Blueprint: incident response

Four agents. One outage. Shared operational memory.

Triage, root-cause, remediation, and communications agents each need the same incident facts: which ALERT fired, what GOAL is claimed, which OBSERVATION explains the failure, and which DOC or runbook supports the fix. RushDB stores all of it as linked records under one incident_id, so a remediation agent can retrieve the root-cause agent's OBSERVATION directly from the graph instead of receiving it secondhand through a forwarded prompt.

This RushDB blueprint coordinates triage, root-cause, remediation, and communications agents through a shared graph of INCIDENT, GOAL, OBSERVATION, and HANDOFF records that any agent can resume from instead of replaying prompt history.

Passing prompts between agents is not coordination.

A live incident produces ALERT, TICKET, DOC, and OBSERVATION data faster than any one agent can hold in context, and passing prompts between triage, root-cause, remediation, and communications agents flattens that evidence into a summary that drops the details underneath it. When state lives only in prompt history, a restarted agent re-investigates from scratch, two agents can claim the same GOAL, and the eventual incident summary cites nothing anyone can check.

Before

  • Each agent carries a separate context window
  • Handoffs flatten evidence into a summary
  • Repeated investigation after a restart
  • Runbooks, alerts, and tickets stay disconnected

With RushDB

  • Goals and observations written as durable records
  • Supporting alerts, tickets, and docs linked in the graph
  • Agents recall incident context by meaning and incident ID
  • A resumed agent can continue from shared state

Graph intelligence on ingest

Incoming data becomes queryable graph context.

Incident data arrives as ALERT, TICKET, DOC, GOAL, and OBSERVATION records tied to one incident_id, and RushDB writes each into the graph as it's produced rather than waiting for a post-incident cleanup pass. A managed index on DOC.body makes runbooks and prior write-ups searchable immediately, so an agent claiming a GOAL can pull supporting evidence the moment it starts work.

01

Normalize as incident data arrives

RushDB infers types for ALERT, TICKET, GOAL, and OBSERVATION fields as each record streams in during a live incident.

02

Auto-link nested structure

A nested incident payload with alerts, goals, and docs becomes traversable parent-child records under one incident_id automatically.

03

Enrich scattered evidence

Suggested-relationship analysis can propose SUPPORTED_BY or LED_TO links between observations, tickets, and runbooks tied to the same incident.

Suggested relationship analysis requires an LLM configured for the project. Suggestions stay in draft form until you approve them, so inferred domain meaning never mutates the graph silently. You can also add explicit relationships through the SDK or API.

Review suggested relationship patterns

Data model

One flexible graph for the workflow.

Start with the payload shape your product already produces. RushDB stores it as Records, infers typed properties, and keeps nested or approved domain relationships queryable.

Schema sketch
Incident payload

One incident write can carry alerts, goals, docs, and early observations while later agents add handoffs and decisions.

{
  "incidentId": "inc-42",
  "severity": "sev2",
  "startedAt": "2026-06-03T09:14:00Z",
  "ALERT": [{ "alertId": "login-errors", "service": "auth", "count": 1842 }],
  "GOAL": [{ "goalId": "goal-rca", "state": "open", "ownerRole": "root-cause-agent" }],
  "DOC": [{ "docId": "runbook-auth-rollback", "title": "Auth rollback runbook" }],
  "OBSERVATION": [
    { "summary": "Failures started after auth rollout", "confidence": 0.82 }
  ]
}

Working example

Resume the investigation from graph state.

The root-cause agent stores an observation against the incident. A later remediation agent retrieves that evidence without receiving the earlier prompt history.

Input
INCIDENT inc-42
  ALERT login-errors
  GOAL identify-root-cause
  OBSERVATION "Failures started after the auth rollout"
  DOC auth-rollback-runbook
Query
{
  "labels": ["OBSERVATION"],
  "propertyName": "summary",
  "query": "What changed before login failures started?",
  "where": { "incident_id": "inc-42" }
}
Result
{
  "agent_id": "rca-agent",
  "incident_id": "inc-42",
  "summary": "Failures started after the auth rollout",
  "runbook": "auth-rollback-runbook"
}

TypeScript SDK

A complete starting point.

The example includes the one-time index setup so the retrieval path is explicit.

from rushdb import RushDB

db = RushDB('RUSHDB_API_KEY')

tx = db.tx.begin()
try:
    goals = db.records.find(
        {'labels': ['GOAL'], 'where': {'goalId': 'goal-rca', 'state': 'open', 'INCIDENT': {'incidentId': 'inc-42'}}, 'limit': 1},
        tx,
    ).data
    goal = goals[0]
    goal.update({'state': 'claimed', 'claimedBy': 'rca-agent'}, tx)
    tx.commit()
except Exception:
    tx.rollback()
    raise

context = db.ai.search({
    'labels': ['DOC'],
    'propertyName': 'body',
    'query': 'What changed before login failures started?',
    'where': {'INCIDENT': {'incidentId': 'inc-42'}},
})

Implementation blueprint

Build the incident war-room path.

Use this sequence to coordinate triage, RCA, remediation, and communications agents through shared RushDB records.

  1. 01Import one incident with alerts, tickets, docs, goals, and agents
  2. 02Create a managed index for DOC.body
  3. 03Claim GOAL records transactionally before each agent writes output
  4. 04Attach OBSERVATION, STEP, HANDOFF, and DECISION records to the incident
  5. 05Assemble the final summary from cited graph evidence

Build path

  • Model INCIDENT, ALERT, TICKET, DOC, GOAL, OBSERVATION, STEP, HANDOFF, and DECISION records.
  • Use transactions around goal claims and critical status changes.
  • Retrieve incident context by incident ID plus semantic search over indexed docs.
  • Require final incident summaries to cite the records they used.

Relevant docs

Read the exact primitives behind this pattern.

These links point to the RushDB docs pages that map directly to this blueprint: ingestion, labels, properties, values, SearchQuery, relationships, semantic search, MCP, or deployment.

How it works

Build the smallest useful workflow first.

01

Write shared state

Store incidents, goals, steps, observations, and handoffs as records instead of hiding the workflow inside prompt history.

02

Connect evidence

Link observations to the alerts, tickets, decisions, and runbooks that support them.

03

Resume from the graph

Let the next agent recall relevant state by meaning while filtering to the active incident.

Know where it fits.

Durable state, not multi-agent chat

The useful proof is a resumed agent completing work from RushDB records without access to the earlier prompt history.

Use transactions for claims and handoffs

In production, claim goals and write critical workflow changes transactionally so two agents do not take the same task.

Questions developers ask.