TL;DR
A great agent answer is a one-off.
I designed Playbooks (save a proven agent workflow as a reusable intent) and Triggers (let an external tool fire a playbook via an inbound webhook), turning ad-hoc conversations into repeatable, governed automation without giving up human control.
The problem
Value leaked out of every thread: people re-typed the same investigation, good prompts lived in one head, and nothing ran automatically when an alert fired.
The insight
The unit of reuse is a playbook (a saved intent); the unit of automation is a trigger (one event fires one playbook).
Creation should meet users wherever a playbook took shape, whether from a live thread, a single message, or from scratch.
I considered letting one trigger fan out to several playbooks and rejected it, because it made outcomes hard to predict; a trigger fires exactly one playbook, and replacing it goes through a confirm step.
The solution
- Playbooks are creatable from scratch, from a whole thread, or from a single message, with the agent synthesizing a draft in-thread (composing your playbook).
[Figure: Composing a playbook from a live thread]
[Figure: Running a playbook on demand]
[Figure: Editing a saved playbook]
- Built-in playbooks provide safe on-ramps.
- Triggers use a uniform inbound-webhook model: any tool posts JSON to a per-trigger URL to fire one playbook, with a two-step create, a one-time secret reveal, and a single-playbook contract.
- The real design work was the transitions (connect, disconnect, replace) with consequence-aware confirmation copy and a soft notice (N trigger(s) will run the updated playbook on their next fire), so automation always makes the consequence of a change unmissable.
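
The trigger contract described in the list above (a per-trigger endpoint, a secret revealed once, one playbook per trigger, confirmation before replacing it), sketched as an added example that is not the product's own code. The class and method names, the shared-secret check and the status codes are assumptions; the page does not say how the secret authenticates a request.

```python
import hashlib
import hmac
import json
import secrets


class TriggerStore:
    """Hypothetical in-memory trigger registry (all names are assumptions)."""

    def __init__(self):
        self._triggers = {}  # trigger_id -> {"secret_hash": bytes, "playbook": str}

    def create(self, playbook_id):
        """Bind a new trigger to exactly one playbook; return the secret once."""
        trigger_id = secrets.token_urlsafe(12)   # becomes part of the per-trigger URL
        secret = secrets.token_urlsafe(32)
        self._triggers[trigger_id] = {
            # Only a hash is stored, so the secret cannot be revealed a second time.
            "secret_hash": hashlib.sha256(secret.encode()).digest(),
            "playbook": playbook_id,
        }
        return trigger_id, secret

    def replace_playbook(self, trigger_id, new_playbook, confirmed=False):
        """Swap the bound playbook only after an explicit confirm step."""
        if not confirmed:
            raise PermissionError("replacing a trigger's playbook requires confirmation")
        self._triggers[trigger_id]["playbook"] = new_playbook

    def fire(self, trigger_id, presented_secret, body):
        """Authenticate an inbound JSON POST and name the single playbook to run."""
        trig = self._triggers.get(trigger_id)
        # Unknown ids are compared against a dummy hash so the check takes the
        # same path whether or not the trigger exists.
        stored = trig["secret_hash"] if trig else bytes(32)
        presented = hashlib.sha256(presented_secret.encode()).digest()
        if not hmac.compare_digest(stored, presented) or trig is None:
            return {"status": 401}
        try:
            payload = json.loads(body)
        except ValueError:  # malformed JSON or invalid UTF-8
            return {"status": 400}
        if not isinstance(payload, dict):
            return {"status": 400}
        return {"status": 202, "playbook": trig["playbook"], "payload": payload}
```
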
Impact
Reframed the agent from reactive chat into a governed automation platform, with a human gate on anything that touches production.
Reflection
Automation trust lives in the transitions and their consequence copy, not in the pages.