en un clic
incident-response
Structured incident investigation and resolution
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
Menu
Structured incident investigation and resolution
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
Basé sur la classification professionnelle SOC
Create Architecture Decision Record
Design API contracts with OpenAPI specifications
Assess architecture decisions tradeoffs and edge cases
Design database schemas with migrations and repository interfaces
Break requests into parallel tasks for team execution
Audit dependencies for vulnerabilities and plan upgrades
| name | incident-response |
| description | Structured incident investigation and resolution |
| allowed-tools | Read, Edit, Write, Bash, Glob, Grep |
Structured workflow for investigating production incidents, identifying root causes, implementing fixes, and writing post-mortems. Speed matters -- follow the steps in order but don't over-analyze before acting.
Immediately determine the scope and severity of the incident:
| Question | How to Answer |
|---|---|
| Which tenants are affected? | Check error logs filtered by tenant_id, check monitoring dashboards |
| What functionality is broken? | Check health endpoints, test critical paths, review error types |
| When did it start? | Check deploy timestamps, metric anomaly detection, first error log |
| Is it getting worse? | Check error rate trend over last 15 minutes |
| Is there a workaround? | Assess if affected users can use alternative paths |
Severity Classification:
| Severity | Criteria | Response |
|---|---|---|
| SEV-1 | Service down, data loss, security breach, all tenants affected | All hands, continuous updates every 15 min |
| SEV-2 | Major feature broken, significant tenant subset affected | Dedicated team, updates every 30 min |
| SEV-3 | Minor feature degraded, few tenants affected | Next business day, update on resolution |
| SEV-4 | Cosmetic issue, no functionality impact | Backlog, fix in next sprint |
Output: Impact assessment with severity, affected tenants/features, and timeline.
Gather all available diagnostic data BEFORE making changes:
Logs:
# Recent error logs (adjust for your logging system)
# Filter by time window, error level, and affected service
Look for:
Metrics:
Traces:
Recent Changes:
# Recent deployments
git log --oneline --since="24 hours ago"
# Recent config changes
# Check deployment pipeline logs
# Recent infrastructure changes
# Check Terraform/Kubernetes change logs
Output: Evidence document with logs, metrics, traces, and timeline.
Use the 5 Whys methodology to dig past symptoms to the root cause:
Problem: Users getting 500 errors on /api/v1/projects
Why? -> Project service is returning errors
Why? -> Database queries are timing out
Why? -> Connection pool is exhausted
Why? -> A migration added a long-running query without an index
Why? -> Migration review process didn't include EXPLAIN ANALYZE
Root Cause: Missing index on new column, migration review gap
Rules:
Common root cause categories:
Output: Root cause analysis with 5 Whys chain and contributing factors.
Apply the MINIMUM change needed to resolve the incident:
Rules:
Fix Checklist:
[ ] Fix is minimal and targeted (no refactoring, no extra changes)
[ ] Fix addresses the root cause (not just the symptom)
[ ] Test suite passes with the fix
[ ] Fix has been tested in staging
[ ] Rollback plan documented
Before deploying to production:
If the fix can't be verified in staging (data-specific issue), document the risk and get approval before deploying to production.
Deploy the fix to production with enhanced monitoring:
Deployment Checklist:
[ ] Fix deployed to production
[ ] Enhanced monitoring in place (watch error rate, latency)
[ ] Watch for 15 minutes post-deploy
[ ] Error rate returned to baseline
[ ] Latency returned to baseline
[ ] No new error types appearing
[ ] Affected tenants verified working
Watch period: Minimum 15 minutes for SEV-1/SEV-2, 5 minutes for SEV-3/SEV-4.
Create a blameless post-mortem document:
## Post-Mortem: [Incident Title]
### Date: YYYY-MM-DD
### Severity: SEV-X
### Duration: X hours Y minutes
### Author: [Name]
### Summary
[1-2 sentence description of what happened]
### Impact
- **Tenants affected**: X (Y% of total)
- **Duration**: HH:MM to HH:MM UTC
- **User-facing impact**: [What users experienced]
- **Data impact**: [Any data loss or corruption]
### Timeline (UTC)
| Time | Event |
|------|-------|
| HH:MM | First error logged |
| HH:MM | Alert fired |
| HH:MM | Investigation started |
| HH:MM | Root cause identified |
| HH:MM | Fix deployed to staging |
| HH:MM | Fix deployed to production |
| HH:MM | Incident resolved |
### Root Cause
[5 Whys analysis]
### Contributing Factors
- [Factor 1]
- [Factor 2]
### What Went Well
- [Positive aspect 1: e.g., "Alerting caught the issue within 2 minutes"]
- [Positive aspect 2]
### What Could Be Improved
- [Improvement 1]
- [Improvement 2]
### Action Items
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| Add missing index | @dev | YYYY-MM-DD | TODO |
| Add EXPLAIN ANALYZE to migration review checklist | @team | YYYY-MM-DD | TODO |
| Add monitoring for connection pool exhaustion | @devops | YYYY-MM-DD | TODO |
| Add integration test for this scenario | @tester | YYYY-MM-DD | TODO |
### Lessons Learned
[Key takeaways for the team]
Write post-mortem to docs/spec/.llm/completed/postmortem-YYYY-MM-DD-short-description.md.