一键导入
incident-response
Use when handling incidents, outages, severe regressions, or operational emergencies before attempting broad fixes
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when handling incidents, outages, severe regressions, or operational emergencies before attempting broad fixes
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | incident-response |
| description | Use when handling incidents, outages, severe regressions, or operational emergencies before attempting broad fixes |
Announce at start: "Following the incident-response skill — stabilize, contain, communicate."
Stabilize first, speculate later. During an incident, the fastest safe path is containment, not cleverness.
Before changing anything, establish:
Choose the smallest safe action that reduces harm:
| Trigger | Containment action |
|---|---|
| Recent deploy caused regression | Roll back or disable via feature flag |
| Traffic spike or bad client behavior | Rate-limit, shed load, or block source |
| Broken dependency or integration | Fail closed or switch to degraded mode |
| Data corruption risk | Freeze writes before attempting repair |
Capture enough evidence to debug and review later:
Use short status updates with a next update time:
Severity: SEV-2
Impact: Checkout errors for ~35% of requests in us-east
Current action: Rolling back deployment `2026.04.20-3`
Owner: platform-oncall
Next update: 15 minutes
After containment, apply the minimal change that restores service:
Recovery is not complete until the system is stable:
After service is stable:
| Signal | Action |
|---|---|
| Multiple responders pushing unrelated fixes at once | Assign a single incident owner and sequence actions |
| No one can state current user impact | Reassess severity and scope before more changes |
| Deleting logs or rotating evidence before capture | Preserve evidence first |
| Rewriting broad areas of code during outage | Prefer rollback or minimal mitigation |
| Silent status gap longer than agreed cadence | Send an update immediately |
| When | Invoke |
|---|---|
| Need root cause after stabilization | debugging |
| Incident requires rollback or traffic control | deployment |
| Need better incident logging or redaction | logging |
| Response touches security-sensitive systems | secure-coding |
For principles, rationale, anti-patterns, and examples:
guides/incident-response/incident-response.mdguides/observability-patterns/observability-patterns.mdguides/logging-practices/logging-practices.mdExecute safe Git workflows — branching, committing, resolving conflicts, and managing PRs
Use when controlling AI spend, token budgets, model routing, or workflow efficiency before scaling usage
Use when investigating latency, throughput, resource saturation, or performance regressions before changing implementation details
Use when reviewing code, preparing a PR for review, or processing review feedback
Use when diagnosing bugs, test failures, or unexpected behavior before attempting any fix
Plan and execute safe deployments with rollback procedures, verification, and monitoring