---
name: alibaba-maestro
description: Alibaba Cloud Maestro routing skill. Classify the user's Alibaba Cloud task, select the narrowest specialist agent or the right team of specialists from the catalog, and dispatch them — single specialist for focused tasks, parallel team (max 4) for multi-domain tasks. Never auto-dispatch live-guard agents. China-region aware — flags when workloads are in mainland China regions and applicable regulatory frameworks (MLPS 2.0, DSL, PIPL) differ from international regions.
allowed-tools: Agent Skill Read Grep Glob
metadata:
  author: "github: Raishin"
  version: "0.1.0"
  updated: "2026-05-08"
  category: ai
---

# Alibaba Cloud Maestro Routing Skill

## Purpose and Philosophy

Alibaba Cloud Maestro operates as a precision router for all Alibaba Cloud tasks. It selects the best specialist agent(s) for the user's current task rather than answering generically. Single specialist for focused requests, parallel team for cross-domain tasks (max 4). The maestro itself never answers Alibaba Cloud questions directly — it classifies and dispatches.

Key principles:
- **Narrowest match wins.** Prefer a single specialist over a broad team for single-domain tasks.
- **Parallel dispatch for multi-domain tasks.** When the task clearly spans 2 or more domains, dispatch concurrently (max 4).
- **Live-guard agents are never auto-dispatched.** They require explicit human confirmation before routing.
- **China region awareness.** When a workload is in a CN-* region, flag the applicable regulatory framework (MLPS 2.0, Cybersecurity Law, DSL, PIPL). International regions (AP/EU/US) have different compliance obligations.
- **Product disambiguation.** Alibaba Cloud has multiple overlapping products in the same domain (three load balancer types under the SLB name, three Kubernetes flavors, three serverless platforms). Route to the specialist who knows the differences.

## When NOT to Use This Skill

Skip the maestro and go directly to the specialist when:
- You already know exactly which Alibaba Cloud catalog agent ID to invoke: invoke it directly.
- You are running the maestro from inside a specialist agent — do not re-route.

If the task is not Alibaba Cloud-related, direct the user to the appropriate provider's maestro. Do not attempt to route non-Alibaba tasks through this catalog.

## Domain Taxonomy

| Domain | Covers |
|--------|--------|
| `architecture` | Solution design, landing zones, product selection (PolarDB vs RDS, ACK vs ASK vs SAE), multi-account setup, migration planning |
| `networking` | VPC, CEN (Cloud Enterprise Network), Express Connect, SLB/ALB/NLB/CLB, Smart Access Gateway, DNS |
| `compute` | ECS instances, Auto Scaling, ECI (serverless containers), Cloud Assistant O&M |
| `containers` | ACK (managed/dedicated/serverless Kubernetes), ACR (registry), ASM (service mesh) |
| `serverless` | Function Compute 3.0, SAE (Serverless App Engine), EDAS |
| `database` | PolarDB, RDS (MySQL/PG/SQL Server), DAS (autonomous), proxy, Global Database Network |
| `data-analytics` | MaxCompute, DataWorks, AnalyticDB, Hologres, Quick BI, PAI (AI/ML) |
| `microservices` | MSE (Nacos/Sentinel/Seata), ARMS APM, EDAS, distributed tracing |
| `security-iam` | RAM (users/groups/roles/policies), STS, Resource Directory, Control Policy |
| `security-posture` | Security Center, WAF, Anti-DDoS Pro, Cloud Firewall, Network Traffic Analysis |
| `kms-secrets` | KMS key lifecycle, Certificate Manager, SSM (Secrets Manager), HSM |
| `finops` | Cost Manager, Savings Plans, Reserved Instances, resource tagging |
| `observability` | CloudMonitor, SLS (log analytics), ARMS APM, Distributed Tracing |
| `delivery` | RDC (DevOps), Cloud Build, Flow pipelines, ACR image lifecycle |
| `storage` | OSS (object storage), NAS, CPFS, DBFS, lifecycle policies |
| `compliance` | MLPS 2.0, Data Security Law, Cybersecurity Law, PIPL, ICP filing, ActionTrail |
| `live-guard` | Destructive or irreversible live-system mutations requiring human gate |

## Routing Table

| Agent | Domain(s) | Use when... |
|-------|-----------|-------------|
| `alibaba-solution-architect-agent` | architecture | Designing a new Alibaba Cloud architecture, selecting between PolarDB/RDS/MaxCompute, landing zone design |
| `alibaba-network-architect-agent` | networking | Designing VPC topology, CEN connectivity, Express Connect, selecting between SLB/ALB/NLB/CLB, Smart Access Gateway |
| `alibaba-landing-zone-architect-agent` | architecture | Setting up Resource Management org tree, Cloud SSO, Control Policy baseline, multi-account governance |
| `alibaba-ecs-compute-operator-agent` | compute | Managing ECS instances, Auto Scaling groups, ECI, Cloud Assistant commands, O&M automation |
| `alibaba-ack-container-platform-operator-agent` | containers | Operating ACK clusters (managed/dedicated/serverless), ACR registries, ASM service mesh |
| `alibaba-function-serverless-operator-agent` | serverless | Deploying or operating Function Compute 3.0, SAE applications, EDAS microservice apps |
| `alibaba-polardb-rds-dba-agent` | database | Managing PolarDB (MySQL/PG/Oracle), RDS instances, DAS diagnostics, database proxy, Global Database Network |
| `alibaba-maxcompute-dataworks-analyst-agent` | data-analytics | Managing MaxCompute CU packages, DataWorks scheduling, Quick BI, PAI, query cost governance |
| `alibaba-analyticdb-realtime-agent` | data-analytics | Operating AnalyticDB for MySQL/PG, Hologres real-time analytics, DAS real-time diagnostics |
| `alibaba-mse-microservice-engine-agent` | microservices | Configuring or troubleshooting MSE (Nacos/Sentinel/Seata), ARMS APM, EDAS service governance |
| `alibaba-ram-iam-review-agent` | security-iam | Auditing RAM users/groups/roles/policies, STS token lifecycle, Resource Directory permissions, Control Policy review |
| `alibaba-security-center-hardening-agent` | security-posture | Hardening security posture via Security Center, WAF, Anti-DDoS Pro, Cloud Firewall, NTA |
| `alibaba-kms-secret-lifecycle-steward-agent` | kms-secrets | Managing KMS key lifecycle, Certificate Manager, SSM secrets, HSM key operations |
| `alibaba-cost-finops-analyst-agent` | finops | Analyzing Alibaba Cloud spend, Savings Plans, Reserved Instances, tagging strategy, budget drift |
| `alibaba-observability-incident-responder-agent` | observability | Responding to incidents via CloudMonitor, SLS log analysis, ARMS APM, distributed tracing |
| `alibaba-devops-cicd-operator-agent` | delivery | Building pipelines with RDC, Cloud Build, Flow, ACR image lifecycle, environment promotion |
| `alibaba-migration-architect-agent` | architecture | Planning migrations via SMC (Server Migration Center), DTS data sync, OSSImport, cutover sequencing |
| `alibaba-oss-storage-steward-agent` | storage | Managing OSS lifecycle policies, bucket policy, NAS/CPFS, cross-region replication, access control |
| `alibaba-china-compliance-agent` | compliance | Advising on MLPS 2.0, Data Security Law, Cybersecurity Law, PIPL, ICP filing, cross-border data transfer |
| `alibaba-actiontrail-audit-analyst-agent` | compliance | Querying ActionTrail events, building governance audit reports, SLS-based compliance evidence, anomaly detection |

## Live-Guard Agents (REQUIRE HUMAN GATE)

These six agents may mutate live Alibaba Cloud infrastructure with irreversible or high-blast-radius effects. **Never auto-dispatch.** Execute the gate protocol first.

| Agent | Risk | Irreversibility |
|-------|------|----------------|
| `alibaba-live-ack-rollout-guard-agent` | Production workload disruption, failed node pool operations | Kubernetes rollback possible but cluster version downgrades not supported |
| `alibaba-live-ram-policy-change-guard-agent` | Account-wide privilege escalation or complete access denial | Granting AdministratorAccess or deleting RAM users with active STS tokens causes immediate breakage |
| `alibaba-live-kms-key-mutation-guard-agent` | KMS-encrypted data permanently inaccessible | Disabling a key is immediate but reversible; deletion is scheduled with a pending window (30 days by default) and can be cancelled with CancelKeyDeletion until it elapses, after which every ciphertext under the key is unrecoverable |
| `alibaba-live-cost-budget-action-guard-agent` | Committed financial spend, service suspension | Savings Plan and RI purchases are committed spend contracts; budget threshold reductions can suspend services |
| `alibaba-live-oss-bucket-policy-guard-agent` | Public data exposure or access denial; China DSL cross-border violation | OSS ACL `public-read` or `public-read-write`: objects become readable by anyone and can be crawled and mirrored within minutes; restoring a private ACL stops further reads but cannot recall copies already taken |
| `alibaba-live-rds-polardb-mutation-guard-agent` | Permanent data loss | RDS/PolarDB instance deletion without backup retention removes all data immediately |

## Live-Guard Gate Protocol

Before routing to any live-guard agent, execute all six steps:

1. **Pause and surface** the agent name and why it is classified as live-guard.
2. **State the specific irreversibility risk**: RAM AdministratorAccess = account-wide access; KMS key deletion = permanent data loss; OSS ACL public = immediate data exposure.
3. **Require target confirmation**: account ID, region, resource name or ARN, and the exact mutation (the API action, not a paraphrase). The user must name the specific resource, not a class of resources or a wildcard.
4. **Assess blast radius**: how many services, users, or downstream systems are affected? For China mainland regions, flag DSL/MLPS compliance implications.
5. **Require rollback path**: what is the rollback procedure? If none, block.
6. **Require explicit written confirmation** from the user acknowledging the risk.

Only after all six steps are satisfied may maestro route to a live-guard agent.
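The six steps above as an evaluator, added here as an example and not part of the skill's shipped code: a request object carries what each step needs and the evaluator returns whether the gate is open and which steps remain unmet, blocking outright when no rollback path exists. The field names, the wildcard rule for step 3 and the treatment of `cn-hongkong` as non-mainland are assumptions; the risk strings are condensed from the live-guard table.

```python
"""Gate evaluator for the six-step live-guard protocol (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Steps 1-2: why each agent is gated (condensed from the live-guard table).
LIVE_GUARD_RISKS = {
    "alibaba-live-ack-rollout-guard-agent": "workload disruption; cluster version downgrades unsupported",
    "alibaba-live-ram-policy-change-guard-agent": "AdministratorAccess is account-wide; deleting users breaks live STS sessions",
    "alibaba-live-kms-key-mutation-guard-agent": "key deletion makes every ciphertext under the key unrecoverable",
    "alibaba-live-cost-budget-action-guard-agent": "Savings Plan / RI purchase is committed spend",
    "alibaba-live-oss-bucket-policy-guard-agent": "public ACL exposes objects immediately; crawled copies cannot be recalled",
    "alibaba-live-rds-polardb-mutation-guard-agent": "instance deletion without retained backups is permanent data loss",
}
# cn- prefix, but Hong Kong SAR sits outside the mainland MLPS/DSL regime (assumption for this example).
NON_MAINLAND_CN = {"cn-hongkong"}

def is_mainland_china(region: str) -> bool:
    r = region.lower()
    return r.startswith("cn-") and r not in NON_MAINLAND_CN

@dataclass
class GateRequest:
    agent: str
    account_id: Optional[str] = None                  # step 3
    region: Optional[str] = None                      # step 3
    resource: Optional[str] = None                    # step 3: exact name or ARN, never a class or wildcard
    mutation: Optional[str] = None                    # step 3: the exact API action intended
    blast_radius: list = field(default_factory=list)  # step 4: affected services, users, downstream systems
    rollback_path: Optional[str] = None               # step 5: None means no rollback, which blocks
    user_confirmed: bool = False                      # step 6: explicit written acknowledgement

@dataclass
class GateDecision:
    allowed: bool
    missing: list   # unmet steps, empty when the gate is open
    notes: list     # surfaced context (steps 1-2, China flag)

def evaluate_gate(req: GateRequest) -> GateDecision:
    missing, notes = [], []
    risk = LIVE_GUARD_RISKS.get(req.agent)
    if risk is None:
        return GateDecision(False, [f"{req.agent} is not a live-guard agent; route normally"], [])
    notes.append(f"step 1-2: {req.agent} is live-guard: {risk}")
    for name in ("account_id", "region", "resource", "mutation"):
        if not getattr(req, name):
            missing.append(f"step 3: {name} not confirmed")
    if req.resource and any(ch in req.resource for ch in "*?"):
        missing.append("step 3: resource must name one exact object, not a pattern")
    if not req.blast_radius:
        missing.append("step 4: blast radius not enumerated")
    if req.region and is_mainland_china(req.region):
        notes.append("step 4: mainland China region; assess DSL / MLPS 2.0 implications")
    if not req.rollback_path:
        missing.append("step 5: no rollback path; blocked")
    if not req.user_confirmed:
        missing.append("step 6: explicit written confirmation absent")
    return GateDecision(allowed=not missing, missing=missing, notes=notes)

if __name__ == "__main__":
    # Constructed sample: a KMS key deletion with everything confirmed except a rollback path.
    req = GateRequest(agent="alibaba-live-kms-key-mutation-guard-agent", account_id="1234567890123456",
                      region="cn-hangzhou", resource="key-hzz0000example", mutation="ScheduleKeyDeletion",
                      blast_radius=["OSS bucket backups-prod (SSE-KMS)"], user_confirmed=True)
    print(evaluate_gate(req))
```

The decision object is what the maestro surfaces to the human: `missing` lists the steps still open, and a request whose only gap is step 5 stays blocked rather than "proceed with caution", because the protocol says no rollback path means block.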

## Alibaba Cloud Product Disambiguation Notes

Agents and users frequently confuse these product pairs — maestro must route to the specialist who can clarify:

| Confusion | Resolution |
|-----------|-----------|
| PolarDB vs RDS | PolarDB: cloud-native, compute and storage separated over shared storage, read nodes added without copying data; vendor benchmarks claim multiples of RDS throughput (validate on your own workload). RDS: conventional single-engine instance; cheaper for small workloads. Architect agent decides. |
| ACK vs ASK vs SAE | ACK: full Kubernetes, you manage node pools. ASK (ACK Serverless): Kubernetes API with no nodes, pods run on ECI. SAE: app-centric PaaS, no Kubernetes knowledge needed. ACK and ASK go to the container-platform operator; FC, SAE and EDAS go to the function-serverless operator. |
| SLB vs ALB vs NLB vs CLB | SLB is the family name for all three. CLB (Classic Load Balancer, the renamed original SLB): legacy L4+L7. ALB: L7 with content-based routing and richer features. NLB: high-throughput L4. Network architect selects. |
| ActionTrail vs SLS audit | ActionTrail: captures management API calls (who changed what). SLS: log analytics for application and service logs. Both needed for MLPS compliance evidence. |
| MaxCompute vs AnalyticDB | MaxCompute: batch big data (petabyte-scale, CU pricing). AnalyticDB: sub-second real-time analytics. Different billing models. |

## China Region Behavioral Notes

When a task involves mainland China regions (cn-hangzhou, cn-beijing, cn-shanghai, cn-shenzhen, etc.; note that cn-hongkong carries the cn- prefix but is Hong Kong SAR and is outside the mainland MLPS 2.0 and ICP regime):

- **MLPS 2.0 flag**: If the workload handles citizen data or operates as a network operator in China, MLPS 2.0 grading assessment is required. Route to `alibaba-china-compliance-agent`.
- **Cross-border data transfer**: Moving data from mainland regions to international regions requires a cross-border assessment under Data Security Law Article 31 for important data and PIPL Article 38 for personal information. Flag and block data migration tasks that do not address this.
- **ICP filing**: Any internet-facing service hosted in CN-* regions requires ICP Beian filing. Recommend compliance agent review before launch.
- **RAM AdministratorAccess in mainland regions**: Flag any policy attachment that grants AdministratorAccess for RAM review. MLPS 2.0 graded systems must evidence least-privilege administration, so an unscoped admin grant is an audit finding as well as a security one.

## Dispatch Modes

**Single specialist:**
```
Route: alibaba-polardb-rds-dba-agent
Reason: User reports slow PolarDB query — database domain, DBA specialist handles diagnostics.
Mode: single
```

**Parallel team:**
```
Route: alibaba-ram-iam-review-agent + alibaba-security-center-hardening-agent
Reason: RAM policy audit (security-iam) + Security Center findings review (security-posture) — two distinct but related domains.
Mode: parallel (2)
```

**Live-guard gate:**
```
[LIVE-GUARD GATE REQUIRED]
Agent: alibaba-live-kms-key-mutation-guard-agent
Risk: KMS key deletion. All data encrypted with this key (OSS objects, disk volumes, database backups) becomes permanently inaccessible.
Target confirmation required: account ID, key ID, KMS region.
Blast radius: [enumerate all encrypted resources].
China DSL note: if encrypted data includes personal information of PRC citizens, deletion may trigger DSL data destruction notification obligations.
Rollback path: none post-deletion — confirm key export or re-encryption before proceeding.
Awaiting explicit human confirmation.
```
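The routing rules (narrowest match wins, parallel cap of 4, live-guard agents never auto-dispatched, mainland-China flagging) as a runnable router, added here as an example and not the skill's own code. Agent names are taken from the routing table; the keyword patterns, the mutation-verb list, the domain subset covered and the treatment of `cn-hongkong` as non-mainland are assumptions for illustration, standing in for whatever classifier a real maestro uses. The output is rendered in the Route / Reason / Mode shape shown above.

```python
"""Catalog router applying the maestro rules (added example)."""
import re
from dataclasses import dataclass, field

# domain -> (specialist agent, trigger patterns matched against the lowercased task)
CATALOG = {
    "database":         ("alibaba-polardb-rds-dba-agent",
                         [r"\bpolardb\b", r"\brds\b", r"slow\b.*\bquer", r"\bdas\b"]),
    "security-iam":     ("alibaba-ram-iam-review-agent",
                         [r"\bram\b", r"\bsts\b", r"resource directory", r"control policy"]),
    "security-posture": ("alibaba-security-center-hardening-agent",
                         [r"security center", r"\bwaf\b", r"anti-ddos", r"cloud firewall"]),
    "networking":       ("alibaba-network-architect-agent",
                         [r"\bvpc\b", r"\bcen\b", r"express connect", r"\b[acns]lb\b"]),
    "containers":       ("alibaba-ack-container-platform-operator-agent",
                         [r"\back\b", r"\bask\b", r"kubernetes", r"\bacr\b", r"\basm\b"]),
    "kms-secrets":      ("alibaba-kms-secret-lifecycle-steward-agent",
                         [r"\bkms\b", r"certificate manager", r"secrets manager", r"\bhsm\b"]),
    "storage":          ("alibaba-oss-storage-steward-agent",
                         [r"\boss\b", r"\bbucket\b", r"\bnas\b", r"\bcpfs\b"]),
    "finops":           ("alibaba-cost-finops-analyst-agent",
                         [r"\bcost\b", r"savings plan", r"reserved instance", r"\bbudget\b"]),
    "compliance":       ("alibaba-china-compliance-agent",
                         [r"\bmlps\b", r"\bpipl\b", r"\bicp\b", r"cross-border"]),
    "architecture":     ("alibaba-migration-architect-agent",  # migration slice of the domain only
                         [r"\bmigrat", r"\bsmc\b", r"\bdts\b", r"ossimport"]),
}
# Gated domains and the live-guard agent that owns their mutations (never auto-dispatched).
LIVE_GUARD = {
    "containers": "alibaba-live-ack-rollout-guard-agent",
    "security-iam": "alibaba-live-ram-policy-change-guard-agent",
    "kms-secrets": "alibaba-live-kms-key-mutation-guard-agent",
    "finops": "alibaba-live-cost-budget-action-guard-agent",
    "storage": "alibaba-live-oss-bucket-policy-guard-agent",
    "database": "alibaba-live-rds-polardb-mutation-guard-agent",
}
# Verbs that make a request a live mutation (assumed list); region ids by geographic prefix.
MUTATION = re.compile(r"\b(delete|destroy|disable|purchase|buy|grant|make public|"
                      r"public-read(?:-write)?|upgrade|downgrade|roll ?out)\b")
REGION = re.compile(r"\b(?:cn|ap|eu|us|me)-[a-z]+(?:-\d+)?\b")
NON_MAINLAND_CN = {"cn-hongkong"}  # cn- prefix, but Hong Kong SAR sits outside mainland rules (assumption)

def is_mainland_china(region: str) -> bool:
    return region.startswith("cn-") and region not in NON_MAINLAND_CN

@dataclass
class RouteDecision:
    agents: list
    mode: str            # "single", "parallel (n)", "live-guard-gate" or "none"
    reason: str
    flags: list = field(default_factory=list)

def classify_domains(task: str) -> list:
    """Matched domains ranked by evidence count; ties broken by name so routing is deterministic."""
    t = task.lower()
    hits = [(sum(1 for p in pats if re.search(p, t)), d) for d, (_, pats) in CATALOG.items()]
    return [d for n, d in sorted(hits, key=lambda h: (-h[0], h[1])) if n]

def region_flags(task: str) -> list:
    regions = REGION.findall(task.lower())
    mainland = sorted({r for r in regions if is_mainland_china(r)})
    flags = []
    if mainland:
        flags.append(f"mainland China region(s) {', '.join(mainland)}: MLPS 2.0, CSL, DSL and PIPL apply")
        if any(not is_mainland_china(r) for r in regions):   # task names both CN and non-CN regions
            flags.append("cross-border transfer: DSL Art. 31 / PIPL Art. 38 assessment before any data moves")
    return flags

def route(task: str) -> RouteDecision:
    domains, flags = classify_domains(task), region_flags(task)
    if not domains:
        return RouteDecision([], "none", "no catalog domain matched; refer to the right provider's maestro", flags)
    gated = [d for d in domains if d in LIVE_GUARD]
    if gated and MUTATION.search(task.lower()):   # stop: the six-step gate runs before any dispatch
        return RouteDecision([LIVE_GUARD[gated[0]]], "live-guard-gate",
                             f"live mutation in gated domain {gated[0]}; human gate required", flags)
    if len(domains) == 1:
        return RouteDecision([CATALOG[domains[0]][0]], "single", f"{domains[0]} task, narrowest specialist", flags)
    if len(domains) > 4:
        flags.append(f"parallel cap: {', '.join(domains[4:])} deferred to a second wave")
    team = [CATALOG[d][0] for d in domains[:4]]
    return RouteDecision(team, f"parallel ({len(team)})", f"spans {', '.join(domains[:4])}", flags)

def format_decision(d: RouteDecision) -> str:
    """Render in the Route / Reason / Mode shape used by the dispatch examples above."""
    lines = [f"Route: {' + '.join(d.agents) or '(none)'}", f"Reason: {d.reason}", f"Mode: {d.mode}"]
    return "\n".join(lines + [f"Flag: {f}" for f in d.flags])

if __name__ == "__main__":
    for task in ("Users report a slow PolarDB query in cn-hangzhou",   # constructed sample tasks
                 "Audit our RAM policies and review open Security Center findings",
                 "Delete KMS key key-hzz0000example in us-west-1",
                 "Migrate OSS bucket data from cn-beijing to ap-southeast-1"):
        print(format_decision(route(task)), end="\n\n")
```

Two design points worth keeping in any real implementation: the live-guard check runs before the single/parallel split, so a destructive verb in a gated domain returns the gate marker without dispatching anyone, and the region scan looks for both mainland and non-mainland ids in the same request, which is the signal that a cross-border assessment is needed before a migration is routed.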

## Response Shape

1. Routing decision (Route / Reason / Mode)
2. Dispatched specialist output (summarized, not repeated verbatim)
3. Recommended next actions
