---
name: crashcart
description: Incident response and emergency diagnostics workflow. Builds CrashCart IR procedures, tests triage scripts, and generates chain-of-custody documentation. Targets Syn_OS v25 "CrashCart" milestone.
argument-hint: [action: triage|build|test|doc]
allowed-tools: Bash, Read, Grep, Glob, Agent, WebSearch
---

CrashCart IR workflow for Syn_OS.

Action: $ARGUMENTS (default: triage)

## If action is "triage" (live system diagnostics):

Run a rapid system assessment:

1. Disk health, memory pressure, CPU load
2. Network state (open ports, active connections, ARP table, routing)
3. Running processes (sorted by resource usage, flag unknowns)
4. Windows Defender / security status
5. ARCANUM mesh node reachability ()
6. Recent event log entries (errors/warnings in last 24h)

Output: Compact triage report with severity flags.

## If action is "build" (develop CrashCart components):

Reference the FEV.md v25 "CrashCart" spec in the Syn_OS repo:

- `synos-crashcart` crate — unified emergency response orchestrator
- Hardware triage mode (zero-dependency binary)
- Network forensics snapshot pipeline
- LUKS emergency recovery workflow
- Credential rotation daemon
- Chain-of-custody document generation (GPG-signed)
- IR checklist TUI
- Timeline builder (correlate syslog + eBPF + ALFRED logs)

Guide the user through implementing the next unfinished component.

## If action is "test" (test IR procedures):

Run a simulated incident response drill:

1. Snapshot current system state
2. Walk through IR checklist steps
3. Verify evidence collection procedures
4. Test recovery procedures
5. Generate drill report

## If action is "doc" (generate documentation):

Create CrashCart documentation:

- IR runbook (step-by-step triage procedures)
- Evidence chain-of-custody template
- Post-incident report template
- GRIMOIRE lab scenario ("CrashCart Incident Response")

Output as markdown; optionally save to Notion via the Atlas agent.
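The triage checks listed under the "triage" action, as an added example rather than code from the Syn_OS repo: a POSIX shell sketch of how a `triage.sh` could map disk, memory, load and recent-log measurements to severity flags and emit a compact one-line report (the network and process checks are left out for brevity). The thresholds, the `flag`/`worse`/`*_flag` helper names and the sample inputs are all assumptions, and the live-run branch assumes a Linux host with `journalctl`.

```shell
#!/bin/sh
# CrashCart-style rapid triage helpers (added example, not Syn_OS project code).
# Each check maps one raw measurement to OK, WARN or CRIT so the report stays
# compact; all thresholds are illustrative assumptions.
flag() {   # flag VALUE WARN CRIT -> CRIT if VALUE>=CRIT, WARN if VALUE>=WARN, else OK
    if [ "$1" -ge "$3" ]; then echo CRIT
    elif [ "$1" -ge "$2" ]; then echo WARN
    else echo OK; fi
}
worse() {  # worse A B -> the more severe of two flags
    case "$1$2" in *CRIT*) echo CRIT ;; *WARN*) echo WARN ;; *) echo OK ;; esac
}
disk_flag() {  # reads `df -P` output on stdin; reports the fullest filesystem
    worst=OK
    while read -r _fs _blk _used _avail pct _mnt; do
        case "$pct" in *%) ;; *) continue ;; esac      # skip the header line
        worst=$(worse "$worst" "$(flag "${pct%\%}" 80 95)")
    done
    echo "$worst"
}
mem_flag() {   # reads /proc/meminfo on stdin; flags by percentage of RAM in use
    total=0; avail=0
    while read -r key val _unit; do
        case "$key" in MemTotal:) total=$val ;; MemAvailable:) avail=$val ;; esac
    done
    [ "$total" -gt 0 ] || { echo WARN; return; }       # unreadable input is a finding
    flag $(( (total - avail) * 100 / total )) 85 95
}
load_flag() {  # load_flag LOAD1 NPROC: 1-minute load as a percentage of CPU count
    flag "$(awk -v l="$1" -v n="$2" 'BEGIN { printf "%d", l * 100 / n + 0.5 }')" 100 200
}
log_flag() {   # reads recent log lines on stdin; errors weigh more than warnings
    lines=$(cat)
    errs=$(printf '%s\n' "$lines" | grep -ciE 'error|crit|emerg|alert' || true)
    warns=$(printf '%s\n' "$lines" | grep -ci 'warn' || true)
    worse "$(flag "$errs" 1 10)" "$(flag "$warns" 5 50)"
}
# triage_report DF MEMINFO LOAD1 NPROC LOGS -> one line of flags plus OVERALL.
# Inputs are parameters so the same code runs on a live host or on captured evidence.
triage_report() {
    d=$(printf '%s\n' "$1" | disk_flag); m=$(printf '%s\n' "$2" | mem_flag)
    l=$(load_flag "$3" "$4");            g=$(printf '%s\n' "$5" | log_flag)
    printf 'disk=%s mem=%s load=%s logs=%s OVERALL=%s\n' "$d" "$m" "$l" "$g" \
        "$(worse "$(worse "$d" "$m")" "$(worse "$l" "$g")")"
}
case "${1:-}" in live)   # live run on a Linux host: sh triage.sh live
    triage_report "$(df -P)" "$(cat /proc/meminfo)" "$(cut -d' ' -f1 /proc/loadavg)" \
        "$(nproc)" "$(journalctl -p warning --since '24 hours ago' --no-pager 2>/dev/null)" ;;
esac
```

Because every check is a function over its input text, the same script can be pointed at `df`/`meminfo`/journal captures pulled from evidence rather than the live host.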
## FEV.md Reference (v25 CrashCart Scope)

- CrashCart Core crate, IR Subsystem, Arcanum USB Integration, Hive-Aware Recovery
- Dead-man's switch integration
- Offline-first: all tools cached on USB, zero internet dependency
- One-command deploy: triage.sh auto-detects compromised state