Public, sanitized mirror of an AI orchestration command center: agents, skills, MCP servers, slash-command workflows. All infrastructure identifiers, hostnames, mesh IPs/subnets, repo paths, maintainer identity, and hardware fleet specifics scrubbed to <placeholders>; session debug logs and host-specific memory removed. No live credentials. Verified clean by automated leak sweep. See SANITIZATION.md. churchofmalware.org . authorized research only
55 lines
2.2 KiB
Markdown
---
name: crashcart
description: Incident response and emergency diagnostics workflow. Builds CrashCart IR procedures, tests triage scripts, and generates chain-of-custody documentation. Targets Syn_OS v25 "CrashCart" milestone.
argument-hint: [action: triage|build|test|doc]
allowed-tools: Bash, Read, Grep, Glob, Agent, WebSearch
---

CrashCart IR workflow for Syn_OS.

Action: $ARGUMENTS (default: triage)

## If action is "triage" (live system diagnostics):

Run rapid system assessment:

1. Disk health, memory pressure, CPU load
2. Network state (open ports, active connections, ARP table, routing)
3. Running processes (sorted by resource usage, flag unknowns)
4. Windows Defender / security status
5. ARCANUM mesh node reachability (<mesh-subnet>)
6. Recent event log entries (errors/warnings in last 24h)

Output: Compact triage report with severity flags.
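The triage step as an added shell example, not code from the Syn_OS repo or its triage.sh: it turns steps 1 to 3 of the assessment into severity-flagged report lines. The threshold values are assumptions for illustration; the Defender, mesh-reachability and event-log checks are left to the real runbook.

```shell
#!/usr/bin/env bash
# Constructed triage.sh-style helper (added example, not Syn_OS code).
# Thresholds below are assumptions for illustration, not from the FEV.md spec.
DISK_WARN=80; DISK_CRIT=90      # filesystem use %
MEM_WARN=80;  MEM_CRIT=95       # memory use %

# severity <value> <warn> <crit>: map an integer metric to OK|WARN|CRIT
severity() {
  local v=${1:-0}
  if [ "$v" -ge "$3" ]; then echo CRIT
  elif [ "$v" -ge "$2" ]; then echo WARN
  else echo OK; fi
}

# load_severity <1min-load> <ncpu>: WARN at 1x cores, CRIT at 2x cores
load_severity() {
  local pct
  pct=$(awk -v l="$1" -v n="$2" 'BEGIN { printf "%d", (l / n) * 100 }')
  severity "$pct" 100 200
}

# disk_usage_pct <mount>: use % from portable df output (empty if df fails)
disk_usage_pct() { df -P "$1" 2>/dev/null | awk 'NR == 2 { sub("%", "", $5); print $5 }'; }

# mem_usage_pct: (MemTotal - MemAvailable) / MemTotal on Linux, else 0
mem_usage_pct() {
  if [ -r /proc/meminfo ]; then
    awk '/^MemTotal/ { t = $2 } /^MemAvailable/ { a = $2 }
         END { if (t > 0) printf "%d", (t - a) * 100 / t; else print 0 }' /proc/meminfo
  else echo 0; fi
}

# report_line <check> <severity> <detail>: one compact, greppable line
report_line() { printf '[%-4s] %-8s %s\n' "$2" "$1" "$3"; }

# triage_report [mount]: steps 1-3 of the assessment as a flagged report
triage_report() {
  local mount=${1:-/} dpct mpct ncpu load
  dpct=$(disk_usage_pct "$mount"); mpct=$(mem_usage_pct)
  ncpu=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
  load=$(awk '{ print $1 }' /proc/loadavg 2>/dev/null || echo 0)
  report_line disk    "$(severity "$dpct" "$DISK_WARN" "$DISK_CRIT")" "$mount at ${dpct:-?}% used"
  report_line memory  "$(severity "$mpct" "$MEM_WARN" "$MEM_CRIT")" "${mpct}% used"
  report_line cpu     "$(load_severity "$load" "$ncpu")" "load $load on $ncpu cpu(s)"
  report_line network OK "$(ss -ltn 2>/dev/null | awk 'NR > 1' | wc -l | tr -d ' ') listening tcp sockets"
  # top CPU consumers; anything unrecognised here is what step 3 flags for review
  ps -eo pcpu,pid,comm 2>/dev/null | awk 'NR > 1' | sort -rn | head -n 3 | while read -r c p n; do
    report_line process INFO "$n (pid $p) ${c}% cpu"
  done
}
```

Run `triage_report /` on the host being assessed; every line is prefixed with its flag so `grep CRIT` gives the compact view.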

## If action is "build" (develop CrashCart components):

Reference FEV.md v25 "CrashCart" spec at the Syn_OS repo:

- `synos-crashcart` crate — unified emergency response orchestrator
- Hardware triage mode (zero-dependency binary)
- Network forensics snapshot pipeline
- LUKS emergency recovery workflow
- Credential rotation daemon
- Chain-of-custody document generation (GPG-signed)
- IR checklist TUI
- Timeline builder (correlate syslog + eBPF + ALFRED logs)

Guide the user through implementing the next unfinished component.

## If action is "test" (test IR procedures):

Run a simulated incident response drill:

1. Snapshot current system state
2. Walk through IR checklist steps
3. Verify evidence collection procedures
4. Test recovery procedures
5. Generate drill report

## If action is "doc" (generate documentation):

Create CrashCart documentation:

- IR runbook (step-by-step triage procedures)
- Evidence chain-of-custody template
- Post-incident report template
- GRIMOIRE lab scenario ("CrashCart Incident Response")

Output as markdown, optionally save to Notion via Atlas agent.

## FEV.md Reference (v25 CrashCart Scope)

- CrashCart Core crate, IR Subsystem, Arcanum USB Integration, Hive-Aware Recovery
- Dead-man's switch integration
- Offline-first: all tools cached on USB, zero internet dependency
- One-command deploy: triage.sh auto-detects compromised state