What you'll learn: How incidents are created, the incident lifecycle, and how to triage and resolve them.
An incident is a policy violation record. When the engine evaluates a step and a policy returns warn or block, an incident is created and sent to the platform (if the incident webhook is configured).
Incidents provide the compliance audit trail — they record what was violated, when, by which agent, and in which task.
open → active → resolved
→ ignoredopen
Newly created. No human has reviewed it.
active
Acknowledged by a team member. Under investigation or remediation.
resolved
The violation has been addressed — code fixed, policy adjusted, or root cause mitigated.
ignored
Reviewed and determined to be a false positive or acceptable risk.
Each incident includes:
agent_id
The agent that triggered the violation.
scope
step_execution or agent_registration.
task_id
The task in which the violation occurred (for step violations).
step_name
The step that was evaluated.
step_type
The behaviour type.
action
warn or block.
risk_score
The aggregate risk score (0.0 to 1.0).
violations
List of violated policies with name, severity, and details.
timestamp
When the violation occurred.
Navigate to Incidents in the sidebar.
Filter by status, agent, severity, or time range.
Click an incident to see full details.
Use the action buttons:
Resolve — mark as addressed.
Ignore — mark as false positive.
Reactivate — reopen a resolved or ignored incident.
GET
/api/v1/incidents
List incidents (filterable).
GET
/api/v1/incidents/{id}
Get incident details.
PUT
/api/v1/incidents/{id}/resolve
Resolve incident.
PUT
/api/v1/incidents/{id}/ignore
Ignore incident.
PUT
/api/v1/incidents/{id}/reactivate
Reactivate incident.
Incidents are never deleted — they form part of the immutable audit trail.
By default, the engine does not send incidents to the platform. To enable:
Or set to stdout for local debugging:
Dashboard Guide — navigate the dashboard
Reports — generate audit reports from incident data
Policies and Rules — understand how violations are determined
Last updated
export KV_INCIDENT_ENDPOINT=https://platform.kyvvu.com/api/v1/incidentsexport KV_INCIDENT_ENDPOINT=stdout