/silver:incident

SB-orchestrated production incident response for active runtime failures, release regressions, and customer-impacting defects — assess blast radius, diagnose, secure, verify recovery, and document the postmortem.

Overview

/silver:incident is the Silver Bullet orchestrator for production incident response. It extends forensic reconstruction with impact assessment, containment decisions, security review, recovery verification, and corrective-action ownership.

It never treats ad hoc firefighting as the workflow. Severity is established first, blast radius is assessed before deep investigation, and every mitigation step produces traceable evidence before the incident is closed.

/silver:incident maps to WF-SILVER-INCIDENT in the v0.48.3 APO catalog. Standard composition:

BLAST_RADIUS → DEBUG → SECURE → VERIFY → DOCUMENT

Primary artifact: .planning/INCIDENT.md. See Composable Flows for catalog authority and V-loop rollup rules.

Live failure vs reconstruction: For an active error with a known cause, prefer /silver:debug (AF-DEBUG in isolation). Invoke /silver:forensics when the failure path is unclear and must be reconstructed from evidence.

When to Use

Entry trigger signals for /silver:incident:

  • Production outage, degraded service, or customer-impacting regression
  • Release rollback or hotfix decision under time pressure
  • Security incident requiring containment before root-cause analysis
  • Post-incident documentation and corrective-action filing

Not for: routine bug fixes in development (/silver:bugfix), historical session reconstruction without active impact (/silver:forensics), or process retrospectives after closure (/silver:retro).

Catalog Composition

Atomic flowCommandOutcome
AF-BLAST-RADIUS/silver:blast-radiusImpact scope, affected surfaces, rollback/containment options
AF-DEBUG/silver:debugRoot-cause diagnosis from logs, deploy history, monitoring, and changed files
AF-SECURE/silver:secureSecurity boundary review and LLM-safety checks on incident artifacts
AF-VERIFY/silver:verifyRecovery verification and canary evidence after mitigation
AF-DOCUMENT/silver:ensure-docsDurable incident record and timeline in .planning/INCIDENT.md

Domain audit packs (incident-retro, runtime/API/data/security) may be applied during AF-DEBUG and AF-SECURE. Corrective actions are filed through /silver:add; recurring process gaps feed /silver:retro.

Atomic Flow Execution

AF-BLAST-RADIUS — Establish impact before investigation

Invoke /silver:blast-radius. Assess severity, affected users/systems, and whether mitigation or rollback is required before investigation continues. Produces ART-BLAST_RADIUS with rollback/risk controls.

AF-DEBUG — Diagnose and contain

Invoke /silver:debug. Capture evidence from logs, CI/deploy history, release notes, user reports, monitoring, and changed files. When the failure path is unclear, apply /silver:forensics for root-cause reconstruction.

AF-SECURE — Security review

Invoke /silver:secure. Review incident artifacts and changed code for security implications. Required when the incident involves credentials, data exposure, or supply-chain risk.

AF-VERIFY — Confirm recovery

Invoke /silver:verify. Produce verification and canary evidence that the user-impacting state is mitigated or explicitly accepted.

AF-DOCUMENT — Postmortem and corrective actions

Invoke /silver:ensure-docs. Write or update .planning/INCIDENT.md with impact summary, timeline, root cause, contributing process gaps, and tracked corrective actions.

Artifacts & Exit Gate

.planning/INCIDENT.md must include:

  • Impact summary and affected users/systems
  • Timeline with detection, mitigation, and recovery timestamps
  • Current status and rollback/containment decision
  • Root cause and contributing process gaps (evidence-backed)
  • Corrective actions filed through /silver:add with owner and priority
  • Verification and canary evidence after recovery

The incident workflow is complete only when user-impacting state is mitigated or explicitly accepted, root cause is evidenced, and corrective actions are tracked.

Example Invocation

/silver:incident Production API returning 503s after deploy v2.4.1 — assess impact and contain

Silver Bullet routes to WF-SILVER-INCIDENT. AF-BLAST-RADIUS scopes customer impact and rollback options. AF-DEBUG traces the regression to a config change. AF-SECURE confirms no credential exposure. AF-VERIFY validates recovery on canary. AF-DOCUMENT writes .planning/INCIDENT.md and files follow-up work through /silver:add.