forensics
Forensics Skill
Investigate failed or stuck workflows through post-mortem analysis of git history, plan files, and session artifacts. Forensics answers "what went wrong and why" -- it detects workflow-level failures that individual tool errors don't reveal.
Key distinction: A tool error is "ruff found 3 lint errors." A workflow failure is "the agent entered a fix/retry loop editing the same file 5 times and never progressed." The error-learner handles tool-level errors. Forensics handles workflow-level patterns.
Reference Loading
| Task | Load |
|---|---|
| Collecting git evidence, running git log commands, scrubbing credentials | references/evidence-collection.md |
| Identifying failure type from symptoms, causal chain analysis | references/failure-signatures.md |
| Running any of the 5 anomaly detectors, scoring confidence | references/detectors.md |
Reference Loading Table
| Signal | Load These Files | Why |
|---|---|---|
| tasks related to this reference | detectors.md |
Loads detailed guidance from detectors.md. |
| tasks related to this reference | evidence-collection.md |
Loads detailed guidance from evidence-collection.md. |
| tasks related to this reference | failure-signatures.md |
Loads detailed guidance from failure-signatures.md. |
Instructions
This is a read-only diagnostic. The tool restriction to Read/Grep/Glob enforces this at the platform level. A diagnostic tool that modifies state destroys the evidence it needs to analyze -- forensics examines, it does not fix. Even when the user asks you to fix what you find, complete the report and recommend remediation instead. The wrong fix applied automatically can destroy work.
Phase 1: GATHER
Goal: Collect the raw evidence needed for anomaly detection. Determine what branch, plan, and time range to analyze.
Step 1: Identify the investigation target
Accept the target from one of these sources (in priority order):
- Explicit branch: User specifies a branch name to investigate
- Current branch: Use the current git branch if no branch specified
- Explicit plan: User points to a specific
task_plan.md
Before analysis, read the repository's CLAUDE.md if present. Repository conventions inform what "normal" looks like (e.g., expected branch patterns, required artifacts).
Step 2: Locate the plan file
Search for the plan that governed the workflow:
- Check
task_plan.mdin the repository root - Check
.feature/state/plan/for feature plans - Check
plan/active/for workflow-orchestrator plans
Record whether a plan exists. If no plan is found, note this -- it limits scope drift and abandoned work detection but does not block the investigation. Three of the five detectors (stuck loop, crash/interruption, and degraded abandoned work) still function without a plan, so never skip analysis because no plan file was found.
Step 3: Collect git history
Read the git log for the target branch. Extract:
- Commit hashes, messages, timestamps, and files changed
- The branch's divergence point from main/master
Use Grep to search git log output for patterns. Focus on:
- Commits on this branch since divergence from the base branch
- File change frequency across commits
- Commit message patterns (similarity, repetition)
If the branch has hundreds of commits, focus on the most recent 50 and note the truncation in the final report.
Step 4: Check working tree state
Examine the current state:
- Are there uncommitted changes? (look for modified/untracked indicators)
- Are there orphaned
.claude/worktrees/directories? - Is there an active
task_plan.mdwith incomplete phases?
See
references/evidence-collection.mdfor concrete git commands for each evidence type: log extraction, loop detection queries, timestamp analysis, and credential scrubbing patterns.
GATE: Evidence collected. At minimum: git history available, branch identified. Proceed to DETECT only when evidence gathering is complete.
Phase 2: DETECT
Goal: Run all 5 anomaly detectors against the collected evidence. Always run every detector -- anomalies are often correlated (a stuck loop causes missing artifacts causes abandoned work), so partial analysis misses the causal chain. Each detector produces zero or more findings, and every finding must include a confidence level (High/Medium/Low) because false positives erode trust.
See
references/detectors.mdfor full detector specifications: confidence scoring tables, false positive guidance, and per-detector skip conditions when no plan file exists. Seereferences/failure-signatures.mdfor observable patterns per failure type, detection commands, and causal chain analysis when multiple detectors fire.
Run detectors 1-5 in order: Stuck Loop, Missing Artifacts, Abandoned Work, Scope Drift, Crash/Interruption.
GATE: All 5 detectors have run. Each produced zero or more findings with confidence levels. Proceed to REPORT.
Phase 3: REPORT
Goal: Compile findings into a structured diagnostic report with root cause hypothesis and remediation recommendations. Every claim in the report must trace to specific evidence -- a forensics report without evidence is an opinion piece, not a diagnostic.
Step 1: Scrub sensitive content
Before assembling the report, scan all evidence strings for:
- API keys, tokens, passwords (patterns:
sk-,ghp_,token=,password=,secret=,key=, bearer tokens, base64-encoded credentials) - Absolute home directory paths
Replace sensitive values with [REDACTED] and home paths with ~/. Treat all credential-shaped strings as real -- you cannot determine whether a credential is live from its format alone. Reports may be shared or logged, so a leaked credential in a forensics report is worse than the original workflow failure. Redact paths in every report regardless of audience; it costs nothing and prevents future exposure.
Step 2: Compile anomaly table
Order findings by confidence (High first, then by detector number) so the reader gets the strongest signals first:
## Forensics Report: [branch name or session identifier]
### Anomalies Detected
| # | Type | Confidence | Description |
|---|------|------------|-------------|
| 1 | [type] | [High/Medium/Low] | [description with evidence] |
| 2 | [type] | [High/Medium/Low] | [description with evidence] |
If no anomalies detected:
### Anomalies Detected
No anomalies detected. The workflow appears to have executed normally.
Step 3: Synthesize root cause hypothesis
Connect the anomalies into a coherent narrative. Look for causal chains:
- Stuck loop + scope drift = agent tried to fix a problem, drifted into unrelated files looking for the root cause
- Missing artifacts + abandoned work = session crashed before producing outputs
- Crash/interruption + stuck loop = agent exhausted retries and was terminated
The hypothesis must be specific, testable, and grounded in evidence from the anomaly findings -- never speculate beyond what the data supports:
- BAD: "Something went wrong during execution"
- GOOD: "Agent entered a lint fix loop on server.go (4 consecutive commits with 'fix lint' messages), which consumed the session's context budget before Phase 3 VERIFY could execute, leaving test artifacts missing"
Step 4: Recommend remediation
Provide specific, actionable recommendations. Each recommendation should reference the anomaly it addresses. Remediation is advisory text only -- never execute fixes, even if the user asks. Remediation requires understanding intent, not just detecting anomalies.
| Anomaly Type | Typical Remediation |
|---|---|
| Stuck loop | Identify the root cause of the loop (often a lint/type error the agent can't resolve). Fix manually, then resume from the last successful phase. |
| Missing artifacts | Re-run the phase that failed to produce artifacts. Check if the phase definition is clear enough for the executor. |
| Abandoned work | Resume from the last completed phase. Check .debug-session.md or plan status for where to pick up. |
| Scope drift | Review out-of-scope changes for necessity. Revert unrelated changes. Re-scope the plan if the drift was needed. |
| Crash/interruption | Check for uncommitted changes worth preserving. Clean up orphaned worktrees. Resume from last committed state. |
Step 5: Format final report
Include relevant git log excerpts, file snippets, and timestamps as evidence for every anomaly. Show git hashes, timestamps, and file paths rather than making unsupported assertions.
================================================================
FORENSICS REPORT: [branch/session identifier]
================================================================
Scan completed: [timestamp]
Branch: [branch name]
Commits analyzed: [count]
Plan file: [path or "not found"]
================================================================
ANOMALIES
================================================================
| # | Type | Confidence | Description |
|---|------|------------|-------------|
| ... | ... | ... | ... |
================================================================
ROOT CAUSE HYPOTHESIS
================================================================
[Narrative connecting anomalies into causal explanation]
================================================================
RECOMMENDED REMEDIATION
================================================================
1. [Specific action referencing anomaly #N]
2. [Specific action referencing anomaly #N]
================================================================
EVIDENCE
================================================================
[Relevant git log excerpts, file snippets, timestamps]
[All paths redacted, credentials scrubbed]
================================================================
GATE: Report is complete, scrubbed, and formatted. Deliver to user.
Error Handling
| Error | Cause | Solution |
|---|---|---|
| No git history on branch | Branch has zero commits or just forked | Report "insufficient evidence" -- forensics needs commit history to analyze |
| No plan file found | Workflow ran without a plan | Note limitation in report. Detectors 2 (missing artifacts), 3 (abandoned work), and 4 (scope drift) operate in degraded mode or skip. Detectors 1 (stuck loop) and 5 (crash) still function. |
| Worktree access fails | Orphaned worktree with broken symlinks | Report the orphaned worktree as crash/interruption evidence. Do not attempt cleanup. |
| Git log too large | Long-lived branch with hundreds of commits | Focus analysis on the most recent 50 commits. Note truncation in report. |
| Ambiguous branch target | User request doesn't clearly identify which branch | Ask: "Which branch should I investigate? Current branch is [X]." |
References
- ADR-073: Forensics Meta-Workflow Diagnostics
- Systematic Debugging -- for code-level bugs (not workflow-level)
- Workflow Orchestrator -- produces the plans forensics analyzes
- Planning umbrella — check intent -- validates plans pre-execution (forensics analyzes post-execution)
- Error Learner Hook -- handles tool-level errors (forensics handles workflow-level patterns)
More from notque/claude-code-toolkit
generate-claudemd
Generate project-specific CLAUDE.md from repo analysis.
12fish-shell-config
Fish shell configuration and PATH management.
12pptx-generator
PPTX presentation generation with visual QA: slides, pitch decks.
12codebase-overview
Systematic codebase exploration and architecture mapping.
10image-to-video
FFmpeg-based video creation from image and audio.
9data-analysis
Decision-first data analysis with statistical rigor gates.
9