ARCHIVED 2026-03-23 — Superseded by ultimate-claude-code-skills-playbook.md. Archived copy at 2026-03.

Solanasis Cowork Master Setup Plan

Date: March 15, 2026 Author: Claude (verified by senior review agent) Purpose: Comprehensive plan for skills, MCP servers, integrations, tool routing, and CLAUDE.md configuration Status: Planning Phase — No changes made yet

Critical Issue: Web Research Tool Routing
CLAUDE.md Configuration Plan
MCP Servers & Integrations
Skills: Must-Install Now
Skills: Recommended for Later
Custom Skills to Build
Knowledge Architecture
Implementation Roadmap

1. Critical Issue: Web Research Tool Routing

The Problem

When both built-in WebSearch/WebFetch and Claude in Chrome MCP tools are available, Claude tends to default to Chrome for web research. This causes:

Slower execution — Chrome opens a browser, navigates, reads DOM trees. WebSearch returns results in one call.
Prompt injection risk — Anthropic self-reports ~1% attack success rate on Claude in Chrome from malicious web content. WebSearch/WebFetch have built-in content restrictions.
Context bloat — Chrome tools return full DOM trees (50,000+ chars). WebSearch returns concise search results.
Unnecessary complexity — Opening tabs, taking screenshots, reading page text for something a simple search query would solve.

Why This Happens

There is NO built-in priority system between WebSearch and Chrome MCP tools. When Claude sees Chrome tools available, it often selects them because:

They appear to provide “richer” results (full page content vs. search snippets)
Claude doesn’t distinguish between “research a topic” (→ WebSearch) and “interact with a website” (→ Chrome)
No CLAUDE.md instructions currently exist to guide tool selection

The Fix: Multi-Layer Enforcement (Strongest → Softest)

Critical insight (verified via Anthropic docs [R3]): CLAUDE.md is treated as context, not enforced configuration. It guides behavior but cannot prevent tool calls.

Design principle: Solanasis is an AI-native agency where Claude is the primary worker. Restrictions that require constant human approval defeat the purpose. Start trusted, monitor, tighten only if data shows a problem.

Layer 1: Browser Permissions — Allow Mode (TRUST FIRST)

Chrome tools should be set to Allow (usually the default). Claude needs full browser access for logins, dashboards, forms, screenshots, site testing, and all interactive work.

How: In Claude Code CLI, run /permissions and verify Chrome tools are set to Allow.

Why Allow: Claude does 50+ tasks/day autonomously. Ask mode creates constant interruptions. Monitor Chrome usage weekly; tighten to Ask only if Chrome is being used for basic Google searches > 20% of the time.

Layer 2: Add Better MCP Research Tools (MAKES CHROME FOR RESEARCH UNNECESSARY)

Give Claude high-quality non-browser research tools so Chrome becomes the least attractive option.

Recommended research MCP stack (in priority order):

MCP Server	What It Does	Cost	Setup
Exa MCP (remote)	8 tools: `web_search_exa`, `web_search_advanced_exa`, `company_research_exa`, `people_search_exa`, `get_code_context_exa`, `crawling_exa`, `deep_researcher_start`, `deep_researcher_check` (+ optional `deep_search_exa` with own API key)	Free (hosted remote MCP; `deep_search_exa` needs own API key)	`claude mcp add --transport http exa "https://mcp.exa.ai/mcp?tools=web_search_exa,web_search_advanced_exa,company_research_exa,people_search_exa,get_code_context_exa,crawling_exa,deep_researcher_start,deep_researcher_check"`
DuckDuckGo MCP	Web, news, image search	Free (unlimited, no API key)	`npm install -g duckduckgo-mcp`
Brave Search API	Classic index search	$5/1 k re q u es t s,$ 5 free credit	Backup if Exa + DDG insufficient

Start with Exa + DuckDuckGo. Only add Brave or others if search quality is insufficient.

Layer 3: CLAUDE.md Tool Routing Instructions (GUIDANCE)

CLAUDE.md provides persistent guidance that survives /clear and is read at session start. It makes Chrome-for-research less likely but cannot prevent it.

Source: Trail of Bits’ claude-code-config uses this exact pattern. Full recommended CLAUDE.md content is in the Architecture doc (Section 4).

Layer 4: Research-First Skill (OPTIONAL — TEACHES PREFERRED WORKFLOW)

A manual-only skill that encodes the preferred research sequence: MCP search → WebFetch → Chrome fallback. Build this during Phase 1 using skill-creator. See Custom Skills section for full definition.

Layer 5: Hooks (SKIP FOR NOW — Add Only If Monitoring Shows Problems)

PreToolUse hooks can programmatically deny Chrome calls for research. See Architecture doc (Section 5) for configuration. Do not add during initial setup. Only add after 2+ weeks of monitoring if Chrome misuse is > 20%.

Brave Search MCP — Step-by-Step Setup

Get API key: Go to https://brave.com/search/api/ → Sign up for free tier → Copy API key
Store API key: Add to your environment or .env file — NEVER in CLAUDE.md or settings.json

Configure in .mcp.json (project-level) or ~/.claude.json (user-level):

{
  "mcpServers": {
    "brave-search": {
      "command": "npx",
      "args": ["-y", "@anthropic-ai/brave-search-mcp"],
      "env": {
        "BRAVE_API_KEY": "${BRAVE_API_KEY}"
      }
    }
  }
}

Note: Exact package name may vary — verify at https://github.com/anthropics before installing. The pattern above follows Anthropic’s standard MCP server format.

Verify: Ask Claude “search for something using Brave” and confirm it uses the Brave tool, not Chrome
Update CLAUDE.md: Add “Prefer Brave Search (mcp__brave-search__*) for web research when available”
Rate limit: 2,000 queries/month (~65/day). More than enough for current Solanasis scale.

Settings.json Deny Rules — Full Reference

File location options:

User-level (global): ~/.claude/settings.json
Project-level (shared): .claude/settings.json in the project root
Local-only: .claude/settings.local.json (gitignored, personal overrides)

Recommended starting config (add to whichever settings file makes sense):

{
  "permissions": {
    "deny": []
  }
}

Start with an EMPTY deny list. Let CLAUDE.md instructions handle tool routing first. Only add deny rules if Chrome is still being used for research after 1 week of CLAUDE.md being active. If needed, add:
"deny": [
  "mcp__Claude_in_Chrome__get_page_text(*)",
  "mcp__Claude_in_Chrome__read_page(*)"
]
Caution: Blocking these tools will also prevent Chrome from reading pages during legitimate browser automation tasks. Only use if CLAUDE.md instructions aren’t sufficient.

2. CLAUDE.md Configuration Plan

Where CLAUDE.md Files Should Live

File	Location	Scope	Purpose
User-level	`~/.claude/CLAUDE.md`	All projects	Dmitri’s personal preferences, tool routing, global instructions
Project-level	`/solanasis-docs/.claude/CLAUDE.md`	This vault only	Solanasis-specific context, security rules, doc conventions
Memory files	`/solanasis-docs/memory/`	Persistent knowledge	People, glossary, project context (via productivity plugin memory-management)

Recommended User-Level CLAUDE.md Content

This would apply to ALL Cowork sessions, not just the Solanasis docs folder:

# Global Claude Instructions — Dmitri / Solanasis
 
## Identity
- You are working with Dmitri Zasage, CEO of Solanasis LLC
- Solanasis is a fractional CIO/CSIO/COO (fCIO/fCSIO/fCOO) firm targeting SMBs and nonprofits
- Core offerings: Security Assessments, Disaster Recovery Verification, Data Migrations, CRM Setup, Systems Integration, Responsible AI Implementation
 
## Tool Preferences — Web Research vs Chrome
 
### Default Research Tools (use FIRST):
1. WebSearch — For finding info, searching topics, current events, docs
2. WebFetch — For reading a specific URL when you have it
 
### Chrome Extension (use ONLY for):
- Logging into authenticated websites
- Filling out forms requiring interaction
- Multi-step website workflows requiring clicks
- Taking screenshots
- Browser automation tasks explicitly requested
 
### NEVER use Chrome for:
- General web searches (use WebSearch)
- Reading public webpages (use WebFetch)
- Research tasks (use WebSearch)
- Fact-checking (use WebSearch)
 
## Communication Style
- Bullet points and numbered lists preferred over long paragraphs
- Always include full name with acronyms (unless super common)
- Include "pro tips" for learning
- Use MD artifacts for clarifying questions with multiple choice
- Option A = recommended answer
 
## Technical Preferences
- SQL: lowercase keywords, snake_case for tables/cols/procs
- C#: snake_case for variables matching DB names
- Codebehind pattern for Blazor

Recommended Project-Level CLAUDE.md Updates

The existing /solanasis-docs/CLAUDE.md is good but should be extended:

# Additions to existing CLAUDE.md:
 
## Active Connectors
- ClickUp (project management)
- Google Calendar
- Gmail
- Canva (design)
 
## Key Context
- Tech stack: ClickUp, Xero, Coda wiki, Google Workspace, Google Voice
- Website: solanasis.com (cPanel/Namecheap hosting)
- Brevo for email marketing (List ID: 2)
- Payment: 50% upfront / 50% on delivery (full upfront under $2,500)
 
## Document Organization
- Playbooks are in /playbooks/ — action-oriented guides
- Brand materials in /brand-style/
- Meeting notes in /meeting-notes/
- Outreach materials in /outreach/

3. MCP Servers & Integrations

Currently Connected

Integration	Type	Status	Notes
ClickUp	MCP Connector	Active	Project management — tasks, docs, time tracking
Google Calendar	MCP Connector	Active	Event management, scheduling
Gmail	MCP Connector	Active	Email search, drafts, reading
Canva	MCP Connector	Active	Design creation and management
Claude in Chrome	MCP Extension	Active	Browser automation

Recommended Additions — Priority Order

Must-Add Now (Phase 1)

DuckDuckGo MCP — P1 (RECOMMENDED OVER BRAVE)
- What: Free web, news, and image search with no API key required
- Why NOW: Unlimited free queries, zero setup friction, no API key needed, reduces Chrome overuse for research
- Setup: npm install -g duckduckgo-mcp or Docker — no API key, no account needed
- GitHub: nickclyde/duckduckgo-mcp
- Cost: Completely free (unlimited queries)
- CLAUDE.md instruction: “Prefer DuckDuckGo MCP for web research when available”
Brave Search MCP — P1 (BACKUP OPTION)
- What: Independent search engine with API
- Why: Higher quality results than DuckDuckGo for technical queries
- Setup: API key from brave.com/search/api → configure in .mcp.json
- Cost: ⚠️ Pricing has changed — verify current free tier at brave.com/search/api before setup. Was 2,000 free queries/month, may now be credit-based (~$5/1,000 queries)
- Note: Only add if DuckDuckGo search quality is insufficient
GitHub MCP — P1 (IF USING GITHUB)
- What: Interact with GitHub repos, issues, PRs, code search
- Why: If managing infrastructure-as-code, SOP repos, or client documentation in GitHub
- Setup: One-click OAuth via GitHub’s official MCP server
- GitHub: github/github-mcp-server
- Cost: Free for all GitHub users
- When: Add now if using GitHub; defer if not

Should-Add Soon (Phase 2)

Google Drive MCP — P1
- What: Search and read Google Drive files directly from Claude
- Why: Solanasis uses Google Workspace. Docs, sheets, and presentations should be accessible without Chrome
- How to add: Settings → Connectors → Google Drive
- Cost: Free (part of Google Workspace)
- Note: Enterprise-only for full cataloging/RAG. Standard tier uses API search.
Slack MCP — P2 (when using Slack)
- What: Search messages, channels, send messages
- Why: If communicating with clients via Slack
- How to add: Settings → Connectors → Slack
HubSpot MCP — P2 (when CRM selected)
- What: Full CRM read/write — contacts, deals, companies, activities
- Why: If HubSpot is chosen as Solanasis CRM, direct integration eliminates Chrome CRM navigation
- How to add: Settings → Connectors → HubSpot
Exa MCP — P1 (RECOMMENDED — verified free, no API key needed)
- What: Semantic search engine with code search, company research, people research, live crawl, and deep-research tools
- Why: Remote MCP path requires no API key and is documented as free to use. Higher quality than DuckDuckGo for technical/business research. Returns LLM-optimized content.
- Setup: Add remote MCP endpoint (no API key required for basic use). Add API key later to lift rate limits.
- Docs: exa.ai/mcp and exa.ai/docs/reference/exa-mcp
- Cost: Free (remote MCP, no API key). 1,000 requests/month free with API key. Paid: $7/1k search requests.
- Also provides: Official Claude-oriented skills for company research, people research, papers, code search
- Source: Verified in [R25] of companion research doc

Evaluate Later (Phase 3+)

Filesystem MCP — P2 (EVALUATE)
- What: Official Anthropic MCP server for secure local file read/write with access controls
- Why: More granular file access than Cowork’s workspace scope
- GitHub: modelcontextprotocol/servers
- Cost: Free (official, open source)
- When: If you need Claude to access files outside the Cowork workspace folder
Memory MCP — P2 (EVALUATE)
- What: Official Anthropic MCP server providing a knowledge graph for persistent context across sessions
- Why: Could provide memory persistence between Cowork sessions (currently context resets)
- GitHub: modelcontextprotocol/servers
- Cost: Free (official, open source)
- When: When session-to-session context loss becomes a pain point
Wyre Technology MSP MCP — P2 (EVALUATE)
- What: 24+ MSP platform integrations (Autotask, ConnectWise, Datto, IT Glue, NinjaOne, etc.)
- Why: Direct integration with PSA/RMM tools clients use
- Setup: /plugin marketplace add wyre-technology/msp-claude-plugins
- Cost: Free (open source, hosted gateway or self-hosted)
- Risk: Unproven — needs dedicated evaluation session
- When: When first MSP/IT client engagement begins
Claude Code as MCP Server — P2 (EVALUATE)
- What: Claude Code CLI can run as an MCP server (claude mcp serve), exposing file editing and command execution to other MCP clients
- Why: If you want Cowork to delegate coding tasks to a Claude Code instance, or vice versa
- GitHub: steipete/claude-code-mcp
- Cost: Free (included with Claude Code CLI)
- Setup: Medium — requires JSON config in ~/.config/Claude/claude_desktop_config.json
- Note: This is the “Codex” integration — Claude Code IS the local coding agent. No separate “Codex” product exists on the Anthropic side. If you’re running Claude Code locally, this MCP bridge lets it communicate with Cowork.
Notion MCP — P3
- What: Search and read Notion pages and databases
- Why: Only if Solanasis or clients use Notion
- Cost: Free (OAuth, no API key purchase needed)
- Setup: Easy (OAuth flow via Notion’s official MCP)
Atlassian MCP (Jira + Confluence) — P3
- What: Query/create Jira tickets, search Confluence docs
- Why: If clients use Atlassian for project management or documentation
- GitHub: sooperset/mcp-atlassian
- Cost: Free (requires Atlassian Cloud account with PAT)
- Setup: Medium (Personal Access Token auth)

MCP Discovery Resources

When evaluating new MCP servers, use these directories:

mcpservers.org — 1,000+ indexed servers
mcp.so — Community-driven platform
Glama.ai MCP Directory — 19,000+ servers

4. Skills: Must-Install Now

UPDATE (2026-03-15 Verification): The 6 plugins below (Operations, Sales, Marketing, Engineering, Customer Support, Data) are Cowork-UI-only features. They do not exist in the Claude Code CLI plugin marketplace and cannot be installed or used in Claude Code sessions. These skills only work when using the Cowork web interface. For Claude Code CLI, equivalent workflows must be built as custom subagents in ~/.claude/agents/ or handled via CLAUDE.md instructions. See verification-report-2026-03-15.md for full details.

These are the skills that directly support what Solanasis is doing RIGHT NOW based on the playbooks, blog posts, outreach work, and operational needs I found in the docs folder.

Current Activity Assessment (from reading the docs vault)

Activity	Evidence	Skills Needed
Cold outreach to SMBs	7-day sprint playbook, CPA/broker/attorney outreach kits, MSP outreach	Sales: account-research, draft-outreach, call-prep
Content marketing	4+ blog posts, LinkedIn campaigns, social media posts	Marketing: content-creation, campaign-planning
GTM (Go-To-Market) strategy	Master GTM playbook, vertical analysis, pricing research	Operations: process-optimization, risk-assessment
Client deliverable design	Security assessment templates, ORB pack, FAQ library	Engineering: documentation, incident-response
Compliance positioning	Credential security playbook, compliance references	Operations: compliance-tracking, vendor-management
Data/CRM work	Clay/Earth CRM research, data references	Data: data-exploration, sql-queries

Phase 1 Must-Installs — Checkbox List

Operations Plugin (ALL 6 skills — this IS the business)

Sales Plugin (ALL 6 skills — growth engine)

Marketing Plugin (2 of 4 — supporting current content work)

content-creation
campaign-planning

Engineering Plugin (2 of 6 — client deliverables)

documentation
incident-response

Customer Support Plugin (1 of 5 — SOP building)

knowledge-management

Data Plugin (3 of 7 — migration wedge service)

data-exploration
data-validation
sql-queries

Total Phase 1: 20 skills from 6 marketplace plugins

Important: The Skills Acquisition Plan (companion doc) originally scoped Phase 1 as 12 skills (Operations + Sales only). This master plan expanded to 20 skills across 6 plugins. This document (master setup plan) is authoritative — use the Model Invocation Mapping below to manage context window budget. Set 8 of the 20 to manual-only invocation to stay under the comfortable threshold.

Context window impact: ~20 skill descriptions × ~200 chars = ~4,000 chars. This exceeds the comfortable threshold (~2,560 chars), which is why Model Invocation Mapping below sets 8 skills to manual-only — bringing auto-invoke descriptions to ~12 × ~200 = ~2,400 chars (under budget).

Model Invocation Mapping (Which Skills Auto-Fire vs. Manual-Only)

Skill	Auto-Invoke?	Rationale
compliance-tracking	YES	Triggers on “SOC 2”, “GDPR”, etc. — frequent
risk-assessment	YES	Triggers on “risk”, “what could go wrong” — frequent
vendor-management	YES	Triggers on “evaluate vendor”, “compare” — frequent
process-optimization	YES	Triggers on “bottleneck”, “streamline” — frequent
change-management	Manual	Less frequent — invoke when planning migrations
resource-planning	Manual	Less frequent — invoke for staffing/capacity
account-research	YES	Triggers on “research [company]” — daily use
draft-outreach	YES	Triggers on “draft outreach to” — daily use
call-prep	YES	Triggers on “prep me for my call” — daily use
create-an-asset	Manual	Invoke explicitly for proposal/demo generation
competitive-intelligence	Manual	Invoke explicitly for battlecard generation
daily-briefing	Manual	Invoke explicitly each morning
content-creation	YES	Triggers on “write a blog post”, “social media” — frequent
campaign-planning	Manual	Invoke explicitly for campaign planning sessions
documentation	YES	Triggers on “write docs”, “create runbook” — frequent
incident-response	YES	Triggers on “incident”, “production down” — critical
knowledge-management	Manual	Invoke after resolving client issues
data-exploration	YES	Triggers on “profile this dataset” — migration work
data-validation	Manual	Invoke explicitly during migration QA
sql-queries	YES	Triggers on “write a query” — migration work

Auto-invoke: 12 skills | Manual-only: 8 skills This keeps the active context budget manageable while ensuring the most-used skills fire automatically.

5. Skills: Recommended for Later

Phase 2 (Weeks 3-4) — Growth & Depth

Marketing Plugin completion:

competitive-analysis
performance-analytics

Engineering Plugin expansion:

code-review
system-design
tech-debt

Data Plugin expansion:

data-visualization
interactive-dashboard-builder
data-context-extractor (meta-skill for client engagements)

Customer Support Plugin expansion:

customer-research
escalation
response-drafting

GitHub: Marketing Skills Collection (coreyhaines31)

32 tactical growth skills — cherry-pick: positioning-angle, lead-magnet, direct-response-copy, email-sequences, keyword-research

GitHub: Universal SEO Skill (AgriciDaniel)

13 SEO sub-skills — seo-audit, seo-content, seo-technical, seo-schema, seo-plan

Phase 3 (Month 2) — Scaling

HR Plugin (when scaling contractors):

interview-prep
compensation-benchmarking
org-planning

Finance Plugin (when compliance work grows):

audit-support

Product Management Plugin:

feature-spec (for client requirement specs)
stakeholder-comms (for client status updates)

Partner Plugins (when accounts active):

Apollo (enrich-lead, prospect, sequence-load)
Common Room (if using signal-based selling)

GitHub: Trail of Bits Security Skills

Code security auditing — for integration/migration code review

GitHub: SOP Structure Skill (TheBushidoCollective)

Standard Operating Procedure templates

GitHub: Alireza Rezvani C-Level Advisory Skills

CEO/CFO/CTO/COO advisor roles — for fCIO positioning

Phase 4+ (Month 3+) — Specialization

Enterprise Search Plugin — When document sprawl becomes real Design Plugin — If reviewing client web assets Bio-Research Plugin — Skip entirely (not relevant) GitHub: Wyre MSP Plugins — When first MSP client engagement GitHub: SEO Machine — When blog content needs a publishing pipeline

6. Custom Skills to Build

These are Solanasis-specific skills that don’t exist anywhere. Build using the skill-creator skill already installed.

Priority 0 — Build Immediately (Part of Initial Setup)

Research-First Skill (COMPLEMENTS the research-agent subagent)
- Purpose: A lightweight skill for quick research tasks invoked manually via /research-first. For deep research, the research-agent subagent (defined in Architecture doc Section 3) is preferred — it runs in its own context with 15 turns and full tool access.
- How they work together:
  - /research-first = Quick, focused research on a specific topic (skill, runs in forked context)
  - research-agent subagent = Deep, multi-source research with structured reports (subagent, own context window)
  - The main agent decides which to use based on depth needed
- Start as: disable-model-invocation: true (manual-only, invoke with /research-first)
- Upgrade to: auto-invoke once proven
- Key behavior: Require source citation, require explanation if browser is used, distinguish facts from inference
- Template:
```
---
name: research-first
description: Use for quick external research. Search with MCP tools first, then fetch/extract, and use browser only when auth, JS rendering, or interactivity makes it necessary. For deep multi-source research, use the research-agent subagent instead.
disable-model-invocation: true
context: fork
agent: Explore
---
Research $ARGUMENTS thoroughly.
Required workflow:
1. Search with MCP tools first (Exa, DuckDuckGo, WebSearch).
2. Retrieve page content with WebFetch or extraction tools second.
3. Use browser tools only as a fallback.
4. State why browser was required if you use it.
5. Prefer official sources where possible.
6. Distinguish facts, inference, and uncertainty.
7. Return citations and concise evidence notes.
```
- Source: Recommended in companion research doc, pattern verified via Anthropic skill docs [R5]

Exa MCP Full Tool List (verified March 2026):

web_search_exa — Neural semantic web search (enabled by default)

web_search_advanced_exa — Advanced search with full filter controls

company_research_exa — Crawls company websites for business info, news, insights (enabled by default)

people_search_exa — Find people and professional profiles via LinkedIn

get_code_context_exa — Code examples, docs, and solutions from GitHub/SO (enabled by default)

crawling_exa — Extract full content from specific URLs

deep_researcher_start — AI research agent that searches, reads, and writes detailed reports

deep_researcher_check — Check status of deep research tasks

deep_search_exa — Deep search with query expansion (requires your own API key)

Recommended install command (enable all research tools except deep_search which needs separate API key):
claude mcp add --transport http exa "https://mcp.exa.ai/mcp?tools=web_search_exa,web_search_advanced_exa,company_research_exa,people_search_exa,get_code_context_exa,crawling_exa,deep_researcher_start,deep_researcher_check"
Note: deep_search_exa requires your own Exa API key configured separately. Add it later if needed:
claude mcp add --transport http exa-deep "https://mcp.exa.ai/mcp?tools=deep_search_exa&exaApiKey=YOUR_KEY"

Priority 1 — Build During Phase 1

Security Assessment Report Generator
- Input: Assessment findings (checklist results, vulnerability scan output, interview notes)
- Output: Professional .docx report with executive summary, risk matrix, detailed findings, remediation roadmap, compliance mapping (NIST CSF, CIS Controls)
- References: NIST Cybersecurity Framework (CSF), CIS Controls v8, OWASP Top 10
- Trigger: “generate security assessment report”, “write up assessment findings”
Disaster Recovery Verification Report
- Input: DR test results, RTO/RPO measurements, gap observations
- Output: .docx DR verification report with pass/fail by category, gap analysis, remediation priorities
- Test categories: Backup restoration, failover testing, communication plan, data integrity, RTO/RPO
- Trigger: “write DR report”, “document disaster recovery test results”
Client Onboarding Package Generator
- Input: Client name, industry, primary service, contact info
- Output: Discovery questionnaire, systems inventory template, stakeholder map template, engagement kickoff agenda, initial scope document
- Trigger: “onboard new client”, “create client package for [company]“

Build Time Estimates & QA Process

Custom Skill	Estimated Build Time	QA Method
Security Assessment Report Generator	2-3 hours	Run against sample findings, verify .docx output quality
DR Verification Report	1-2 hours	Run against mock DR test results, verify completeness
Client Onboarding Package Generator	1-2 hours	Generate package for a fictional client, review all outputs
Data Migration Planner	2-3 hours	Run against a sample migration scenario, verify runbook
Contractor Onboarding SOP	1 hour	Walk through the checklist manually
Responsible AI Assessment	2 hours	Run against a sample client AI inventory
Proposal Generator	2-3 hours	Generate 3 proposals for different service lines, review

QA process: For each custom skill, generate output for 2-3 test scenarios. Review for: completeness, professional tone, accurate framework references, proper formatting. Iterate SKILL.md until output consistently meets client-delivery quality.

Priority 2 — Build During Phase 2

Data Migration Planner
- Phases: Discovery → Planning → Extraction → Transformation → Loading → Validation → Cutover
- Output: Migration plan + runbook + rollback procedures
- Trigger: “plan data migration”, “create migration runbook”
Contractor Onboarding SOP
- Output: Provisioning checklist, training plan, SOP delivery schedule, competency verification
- Trigger: “onboard new contractor”, “create contractor setup checklist”
Responsible AI Assessment
- References: NIST AI RMF (Risk Management Framework), ISO 42001, EU AI Act
- Output: AI readiness assessment report
- Trigger: “AI assessment for [client]”, “responsible AI review”
Solanasis Proposal Generator
- Input: Client name, services requested, assessment findings
- Output: Branded .docx proposal with scope, timeline, pricing structure, team bios, references
- Trigger: “create proposal for [client]”, “generate SOW for [service]“

7. Knowledge Architecture

Based on the RAG playbook already in the vault and current best practices.

Recommended Layer Stack

Layer 1: CLAUDE.md (navigation + instructions)
  → Who we are, what we do, tool preferences, conventions
  → Read at every session start

Layer 2: Memory files (productivity plugin)
  → memory/people.md — key contacts, clients, partners
  → memory/glossary.md — Solanasis terminology, acronyms
  → memory/projects.md — active client engagements
  → CLAUDE.md hot cache — top ~100 lines of working context

Layer 3: Cowork workspace (active work)
  → solanasis-docs/ folder mounted
  → Direct file access for playbooks, templates, brand materials
  → Skills operate on these files

Layer 4: Claude Projects (stable reference — FUTURE)
  → When stable: playbooks, SOPs, assessment templates
  → Benefits: Native RAG, caching, 10x context expansion
  → Action: Create "Solanasis Core Knowledge" project with top 20 stable docs

Layer 5: MCP connectors (external data)
  → ClickUp tasks, Google Calendar, Gmail, Google Drive
  → Future: HubSpot CRM, Slack, MSP tools

Knowledge Map File (Create This)

Create /solanasis-docs/knowledge-map.md as a navigation layer:

# Solanasis Knowledge Map
 
## Playbooks (Action-Oriented Guides)
| Document | Purpose | Last Updated |
|---|---|---|
| Master_7Day_GTM_Sprint_2026-03-16.md | Current outreach sprint | Mar 16 |
| Solanasis_Master_GTM_Playbook_2026.md | Full GTM strategy | Mar 2026 |
| AI_Native_Outreach_Playbook_v1.md | Outreach methodology | Mar 2026 |
| ... | ... | ... |
 
## Client Delivery Templates
| Document | Purpose | Service Line |
|---|---|---|
| (to be created) | Security Assessment Report | Security Assessment |
| (to be created) | DR Verification Report | Disaster Recovery |
| ... | ... | ... |
 
## Brand & Voice
| Document | Purpose |
|---|---|
| solanasis-voice-profile.md | Brand voice guide |
| brand-style/ | Visual brand assets |
| ... | ... |

8. Implementation Roadmap

UPDATE (2026-03-15): The “Install X plugin” tasks below apply to Cowork UI only, not Claude Code CLI. For Claude Code, skip all marketplace plugin installs and focus on: CLAUDE.md config, Exa MCP, custom subagents, and knowledge architecture. The 3 custom subagents (research-agent, senior-reviewer, planner) are already installed and verified in Claude Code. See verification-report-2026-03-15.md.

Week 1: Foundation

Day	Task	Type	Details
1	Create/update CLAUDE.md files	Config	User-level + project-level with tool routing instructions
1	Install Operations plugin	Marketplace	6 skills — core business delivery
1	Install Sales plugin	Marketplace	6 skills — growth engine
2	Install Engineering (2 skills)	Marketplace	documentation + incident-response
2	Install Marketing (2 skills)	Marketplace	content-creation + campaign-planning
2	Install Customer Support (1 skill)	Marketplace	knowledge-management
3	Install Data (3 skills)	Marketplace	data-exploration + validation + sql-queries
3	Test tool routing	Validation	Run 5 research tasks, verify WebSearch is used instead of Chrome
3-5	Create knowledge-map.md	Doc	Navigation layer for the docs vault

Week 2: Enhancement

Day	Task	Type	Details
1	Set browser permissions to Ask	Permissions	Strongest enforcement layer
1	Install Exa MCP (remote, no API key)	MCP	Free, highest-quality search
1	Install DuckDuckGo MCP	MCP	Free unlimited backup search
1	Update CLAUDE.md	Config	Add tool routing + research preferences
2	Connect Google Drive	MCP	Direct file access without Chrome
2-3	Build Security Assessment skill	Custom	Using skill-creator
3-4	Build DR Verification skill	Custom	Using skill-creator
5	Build Client Onboarding skill	Custom	Using skill-creator

Week 3: Growth & Content

Day	Task	Type	Details
1-2	Install remaining Marketing skills	Marketplace	competitive-analysis + performance-analytics
2	Install GitHub SEO skill	GitHub	AgriciDaniel/claude-seo
3-4	Install GitHub Marketing skills	GitHub	Cherry-pick from coreyhaines31/marketingskills
5	Install remaining Engineering skills	Marketplace	code-review + system-design + tech-debt

Month 2: Scale

Week	Task	Type
1	Evaluate Wyre MSP MCP platform	MCP
1	Install HR plugin (if scaling contractors)	Marketplace
2	Build Data Migration Planner skill	Custom
2	Build Proposal Generator skill	Custom
3	Install Apollo/Common Room (if accounts active)	Partner
4	Add Exa API key if rate limits are hit	MCP

Validation & Rollback

How to Know Phase 1 Is Working

Check	Method	Expected Result
Tool routing	Ask Claude 5 research questions	WebSearch used, NOT Chrome navigate/read_page
Skills auto-invoke	Say “research Acme Corp before my call”	account-research + call-prep fire automatically
Skills manual-invoke	Say “create a battlecard”	competitive-intelligence fires only when explicitly asked
Context budget	Check for “Excluded skills” warnings	No warnings in normal operation
Custom skills	Generate a security assessment report	Output is professional, complete, and formatted

Rollback Plan

If something breaks after Phase 1 installation:

Skills causing context warnings: Set problematic skills to disable-model-invocation: true in the plugin’s local config
CLAUDE.md causing unexpected behavior: Comment out the tool routing section temporarily (wrap in )
Brave Search MCP not working: Remove the server entry from .mcp.json — falls back to WebSearch automatically
Entire plugin causing issues: Uninstall via /plugin uninstall [name]@knowledge-work-plugins
Nuclear option: Reset to current state by removing all new .claude/settings.json entries and uninstalling plugins

Quarterly Review Checkpoint

Every 3 months, validate:

Tool routing still correct (CLAUDE.md rules haven’t been overridden by updates)
Active skill count is manageable (no “Excluded skills” warnings)
Custom skills still produce quality output
MCP servers are connected and functional
Knowledge-map.md is current

Summary: What Gets Done When

Immediate (This Week)

Browser permissions → Ask — Hard enforcement (strongest layer)
Exa MCP (remote, no API key) — Best free research backend
DuckDuckGo MCP — Unlimited free backup search
CLAUDE.md tool routing — Guidance layer for research behavior
Research-first skill — Teaches preferred search sequence
Operations + Sales plugins — Core business + growth engine
3 more marketplace plugins (Marketing/Engineering/CS/Data) — Client delivery support

Soon (Next 2 Weeks)

Google Drive MCP — Direct doc access
3 custom skills — Security Assessment, DR Verification, Client Onboarding
Hooks (optional) — Add if permissions + CLAUDE.md aren’t sufficient

Later (Month 2+)

GitHub skills — SEO, marketing, security
Partner integrations — Apollo, CRM, MSP tools
Remaining custom skills — Migration Planner, Proposal Generator, AI Assessment

Subscription & Spend Strategy

Based on verified research from companion doc: claude-code-browser-last-research-stack_handoff_2026-03-15.md

Current Free Stack (No Additional Spend)

Tool	Purpose	Cost	Status
Claude Max plan	Core AI platform	Already paid	Active
Exa MCP (remote)	Pro-grade semantic search	Free (no API key)	Add now
DuckDuckGo MCP	Backup web search	Free (unlimited)	Add now
WebSearch/WebFetch	Built-in search tools	Free (included)	Active
Chrome extension	Interactive browser tasks	Free (included)	Active, gated by permissions

Tier 1 — Best Immediate Value (Minimal Spend)

Install Exa MCP — free, highest quality, no API key
Install DuckDuckGo MCP — free unlimited backup search
CLAUDE.md tool routing guidance — free, teaches efficient tool selection
Chrome permissions: Allow — let Claude work autonomously
Use Codex as parallel verifier — already available locally

Tier 2 — If Research Quality Needs Improvement

Exa API key — $7/1k search requests, 1,000 free/month
Firecrawl — If web extraction/scraping depth is needed (subscription-based)
Brave Search API — $5/1 k re q u es t s w i t h$ 5 free monthly credit

Tier 3 — Human-Led Research Seat (Optional)

Perplexity Pro — $17/month billed annually
- Great for: human-led deep research, report drafting, executive-facing answers
- Does NOT include: API access for Claude Code (API is separately billed, pay-as-you-go)
- Fireflies promotion: Fireflies Pro ($10/seat/month annual) includes 1 year free Perplexity Pro
  - Worth it ONLY if you also want Fireflies for meeting transcripts/intelligence
  - Does NOT make Perplexity API free — product seat only
  - Auto-renews unless cancelled before promo period ends
- Decision: Claim if free via Fireflies and you want meeting intelligence. Don’t buy just for Claude Code research.

What NOT to Buy

Perplexity Pro/Max expecting it to power Claude Code MCP research — API is separately billed
Multiple search MCPs simultaneously — Start with Exa, add others only if insufficient
Firecrawl before proving Exa is insufficient — Avoid subscription commitment before validation

Codex Integration Strategy

Start simple, upgrade later:

Phase 1 (Now): Use Codex as a separate verification window
- Paste key claims or research findings into Codex
- Ask Codex to verify independently using its built-in web search
- No integration setup required — just use it as a second-opinion tool
Phase 2 (When proven useful): Evaluate MCP integration
- Codex can run as MCP server via codex mcp-server
- This would let Claude delegate verification tasks to Codex programmatically
- Status: Technically plausible but operationally unproven [Source: R17 in companion research doc]
- Don’t invest setup time until Phase 1 proves the verifier workflow is valuable

Why not integrate immediately: The Claude→Codex MCP bridge hasn’t been proven turnkey in practice. Starting with a separate window costs nothing and gives you the same verification benefit.

Appendix: Key References

Claude Code Settings Documentation — Official settings reference
Trail of Bits claude-code-config — CLAUDE.md best practices and tool preference patterns
Cowork Safety Guide — Chrome injection risks
Brave Search API — Free search MCP setup
Exa MCP Server — Semantic search alternative
Wyre Technology MSP Plugins — MSP platform integrations
Solanasis RAG Playbook — Internal knowledge architecture guide

Operating Modes: Local vs Remote Control vs Cloud Web

Important context for understanding where configurations apply.

Mode	Config Source	Local Tools?	Plugins?	Best For
Local CLI / Desktop	`~/.claude/` + `.claude/`	Yes	Yes	Primary development — all configs work
Remote Control	Local machine (session stays local)	Yes	No	Mobile/browser access while keeping local MCP servers, filesystem, and project config
Cloud Web Sessions	Repo-level only	No	No	Quick access — user settings don’t carry over, repo hooks do

If you want browser/mobile access while keeping local tools: Use Remote Control, not cloud web sessions. This preserves your local MCP servers, filesystem access, and ~/.claude/ config.

Source: Verified in Anthropic docs [R13][R14][R15] of companion research doc.

Success Metrics

Phase 1 Success Criteria (After 1 Week)

Metric	Target	How to Measure
Research tool routing	80%+ of research queries use WebSearch/Exa/DDG instead of Chrome	Track Chrome permission Ask prompts — if rare, it’s working
Planning before execution	Multi-step tasks show plan before starting	Observe in first 10 multi-step tasks
Verification firing	Senior reviewer runs on documents and deliverables	Check if review verdicts appear before final output
Chrome for legitimate use	Chrome still works for logins, dashboards, site previews	Test 3 interactive tasks (login, form fill, site check)
Context window health	No “Excluded skills” warnings	Monitor during first week of plugin use

When to Escalate Enforcement

Week 1: Permissions (Ask) + CLAUDE.md + skills — observe behavior
Week 2: If Chrome still used for research > 20% of the time → add hooks
Week 3: If hooks aren’t sufficient → switch specific Chrome tools from Ask to Deny
Month 2: If all layers working → consider relaxing hooks (save tokens)

Pro Tips

Permissions are the strongest layer, not CLAUDE.md. CLAUDE.md is guidance (context); permissions are enforcement. Always set browser tools to Ask first.
The 1% Chrome injection risk is real. Anthropic publishes this number. For a cybersecurity firm, this matters for credibility — we should practice what we preach.
Don’t install all plugins at once. Each plugin’s skill descriptions consume context window. Start with Operations + Sales, validate they work, then add more.
Custom skills > marketplace skills for client deliverables. A Solanasis-branded security assessment template will always outperform a generic “risk-assessment” skill.
Knowledge map before knowledge dump. The RAG playbook in your vault already says this. Create knowledge-map.md before adding more docs.
Exa MCP remote path = zero-friction test. No API key, no account, no credit card. Just add the remote endpoint and start searching.
Start research-first skill as manual-only. Use disable-model-invocation: true. After 1 week, promote to auto-invoke if it works well.
The data-context-extractor skill is a sleeper hit — for each client engagement, build a skill that understands THEIR specific data. Massive differentiation.
Skills are composable — Chain account-research → call-prep → draft-outreach as one prospecting workflow.
Codex as separate verifier window is the safest starting approach. Use it as a second-opinion tool (paste key claims, ask Codex to verify) rather than trying to integrate as MCP server immediately. Upgrade to MCP integration later once the basic workflow is proven.
ENABLE_CLAUDEAI_MCP_SERVERS=false — Use this env var if unwanted Claude.ai MCP servers are auto-flowing into your Claude Code sessions.
Wyre Technology MSP MCP could be the highest-ROI integration if it works — direct PSA/RMM access. But it’s unproven. Dedicate a session to evaluate before depending on it.

This is a living document. Update as skills are installed, MCP servers connected, and configurations validated.

Solanasis Docs

Explorer

solanasis-cowork-master-setup-plan