cappy-toolkit

Analyze log bundles, HAR files, and other evidence

8-phase TAC investigation using native tools only — alias for /investigate, kept for compatibility

Launch 8-phase TAC investigation for Cortex XSOAR/XSIAM/XDR cases

Search CAPPY pattern database for known issues using weighted keyword scoring

Generate situation report for all assigned Salesforce cases with policy compliance check

Phase 2 triage for a reported symptom — pattern database search, SF case context, and JIRA/Confluence reference lookup. Use when you want to run triage outside of a full /investigate session.

Cortex AI-Powered Pattern analYsis - TAC investigation specialist for validation, gate checking, causation analysis, and guidance during 8-phase investigation workflow. <example> Context: Main Claude is running an investigation and reaches Phase 4 hypothesis generation user: "Run falsification on these hypotheses" assistant: "Invoking CAPPY with falsify sub-skill to attack each hypothesis before it can proceed." <commentary> CAPPY is invoked as a sub-agent during investigation phases for validation, causation analysis (falsification, causal ordering, asymmetry detection), and gate checking. </commentary> </example> <example> Context: Main Claude needs to validate phase gate thresholds during investigation user: "/investigate SF-03929257" assistant: "Launching investigation. CAPPY will handle validation at each phase gate." <commentary> CAPPY is automatically invoked by the investigate skill at phase boundaries to check gates, validate coherence, and run causation analysis sub-skills. </commentary> </example> <example> Context: Main Claude completed Phase 3 evidence analysis and needs citation validation user: "Validate the evidence findings" assistant: "Invoking CAPPY to validate citations and check completeness gate." <commentary> CAPPY validates that all claims have file:line citations and checks the completeness threshold. </commentary> </example>

Claim registration and citation rules for CAPPY investigations — enforces the ICFP v2.0 protocol, ensures every claim has a file:line citation, and maintains the verified claim registry.

Phase 6-7 deliverable generation for CAPPY investigations — compiles root cause statement, remediation steps, and investigation narrative from verified claims, produces JIRA escalation ticket and customer response draft, and checks the Phase 7 deliverable quality gate.

Full CI/CD pipeline for CAPPY ecosystem — local dev → GitLab (Sentinel gate) → GitHub prod (3 repos). Use whenever deploying binaries, plugin files, or the pattern database. Handles build, test, codesign, atomic replacement, and git fan-out. Use this skill when the user says "deploy", "release", "push to prod", "ship it", or asks to update the binary, plugin, or database.

Escalation advisor for CAPPY investigations — defines escalation paths when investigation hits constraints, blocked gates, or requires Engineering involvement.

Phase 3 evidence analysis for CAPPY TAC investigations — analyzes HAR files, log bundles, and support archives using jq and grep, cross-references findings against Cortex docs and similar cases, extracts errors and timelines, and checks the Phase 3 completeness gate.

Phase gate thresholds and recovery logic for all CAPPY investigation phases — defines confidence, completeness, coherence, and quality thresholds and specifies what to do when a gate fails.

Inter-phase transition orchestration for CAPPY — evaluates phase gates, extracts context from phase JSON results, checks inv_context.json health, and prepares HITL checkpoint content for Main Claude.

Phase 4 hypothesis generation and causation analysis for CAPPY TAC investigations — applies OBSERVE→CORRELATE→HYPOTHESIZE→FALSIFY→SURVIVE reasoning, validates environment fit against Cortex docs and TAC precedents, classifies the issue type (customer_config/product_bug/known_issue), and checks the Phase 4 coherence gate.

Phase 0-1 investigation initialization for CAPPY — handles case directory setup, SF case context extraction, evidence inventory, and environment detection.

8-phase TAC investigation for Cortex XSOAR, XSIAM, and XDR. Trigger this skill whenever the user mentions a Salesforce case number (SF-XXXXXXXX or 0XXXXXXXX), shares a log bundle (.tar.gz, .zip), HAR file, or describes a product error or symptom. Also trigger when the user says "investigate", "triage", "what's wrong with", "customer is getting", "why is X failing", or asks for help diagnosing any Cortex XSOAR/XSIAM/XDR issue — even if they don't use the word "investigate". Provides human-in-the-loop checkpoints at each phase gate, inline claim verification, and CAPPY agent orchestration.

Structured logging rules for CAPPY investigations — defines how to update inv_context.json at each phase, correlation ID usage, and discrepancy tracking between tool output and manual verification.

Architecture knowledge and environment compatibility validation for CAPPY Phase 4 — checks hypothesis against the customer's actual deployment topology, product version, and infrastructure constraints.

Phase 5 solution validation orchestration for CAPPY — validates the proposed resolution against Cortex documentation, Confluence KB, and closed TAC case precedents, checks the Phase 5 quality gate, and confirms the solution is actionable.

Hypothesis validation rules for CAPPY TAC investigations — applies falsification-first methodology, tests hypotheses against Phase 3 evidence, and eliminates hypotheses that cannot survive scrutiny.

Root cause narrative synthesis for CAPPY investigations — verifies remediation steps against Cortex docs and resolved TAC cases, constructs the investigation story from verified claims, prepares the Phase 5 research direction, and produces the root cause statement.

Phase 2 triage orchestration for CAPPY TAC investigations — searches the pattern database, Cortex docs, similar closed TAC cases, and Confluence KB for symptom matches, scores confidence, and checks the Phase 2 gate. Invoke during an active investigation when pattern matching and reference lookup are needed.

Citation validation and post-phase verification for CAPPY investigations — checks that all claims have proper file:line citations and that no uncited assertions appear in deliverables.