Agent JSONL postmortem playbook
When a Cursor or Claude Code session causes an outage, export the agent session as JSONL before closing the IDE. The file contains tool calls, shell commands, and file edits in arrival order — the raw material IncidentSc…
Capture the session export, Validate before you share, Build and review the timeline
Capture the session export
When a Cursor or Claude Code session causes an outage, export the agent session as JSONL before closing the IDE. The file contains tool calls, shell commands, and file edits in arrival order — the raw material IncidentScribe needs. If DestructGuard was active, also export its JSONL audit log for approve-or-abort decisions.
Validate before you share
Run `incidentscribe validate session.jsonl` locally to catch malformed lines before posting timelines in Slack or a ticket. The validator exits non-zero on parse errors so broken exports do not silently produce incomplete timelines. In the browser viewer you can paste JSONL directly; tolerant parsing warns on unknown lines instead of crashing the run.
Build and review the timeline
Open https://incidentscribe.hermesplant.com/timeline, upload the file, or use `incidentscribe render session.jsonl -o timeline.md`. IncidentScribe sorts events chronologically and flags critical patterns — DROP DATABASE, force pushes, recursive deletes — so reviewers see destructive commands without manual grep. Scan the highlighted rows first, then read backward for context.
Export and attach to the incident
Download Markdown, standalone HTML, or JSON from the web viewer, or pass `--format html` or `--format json` on the CLI. For recurring incidents, `incidentscribe render --batch ./exports/ -o ./timelines/` renders every JSONL in a directory. Postmortem Pack buyers can run `incidentscribe render session.jsonl --template blameless -o postmortem.md` or use the bundled GitHub Action to attach a timeline to an issue.
Close the loop
Feed findings back into prevention: add new DestructGuard blocklist rules for commands that should never run unattended, update the team blocklist policy, and link the timeline in your incident ticket. The goal is a repeatable path from JSONL export to stakeholder-ready facts — not another manual grep spiral.