# Operator Control Incident Runbook ## Scope Use this runbook when operator auth or control-plane behavior is degraded: - unexpected operator write actions - auth mode drift (`observe`/`standard`/`strict`) or risk mismatch - repeated unauthorized control attempts ## Immediate Containment 1. Reduce operator blast radius: - set operator auth mode to `strict` - disable non-essential integrations if incident involves external calls 2. Capture current control state and recent actions: - `system_status` - `tool_summary` - `tool_summary_text` 3. Preserve artifacts: - `~/.jarvis/audit.jsonl*` - observability DB/event log snapshots ## Triage Procedure 1. Verify auth and trust posture: - `system_status` (check `operator_auth`, `risk`, `identity`) - `identity_trust` (verify requester profile/session posture) 2. Confirm whether unsafe actions were preview-gated: - inspect `plan_preview` and strict confirmation fields in status payload 3. Correlate timeline: - operator server events (`/events`) - recent tool records (`tool_summary`, `tool_summary_text`) ## Rollback Procedure 1. Revoke temporary guest sessions and elevated approvals: - terminate guest capability windows via `identity_trust` 2. Reapply known-good operator config: - restore expected auth mode and control preset 3. Validate safe behavior: - run read-only checks (`system_status`, `jarvis_scorecard`) - run one controlled mutating preview flow and verify explicit ack is required ## Exit Criteria - operator auth mode and risk signals stable for one observation window - no unauthorized actions in recent audit timeline - alert stream clear of control-plane anomalies