Incident response lab
Configure the incident response contract
Production rule: Configure the runtime contract for a citation-producing RAG API; no stage is complete until another operator can reproduce its evidence and reverse its risky action.
Before you start
Why this matters
In two minutes, write the user-visible outcome this page protects, one numerical threshold, and the first signal you expect to move. Then name an observation that would prove your initial theory wrong. Keep the answer beside your terminal; this lab rewards prediction before inspection rather than explanations invented after the graph changes.
1Learn the idea
Read
Lab target
You own a citation-producing RAG API at POST /v1/research. The goal is to coordinate detection, severity, roles, mitigation, evidence, and communication during a user-visible correctness incident. The measurable target is declare SEV-1 within 8 minutes when more than 5% of answers cite nonexistent documents, assign commander/comms/operations roles, disable the faulty reranker within 12 minutes, and preserve a timestamped evidence bundle. The known production tension is fast rollback limits harm but may erase runtime evidence; broad shutdown is simple but denies service to unaffected tenants that could safely remain online.
Read
Build a reproducible environment
The contract for Incident response must survive a clean checkout. Pin tool and image versions, provide sample inputs, and fail startup on malformed configuration. The service boundary is POST /v1/research on a citation-producing RAG API. Before starting dependencies, list required ports, identities, secrets, storage, and cleanup steps. Use synthetic credentials and redacted fixtures; production tokens do not make a staging lab more realistic.
Create the configuration as a reviewed artifact:
severity_rules:
sev1:
any:
- citation_failure_rate: "> 0.05 for 5m"
- regulated_tenant_affected: true
roles: [incident_commander, operations, communications, scribe]
mitigations:
- disable_flag: reranker_v2
- rollback: reranker
evidence_retention_days: 90
For every field, document type, valid range, default, reload behavior, and failure behavior. Numbers are incomplete without units. A timeout of 40 could mean milliseconds or seconds; a ratio of 0.005 could be a fraction or percentage. Reject unknown keys so a typo cannot silently select a permissive default. If live reload is supported, expose a configuration revision in telemetry and keep the previous valid revision for rollback.
Read
Verify interfaces and state
Run the setup workflow:
./ops/incident roles check --policy ops/incident-policy.yaml
./ops/flags get reranker_v2 --environment production
The expected result is not merely exit code zero. Confirm the process identity, dependency reachability, effective configuration, and one health or introspection response. Then restart the component and prove durable state remains correct. Run the setup twice to expose non-idempotent creation, conflicting ports, or duplicate policy entries. Capture the exact versions in the evidence bundle.
The production objective remains declare SEV-1 within 8 minutes when more than 5% of answers cite nonexistent documents, assign commander/comms/operations roles, disable the faulty reranker within 12 minutes, and preserve a timestamped evidence bundle. Therefore setup must expose citation_validation_failures_total, affected_answers_total{tenant}, incident_mttd_seconds, incident_mttm_seconds, deployment_version, and feature_flag_state before meaningful traffic arrives. Query each metric by its stable labels and verify an idle system is distinguishable from a broken scraper. Generate one event and check that the relevant counter changes by exactly one. Reject high-cardinality labels and ensure sensitive configuration values are redacted from startup logs.
Read
Contract review and rollback
Model a bad configuration: remove one required field, set one threshold just outside its range, and reference an unavailable dependency. Each case should fail predictably, explain the field, and avoid partial state. Next, apply the previous good revision and time recovery. A rollback that requires undocumented shell history is not a rollback plan.
The central design tension is fast rollback limits harm but may erase runtime evidence; broad shutdown is simple but denies service to unaffected tenants that could safely remain online. Record the chosen default, its operational owner, and a date for reevaluation. Complete setup only after a teammate can run it from the repository instructions, produce the same effective configuration, and cleanly tear it down without affecting shared environments.