Handbook
Enterprise — incident response (notebook)
Treat this chapter as evidence scaffolding: it aligns with sample-audit-notification.json payloads under docs/examples/ so automation teams can correlate JSON fixtures with narratives.
Updated
Scenario
Someone widened binds, flipped OIDC proxies, or installed a Fleet shim and now /studio/ flashes blank shells / Wizard sessions silently fail.
Prerequisites
| Input | Detail |
|---|---|
| Time window | Narrow to last change that touched LENSES_* vars |
| Backups | Snapshots rooted per Enterprise — backup and upgrades |
| Telemetry | Decide whether Forge Fleet exposes job ids via Fleet integration |
Step-by-step
- Freeze configuration — archive
/proc/<pid>/cmdlineequivalents + sanitized env deltas (omit secrets). - Route signal — categorize UI vs networking vs
/apiusing Troubleshooting. - Replay minimal GET-only flows (Docs Health panels) before re-enabling
POST/ mutation allowlists.
Verify
Captured notes include timestamps, impacted routes, remediation owner, plus whether LLM boundaries were involved.
Recover
Restore known-good env files, rerun pytest tests/test_env_matrix_docs.py locally prior to widening trust again.
Next steps:
sample-audit-notification.jsonillustrates how JSON fixtures align with SOC-friendly narratives (docs/schemas/audit-notification.schema.json).