一键导入
incident
Incident response orchestrator for production outages and degradation. Handles triage, evidence, mitigation, code-fix gating, verification, and postmortem.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Incident response orchestrator for production outages and degradation. Handles triage, evidence, mitigation, code-fix gating, verification, and postmortem.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Initialize Flowbit with intelligent project analysis and documentation generation
Creates Mermaid diagrams for planning flows, component communication, and architecture views with adaptive detail selection (including C4 levels). This skill should be used when the user asks for a workflow, interaction, or architecture visualization from provided task context.
Internal engine for managing project documentation and technical standards in .flowbit/docs/. Handles file operations, INDEX.md generation, and .github/copilot-instructions.md integration. Invoked by flowbit-init, standards-update, and standards-discover skills.
Quick bug fix with TDD red/green gates and complexity escalation
Implement task directly with AI SDLC standards awareness (no planning mode)
Enter planning mode with AI SDLC standards awareness
| name | incident |
| description | Incident response orchestrator for production outages and degradation. Handles triage, evidence, mitigation, code-fix gating, verification, and postmortem. |
| user-invocable | true |
Run this workflow for active production incidents, SEV events, major regressions, and high-risk operational failures.
Read:
../orchestrator-framework/references/orchestrator-patterns.mdAccept either:
/flowbit:incident "SEV-1 ..."),.flowbit/tasks/incidents/YYYY-MM-DD-incident-slug).If resume path includes orchestrator-state.yml, restore state and continue from the next incomplete phase.
TaskCreate and link dependencies using TaskUpdate addBlockedBy..flowbit/tasks/incidents/YYYY-MM-DD-incident-slug/.orchestrator-state.yml with incident context and options.analysis/, implementation/, verification/, documentation/.Use for:
Do not use for:
/flowbit:work or /flowbit:development),/flowbit:quick-bugfix).| Phase | content | activeForm | Activation |
|---|---|---|---|
| 1 | "Intake and severity assessment" | "Assessing incident severity" | Always |
| 2 | "Triage and containment decision" | "Triaging and deciding containment" | Always |
| 3 | "Evidence collection and timeline correlation" | "Collecting incident evidence" | Always |
| 4 | "Root cause hypotheses and mitigation strategy" | "Analyzing root cause hypotheses" | Always |
| 5 | "Mitigation planning and execution" | "Mitigating incident" | Always |
| 6 | "Verification and stabilization checks" | "Verifying stabilization" | Always |
| 7 | "Postmortem and follow-up actions" | "Authoring postmortem and follow-ups" | Always |
| 8 | "Finalize incident workflow" | "Finalizing incident workflow" | Always |
flowchart TD
incidentCmd["/flowbit:incident"] --> incidentSkill["flowbit-incident orchestrator"]
incidentSkill --> intake["Phase 1: IntakeAndSeverity"]
intake --> triage["Phase 2: TriageAndContainment"]
triage --> evidence["Phase 3: EvidenceCollection"]
evidence --> hypotheses["Phase 4: HypothesisAndRCA"]
hypotheses --> decision{MitigationType}
decision -->|"config/ops"| opsFix["Phase 5A: OperationalMitigation"]
decision -->|"code_fix"| implPlan["Phase 5B: ImplementationPlan"]
implPlan --> askGate["ask_user: approve implementation plan"]
askGate --> implExec["implementation-plan-executor"]
opsFix --> verify["Phase 6: VerificationAndStability"]
implExec --> verify
verify --> postmortem["Phase 7: PostmortemAndFollowups"]
Purpose: Normalize incident brief, classify severity, define initial impact.
Execute:
flowbit-incident-intakeanalysis/incident-brief.mdanalysis/impact-assessment.mdincident_context.severityincident_context.impact_summaryincident_context.incident_status = "active"Output: analysis/incident-brief.md, analysis/impact-assessment.md
→ Pause
ask_user: show severity + impact summary and ask:
Purpose: Decide immediate operational posture (contain now vs continue diagnosis).
Execute:
flowbit-incident-triageanalysis/triage-decision.mdask_user confirmation before execution.incident_context.containment_strategyincident_context.current_statusincident_context.blast_radiusOutput: analysis/triage-decision.md
→ Pause
ask_user:
Purpose: Build evidence pack and timeline before selecting mitigation path.
Execute:
flowbit-incident-evidenceanalysis/evidence-pack.mdanalysis/timeline.mdincident_context.evidence_collected = trueincident_context.timeline_ready = trueOutput: analysis/evidence-pack.md, analysis/timeline.md
→ Pause
ask_user:
Purpose: Convert evidence into ranked hypotheses and decide mitigation type.
Execute:
flowbit-gap-analyzer (focused on mismatch symptoms vs expected behavior)flowbit-mitigation-selector (incident-specific options ranking)analysis/hypotheses.mdimplementation/mitigation-plan.mdincident_context.mitigation_type:
operational (config/flags/rollback),code_fix,hybrid.Output: analysis/hypotheses.md, implementation/mitigation-plan.md
→ Pause
ask_user:
Purpose: Execute approved mitigation path.
Execute:
implementation/execution-log.md.flowbit-implementation-planner to generate implementation/implementation-plan.md.flowbit-implementation-plan-executor only if user explicitly approves.implementation/execution-log.md.Critical rule: Never invoke flowbit-implementation-plan-executor before explicit approval in Step 3.
Output: implementation/implementation-plan.md (when code fix), implementation/execution-log.md
→ Pause
ask_user:
Purpose: Validate incident is mitigated and service is stable.
Execute:
operational mitigation pathflowbit-reality-assessor
task_path and context of applied operational mitigations.verification/incident-verification.md.code_fix or hybrid mitigation pathSkill tool - flowbit-implementation-verifier
orchestrator-state.yml options for review scope.verification/implementation-verification.md.Update state:
incident_context.verified_atincident_context.current_status = "stabilized" when checks pass.Output: verification/implementation-verification.md (code_fix/hybrid) or verification/incident-verification.md (operational)
→ Pause
ask_user:
Purpose: Create structured postmortem and actionable next steps.
Execute:
flowbit-incident-postmortemdocumentation/postmortem.mddocumentation/followups.mdincident_context.postmortem_status = "completed"incident_context.followup_countOutput: documentation/postmortem.md, documentation/followups.md
→ Pause
ask_user:
Purpose: Close incident workflow with clear handoff.
Execute:
task.status = "completed"incident_context.incident_status = "closed"→ End of workflow
orchestrator:
options:
code_fix_enabled: null
allow_operational_mitigation: true
allow_rollback: true
require_plan_approval: true
incident_context:
severity: null
impact_summary: null
blast_radius: null
incident_status: active
current_status: triage
containment_strategy: null
mitigation_type: null
evidence_collected: false
timeline_ready: false
verified_at: null
postmortem_status: pending
followup_count: 0
.flowbit/tasks/incidents/YYYY-MM-DD-incident-slug/
├── orchestrator-state.yml
├── analysis/
│ ├── incident-brief.md
│ ├── impact-assessment.md
│ ├── triage-decision.md
│ ├── evidence-pack.md
│ ├── timeline.md
│ └── hypotheses.md
├── implementation/
│ ├── mitigation-plan.md
│ ├── implementation-plan.md # conditional, when code_fix/hybrid
│ └── execution-log.md
├── verification/
│ └── incident-verification.md
└── documentation/
├── postmortem.md
└── followups.md
Invoked via:
/flowbit:incident [description]/flowbit:incident [task-path] --from=PHASE (resume)ask_user confirmation.