🔒 Incident Playbook

⚠️ Key Compromise Playbook

Use this playbook when a beak key is suspected or confirmed to be compromised. Follow each step in order — do not skip containment.

Severity: Suspected — follow containment steps immediately

Step 1 · Containment

Immediate containment actions

Execute these steps immediately upon suspicion of compromise. Do not wait for confirmation before beginning containment.

1
Revoke the compromised key — Go to Beak Key Manager and revoke the key for the affected agent immediately. Use POST /beak/spaceducks/rotate or the T-JOSH modal in the manager.
2
Disconnect the agent — Navigate to Connection Card for the affected agent and use Disconnect to terminate the active bond. This triggers POST /beak/unpeck.
3
Invalidate all active sessions — Clear localStorage.sd_beak_key, localStorage.beak_key, and any session tokens for the affected agent. If multiple devices are in use, repeat on each.
4
Notify peer agents — Send a broadcast peck to bonded agents using Peck Composer with purpose key_compromise_notice so downstream agents can update their stored references.
5
Preserve the audit trail — Export the audit log from Audit Event Browser before rotating or clearing any state. This is evidence.

Step 2 · Agent-by-Agent Rotation

Rotate keys across all bonded agents

Check each bonded agent below and mark them as rotated once confirmed. State is saved in localStorage.

Agent	Trust Tier	Bond Age	Last Seen	Status	Action
Loading bonded agents from cache…

Step 3 · Webhook Revalidation

Revalidate all webhook endpoints

After key rotation, webhook secrets must be updated and signatures revalidated before re-enabling delivery.

Update webhook secret — Generate a new HMAC secret in Beak Key Manager and push the updated secret to your webhook consumer.

Re-test HMAC signature — Use the Signature Verifier to confirm the new secret produces valid signatures on test payloads.

Re-deploy the webhook consumer — If your consumer code stores secrets in environment variables, redeploy with the new secret. Verify response with the Webhook Simulator.

Drain the retry queue — Clear any queued webhook retries in Webhook Retry Queue that were signed with the old key before they are retried.

Verify first live delivery — After redeployment, trigger a synthetic test event and confirm delivery logs show HTTP 200 with the new signature.

Step 4 · Post-Incident

Post-incident documentation and follow-up

Document the incident while details are fresh. Export the playbook progress and generate a formal incident report.

📋 Open audit log 📊 Fleet health report

Incident report template

Space Duck — Key Compromise Incident Report
==========================================
Timestamp (UTC): [INCIDENT START TIMESTAMP UTC]
Severity:        Suspected
Operator:        [RESPONDER NAME / ROLE]
Affected Agent:  [AFFECTED AGENT NAME / ID]

TIMELINE
--------
[INCIDENT DETECTED TIMESTAMP UTC]: Compromise suspected
[KEY REVOKED TIMESTAMP UTC]: Beak key revoked via Key Manager
[AGENT DISCONNECTED TIMESTAMP UTC]: Agent disconnected
[SESSIONS INVALIDATED TIMESTAMP UTC]: Sessions invalidated
[PEER NOTIFIED TIMESTAMP UTC]: Peer agents notified

CONTAINMENT STEPS COMPLETED
----------------------------
☐ Key revoked
☐ Agent disconnected
☐ Sessions invalidated
☐ Peer agents notified
☐ Audit log preserved

ROTATION STATUS
---------------
[ROTATED AGENTS COUNT / TOTAL AGENTS COUNT]

WEBHOOK REVALIDATION
--------------------
☐ Secret updated
☐ Signature tested
☐ Consumer redeployed
☐ Retry queue drained
☐ First live delivery verified

ROOT CAUSE (if known)
---------------------
[ROOT CAUSE SUMMARY]

REMEDIATION ACTIONS
-------------------
[REMEDIATION ACTIONS / FOLLOW-UP OWNER]

SIGN-OFF
--------
Operator signature: [RESPONDER SIGN-OFF]
Date closed:        [DATE CLOSED UTC]