Incident packet export is the first response artifact.
A complete packet should capture run ID, case ID, workspace, role, provider mode, source ledger, verifier issues, telemetry, backup reference, and immediate containment status.
Security and incident response
Incidents preserve the evidence trail first.
Aculeus treats auth failures, spend anomalies, source leakage, verifier failures, crawler errors, export mistakes, data-retention issues, and platform-check failures as reportable operational events.
Disable risky surfaces before editing evidence.
Operators should disable live providers, pause exports, preserve ledgers, and keep backup references intact before attempting corrections or cleanup.
Do not destructively alter records during triage.
Evidence rows, receipts, reviewer notes, and traces should remain available for audit. Retention dry-run identifies deletion candidates before any approved destructive action.
Identity failures are production blockers.
Unexpected access, missing role claims, pending-account access, or Clerk configuration failure blocks customer expansion until reproduced, fixed, and verified.
Provider caps and alerts are part of security.
Spend near-cap alerts, provider disablement, daily totals, and workspace/provider accounting are required for controlled pilots and customer trust.
Rollback is tied to a verified smoke path.
Production recovery should identify the deployment ID, rollback target, source SHA, smoke artifacts, owner, and customer communication status before normal operation resumes.