一键导入
incident-response
Use when production is broken, a service is down, or a critical bug is affecting users — structured incident management and postmortem
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when production is broken, a service is down, or a critical bug is affecting users — structured incident management and postmortem
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Use when the user wants to free disk space, investigate disk usage, clean caches, remove unused artifacts, or when disk capacity is high. Also use when asked to "clean up", "free space", "disk full", or "what's using disk space". Always uses AskUserQuestion for every deletion decision.
Use at the start of every conversation and for every user message — orchestrates the full engineering skills suite by understanding intent, clarifying requirements interactively, and invoking the right skills
Use when refactoring Go code, cleaning up legacy codebases, optimizing performance, or enforcing clean architecture boundaries in a Go/Fiber backend
Use when refactoring Python code, cleaning up legacy codebases, optimizing performance, enforcing type safety, or improving clean architecture in a FastAPI backend
Use when refactoring React components, cleaning up legacy frontends, optimizing performance, improving component architecture, or reducing bundle size
Use when reviewing changed code before committing or after completing a feature — checks performance, architecture, type safety, and code quality against project standards
| name | incident-response |
| description | Use when production is broken, a service is down, or a critical bug is affecting users — structured incident management and postmortem |
When production breaks, follow a structured process. Don't panic, don't guess, don't push hot fixes without understanding.
Core principle: Restore service first, investigate root cause second, prevent recurrence third.
| Severity | Definition | Response Time | Examples |
|---|---|---|---|
| SEV1 | Service down, all users affected | Immediate | Database crashed, API 500s on all routes, auth broken |
| SEV2 | Major feature broken, many users affected | < 30 min | Payment processing fails, search returns no results |
| SEV3 | Minor feature broken, some users affected | < 2 hours | Export fails for large datasets, specific edge case error |
| SEV4 | Cosmetic or minor, workaround exists | Next business day | UI alignment issue, non-critical notification delay |
## Incident Report
- **Severity:** SEV[1-4]
- **Detected:** [timestamp]
- **Detected by:** [monitoring alert / user report / engineer]
- **Affected:** [what users/features are impacted]
- **Symptom:** [what's broken, error messages]
REQUIRED: Invoke debug skill for hands-on investigation tools.
# Quick triage checklist — run in parallel
docker compose ps # containers running?
curl -s http://localhost:8000/health | jq . # API healthy?
docker compose logs --tail=50 api # recent errors?
docker compose exec postgres pg_isready # DB reachable?
Decision: Can we restore quickly?
| Situation | Action |
|---|---|
| Bad deploy caused it | Rollback to last good version |
| Database migration broke it | migrate down 1 or alembic downgrade -1 |
| Config/env change | Revert config |
| Resource exhaustion | Scale up / restart |
| Unknown cause | Continue investigation |
Priority is restoring service, NOT fixing the bug.
# Rollback deployment
git revert HEAD && git push
# Or redeploy last known good
git checkout <last-good-tag>
docker compose up -d --build
# Or restart crashed service
docker compose restart api
# Or scale up if resource issue
docker compose up -d --scale api=3
Log every action taken:
## Timeline
- [HH:MM] Detected: API returning 500 on all routes
- [HH:MM] Triaged: Database connection pool exhausted
- [HH:MM] Mitigated: Restarted API service, connections recovered
- [HH:MM] Confirmed: Service restored, monitoring for recurrence
Only after service is restored. Use superpowers:systematic-debugging methodology.
## Root Cause Analysis
- **What happened:** [technical description]
- **Why it happened:** [root cause, not just symptom]
- **Why it wasn't caught:** [gap in testing/monitoring/process]
- **Evidence:** [logs, metrics, traces that confirm the root cause]
## Fix
- **PR:** [link]
- **What changed:** [description]
- **How verified:** [test that covers this case]
Write within 24 hours of resolution:
# Postmortem: [Incident Title]
**Date:** [date]
**Duration:** [detect to resolve]
**Severity:** SEV[N]
**Author:** [name]
## Summary
[1-2 sentences: what happened and impact]
## Timeline
[Chronological list of events with timestamps]
## Root Cause
[Technical explanation of why this happened]
## Impact
- Users affected: [count or percentage]
- Duration: [how long users were impacted]
- Data loss: [yes/no, details]
## What Went Well
- [Quick detection because of monitoring]
- [Fast rollback process]
## What Went Wrong
- [No alert for this failure mode]
- [Missing integration test for this case]
## Action Items
| Action | Owner | Priority | Status |
|--------|-------|----------|--------|
| Add monitoring for [X] | [name] | P0 | TODO |
| Add integration test for [Y] | [name] | P0 | TODO |
| Improve deploy rollback docs | [name] | P1 | TODO |
For recurring operational tasks, create runbooks:
# Runbook: [Service Name] — [Scenario]
## Symptoms
- [What alerts fire]
- [What users see]
- [What logs show]
## Diagnosis Steps
1. Check [X]
2. If [condition], go to step 3
3. Check [Y]
## Resolution Steps
1. [Exact command to run]
2. [Verification command]
3. [Monitoring to confirm]
## Escalation
- If unresolved after 15 min: [who to contact]
debug for hands-on toolssuperpowers:systematic-debugging for methodologysuperpowers:test-driven-development for the fixreview-code before deploying the fix