build_incident_report
Build a forensic incident-report bundle for security review. Gathers evidence from session state and on-chain history, returning a structured envelope and narrative markdown for disclosure.
Instructions
Build a forensic incident-report bundle for a security review or disclosure. The tool is read-only: it gathers evidence already available to the server (demo-mode state, paired Ledger summary, skill / pin-drift notice flags) and, if you supply `wallet` + `chain` with `scope: 'wallet'` or `scope: 'custom'`, the wallet's recent on-chain tx history (it uses the same data path as `get_transaction_history`, so address-poisoning suffix-lookalike heuristics are surfaced).

Returns BOTH a structured envelope (machine-readable) and a narrative markdown string the user can paste into a GitHub issue / email / disclosure verbatim.

REDACTION (default `addresses`): every address-shaped field is fuzzed to first-4 / last-4 of meaningful chars so the bundle is safe to display before the user has decided where to forward it. Use `redact: 'all'` to additionally bucket USD amounts to coarse ranges ($1k–10k etc.). Use `redact: 'none'` only when the user is ready to share full hex with a trusted security contact.

v1 SCOPE: this tool only BUILDS the bundle; it does not submit anywhere. The user copies the narrative and routes it manually. A `submit_incident_report` companion that posts via the `request_capability` proxy is on the v2 roadmap (see claude-work/plan-incident-report-v2.md). Also deferred to v2: prepared-tx ring-buffer evidence ("last N prepared / broadcast txs"), so v1's tx evidence comes from on-chain history only.
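The address-poisoning suffix-lookalike check that the history path surfaces, shown as an added example rather than the server's own code. The `Tx` shape, the 4-char match width, the "known counterparty" rule and the sample history are assumptions constructed for this example; the output is the kind of flag list a bundle's evidence section would carry.

```typescript
// Added example (not the server's own code): the address-poisoning
// suffix-lookalike heuristic run over a wallet's recent tx history, producing
// flags that belong in the bundle's evidence list. Tx shape, the 4-char match
// width and the sample history below are assumptions for this example.

interface Tx {
  hash: string;
  from: string;
  to: string;
  valueUsd: number;
}

interface PoisoningFlag {
  hash: string;
  suspect: string; // counterparty that resembles a previously used address
  mimics: string;  // the previously used address it resembles
  direction: "incoming" | "outgoing";
}

// "Meaningful chars": hex addresses drop the 0x prefix and compare
// case-insensitively; base58 (Solana/TRON) is case-sensitive and kept as-is.
function meaningful(addr: string): string {
  return /^0x[0-9a-fA-F]{40}$/.test(addr) ? addr.slice(2).toLowerCase() : addr;
}

// Same first-4 and last-4 meaningful chars, but not the same address.
function looksAlike(a: string, b: string, width = 4): boolean {
  const x = meaningful(a);
  const y = meaningful(b);
  return x !== y && x.slice(0, width) === y.slice(0, width) && x.slice(-width) === y.slice(-width);
}

// Walk history oldest-first. An address becomes "known" once the wallet has
// sent it meaningful value; any later unknown counterparty that mimics a known
// one is flagged, whether it is sending dust in or receiving funds out.
function flagPoisoning(wallet: string, history: Tx[], minKnownUsd = 1): PoisoningFlag[] {
  const self = meaningful(wallet);
  const known = new Map<string, string>(); // meaningful form -> address as first seen
  const flags: PoisoningFlag[] = [];
  for (const tx of history) {
    const outgoing = meaningful(tx.from) === self;
    const counterparty = outgoing ? tx.to : tx.from;
    const cp = meaningful(counterparty);
    if (known.has(cp)) continue;
    const hit = Array.from(known.keys()).find(k => looksAlike(cp, k));
    if (hit !== undefined) {
      flags.push({
        hash: tx.hash,
        suspect: counterparty,
        mimics: known.get(hit) as string,
        direction: outgoing ? "outgoing" : "incoming",
      });
      continue; // never promote a lookalike to "known"
    }
    if (outgoing && tx.valueUsd >= minKnownUsd) known.set(cp, counterparty);
  }
  return flags;
}

// Constructed sample history (not real addresses): a payment to LEGIT, a
// zero-value "poison" tx from a lookalike, then a payment mistakenly sent to it.
const WALLET = "0x" + "1".repeat(40);
const LEGIT = "0xbeef" + "0".repeat(32) + "cafe";
const POISON = "0xBEEF" + "f".repeat(32) + "CAFE"; // mixed case on purpose
const SAMPLE_HISTORY: Tx[] = [
  { hash: "0x01", from: WALLET, to: LEGIT, valueUsd: 500 },
  { hash: "0x02", from: POISON, to: WALLET, valueUsd: 0 },
  { hash: "0x03", from: WALLET, to: POISON, valueUsd: 2500 },
  { hash: "0x04", from: WALLET, to: LEGIT, valueUsd: 10 },
];

// Two flags: 0x02 (incoming dust from the lookalike) and 0x03 (outgoing loss to it).
const SAMPLE_FLAGS = flagPoisoning(WALLET, SAMPLE_HISTORY);
```

The flagged address is deliberately never added to the known set, so every later tx touching it keeps being flagged; that is the behaviour a reviewer wants when the user pastes the bundle into a disclosure.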
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| scope | No | Evidence-collection scope. `session` (default): notice flags fired this session, demo-mode state, paired Ledger summaries — no on-chain reads. `wallet`: same as `session` PLUS the supplied `wallet`'s recent on-chain history. `custom`: same as `wallet` but lets `incident_class` widen evidence (e.g. allowances for an address-poisoning incident). `last_tx` was reserved in the filed issue but is deferred to v2 (needs the prepared-tx ring buffer). | session |
| incident_class | No | What category of incident is being reported. Drives which evidence to fetch on top of the always-included session-level summary. `address_poisoning` adds allowance enumeration; `unexpected_tx` / `hash_mismatch` add recent tx history. `skill_pin_drift` adds the live drift status block. `unknown` is the safe default when the user isn't sure which category fits. | |
| wallet | No | Wallet address to scope evidence to. Required when `scope` is `wallet` or `custom`. Format: EVM hex / Solana base58 / TRON T-prefixed base58. Detected automatically from the prefix shape. | |
| chain | No | Chain context for the wallet. Required when on-chain evidence is fetched (`scope: wallet` or `scope: custom`). Defaults to `ethereum` when omitted in those scopes. | |
| txHash | No | Transaction hash anchoring the incident to a specific tx. Surfaced verbatim in the bundle (with redaction applied to the user-facing shape per `redact`). v1 doesn't fetch the tx body itself — the agent / user pastes additional context separately. | |
| redact | No | Redaction mode. Default `addresses` fuzzes every address-shaped field (EVM/Solana/TRON/BTC) to first-4/last-4 of meaningful chars so the bundle is safe to display before the user has decided where to forward it. `all` additionally buckets USD amounts to coarse ranges. `none` shows full hex — opt-in only when the user is ready to share with a trusted security contact. | addresses |
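The redaction step described by the `redact` row and the REDACTION paragraph in the Instructions, as an added example that is not the project's own code. The page fixes only the first-4 / last-4 shape, the three modes and "$1k–10k" as one bucket; the address-shape regexes, which prefix characters are excluded from "meaningful chars", the treatment of `txHash`, the decade bucket boundaries and the sample envelope are all assumptions made here.

```typescript
// Added example (not the project's own code): redaction of an incident-report
// envelope and its narrative under the three `redact` modes. Shape regexes,
// the "meaningful chars" prefix rule, the USD bucket boundaries and the
// sample envelope are assumptions for this example.

type RedactMode = "none" | "addresses" | "all";
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

const B58 = "[1-9A-HJ-NP-Za-km-z]";
// Each shape: regex plus the fixed prefix that is NOT counted as meaningful chars.
// Order matters where alphabets overlap (TRON and legacy BTC before Solana).
const SHAPES: { name: string; re: RegExp; prefix: string }[] = [
  { name: "evm-txhash", re: /^0x[0-9a-fA-F]{64}$/, prefix: "0x" }, // txHash gets the same user-facing fuzz
  { name: "evm", re: /^0x[0-9a-fA-F]{40}$/, prefix: "0x" },
  { name: "tron", re: new RegExp(`^T${B58}{33}$`), prefix: "T" },
  { name: "btc-bech32", re: /^bc1[02-9ac-hj-np-z]{11,87}$/, prefix: "bc1" },
  { name: "btc-legacy", re: new RegExp(`^[13]${B58}{25,34}$`), prefix: "" },
  { name: "solana", re: new RegExp(`^${B58}{32,44}$`), prefix: "" },
];

function isAddressShaped(v: string): boolean {
  return SHAPES.some(s => s.re.test(v));
}

// first-4 / last-4 of the chars after the fixed prefix; non-addresses pass through.
function redactAddress(addr: string): string {
  for (const s of SHAPES) {
    if (!s.re.test(addr)) continue;
    const core = addr.slice(s.prefix.length);
    return `${s.prefix}${core.slice(0, 4)}...${core.slice(-4)}`;
  }
  return addr;
}

// Coarse decade buckets ("$1k-10k" and neighbours). Boundaries are an assumption.
function bucketUsd(amount: number): string {
  const abs = Math.abs(amount);
  if (abs < 1) return "<$1";
  const fmt = (n: number) => (n >= 1000000 ? `${n / 1000000}M` : n >= 1000 ? `${n / 1000}k` : `${n}`);
  let lo = 1;
  while (lo * 10 <= abs) lo *= 10; // largest power of ten not above abs
  if (lo >= 1000000) return `$${fmt(lo)}+`;
  return `$${fmt(lo)}-${fmt(lo * 10)}`;
}

// Walk the envelope: fuzz every address-shaped string; under `all`, also bucket
// numbers whose key ends in "Usd". `none` returns the input untouched.
function redactEvidence(value: Json, mode: RedactMode, key = ""): Json {
  if (mode === "none") return value;
  if (typeof value === "string") return isAddressShaped(value) ? redactAddress(value) : value;
  if (typeof value === "number") return mode === "all" && /usd$/i.test(key) ? bucketUsd(value) : value;
  if (Array.isArray(value)) return value.map(v => redactEvidence(v, mode, key));
  if (value && typeof value === "object") {
    const out: { [k: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactEvidence(v, mode, k);
    return out;
  }
  return value;
}

// The narrative markdown gets the same treatment token by token, so pasting it
// into an issue cannot leak a full address the envelope already fuzzed.
function redactText(text: string, mode: RedactMode): string {
  if (mode === "none") return text;
  return text.replace(/[0-9A-Za-z]+/g, tok => (isAddressShaped(tok) ? redactAddress(tok) : tok));
}

// Constructed sample envelope (not real addresses or hashes).
const LEGIT_ADDR = "0xbeef" + "0".repeat(32) + "cafe";
const SAMPLE_ENVELOPE: Json = {
  incident_class: "address_poisoning",
  wallet: "0x" + "1".repeat(40),
  chain: "ethereum",
  txHash: "0x" + "ab".repeat(32),
  evidence: [
    { to: LEGIT_ADDR, valueUsd: 2500 },
    { to: "T" + "A".repeat(33), valueUsd: 0.2 },
  ],
};
const SAMPLE_NARRATIVE = "Outgoing 2500 USD to " + LEGIT_ADDR + " on ethereum";
```

Usage: `redactEvidence(SAMPLE_ENVELOPE, "all")` yields `wallet: "0x1111...1111"`, `txHash: "0xabab...abab"` and `valueUsd: "$1k-10k"`; with `"addresses"` the amounts stay numeric, and `redactText(SAMPLE_NARRATIVE, "addresses")` fuzzes only the address token. Keeping the walk key-aware (`/usd$/i`) means a `chainId` or block number is never mistaken for an amount.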