# floci - Doramagic AI Context Pack

> Positioning: a pre-install experience and judgment asset. It helps the host AI get off to a good start, but it does not mean the project has already been installed, run, or validated.

## Sufficiency Principle

- **Sufficiency over compression**: The AI Context Pack should be sufficient for the host AI to understand the project's value, capability boundaries, entrypoints, risks, and evidence sources before starting work; it may be layered, but it does not aim for the shortest possible summary.
- **Compression policy**: Compress only noise and duplication, never context that affects judgment or the quality of the work.

## How the Host AI Should Use This

You are reading the AI Context Pack that Doramagic compiled for floci. Treat it as pre-work context: help the user understand who it fits, what it can do, how to start, what must be verified after install, and where the risks are. Do not claim that you have already installed, run, or executed the target project.

## Claim Consumption Rules

- **Fact source**: Repo Evidence + Claim/Evidence Graph; the Human Wiki only supplies salience, terminology, and narrative structure.
- **Minimum status for a fact**: `supported`
- `supported`: May be used as a project fact, but the answer must cite the claim_id and evidence path.
- `weak`: Usable only as a low-confidence lead; the user must be asked to keep verifying.
- `inferred`: Usable only for risk notes or open questions; must not be packaged as a project fact.
- `unverified`: Must not be used as fact; state clearly that evidence is insufficient.
- `contradicted`: Must show the conflicting sources and must not force a single version on the user's behalf.

## Who It Fits Best

- **Users who want to understand an open-source project's value and boundaries before installing**: Current evidence comes mainly from project documentation. Evidence: `README.md` Claim: `clm_0002` supported 0.86

## What It Can Do

- **Command-Line Startup or Install Flow** (Verify after install): The project documentation contains runnable commands; real use requires running them in a local or host environment. Evidence: `README.md` Claim: `clm_0001` supported 0.86

## How to Start

- `npm install --save-dev @floci/testcontainers` Evidence: `README.md` Claim: `clm_0003` supported 0.86
- `pip install testcontainers-floci` Evidence: `README.md` Claim: `clm_0004` supported 0.86

## Continue-or-Stop Decision Card

- **Current recommendation**: Needs admin / security approval
- **Why**: Continuing may involve secrets, accounts, external services, or sensitive context; get admin or security approval first.

### 30-Second Read

- **What to do now**: Needs admin / security approval
- **Minimum safe next step**: Run Prompt Preview first; if credentials or an enterprise environment are involved, get approval before trialing
- **Do not trust yet**: Role quality and task fit cannot be trusted directly.
- **Continuing will touch**: Role selection bias, Command execution, Host AI configuration

### What You Can Trust Now

- **Target-audience signal: Users who want to understand an open-source project's value and boundaries before installing** (supported): Backed by a supported claim or project evidence, but that still is not the same as real install results. Evidence: `README.md` Claim: `clm_0002` supported 0.86
- **Capability exists: Command-Line Startup or Install Flow** (supported): You can trust that the project contains signals of this capability; whether it fits your specific task still needs trial or after-install verification. Evidence: `README.md` Claim: `clm_0001` supported 0.86
- **There are Quick Start / install-command signals** (supported): You can trust that the docs mention a startup or install entrypoint; do not run it directly in your primary environment because of that. Evidence: `README.md` Claim: `clm_0003` supported 0.86

### What You Cannot Trust Yet

- **Role quality and task fit cannot be trusted directly.** (unverified): A role library proves there are many roles; it does not prove each one fits your specific task or that a role produces high-quality results.
- **Do not treat role copy as real execution capability.** (unverified): Before install you can only judge whether the role description and task profile match; you cannot prove it can complete the task inside the host AI.
- **Real output quality cannot be trusted before install.** (unverified): Prompt Preview can only show how it guides you; it cannot prove result quality in the real project.
- **Host AI version compatibility cannot be trusted before install.** (unverified): Host loading rules and version differences across Claude, Cursor, Codex, Gemini, and others must be verified in a real environment.
- **That it will not pollute your existing host AI's behavior cannot be trusted directly.** (inferred): Skill, plugin, and AGENTS/CLAUDE/GEMINI instructions may change the host AI's default behavior. Evidence: `AGENTS.md`
- **Safe rollback cannot be assumed by default.** (unverified): Unless the project clearly provides uninstall and recovery instructions, verify in an isolated environment first.
- **After a real install, is it compatible with the user's current host AI version?** (unverified): Compatibility can only be verified in the actual host environment.
- **Does the project's output quality meet the user's specific task?** (unverified): The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.

### What Continuing Will Touch

- **Role selection bias**: The user's judgment about which expert role should handle the task. Why: Picking the wrong role makes the AI answer from the wrong expert perspective, wasting time or misleading decisions.
- **Command execution**: Package managers, network downloads, the local plugin directory, project config, or the user's home directory. Why: Running the very first command can already change your environment; decide whether it is worth running first. Evidence: `README.md`
- **Host AI configuration**: The plugin, Skill, or rule-loading config of hosts like Claude/Codex/Cursor/Gemini/OpenCode. Why: Host configuration changes how the AI works afterward and may conflict with the user's existing rules. Evidence: `AGENTS.md`
- **Local environment or project files**: Install results, plugin caches, project config, or local dependency directories. Why: The write scope and rollback path cannot be proven before install and need isolated verification. Evidence: `README.md`
- **Environment variables / API keys**: Project entry docs explicitly showing API key, token, secret, or account credential configuration. Why: If a real install needs credentials, use test credentials first and go through a permission/compliance review. Evidence: `README.md`, `compatibility-tests/README.md`, `compatibility-tests/compat-cdk/run.sh`, `compatibility-tests/compat-opentofu/run.sh` et al.
- **Host AI context**: The AI Context Pack, Prompt Preview, Skill routing, risk rules, and project facts. Why: Importing context affects the host AI's later judgment, so avoid packaging unverified items as facts.

### Minimum Safe Next Steps

- **Run Prompt Preview first**: Use an interactive trial to verify the task profile and role match first; do not import the whole role library up front. (applies when: Applies to any project, especially when output quality is unknown.)
- **Trial-install only in an isolated directory or a test account**: Avoid letting install commands pollute your primary host AI, real projects, or home directory. (applies when: When there are signals of command execution, plugin config, or local writes.)
- **Back up your host AI configuration first**: Skill, plugin, and rule files may change the default behavior of Claude/Cursor/Codex. (applies when: When there is a plugin manifest, a Skill, or a host rule entrypoint.)
- **Do not use real production credentials**: Once an environment variable / API key enters the host or toolchain, it can create account and compliance risk. (applies when: When environment signals like API, TOKEN, KEY, or SECRET appear.)
- **After install, verify just one minimal task**: Verify loading, compatibility, output quality, and rollback first, then decide whether to use it deeply. (applies when: When moving from a trial into a real workflow.)

### Exit Plan

- **Preserve the pre-install state**: Record the original host config and project state so you can later judge whether it is recoverable.
- **Be ready to remove the host plugin / Skill / rule entrypoint**: If behavior is off after the trial install, you can restore the host AI to its pre-trial state.
- **Keep a record of the original role selection**: If output goes off-topic, you can return to the task-profiling stage and reselect a role instead of pushing on with the wrong one.
- **Record the install commands and written paths**: Without clear uninstall instructions, you at least need to know which directories or configs to clean up manually.
- **Be ready to revoke test API keys or tokens**: If test credentials leak or are misused, you can cut losses quickly.
- **If there is no rollback path, do not enter your primary environment**: No rollback is a blocker before continuing; do not proceed on trust or luck.

## What Can Only Be Previewed

- Explain who the project fits and what it can do
- Demonstrate a typical conversation flow based on project docs
- Help the user decide whether it is worth installing or researching further

## What Must Be Verified After Install

- Actually installing the Skill, plugin, or CLI
- Running scripts, modifying local files, or accessing external services
- Verifying real output quality, performance, and compatibility

## Boundary & Risk Decision Card

- **Mistaking the pre-install preview for a real run**: The user may overestimate how much configuration, permission, and compatibility verification the project has already done. Mitigation: Clearly separate prompt_preview_can_do from runtime_required. Claim: `clm_0005` inferred 0.45
- **Command execution will modify the local environment**: Install commands may write to the user's home directory, the host plugin directory, or project configuration. Mitigation: Run in an isolated environment or a test account first. Evidence: `README.md` Claim: `clm_0006` supported 0.86
- **To confirm**: After a real install, is it compatible with the user's current host AI version?. Why: Compatibility can only be verified in the actual host environment.
- **To confirm**: Does the project's output quality meet the user's specific task?. Why: The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **To confirm**: Do the install commands require network access, permissions, or global writes?. Why: This affects install risk in both enterprise and personal environments.

## Pre-Work Working Context

### Loading Order

- First read how_to_use.host_ai_instruction to establish the boundaries of this pre-install judgment asset.
- Read claim_graph_summary to confirm facts come from the Claim/Evidence Graph, not the Human Wiki narrative.
- Then read intended_users, capabilities, and quick_start_candidates to judge whether the user is a match.
- When you need to carry out a concrete task, check role_skill_index first, then evidence_index.
- For real install, file modification, network access, performance, or compatibility questions, turn to risk_card and boundaries.runtime_required.

### Task Routes

- **Command-Line Startup or Install Flow**: State that this is an after-install capability first, then give a pre-install checklist. Boundary: Must be verified after a real install or run. Evidence: `README.md` Claim: `clm_0001` supported 0.86

### Context Scale

- Total files: 1971
- Important-file coverage: 40/1971
- Evidence index entries: 80
- Role / Skill entries: 77

### Handling Insufficient Evidence

- **missing_evidence**: State that evidence is insufficient and ask the user for the target file, a README section, or after-install verification records; do not fill in facts.
- **out_of_scope_request**: State that the task is beyond the current AI Context Pack's evidence scope and suggest the user check the Human Manual or verify after a real install.
- **runtime_request**: Provide a pre-install checklist and command sources, but do not run commands for the user or claim they have been run.
- **source_conflict**: Show the conflicting sources side by side, mark them as unverified, and do not force a single version.

## Prompt Recipes

### Fit assessment

- Goal: Judge whether this project fits the user's current task.
- Expected output: A fit conclusion, key reasons, evidence citations, what can be previewed before install, what must be verified after install, and a next-step recommendation.

```text
Based on the AI Context Pack for floci, ask me 3 necessary questions first, then judge whether it fits my task. The answer must cover: who it fits, what it can do, what it cannot do, whether it is worth installing, and where the evidence comes from. Every project fact must cite evidence_refs, source_paths, or a claim_id.
```

### Pre-install experience

- Goal: Let the user feel the core workflow before installing, while avoiding packaging the preview as real capability or a marketing promise.
- Expected output: An experience script with boundary labels, an after-install verification checklist, and a cautious recommendation; with no real-run promises or strong marketing language.

```text
Treat floci as a pre-install experience asset, not an already-installed tool or a real runtime environment.

Output exactly four parts:
1. Ask me 3 necessary questions first.
2. Give an "experience script": use the three labels [Previewable before install], [Must verify after install], and [Insufficient evidence] to show how it might guide the workflow.
3. Give an after-install verification checklist: list which capabilities can only be confirmed after a real install, real host loading, and a real project run.
4. Give a cautious recommendation: only "worth researching/trialing further", "add information before deciding", or "not recommended to continue"; do not endorse the project.

Hard boundaries:
- Do not claim you have installed, run, executed tests, modified files, or produced real results.
- Do not write promise-like phrasing such as "auto-adapts", "guarantees passing", "perfect fit", or "strongly recommend installing".
- If you describe how it works after install, you must use a conditional such as "if installed successfully and the host loads the Skill correctly, it might...".
- The experience script may only be written as "example lines / hypothetical flow": use "might ask / might suggest / might show", not "has written, has generated, has passed, is running, is generating".
- Prompt Preview does not hand out install commands; if the user is ready to trial, only prompt them to read Quick Start and the Risk Card first and to verify in an isolated environment.
- Every project fact must come from a supported claim, evidence_refs, or source_paths; inferred/unverified items can only be risks or open questions.

```

### Role / Skill selection

- Goal: Pick the best-matching asset from the project's roles or Skills.
- Expected output: A list of candidate roles or Skills, each with an applicable scenario, evidence paths, risk boundary, and whether after-install verification is needed.

```text
Read role_skill_index and recommend 3-5 of the most relevant roles or Skills for my target task. For each recommendation, state the applicable scenario, likely output, risk boundary, and evidence_refs.
```

### Risk pre-check

- Goal: Identify environment, permission, rule-conflict, and quality risks before installing or adopting.
- Expected output: A checklist of environment, permission, dependency, license, host-conflict, quality risk, and unknown items.

```text
Based on risk_card, boundaries, and quick_start_candidates, give me a pre-install risk pre-check list. Do not run commands for me; only explain what I should check, why, and what impact a failure would have.
```

### Host AI kickoff instruction

- Goal: Turn the project context into a host AI instruction for the start of a conversation.
- Expected output: A pre-work instruction with clear boundaries and clear evidence citations, suitable to copy to a host AI.

```text
Based on the AI Context Pack for floci, generate a pre-work instruction I can paste to my host AI. This instruction must obey not_runtime=true and must not claim the project has been installed, run, or produced real results.
```

## Role / Skill Index

- Indexed 77 role / Skill / project-doc entries.

- **What is Floci?** (project_doc): Light, fluffy, and always free No account. No auth token. No feature gates. Just docker compose up . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `README.md`
- **floci-compatibility-tests** (project_doc): Compatibility test suite for Floci https://github.com/hectorvent/floci — a local AWS emulator. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `compatibility-tests/README.md`
- **sdk-test-awscli** (project_doc): Compatibility tests for Floci https://github.com/hectorvent/floci using the AWS CLI v2 2.22.35 . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `compatibility-tests/sdk-test-awscli/README.md`
- **sdk-test-go** (project_doc): Compatibility tests for Floci https://github.com/hectorvent/floci using the AWS SDK for Go v2 1.41.4 . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `compatibility-tests/sdk-test-go/README.md`
- **sdk-test-java** (project_doc): Compatibility tests for Floci https://github.com/hectorvent/floci using the AWS SDK for Java v2 2.31.8 . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `compatibility-tests/sdk-test-java/README.md`
- **sdk-test-node** (project_doc): Compatibility tests for Floci https://github.com/hectorvent/floci using the AWS SDK for JavaScript v3 3.1003.0 . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `compatibility-tests/sdk-test-node/README.md`
- **sdk-test-python** (project_doc): Compatibility tests for Floci https://github.com/hectorvent/floci using boto3 1.37.1 . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `compatibility-tests/sdk-test-python/README.md`
- **Contributing** (project_doc): Floci is MIT licensed and welcomes contributions of all kinds. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/contributing.md`
- **Project Overview** (project_doc): Guidance for AI coding agents working in the Floci repository. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `AGENTS.md`
- **Floci** (project_doc): Floci is a fast, free, and open-source local AWS service emulator built for developers who need reliable AWS services in development and CI without cost, complexity, or vendor lock-in. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/index.md`
- **Installation** (project_doc): Floci can be run three ways: as a Docker image, as a pre-built native binary, or built from source. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/getting-started/installation.md`
- **Quick Start** (project_doc): This guide gets Floci running and verifies that AWS CLI commands work against it in under five minutes. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/getting-started/quick-start.md`
- **Services Overview** (project_doc): Floci emulates 68 AWS services on a single port 4566 . All services use the real AWS wire protocol, your existing AWS CLI commands and SDK clients work without modification. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/index.md`
- **Contributing to Floci** (project_doc): Thank you for your interest in contributing! Floci is a community-driven project and all contributions are welcome. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `CONTRIBUTING.md`
- **Testcontainers** (project_doc): Floci has first-class Testcontainers modules for every major SDK language. Each module starts a real Floci container before your tests run and tears it down after — no running daemon, no shared state, no port conflicts. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/testcontainers/index.md`
- **application.yml Reference** (project_doc): !!! note "Source builds only" This page is for users who build Floci from source or mount a custom application.yml into the container. If you run the published Docker image, you don't need this file — all settings are configured through FLOCI environment variables. See the Environment Variables Reference ../environment-variables.md for the complete list. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/advanced/application-yml.md`
- **application.yml Reference** (project_doc): !!! note "Moved" This page has moved to Advanced → application.yml Reference ./advanced/application-yml.md . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/application-yml.md`
- **Running with Docker** (project_doc): Floci is distributed as a Docker image. All configuration is done through environment variables — no config files or volume-mounted YAML is required. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/docker-compose.md`
- **Docker Images** (project_doc): Floci publishes images to Docker Hub floci/floci https://hub.docker.com/r/floci/floci . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/docker-images.md`
- **Docker Configuration** (project_doc): Floci spawns real Docker containers for services that need them: Lambda, RDS, ElastiCache, OpenSearch, MSK, and ECS. All of these share the same Docker client configuration, controlled under floci.docker . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/docker.md`
- **Environment Variables Reference** (project_doc): Floci is configured exclusively through environment variables. Every option below maps directly to a FLOCI variable — no YAML file is needed when running the published Docker image. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/environment-variables.md`
- **Initialization Hooks** (project_doc): Floci supports init hook scripts that run at defined points in the startup and shutdown lifecycle. Use them to seed resources, configure state, or clean up after a run — before or after the AWS APIs are available. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/initialization-hooks.md`
- **Multi-Account Isolation** (project_doc): Floci supports full per-account resource isolation out of the box. Resources created by one account are invisible to all others — no configuration flag required. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/multi-account.md`
- **Ports Reference** (project_doc): Port / Range Protocol Purpose docker-compose mapping required? --- --- --- --- 4566 HTTP All AWS API calls every service Yes 5100–5199 HTTP ECR Registry sidecar — bound directly by the registry:2 container No see note 6379–6399 TCP ElastiCache Redis proxy inside Floci Yes 6500–6599 HTTPS EKS k3s API server — bound directly by each k3s container No 7001–7099 TCP RDS proxy inside Floci Yes 9200–9299 HTTP Lambda Runtim… Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/ports.md`
- **Storage Modes** (project_doc): Floci supports four storage backends. You can set a global default and override it per service. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/storage.md`
- **TLS / HTTPS** (project_doc): Floci supports optional TLS, enabling https:// for all REST/JSON/Query endpoints and wss:// for WebSocket connections. Both HTTP and HTTPS are served simultaneously LocalStack parity . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/configuration/tls.md`
- **AWS CLI & SDK Setup** (project_doc): Floci accepts any non-empty credentials — no real AWS account is needed. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/getting-started/aws-setup.md`
- **Migrate from LocalStack** (project_doc): Floci is a drop-in replacement for LocalStack Community. The wire protocol, port, credentials, and SDK configuration are identical, so most migrations require only an image swap. This page documents every change and provides a compatibility mode for projects that need a gentler transition. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/getting-started/migrate-from-localstack.md`
- **ACM** (project_doc): Protocol: JSON 1.1 X-Amz-Target: CertificateManager. Endpoint: POST http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/acm.md`
- **Amazon MQ RabbitMQ** (project_doc): Protocol: REST-JSON Endpoint: http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/amazonmq.md`
- **API Gateway** (project_doc): Floci supports both API Gateway v1 REST APIs and API Gateway v2 HTTP APIs . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/api-gateway.md`
- **AppConfig** (project_doc): Floci supports AWS AppConfig and AppConfigData for local configuration management. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/appconfig.md`
- **AppSync** (project_doc): Protocol: REST JSON Endpoint: http://localhost:4566/v1/apis/... Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/appsync.md`
- **Athena** (project_doc): Protocol: JSON 1.1 Endpoint: http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/athena.md`
- **Auto Scaling** (project_doc): Floci implements the EC2 Auto Scaling API — stored-state management for launch configurations, auto scaling groups, lifecycle hooks, and scaling policies, plus a real capacity reconciler that launches and terminates EC2 instances to maintain desired capacity. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/autoscaling.md`
- **AWS Backup** (project_doc): Protocol: REST JSON Endpoint: http://localhost:4566/ Credential scope: backup Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/backup.md`
- **AWS Batch** (project_doc): Protocol: REST JSON Endpoint: http://localhost:4566/v1/... Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/batch.md`
- **BCM Data Exports bcm-data-exports:** (project_doc): Protocol: JSON 1.1 Header: X-Amz-Target: AWSBillingAndCostManagementDataExports. Endpoint prefix: bcm-data-exports Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/bcm-data-exports.md`
- **Bedrock Runtime** (project_doc): Protocol: REST JSON Endpoint: POST http://localhost:4566/model/{modelId}/... Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/bedrock-runtime.md`
- **Cost Explorer ce:** (project_doc): Protocol: JSON 1.1 Header: X-Amz-Target: AWSInsightsIndexService. Endpoint prefix: ce Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/ce.md`
- **CloudFormation** (project_doc): Protocol: Query XML — POST http://localhost:4566/ with Action= parameter Endpoint: POST http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/cloudformation.md`
- **CloudFront** (project_doc): CloudFront management-plane emulation. Supports distribution lifecycle, cache policies, origin request policies, response headers policies, origin access controls, origin access identities, CloudFront Functions, invalidations, and tagging. Actual content delivery is not emulated — this is a management-plane-only implementation. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/cloudfront.md`
- **AWS Cloud Map** (project_doc): Protocol: JSON 1.1 Header: X-Amz-Target: Route53AutoNaming v20170314. Endpoint prefix: servicediscovery Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/cloudmap.md`
- **CloudTrail** (project_doc): Protocol: JSON 1.1 Endpoint: http://localhost:4566/ Target prefix: X-Amz-Target: com.amazonaws.cloudtrail.v20131101.CloudTrail 20131101. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/cloudtrail.md`
- **CloudWatch** (project_doc): Floci supports both CloudWatch Logs and CloudWatch Metrics. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/cloudwatch.md`
- **CodeBuild** (project_doc): Floci implements the CodeBuild API — stored-state management plus real build execution inside Docker containers. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/codebuild.md`
- **CodeDeploy** (project_doc): Floci implements the CodeDeploy API — stored-state management for applications, deployment groups, and configs, plus real Lambda and ECS deployment execution with traffic shifting and lifecycle hooks. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/codedeploy.md`
- **CodePipeline** (project_doc): Floci implements the AWS CodePipeline JSON 1.1 API and a local pipeline execution engine. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/codepipeline.md`
- **Cognito** (project_doc): Protocol: JSON 1.1 X-Amz-Target: AWSCognitoIdentityProviderService. Endpoint: POST http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/cognito.md`
- **AWS Config** (project_doc): Protocol: JSON 1.1 X-Amz-Target: StarlingDoveService. Endpoint: POST http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/config.md`
- **Cost and Usage Reports cur:** (project_doc): Protocol: JSON 1.1 Header: X-Amz-Target: AWSOrigamiServiceGatewayService. Endpoint prefix: cur Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/cur.md`
- **DynamoDB** (project_doc): Protocol: JSON 1.1 X-Amz-Target: DynamoDB 20120810. Endpoint: POST http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/dynamodb.md`
- **EC2** (project_doc): Protocol: EC2 Query XML — POST http://localhost:4566/ with Action= parameter Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/ec2.md`
- **ECR** (project_doc): Protocol: JSON 1.1 X-Amz-Target: AmazonEC2ContainerRegistry V20150921. for the control plane. Data plane: OCI Distribution Spec v2 /v2/... , served by a real registry:2 container managed by Floci. Endpoint: POST http://localhost:4566/ for the control plane; .dkr.ecr. .localhost: / for docker push / docker pull . Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/ecr.md`
- **ECS Elastic Container Service** (project_doc): Protocol: JSON 1.1 Endpoint: POST / + X-Amz-Target: AmazonEC2ContainerServiceV20141113. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/ecs.md`
- **EKS Elastic Kubernetes Service** (project_doc): Protocol: REST-JSON Endpoint: http://localhost:4566/ path-routed via JAX-RS Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/eks.md`
- **Elastic Beanstalk** (project_doc): Floci implements the AWS Elastic Beanstalk management API as a Query-protocol service with stored application, application version, and environment state. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/elastic-beanstalk.md`
- **ElastiCache** (project_doc): Protocol: Query XML for management API + Redis RESP protocol for data plane Management Endpoint: POST http://localhost:4566/ Data Endpoint: localhost: TCP Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/elasticache.md`
- **Elastic Load Balancing v2** (project_doc): Protocol: Query XML — POST http://localhost:4566/ with Action= parameter Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/elb.md`
- **EMR** (project_doc): Protocol: JSON 1.1 Endpoint: http://localhost:4566/ Target prefix: X-Amz-Target: ElasticMapReduce. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/emr.md`
- **EventBridge** (project_doc): Protocol: JSON 1.1 X-Amz-Target: AmazonEventBridge. Endpoint: POST http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/eventbridge.md`
- **Data Firehose** (project_doc): Protocol: JSON 1.1 Endpoint: http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/firehose.md`
- **Glue** (project_doc): Protocol: JSON 1.1 Endpoint: http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/glue.md`
- **IAM** (project_doc): Protocol: Query XML — POST http://localhost:4566/ with Action= parameter Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/iam.md`
- **AWS IoT Core** (project_doc): Floci's IoT service emulates the AWS IoT Core control plane, IoT Data shadow APIs, and MQTT data-plane behavior used by local device and SDK tests. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/iot.md`
- **Kinesis** (project_doc): Protocol: JSON 1.1 X-Amz-Target: Kinesis 20131202. Endpoint: POST http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/kinesis.md`
- **KMS** (project_doc): Protocol: JSON 1.1 X-Amz-Target: TrentService. Endpoint: POST http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/kms.md`
- **Lambda** (project_doc): Protocol: REST JSON Endpoint: http://localhost:4566/2015-03-31/functions/... Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/lambda.md`
- **MemoryDB** (project_doc): Protocol: JSON 1.1 X-Amz-Target: AmazonMemoryDB. for management API + Redis RESP protocol for data plane Management Endpoint: POST http://localhost:4566/ Data Endpoint: localhost: TCP Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/memorydb.md`
- **MSK Managed Streaming for Kafka** (project_doc): Protocol: REST-JSON Endpoint: http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/msk.md`
- **Neptune** (project_doc): Protocol: Query XML for management API + Gremlin / HTTP / Bolt for data plane Management Endpoint: POST http://localhost:4566/ Data Endpoint: localhost: TCP / WebSocket / Bolt Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/neptune.md`
- **OpenSearch Service** (project_doc): Protocol: REST JSON Endpoint: http://localhost:4566/2021-01-01/... Credential scope: es Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/opensearch.md`
- **EventBridge Pipes** (project_doc): Protocol: REST-JSON Endpoint: POST http://localhost:4566/ Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/pipes.md`
- **Pricing AWS Price List Service** (project_doc): Protocol: JSON 1.1 Header: X-Amz-Target: AWSPriceListService. Endpoint prefix: api.pricing Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/pricing.md`
- **RDS Data API** (project_doc): Protocol: REST JSON Endpoint: POST http://localhost:4566/{operation} Backing data plane: Local RDS MySQL / MariaDB / PostgreSQL containers Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/rds-data.md`
- **RDS** (project_doc): Protocol: Query XML for management API + PostgreSQL / MySQL wire protocol for data plane Management Endpoint: POST http://localhost:4566/ Data Endpoint: localhost: TCP Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/rds.md`
- **Resource Groups Tagging API** (project_doc): Protocol: JSON 1.1 Header: X-Amz-Target: ResourceGroupsTaggingAPI 20170126. Endpoint prefix: tagging Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/services/resource-groups-tagging.md`

## Evidence Index

- Indexed 80 evidence entries.

- **What is Floci?** (documentation): Light, fluffy, and always free No account. No auth token. No feature gates. Just docker compose up . Evidence: `README.md`
- **floci-compatibility-tests** (documentation): Compatibility test suite for Floci https://github.com/hectorvent/floci — a local AWS emulator. Evidence: `compatibility-tests/README.md`
- **sdk-test-awscli** (documentation): Compatibility tests for Floci https://github.com/hectorvent/floci using the AWS CLI v2 2.22.35 . Evidence: `compatibility-tests/sdk-test-awscli/README.md`
- **sdk-test-go** (documentation): Compatibility tests for Floci https://github.com/hectorvent/floci using the AWS SDK for Go v2 1.41.4 . Evidence: `compatibility-tests/sdk-test-go/README.md`
- **sdk-test-java** (documentation): Compatibility tests for Floci https://github.com/hectorvent/floci using the AWS SDK for Java v2 2.31.8 . Evidence: `compatibility-tests/sdk-test-java/README.md`
- **sdk-test-node** (documentation): Compatibility tests for Floci https://github.com/hectorvent/floci using the AWS SDK for JavaScript v3 3.1003.0 . Evidence: `compatibility-tests/sdk-test-node/README.md`
- **sdk-test-python** (documentation): Compatibility tests for Floci https://github.com/hectorvent/floci using boto3 1.37.1 . Evidence: `compatibility-tests/sdk-test-python/README.md`
- **Contributing** (documentation): Floci is MIT licensed and welcomes contributions of all kinds. Evidence: `docs/contributing.md`
- **Project Overview** (documentation): Guidance for AI coding agents working in the Floci repository. Evidence: `AGENTS.md`
- **Floci** (documentation): Floci is a fast, free, and open-source local AWS service emulator built for developers who need reliable AWS services in development and CI without cost, complexity, or vendor lock-in. Evidence: `docs/index.md`
- **Installation** (documentation): Floci can be run three ways: as a Docker image, as a pre-built native binary, or built from source. Evidence: `docs/getting-started/installation.md`
- **Quick Start** (documentation): This guide gets Floci running and verifies that AWS CLI commands work against it in under five minutes. Evidence: `docs/getting-started/quick-start.md`
- **Services Overview** (documentation): Floci emulates 68 AWS services on a single port 4566 . All services use the real AWS wire protocol, your existing AWS CLI commands and SDK clients work without modification. Evidence: `docs/services/index.md`
- **Contributing to Floci** (documentation): Thank you for your interest in contributing! Floci is a community-driven project and all contributions are welcome. Evidence: `CONTRIBUTING.md`
- **Package** (package_manifest): { "name": "compat-cdk", "version": "1.0.0", "private": true, "bin": { "app": "bin/app.js" }, "scripts": { "build": "tsc", "cdk": "cdk" }, "dependencies": { "aws-cdk-lib": "2.171.1", "constructs": "^10.0.0" }, "devDependencies": { "@types/node": "^25.5.2", "aws-cdk": "2.171.1", "aws-cdk-local": "^2.0.0", "typescript": "~5.7.0" } } Evidence: `compatibility-tests/compat-cdk/package.json`
- **Package** (package_manifest): { "name": "floci-compatibility-tests-typescript", "version": "1.0.0", "type": "module", "scripts": { "test": "vitest run", "test:watch": "vitest" }, "dependencies": { "@aws-sdk/client-acm": "^3.500.0", "@aws-sdk/client-api-gateway": "^3.500.0", "@aws-sdk/client-apigatewaymanagementapi": "^3.500.0", "@aws-sdk/client-apigatewayv2": "^3.500.0", "@aws-sdk/client-cloudformation": "^3.500.0", "@aws-sdk/client-cloudwatch": "^3.500.0", "@aws-sdk/client-cognito-identity-provider": "^3.500.0", "@aws-sdk/client-dynamodb": "^3.500.0", "@aws-sdk/client-ecr": "^3.500.0", "@aws-sdk/client-eventbridge": "^3.500.0", "@aws-sdk/client-iam": "^3.500.0", "@aws-sdk/client-kinesis": "^3.500.0", "@aws-sdk/client-k… Evidence: `compatibility-tests/sdk-test-node/package.json`
- **Testcontainers** (documentation): Floci has first-class Testcontainers modules for every major SDK language. Each module starts a real Floci container before your tests run and tears it down after — no running daemon, no shared state, no port conflicts. Evidence: `docs/testcontainers/index.md`
- **License** (source_file): Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files the "Software" , to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: Evidence: `LICENSE`
- **application.yml Reference** (documentation): !!! note "Source builds only" This page is for users who build Floci from source or mount a custom application.yml into the container. If you run the published Docker image, you don't need this file — all settings are configured through FLOCI environment variables. See the Environment Variables Reference ../environment-variables.md for the complete list. Evidence: `docs/configuration/advanced/application-yml.md`
- **application.yml Reference** (documentation): !!! note "Moved" This page has moved to Advanced → application.yml Reference ./advanced/application-yml.md . Evidence: `docs/configuration/application-yml.md`
- **Running with Docker** (documentation): Floci is distributed as a Docker image. All configuration is done through environment variables — no config files or volume-mounted YAML is required. Evidence: `docs/configuration/docker-compose.md`
- **Docker Images** (documentation): Floci publishes images to Docker Hub floci/floci https://hub.docker.com/r/floci/floci . Evidence: `docs/configuration/docker-images.md`
- **Docker Configuration** (documentation): Floci spawns real Docker containers for services that need them: Lambda, RDS, ElastiCache, OpenSearch, MSK, and ECS. All of these share the same Docker client configuration, controlled under floci.docker . Evidence: `docs/configuration/docker.md`
- **Environment Variables Reference** (documentation): Floci is configured exclusively through environment variables. Every option below maps directly to a FLOCI variable — no YAML file is needed when running the published Docker image. Evidence: `docs/configuration/environment-variables.md`
- **Initialization Hooks** (documentation): Floci supports init hook scripts that run at defined points in the startup and shutdown lifecycle. Use them to seed resources, configure state, or clean up after a run — before or after the AWS APIs are available. Evidence: `docs/configuration/initialization-hooks.md`
- **Multi-Account Isolation** (documentation): Floci supports full per-account resource isolation out of the box. Resources created by one account are invisible to all others — no configuration flag required. Evidence: `docs/configuration/multi-account.md`
- **Ports Reference** (documentation): Port / Range Protocol Purpose docker-compose mapping required? --- --- --- --- 4566 HTTP All AWS API calls every service Yes 5100–5199 HTTP ECR Registry sidecar — bound directly by the registry:2 container No see note 6379–6399 TCP ElastiCache Redis proxy inside Floci Yes 6500–6599 HTTPS EKS k3s API server — bound directly by each k3s container No 7001–7099 TCP RDS proxy inside Floci Yes 9200–9299 HTTP Lambda Runtime API internal, Docker-network only No 9400–9499 HTTP OpenSearch data-plane — bound directly by each OpenSearch container No Evidence: `docs/configuration/ports.md`
- **Storage Modes** (documentation): Floci supports four storage backends. You can set a global default and override it per service. Evidence: `docs/configuration/storage.md`
- **TLS / HTTPS** (documentation): Floci supports optional TLS, enabling https:// for all REST/JSON/Query endpoints and wss:// for WebSocket connections. Both HTTP and HTTPS are served simultaneously LocalStack parity . Evidence: `docs/configuration/tls.md`
- **AWS CLI & SDK Setup** (documentation): Floci accepts any non-empty credentials — no real AWS account is needed. Evidence: `docs/getting-started/aws-setup.md`
- **Migrate from LocalStack** (documentation): Floci is a drop-in replacement for LocalStack Community. The wire protocol, port, credentials, and SDK configuration are identical, so most migrations require only an image swap. This page documents every change and provides a compatibility mode for projects that need a gentler transition. Evidence: `docs/getting-started/migrate-from-localstack.md`
- **ACM** (documentation): Protocol: JSON 1.1 X-Amz-Target: CertificateManager. Endpoint: POST http://localhost:4566/ Evidence: `docs/services/acm.md`
- **Amazon MQ RabbitMQ** (documentation): Protocol: REST-JSON Endpoint: http://localhost:4566/ Evidence: `docs/services/amazonmq.md`
- **API Gateway** (documentation): Floci supports both API Gateway v1 REST APIs and API Gateway v2 HTTP APIs . Evidence: `docs/services/api-gateway.md`
- **AppConfig** (documentation): Floci supports AWS AppConfig and AppConfigData for local configuration management. Evidence: `docs/services/appconfig.md`
- **AppSync** (documentation): Protocol: REST JSON Endpoint: http://localhost:4566/v1/apis/... Evidence: `docs/services/appsync.md`
- **Athena** (documentation): Protocol: JSON 1.1 Endpoint: http://localhost:4566/ Evidence: `docs/services/athena.md`
- **Auto Scaling** (documentation): Floci implements the EC2 Auto Scaling API — stored-state management for launch configurations, auto scaling groups, lifecycle hooks, and scaling policies, plus a real capacity reconciler that launches and terminates EC2 instances to maintain desired capacity. Evidence: `docs/services/autoscaling.md`
- **AWS Backup** (documentation): Protocol: REST JSON Endpoint: http://localhost:4566/ Credential scope: backup Evidence: `docs/services/backup.md`
- **AWS Batch** (documentation): Protocol: REST JSON Endpoint: http://localhost:4566/v1/... Evidence: `docs/services/batch.md`
- **BCM Data Exports bcm-data-exports:** (documentation): Protocol: JSON 1.1 Header: X-Amz-Target: AWSBillingAndCostManagementDataExports. Endpoint prefix: bcm-data-exports Evidence: `docs/services/bcm-data-exports.md`
- **Bedrock Runtime** (documentation): Protocol: REST JSON Endpoint: POST http://localhost:4566/model/{modelId}/... Evidence: `docs/services/bedrock-runtime.md`
- **Cost Explorer ce:** (documentation): Protocol: JSON 1.1 Header: X-Amz-Target: AWSInsightsIndexService. Endpoint prefix: ce Evidence: `docs/services/ce.md`
- **CloudFormation** (documentation): Protocol: Query XML — POST http://localhost:4566/ with Action= parameter Endpoint: POST http://localhost:4566/ Evidence: `docs/services/cloudformation.md`
- **CloudFront** (documentation): CloudFront management-plane emulation. Supports distribution lifecycle, cache policies, origin request policies, response headers policies, origin access controls, origin access identities, CloudFront Functions, invalidations, and tagging. Actual content delivery is not emulated — this is a management-plane-only implementation. Evidence: `docs/services/cloudfront.md`
- **AWS Cloud Map** (documentation): Protocol: JSON 1.1 Header: X-Amz-Target: Route53AutoNaming v20170314. Endpoint prefix: servicediscovery Evidence: `docs/services/cloudmap.md`
- **CloudTrail** (documentation): Protocol: JSON 1.1 Endpoint: http://localhost:4566/ Target prefix: X-Amz-Target: com.amazonaws.cloudtrail.v20131101.CloudTrail 20131101. Evidence: `docs/services/cloudtrail.md`
- **CloudWatch** (documentation): Floci supports both CloudWatch Logs and CloudWatch Metrics. Evidence: `docs/services/cloudwatch.md`
- **CodeBuild** (documentation): Floci implements the CodeBuild API — stored-state management plus real build execution inside Docker containers. Evidence: `docs/services/codebuild.md`
- **CodeDeploy** (documentation): Floci implements the CodeDeploy API — stored-state management for applications, deployment groups, and configs, plus real Lambda and ECS deployment execution with traffic shifting and lifecycle hooks. Evidence: `docs/services/codedeploy.md`
- **CodePipeline** (documentation): Floci implements the AWS CodePipeline JSON 1.1 API and a local pipeline execution engine. Evidence: `docs/services/codepipeline.md`
- **Cognito** (documentation): Protocol: JSON 1.1 X-Amz-Target: AWSCognitoIdentityProviderService. Endpoint: POST http://localhost:4566/ Evidence: `docs/services/cognito.md`
- **AWS Config** (documentation): Protocol: JSON 1.1 X-Amz-Target: StarlingDoveService. Endpoint: POST http://localhost:4566/ Evidence: `docs/services/config.md`
- **Cost and Usage Reports cur:** (documentation): Protocol: JSON 1.1 Header: X-Amz-Target: AWSOrigamiServiceGatewayService. Endpoint prefix: cur Evidence: `docs/services/cur.md`
- **DynamoDB** (documentation): Protocol: JSON 1.1 X-Amz-Target: DynamoDB 20120810. Endpoint: POST http://localhost:4566/ Evidence: `docs/services/dynamodb.md`
- **EC2** (documentation): Protocol: EC2 Query XML — POST http://localhost:4566/ with Action= parameter Evidence: `docs/services/ec2.md`
- **ECR** (documentation): Protocol: JSON 1.1 X-Amz-Target: AmazonEC2ContainerRegistry V20150921. for the control plane. Data plane: OCI Distribution Spec v2 /v2/... , served by a real registry:2 container managed by Floci. Endpoint: POST http://localhost:4566/ for the control plane; .dkr.ecr. .localhost: / for docker push / docker pull . Evidence: `docs/services/ecr.md`
- **ECS Elastic Container Service** (documentation): Protocol: JSON 1.1 Endpoint: POST / + X-Amz-Target: AmazonEC2ContainerServiceV20141113. Evidence: `docs/services/ecs.md`
- **EKS Elastic Kubernetes Service** (documentation): Protocol: REST-JSON Endpoint: http://localhost:4566/ path-routed via JAX-RS Evidence: `docs/services/eks.md`
- **Elastic Beanstalk** (documentation): Floci implements the AWS Elastic Beanstalk management API as a Query-protocol service with stored application, application version, and environment state. Evidence: `docs/services/elastic-beanstalk.md`
- The remaining 20 evidence entries are in `AI_CONTEXT_PACK.json` or `EVIDENCE_INDEX.json`.

## Rules the Host AI Must Follow

- **Treat this asset as pre-work context, not a runtime environment.**: The AI Context Pack contains only an evidence-backed understanding of the project, not the project's executable state. Evidence: `README.md`, `compatibility-tests/README.md`, `compatibility-tests/sdk-test-awscli/README.md`
- **When answering the user, distinguish what can be previewed from what can only be verified after install.**: The consumer value of the pre-install experience comes from reducing bad installs and misjudgments, not from pretending to be a real run. Evidence: `README.md`, `compatibility-tests/README.md`, `compatibility-tests/sdk-test-awscli/README.md`

## Questions the User Should Answer First

- Which host AI or local environment do you plan to use it in?
- Do you just want to experience the workflow first, or are you ready to actually install?
- What matters most to you: install cost, output quality, or conflicts with your existing rules?

## Acceptance Checks

- Every capability claim can be traced back to a file path in evidence_refs.
- AI_CONTEXT_PACK.md does not package previews as a real run.
- The user can understand who it fits, what it can do, how to start, and the risk boundaries within 3 minutes.

---

## Doramagic Context Augmentation

The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints.

## Human Manual Outline

Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph.

Host AI hard rules:
- Do not treat page titles, section order, summaries, or importance values as factual project evidence.
- When explaining the Human Manual outline, state that it is only a reading route or salience signal.
- Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph.

- **Introduction, Quick Start, and Supported Services**: importance `high`
  - source_paths: README.md, docs/index.md, docs/services/index.md, bin/awslocal, docs/getting-started/quick-start.md
- **System Architecture: HTTP Router, Service Registry, and Lifecycle**: importance `high`
  - source_paths: src/main/java/io/github/hectorvent/floci/core/common/ServiceRegistry.java, src/main/java/io/github/hectorvent/floci/core/common/ServiceCatalog.java, src/main/java/io/github/hectorvent/floci/core/common/ResolvedServiceCatalog.java, src/main/java/io/github/hectorvent/floci/core/common/ProtocolClaimer.java, src/main/java/io/github/hectorvent/floci/core/common/AwsProtocolClaimFilter.java
- **AWS Wire Protocol Support and Service Compatibility**: importance `high`
  - source_paths: src/main/java/io/github/hectorvent/floci/core/common/AwsJsonController.java, src/main/java/io/github/hectorvent/floci/core/common/AwsJson11Controller.java, src/main/java/io/github/hectorvent/floci/core/common/AwsJsonCborController.java, src/main/java/io/github/hectorvent/floci/core/common/AwsJsonMessageBodyWriter.java, src/main/java/io/github/hectorvent/floci/core/common/AwsQueryController.java
- **Storage Backends, Persistence Modes, and Multi-Account Isolation**: importance `high`
  - source_paths: src/main/java/io/github/hectorvent/floci/core/storage/StorageBackend.java, src/main/java/io/github/hectorvent/floci/core/storage/InMemoryStorage.java, src/main/java/io/github/hectorvent/floci/core/storage/PersistentStorage.java, src/main/java/io/github/hectorvent/floci/core/storage/HybridStorage.java, src/main/java/io/github/hectorvent/floci/core/storage/WalStorage.java

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `f5d8748703a06c89714bb758eddaf0edc969cade`
- inspected_files: `README.md`, `docker-compose.yml`, `docs/configuration/advanced/application-yml.md`, `docs/configuration/application-yml.md`, `docs/configuration/docker-compose.md`, `docs/configuration/docker-images.md`, `docs/configuration/docker.md`, `docs/configuration/environment-variables.md`, `docs/configuration/initialization-hooks.md`, `docs/configuration/multi-account.md`, `docs/configuration/ports.md`, `docs/configuration/storage.md`, `docs/configuration/tls.md`, `docs/contributing.md`, `docs/getting-started/aws-setup.md`, `docs/getting-started/installation.md`, `docs/getting-started/migrate-from-localstack.md`, `docs/getting-started/quick-start.md`, `docs/index.md`, `docs/services/acm.md`

Host AI hard rules:
- Without repo_clone_verified=true, do not claim that the source code has been read.
- Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts.
- Without quick_start_verified=true, do not claim that the Quick Start path has run successfully.

## Doramagic Pitfall Constraints

These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes.

### Constraint 1: Security or permission risk requires verification

- Trigger: Developers should check this security_permissions risk before relying on the project: [BUG] ACL grant is not honoured
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: [BUG] ACL grant is not honoured. Context: Observed when using docker
- Why it matters: Developers may expose sensitive permissions or credentials: [BUG] ACL grant is not honoured
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1767
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 2: Security or permission risk requires verification

- Trigger: Developers should check this security_permissions risk before relying on the project: [BUG] ECS services with load balancers fail to register ELBv2 targets when multiple tasks use container port 80
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: [BUG] ECS services with load balancers fail to register ELBv2 targets when multiple tasks use container port 80. Context: Observed when using docker
- Why it matters: Developers may expose sensitive permissions or credentials: [BUG] ECS services with load balancers fail to register ELBv2 targets when multiple tasks use container port 80
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1778
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 3: Security or permission risk requires verification

- Trigger: Developers should check this security_permissions risk before relying on the project: [BUG] Lambda execution role is not assumed; runtime always authenticates as root
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: [BUG] Lambda execution role is not assumed; runtime always authenticates as root. Context: Observed when using docker
- Why it matters: Developers may expose sensitive permissions or credentials: [BUG] Lambda execution role is not assumed; runtime always authenticates as root
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1777
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 4: Security or permission risk requires verification

- Trigger: Developers should check this security_permissions risk before relying on the project: [BUG] SAM transform drops `PackageType` on `AWS::Serverless::Function` — a container-image function deploys as a broken Zip function
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: [BUG] SAM transform drops `PackageType` on `AWS::Serverless::Function` — a container-image function deploys as a broken Zip function. Context: Observed when using docker
- Why it matters: Developers may expose sensitive permissions or credentials: [BUG] SAM transform drops `PackageType` on `AWS::Serverless::Function` — a container-image function deploys as a broken Zip function
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1770
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 5: Security or permission risk requires verification

- Trigger: Developers should check this security_permissions risk before relying on the project: [BUG] s3: PHP fopen on S3 objects fails with "Stream is not seekable"
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: [BUG] s3: PHP fopen on S3 objects fails with "Stream is not seekable". Context: Observed during installation or first-run setup.
- Why it matters: Developers may expose sensitive permissions or credentials: [BUG] s3: PHP fopen on S3 objects fails with "Stream is not seekable"
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1632
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.
