Incident Lifecycle
Incidents follow ITIL-aligned lifecycle states. The system tracks SLA timers, linked assets, change associations, and supports post-incident reviews.
State machine
Section titled “State machine”flowchart TD
A[New - open] --> B[In Progress - assigned]
B --> C[Pending - waiting external]
C --> B
B --> D{Major incident?}
D -->|Yes| E[Major Incident - escalated]
D -->|No| F[Resolved - fix applied]
E --> F
F --> G[Closed - verified]
G --> H[PIR Created - optional for majors]
A --> I[Cancelled - invalid]
style E fill:#ff6b6b,color:#fff
style F fill:#51cf66,color:#fff
style G fill:#339af0,color:#fff
SLA tracking
Section titled “SLA tracking”Each incident has two SLA deadlines calculated at creation from the tenant’s SLA policy:
| SLA | Field | Breach flag |
|---|---|---|
| First Response | sla_response_due | sla_response_breached |
| Resolution | sla_resolve_due | sla_resolve_breached |
Priority determines which SLA policy applies. Priority is derived from severity × impact × urgency via the tenant’s priority matrix (configurable in Settings).
Full lifecycle sequence
Section titled “Full lifecycle sequence”sequenceDiagram
participant User as User (SPA)
participant API as Cloud Backend
participant DB as Azure SQL
participant Notification as Notification Service
User->>API: POST /api/v1/incidents { title, severity, impact, urgency }
API->>API: Calculate priority from matrix
API->>API: Calculate SLA deadlines from policy
API->>DB: INSERT incidents (status=open)
API->>DB: INSERT audit_log (action=created)
API->>Notification: Notify assigned users (email/in-app)
API-->>User: { incident_id, ... }
User->>API: PATCH /api/v1/incidents/:id { status: in_progress, assigned_to }
API->>DB: UPDATE incidents
API->>DB: INSERT incident_timeline_events (status_change)
User->>API: POST /api/v1/incidents/:id/comments { body, mentions }
API->>DB: INSERT incident_comments
API->>Notification: Notify @mentioned users
User->>API: PATCH /api/v1/incidents/:id { status: resolved, resolution_note }
API->>DB: UPDATE incidents (resolved_at = NOW())
API->>DB: Check SLA breaches
User->>API: PATCH /api/v1/incidents/:id { status: closed }
API->>DB: UPDATE incidents (closed_at = NOW())
alt Major incident
User->>API: POST /api/v1/pir { incident_id }
API->>DB: INSERT post_incident_reviews
API-->>User: PIR created
end
Cross-links
Section titled “Cross-links”Incidents can be linked to:
- Assets — affected configuration items
- Problems — root cause investigation
- Changes — related change requests
- Vulnerabilities — security-triggered incidents
- Knowledge articles — workarounds and resolution notes
Cross-links are managed in the incident detail page and stored in junction tables (e.g. incident_assets, incident_problems).
Key files
Section titled “Key files”| Layer | Location |
|---|---|
| API handlers | Backend/internal/domain/incidents/handler.go |
| Business logic | Backend/internal/domain/incidents/service.go |
| DB queries | Backend/internal/domain/incidents/repository.go |
| Frontend pages | Frontend/src/routes/incidents/ |
| SLA policy config | Backend/internal/domain/settings/ (SLA policy CRUD) |