Scholarship Finder — Cloud Architecture

A scheduled, intelligence-assisted pipeline that finds scholarships, matches them to two student profiles, reports ranked matches for human review, then assists with submission — human-gated throughout.

github.com/rrittich/scholarship-finder · decided 2026-06-23

The pipeline

Discover

Search / scrape allowed sources

▸

Normalize

Extract to schema · dedupe

▸

Match

Score vs each son

▸

Report

Ranked, deadline-aware

▸

5 · you

Review ✋

Approve / reject

▸

Submit

Assisted · you send

Execution model — free brain · human gate · metered hands

🧠 Brain FREE under Max

Capabilities 1–4 · runs on a cron in Anthropic's cloud, independent of the Mac

Claude Code Routine

“Acts as you.” Draws normal Max subscription usage — no per-hour / API metering. Daily run cap during research preview.

▼ hydrates instructions & reads / writes memory ▼

GitHub (private repo) = memory · program · audit

instructions/*.md (the hydrated brain) · data/scholarships · data/matches · data/state.json · data/reports
Commits every run (heartbeat). Native GitHub App auth — no token injection.

✋

Human review

You approve via email / PR
between brain and hands.
Nothing submits without you.

🤖 Hands METERED

Capability 5 · fired only on approved items — pay where paying is fine

Claude Managed Agent

Anthropic brain + Cloudflare hands. $0.08 / session-hr + tokens.

Browser Run — fills proprietary web forms
send_email — email submissions + PDFs
Zero-trust encrypted secret injection

Alternative hands

VPS2 (Windows + Playwright) · Manus (prepaid agent)

Caveats & call-outs

⚠ load-bearing

Discovery needs open egress

The routine sandbox blocks arbitrary web fetch by default (allowlist only). Set the environment's network access to Full or capability 1 can't reach scholarship pages.

⚠ load-bearing · PII

Profiles never committed plaintext

Minors' particulars stored as encrypted *.enc.json; decrypted only in routine memory. Reports reference a son by id / first name only.

caution

Heartbeat every run

Every run commits something (even “0 new matches”) — a missing commit is itself the failure alarm. Ephemeral cron jobs fail silently.

resolved

No token injection

Native GitHub App auth (or /web-setup) — the routine inherits your identity. Don't stash a PAT in env vars; those are stored plaintext-readable.

cost

Routines ≠ Managed Agents

Routines are free under Max (“act as you”). The $0.08/hr + token metering is the separate Managed Agents product (“acts as a service”).

provisional

Billing is current-but-provisional

The June 15 2026 split (Agent SDK / claude -p off-subscription → metered credit) was paused. Programmatic usage still draws from Max “for now,” advance notice promised.

policy

Human-gated, always

Never auto-submits; never ghost-writes an essay submitted as a son's own work. Many scholarships require authentic student work — the system assists, you decide.

limits

Cadence

Routine cron minimum granularity is 1 hour (daily is plenty). Per-run ceiling ≈ 4 vCPU / 16 GB / 30 GB.

Free (Claude Max) Metered (only on approved) Human gate Load-bearing caveat

Considered & rejected spines: Arbol / Cloudflare Workers · Windows VPS2 (all-in-one) · Power Automate (cuts against Microsoft-Independence). Full rationale in the repo's ARCHITECTURE.md.