CAPPY - Cortex AI-Powered Pattern analYsis for TAC investigations. Structured 8-phase investigation workflow with native fallback tools, investigation loop with convergence gates, reference search across Cortex docs and TAC cases at every phase, and HITL checkpoints throughout.
npx claudepluginhub thelightarchitect/cappy-toolkit --plugin cappy-toolkitAnalyze log bundles, HAR files, and other evidence
8-phase TAC investigation using native tools only — alias for /investigate, kept for compatibility
Launch 8-phase TAC investigation for Cortex XSOAR/XSIAM/XDR cases
Search CAPPY pattern database for known issues using weighted keyword scoring
Generate situation report for all assigned Salesforce cases with policy compliance check
Phase 2 triage for a reported symptom — pattern database search, SF case context, and JIRA/Confluence reference lookup. Use when you want to run triage outside of a full /investigate session.
Claim registration and citation rules for CAPPY investigations — enforces the ICFP v2.0 protocol, ensures every claim has a file:line citation, and maintains the verified claim registry.
Phase 6-7 deliverable generation for CAPPY investigations — compiles root cause statement, remediation steps, and investigation narrative from verified claims, produces JIRA escalation ticket and customer response draft, and checks the Phase 7 deliverable quality gate.
Full CI/CD pipeline for CAPPY ecosystem — local dev → GitLab (Sentinel gate) → GitHub prod (3 repos). Use whenever deploying binaries, plugin files, or the pattern database. Handles build, test, codesign, atomic replacement, and git fan-out. Use this skill when the user says "deploy", "release", "push to prod", "ship it", or asks to update the binary, plugin, or database.
Escalation advisor for CAPPY investigations — defines escalation paths when investigation hits constraints, blocked gates, or requires Engineering involvement.
Phase 3 evidence analysis for CAPPY TAC investigations — analyzes HAR files, log bundles, and support archives using jq and grep, cross-references findings against Cortex docs and similar cases, extracts errors and timelines, and checks the Phase 3 completeness gate.
Phase gate thresholds and recovery logic for all CAPPY investigation phases — defines confidence, completeness, coherence, and quality thresholds and specifies what to do when a gate fails.
Inter-phase transition orchestration for CAPPY — evaluates phase gates, extracts context from phase JSON results, checks inv_context.json health, and prepares HITL checkpoint content for Main Claude.
Phase 4 hypothesis generation and causation analysis for CAPPY TAC investigations — applies OBSERVE→CORRELATE→HYPOTHESIZE→FALSIFY→SURVIVE reasoning, validates environment fit against Cortex docs and TAC precedents, classifies the issue type (customer_config/product_bug/known_issue), and checks the Phase 4 coherence gate.
Phase 0-1 investigation initialization for CAPPY — handles case directory setup, SF case context extraction, evidence inventory, and environment detection.
8-phase TAC investigation for Cortex XSOAR, XSIAM, and XDR. Trigger this skill whenever the user mentions a Salesforce case number (SF-XXXXXXXX or 0XXXXXXXX), shares a log bundle (.tar.gz, .zip), HAR file, or describes a product error or symptom. Also trigger when the user says "investigate", "triage", "what's wrong with", "customer is getting", "why is X failing", or asks for help diagnosing any Cortex XSOAR/XSIAM/XDR issue — even if they don't use the word "investigate". Provides human-in-the-loop checkpoints at each phase gate, inline claim verification, and CAPPY agent orchestration.
Structured logging rules for CAPPY investigations — defines how to update inv_context.json at each phase, correlation ID usage, and discrepancy tracking between tool output and manual verification.
Architecture knowledge and environment compatibility validation for CAPPY Phase 4 — checks hypothesis against the customer's actual deployment topology, product version, and infrastructure constraints.
Phase 5 solution validation orchestration for CAPPY — validates the proposed resolution against Cortex documentation, Confluence KB, and closed TAC case precedents, checks the Phase 5 quality gate, and confirms the solution is actionable.
Hypothesis validation rules for CAPPY TAC investigations — applies falsification-first methodology, tests hypotheses against Phase 3 evidence, and eliminates hypotheses that cannot survive scrutiny.
Root cause narrative synthesis for CAPPY investigations — verifies remediation steps against Cortex docs and resolved TAC cases, constructs the investigation story from verified claims, prepares the Phase 5 research direction, and produces the root cause statement.
Phase 2 triage orchestration for CAPPY TAC investigations — searches the pattern database, Cortex docs, similar closed TAC cases, and Confluence KB for symptom matches, scores confidence, and checks the Phase 2 gate. Invoke during an active investigation when pattern matching and reference lookup are needed.
Citation validation and post-phase verification for CAPPY investigations — checks that all claims have proper file:line citations and that no uncited assertions appear in deliverables.
CAPPY helps Palo Alto Networks TAC engineers investigate Cortex XSOAR, XSIAM, and XDR customer issues faster and more consistently — directly inside Claude Code.
Customer investigations are time-consuming and easy to get wrong. You're juggling log files, network traces, case history, engineering tickets, and product documentation across multiple tabs and tools. It's easy to miss a pattern that's been seen before, skip a diagnostic step, or spend an hour on a root cause that turns out to be a known issue.
CAPPY gives you a structured investigation workflow built into your AI assistant. When a customer reports an issue, CAPPY:
At each step, CAPPY stops and asks for your input before proceeding. You stay in control; CAPPY handles the systematic work.
Install via the Spark marketplace inside Claude Code:
/plugin install cappy-toolkit@spark-pilot
No configuration required.
| Command | What it does |
|---|---|
/cappy-toolkit:investigate | Run a full structured investigation for a case or symptom |
/cappy-toolkit:triage | Quick lookup — does this match a known pattern or documented issue? |
/cappy-toolkit:evidence | Analyze a log bundle, network trace, or support archive |
/cappy-toolkit:pattern | Search the pattern database directly |
/cappy-toolkit:sitrep | Status report across all your open cases |
/cappy-toolkit:investigate SF-03845933
/cappy-toolkit:investigate Docker container running out of memory --product XSOAR
/cappy-toolkit:triage War Room Edit button missing
/cappy-toolkit:evidence ~/Downloads/xsoar-support-bundle.tar.gz
/cappy-toolkit:pattern API timeout --product XSIAM
When you run /cappy-toolkit:investigate, CAPPY walks through a structured process:
At each phase, CAPPY presents its findings and waits for your approval before moving on.
| Platform | Status |
|---|---|
| macOS (Apple Silicon) | Supported |
| Windows | Supported |
| macOS (Intel) | Coming soon |
| Linux | Coming soon |
Maintained by Kevin Francis Tan (github.com/theLightArchitect). Questions or issues: open a GitHub issue.
Comprehensive C4 architecture documentation workflow with bottom-up code analysis, component synthesis, container mapping, and context diagram generation
Uses power tools
Uses Bash, Write, or Edit tools
Complete collection of battle-tested Claude Code configs from an Anthropic hackathon winner - agents, skills, hooks, rules, and legacy command shims evolved over 10+ months of intensive daily use
Core skills library for Claude Code: TDD, debugging, collaboration patterns, and proven techniques
Team-oriented workflow plugin with role agents, 27 specialist agents, ECC-inspired commands, layered rules, and hooks skeleton.
Upstash Context7 MCP server for up-to-date documentation lookup. Pull version-specific documentation and code examples directly from source repositories into your LLM context.
Context-Driven Development plugin that transforms Claude Code into a project management tool with structured workflow: Context → Spec & Plan → Implement