Developer self-service

Stop being the bottleneck. /agentcy spin up a staging env for PR-412 from Slack, and the agent does it — bounded by policy, gated by approvals where it matters, audit-logged for compliance. The platform team writes the rules; engineers self-serve within them.

12PlatformDeveloper self-service

Context Graph tribal knowledge

team → namespace map · runbooks · audit history

Sources

GitHub

k8s

AWS

/agentcy ...

Agentcy

Agentcy

Platform agent + policy

action result

Output

Slack thread

TriggerSlack slash command

OutboundSlack thread + audit log

ConnectorsGitHub · Kubernetes · AWS · Vault

At a glance

• Inputs: Slack slash commands + threads, GitHub (PR / branch context), Kubernetes (cluster ops), AWS (EC2/RDS), Vault (secret rotation).
• Trigger: Slack slash command (/agentcy ...) or @agentcy mention in #ask-platform.
• Output: Slack thread with action results + audit log entry.
• Gates: every write call goes through policy → approval (configurable per command).

Stack

Layer	What we use
Channel	Slack bindings
Connectors	Kubernetes, GitHub, AWS, Vault (via openapi connector)
Agent	Platform agent with skills for org-specific runbooks
Policies	Rego per-command — see Worked example
Audit	Every action logged with the Slack user as the principal — visible in the audit log

What you'll build

A set of high-trust capabilities engineers can invoke from Slack:

• /agentcy spin up a preview env for PR-412 — clone staging, deploy the PR branch, return URL
• /agentcy restart checkout-svc — kubectl rollout restart with approval if outside business hours
• /agentcy rotate db credentials for staging — Vault rotation + redeploy
• /agentcy show me logs for the failing canary — fetch and excerpt
• /agentcy nuke preview-pr-412 — tear down a preview env

Each capability is a single agent prompt + policy. Adding a new one is a config change, not a deploy.

Prerequisites

• Slack channel binding with slash command support
• Kubernetes connector with namespace-scoped permissions for the dev cluster
• AWS connector for any infra capabilities you enable
• Vault connector if rotating secrets
• Realm dev-platform

Worked example

# policies/dev-self-service.rego
package agentcy

# Reads always allowed.
allow if {
    input.tool in {
      "kubernetes.list_pods",
      "kubernetes.logs_for_pod",
      "kubernetes.describe_deployment",
      "github.get_pr",
    }
}

# Restarts require approval outside 9-18 UTC weekdays.
allow if {
    input.tool == "kubernetes.rollout_restart"
    business_hours
}

allow if {
    input.tool == "kubernetes.rollout_restart"
    not business_hours
    input.approval.granted
}

business_hours if {
    h := time.clock([time.now_ns(), "UTC"])[0]
    d := time.weekday(time.now_ns())
    h >= 9
    h < 18
    d != "Saturday"
    d != "Sunday"
}

# Preview env teardown — always require approval. Never auto-delete prod.
deny[msg] if {
    input.tool == "kubernetes.delete_namespace"
    input.args.namespace == "production"
    msg := "deleting the production namespace is never allowed via self-service"
}

allow if {
    input.tool == "kubernetes.delete_namespace"
    startswith(input.args.namespace, "preview-")
    input.approval.granted
}

# Secret rotation always requires approval.
allow if {
    input.tool == "vault.rotate_secret"
    input.approval.granted
}

Task / channel binding:

name: dev-self-service
trigger:
  channel: slack
  bindings:
    - mention: "@agentcy"
      channel: "#ask-platform"
    - command: "/agentcy"
      channel: "any"
realm: dev-platform
agent: platform-agent
enabled_skills: [k8s-runbooks, vault-rotation]
prompt: |
  You're the platform self-service bot. Engineers ask for env spin-ups, restarts, log fetches.
  Always:
    1. Identify the user (it's in input.user) and use their team's namespaces by default.
    2. Echo the action you're about to take before doing it.
    3. Cite policy decisions (deny → quote the rule).
    4. After the action, post a thread reply with what changed and a link to the audit entry.

What good looks like

shaked  /agentcy spin up a preview env for PR-412
agentcy ⚙ Spinning up preview env for PR-412 (acme/checkout)…
        — cloning staging into preview-pr-412
        — applying overlay with image checkout:abc123 (built 12 min ago)
        — waiting for healthy pods (3/3) ✓
        — exposing ingress preview-pr-412.dev.acme.com
        ✅ Done in 2m 14s
        🔗 https://preview-pr-412.dev.acme.com
        📜 Audit: aud_01HK… (pinned in #platform-audit)

Variations

• Per-team channels — bind the same agent to #team-foo-platform, scope the realm to that team's resources.
• Cost-aware spin-up — hand the agent the FinOps recipe's output so it can refuse to spin up a 32-core preview if the team is already over budget.
• PR-bot integration — when a PR is opened, automatically post "spin up a preview? React 🚀 to confirm" to a thread; the reaction triggers the slash command.

Troubleshooting

• Slow spin-ups. Delegate the long pull to a worker job and have the agent stream status into the thread instead of blocking.
• Wrong namespace. The agent infers team from the Slack user's directory mapping. If that's missing, set up realms explicitly per Slack channel.
• Policy errors confuse engineers. Make sure your Rego rules' msg strings are human-friendly — the agent surfaces them verbatim.

Next

• Concept: Channels & Triggers
• Concept: Zero-Trust Policies
• Connector: Kubernetes