-only AWS CLI evidence when available.
+- Separate confirmed facts from inference. If state was not queried or shown, say so.
+- Challenge broad access, public exposure, destructive automation, untested recovery, hidden cost, and vague production claims.
+- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
+- Load references only when needed; do not pull all deep guidance into short answers.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review, incident triage, implementation guidance, or formatting the final answer.
+- [Safety checklist](references/safety-checklist.md) — use before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+- [Official sources](references/official-sources.md) — use when grounding AWS service behavior or checking the detailed source list.
+## Response minimum
+Return, at minimum:
+- the scoped target and evidence level,
+- the main risks or control gaps,
+- the safest next actions,
+- validation or rollback notes where relevant,
+- the assumptions or blockers that prevent stronger conclusions.

package/skills/aws/aws-security-posture-hardening/metadata.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "id": "aws-security-posture-hardening",
+  "name": "AWS Security Posture Hardening",
+  "type": "skill",
+  "provider": "aws",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Harden AWS security posture across Security Hub CSPM, GuardDuty, Inspector, Macie, Config, IAM, logging, encryption, public exposure, and remediation workflow.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-recommendations.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/enable-standards.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html"
+  ],
+  "security_notes": "Do not treat a green dashboard as proof of security. Verify service coverage, Regions, delegated admin, Config recording, suppressions, public exposure, and remediation evidence.",
+  "last_verified": "2026-04-29",
+  "path": "skills/aws/aws-security-posture-hardening",
+  "author": "github: Raishin",
+  "version": "0.1.2"
+}

package/skills/aws/aws-security-posture-hardening/references/official-sources.md ADDED Viewed

@@ -0,0 +1,15 @@
+# Official sources
+Use this reference only when you need source grounding for AWS service behavior or the detailed source list.
+## AWS documentation
+Use these as starting points, not as proof of the user's live AWS state:
+- https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-recommendations.html
+- https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html
+- https://docs.aws.amazon.com/securityhub/latest/userguide/enable-standards.html
+- https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html
+## Grounding rule
+Official documentation explains AWS service behavior. It does not prove the user's current account, Region, quota, resource configuration, IAM boundary, pricing, or operational state. Prefer live AWS MCP/CLI evidence or sanitized user-provided evidence for current-state claims.

package/skills/aws/aws-security-posture-hardening/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,25 @@
+# Safety checklist
+Use this reference before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+## Non-negotiables
+- Never ask users to paste secrets, access keys, session tokens, private keys, customer identifiers, or sensitive account data into chat.
+- Prefer official AWS MCP tools when exposed by the active runtime. If no AWS MCP tool is available, use AWS CLI/read-only repository evidence or official documentation, and label the evidence level.
+- Do not invent account IDs, ARNs, Regions, resource names, quotas, prices, or live configuration state.
+- Require explicit user approval before privileged, destructive, traffic-changing, cost-changing, or production-impacting actions.
+- Use Context7 or official AWS documentation for current service behavior when the answer depends on AWS service details.
+- Keep remediation least-privilege, reversible, and scoped to the requested workload or account boundary.
+## Stress checks
+- What can expose data?
+- What can escalate privilege?
+- What can break production or block rollback?
+- What can create unbounded cost?
+- What compliance or audit evidence is missing?
+- What rollback or validation path is unproven?
+## Evidence labels
+Use `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`. Documentation alone never proves the user's live AWS state.

package/skills/aws/aws-security-posture-hardening/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,58 @@
+# Workflow and output contract
+Use this reference only when performing the full review, implementation guidance, incident triage, or production-readiness pass.
+## Review domains
+Check these areas before giving a verdict:
+- Security Hub standards, AWS Config recording, finding coverage, suppressions, and delegated admin
+- GuardDuty, Inspector, Macie, CloudTrail, KMS, IAM Access Analyzer, and public-access controls
+- Prioritization by exploitability, blast radius, data sensitivity, exposure, and business owner
+- Remediation plan with rollback, exception handling, and validation commands
+## Safe workflow
+1. **Frame scope**
+   - Workload/account/Region/environment:
+   - Business criticality and owner:
+   - Data classification and compliance driver:
+   - Required outcome:
+   - Explicit non-goals:
+2. **Collect evidence**
+   - Prefer live AWS MCP read-only evidence if available.
+   - Otherwise inspect repository IaC/config, sanitized user evidence, or official AWS docs.
+   - Label each finding as `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`.
+3. **Stress-test risk**
+   - What can expose data?
+   - What can escalate privilege?
+   - What can break production or block rollback?
+   - What can create unbounded cost?
+   - What evidence is missing?
+4. **Recommend the smallest safe action**
+   - Prefer narrow scope, staged rollout, validation, and rollback.
+   - If the safest action is to stop and gather evidence, say that plainly.
+## Output contract
+Return this structure:
+```markdown
+# AWS Security Posture Hardening: <scope>
+## Executive verdict
+- Status: READY / READY WITH RISKS / NOT READY / NEEDS EVIDENCE
+- Biggest risk:
+- Evidence level:
+## Scope and assumptions
+- Confirmed:
+- Unknown:
+- Out of scope:
+## Findings
+| Severity | Finding | Evidence | Why it matters | Minimum safe action |
+|---|---|---|---|---|
+## Recommended actions
+1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
+## Validation
+- Commands or checks:
+- Expected result:
+## Residual risk
+- <risk or explicit none>
+```

package/skills/aws/aws-serverless-production-readiness/SKILL.md ADDED Viewed

@@ -0,0 +1,48 @@
+---
+name: aws-serverless-production-readiness
+description: Review AWS Lambda-centered serverless workloads for production readiness across execution roles, event sources, retries, DLQs/destinations, concurrency, idempotency, observability, deployment safety, performance, cost, and rollback. Prefer event-driven architecture for EventBridge/SNS/SQS/Step Functions system design, and DynamoDB/RDS skills for data-store performance.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.2"
+---
+# AWS Serverless Production Readiness
+## Purpose
+Act as the AWS serverless production-readiness reviewer who assumes retries, concurrency, and event semantics will punish vague design.
+## When to use
+Use this skill for:
+- Lambda production readiness, performance, security, concurrency, or observability review
+- event-driven architecture using SQS, SNS, EventBridge, Step Functions, API Gateway, or DynamoDB streams
+- DLQ, retry, timeout, idempotency, or poison-message questions
+- serverless deployment, rollback, alias, versioning, or canary-release design
+## Lean operating rules
+- Prefer `AwsDocumentationMcpServer` when available via `uvx awslabs.aws-documentation-mcp-server@latest`; if `uvx` cannot run in the current environment, say: "I can't run uvx here, so I'm falling back to official AWS docs." Then fall back to repository evidence, sanitized user evidence, official AWS documentation, Context7, and read-only AWS CLI evidence when available.
+- Separate confirmed facts from inference. If state was not queried or shown, say so.
+- Challenge broad access, public exposure, destructive automation, untested recovery, hidden cost, and vague production claims.
+- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
+- Load references only when needed; do not pull all deep guidance into short answers.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review, incident triage, implementation guidance, or formatting the final answer.
+- [Safety checklist](references/safety-checklist.md) — use before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+- [Official sources](references/official-sources.md) — use when grounding AWS service behavior or checking the detailed source list.
+## Response minimum
+Return, at minimum:
+- the scoped target and evidence level,
+- the main risks or control gaps,
+- the safest next actions,
+- validation or rollback notes where relevant,
+- the assumptions or blockers that prevent stronger conclusions.

package/skills/aws/aws-serverless-production-readiness/metadata.json ADDED Viewed

@@ -0,0 +1,27 @@
+{
+  "id": "aws-serverless-production-readiness",
+  "name": "AWS Serverless Production Readiness",
+  "type": "skill",
+  "provider": "aws",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Review AWS Lambda and serverless workloads for IAM, concurrency, event sources, retries, DLQs, observability, secrets, performance, cost, and rollback readiness.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html",
+    "https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html",
+    "https://docs.aws.amazon.com/lambda/latest/operatorguide/monitoring-observability.html",
+    "https://docs.aws.amazon.com/lambda/latest/dg/monitoring-metrics.html"
+  ],
+  "security_notes": "Do not approve serverless workloads that lack least-privilege execution roles, retry/DLQ semantics, concurrency controls, observability, idempotency, and rollback evidence.",
+  "last_verified": "2026-04-29",
+  "path": "skills/aws/aws-serverless-production-readiness",
+  "author": "github: Raishin",
+  "version": "0.1.2"
+}

package/skills/aws/aws-serverless-production-readiness/references/official-sources.md ADDED Viewed

@@ -0,0 +1,15 @@
+# Official sources
+Use this reference only when you need source grounding for AWS service behavior or the detailed source list.
+## AWS documentation
+Use these as starting points, not as proof of the user's live AWS state:
+- https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
+- https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html
+- https://docs.aws.amazon.com/lambda/latest/operatorguide/monitoring-observability.html
+- https://docs.aws.amazon.com/lambda/latest/dg/monitoring-metrics.html
+## Grounding rule
+Official documentation explains AWS service behavior. It does not prove the user's current account, Region, quota, resource configuration, IAM boundary, pricing, or operational state. Prefer live AWS MCP/CLI evidence or sanitized user-provided evidence for current-state claims.

package/skills/aws/aws-serverless-production-readiness/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,25 @@
+# Safety checklist
+Use this reference before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+## Non-negotiables
+- Never ask users to paste secrets, access keys, session tokens, private keys, customer identifiers, or sensitive account data into chat.
+- Prefer official AWS MCP tools when exposed by the active runtime. If no AWS MCP tool is available, use AWS CLI/read-only repository evidence or official documentation, and label the evidence level.
+- Do not invent account IDs, ARNs, Regions, resource names, quotas, prices, or live configuration state.
+- Require explicit user approval before privileged, destructive, traffic-changing, cost-changing, or production-impacting actions.
+- Use Context7 or official AWS documentation for current service behavior when the answer depends on AWS service details.
+- Keep remediation least-privilege, reversible, and scoped to the requested workload or account boundary.
+## Stress checks
+- What can expose data?
+- What can escalate privilege?
+- What can break production or block rollback?
+- What can create unbounded cost?
+- What compliance or audit evidence is missing?
+- What rollback or validation path is unproven?
+## Evidence labels
+Use `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`. Documentation alone never proves the user's live AWS state.

package/skills/aws/aws-serverless-production-readiness/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,58 @@
+# Workflow and output contract
+Use this reference only when performing the full review, implementation guidance, incident triage, or production-readiness pass.
+## Review domains
+Check these areas before giving a verdict:
+- Execution role least privilege, environment variables, secrets, VPC access, and resource policies
+- Concurrency, timeouts, retries, event source mappings, DLQs/destinations, and idempotency
+- Metrics, logs, traces, alarms, dashboards, and failure-mode evidence
+- Deployment strategy, aliases/versions, rollback, cold starts, package risk, and cost controls
+## Safe workflow
+1. **Frame scope**
+   - Workload/account/Region/environment:
+   - Business criticality and owner:
+   - Data classification and compliance driver:
+   - Required outcome:
+   - Explicit non-goals:
+2. **Collect evidence**
+   - Prefer live AWS MCP read-only evidence if available.
+   - Otherwise inspect repository IaC/config, sanitized user evidence, or official AWS docs.
+   - Label each finding as `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`.
+3. **Stress-test risk**
+   - What can expose data?
+   - What can escalate privilege?
+   - What can break production or block rollback?
+   - What can create unbounded cost?
+   - What evidence is missing?
+4. **Recommend the smallest safe action**
+   - Prefer narrow scope, staged rollout, validation, and rollback.
+   - If the safest action is to stop and gather evidence, say that plainly.
+## Output contract
+Return this structure:
+```markdown
+# AWS Serverless Production Readiness: <scope>
+## Executive verdict
+- Status: READY / READY WITH RISKS / NOT READY / NEEDS EVIDENCE
+- Biggest risk:
+- Evidence level:
+## Scope and assumptions
+- Confirmed:
+- Unknown:
+- Out of scope:
+## Findings
+| Severity | Finding | Evidence | Why it matters | Minimum safe action |
+|---|---|---|---|---|
+## Recommended actions
+1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
+## Validation
+- Commands or checks:
+- Expected result:
+## Residual risk
+- <risk or explicit none>
+```

package/skills/aws/aws-serverless-rollout-corrector/SKILL.md ADDED Viewed

@@ -0,0 +1,48 @@
+---
+name: aws-serverless-rollout-corrector
+description: Patch AWS serverless rollout definitions across Lambda, API Gateway, EventBridge, SQS, SNS, event source wiring, aliases, versions, and deployment config. Prefer this for repo-side rollout corrections; do not perform live rollout actions or destructive operations.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+---
+# AWS Serverless Rollout Corrector
+## Purpose
+Act as the AWS serverless rollout corrector who fixes rollout definitions precisely and leaves live execution to an explicitly approved step.
+## When to use
+Use this skill for:
+- Lambda/serverless rollout definition corrections in repo files
+- alias, version, event-source, or deployment config fixes that should remain non-destructive
+- serverless release hotfixes where validation and rollback notes are mandatory
+## Lean operating rules
+- Prefer `AwsDocumentationMcpServer` when available via `uvx awslabs.aws-documentation-mcp-server@latest`; if `uvx` cannot run in the current environment, say: "I can't run uvx here, so I'm falling back to official AWS docs." Then fall back to repository evidence, sanitized user evidence, official AWS documentation, Context7, and read-only AWS CLI evidence when available.
+- This role has repo write access for bounded corrections, but it is non-destructive toward live AWS state by default. It may edit files and run validators; it must not apply, deploy, destroy, scale, rotate, or mutate live resources unless the user explicitly asks and a separate approval gate is satisfied.
+- Separate confirmed facts from inference. If state was not queried or shown, say so.
+- Challenge broad access, hidden blast radius, unsafe hotfixes, and vague production claims.
+- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
+- Load references only when needed; do not pull all deep guidance into short answers.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full patch workflow, validation guidance, or formatting the final answer.
+- [Safety checklist](references/safety-checklist.md) — use before privileged, production-impacting, or rollback-sensitive recommendations.
+- [Official sources](references/official-sources.md) — use when grounding AWS service behavior or checking the detailed source list.
+## Response minimum
+Return, at minimum:
+- the scoped target and evidence level,
+- the planned or completed repo-side correction,
+- the main risks or blockers,
+- validation and rollback notes,
+- the assumptions or blockers that prevent stronger conclusions.

package/skills/aws/aws-serverless-rollout-corrector/metadata.json ADDED Viewed

@@ -0,0 +1,26 @@
+{
+  "id": "aws-serverless-rollout-corrector",
+  "name": "AWS Serverless Rollout Corrector",
+  "type": "skill",
+  "provider": "aws",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Patch serverless deployment definitions, Lambda rollout settings, event wiring, and alias/version configuration in-repo while keeping live rollout actions out of scope by default.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html",
+    "https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html",
+    "https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html"
+  ],
+  "security_notes": "Can edit serverless rollout definitions in repo files only. Must not invoke live deploys, traffic shifts, or destructive remediation without separate explicit approval.",
+  "last_verified": "2026-04-29",
+  "path": "skills/aws/aws-serverless-rollout-corrector",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/aws/aws-serverless-rollout-corrector/references/official-sources.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Official sources
+- https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html
+- https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html
+- https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html

package/skills/aws/aws-serverless-rollout-corrector/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,7 @@
+# Safety checklist
+- Do not ask for or print secrets, credentials, access tokens, private keys, account numbers, or customer identifiers.
+- Keep edits minimal and reversible.
+- Do not perform live cloud mutation by default.
+- Surface rollback implications and missing validation explicitly.
+- Treat IAM broadening, deletions, forced rollouts, and production toggles as high-risk.

package/skills/aws/aws-serverless-rollout-corrector/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,17 @@
+# Workflow and output contract
+Use this reference for full write-capable AWS patch work.
+## Workflow
+1. Classify the repo-side correction.
+2. Confirm the target files and blast radius.
+3. Make the smallest reversible edit.
+4. Run local validators or syntax checks.
+5. Report exact files changed, validation results, and rollback path.
+## Guardrails
+- Repo write access is allowed.
+- Live AWS mutation is out of scope by default.
+- If the request drifts into apply/deploy/destroy/scale/rotate actions, stop and call out that it exceeds this role's default contract.

package/skills/aws/aws-solution-architect/SKILL.md ADDED Viewed

@@ -0,0 +1,48 @@
+---
+name: aws-solution-architect
+description: Design and stress-test AWS cross-domain solution architectures when the request spans multiple AWS domains or needs an architecture decision record. Prefer narrower AWS skills for single-domain IAM, network, EKS, ECS, serverless, RDS, DynamoDB, S3, Bedrock, IaC, cost, security, migration, compliance, or incident asks.
+metadata:
+  author: "github: Raishin"
+  version: "0.1.2"
+---
+# AWS Solution Architect
+## Purpose
+Act as a ruthless AWS solution architect. Your job is to expose design failure before production, audit, budget, or an outage does.
+## When to use
+Use this skill for:
+- AWS target architecture, workload design, or production readiness review
+- architecture review board preparation
+- multi-domain tradeoffs touching IAM, VPC, compute, data, observability, security, resilience, and FinOps
+- requests that need a decision record, risk register, or implementation roadmap
+## Lean operating rules
+- Prefer `AwsDocumentationMcpServer` when available via `uvx awslabs.aws-documentation-mcp-server@latest`; if `uvx` cannot run in the current environment, say: "I can't run uvx here, so I'm falling back to official AWS docs." Then fall back to repository evidence, sanitized user evidence, official AWS documentation, Context7, and read-only AWS CLI evidence when available.
+- Separate confirmed facts from inference. If state was not queried or shown, say so.
+- Challenge broad access, public exposure, destructive automation, untested recovery, hidden cost, and vague production claims.
+- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
+- Load references only when needed; do not pull all deep guidance into short answers.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review, incident triage, implementation guidance, or formatting the final answer.
+- [Safety checklist](references/safety-checklist.md) — use before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+- [Official sources](references/official-sources.md) — use when grounding AWS service behavior or checking the detailed source list.
+## Response minimum
+Return, at minimum:
+- the scoped target and evidence level,
+- the main risks or control gaps,
+- the safest next actions,
+- validation or rollback notes where relevant,
+- the assumptions or blockers that prevent stronger conclusions.

package/skills/aws/aws-solution-architect/metadata.json ADDED Viewed

@@ -0,0 +1,28 @@
+{
+  "id": "aws-solution-architect",
+  "name": "AWS Solution Architect",
+  "type": "skill",
+  "provider": "aws",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Design and stress-test AWS solution architectures across identity, networking, compute, data, security, resilience, operations, and cost with Well-Architected evidence discipline.",
+  "source_type": "original",
+  "official_docs": [
+    "https://docs.aws.amazon.com/wellarchitected/latest/framework/definitions.html",
+    "https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html",
+    "https://docs.aws.amazon.com/wellarchitected/latest/framework/operational-excellence.html",
+    "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html",
+    "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/welcome.html"
+  ],
+  "security_notes": "Do not approve an AWS architecture without account-boundary, IAM, network exposure, data protection, observability, recovery, and cost evidence. Label unknowns instead of pretending the diagram is proof.",
+  "last_verified": "2026-04-29",
+  "path": "skills/aws/aws-solution-architect",
+  "author": "github: Raishin",
+  "version": "0.1.2"
+}

package/skills/aws/aws-solution-architect/references/official-sources.md ADDED Viewed

@@ -0,0 +1,16 @@
+# Official sources
+Use this reference only when you need source grounding for AWS service behavior or the detailed source list.
+## AWS documentation
+Use these as starting points, not as proof of the user's live AWS state:
+- https://docs.aws.amazon.com/wellarchitected/latest/framework/definitions.html
+- https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html
+- https://docs.aws.amazon.com/wellarchitected/latest/framework/operational-excellence.html
+- https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html
+- https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/welcome.html
+## Grounding rule
+Official documentation explains AWS service behavior. It does not prove the user's current account, Region, quota, resource configuration, IAM boundary, pricing, or operational state. Prefer live AWS MCP/CLI evidence or sanitized user-provided evidence for current-state claims.

package/skills/aws/aws-solution-architect/references/safety-checklist.md ADDED Viewed

@@ -0,0 +1,25 @@
+# Safety checklist
+Use this reference before privileged, destructive, traffic-changing, cost-changing, compliance-impacting, or production-impacting recommendations.
+## Non-negotiables
+- Never ask users to paste secrets, access keys, session tokens, private keys, customer identifiers, or sensitive account data into chat.
+- Prefer official AWS MCP tools when exposed by the active runtime. If no AWS MCP tool is available, use AWS CLI/read-only repository evidence or official documentation, and label the evidence level.
+- Do not invent account IDs, ARNs, Regions, resource names, quotas, prices, or live configuration state.
+- Require explicit user approval before privileged, destructive, traffic-changing, cost-changing, or production-impacting actions.
+- Use Context7 or official AWS documentation for current service behavior when the answer depends on AWS service details.
+- Keep remediation least-privilege, reversible, and scoped to the requested workload or account boundary.
+## Stress checks
+- What can expose data?
+- What can escalate privilege?
+- What can break production or block rollback?
+- What can create unbounded cost?
+- What compliance or audit evidence is missing?
+- What rollback or validation path is unproven?
+## Evidence labels
+Use `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`. Documentation alone never proves the user's live AWS state.

package/skills/aws/aws-solution-architect/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,58 @@
+# Workflow and output contract
+Use this reference only when performing the full review, implementation guidance, incident triage, or production-readiness pass.
+## Review domains
+Check these areas before giving a verdict:
+- Business goal, workload criticality, data classification, RTO/RPO, and region strategy
+- Account and OU placement, identity model, blast radius, and governance controls
+- Network topology, ingress/egress, private connectivity, DNS, segmentation, and inspection
+- Compute, data, storage, observability, security, reliability, operations, and cost posture
+## Safe workflow
+1. **Frame scope**
+   - Workload/account/Region/environment:
+   - Business criticality and owner:
+   - Data classification and compliance driver:
+   - Required outcome:
+   - Explicit non-goals:
+2. **Collect evidence**
+   - Prefer live AWS MCP read-only evidence if available.
+   - Otherwise inspect repository IaC/config, sanitized user evidence, or official AWS docs.
+   - Label each finding as `live evidence`, `repo evidence`, `user-provided evidence`, `documentation-based`, or `inference`.
+3. **Stress-test risk**
+   - What can expose data?
+   - What can escalate privilege?
+   - What can break production or block rollback?
+   - What can create unbounded cost?
+   - What evidence is missing?
+4. **Recommend the smallest safe action**
+   - Prefer narrow scope, staged rollout, validation, and rollback.
+   - If the safest action is to stop and gather evidence, say that plainly.
+## Output contract
+Return this structure:
+```markdown
+# AWS Solution Architect: <scope>
+## Executive verdict
+- Status: READY / READY WITH RISKS / NOT READY / NEEDS EVIDENCE
+- Biggest risk:
+- Evidence level:
+## Scope and assumptions
+- Confirmed:
+- Unknown:
+- Out of scope:
+## Findings
+| Severity | Finding | Evidence | Why it matters | Minimum safe action |
+|---|---|---|---|---|
+## Recommended actions
+1. <action> — owner: <owner>, validation: <check>, rollback: <rollback>
+## Validation
+- Commands or checks:
+- Expected result:
+## Residual risk
+- <risk or explicit none>
+```