Build a quick-deploy agent skill for an eval-grade single-account stack #449

Description

@philmerrell

Summary

Build an agent skill that stands up an eval-grade AgentCore Public Stack in a single AWS account with the fewest possible dependencies — domainless, no ACM certs, no Route 53, no GitHub fork — and, as a staged north star, eventually only the AWS CLI.

This tracks implementation of the proposal:

Why

The documented deploy (.github/docs/deploy/) is GitHub-Actions-driven and correct for production, but it requires a fork + repo admin + secrets before anything runs. We want a fast "see it running in my account today" path that is explicitly distinct from — and points back to — the production pipeline for multi-environment use.

Approach (from the proposal)

  • Strategic split: production stays on GitHub Actions; the quick path drives the same maintained scripts/*.sh locally (not a parallel deploy impl). Avoid the stale top-level scripts/deploy.sh.
  • Domainless: SPA uses a relative /api that CloudFront already routes to the ALB (platform-stack.ts:539), so the prebuilt SPA needs no per-deploy rebuild. The one wrinkle is the Cognito callback chicken-and-egg → two-pass finalize (deploy → read distributionDomainName → aws cognito-idp update-user-pool-client).
  • Docker multi-arch / Apple-Silicon: recommend local buildx + QEMU for v1; move to prebuilt published multi-arch images copied via crane as the end-state (removes emulation + unlocks AWS-CLI-only). See proposal §6.

Phased plan / acceptance

  • P0 — Spike: run the deploy sequence by hand on a fresh account, domainless; confirm chat works end-to-end; capture the exact Cognito-callback patch.
  • P1 — Enabling fixes: pin explicit per-service build platforms in scripts/build/build-one.sh (correct local builds on Apple Silicon). (See related rag-ingestion arch issue.)
  • P2 — Skill v1 (T0/D1): .claude/skills/quickstart-deploy/SKILL.md orchestrating the 5 stages, two-pass finalize, preflight gates, and the required preface (prereqs required; eval-grade single-account; multi-env → .github/docs/deploy/). ← suggested first useful release
  • P3 — Publish pipeline (T1/D2): multi-arch image publish + prebuilt SPA; skill prebuilt strategy via crane.
  • P4 — AWS-CLI-only (T2): pre-synthed CFN template + asset publish + CLI/Lambda seed path.

Notes / risks

  • Account must have Bedrock model access for the seeded default models or inference fails.
  • cdk bootstrap required once per account/region (a CDK dep for T0/T1).
  • ALB is HTTP behind CloudFront when domainless; MCP-Apps sandbox iframe is disabled domainless. Acceptable for eval; documented.
  • Related follow-up: latent rag-ingestion image arch mismatch (ARM_64 Lambda built amd64 in CI) — should be its own issue.

See the proposal doc and #448 for full detail.
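
The two-pass finalize described under Approach, as an added example that is not part of the original issue or the project's scripts: it builds the input for `aws cognito-idp update-user-pool-client` from the client's current settings, because that call resets any attribute it is not given to its default. The `/auth/callback` and `/` paths, the function name and every sample value are assumptions.

```python
import json
import re

# describe-user-pool-client returns these; update-user-pool-client rejects them.
READ_ONLY = {"ClientSecret", "CreationDate", "LastModifiedDate"}
# Default CloudFront hostnames look like d111111abcdef8.cloudfront.net.
CF_DOMAIN = re.compile(r"[a-z0-9]+\.cloudfront\.net")

# Constructed sample of the "UserPoolClient" object as it looks after pass one.
SAMPLE_DESCRIBED = {
    "UserPoolId": "us-east-1_EXAMPLE",
    "ClientId": "exampleclientid",
    "ClientName": "spa",
    "CreationDate": "2025-01-01T00:00:00+00:00",
    "LastModifiedDate": "2025-01-01T00:00:00+00:00",
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthFlowsUserPoolClient": True,
    "AllowedOAuthScopes": ["openid", "email"],
    "SupportedIdentityProviders": ["COGNITO"],
    "CallbackURLs": ["https://placeholder.invalid/auth/callback"],
    "DefaultRedirectURI": "https://placeholder.invalid/auth/callback",
}


def build_client_update(described, cf_domain,
                        callback_path="/auth/callback", logout_path="/"):
    """Return update-user-pool-client input that changes only the URLs."""
    if not CF_DOMAIN.fullmatch(cf_domain):
        raise ValueError(f"not a default CloudFront domain: {cf_domain!r}")
    for path in (callback_path, logout_path):
        if not path.startswith("/") or "*" in path:
            raise ValueError(f"path must be absolute and literal: {path!r}")
    # Carry every existing setting over; omitted attributes fall back to defaults.
    update = {k: v for k, v in described.items() if k not in READ_ONLY}
    callback = f"https://{cf_domain}{callback_path}"
    update["CallbackURLs"] = [callback]  # exact URL, no placeholder left behind
    update["LogoutURLs"] = [f"https://{cf_domain}{logout_path}"]
    if "DefaultRedirectURI" in described:
        # Cognito requires the default redirect to be one of the callback URLs.
        update["DefaultRedirectURI"] = callback
    return update


if __name__ == "__main__":
    # Save the output and pass it with: --cli-input-json file://update.json
    print(json.dumps(build_client_update(SAMPLE_DESCRIBED,
                                         "d111111abcdef8.cloudfront.net"), indent=2))
```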
