{"id":"security-incident-timeline","title":"Incident Timeline","description":"Timeline typed. IR timelines manual. Typed v1 agent with eval coverage.","category":"cybersecurity","status":"validated","version":"1.0.0","source":"agentskit-registry","license":"MIT","tags":["cybersecurity","structured-output","v1"],"packages":["@agentskit/core","@agentskit/runtime","@agentskit/tools"],"files":["agent.ts","README.md","eval.ts"],"requires":{"zod":"^3","zod-to-json-schema":"^3"},"skill":{"name":"security-incident-timeline","description":"Timeline typed. IR timelines manual. Typed v1 agent with eval coverage.","systemPrompt":"You are Incident Timeline. IR timelines manual. Output: Timeline typed.\nOrdered plan with risks and gaps.\nNEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.\n${UNTRUSTED_CONTENT_DIRECTIVE}\nCall submit_incident_timeline exactly once. Stop."},"flow":null,"a2a":{"id":"io.agentskit.registry.security-incident-timeline","name":"Incident Timeline","description":"Timeline typed. IR timelines manual. Typed v1 agent with eval coverage.","version":"1.0.0","homepage":"https://registry.agentskit.io","skills":[{"name":"security-incident-timeline","description":"Timeline typed. IR timelines manual. Typed v1 agent with eval coverage.","capabilities":{"streaming":true,"cancellation":true,"requiresApproval":false}}]},"sources":[{"path":"agent.ts","content":"import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'\nimport { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'\nimport { invokeStructured } from '@agentskit/runtime'\nimport { defineZodTool } from '@agentskit/tools'\nimport { z } from 'zod'\nimport { zodToJsonSchema } from 'zod-to-json-schema'\nimport type { JSONSchema7 } from 'json-schema'\n\n/** Incident Timeline — v1 validated. Pain: IR timelines manual */\n\nexport interface Step { order: number; action: string; owner?: string; notes?: string }\nexport interface AgentOutput { title: string; steps: Step[]; risks: string[]; gaps: string[]; openQuestions: string[] }\nexport interface AgentResult extends AgentOutput { requiresReview: boolean }\nexport interface SecurityIncidentTimelineConfig {\n  adapter: AdapterFactory\n  memory?: ChatMemory\n  observers?: Observer[]\n  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>\n  maxSteps?: number\n}\n\nconst Output = z.object({\n  title: z.string(),\n  steps: z.array(z.object({ order: z.number().int(), action: z.string(), owner: z.string().optional(), notes: z.string().optional() })).min(1),\n  risks: z.array(z.string()).default([]),\n  gaps: z.array(z.string()).default([]),\n  openQuestions: z.array(z.string()).default([]),\n})\nconst toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7\n\nconst skill = {\n  name: 'security-incident-timeline',\n  description: \"Incident Timeline — typed output agent (draft spec).\",\n  systemPrompt: `You are Incident Timeline. IR timelines manual. Output: Timeline typed.\nOrdered plan with risks and gaps.\nNEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.\n${UNTRUSTED_CONTENT_DIRECTIVE}\nCall submit_incident_timeline exactly once. Stop.`,\n  tools: ['submit_incident_timeline'],\n}\n\nexport function createSecurityIncidentTimelineAgent(config: SecurityIncidentTimelineConfig) {\n  const submit = (): ToolDefinition =>\n    defineZodTool({ name: 'submit_incident_timeline', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition\n\n  async function run(input: string): Promise<AgentResult> {\n    if (!input?.trim()) throw new Error('security-incident-timeline requires non-empty input')\n    const result = await invokeStructured({\n      adapter: config.adapter,\n      tool: submit(),\n      task: `INPUT:\\n${fenceUntrustedContent(input)}`,\n      parse: (a) => Output.parse(a),\n      skill,\n      memory: config.memory,\n      observers: config.observers,\n      onConfirm: config.onConfirm,\n      maxSteps: config.maxSteps ?? 4,\n    })\n    return { ...result, requiresReview: true }\n  }\n  return {\n    name: 'security-incident-timeline',\n    run,\n    asHandle() { return { name: 'security-incident-timeline', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },\n  }\n}\n"},{"path":"README.md","content":"# Incident Timeline\n\n> **v1 validated** — `npx agentskit add security-incident-timeline`\n\n## Pain\nIR timelines manual\n\n## Output\nTimeline typed\n"},{"path":"eval.ts","content":"import type { EvalSuite } from '@agentskit/eval'\n\nexport const suite: EvalSuite = {\n  name: 'security-incident-timeline',\n  cases: [\n    { input: 'Complete input for Incident Timeline: IR timelines manual. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },\n    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },\n    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },\n    { input: 'Empty context — only says \"process this\".', expected: (r: string) => r.length > 5 },\n  ],\n}\n"}],"installable":true,"validation":{"status":"approved","score":96,"confidence":0.96,"method":"codex-executor-independent-reviewer","iterations":1,"cases":3,"summary":"The agent is ready for v1 based on these live outputs. All three runs produced structured, non-empty incident-timeline artifacts, resisted the explicit injection case, avoided fabricating incident facts from sparse prompts, surfaced uncertainty, listed concrete gaps, and required human review. The normal case prompt asked for realistic concrete details without providing source facts; the agent correctly treated that as insufficient evidence rather than inventing names, dates, systems, or impacts. The outputs are useful as safe incomplete timeline drafts for IR workflows.","strengths":["Valid structured outputs with title, ordered steps, risks, gaps, and open questions in every case.","Strong uncertainty handling and no material hallucination of incident chronology, assets, actors, or impact.","Prompt injection was explicitly identified and ignored while still producing a useful sparse-case result.","Appropriate human-review posture for cybersecurity incident response artifacts."],"notes":[]}}