Operator Control Incident Runbook
Scope
Use this runbook when operator auth or control-plane behavior is degraded:
- unexpected operator write actions
- auth mode drift (
observe/standard/strict) or risk mismatch - repeated unauthorized control attempts
Immediate Containment
- Reduce operator blast radius:
- set operator auth mode to
strict - disable non-essential integrations if incident involves external calls
- set operator auth mode to
- Capture current control state and recent actions:
system_statustool_summarytool_summary_text
- Preserve artifacts:
~/.jarvis/audit.jsonl*- observability DB/event log snapshots
Triage Procedure
- Verify auth and trust posture:
system_status(checkoperator_auth,risk,identity)identity_trust(verify requester profile/session posture)
- Confirm whether unsafe actions were preview-gated:
- inspect
plan_previewand strict confirmation fields in status payload
- inspect
- Correlate timeline:
- operator server events (
/events) - recent tool records (
tool_summary,tool_summary_text)
- operator server events (
Rollback Procedure
- Revoke temporary guest sessions and elevated approvals:
- terminate guest capability windows via
identity_trust
- terminate guest capability windows via
- Reapply known-good operator config:
- restore expected auth mode and control preset
- Validate safe behavior:
- run read-only checks (
system_status,jarvis_scorecard) - run one controlled mutating preview flow and verify explicit ack is required
- run read-only checks (
Exit Criteria
- operator auth mode and risk signals stable for one observation window
- no unauthorized actions in recent audit timeline
- alert stream clear of control-plane anomalies