‹ 首页

after-action-report

@rampstackco · 收录于 1 周前 · 上游提交 4 天前

Run a structured after-action review (postmortem, retrospective) on a launch, incident, or completed project to capture timeline, root cause analysis, contributing factors, and actionable lessons. Use this skill whenever the user wants to run a postmortem, retrospective, AAR, or after-action review on any past event. Triggers on after-action report, AAR, postmortem, retrospective, retro, post-incident review, what went well what didn't, lessons learned, blameless postmortem, root cause analysis, RCA, five whys. Also triggers when the user has just shipped something or just resolved an incident and wants to capture learnings.

适合你,如果团队需要从过去事件中系统性地学习改进

/ 下载安装
after-action-report.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add rampstackco/claude-skills/after-action-report
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- rampstackco/claude-skills/after-action-report
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify rampstackco/claude-skills/after-action-report
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
459GitHub stars
~2K最小装载
~3.8K含声明引用
~3.8K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · bc6d961

After-Action Report

Run a structured retrospective on a launch, incident, or completed project. Produce actionable lessons, not just a document.

This skill is for after-the-fact analysis. For active incident response, use incident-response. For planning launches, use launch-runbook.


When to use
  • After any incident (any severity)
  • After every major launch
  • At the end of a project (sprint retro, quarterly retro, project closeout)
  • When a recurring issue has happened enough times to demand investigation
  • When a decision didn't work out and the team wants to learn
When NOT to use
  • During an active incident (use incident-response)
  • For pre-launch planning (use launch-runbook)
  • For one-off bug fixes that don't merit broad analysis

Required inputs
  • The event being analyzed (incident, launch, project)
  • A timeline reconstructed from logs, chat, tickets
  • Participant accounts of what they observed and did
  • Outcomes and impact (what actually happened to users, the business)

The framework: blameless analysis

The most important principle: blameless. Without it, retrospectives produce hidden information and theatrical lessons rather than real ones.

What blameless means
  • Focus on systems, not individuals
  • Assume everyone made reasonable decisions given what they knew at the time
  • The question is "why was this decision reasonable to make?" not "who screwed up?"
  • Fixing the system means the next person in that situation succeeds where this person didn't
What blameless does not mean
  • No accountability (action items still have owners)
  • No hard truths (sometimes the system is broken in obvious ways)
  • No standards (some patterns of failure are individual, not systemic)
  • No discomfort (real reflection is uncomfortable)

The framework: 6 sections

A complete AAR covers six sections.

1. Summary

A 2 to 3 paragraph overview. Captures:

  • What happened
  • Impact (users, business, time)
  • Root cause (in plain language)
  • Top action items

This is what executives read. Anyone who reads only this section should leave with the most important information.

2. Timeline

A reconstructed timeline of events.

For incidents:

  • T-0: Detection
  • T+X: Acknowledgment
  • T+Y: Severity assessed, IC assigned
  • T+Z: Investigation began
  • ... mitigation, communication, resolution events
  • T+N: Resolution declared

For launches:

  • Pre-launch decisions and milestones
  • Launch day events
  • Post-launch monitoring observations

For projects:

  • Major milestones, decisions, pivots
  • Both planned and emergent

The timeline is the source of truth. Disagreements about what happened get resolved here.

3. Root cause analysis

What caused this, in plain language.

Use one or both of:

Five whys. Start with the surface symptom. Ask "why?" Repeat 5 times (or until you reach a true root). Each "why" should yield a substantive answer, not a tautology.

Example:

  • Why did the site go down? Database connection pool exhausted.
  • Why was the pool exhausted? Background job opened too many connections.
  • Why did the background job open too many connections? Connection cleanup code didn't run on errors.
  • Why didn't cleanup run on errors? Original code review didn't cover error paths.
  • Why didn't the review cover error paths? No checklist for error handling in our review process.

The fifth why often reveals the system fix. In this case: improve the review process.

Causal chain. Multiple contributing factors that combined.

  • Factor 1: Background job opened too many connections (technical)
  • Factor 2: Connection limit was set too low for actual traffic (configuration)
  • Factor 3: No alert on connection pool saturation (monitoring)
  • Factor 4: Recent traffic doubled without infra capacity review (process)

No single fix addresses the incident. Multiple gaps need attention.

4. Contributing factors

Factors that didn't cause the event but made it worse, or removed safety nets that would have caught it.

  • Monitoring gaps
  • Documentation gaps
  • Process gaps
  • Tooling gaps
  • Knowledge gaps

A "would have been caught earlier if..." factor.

5. What went well

Real lessons require capturing successes, not just failures.

  • What detection worked?
  • What response worked?
  • What decisions were good?
  • What tools or processes performed as expected?

This is not consolation. It's calibration. Things that worked here should be reinforced and replicated.

6. Action items

Specific, owned, dated.

| Action | Owner | Due | Type | |---|---|---|---| | Add alert on connection pool saturation | [name] | [date] | Monitoring | | Add error handling checklist to PR template | [name] | [date] | Process | | Audit other background jobs for similar issue | [name] | [date] | Code |

Action item criteria:

  • Specific. "Improve monitoring" is not actionable. "Add alert on connection pool saturation, threshold 80%, page on-call" is.
  • Owned. A name. Not "the team."
  • Dated. A real date. Not "soon."
  • Sized. Roughly hours, days, or weeks of effort.
  • Closeable. Definition of done is clear.

Action items that don't close in their committed timeframe should re-surface in the next AAR. Patterns of unclosed actions point to deeper organizational issues.


Workflow
1. Schedule the AAR

Within 1 to 2 weeks of the event. Long enough that emotions cooled and facts gathered. Short enough that memories are fresh.

For incidents: pre-decided in the response procedure. For launches: schedule on the runbook. For projects: schedule at project closeout.

2. Gather inputs

Before the meeting:

  • Reconstructed timeline (often the scribe's notes if there was one)
  • Logs, chat transcripts, tickets, incident updates
  • Individual accounts from each participant (written, before the meeting)
  • Impact data (users affected, duration, revenue impact, etc.)
3. Run the meeting

Typical agenda (60 to 90 minutes):

  • Read the summary as drafted (5 min)
  • Walk the timeline together. Add corrections. Resolve disagreements. (20 to 30 min)
  • Discuss root cause. Use five whys or causal chain. (15 to 20 min)
  • Discuss contributing factors. (10 min)
  • Discuss what went well. (10 min)
  • Identify action items. Owners and dates. (10 min)

A facilitator runs the meeting. Often the IC for an incident, or a project lead for a project. The facilitator is not the scribe.

4. Write the document

Within a few days of the meeting. The full AAR includes all 6 sections.

5. Distribute

Internal: post in a known location. Make searchable. Reference in onboarding.

For high-severity incidents: external summary may be appropriate (status page, customer email, public blog).

6. Track action items

Every action item should be tracked to closure. The next AAR re-surfaces unclosed ones.


Failure patterns
  • Skipping the AAR for "small" incidents. Patterns get missed.
  • Naming and shaming. Real lessons get hidden when people fear blame.
  • Generic action items. "Improve testing" instead of specific testing change.
  • Action items that never close. Filed, forgotten. Same incident recurs.
  • Theater retrospectives. Going through the motions without genuine reflection.
  • Skipping "what went well." Misses calibration on what's working.
  • Blame externalized. "Our vendor failed." OK, what's our system for vendor risk?
  • Single-person AAR. One person writes the whole thing. Misses other perspectives.
  • AAR only for failures. Successful launches deserve AARs too. Lessons from success are valuable.
  • Long delays. Memories fade. Conversations cool. Get it done within 2 weeks.

Output format

A markdown document at aar-[date]-[event-name].md.

Structure:

# AAR: [Event name]

**Date of event:** [YYYY-MM-DD]
**AAR date:** [YYYY-MM-DD]
**Severity / scope:** [SEV-1 / Major launch / Project closeout]
**Facilitator:** [Name]
**Participants:** [Names]

## Summary
[2 to 3 paragraphs]

## Impact
- Users affected: [number, segment]
- Duration: [time]
- Revenue / business impact: [if applicable]

## Timeline
[Timestamped events]

## Root cause analysis
[Five whys or causal chain]

## Contributing factors
[List]

## What went well
[List]

## Action items
| Action | Owner | Due | Type | Status |
|---|---|---|---|---|
| | | | | |

## Lessons
[Reflections that don't fit elsewhere. Often the most quotable section.]

Reference files
  • [references/aar-template.md](references/aar-template.md) - Fillable AAR template covering incidents, launches, and projects.
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。