[HINT] Download the complete skill directory including SKILL.md and all related files
| name | forensics |
| description | Post-mortem diagnostic analysis of failed workflows. |
| user-invocable | false |
| command | /forensics |
| allowed-tools | ["Read","Grep","Glob"] |
| routing | {"triggers":["forensics","what went wrong","why did this fail","stuck loop","diagnose workflow","post-mortem","workflow failure","session crashed","why is this stuck","investigate failure","why did this break","incident review"],"pairs_with":["workflow","planning"],"complexity":"Medium","category":"process"} |
Investigate failed or stuck workflows through post-mortem analysis of git history, plan files, and session artifacts. Forensics answers "what went wrong and why" -- it detects workflow-level failures that individual tool errors don't reveal.
Key distinction: A tool error is "ruff found 3 lint errors." A workflow failure is "the agent entered a fix/retry loop editing the same file 5 times and never progressed." The error-learner handles tool-level errors. Forensics handles workflow-level patterns.
| Task | Load |
|---|---|
| Collecting git evidence, running git log commands, scrubbing credentials | references/evidence-collection.md |
| Identifying failure type from symptoms, causal chain analysis | references/failure-signatures.md |
| Running any of the 5 anomaly detectors, scoring confidence | references/detectors.md |
| Signal | Load These Files | Why |
|---|---|---|
| tasks related to this reference | detectors.md | Loads detailed guidance from detectors.md. |
| tasks related to this reference | evidence-collection.md | Loads detailed guidance from evidence-collection.md. |
| tasks related to this reference | failure-signatures.md | Loads detailed guidance from failure-signatures.md. |
This is a read-only diagnostic. The tool restriction to Read/Grep/Glob enforces this at the platform level. A diagnostic tool that modifies state destroys the evidence it needs to analyze -- forensics examines, it does not fix. Even when the user asks you to fix what you find, complete the report and recommend remediation instead. The wrong fix applied automatically can destroy work.
Goal: Collect the raw evidence needed for anomaly detection. Determine what branch, plan, and time range to analyze.
Step 1: Identify the investigation target
Accept the target from one of these sources (in priority order):
task_plan.mdBefore analysis, read the repository's CLAUDE.md if present. Repository conventions inform what "normal" looks like (e.g., expected branch patterns, required artifacts).
Step 2: Locate the plan file
Search for the plan that governed the workflow:
task_plan.md in the repository root.feature/state/plan/ for feature plansplan/active/ for workflow-orchestrator plansRecord whether a plan exists. If no plan is found, note this -- it limits scope drift and abandoned work detection but does not block the investigation. Three of the five detectors (stuck loop, crash/interruption, and degraded abandoned work) still function without a plan, so never skip analysis because no plan file was found.
Step 3: Collect git history
Read the git log for the target branch. Extract:
Use Grep to search git log output for patterns. Focus on:
If the branch has hundreds of commits, focus on the most recent 50 and note the truncation in the final report.
Step 4: Check working tree state
Examine the current state:
.claude/worktrees/ directories?task_plan.md with incomplete phases?See
references/evidence-collection.mdfor concrete git commands for each evidence type: log extraction, loop detection queries, timestamp analysis, and credential scrubbing patterns.
GATE: Evidence collected. At minimum: git history available, branch identified. Proceed to DETECT only when evidence gathering is complete.
Goal: Run all 5 anomaly detectors against the collected evidence. Always run every detector -- anomalies are often correlated (a stuck loop causes missing artifacts causes abandoned work), so partial analysis misses the causal chain. Each detector produces zero or more findings, and every finding must include a confidence level (High/Medium/Low) because false positives erode trust.
See
references/detectors.mdfor full detector specifications: confidence scoring tables, false positive guidance, and per-detector skip conditions when no plan file exists. Seereferences/failure-signatures.mdfor observable patterns per failure type, detection commands, and causal chain analysis when multiple detectors fire.
Run detectors 1-5 in order: Stuck Loop, Missing Artifacts, Abandoned Work, Scope Drift, Crash/Interruption.
GATE: All 5 detectors have run. Each produced zero or more findings with confidence levels. Proceed to REPORT.
Goal: Compile findings into a structured diagnostic report with root cause hypothesis and remediation recommendations. Every claim in the report must trace to specific evidence -- a forensics report without evidence is an opinion piece, not a diagnostic.
Step 1: Scrub sensitive content
Before assembling the report, scan all evidence strings for:
sk-, ghp_, token=, password=, secret=, key=, bearer tokens, base64-encoded credentials)Replace sensitive values with [REDACTED] and home paths with ~/. Treat all credential-shaped strings as real -- you cannot determine whether a credential is live from its format alone. Reports may be shared or logged, so a leaked credential in a forensics report is worse than the original workflow failure. Redact paths in every report regardless of audience; it costs nothing and prevents future exposure.
Step 2: Compile anomaly table
Order findings by confidence (High first, then by detector number) so the reader gets the strongest signals first:
## Forensics Report: [branch name or session identifier]
### Anomalies Detected
| # | Type | Confidence | Description |
|---|------|------------|-------------|
| 1 | [type] | [High/Medium/Low] | [description with evidence] |
| 2 | [type] | [High/Medium/Low] | [description with evidence] |
If no anomalies detected:
### Anomalies Detected
No anomalies detected. The workflow appears to have executed normally.
Step 3: Synthesize root cause hypothesis
Connect the anomalies into a coherent narrative. Look for causal chains:
The hypothesis must be specific, testable, and grounded in evidence from the anomaly findings -- never speculate beyond what the data supports:
Step 4: Recommend remediation
Provide specific, actionable recommendations. Each recommendation should reference the anomaly it addresses. Remediation is advisory text only -- never execute fixes, even if the user asks. Remediation requires understanding intent, not just detecting anomalies.
| Anomaly Type | Typical Remediation |
|---|---|
| Stuck loop | Identify the root cause of the loop (often a lint/type error the agent can't resolve). Fix manually, then resume from the last successful phase. |
| Missing artifacts | Re-run the phase that failed to produce artifacts. Check if the phase definition is clear enough for the executor. |
| Abandoned work | Resume from the last completed phase. Check .debug-session.md or plan status for where to pick up. |
| Scope drift | Review out-of-scope changes for necessity. Revert unrelated changes. Re-scope the plan if the drift was needed. |
| Crash/interruption | Check for uncommitted changes worth preserving. Clean up orphaned worktrees. Resume from last committed state. |
Step 5: Format final report
Include relevant git log excerpts, file snippets, and timestamps as evidence for every anomaly. Show git hashes, timestamps, and file paths rather than making unsupported assertions.
================================================================
FORENSICS REPORT: [branch/session identifier]
================================================================
Scan completed: [timestamp]
Branch: [branch name]
Commits analyzed: [count]
Plan file: [path or "not found"]
================================================================
ANOMALIES
================================================================
| # | Type | Confidence | Description |
|---|------|------------|-------------|
| ... | ... | ... | ... |
================================================================
ROOT CAUSE HYPOTHESIS
================================================================
[Narrative connecting anomalies into causal explanation]
================================================================
RECOMMENDED REMEDIATION
================================================================
1. [Specific action referencing anomaly #N]
2. [Specific action referencing anomaly #N]
================================================================
EVIDENCE
================================================================
[Relevant git log excerpts, file snippets, timestamps]
[All paths redacted, credentials scrubbed]
================================================================
GATE: Report is complete, scrubbed, and formatted. Deliver to user.
| Error | Cause | Solution |
|---|---|---|
| No git history on branch | Branch has zero commits or just forked | Report "insufficient evidence" -- forensics needs commit history to analyze |
| No plan file found | Workflow ran without a plan | Note limitation in report. Detectors 2 (missing artifacts), 3 (abandoned work), and 4 (scope drift) operate in degraded mode or skip. Detectors 1 (stuck loop) and 5 (crash) still function. |
| Worktree access fails | Orphaned worktree with broken symlinks | Report the orphaned worktree as crash/interruption evidence. Do not attempt cleanup. |
| Git log too large | Long-lived branch with hundreds of commits | Focus analysis on the most recent 50 commits. Note truncation in report. |
| Ambiguous branch target | User request doesn't clearly identify which branch | Ask: "Which branch should I investigate? Current branch is [X]." |