| { |
| "name": "Incident response", |
| "objective": "Turn a fresh alert into a triaged, evidence-backed incident with a clear owner and a postmortem trail, without an engineer doing the mechanical correlation by hand.", |
| "trigger": { |
| "type": "event", |
| "cadence_or_event": "A pager alert fires or an error budget burn crosses a threshold; then refresh every 2-5 minutes while the incident is open." |
| }, |
| "intake": { |
| "sources": ["alert payload", "dashboards and logs", "traces", "recent deploys and config changes", "pager and ownership state"], |
| "selection_rule": "Triage the alerting service only; correlate signals and assign severity from impact evidence, not the alert text alone." |
| }, |
| "workspace": { |
| "isolation": "Read-only access to observability systems, change logs, and pager state; no remediation surface.", |
| "allowed_actions": ["read metrics, logs, and traces", "open or update an incident record", "post status", "page the on-call owner"], |
| "disallowed_actions": ["roll back", "restart services", "change config", "run remediation"] |
| }, |
| "context": { |
| "required_files": ["incident runbook", "service ownership map", "severity policy"], |
| "runtime_sources": ["live metrics", "log queries", "trace samples", "recent change log", "pager state"] |
| }, |
| "agents": [ |
| { |
| "role": "Observer", |
| "responsibility": "Gather metrics, logs, traces, and the recent change timeline." |
| }, |
| { |
| "role": "Correlator", |
| "responsibility": "Link the alert to likely causes such as a deploy, dependency, or saturation." |
| }, |
| { |
| "role": "Reporter", |
| "responsibility": "Write a concise incident summary with severity, impact, and hypothesis." |
| }, |
| { |
| "role": "Escalator", |
| "responsibility": "Page the right owner and hand off when mitigation is required." |
| } |
| ], |
| "verification": { |
| "gates": ["severity is backed by concrete impact evidence", "the correlated cause cites specific deploys, logs, traces, or metrics", "missing telemetry is reported as unknown, never healthy"], |
| "receipts": ["incident ID and severity", "signal timeline", "correlated cause with evidence links", "owner handoff record"] |
| }, |
| "state": { |
| "artifacts": ["incident record", "postmortem seed timeline"], |
| "update_rule": "Append signals, hypotheses, and handoffs each interval so the timeline can seed the postmortem." |
| }, |
| "budget": { |
| "max_retries": 2, |
| "max_runtime_minutes": 120 |
| }, |
| "escalation": { |
| "conditions": ["customer-facing outage", "data loss risk", "security signal", "missing telemetry", "mitigation requires production action"], |
| "destination": "On-call owner via pager with the evidence timeline" |
| }, |
| "exit": { |
| "success": "A human owner accepts the incident, or it auto-resolves with a recorded evidence trail.", |
| "stop_without_success": "Mitigation is required, telemetry is missing, or correlation cannot be grounded in evidence." |
| } |
| } |
|
|
