← Home
CopaMigo · Operational Runbook

Deployment Guide: From Prototype to GCC Pilot

Companion to the CopaMigo PRD · May 2026

What this document is. The PRD describes what CopaMigo is and why it works the way it does. This document describes what taking it from a prototype on GitHub Pages to a production pilot at GCC actually requires. It is operational, not strategic. It is meant to answer the question, “what would the next sixty days of work look like?”

Architecture assumed. This guide describes the path for Scenario B in PRD Section 08b, AWS Bedrock with Claude as the model layer. Other scenarios (direct Anthropic API, Azure OpenAI, Salesforce Agentforce, hybrid) require different operational steps and are out of scope for this document.

01. Pilot Scope

The pilot is a single-college deployment at GCC, intentionally bounded in size so that operational issues surface before they scale. Specifically:

What pilot success looks like

Pilot success is not “a lot of students used it.” Pilot success is whether the students who needed CopaMigo most found it, whether the routed contact info actually got them to a person, and whether the per-office chat fallback (R-14) found a sustainable staffing model. Specific metrics live in PRD Section 10. This deployment guide is about getting to a pilot that can produce honest data, not about hitting a usage target.

02. Pre-Launch Checklist

The following items must be in place before any student can interact with the pilot. Each is described in detail in later sections of this document.

Infrastructure and architecture

Knowledge base and content

Compliance and accessibility

Operational readiness

03. Infrastructure Setup (AWS Bedrock Path)

AWS account and IAM

The pilot lives in a Maricopa-owned AWS account. New IAM roles needed at minimum:

Bedrock model access

Claude models on Bedrock require explicit per-region enablement. The pilot should:

  1. Choose a region (us-west-2 is the default for Bedrock + Claude availability)
  2. Request model access in the AWS console for the specific Claude version that will be used in production. Pin the model version explicitly in application code; do not use “latest” pointers
  3. Test the model with a representative system prompt and verify token usage matches expectations
  4. Set CloudWatch billing alarms at expected and 2x-expected monthly token spend so cost overruns get caught early

Application hosting

For pilot scale (one college, single semester), the simplest viable hosting is AWS Lambda behind API Gateway:

Why Lambda instead of a long-running server: the pilot’s traffic is bursty (peaks at semester start, between class periods, late at night before assignments are due) and Lambda’s per-request billing matches that pattern more cleanly than an always-on server. If the pilot demonstrates sustained traffic that would be cheaper on Fargate or EC2, the migration is straightforward and not pilot-blocking.

Secrets management

The application server needs the Bedrock API access to call Claude. AWS Secrets Manager holds anything sensitive; nothing lives in code or environment variables baked into the deployment artifact.

04. Application Architecture

The architectural shift between prototype and production is that the application becomes a server-side proxy. The student’s browser never holds an API key, never calls Bedrock directly, and never has access to the system prompt. This is a meaningful security improvement and is also what makes anonymous request logging, rate limiting, and cost control possible.

Request flow

  1. Student types or speaks a question in the browser. Voice transcription happens client-side via Web Speech API (no audio is sent to the server).
  2. The browser POSTs the conversation history (current and previous messages in this session) to copamigo.gccaz.edu/api/respond.
  3. API Gateway applies rate limiting (per-IP and global). Excess requests return a polite throttling message.
  4. The Lambda function adds the system prompt, calls Bedrock, receives the response, and returns it to the browser.
  5. The browser renders the response (empathy message + service cards + linkified contact info).
  6. A redacted log entry is written to CloudWatch: timestamp, query category (inferred from response routing), routing decision, response time, token count, and a hash of the IP for rate limiting. Not logged: the question text, the response text, any student-identifying information.

Anonymous logging principles

The logging design respects the data sovereignty position described in PRD Section 08b. The principle: log enough to operate the service, not enough to identify a student or reconstruct what they asked.

Rate limiting and abuse prevention

05. Knowledge Base Maintenance Pipeline

The system prompt is the knowledge base. Updating it correctly is the single most important operational discipline of the pilot. The advisor-submission form (R-17) handles content collection from departments; this section describes how that content actually becomes part of the deployed bot.

The submission-to-deployment pipeline

Step 1
Department fills out the submission form

The advisor submission form at /copamigo/advisor-form/ generates a structured submission containing the office’s plain-language label, what the service actually does, contact info (email, phone, building map URL, hours, walk-in policy), what to say or bring when arriving, and any service-specific knowledge (typical wait times, peak periods, who handles what). The output is a copyable text block.

Step 2
Pilot lead reviews the submission

The pilot lead reviews each submission for completeness and verifies all URLs and phone numbers actually work. URL verification: every URL in the submission is opened in a fresh browser to confirm it doesn’t 404 and points to the right page. Phone verification: a test call confirms the number reaches the right office.

Step 3
Submission integrated into system prompt

The verified content gets pasted into the appropriate section of the system prompt source file. The system prompt lives in source control alongside the application code; updates are commits, not console edits. This makes every change reviewable, reversible, and auditable.

Step 4
Tested in staging

Before any system prompt change reaches production, it runs against a fixed set of test questions in a staging environment. Test questions cover representative scenarios per service: stigma-aware routing, crisis escalation, multilingual response, edge cases like instructor-first routing. The same test set runs every deployment to catch regressions.

Step 5
Deployed to production

After staging tests pass, the change is deployed to production. CloudWatch monitoring confirms response latency and error rates remain in normal ranges in the hour following deployment. If they don’t, automatic rollback to the previous version.

A note on system-prompt versioning

The system prompt is a piece of software. Treating it that way (source control, code review, automated testing, controlled deployment) is not over-engineering; it is the difference between a tool that gives reliable answers and a tool that drifts unpredictably as people make ad-hoc edits. The PRD describes departments owning their content; this guide describes how that content becomes deployed code without sacrificing the department’s editorial control.

06. Per-Office Chat Platform (Phase 2)

R-14 and PRD Section 07 describe the per-office chat fallback as the safety net. The prototype does not have this wired up; the pilot does. This section describes what the production chat layer requires.

Platform options to evaluate

Recommendation: start with LibAnswers for offices that already use it (library, ask-a-librarian) and extend to a single additional platform (likely Intercom or Zendesk) for the other participating offices. Keep the chat platform decision reversible during the pilot, multi-vendor for the pilot is acceptable; consolidation can happen post-pilot once volume and staffing patterns are known.

Per-office staffing and onboarding

Each participating office identifies the existing staff member who will receive chats. Most offices have an obvious person: the front-desk admin, the program coordinator, the social work intern who already triages walk-ins. Onboarding for that person is approximately 30 minutes and includes:

Removing the prototype chat shim

The prototype includes a placeholder modal that fires when a student taps “Still stuck? Chat with this office” on any non-crisis card. The modal explains the chat is not yet live and tells the student to use the contact options on the card instead. This shim must come out before production launch, it would be confusing or alarming to a real student in a real deployment.

Specific cleanup in index.html:

Smoke test before launch: tap the chat link on at least three different service cards and confirm the real chat opens, lands in the right office’s queue, and the staff member on the other side actually receives it. Also confirm that the four excluded cards (crisis, Title IX, instructor, campus police) still do NOT show a chat link, those should stay phone- or website-routed per the design intent in PRD Section 07.

07. Monitoring and Incident Response

Dashboards

The pilot lead needs three dashboards visible at all times:

Alarms

Incident response

The pilot needs a single on-call rotation across the engineering team with a runbook covering the most likely incidents:

08. Cost Estimates

These are pilot-scope estimates only. They assume one college, one semester, conservative traffic projections (5,000 student conversations during the pilot window, average 2,500 tokens per conversation including system prompt and response). District-scale projections require a Maricopa-specific AWS pricing conversation that has not happened yet (PRD Open Questions appendix).

Line itemNotesPilot cost
Bedrock token usage5,000 conversations × 2,500 tokens × Claude pricing$300 – $600
Lambda executionBursty traffic, well within free tier most months< $50
API GatewayRequest count for pilot scale< $50
S3 + CloudFrontStatic assets, low traffic< $25
Secrets Manager2-3 secrets, monthly fee< $15
CloudWatch logs and dashboardsLog retention 90 days$25 – $75
Domain and certificateIf new domain; existing subdomain free via ACM$0 – $20
Chat platform (Phase 2)LibAnswers + one additional vendor for participating offices$300 – $1,200
Pilot total (semester)Excluding labor; excluding WCAG audit (one-time)$700 – $2,000
One-time costs not in the table: WCAG 2.1 audit ($3,000 – $8,000 depending on vendor); legal review of crisis routing and FERPA position (institutional, no out-of-pocket if district counsel handles it); pilot lead time (institutional). District-scale operating cost would be roughly proportional to conversation volume; the cost model is not the limiting factor at any plausible Maricopa scale.

09. Pilot Launch Checklist

The week before the pilot opens to students, walk this list. Anything still open is a launch-blocker.

10. Post-Pilot Evaluation Gate

The pilot ends with a formal evaluation conversation, not an automatic rollover into district scale. The gate is a deliberate decision point: based on what the pilot showed, does Maricopa want to keep this tool, change it, scale it, or not?

Evidence the pilot needs to produce

Decisions on the table at the gate

The honest framing

A pilot that produces a clear “no” is a successful pilot. The point is to find out whether this works at GCC’s scale and culture before committing to district-wide deployment. The architecture, the data sovereignty position, and the operational runbook all support a decision either way; what they prevent is a year-from-now situation where Maricopa is stuck with a tool that drifted into use without anyone deciding it was a good idea.