{ "name": "Incident Management Suite", "slug": "incident-management-suite", "version": "1.0.1", "license": "MIT", "license_url": "https://opensource.org/licenses/MIT", "manifest": { "schema_version": "1", "toolkit_prompt": "You are an incident response facilitator helping SRE and engineering teams manage incidents effectively. When generating content:\n\n1. Use blameless language ā€” focus on systems and processes, not individuals\n2. Maintain precise timelines with timestamps in UTC\n3. Apply severity classifications consistently (SEV1 = critical, SEV2 = high, SEV3 = medium, SEV4 = low)\n4. Track contributing factors, not just 'the' root cause\n5. Connect corrective actions to owners with clear deadlines\n6. Emphasize learning and prevention over blame\n\nUse ICS-style role assignments (Incident Commander, Comms Lead, Tech Lead, Scribe) when applicable. Prioritize clarity and actionability in all outputs.", "templates": [ { "spec": { "$id": "mt-war-room", "name": "Incident War Room", "slug": "incident-war-room", "description": "Active incident response coordination for real-time troubleshooting, role assignment, and stakeholder communication", "meeting_duration_seconds": 3600, "detail_level": "BULLET_POINTS", "agenda_items": [ { "item_type": "DISCUSSION", "title": "Incident Status", "description": "## šŸšØ Current Incident Status\n\n| Field | Value |\n|-------|-------|\n| **Incident ID** | INC- |\n| **Severity** | ā˜ SEV1 ā˜ SEV2 ā˜ SEV3 ā˜ SEV4 |\n| **Status** | ā˜ Investigating ā˜ Identified ā˜ Mitigating ā˜ Resolved |\n| **Started** | [time UTC] |\n| **Duration** | [auto-calculate] |\n\n---\n\n### Impact Summary\n- **Users Affected**: \n- **Services Affected**: \n- **Business Impact**: \n\n---\n\n### Current Hypothesis\n> [What we think is happening]", "content": "**Incident Commander Script**\n\n1. \"Let's confirm the current state. What's the severity and status?\"\n2. \"What services are affected? How many users?\"\n3. \"What's our current hypothesis for root cause?\"\n\n**Severity Definitions:**\n- **SEV1**: Complete outage, all users affected, revenue impact\n- **SEV2**: Major functionality impaired, significant user impact\n- **SEV3**: Partial degradation, workaround available\n- **SEV4**: Minor issue, minimal impact\n\n**Status Definitions:**\n- **Investigating**: Identifying scope and cause\n- **Identified**: Root cause known, working on fix\n- **Mitigating**: Fix in progress or applied\n- **Resolved**: Normal operations restored", "time_allocation_minutes": 5, "sequence": "1" }, { "item_type": "DISCUSSION", "title": "Role Assignments", "description": "## šŸ‘„ Incident Roles\n\n| Role | Assigned | Backup |\n|------|----------|--------|\n| **Incident Commander (IC)** | | |\n| **Communications Lead** | | |\n| **Tech Lead** | | |\n| **Scribe** | | |\n\n---\n\n### Active Workstreams\n\n| Workstream | Owner | Status | Last Update |\n|------------|-------|--------|-------------|\n| | | šŸ”“ šŸŸ” šŸŸ¢ | |\n| | | šŸ”“ šŸŸ” šŸŸ¢ | |\n| | | šŸ”“ šŸŸ” šŸŸ¢ | |", "content": "**IC Script**\n\n1. \"Let's confirm roles. Who's IC? Comms? Tech Lead? Scribe?\"\n2. \"Each role owner ā€” confirm you're tracking your responsibilities.\"\n3. \"Any role gaps we need to fill?\"\n\n**Role Responsibilities:**\n- **IC**: Overall coordination, decisions, escalations\n- **Comms Lead**: Status page, stakeholder updates, exec comms\n- **Tech Lead**: Technical investigation, fix implementation\n- **Scribe**: Timeline documentation, notes, action tracking", "time_allocation_minutes": 3, "sequence": "2" }, { "item_type": "DISCUSSION", "title": "Timeline & Actions", "description": "## šŸ“‹ Incident Timeline\n\n| Time (UTC) | Event | Source |\n|------------|-------|--------|\n| | Incident detected | |\n| | | |\n| | | |\n\n---\n\n## āš” Active Actions\n\n| Action | Owner | Status | ETA |\n|--------|-------|--------|-----|\n| | | šŸ”„ In Progress | |\n| | | ā³ Pending | |\n| | | āœ… Complete | |", "content": "**IC Script**\n\n1. \"Scribe, what's on the timeline so far?\"\n2. \"Tech Lead, what actions are in flight?\"\n3. \"What's the ETA on current mitigation?\"\n\n**Timeline Best Practices:**\n- Use UTC timestamps consistently\n- Note the source (monitoring, user report, etc.)\n- Capture all significant events, even false leads", "time_allocation_minutes": 10, "sequence": "3" }, { "item_type": "DISCUSSION", "title": "Communication Check", "description": "## šŸ“¢ Stakeholder Communications\n\n| Audience | Last Update | Channel | Next Update |\n|----------|-------------|---------|-------------|\n| Status Page | | | |\n| Internal Slack | | | |\n| Executive | | | |\n| Customers | | | |\n\n---\n\n### Draft Status Update\n> [Current status message for external communication]", "content": "**Comms Lead Script**\n\n1. \"When was our last status page update?\"\n2. \"Do we need to escalate to executives?\"\n3. \"What's our next external communication?\"\n\n**Communication Cadence:**\n- **SEV1**: Update every 15-30 minutes\n- **SEV2**: Update every 30-60 minutes\n- **SEV3/4**: Update at key milestones", "time_allocation_minutes": 5, "sequence": "4" }, { "item_type": "ADJOURN", "title": "Next Steps & Sync", "description": "## šŸ”œ Next Steps\n\n| Action | Owner | By When |\n|--------|-------|---------|\n| | | |\n\n**Next sync**: [time] or when [condition]", "content": "**IC Script**\n\n1. \"Let's summarize: What are the next three actions?\"\n2. \"When should we reconvene?\"\n3. \"Any blockers before we break?\"", "time_allocation_minutes": 2, "sequence": "5" } ] }, "next_steps": [ { "next_step": { "$ref": "ns-stakeholder-update" }, "sort_order": 1, "autopilot": true }, { "next_step": { "$ref": "ns-incident-report" }, "sort_order": 2, "autopilot": false } ] }, { "spec": { "$id": "mt-triage", "name": "Incident Triage", "slug": "incident-triage", "description": "Initial severity assessment, scope definition, and role assignment for new incidents", "meeting_duration_seconds": 1800, "detail_level": "BULLET_POINTS", "agenda_items": [ { "item_type": "DISCUSSION", "title": "Incident Overview", "description": "## šŸ”” Incident Alert\n\n| Field | Value |\n|-------|-------|\n| **Alert Source** | |\n| **Time Detected** | [UTC] |\n| **Reporter** | |\n| **Initial Description** | |", "content": "**Facilitator Script**\n\n1. \"What triggered this triage call?\"\n2. \"When was the issue first detected?\"\n3. \"Who reported it ā€” monitoring, customer, internal?\"\n\n**Key Questions:**\n- What exactly is failing or degraded?\n- When did it start?\n- Is it ongoing or intermittent?", "time_allocation_minutes": 5, "sequence": "1" }, { "item_type": "DISCUSSION", "title": "Impact Assessment", "description": "## šŸ“Š Impact Assessment\n\n| Dimension | Assessment |\n|-----------|------------|\n| **Users Affected** | ā˜ All ā˜ Subset ā˜ None |\n| **Revenue Impact** | ā˜ Direct ā˜ Indirect ā˜ None |\n| **Data Risk** | ā˜ Loss ā˜ Exposure ā˜ None |\n| **SLA Breach** | ā˜ Imminent ā˜ At Risk ā˜ Safe |\n\n**Severity Recommendation**: SEV__", "content": "**Assessment Framework:**\n\n- **SEV1**: All users affected, revenue loss, SLA breach\n- **SEV2**: Many users affected, significant functionality loss\n- **SEV3**: Some users affected, workaround exists\n- **SEV4**: Few users affected, cosmetic or minor\n\n**Questions:**\n- How many users are impacted?\n- Is there financial impact?\n- Are we at risk of SLA breach?", "time_allocation_minutes": 5, "sequence": "2" }, { "item_type": "DISCUSSION", "title": "Initial Hypothesis", "description": "## šŸ” Initial Investigation\n\n**Working Hypothesis**:\n> [What we think is happening]\n\n**Evidence**:\n- \n\n**Systems to Check**:\n- [ ] \n- [ ] ", "content": "**Investigation Start:**\n\n1. \"What's our initial hypothesis?\"\n2. \"What evidence do we have?\"\n3. \"What should we check first?\"", "time_allocation_minutes": 10, "sequence": "3" }, { "item_type": "ADJOURN", "title": "Mobilize Response", "description": "## šŸš€ Response Plan\n\n| Role | Assigned |\n|------|----------|\n| IC | |\n| Tech Lead | |\n| Comms | |\n\n**Decision**: ā˜ War Room ā˜ Async investigation ā˜ Monitoring", "content": "**Close Out:**\n\n1. Assign IC and key roles\n2. Decide: War Room, async, or monitor?\n3. Set first check-in time", "time_allocation_minutes": 5, "sequence": "4" } ] }, "next_steps": [ { "next_step": { "$ref": "ns-incident-report" }, "sort_order": 1, "autopilot": true } ] }, { "spec": { "$id": "mt-post-mortem", "name": "Incident Post-Mortem", "slug": "incident-post-mortem", "description": "Blameless after-action review focusing on timeline reconstruction, root cause analysis, and corrective actions", "meeting_duration_seconds": 3600, "detail_level": "STANDARD", "agenda_items": [ { "item_type": "DISCUSSION", "title": "Incident Recap", "description": "## šŸ“‹ Incident Summary\n\n| Field | Value |\n|-------|-------|\n| **Incident ID** | INC- |\n| **Severity** | SEV |\n| **Duration** | [start] ā†’ [end] |\n| **Impact** | |\n| **Resolution** | |", "content": "**Facilitator Script**\n\n1. \"Let's start with facts. What happened, when, and how was it resolved?\"\n2. Set the tone: \"This is a blameless review. We're here to learn.\"\n3. Focus on timeline and impact summary.", "time_allocation_minutes": 10, "sequence": "1" }, { "item_type": "DISCUSSION", "title": "Timeline Review", "description": "## ā±ļø Detailed Timeline\n\n| Time (UTC) | Event | Actor | Impact |\n|------------|-------|-------|--------|\n| | Detection | | |\n| | Escalation | | |\n| | Mitigation | | |\n| | Resolution | | |", "content": "**Timeline Construction:**\n\n1. Walk through events chronologically\n2. Note delays or gaps\n3. Identify when key decisions were made\n4. Mark what worked well vs. friction points", "time_allocation_minutes": 15, "sequence": "2" }, { "item_type": "DISCUSSION", "title": "Root Cause Analysis", "description": "## šŸ”¬ 5 Whys Analysis\n\n1. **Why** did [symptom] occur?\n ā†’ \n\n2. **Why** did [cause 1] happen?\n ā†’ \n\n3. **Why** did [cause 2] happen?\n ā†’ \n\n4. **Why** did [cause 3] happen?\n ā†’ \n\n5. **Why** did [cause 4] happen?\n ā†’ \n\n**Root Cause(s)**:\n> ", "content": "**Analysis Framework:**\n\n1. Apply 5 Whys iteratively\n2. Look for systemic issues, not individual errors\n3. Consider contributing factors (not just ONE root cause)\n4. Categorize: Process / Technology / People / Environment", "time_allocation_minutes": 20, "sequence": "3" }, { "item_type": "DISCUSSION", "title": "Corrective Actions", "description": "## āœ… Corrective Actions\n\n| # | Action | Owner | Priority | Due Date | Status |\n|---|--------|-------|----------|----------|--------|\n| 1 | | | P0/P1/P2 | | ā¬œ |\n| 2 | | | P0/P1/P2 | | ā¬œ |\n| 3 | | | P0/P1/P2 | | ā¬œ |\n\n### Prevent Recurrence\n- [ ] Detection improvement\n- [ ] Process improvement\n- [ ] Technical fix\n- [ ] Documentation update", "content": "**Action Planning:**\n\n1. What can we do to prevent this specific issue?\n2. What can we do to detect it faster?\n3. What can we do to respond better?\n\n**Prioritization:**\n- **P0**: Immediate, high risk of recurrence\n- **P1**: This sprint, significant improvement\n- **P2**: Backlog, good to have", "time_allocation_minutes": 15, "sequence": "4" }, { "item_type": "ADJOURN", "title": "Lessons Learned", "description": "## šŸ“š Lessons Learned\n\n### What Went Well\n- \n\n### What Could Improve\n- \n\n### Action Item Follow-Up\n- Review date: [date]\n- Owner: [name]", "content": "**Close Out:**\n\n1. Summarize key lessons\n2. Assign action item follow-up owner\n3. Schedule review checkpoint\n4. Thank participants for blameless participation", "time_allocation_minutes": 5, "sequence": "5" } ] }, "next_steps": [ { "next_step": { "$ref": "ns-post-mortem-doc" }, "sort_order": 1, "autopilot": true }, { "next_step": { "$ref": "ns-corrective-actions" }, "sort_order": 2, "autopilot": false } ], "workflow_ref": { "$ref": "wf-post-mortem-review" } }, { "spec": { "$id": "mt-incident-review", "name": "Incident Review", "slug": "incident-review", "description": "Recurring review of recent incidents to identify patterns, systemic issues, and improvement opportunities", "meeting_duration_seconds": 2700, "detail_level": "STANDARD", "agenda_items": [ { "item_type": "DISCUSSION", "title": "Recent Incidents Summary", "description": "## šŸ“Š Incidents This Period\n\n| ID | Date | Severity | Duration | Category | Status |\n|----|------|----------|----------|----------|--------|\n| | | SEV | mins | | PM Complete ā˜ |", "content": "**Review Script:**\n\n1. \"Let's review incidents from the past [period].\"\n2. Walk through each incident briefly\n3. Note: Severity distribution, resolution times, PM completion", "time_allocation_minutes": 10, "sequence": "1" }, { "item_type": "DISCUSSION", "title": "Pattern Analysis", "description": "## šŸ”„ Pattern Detection\n\n| Pattern | Frequency | Examples | Root Cause Category |\n|---------|-----------|----------|--------------------|\n| | | INC-X, INC-Y | Process / Tech / People |\n\n### Recurring Issues\n- \n\n### Emerging Trends\n- ", "content": "**Analysis Questions:**\n\n1. Are there repeated failure modes?\n2. Same service / team / time of day?\n3. What's the trend vs. last period?\n4. Any systemic issues across incidents?", "time_allocation_minutes": 15, "sequence": "2" }, { "item_type": "DISCUSSION", "title": "Action Item Status", "description": "## āœ… Corrective Action Tracker\n\n| From | Action | Owner | Due | Status |\n|------|--------|-------|-----|--------|\n| INC-X | | | | šŸ”“ šŸŸ” šŸŸ¢ |", "content": "**Accountability Check:**\n\n1. Review open action items from past post-mortems\n2. Escalate overdue items\n3. Close completed items\n4. Reassess priorities if needed", "time_allocation_minutes": 10, "sequence": "3" }, { "item_type": "ADJOURN", "title": "Recommendations", "description": "## šŸŽÆ Recommendations\n\n| Priority | Recommendation | Owner | Impact |\n|----------|----------------|-------|--------|\n| | | | |", "content": "**Close Out:**\n\n1. Summarize key patterns identified\n2. Prioritize systemic improvements\n3. Assign owners for new initiatives\n4. Set next review date", "time_allocation_minutes": 10, "sequence": "4" } ] }, "next_steps": [ { "next_step": { "$ref": "ns-trend-report" }, "sort_order": 1, "autopilot": true } ] }, { "spec": { "$id": "mt-shift-handoff", "name": "IC Shift Handoff", "slug": "incident-shift-handoff", "description": "Structured handoff between Incident Commanders during long-running incidents to preserve context and maintain continuity", "meeting_duration_seconds": 1800, "detail_level": "BULLET_POINTS", "agenda_items": [ { "item_type": "DISCUSSION", "title": "Incident State Transfer", "description": "## šŸ“‹ Current Incident State\n\n| Field | Value |\n|-------|-------|\n| **Incident ID** | |\n| **Severity** | SEV |\n| **Status** | |\n| **Duration** | hours |\n| **Outgoing IC** | |\n| **Incoming IC** | |\n\n---\n\n### Executive Summary\n> [3-4 sentence summary of what's happening, what we've tried, current state]", "content": "**Outgoing IC Script**\n\n1. \"Here's where we are: [summary]\"\n2. \"The current severity is SEV[X] because [reason]\"\n3. \"We've been at this for [X] hours\"\n4. \"Current status is [Investigating/Identified/Mitigating]\"", "time_allocation_minutes": 5, "sequence": "1" }, { "item_type": "DISCUSSION", "title": "Timeline & Key Events", "description": "## ā±ļø Key Timeline Events\n\n| Time (UTC) | Event | Impact | Notes |\n|------------|-------|--------|-------|\n| | Initial detection | | |\n| | | | |\n| | | | |\n| | Current state | | |\n\n---\n\n### Critical Context\n- **Root cause hypothesis**: \n- **What we've ruled out**: \n- **Key findings**: ", "content": "**Outgoing IC Script**\n\n1. Walk through major timeline events\n2. Highlight any dead ends or ruled-out hypotheses\n3. Share key findings that informed current approach\n4. Note any patterns or anomalies observed", "time_allocation_minutes": 5, "sequence": "2" }, { "item_type": "DISCUSSION", "title": "Active Workstreams", "description": "## šŸ”„ Active Workstreams\n\n| Workstream | Owner | Status | Last Update | Next Step |\n|------------|-------|--------|-------------|----------|\n| | | šŸ”“ šŸŸ” šŸŸ¢ | | |\n| | | šŸ”“ šŸŸ” šŸŸ¢ | | |\n\n---\n\n### Blocked Items\n| Item | Blocker | Escalation Needed? |\n|------|---------|-------------------|\n| | | |", "content": "**Outgoing IC Script**\n\n1. Review each active workstream\n2. Identify owners and their current status\n3. Flag any blockers that need escalation\n4. Note expected completion times", "time_allocation_minutes": 5, "sequence": "3" }, { "item_type": "DISCUSSION", "title": "Stakeholder & Comms Status", "description": "## šŸ“¢ Communication Status\n\n| Audience | Last Update | Channel | Next Update Due |\n|----------|-------------|---------|----------------|\n| Status Page | | | |\n| Internal Slack | | | |\n| Executive | | | |\n| Customers | | | |\n\n---\n\n### Key Stakeholders Engaged\n- [ ] Engineering leadership\n- [ ] Customer Success\n- [ ] Executive team\n- [ ] Legal/Compliance (if needed)", "content": "**Outgoing IC Script**\n\n1. Review communication cadence and channels\n2. Note any executive attention or escalations\n3. Flag upcoming communication deadlines\n4. Transfer any stakeholder relationships", "time_allocation_minutes": 3, "sequence": "4" }, { "item_type": "DISCUSSION", "title": "Role Handoff", "description": "## šŸ‘„ Current Role Assignments\n\n| Role | Current | Continuing? | Handoff To |\n|------|---------|-------------|------------|\n| **Incident Commander** | | āž”ļø | |\n| **Communications Lead** | | | |\n| **Tech Lead** | | | |\n| **Scribe** | | | |\n\n---\n\n### Team Fatigue Check\n- Who needs a break?\n- Who's been on longest?", "content": "**Handoff Script**\n\n1. Confirm role continuity or handoffs\n2. Check for team fatigue ā€” anyone on > 4 hours?\n3. Identify backup coverage if needed\n4. Ensure no single points of failure", "time_allocation_minutes": 3, "sequence": "5" }, { "item_type": "ADJOURN", "title": "Handoff Confirmation", "description": "## āœ… Handoff Checklist\n\n- [ ] Incoming IC has full context\n- [ ] All active workstreams understood\n- [ ] Communication channels transferred\n- [ ] Next update times confirmed\n- [ ] Escalation paths clear\n\n**Handoff Time**: [timestamp UTC]\n**Incoming IC Confirmed**: [ ]", "content": "**Incoming IC Script**\n\n1. \"Let me summarize back: [repeat understanding]\"\n2. \"My immediate priorities are: [list]\"\n3. \"Next status update at [time]\"\n4. \"I'm taking command. Thank you [outgoing IC].\"", "time_allocation_minutes": 4, "sequence": "6" } ] }, "next_steps": [] }, { "spec": { "$id": "mt-security-incident", "name": "Security Incident Response", "slug": "security-incident-response", "description": "Security-specific incident handling with evidence preservation, breach notification checklist, and legal/compliance coordination", "meeting_duration_seconds": 3600, "detail_level": "BULLET_POINTS", "agenda_items": [ { "item_type": "DISCUSSION", "title": "Security Incident Classification", "description": "## šŸ”’ Security Incident Classification\n\n| Field | Value |\n|-------|-------|\n| **Incident ID** | SEC- |\n| **Classification** | ā˜ Confidentiality ā˜ Integrity ā˜ Availability |\n| **Severity** | ā˜ Critical ā˜ High ā˜ Medium ā˜ Low |\n| **Data Involved** | ā˜ PII ā˜ Financial ā˜ Credentials ā˜ IP ā˜ None confirmed |\n| **Breach Confirmed** | ā˜ Yes ā˜ No ā˜ Under investigation |\n\n---\n\n### Incident Summary\n> [What happened, what's at risk, current containment status]\n\n---\n\n### āš ļø COMMUNICATION RESTRICTIONS\n- [ ] Legal has approved external communications\n- [ ] PR/Comms is coordinating messaging\n- [ ] Need-to-know list established", "content": "**Security IC Script**\n\n1. \"This is a SECURITY incident. Communication restrictions apply.\"\n2. \"Let's classify: Confidentiality, Integrity, or Availability?\"\n3. \"Is customer data potentially involved? PII? Financial?\"\n4. \"Has Legal been notified?\"\n\n**IMPORTANT**: Do not discuss specifics in non-secure channels. Assume adversary may have access to internal comms.", "time_allocation_minutes": 10, "sequence": "1" }, { "item_type": "DISCUSSION", "title": "Evidence Preservation", "description": "## šŸ” Evidence Preservation\n\n| Evidence Type | Location | Preserved? | Chain of Custody |\n|--------------|----------|------------|------------------|\n| Logs | | ā˜ | |\n| System snapshots | | ā˜ | |\n| Network captures | | ā˜ | |\n| Memory dumps | | ā˜ | |\n| Access records | | ā˜ | |\n\n---\n\n### āš ļø DO NOT\n- Delete or modify logs\n- Reboot affected systems (unless necessary for containment)\n- Communicate incident details on potentially compromised channels\n- Make changes that could alert the adversary", "content": "**Evidence Script**\n\n1. \"Have we preserved logs before any remediation?\"\n2. \"Do we need forensic images of affected systems?\"\n3. \"Who is maintaining chain of custody documentation?\"\n4. \"Are we working with external forensics?\"\n\n**Chain of Custody**: Document who touched what evidence and when.", "time_allocation_minutes": 10, "sequence": "2" }, { "item_type": "DISCUSSION", "title": "Containment Actions", "description": "## šŸ›”ļø Containment Status\n\n| Action | Status | Owner | Notes |\n|--------|--------|-------|-------|\n| Isolate affected systems | ā˜ | | |\n| Revoke compromised credentials | ā˜ | | |\n| Block malicious IPs/domains | ā˜ | | |\n| Disable affected accounts | ā˜ | | |\n| Enable additional logging | ā˜ | | |\n\n---\n\n### Blast Radius Assessment\n- **Systems potentially affected**: \n- **Accounts potentially compromised**: \n- **Data potentially accessed**: ", "content": "**Containment Script**\n\n1. \"What containment actions have we taken?\"\n2. \"What's the blast radius ā€” worst case?\"\n3. \"Do we need to isolate additional systems?\"\n4. \"Have we cut off attacker access without alerting them?\"", "time_allocation_minutes": 15, "sequence": "3" }, { "item_type": "DISCUSSION", "title": "Breach Notification Assessment", "description": "## šŸ“‹ Breach Notification Checklist\n\n### Regulatory Requirements\n| Regulation | Applies? | Notification Deadline | Status |\n|------------|----------|----------------------|--------|\n| GDPR (72 hrs) | ā˜ Yes ā˜ No | | ā˜ N/A ā˜ Pending ā˜ Notified |\n| CCPA | ā˜ Yes ā˜ No | | ā˜ N/A ā˜ Pending ā˜ Notified |\n| HIPAA | ā˜ Yes ā˜ No | | ā˜ N/A ā˜ Pending ā˜ Notified |\n| SOC 2 | ā˜ Yes ā˜ No | | ā˜ N/A ā˜ Pending ā˜ Notified |\n| PCI-DSS | ā˜ Yes ā˜ No | | ā˜ N/A ā˜ Pending ā˜ Notified |\n\n### Notification Stakeholders\n- [ ] Legal counsel\n- [ ] Data Protection Officer\n- [ ] Cyber insurance carrier\n- [ ] Law enforcement (if required)\n- [ ] Affected customers\n- [ ] Board/Executive team", "content": "**Legal/Compliance Script**\n\n1. \"Based on data involved, which regulations apply?\"\n2. \"What's our notification deadline? (GDPR = 72 hours)\"\n3. \"Has Legal drafted notification language?\"\n4. \"Do we need to notify law enforcement?\"\n\n**CRITICAL**: Document the timeline of discovery for notification deadlines.", "time_allocation_minutes": 10, "sequence": "4" }, { "item_type": "ADJOURN", "title": "Next Steps & Secure Channels", "description": "## šŸ”œ Immediate Next Steps\n\n| Action | Owner | Deadline | Secure Channel |\n|--------|-------|----------|---------------|\n| | | | |\n\n---\n\n### Secure Communication Channels\n- **War Room**: [secure channel]\n- **Document Repository**: [secure location]\n- **Next Sync**: [time] via [secure method]\n\n---\n\nāš ļø **REMINDER**: All incident communications should use approved secure channels only.", "content": "**Close Script**\n\n1. \"Summarize: containment status, next forensic steps, notification timeline\"\n2. \"Confirm secure channels for ongoing communication\"\n3. \"Next sync at [time] ā€” mandatory attendance: [names]\"\n4. \"Do NOT discuss this incident outside secure channels\"", "time_allocation_minutes": 5, "sequence": "5" } ] }, "next_steps": [ { "next_step": { "$ref": "ns-incident-report" }, "sort_order": 1 }, { "next_step": { "$ref": "ns-customer-notification" }, "sort_order": 2 } ] } ], "next_steps": [ { "spec": { "$id": "ns-stakeholder-update", "name": "Stakeholder Update", "slug": "incident-stakeholder-update", "description": "Generates a concise status update for executives and affected teams during an active incident.", "icon_name": "bullhorn", "color": "#EF4444", "type": "ai", "ai_prompt": "Generate a concise stakeholder status update suitable for executives and affected teams.\n\n---\n\n# Incident Status Update\n\n**Incident**: [ID] ā€” [Brief title]\n**Severity**: [SEV level]\n**Status**: [Investigating / Identified / Mitigating / Resolved]\n**Last Updated**: [timestamp UTC]\n\n---\n\n## Current Situation\n\n[2-3 sentences describing what's happening, impact, and current status]\n\n## Impact\n\n- **Users Affected**: [number/scope]\n- **Services Affected**: [list]\n- **Duration**: [time since start]\n\n## Actions Underway\n\n1. [Current action being taken]\n2. [Next planned action]\n\n## ETA\n\n[Estimated time to resolution or next update]\n\n---\n\n*Next update in [X] minutes or when status changes.*" }, "action_buttons": [ { "action_button": { "$ref": "ab-copy-clipboard" }, "sort_order": 1 }, { "action_button": { "$ref": "ab-send-slack" }, "sort_order": 2 }, { "action_button": { "$ref": "ab-email-stakeholders" }, "sort_order": 3 } ], "default_action_button": { "$ref": "ab-send-slack" } }, { "spec": { "$id": "ns-incident-report", "name": "Incident Report", "slug": "incident-report", "description": "Produces a formal incident report summarizing impact, timeline, and resolution for records and compliance.", "icon_name": "file-lines", "color": "#F97316", "type": "ai", "ai_prompt": "Generate a formal Incident Report suitable for records and compliance.\n\n---\n\n# Incident Report\n\n**Incident ID**: INC-[extracted or generated]\n**Report Date**: [today]\n**Prepared By**: [meeting organizer]\n\n---\n\n## Executive Summary\n\n[3-4 sentence summary: what happened, impact, resolution, current status]\n\n---\n\n## Incident Details\n\n| Field | Value |\n|-------|-------|\n| **Severity** | [SEV level with justification] |\n| **Start Time** | [UTC timestamp] |\n| **Detection Time** | [UTC timestamp] |\n| **Resolution Time** | [UTC timestamp or N/A] |\n| **Total Duration** | [calculated] |\n| **Status** | [Final status] |\n\n---\n\n## Impact Assessment\n\n### Users Affected\n[Number and description of affected users/customers]\n\n### Services Affected\n- [Service 1]: [Impact description]\n- [Service 2]: [Impact description]\n\n### Business Impact\n[Revenue, reputation, compliance implications]\n\n---\n\n## Timeline of Events\n\n| Time (UTC) | Event | Actor |\n|------------|-------|-------|\n| [time] | [First detection] | [who/what] |\n| [time] | [Key event] | [who/what] |\n| [time] | [Resolution] | [who/what] |\n\n---\n\n## Root Cause Summary\n\n[Brief description of root cause ā€” full analysis in post-mortem]\n\n---\n\n## Resolution\n\n[What was done to resolve the incident]\n\n---\n\n## Follow-Up Actions\n\n| Action | Owner | Due Date | Priority |\n|--------|-------|----------|----------|\n| [action] | [name] | [date] | P0/P1/P2 |\n\n---\n\n## Lessons Learned\n\n### What Went Well\n- [positive observation]\n\n### What Could Improve\n- [improvement area]\n\n---\n\n*Full post-mortem analysis: [link or scheduled date]*" }, "action_buttons": [ { "action_button": { "$ref": "ab-copy-clipboard" }, "sort_order": 1 }, { "action_button": { "$ref": "ab-download-pdf" }, "sort_order": 2 }, { "action_button": { "$ref": "ab-email-stakeholders" }, "sort_order": 3 } ], "default_action_button": { "$ref": "ab-download-pdf" } }, { "spec": { "$id": "ns-post-mortem-doc", "name": "Blameless Post-Mortem", "slug": "incident-post-mortem-doc", "description": "Creates a comprehensive blameless post-mortem document focusing on systemic improvements and root cause analysis.", "icon_name": "microscope", "color": "#8B5CF6", "type": "ai", "ai_prompt": "Generate a blameless post-mortem document focusing on systems improvement.\n\n---\n\n# Blameless Post-Mortem\n\n**Incident**: INC-[ID]\n**Date**: [incident date]\n**Post-Mortem Date**: [today]\n**Author**: [meeting organizer]\n**Status**: Draft ā€” Pending Review\n\n---\n\n## Executive Summary\n\n[4-5 sentence summary using blameless language. Focus on systems, processes, and circumstances ā€” not individuals.]\n\n---\n\n## Incident Overview\n\n| Metric | Value |\n|--------|-------|\n| **Severity** | [SEV level] |\n| **Time to Detect (TTD)** | [minutes] |\n| **Time to Mitigate (TTM)** | [minutes] |\n| **Time to Resolve (TTR)** | [minutes] |\n| **User Impact** | [scope] |\n\n---\n\n## Detailed Timeline\n\n| Time (UTC) | Event | Impact | Notes |\n|------------|-------|--------|-------|\n| [time] | [event] | [impact] | [context] |\n\n---\n\n## 5 Whys Analysis\n\n**Symptom**: [What users/systems experienced]\n\n1. **Why** did [symptom] occur?\n ā†’ [cause 1]\n\n2. **Why** did [cause 1] happen?\n ā†’ [cause 2]\n\n3. **Why** did [cause 2] happen?\n ā†’ [cause 3]\n\n4. **Why** did [cause 3] happen?\n ā†’ [cause 4]\n\n5. **Why** did [cause 4] happen?\n ā†’ [root cause]\n\n---\n\n## Contributing Factors\n\n| Factor | Category | Contribution |\n|--------|----------|-------------|\n| [factor] | Process / Technology / Environment | [how it contributed] |\n\n---\n\n## What Went Well\n\n- [positive observation about response]\n- [effective process or tool]\n- [good decision made]\n\n---\n\n## What Could Improve\n\n- [improvement area with specific suggestion]\n- [process gap identified]\n- [tooling limitation]\n\n---\n\n## Corrective Actions\n\n| # | Action | Owner | Priority | Due Date | Status |\n|---|--------|-------|----------|----------|--------|\n| 1 | [Prevent recurrence] | [name] | P0 | [date] | ā¬œ Open |\n| 2 | [Improve detection] | [name] | P1 | [date] | ā¬œ Open |\n| 3 | [Process improvement] | [name] | P2 | [date] | ā¬œ Open |\n\n---\n\n## Follow-Up\n\n- **Action Item Review Date**: [date]\n- **Next Incident Review**: [date]\n\n---\n\n## Approvals\n\n| Role | Name | Approved |\n|------|------|----------|\n| Incident Commander | [name] | ā˜ |\n| Engineering Lead | [name] | ā˜ |\n| SRE Lead | [name] | ā˜ |\n\n---\n\n*This post-mortem was generated using blameless principles. The goal is learning and improvement, not blame.*" }, "action_buttons": [ { "action_button": { "$ref": "ab-download-pdf" }, "sort_order": 1 }, { "action_button": { "$ref": "ab-copy-clipboard" }, "sort_order": 2 }, { "action_button": { "$ref": "ab-email-stakeholders" }, "sort_order": 3 } ], "default_action_button": { "$ref": "ab-download-pdf" } }, { "spec": { "$id": "ns-corrective-actions", "name": "Corrective Actions", "slug": "incident-corrective-actions", "description": "Extracts and categorizes all actionable follow-up items and preventative measures from the incident discussion.", "icon_name": "clipboard-check", "color": "#10B981", "type": "ai", "ai_prompt": "Extract all corrective actions from this post-mortem discussion.\n\n---\n\n# Corrective Action Plan\n\n**Incident**: INC-[ID]\n**Generated**: [today]\n\n---\n\n## Action Items\n\n| # | Action | Owner | Priority | Due Date | Category | Status |\n|---|--------|-------|----------|----------|----------|--------|\n| 1 | [action] | [name] | P0 | [date] | Prevention | ā¬œ |\n| 2 | [action] | [name] | P1 | [date] | Detection | ā¬œ |\n| 3 | [action] | [name] | P2 | [date] | Process | ā¬œ |\n\n---\n\n## Categories\n\n### Prevention (Stop it from happening)\n- [actions that address root cause]\n\n### Detection (Find it faster)\n- [monitoring, alerting improvements]\n\n### Response (Fix it quicker)\n- [runbook, tooling improvements]\n\n### Process (Work better)\n- [communication, coordination improvements]\n\n---\n\n## Tracking\n\n- **Review Checkpoint**: [date]\n- **Owner for Follow-Up**: [name]\n- **Escalation Path**: [if overdue, escalate to]" }, "action_buttons": [ { "action_button": { "$ref": "ab-copy-clipboard" }, "sort_order": 1 }, { "action_button": { "$ref": "ab-send-jira" }, "sort_order": 2 }, { "action_button": { "$ref": "ab-email-stakeholders" }, "sort_order": 3 } ], "default_action_button": { "$ref": "ab-send-jira" } }, { "spec": { "$id": "ns-trend-report", "name": "Incident Trend Report", "slug": "incident-trend-report", "description": "Synthesizes incident data into a trend analysis report to identify recurring patterns and systemic risks.", "icon_name": "chart-line", "color": "#6366F1", "type": "ai", "ai_prompt": "Generate an incident trend analysis based on this review session.\n\n---\n\n# Incident Trend Report\n\n**Period**: [date range]\n**Generated**: [today]\n**Reviewed By**: [participants]\n\n---\n\n## Summary Statistics\n\n| Metric | This Period | Previous | Trend |\n|--------|-------------|----------|-------|\n| **Total Incidents** | [N] | [N] | ā†‘ ā†“ ā†’ |\n| **SEV1/2 Count** | [N] | [N] | ā†‘ ā†“ ā†’ |\n| **Avg TTR (mins)** | [N] | [N] | ā†‘ ā†“ ā†’ |\n| **PM Completion** | [%] | [%] | ā†‘ ā†“ ā†’ |\n\n---\n\n## Severity Distribution\n\n| Severity | Count | % of Total |\n|----------|-------|------------|\n| SEV1 | [N] | [%] |\n| SEV2 | [N] | [%] |\n| SEV3 | [N] | [%] |\n| SEV4 | [N] | [%] |\n\n---\n\n## Patterns Identified\n\n### Recurring Issues\n| Pattern | Frequency | Examples | Root Category |\n|---------|-----------|----------|---------------|\n| [pattern] | [N] times | INC-X, INC-Y | [category] |\n\n### Emerging Trends\n- [new pattern observed]\n\n### Positive Trends\n- [improvement observed]\n\n---\n\n## Top Contributors\n\n| Category | Incidents | Actions |\n|----------|-----------|--------|\n| [category] | [N] | [recommended action] |\n\n---\n\n## Recommendations\n\n| Priority | Recommendation | Expected Impact | Owner |\n|----------|----------------|-----------------|-------|\n| 1 | [rec] | [impact] | [team] |\n| 2 | [rec] | [impact] | [team] |\n\n---\n\n## Action Item Status (from Previous PMs)\n\n| Status | Count |\n|--------|-------|\n| āœ… Completed | [N] |\n| šŸŸ” In Progress | [N] |\n| šŸ”“ Overdue | [N] |\n| ā¬œ Not Started | [N] |" }, "action_buttons": [ { "action_button": { "$ref": "ab-download-pdf" }, "sort_order": 1 }, { "action_button": { "$ref": "ab-email-stakeholders" }, "sort_order": 2 }, { "action_button": { "$ref": "ab-copy-clipboard" }, "sort_order": 3 } ], "default_action_button": { "$ref": "ab-download-pdf" } }, { "spec": { "$id": "ns-customer-notification", "name": "Customer Notification", "slug": "incident-customer-notification", "description": "Drafts a clear, non-technical incident notification suitable for external status pages or customer emails.", "icon_name": "users", "color": "#0EA5E9", "type": "ai", "ai_prompt": "Generate a customer-facing incident notification suitable for email or status page. Use clear, non-technical language appropriate for end users.\n\n---\n\n# Service Incident Notification\n\n**Subject**: [Service Name] ā€” Service Disruption [Resolved/Update]\n\n---\n\nDear Valued Customer,\n\nWe want to inform you about a service issue that [is affecting / affected] [service description].\n\n## What Happened\n\n[2-3 sentences in plain language. Avoid technical jargon. Focus on user-visible impact.]\n\n## Impact\n\n**Affected Services**: [list services in user-friendly terms]\n**Duration**: [start time] to [end time or \"ongoing\"]\n**Affected Regions**: [if applicable]\n\n## Current Status\n\n[Status in plain language: \"We have identified the issue and are working on a fix\" / \"The issue has been resolved\"]\n\n## What We're Doing\n\n[1-2 sentences about remediation steps, in plain language]\n\n## What You Can Do\n\n[Any user actions, workarounds, or \"no action needed\"]\n\n## Next Update\n\nWe will provide another update [at specific time / when status changes].\n\n---\n\nWe sincerely apologize for any inconvenience this may have caused. Our team is committed to providing reliable service, and we are taking steps to prevent similar issues in the future.\n\nIf you have questions, please contact [support channel].\n\nThank you for your patience and understanding.\n\n[Company Name] Support Team\n\n---\n\n*Incident Reference: [ID]*" }, "action_buttons": [ { "action_button": { "$ref": "ab-email-stakeholders" }, "sort_order": 1 }, { "action_button": { "$ref": "ab-copy-clipboard" }, "sort_order": 2 }, { "action_button": { "$ref": "ab-send-slack" }, "sort_order": 3 } ], "default_action_button": { "$ref": "ab-email-stakeholders" } } ], "action_buttons": [ { "spec": { "$id": "ab-copy-clipboard", "name": "Copy to Clipboard", "slug": "incident-copy-clipboard", "delivery_mechanism": "clipboard", "content_format": "plain_text", "sort_order": 1 } }, { "spec": { "$id": "ab-email-stakeholders", "name": "Email Stakeholders", "slug": "incident-email-stakeholders", "delivery_mechanism": "email", "content_format": "rich_text", "sort_order": 2 } }, { "spec": { "$id": "ab-send-slack", "name": "Post to Incident Channel", "slug": "incident-send-slack", "delivery_mechanism": "integration", "content_format": "rich_text", "integration_type": "slack", "sort_order": 3 } }, { "spec": { "$id": "ab-send-jira", "name": "Create Jira Tickets", "slug": "incident-send-jira", "delivery_mechanism": "integration", "content_format": "rich_text", "integration_type": "jira", "sort_order": 4 } }, { "spec": { "$id": "ab-download-pdf", "name": "Download PDF", "slug": "incident-download-pdf", "delivery_mechanism": "file_download", "content_format": "rich_text", "file_format": "pdf", "sort_order": 5 } }, { "spec": { "$id": "ab-send-pagerduty", "name": "Update PagerDuty", "slug": "incident-send-pagerduty", "delivery_mechanism": "webhook", "content_format": "plain_text", "webhook_url": "{{pagerduty_webhook_url}}", "sort_order": 6 } } ], "shortcuts": [ { "spec": { "$id": "sc-classify-severity", "name": "Classify Severity", "slug": "incident-classify-severity", "description": "AI assesses incident severity (SEV1-4) based on impact and urgency from discussion", "icon_name": "bolt", "color": "#EF4444", "surfaces": [ { "surface": "MEETING_RUN", "position": 1 } ], "prompt": "You are an incident classification assistant. Analyze the LAST 3-5 MINUTES of transcript to assess incident severity.\n\n**Severity Criteria:**\n\n| Level | User Impact | Revenue | SLA | Response |\n|-------|-------------|---------|-----|----------|\n| **SEV1** | All users affected | Direct loss | Breach imminent | All hands |\n| **SEV2** | Many users, major feature | Significant risk | At risk | Immediate |\n| **SEV3** | Some users, workaround exists | Minimal | Safe | Same day |\n| **SEV4** | Few users, cosmetic | None | Safe | Scheduled |\n\n**Your task:**\n1. Listen for impact indicators (users, revenue, features affected)\n2. Identify urgency signals (escalation, exec attention, customer complaints)\n3. Note any explicit severity assessments mentioned\n4. Recommend a severity level with justification\n\n**Write to meeting notes:**\n\nšŸšØ **SEVERITY ASSESSMENT**\n\n**Recommended**: SEV[level]\n\n**Justification**:\n- User impact: [assessment]\n- Revenue risk: [assessment]\n- SLA status: [assessment]\n\n**Evidence from discussion**:\n> [relevant quotes]\n\n**Confirm with team**: \"Based on the discussion, I recommend SEV[level] because [reason]. Does the team agree?\"" } }, { "spec": { "$id": "sc-build-timeline", "name": "Build Timeline", "slug": "incident-build-timeline", "description": "AI extracts timestamps and events from chaotic real-time discussion to build incident timeline", "icon_name": "clock-rotate-left", "color": "#F97316", "surfaces": [ { "surface": "MEETING_RUN", "position": 2 } ], "prompt": "You are the incident scribe. Analyze the ENTIRE transcript to extract and organize the incident timeline.\n\n**Your task:**\n1. Find ALL timestamps mentioned (explicit times, relative times like '30 minutes ago')\n2. Identify key events: detection, escalation, actions taken, status changes\n3. Note WHO reported or discovered each event\n4. Convert relative times to absolute UTC if possible\n\n**Write to meeting notes:**\n\nā±ļø **INCIDENT TIMELINE** (auto-extracted)\n\n| Time (UTC) | Event | Source | Notes |\n|------------|-------|--------|-------|\n| [time] | [First detection] | [who/what] | [context] |\n| [time] | [Next event] | [who/what] | [context] |\n\n**Timeline Quality**:\n- Gaps identified: [any missing time periods]\n- Conflicting accounts: [any discrepancies]\n\n**Confirm**: \"I've extracted [N] timeline events. Please review for accuracy.\"" } }, { "spec": { "$id": "sc-assign-roles", "name": "Assign Roles", "slug": "incident-assign-roles", "description": "AI identifies incident roles (IC, Comms, Tech Lead, Scribe) from discussion", "icon_name": "user-question", "color": "#8B5CF6", "surfaces": [ { "surface": "MEETING_RUN", "position": 3 } ], "prompt": "You are the incident coordination assistant. Analyze the transcript to identify and confirm role assignments.\n\n**ICS-Style Roles:**\n- **Incident Commander (IC)**: Overall coordination, decision authority\n- **Communications Lead**: Status page, stakeholder updates\n- **Tech Lead**: Technical investigation, fix implementation\n- **Scribe**: Timeline, notes, action tracking\n\n**Your task:**\n1. Listen for explicit role assignments ('I'll be IC', 'Can you handle comms?')\n2. Infer roles from actions ('I'll update the status page' = likely Comms)\n3. Identify gaps (roles not yet assigned)\n\n**Write to meeting notes:**\n\nšŸ‘„ **ROLE ASSIGNMENTS** (extracted)\n\n| Role | Assigned | Status |\n|------|----------|--------|\n| Incident Commander | [name or TBD] | āœ… / āš ļø Needed |\n| Communications Lead | [name or TBD] | āœ… / āš ļø Needed |\n| Tech Lead | [name or TBD] | āœ… / āš ļø Needed |\n| Scribe | [name or TBD] | āœ… / āš ļø Needed |\n\n**Gaps**: [list unfilled roles]\n\n**Confirm**: \"Role assignments captured. [Names of gaps] still need to be assigned.\"" } }, { "spec": { "$id": "sc-status-update", "name": "Status Update", "slug": "incident-status-update", "description": "AI synthesizes current incident state for stakeholder communication", "icon_name": "message-question", "color": "#10B981", "surfaces": [ { "surface": "MEETING_RUN", "position": 4 } ], "prompt": "You are the communications assistant. Generate a stakeholder-ready status update based on the current discussion.\n\n**Your task:**\n1. Summarize current status (Investigating/Identified/Mitigating/Resolved)\n2. Describe impact in business terms (not technical jargon)\n3. List active mitigation efforts\n4. Provide realistic ETA or next update time\n\n**Write to meeting notes:**\n\nšŸ“¢ **STATUS UPDATE DRAFT** [{timestamp}]\n\n**Status**: [Investigating / Identified / Mitigating / Resolved]\n\n**Summary**: [2-3 sentences for stakeholders]\n\n**Impact**: [User-facing description]\n\n**Actions**: [What we're doing now]\n\n**ETA/Next Update**: [Time or 'in X minutes']\n\n---\n\n**Confirm**: \"Draft status update ready. Comms Lead, please review and post.\"" } }, { "spec": { "$id": "sc-five-whys", "name": "5 Whys Analysis", "slug": "incident-five-whys", "description": "AI facilitates root cause analysis by tracing causal chain from symptoms", "icon_name": "bullseye", "color": "#6366F1", "surfaces": [ { "surface": "MEETING_RUN", "position": 5 } ], "prompt": "You are a root cause analysis facilitator. Guide the team through 5 Whys analysis based on the discussion.\n\n**5 Whys Framework:**\n- Start with the symptom (what users/systems experienced)\n- Ask 'Why?' iteratively until you reach systemic causes\n- Look for process/technology/environment factors, NOT individual blame\n- Multiple branches are OK if there are multiple contributing causes\n\n**Your task:**\n1. Identify the symptom from discussion\n2. Extract each 'why' level from the conversation\n3. Flag where analysis stopped or needs more depth\n4. Highlight systemic vs. surface causes\n\n**Write to meeting notes:**\n\nšŸ”¬ **5 WHYS ANALYSIS**\n\n**Symptom**: [What users/systems experienced]\n\n1. **Why** did [symptom] occur?\n ā†’ [cause 1] *(from discussion)*\n\n2. **Why** did [cause 1] happen?\n ā†’ [cause 2] *(from discussion)*\n\n3. **Why** did [cause 2] happen?\n ā†’ [cause 3 or 'needs investigation']*\n\n4. **Why** did [cause 3] happen?\n ā†’ [cause 4 or 'needs investigation']*\n\n5. **Why** did [cause 4] happen?\n ā†’ [root cause or 'needs investigation']*\n\n**Root Cause Category**: [Process / Technology / Environment]\n\n**Analysis Gaps**: [Where more investigation is needed]\n\n**Confirm**: \"5 Whys captured through level [N]. Continue digging into [specific area]?\"" } }, { "spec": { "$id": "sc-contributing-factors", "name": "Contributing Factors", "slug": "incident-contributing-factors", "description": "AI extracts all contributing factors using multi-factor analysis", "icon_name": "chart-line-up", "color": "#EC4899", "surfaces": [ { "surface": "MEETING_RUN", "position": 6 } ], "prompt": "You are a multi-factor analysis facilitator. Extract ALL contributing factors (not just one root cause).\n\n**Factor Categories:**\n- **Process**: Missing runbooks, unclear ownership, communication gaps\n- **Technology**: Bugs, capacity limits, configuration errors, monitoring gaps\n- **People**: Training gaps, fatigue, handoff issues (blameless!)\n- **Environment**: Third-party dependencies, network issues, external factors\n\n**Your task:**\n1. Listen for ALL factors mentioned, even minor ones\n2. Categorize each factor\n3. Assess contribution level (primary, secondary, contributing)\n4. Note interactions between factors\n\n**Write to meeting notes:**\n\nšŸ”€ **CONTRIBUTING FACTORS**\n\n| Factor | Category | Contribution | Notes |\n|--------|----------|--------------|-------|\n| [factor] | Process/Tech/People/Env | Primary | [context] |\n| [factor] | Process/Tech/People/Env | Secondary | [context] |\n| [factor] | Process/Tech/People/Env | Contributing | [context] |\n\n**Factor Interactions**: [How factors combined to cause incident]\n\n**Primary Focus for Prevention**: [Most impactful factor to address]\n\n**Confirm**: \"Identified [N] contributing factors. Any factors I missed?\"" } }, { "spec": { "$id": "sc-blameless-summary", "name": "Blameless Summary", "slug": "incident-blameless-summary", "description": "AI generates post-mortem summary focused on systems improvement", "icon_name": "lightbulb", "color": "#059669", "surfaces": [ { "surface": "MEETING_RUN", "position": 7 } ], "prompt": "You are a blameless post-mortem facilitator. Generate a summary focused entirely on SYSTEMS and PROCESSES, not individuals.\n\n**Blameless Principles:**\n- Focus on 'what' and 'how', not 'who'\n- Treat human error as a symptom, not a cause\n- Ask 'why did the system allow this?' not 'why did they do this?'\n- Look for systemic improvements, not individual training\n\n**Your task:**\n1. Reframe any blame-oriented statements as system questions\n2. Identify systemic improvements that would prevent recurrence\n3. Highlight process and tooling gaps\n4. Celebrate what worked well in the response\n\n**Write to meeting notes:**\n\nāœ… **BLAMELESS SUMMARY**\n\n**What happened** (systems perspective):\n[Description without naming individuals or assigning blame]\n\n**Why the system allowed this**:\n- [Systemic factor 1]\n- [Systemic factor 2]\n\n**What worked well**:\n- [Positive aspect of response]\n- [Effective process or tool]\n\n**Systemic improvements**:\n| Area | Current State | Recommended Change |\n|------|--------------|--------------------|\n| [area] | [current] | [improvement] |\n\n**Confirm**: \"Blameless summary generated. Review for any remaining blame language.\"" } }, { "spec": { "$id": "sc-action-tracker", "name": "Extract Actions", "slug": "incident-action-tracker", "description": "AI extracts corrective action items with owners, due dates, and priority", "icon_name": "square-list", "color": "#3B82F6", "surfaces": [ { "surface": "MEETING_RUN", "position": 8 } ], "prompt": "You are the action item tracker. Extract ALL corrective actions from the post-mortem discussion.\n\n**Action Categories:**\n- **Prevention**: Stop this from happening again\n- **Detection**: Find it faster next time\n- **Response**: Fix it quicker\n- **Process**: Improve coordination and communication\n\n**Your task:**\n1. Listen for commitments: 'We should...', 'Action item:', 'I'll create a ticket for...'\n2. Identify owners (explicit or implied)\n3. Extract deadlines (explicit or infer from context: P0=immediate, P1=this sprint, P2=backlog)\n4. Categorize each action\n\n**Write to meeting notes:**\n\nšŸ“‹ **CORRECTIVE ACTIONS**\n\n| # | Action | Owner | Priority | Category | Due |\n|---|--------|-------|----------|----------|-----|\n| 1 | [action] | [name] | P0/P1/P2 | [category] | [date] |\n| 2 | [action] | [name] | P0/P1/P2 | [category] | [date] |\n\n**Actions by Category:**\n- Prevention: [count]\n- Detection: [count]\n- Response: [count]\n- Process: [count]\n\n**Unassigned Actions**: [list any without owners]\n\n**Confirm**: \"Captured [N] corrective actions. [M] still need owners.\"" } }, { "spec": { "$id": "sc-change-correlation", "name": "Change Correlation", "slug": "incident-change-correlation", "description": "AI prompts for and correlates recent deployments, config changes, and feature flags with incident timing", "icon_name": "briefcase-arrow-right", "color": "#F59E0B", "surfaces": [ { "surface": "MEETING_RUN", "position": 9 } ], "prompt": "You are a change correlation analyst. Help the team identify if recent changes may have caused or contributed to this incident.\n\n**Change Categories:**\n- **Deployments**: Code releases, container updates, infrastructure changes\n- **Configuration**: Environment variables, feature flags, database migrations\n- **Dependencies**: Third-party service updates, library upgrades\n- **Infrastructure**: Scaling events, network changes, DNS updates\n\n**Your task:**\n1. Listen for mentions of recent changes (\"we deployed yesterday\", \"that feature flag\", etc.)\n2. Prompt the team to check: \"Were there any deployments in the last 24 hours?\"\n3. Document all changes mentioned with timestamps\n4. Correlate change timing with incident start time\n5. Identify potential rollback options\n\n**Write to meeting notes:**\n\nšŸ”€ **CHANGE CORRELATION**\n\n**Incident Start**: [time UTC]\n\n### Recent Changes (72-hour window)\n\n| Time | Type | Change | Owner | Potential Correlation |\n|------|------|--------|-------|----------------------|\n| | Deploy | | | šŸ”“ High / šŸŸ” Medium / šŸŸ¢ Low |\n| | Config | | | šŸ”“ High / šŸŸ” Medium / šŸŸ¢ Low |\n| | Dependency | | | šŸ”“ High / šŸŸ” Medium / šŸŸ¢ Low |\n\n### Feature Flags Changed\n| Flag | Previous | Current | Changed By | When |\n|------|----------|---------|------------|------|\n| | | | | |\n\n### Rollback Options\n- [ ] [Change 1]: Can rollback via [method]\n- [ ] [Change 2]: Cannot rollback because [reason]\n\n**Highest Correlation**: [Most likely change contributor]\n\n**Confirm**: \"Identified [N] recent changes. [Change X] has highest correlation with incident timing.\"" } } ], "workflows": [ { "spec": { "$id": "wf-post-mortem-review", "name": "Post-Mortem Review & Distribution", "slug": "incident-pm-review", "description": "Multi-step workflow: Generate post-mortem ā†’ Tech Lead review ā†’ IC approval ā†’ Distribute to team", "spec": { "schema_version": "1.0", "entry": "generate-postmortem", "nodes": [ { "id": "generate-postmortem", "type": "next_step", "data": { "label": "Generate Post-Mortem", "next_step_id": "$ref:ns-post-mortem-doc", "notes": "Automatically generates a structured post-mortem document from the incident timeline, transcript, and resolution notes. Includes root cause analysis, impact assessment, and corrective action recommendations." } }, { "id": "tech-lead-review", "type": "review", "data": { "label": "Tech Lead Review", "assignee": { "ref": "specific_role", "role": "Tech Lead" }, "notes": "Review technical accuracy of timeline, root cause analysis, and corrective actions. Ensure blameless language is used throughout." } }, { "id": "ic-approval", "type": "review", "data": { "label": "IC Approval", "assignee": { "ref": "specific_role", "role": "Incident Commander" }, "notes": "Approve post-mortem for distribution. Verify all corrective actions have owners and due dates." } }, { "id": "distribute", "type": "deliver", "data": { "label": "Distribute Post-Mortem", "destination_type": "email", "destination_config": { "to": [ "{{all_participants}}" ], "subject": "Post-Mortem Report: {{.title}}" }, "input_from": "generate-postmortem", "payload_template": "{{.step.generated_text}}", "notes": "Emails the approved post-mortem to all meeting participants. The email subject includes the meeting title and the body contains the AI-generated post-mortem rendered from markdown." } }, { "id": "revision-needed", "type": "alert", "data": { "label": "Revision Needed", "recipient": { "ref": "object_owner" }, "include_reject_reason": true, "notes": "Notifies the meeting owner that the post-mortem was rejected with the reviewer's feedback. The owner should revise and re-trigger the workflow." } } ], "edges": [ { "id": "e1", "source": "generate-postmortem", "target": "tech-lead-review", "type": "default" }, { "id": "e2", "source": "tech-lead-review", "target": "ic-approval", "type": "approve", "label": "Approved" }, { "id": "e3", "source": "tech-lead-review", "target": "revision-needed", "type": "reject", "label": "Needs Revision" }, { "id": "e4", "source": "ic-approval", "target": "distribute", "type": "approve", "label": "Approved" }, { "id": "e5", "source": "ic-approval", "target": "revision-needed", "type": "reject", "label": "Needs Revision" } ] } } } ], "canvas_templates": [ { "spec": { "$id": "ct-incident-report", "name": "Incident Report", "slug": "incident-report-canvas", "description": "Structured incident record for compliance and historical reference", "usage_guidance": "Created automatically when an incident is declared. Updated throughout the incident lifecycle.", "content_schema_version": "1.0", "content": "# Incident Report\n\n## Overview\n\n| Field | Value |\n|-------|-------|\n| **Incident ID** | {{incident_id}} |\n| **Severity** | {{severity}} |\n| **Status** | {{status}} |\n| **Start Time** | {{start_time}} |\n| **Resolution Time** | {{resolution_time}} |\n| **Duration** | {{duration}} |\n\n---\n\n## Impact Summary\n\n| Dimension | Details |\n|-----------|--------|\n| **Users Affected** | |\n| **Services Affected** | |\n| **Revenue Impact** | |\n| **SLA Status** | |\n\n---\n\n## Timeline\n\n| Time (UTC) | Event | Actor |\n|------------|-------|-------|\n| | Detection | |\n| | Escalation | |\n| | Mitigation | |\n| | Resolution | |\n\n---\n\n## Root Cause Summary\n\n> [Brief description ā€” full analysis in post-mortem]\n\n---\n\n## Resolution\n\n[What was done to resolve the incident]\n\n---\n\n## Corrective Actions\n\n| Action | Owner | Due | Status |\n|--------|-------|-----|--------|\n| | | | ā¬œ |\n\n---\n\n*Post-mortem: {{postmortem_link}}*" } }, { "spec": { "$id": "ct-post-mortem", "name": "Blameless Post-Mortem", "slug": "incident-postmortem-canvas", "description": "Collaborative post-mortem document for root cause analysis and corrective actions", "usage_guidance": "Populated during post-mortem meeting. Tech Lead and IC review before distribution.", "content_schema_version": "1.0", "content": "# Blameless Post-Mortem\n\n**Incident**: {{incident_id}}\n**Date**: {{incident_date}}\n**Status**: Draft\n\n---\n\n## Executive Summary\n\n[4-5 sentence summary using blameless language]\n\n---\n\n## Metrics\n\n| Metric | Value |\n|--------|-------|\n| **Time to Detect (TTD)** | mins |\n| **Time to Mitigate (TTM)** | mins |\n| **Time to Resolve (TTR)** | mins |\n\n---\n\n## Detailed Timeline\n\n| Time (UTC) | Event | Impact | Notes |\n|------------|-------|--------|-------|\n| | | | |\n\n---\n\n## 5 Whys Analysis\n\n**Symptom**: [What users experienced]\n\n1. **Why?** ā†’\n2. **Why?** ā†’\n3. **Why?** ā†’\n4. **Why?** ā†’\n5. **Why?** ā†’ [Root cause]\n\n---\n\n## Contributing Factors\n\n| Factor | Category | Contribution |\n|--------|----------|-------------|\n| | Process/Tech/People/Env | |\n\n---\n\n## What Went Well\n\n- \n\n## What Could Improve\n\n- \n\n---\n\n## Corrective Actions\n\n| # | Action | Owner | Priority | Due | Status |\n|---|--------|-------|----------|-----|--------|\n| 1 | | | P0/P1/P2 | | ā¬œ |\n\n---\n\n## Approvals\n\n| Role | Name | Date | Approved |\n|------|------|------|----------|\n| Tech Lead | | | ā˜ |\n| IC | | | ā˜ |" } }, { "spec": { "$id": "ct-war-room-board", "name": "War Room Status Board", "slug": "incident-warroom-canvas", "description": "Live status board for active incident coordination", "usage_guidance": "Keep open during war room calls. Update status and actions in real-time.", "content_schema_version": "1.0", "content": "# šŸšØ War Room Status Board\n\n## Current Status\n\n| Field | Value |\n|-------|-------|\n| **Incident** | {{incident_id}} |\n| **Severity** | {{severity}} |\n| **Status** | ā˜ Investigating ā˜ Identified ā˜ Mitigating ā˜ Resolved |\n| **Last Update** | {{last_update}} |\n\n---\n\n## Role Assignments\n\n| Role | Name | Contact |\n|------|------|--------|\n| **Incident Commander** | | |\n| **Communications Lead** | | |\n| **Tech Lead** | | |\n| **Scribe** | | |\n\n---\n\n## Active Workstreams\n\n| Workstream | Owner | Status | Notes |\n|------------|-------|--------|-------|\n| | | šŸ”“ šŸŸ” šŸŸ¢ | |\n| | | šŸ”“ šŸŸ” šŸŸ¢ | |\n\n---\n\n## Timeline (Latest First)\n\n| Time | Event |\n|------|-------|\n| | |\n\n---\n\n## Communication Log\n\n| Time | Channel | Message | Sender |\n|------|---------|---------|--------|\n| | | | |\n\n---\n\n## Pending Actions\n\n- [ ] \n- [ ] \n\n---\n\n**Next Sync**: [time] or [condition]" } } ] } }