Capstone B: the incident responder

The same platform, dials turned all the way toward trust. An alarm fires at 3 a.m.; an agent investigates before a human is awake, pulls logs and metrics, reconstructs a timeline, forms a hypothesis, proposes remediation, and drafts the postmortem, and it must be constitutionally unable to change anything without a human saying yes. Where Capstone A was about spending a big fleet's budget well, Capstone B is about a small fleet with dangerous reach, defended by architecture rather than good intentions.

The job and its shape

This realizes the incident-responder use case: investigation is iterative and hypothesis-driven, so the tool sequence cannot be scripted, which is what makes it genuinely agent-shaped rather than a runbook. The payoff is minutes of on-call time at the worst possible hour. The topology is small, one to three agents, often a single investigator with a verifier that checks its timeline, triggered by an EventBridge rule on the alarm.

Dominant gates: 1 (Identity), 10 (Human control), 11 (Blast radius). A wrong action here costs more than the agent ever saves, so the entire design is about ensuring the agent can investigate freely and act not at all.

The platform, configured for trust

Every trust chapter converges on this one capstone:

  • Read-only by construction (Chapter 36). The investigator runs under a session policy scoped to read metrics, logs, traces, and deploy history, and to write nothing. Not "the prompt says don't change things", the IAM session simply lacks every mutating action, so even a fully compromised agent on this task cannot restart a service or delete a log, because the authority was never granted. Gate 1, enforced by the platform.
  • The blast radius is enumerated (Chapter 37). This agent reads production telemetry, some of which (a log line, a ticket body) is untrusted content an attacker might control. The lethal trifecta is defused by construction: the agent has private data (leg A) and untrusted content (leg B), so leg C, egress and mutating tools, must be absent, which the read-only scope already guarantees. The worst a fully-injected agent can do is write a wrong report, which a human reads before acting on. Gate 11, answerable in one sentence.
  • Remediation is a proposal behind a gate (Chapter 38). When the agent has a fix, it does not apply it; it emits an approval request with the proposed action and its evidence, and the run parks at a Step Functions waitForTaskToken gate until a human decides. The gate is the platform's, not the prompt's, so no injection can bypass it. Gate 10.

The build (T2)

The cloud shape is the lightest fleet in the book, which is the point, trust, not throughput, is the hard part here. An EventBridge rule on the alarm invokes a Lambda- or Runtime-hosted investigator agent (short, event-driven, so Lambda fits) with strictly read-only tools; a Step Functions execution holds the approval gate; the report lands in the incident channel with its evidence linked by event id. The model portfolio uses a frontier model, this is judgment work where being wrong is expensive and the volume is tiny, so the use-a-strong-model rule dominates the cheap-tokens one.

Costed and torn down. Cheap by design: a handful of investigations a day, each a few frontier-model runs, is dollars, not the hundreds a fleet costs. Tagged lab:capstone-b; teardown removes the EventBridge rule, the Lambda, and the Step Functions state machine, with the final tag sweep. The cost story here is not "how do we make this affordable" but "how do we make it safe", which is the whole reason B follows A: the same platform, and the engineering has moved from economics to trust.

What Capstone B proves

That the trust plane holds when the stakes are real. An agent with production read access and an approval-gated write path is a design you can put in front of a security review, because the answer to "what happens if it is fully compromised" is bounded and written down: it reads things it already could read, and it proposes actions a human must approve. The production bar's gates 1, 10, and 11 are not aspirations here; they are IAM policies, a Step Functions state, and an enumerated blast radius, each a mechanism the book built. Parts 8 and 9 did the heavy lifting, which is exactly the point, the same platform, a different weighting.

👉 Next: Capstone C, where the dials turn toward throughput: a continuous stream of documents, extraction at volume, and the failure machinery that decides whether it flows or floods.