Incident Manager

Track and manage security incidents with severity levels, SLA tracking, escalation, and resolution.

The incident manager provides a complete incident lifecycle: open, acknowledge, resolve, suppress, and escalate. Includes SLA tracking with automatic breach detection.

Setup

import { createIncidentManager } from '@lua-ai-global/governance-enterprise';

const incidents = createIncidentManager({
  tenantId: 'org_acme',
  slaMsOverrides: {
    critical: 30 * 60_000,  // 30 minutes (default)
    high: 2 * 3_600_000,    // 2 hours (default)
    medium: 8 * 3_600_000,  // 8 hours (default)
    low: 24 * 3_600_000,    // 24 hours (default)
  },
});

Open an Incident

const incident = await incidents.open({
  title: 'Unauthorized data access detected',
  agentId: 'rogue-agent-42',
  severity: 'critical',
  description: 'Agent attempted to access PII export endpoint outside approved workflow',
});

// incident:
// {
//   id: 'inc_abc123',
//   tenantId: 'org_acme',
//   title: 'Unauthorized data access detected',
//   agentId: 'rogue-agent-42',
//   severity: 'critical',
//   status: 'open',
//   slaDeadline: '2026-03-10T15:00:00Z',  // 30 min from now
//   openedAt: '2026-03-10T14:30:00Z',
// }

Incident Lifecycle

Open: Incident created with severity and SLA deadline. Status: open.
Acknowledge: Responder takes ownership. SLA clock continues. Status: acknowledged.
Resolve: Investigation complete, resolution documented. Status: resolved.

await incidents.acknowledge('inc_abc123', 'user_bob');

await incidents.resolve('inc_abc123', {
  resolvedBy: 'user_bob',
  resolution: 'Agent was running outdated policy set. Updated and re-certified.',
});

Severity Levels

Severity	Default SLA	Description
critical	30 minutes	Active security incident, data breach, fleet-wide failure
high	2 hours	Single agent compromised, policy bypass, compliance violation
medium	8 hours	Unusual enforcement patterns, score regressions, non-critical policy violations
low	24 hours	Informational, minor policy adjustments, routine alerts

Escalation

Escalation bumps severity and resets the SLA window:

await incidents.escalate('inc_abc123');
// severity: medium → high
// SLA deadline: reset to now + 2h (high SLA)

Suppression

Suppress false positives or known issues:

await incidents.suppress('inc_abc123');
// status: 'suppressed'
// Excluded from active incident counts and SLA tracking

Query and Stats

const allOpen = await incidents.list({ status: 'open' });
const criticals = await incidents.list({ severity: 'critical' });
const agentIncidents = await incidents.list({ agentId: 'rogue-agent-42' });

const incident = await incidents.get('inc_abc123');

const stats = incidents.stats();
// {
//   byStatus: { open: 3, acknowledged: 1, resolved: 42, suppressed: 2 },
//   bySeverity: { critical: 1, high: 3, medium: 12, low: 32 },
//   slaBreaches: 2,
//   avgResolutionMs: 1_234_567,
// }

Auto-Incident Creation

The enforcement pipeline automatically creates incidents when policy blocks occur. This is configurable:

const pipeline = createEnforcementPipeline({
  ...config,
  autoIncidentSeverity: 'medium',  // default severity for auto-created incidents
});

// Or disable per-call:
await pipeline.enforce({
  ...input,
  noAutoIncident: true,
});