Fix stale grafana references in aws-access skill

habdelra · claude · habdelra · commit 360d09518217 · 2026-04-28T18:37:55.000-04:00
Two leftover phrases from before the grafana → claude_readonly_user
switch:

- "the AWS-side complement to the grafana-only DB rule below" — the
  rule itself was renamed to require claude_readonly_user; the
  cross-reference now matches.
- "authenticated as the read-only grafana DB user" — the Path A lead-in
  sentence; now says claude_readonly_user, consistent with the section
  heading and example procedure.

Other grafana mentions in the file are correct in context (they
describe what the role explicitly cannot read, or reference
1751981407344_setup-grafana-db-user.js as the source of truth for
readonly_role).

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.claude/skills/aws-access/SKILL.md b/.claude/skills/aws-access/SKILL.md
@@ -114,11 +114,11 @@ aws --profile claude-staging ecs list-clusters --query 'clusterArns' --output te
 
 Claude operates against staging and prod **only as the `boxel-claude-readonly` IAM role**. The role's policy is the entire AWS-side permission surface Claude has — there is no path for Claude to access anything the role doesn't grant, regardless of what the user's own IAM groups allow. This is symmetric across staging and prod: the role exists in both accounts under the same name and is intended to grant the same permissions in both.
 
-The role is provisioned by infra-side configuration tracked under CS-10962. Anything that would require a permission outside the role's policy is out of scope for Claude — the user should run that operation themselves through whatever channel the team uses for it. This is by design: the role is the AWS-side complement to the grafana-only DB rule below, and together they make accidental writes structurally hard to issue.
+The role is provisioned by infra-side configuration tracked under CS-10962. Anything that would require a permission outside the role's policy is out of scope for Claude — the user should run that operation themselves through whatever channel the team uses for it. This is by design: the role is the AWS-side complement to the claude-readonly-only DB rule below, and together they make accidental writes structurally hard to issue.
 
 ## Connecting to the boxel RDS database
 
-The staging/prod boxel Postgres instances are **private** (`PubliclyAccessible: false`) and live inside the cardstack VPC. They are not directly reachable from a developer laptop. The only path Claude uses is SSM port-forwarding through the realm-server ECS task, authenticated as the read-only `grafana` DB user.
+The staging/prod boxel Postgres instances are **private** (`PubliclyAccessible: false`) and live inside the cardstack VPC. They are not directly reachable from a developer laptop. The only path Claude uses is SSM port-forwarding through the realm-server ECS task, authenticated as the read-only `claude_readonly_user` DB user.
 
 ### Path A — SSM port-forward → psql on localhost as the `claude_readonly_user` DB user
 
