Overview
/silver:incident is the Silver Bullet orchestrator for production incident response. It extends forensic reconstruction with impact assessment, containment decisions, security review, recovery verification, and corrective-action ownership.
It never treats ad hoc firefighting as the workflow. Severity is established first, blast radius is assessed before deep investigation, and every mitigation step produces traceable evidence before the incident is closed.
/silver:incident maps to WF-SILVER-INCIDENT in the v0.48.3 APO catalog. Standard composition:
Primary artifact: .planning/INCIDENT.md. See Composable Flows for catalog authority and V-loop rollup rules.
/silver:debug (AF-DEBUG in isolation). Invoke /silver:forensics when the failure path is unclear and must be reconstructed from evidence.
When to Use
Entry trigger signals for /silver:incident:
- Production outage, degraded service, or customer-impacting regression
- Release rollback or hotfix decision under time pressure
- Security incident requiring containment before root-cause analysis
- Post-incident documentation and corrective-action filing
Not for: routine bug fixes in development (/silver:bugfix), historical session reconstruction without active impact (/silver:forensics), or process retrospectives after closure (/silver:retro).
Catalog Composition
| Atomic flow | Command | Outcome |
|---|---|---|
AF-BLAST-RADIUS | /silver:blast-radius | Impact scope, affected surfaces, rollback/containment options |
AF-DEBUG | /silver:debug | Root-cause diagnosis from logs, deploy history, monitoring, and changed files |
AF-SECURE | /silver:secure | Security boundary review and LLM-safety checks on incident artifacts |
AF-VERIFY | /silver:verify | Recovery verification and canary evidence after mitigation |
AF-DOCUMENT | /silver:ensure-docs | Durable incident record and timeline in .planning/INCIDENT.md |
Domain audit packs (incident-retro, runtime/API/data/security) may be applied during AF-DEBUG and AF-SECURE. Corrective actions are filed through /silver:add; recurring process gaps feed /silver:retro.
Atomic Flow Execution
AF-BLAST-RADIUS — Establish impact before investigation
Invoke /silver:blast-radius. Assess severity, affected users/systems, and whether mitigation or rollback is required before investigation continues. Produces ART-BLAST_RADIUS with rollback/risk controls.
AF-DEBUG — Diagnose and contain
Invoke /silver:debug. Capture evidence from logs, CI/deploy history, release notes, user reports, monitoring, and changed files. When the failure path is unclear, apply /silver:forensics for root-cause reconstruction.
AF-SECURE — Security review
Invoke /silver:secure. Review incident artifacts and changed code for security implications. Required when the incident involves credentials, data exposure, or supply-chain risk.
AF-VERIFY — Confirm recovery
Invoke /silver:verify. Produce verification and canary evidence that the user-impacting state is mitigated or explicitly accepted.
AF-DOCUMENT — Postmortem and corrective actions
Invoke /silver:ensure-docs. Write or update .planning/INCIDENT.md with impact summary, timeline, root cause, contributing process gaps, and tracked corrective actions.
Artifacts & Exit Gate
.planning/INCIDENT.md must include:
- Impact summary and affected users/systems
- Timeline with detection, mitigation, and recovery timestamps
- Current status and rollback/containment decision
- Root cause and contributing process gaps (evidence-backed)
- Corrective actions filed through
/silver:addwith owner and priority - Verification and canary evidence after recovery
The incident workflow is complete only when user-impacting state is mitigated or explicitly accepted, root cause is evidenced, and corrective actions are tracked.
Example Invocation
Silver Bullet routes to WF-SILVER-INCIDENT. AF-BLAST-RADIUS scopes customer impact and rollback options. AF-DEBUG traces the regression to a config change. AF-SECURE confirms no credential exposure. AF-VERIFY validates recovery on canary. AF-DOCUMENT writes .planning/INCIDENT.md and files follow-up work through /silver:add.