What should teams capture before and after an AI agent incident?
Answer
Before a session: note agent and model version, branch, deploy environment, blast radius, and who approves destructive commands.

During: watch for production shell access, bulk deletes, schema changes, and force pushes; record wall-clock time when symptoms start.

After: export full JSONL (not chat screenshots), run `incidentscribe render` or upload to the free viewer, filter critical events into the ticket, fill a blameless postmortem using the pack's filled sample as reference, and attach timeline MD/JSON to the incident issue.

The pack's FORENSIC-CHECKLIST.md expands this into a printable checklist.
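A sketch of the "filter critical events into the ticket" step, added here as an example and not IncidentScribe's own code. The field names `ts`, `env` and `command`, the `critical_events` helper and the sample lines are assumptions; map them to the schema of your actual export.

```python
import json
import re

# Constructed sample export; field names are assumptions, not a documented schema.
SAMPLE_JSONL = """\
{"ts": "2024-05-01T10:00:02Z", "env": "staging", "command": "git status"}
{"ts": "2024-05-01T10:03:40Z", "env": "production", "command": "ssh deploy@app-1 'systemctl restart api'"}
{"ts": "2024-05-01T10:04:10Z", "env": "production", "command": "psql -c 'DROP TABLE sessions'"}
{"ts": "2024-05-01T10:05:55Z", "env": "staging", "command": "git push --force origin main"}
{"ts": "2024-05-01T10:06:30Z", "env": "staging", "command": "rm -rf ./build"}
{"ts": "2024-05-01T10:07:
"""

# One pattern per destructive category named in the checklist above.
RULES = [
    ("force_push", re.compile(r"\bgit\s+push\b.*(--force\b|\s-f\b)")),
    ("schema_change", re.compile(r"\b(DROP|ALTER)\s+(TABLE|COLUMN|INDEX|SCHEMA|DATABASE)\b", re.I)),
    ("bulk_delete", re.compile(r"\brm\s+-\w*r\w*|\bTRUNCATE\s+TABLE\b|\bDELETE\s+FROM\s+\w+\s*(;|'|\"|$)", re.I)),
]


def critical_events(jsonl_text):
    """Return (flagged, skipped): flagged events with reasons, unparseable line numbers."""
    flagged, skipped = [], []
    for lineno, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped.append(lineno)  # a truncated export is itself worth noting in the ticket
            continue
        if not isinstance(event, dict):
            skipped.append(lineno)
            continue
        command = str(event.get("command", ""))
        reasons = [name for name, pattern in RULES if pattern.search(command)]
        if event.get("env") == "production":  # assumption: any production command counts
            reasons.insert(0, "production_shell")
        if reasons:
            flagged.append({"line": lineno, "ts": event.get("ts"), "reasons": reasons, "command": command})
    return flagged, skipped


if __name__ == "__main__":
    events, bad_lines = critical_events(SAMPLE_JSONL)
    for e in events:
        print(f"- {e['ts']} [{', '.join(e['reasons'])}] `{e['command']}`")
    print(f"unparseable lines: {bad_lines}")
```

The skipped line numbers matter as much as the flagged events: an export that stops mid-record means the timeline is incomplete and should say so.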
Related workflows
Start with the free IncidentScribe timeline viewer or CLI to validate JSONL exports. The Postmortem Pack adds blameless, executive-summary, and security-incident templates, a two-week team rollout guide, forensic checklist, and a GitHub Action that uploads rendered timelines as workflow artifacts or issue comments.
Next steps
Install the pack from Hermes Plant, run `incidentscribe render session.jsonl --template blameless -o postmortem.md`, and copy `github-action/attach-timeline/` into your repo for CI. Pair with DestructGuard audit logs when approve-or-abort decisions matter for the timeline.