Blameless agent postmortem rollout for engineering teams
Assign one export owner per incident (usually the on-call engineer or incident commander). Export the full agent session JSONL as soon as an incident is declared — before the IDE session buffer clears or the machine is r…
Week 1 — capture JSONL before context is lost, Validate and store the evidence, Pick the right template
Week 1 — capture JSONL before context is lost
Assign one export owner per incident (usually the on-call engineer or incident commander). Export the full agent session JSONL as soon as an incident is declared — before the IDE session buffer clears or the machine is reimaged. Triggers include production outages tied to an agent run, destructive shell commands (DROP, rm -rf, force-push), security reviews of agent tool use, and customer-impacting misconfigurations. Save DestructGuard JSONL audit logs alongside the session export when approve-or-abort decisions are part of the story.
Validate and store the evidence
Run `incidentscribe validate session.jsonl` to catch malformed lines before sharing timelines in Slack or a ticket. Store the raw JSONL in your incident ticket or object storage per retention policy — chat screenshots alone are weak evidence. The export owner produces the draft timeline; the service owner completes narrative sections. Do not ask the agent operator to reconstruct commands from memory when JSONL is available.
Pick the right template
Use `--template blameless` for standard internal reviews with Summary, Impact, Timeline, Root Cause, and Action Items. Use `--template exec-summary` when leadership or customers need duration, critical commands, and a compact timeline without root-cause depth. Use `--template security-incident` when InfoSec is engaged or the incident involves credentials, data exfiltration, or unauthorized production access. Default to blameless; switch templates before the review meeting, not after.
Render and walk the timeline in review
Run `incidentscribe render session.jsonl --template blameless -o postmortem.md` or use the free web viewer to confirm critical rows are highlighted. In the review meeting, walk the rendered timeline table line by line (about 15 minutes). Mark critical rows — they appear in exec-summary and security-incident outputs. Complete blank narrative sections in the Markdown draft; do not edit table rows by hand. Re-render if the JSONL is updated.
Week 2 — CI and template maintenance
Copy `github-action/attach-timeline/` from the pack into `.github/actions/` and call it after committing agent JSONL to a known path. The action installs IncidentScribe, renders with your chosen template, uploads a workflow artifact, and optionally posts Markdown as a GitHub issue comment. Customize `templates/*.md` wording for your org but keep `{{placeholders}}` unchanged so renders succeed. Link the final postmortem and archived JSONL in the incident ticket.