Incident Response

Faramesh provides a structured incident workflow: declare an incident, isolate the agent, collect evidence, and resolve. All incident actions are recorded in the DPR chain for audit.

Incident workflow

The four-phase incident lifecycle.

DeclareCreate an incident record with severity and description

IsolateKill-switch the agent and quarantine its sessions

EvidenceAttach audit exports, logs, and context to the incident

ResolveClose the incident with a resolution summary

Declare an incident

Create a new incident with severity and description.

bash

faramesh incident declare \
  --severity high \
  --agent support-bot \
  --reason "Agent issuing refunds without customer request"

Isolate the agent

Immediately deny all actions from the agent and quarantine its sessions.

bash

faramesh incident isolate <agent-id>

Attach evidence

Attach audit exports, screenshots, or other evidence to the incident record.

bash

faramesh incident evidence <incident-id>

Resolve the incident

Close the incident with a resolution summary. The agent remains isolated until explicitly unkilled.

bash

faramesh incident resolve <incident-id>

Run a playbook

Playbooks automate common incident response workflows.

bash

faramesh incident playbook <incident-id>

All incident actions (declare, isolate, evidence, resolve) are recorded in the DPR chain. The incident ID links all related audit records together.

Need help? Use any of these support options.

open an issue join slack community/forum

MIT License

docs github community get started →