Operations

Incident Timeline Reconstruction

Turn incident noise into a usable timeline before the story hardens into folklore.

Use when

An outage, degraded workflow, or operational scare has evidence scattered across alerts, logs, chats, dashboards, and human memory.

Intermediatedifficulty
Operationscategory
Mia daily expansionsource

Cadence

During incidents, after outages, or before writing a postmortem

Verification

A timestamped timeline separates facts from guesses, names owners for open questions, and gates any customer-facing update for approval.

Structured loop spec

FieldValue
NameIncident Timeline Reconstruction
CategoryOperations
TriggerDuring incidents, after outages, or before writing a postmortem
ObjectiveTurn incident noise into a usable timeline before the story hardens into folklore.
Allowed inputsRelevant files, source notes, logs, tests, screenshots, metrics, or task state for this loop
Allowed actionsCollect alerts, deploys, logs, dashboards, support reports, chat messages, and human observations for the agreed time window.; Build a timestamped sequence that labels each item as observed fact, likely inference, decision, mitigation, or open question.; Identify the first bad signal, customer impact window, attempted fixes, current status, and owners for unresolved evidence gaps.; Draft internal status, postmortem notes, or customer-update candidates with confidence levels and source links.; Do not publish customer-facing statements, assign blame, disclose sensitive infrastructure details, or claim root cause until approved and evidenced.
VerificationA timestamped timeline separates facts from guesses, names owners for open questions, and gates any customer-facing update for approval.
Stop conditionStop when the verifier passes, the budget is exhausted, no progress is made, a blocker appears, or approval is required.
BudgetSet a time, turn, token, retry, file, or dollar cap before running the loop.
Approval boundaryHuman approval required before publishing, sending, deleting, spending, changing accounts, touching production, or making reputational/legal/financial commitments.
Safe outputDraft, report, checklist, table, or approval-gated recommendation
Works withClaude, ChatGPT, Gemini, any tool-using AI assistant

Steps

  1. Collect alerts, deploys, logs, dashboards, support reports, chat messages, and human observations for the agreed time window.
  2. Build a timestamped sequence that labels each item as observed fact, likely inference, decision, mitigation, or open question.
  3. Identify the first bad signal, customer impact window, attempted fixes, current status, and owners for unresolved evidence gaps.
  4. Draft internal status, postmortem notes, or customer-update candidates with confidence levels and source links.
  5. Do not publish customer-facing statements, assign blame, disclose sensitive infrastructure details, or claim root cause until approved and evidenced.

Prompt

Run the Incident Timeline Reconstruction loop. Given an incident window, collect alerts, deploys, logs, dashboards, support reports, chat messages, and observations. Create a timestamped timeline that separates facts from inferences, decisions, mitigations, and open questions. Identify impact window, current status, evidence gaps, and owners. Draft internal notes or customer-update candidates, but do not publish external statements, disclose sensitive infrastructure, assign blame, or claim root cause without approval and evidence.

Run in Claude Code

Paste this into Claude Code (or any tool-using agent) to run the loop bounded: one change per round, the same verification every round, durable state files, and explicit stop conditions.

Run the "Incident Timeline Reconstruction" loop from AI Loop Library (https://ailooplibrary.com/loops/incident-timeline-reconstruction/) as a bounded loop.
Goal: Turn incident noise into a usable timeline before the story hardens into folklore.
Rules: one change per round; run the same verification every round (A timestamped timeline separates facts from guesses, names owners for open questions, and gates any customer-facing update for approval.); append each round to docs/loops/incident-timeline-reconstruction/progress.md and update docs/loops/incident-timeline-reconstruction/state.json; stop on verifier pass, 8 rounds, 3 consecutive failed verifications, no progress, a blocker, or anything needing human approval (money, production, outbound, deletion). Finish with a proof report: rounds used, changes made, verification output, remaining risk, and the next human decision.

Get the MCP server + agent pack

Tags

incident responsetimelinelogspostmortem

Related

Back to all examples