Neuri — Complete Product Walkthrough

What Is Neuri?

Neuri is an AI-powered Root Cause Analysis (RCA) engine built for Site Reliability Engineering teams. When an incident fires, Neuri automatically pulls evidence from your observability stack — metrics, logs, deploys, and infrastructure events — and produces a structured root cause analysis in seconds, not hours.

Fluidify Regen Screenshot

Watch the complete walkthrough tutorial here

Neuri does not replace your SREs. It gives them a head start: a confident, evidence-backed explanation of what broke and why, ready before the first postmortem conversation starts.

Core outcomes Neuri is designed to improve:

  • MTTI (Mean Time to Investigate): Neuri targets sub-5-second automated RCA generation from incident creation.
  • MTTR (Mean Time to Resolve): Faster diagnosis means faster remediation handoff, whether to an automated workflow or a human runbook.
  • Recurrence reduction: Neuri clusters recurring incidents and surfaces automation candidates so the same failure stops repeating.

Key Concepts

RCA (Root Cause Analysis): A structured document Neuri produces for each incident. It contains three sections: Observations (the evidence), RCA (the causal chain), and Suggested Next Step.

Confidence Score: A numeric score from 0 to 100 with a label (High / Medium / Low) representing how strongly the evidence supports the root cause Neuri identified. This is an honest signal about evidence completeness, not a quality rating. A Medium score means one or more evidence sources were partial or unavailable during the investigation.

RCA State: Every RCA has a lifecycle state. The possible states are:

  • GENERATING — Neuri is actively investigating.
  • PENDING_REVIEW — Investigation complete, awaiting human approval.
  • APPROVED — Accepted into the Playbook.
  • DISAPPROVED — Rejected; reason feeds the training signal.
  • STEERED — Modified by a human and re-queued for review.
  • DUPLICATE_OF — Linked to a prior approved RCA as a confirmed recurrence. Terminal state. Duplicates are excluded from the accuracy benchmark, do not appear in the pending review queue, increment the recurrence counter on the parent RCA, and are recorded in the Activity Log as a linking event.

Playbook: The active working surface for RCAs — live investigations streaming in real time, RCAs pending approval, and approved RCAs all visible in one place. This is where on-call users watch RCAs generate and where reviewers do their approval work.

Investigations Screen: A complete historical library of every RCA initiation Neuri has ever run, across all states — generating, pending, approved, disapproved, steered, and duplicate. This is the audit and search surface, not the live action surface.

RCA Versioning: Every time a human modifies and re-saves an RCA, a new version is created. The original is always preserved. Versions are displayed as a chain (v1 → v2 → v3) in the RCA detail view. Superseded versions are watermarked but remain fully viewable.

Environment: Neuri is configured and scoped per environment (e.g., Staging, Production). Connectors, guardrails, token budgets, and RCA history are all per-environment unless a setting is explicitly enforced at org level.

Connector: An integration between Neuri and an external data source. Neuri supports: Prometheus / Mimir / Thanos / VictoriaMetrics / Cortex (metrics), Loki (logs), Kubernetes (infra events and ConfigMap changes), ArgoCD (deploy events), and GitHub Actions (CI/CD events).

Guardrails: Configuration that governs cost, PII handling, and investigation behavior. Set by Admins. Individual settings can be locked across all environments using the Enforced by org policy toggle.

Evidence Retention: Raw evidence (log lines, metric snapshots, event payloads) is retained for 30 days. After that, the raw data is purged. The RCA narrative, causal chain, and the original query used to fetch each evidence item are preserved permanently. Expired evidence rows show a Re-run against source option that re-issues the preserved query against the live source.


User Roles

Admin Full access to all screens. Can configure connectors, set and lock guardrails, manage environments, clone configurations, and perform hard operations such as deletion and org-policy enforcement.

Reviewer Can approve, disapprove, and edit RCAs. Manages the Playbook review queue. Can initiate reinvestigations and steer RCAs via Gills. Cannot change connector configuration or guardrail policy.

On-call (standard authenticated user) Can view and interact with RCAs during live incidents. Can mark duplicates, trigger reinvestigations, and give inline feedback. Read-only access to the Guardrails screen.

Role labels appear throughout this document only when a step requires a specific capability. Where no role is noted, assume any authenticated user can perform the action.


Navigation Overview

Neuri has five primary screens accessible from the left navigation panel.

Screen Name Primary Purpose
Screen 1 Home Analytics, KPIs, and system health
Screen 2 Investigations Full historical library of all RCA initiations
Screen 3 Playbook Live RCAs + pending approval + approved library
Screen 4 Guardrails PII filtering and investigation policy
Screen 5 Configuration Connectors, integrations, and environment setup

An environment switcher sits in the top-right corner of every screen. When an environment is active, a chip displaying its name appears next to every screen title. All data is scoped to the active environment unless you select "All environments" on the Home screen.


Screen 1 — Home

Who uses it: All roles. The default landing screen for all users.

What it does: The Home screen is the analytics and operational command center for Neuri. It gives you a real-time view of RCA volume, accuracy trends, system health, and cost status — all filterable by environment and time range. It answers the question: how is Neuri performing, and is anything wrong right now?


Layout

The screen is organized into four zones from top to bottom:

KPI Strip — Four metric cards across the top. Evaluation Benchmark — An accuracy gauge with a trend line. Volume Bar Graph + Activity Log — A visualization and event feed linked by brushing. Right Rail — Budget meter, connector health summary, and top recurring root causes.


KPI Strip

RCAs Generated — Total RCA count for the selected time window and environment. Sub-links below the number (e.g., "12 Approved," "3 Pending") deep-link to the Playbook screen pre-filtered to that state.

MTTI (Mean Time to Investigate) — Average time from incident creation to a validated (Approved) RCA. Hovering the tooltip shows the full methodology definition. Neuri uses "Mean Time to Validated RCA" as its precise definition.

Time Saved — Estimated time savings based on a configurable baseline representing the assumed time your team would spend on manual investigation. Hovering the tooltip shows an Edit baseline link that deep-links to the Reporting Baselines section of the Guardrails screen.

Disapproved or Steered — Count of RCAs either rejected or modified by a human in the selected window. A trend arrow shows the delta versus the prior equivalent window. Hovering the arrow shows the exact delta value.


Evaluation Benchmark

The headline gauge shows your overall accuracy percentage (e.g., 87%) alongside a sample size label (e.g., "n = 41 reviewed"). Hovering the sample size label shows a tooltip explaining what is and is not counted — duplicates and test runs are excluded.

A trend line shows accuracy over time. Clicking any point scrolls and filters the Activity Log to that specific day, letting you drill into which RCAs drove accuracy up or down. Clicking the headline gauge itself opens the Playbook screen in a combined live + pending + approved view.

A review queue nudge appears when RCAs are pending review (e.g., "5 RCAs await review →"). Clicking it routes to the Playbook screen's pending tab.

A Recurring incidents caught stat appears when duplicates have been identified in the period. Clicking it filters the Activity Log to duplicate-linking events only.


Volume Bar Graph

Shows RCA volume over the selected time range. A toggle switches the grouping between by severity, by status, and by service. Clicking any bar segment filters the Activity Log below it — this is called linked brushing. Clicking a legend item toggles that series on or off.


Activity Log

A chronological event feed covering everything Neuri has done or had done to it: RCAs generated, approved, disapproved, steered, duplicated, connectors degraded, guardrails edited, budgets hit.

Filter chips along the top allow filtering by status, severity, service, and user. Each row links to its source object:

  • RCA / Object rows route to the full RCA detail view on the Playbook screen.
  • Guardrail edited rows deep-link to the specific guardrail row on the Guardrails screen.
  • Connector degraded rows deep-link to the specific connector card on the Configuration screen.

Right Rail

Budget meter — Shows current token spend against the monthly budget as a percentage. Amber at 75%, red at 90%. Clicking it routes to the Investigation Bounds section of the Guardrails screen.

Connector health — A summary list of all connectors and their current status. Clicking any item routes to that connector's card on the Configuration screen.

Top recurring root causes — A short list of the most frequently recurring approved RCAs in the current period. Clicking any item routes to the Playbook screen filtered to that recurrence cluster.


First-Run Empty State

When Neuri has not yet generated any RCAs, the Home screen shows an illustrated empty state with the message "Neuri hasn't investigated anything yet," a connector completeness checklist, and two CTAs: Set up integrations → (routes to the Configuration screen) and Run a test investigation on a historical incident.

The test investigation CTA opens a picker to select a resolved incident from the last 30 days. Neuri runs a sandboxed investigation against it. The result appears in the Playbook screen with a TEST RUN watermark, is audit-logged as a test, and is excluded from accuracy benchmarks. This is the fastest way to validate Neuri is working before a real incident occurs.


Full Click-Path Reference — Home Screen

Element Action / Destination
Environment switcher Re-scopes all data; or select All environments for aggregate view
Time-range picker (7d / 15d / 30d / custom) Re-queries all zones
KPI — RCAs Generated status sub-links Deep-links to Playbook screen pre-filtered to that state
KPI — MTTI tooltip Shows full methodology definition
KPI — Time Saved → Edit baseline Deep-links to Guardrails screen Reporting Baselines
KPI — Disapproved or Steered trend arrow Hover shows delta vs prior window
Evaluation Benchmark headline gauge Opens Playbook screen combined view
Evaluation Benchmark — n = N reviewed label Tooltip explains sample scope
Evaluation Benchmark trend line point Scrolls Activity Log to that day
Review queue nudge Routes to Playbook screen pending tab
Recurring incidents caught stat Filters Activity Log to duplicate-linking events
Bar graph grouping toggle Re-colors bars, updates legend
Bar graph segment click Filters Activity Log (linked brushing)
Bar graph legend item click Toggles that series on or off
Activity Log filter chips Filters by status, severity, service, or user
Activity Log row — RCA / Object link Routes to RCA detail on Playbook screen
Activity Log row — Guardrail edited Deep-links to that guardrail row on Guardrails screen
Activity Log row — Connector degraded Deep-links to that connector on Configuration screen
Right rail — Budget meter Routes to Guardrails screen → Investigation Bounds
Right rail — Connector health item Routes to Configuration screen → that connector
Right rail — Top recurring root cause Routes to Playbook screen filtered to that cluster
Recurring incidents caught stat Filters Activity Log to duplicate-linking events
First-run — Set up integrations → Routes to Configuration screen
First-run — Run a test investigation CTA Opens historical incident picker; runs sandboxed test
Degraded banner Dismissible; deep-links to Configuration screen

Screen 2 — Investigations

Who uses it: All roles. Reviewers and Admins most frequently, for audit, search, and retrospective analysis.

What it does: The Investigations screen is the complete historical library of every RCA initiation Neuri has ever run, across every state — including in-progress investigations that are still generating. Where the Playbook screen is your live working surface, the Investigations screen is your audit and search surface. Every investigation Neuri has ever started appears here, whether it succeeded, failed, was approved, was disapproved, was marked a duplicate, or is still running.


Layout

The screen is a filterable, searchable table of all investigation records. There are no tabs — all states coexist in one view, with filters used to narrow scope.


Table Structure

Each row represents a single investigation initiation. Columns include:

  • Investigation ID — A unique monospace identifier. Clicking copies it to clipboard.
  • Incident — The linked incident name and severity, deep-linking back to the originating incident in your incident management interface.
  • Service — The primary service associated with the incident.
  • State — The current lifecycle state of the investigation (GENERATING / PENDING_REVIEW / APPROVED / DISAPPROVED / STEERED / DUPLICATE_OF / FAILED / CANCELLED).
  • Confidence — Score and label (High / Medium / Low), shown for completed investigations. Empty for in-progress ones.
  • Version — Current version number (e.g., v3), indicating how many times this investigation has been revised.
  • Recurrence — If this investigation is approved and has been linked as the parent of one or more duplicates, shows the recurrence count (e.g., "Seen 5×").
  • Token spend — Total tokens consumed by this investigation. For in-progress investigations, shows a live counter.
  • Initiated — Timestamp of when the investigation was triggered.
  • Last updated — Timestamp of the most recent state change.

State Indicators

Each state has a distinct visual treatment in the State column:

  • GENERATING — A pulsing indicator showing the investigation is actively running. Token spend counter is live.
  • PENDING_REVIEW — An amber badge indicating the investigation needs human review.
  • APPROVED — A green badge.
  • DISAPPROVED — A muted badge with the disapproval reason visible on hover.
  • STEERED — A blue badge indicating a human-modified version is in the review queue.
  • DUPLICATE_OF — A linked badge that shows the parent RCA ID on hover.
  • FAILED — A red badge. Hover shows the failure reason (e.g., "Loki unreachable"). A Retry button appears inline.
  • CANCELLED — A muted badge showing who cancelled and when.

Filters

Filter chips across the top of the table allow filtering by:

  • State — Any combination of the states above.
  • Severity — SEV1 through SEV5.
  • Service — The affected service.
  • Environment — The environment the investigation ran in (visible when "All environments" is selected in the env switcher).
  • Date range — Custom range picker.
  • Initiated by — Auto-triggered by Neuri, or manually initiated by a specific user.

A search bar supports full-text search across investigation ID, incident name, service name, and root cause narrative.


Row Actions

Clicking anywhere on a row expands an inline preview showing the investigation summary: state, confidence, token spend, the root cause one-liner (for completed investigations), and the suggested next step.

From the inline preview:

  • Open in Playbook — Routes to the full live RCA view on the Playbook screen. Available for GENERATING, PENDING_REVIEW, and APPROVED investigations.
  • Open detail — Routes to the full RCA detail view (equivalent to Screen 4 Mode A in the prior architecture) within the Playbook screen.
  • Retry — Available for FAILED investigations. Re-runs the investigation.
  • View parent RCA — Available for DUPLICATE_OF investigations. Routes to the parent approved RCA.

The overflow menu on each row provides:

  • Copy investigation link — Copies a deep-linkable URL to clipboard.
  • Export as Markdown / PDF — Downloads the RCA.
  • Delete — Soft-deletes the investigation record; recoverable for 30 days.

In-Progress Investigations

Investigations in GENERATING state are visible in the table with a live token spend counter ticking in real time. The row expands to show the streaming evidence checklist:

✓ Pulled 214 log lines (Loki)
✓ Correlated deploy payments-api@a3f9c2 (ArgoCD, 12m ago)
⟳ Analyzing pod events (K8s)…

A Cancel button is available on in-progress rows. Clicking it triggers a confirmation dialog. If confirmed, the investigation halts, the state changes to CANCELLED, and an audit log entry is written.


Bulk Actions

Checking the bulk select checkbox on multiple rows enables the bulk action bar. Available bulk actions: export as Markdown, delete. A single confirmation dialog covers all selected rows. Individual audit entries are written per row.


Full Click-Path Reference — Investigations Screen

Element Action / Destination
Environment switcher Re-scopes table; or All environments shows cross-env records
Filter chips (state / severity / service / environment / date / initiated by) Compound filter on the table
Search bar Full-text across ID, incident name, service, root cause narrative
Row click (anywhere) Expands inline preview
Inline preview — Open in Playbook Routes to live RCA view on Playbook screen
Inline preview — Open detail Routes to full RCA detail view
Inline preview — Retry (FAILED) Re-runs the investigation
Inline preview — View parent RCA (DUPLICATE_OF) Routes to parent approved RCA
Row overflow — Copy investigation link Copies deep-linkable URL to clipboard
Row overflow — Export as Markdown / PDF Downloads RCA
Row overflow — Delete Confirm dialog; soft-deletes; recoverable 30 days
In-progress row — streaming checklist source chip Opens evidence drawer with exact query
In-progress row — Cancel Confirm dialog; halts investigation; writes audit entry
Investigation ID (monospace) Click copies to clipboard
Incident name chip Deep-links to originating incident
Recurrence chip (Seen N×) Expands linked incidents list with timestamps
State badge — DISAPPROVED hover Shows disapproval reason
State badge — DUPLICATE_OF hover Shows parent RCA ID
State badge — FAILED hover Shows failure reason
Bulk select checkbox Enables bulk action bar
Bulk action bar — Confirm Single dialog covers all selected; writes per-row audit entries

Screen 3 — Playbook

Who uses it: On-call users for live incident investigation. Reviewers for approval work. All roles for referencing approved RCAs.

What it does: The Playbook is the active working surface of Neuri. It brings together three things in one screen: RCAs actively generating in real time (so on-call users can watch evidence stream in during a live incident), RCAs waiting for human approval (so reviewers can triage from one place), and the full library of approved RCAs (the institutional memory that Neuri uses for recurrence matching). You come to the Playbook when something is happening right now or when you need to act on an RCA.


Layout: Three Tabs

The Playbook screen is organized into three tabs:

Tab Contents
Live All investigations currently in GENERATING state, streaming in real time
Pending Review All investigations in PENDING_REVIEW or STEERED state, awaiting human action
Approved All approved RCAs forming the canonical Playbook library

Tab labels show live counts (e.g., "Live (2)", "Pending Review (5)", "Approved (41)"). Counts update in real time.


Tab 1 — Live

This tab shows all investigations that are currently generating. It is the equivalent of the Neuri RCA tab inside the incident management interface — but surfaced here as a standalone screen so it is accessible outside the incident context.

Each active investigation appears as a card showing:

  • The incident name and severity
  • The linked service
  • A streaming evidence checklist updating in real time
  • An elapsed timer
  • A live token spend counter
  • The similar-RCA banner (if a Playbook match is found during generation)

Streaming checklist: Each checklist item represents one evidence collection step. Items appear as they complete:

✓ Pulled 214 log lines (Loki)
✓ Correlated deploy payments-api@a3f9c2 (ArgoCD, 12m ago)
⟳ Analyzing pod events (K8s)…

Clicking any completed checklist item's source chip opens an evidence drawer showing the exact query Neuri issued and the raw data returned.

Similar-RCA banner: Mid-generation, if Neuri identifies a match in the approved Playbook, a banner appears on the live card:

⚡ Similar to approved RCA: "payments-api OOMKill after deploy"
   (approved 2026-06-12, seen 4×, 91% match)
   [View RCA]  [This is the same issue]  [Not related]  [Why 91%?]
  • View RCA — Opens the matched approved RCA in Approved tab detail view (new tab).
  • This is the same issue — Confirm micro-dialog; marks the fresh investigation as DUPLICATE_OF; increments the recurrence counter on the parent; excludes from accuracy benchmark; writes Activity Log entry.
  • Not related — Dismisses the banner; feeds the match as a negative pair to the clustering model.
  • Why N%? — Opens a tooltip with the match breakdown by dimension (service / failure signature / change type).

When generation completes, the investigation card transitions automatically to the Pending Review tab. The Live tab count decrements and the Pending Review count increments.

A Cancel button is available on each live card. Clicking it triggers a confirmation dialog. If confirmed, the investigation halts, the card moves to the Investigations screen with state CANCELLED, and an audit log entry is written.


Tab 2 — Pending Review

This tab is the review queue. It shows all investigations in PENDING_REVIEW state (freshly generated, awaiting first approval) and in STEERED state (returned from Gills after a human-guided reasoning session, awaiting re-approval).

Steered RCA identification: Steered RCAs are visually distinguished from freshly generated ones with a "Steered" badge and a note showing who steered it and when.

Each row in the pending list shows the RCA name, service, severity, confidence score, version number, and time since the investigation completed.

Inline preview: Clicking a row expands an inline preview showing the observations summary, root cause one-liner, and suggested next step — alongside three action buttons: Approve, Disapprove, and Open full.

Approve (inline) — Confirm dialog. Sets status to APPROVED. The RCA moves to the Approved tab. An audit entry is written. (Reviewer / Admin only)

Disapprove (inline) — Opens a reason picker: Wrong root cause / Wrong evidence / Too shallow / Other. Sets status to DISAPPROVED. The reason feeds the training signal. An audit entry is written. (Reviewer / Admin only)

Open full — Opens the full RCA detail view (see RCA Detail section below).

Bulk actions: Select multiple rows to enable the bulk action bar. Bulk approve and bulk disapprove are available. A single confirmation dialog covers all selected rows. Individual audit entries are written per row.


Tab 3 — Approved

The Approved tab is the canonical Playbook — the full library of all approved RCAs. This is the source of truth Neuri uses for recurrence matching on future incidents.

Table columns: RCA name, service, severity, root-cause category, confidence, version count, recurrence count, date approved, evidence expiry status.

Recurrence chip (e.g., "Seen 5×") — Clicking expands a linked incidents list showing every incident confirmed as a duplicate of this RCA, with timestamps and links back to each originating incident.

Evidence expiry icon — When raw evidence for an RCA has passed the 30-day retention window, a clock icon appears. Hovering explains that raw data has been purged but the narrative is fully intact.

Knowledge graph icon — Clicking opens the full-screen causal graph directly without navigating into the full detail view.

Filter chips across the top: severity, service, root-cause category, date range, disapproved-included (hidden by default).

Search bar: Full-text across RCA name, narrative, and services.

Overflow menu per row:

  • Export selected as Markdown — Downloads selected approved RCAs.
  • Mark Disapproved — Moves an approved RCA back to DISAPPROVED state. Confirm dialog required.
  • Delete — Soft-deletes the RCA and all its versions. 30-day recovery window.

RCA Detail View

Accessible from any tab by clicking Open full or View in detail on any row. This is the full single-RCA view, analogous to what was formerly Screen 4. It has two modes: read-only (Mode A) and reinvestigate (Mode B).


Mode A — Read-Only Detail

Header elements:

  • RCA name — Editable via the pencil icon. The only mutable field in Mode A. Renaming does not create a new version.
  • Status badge — Current lifecycle state. Hovering shows a state history timeline.
  • RCA ID — Monospace identifier. Clicking copies to clipboard.
  • Linked incident chip — Deep-links back to the originating incident.
  • Version chain chip (e.g., v1 → v2 → v3) — Click any version to render that version's read-only view. Superseded versions are watermarked.

Three-section RCA body:

Section 1 — Observations: Bulleted evidence items, each with a source chip (Loki / Prometheus / ArgoCD / K8s) that opens an evidence drawer with raw data and the exact query used. Where fields have been redacted, a note reads "⛨ N fields redacted" — hovering reveals which redaction rules fired (rule names only, never the redacted content).

Section 2 — Causal Chain: A numbered sequence of reasoning steps connecting the evidence to the root cause. Example:

1. Deploy a3f9c2 lowered memory limits from 512Mi → 384Mi
2. OOMKill cascade in payments-api pods
3. cart-service 5xx spike as downstream dependency

Section 3 — Suggested Next Step: A single recommended action. This section intentionally stops short of specifying exact remediation commands — that is handled downstream. Example: "Roll back deploy a3f9c2 or restore memory limit."

Confidence badge: Shown at the top of the body (e.g., High · 87). Clicking the Why? expander opens a breakdown:

Metrics corroboration ✓
Log pattern match ✓
Change correlation ✓
All connectors healthy at generation ✓

If a connector was degraded during generation, it is flagged here.

Low-confidence behavior: If confidence is below the configured threshold, the RCA body is collapsed by default with a caution header. A Show anyway button expands the full report.

Guardrail-truncated behavior: If the investigation hit a cost or loop limit, a banner appears on the RCA. An Adjust in Guardrails link routes to the Guardrails screen.

Evidence drawer: Clicking any observation row expands the full raw data and the exact query issued. For evidence older than 30 days: "Raw data expired per 30-day retention policy — query preserved: [query] · Re-run against source." The Re-run button re-issues the preserved query against the live source.

Knowledge graph: An interactive thumbnail showing the causal graph. Clicking opens full-screen with pan and zoom. Clicking any node opens the underlying evidence for that reasoning step.

Action bar:

  • Reinvestigate — Opens Mode B (available to all roles).
  • Approve (if pending) — Confirm dialog; sets status to APPROVED; writes audit entry. (Reviewer / Admin)
  • Disapprove (if pending) — Reason picker; sets status to DISAPPROVED; writes audit entry. (Reviewer / Admin)
  • Export — Downloads as Markdown or PDF.
  • Delete — Confirm dialog: "Soft-deletes entire version lineage. 30-day recovery. Proceed?" (Admin only)

Feedback controls (for on-call users on freshly generated RCAs):

  • Thumbs up (👍) — Sets status to APPROVED; enters Approved tab; writes audit entry.
  • Thumbs down (👎) — Opens reason picker; sets status to DISAPPROVED; feeds training signal; writes audit entry.

Mode B — Reinvestigate

Mode B lets you modify the inputs to Neuri's reasoning before regenerating. A persistent banner at the top reads: "Reinvestigation draft — will save as v[n+1]. Original preserved." This banner cannot be dismissed.

What you can edit:

Observations (Section 1):

  • Toggle individual observations on or off. Toggling off removes that evidence item from what Neuri reasons over on save.
  • Click + Add evidence to open a picker for logs, metrics, or deploy events. Select a source and define a time window. The result is appended as a new observation.

Reasoning Chain (Section 2):

  • Click any reasoning step card to edit the text inline. A live hint reads "Confidence will be recomputed on save."
  • Drag steps using the reorder handle. Final order is recorded in the audit log.
  • Delete a step. You cannot reduce the chain below one step.
  • Click + Add step to add a reasoning step. Disabled when three steps are shown (the display cap). Internal reasoning is uncapped.

Suggested Next Step (Section 3):

  • Edit the textarea freely. A helper note reminds you that precise remediation commands belong downstream — this field describes direction, not execution.

Saving options:

Save as new version — Persists edits without involving Gills. Status moves to STEERED → PENDING_REVIEW. The new version enters the Pending Review tab.

Edit RCA in Gills → (primary action) — Snapshots the current draft, sets status to STEERING — in Gills, engages a soft lock preventing simultaneous edits, and routes to Gills. Neuri's scope ends here. When Gills returns a refined version, it appears in the Pending Review tab as a STEERED RCA awaiting approval. The soft lock auto-releases after 24 hours of inactivity. Navigation back from Gills to Neuri is manual — the notification bell shows an alert when the steered RCA is ready.

Discard draft — Confirm dialog; drops all edits; original version is unaffected.

Navigation guard: A guard dialog appears if you attempt to navigate away with unsaved changes.


Full Click-Path Reference — Playbook Screen

Tab navigation

Element Action / Destination
Live tab Shows all actively generating investigations
Pending Review tab Shows all PENDING_REVIEW and STEERED investigations
Approved tab Shows all APPROVED RCAs

Live tab

Element Action / Destination
Streaming checklist source chip Opens evidence drawer with exact query and raw data
Similar-RCA banner — View RCA Opens matched approved RCA detail (new tab)
Similar-RCA banner — This is the same issue Confirm dialog; marks DUPLICATE_OF; increments recurrence; writes audit entry
Similar-RCA banner — Not related Dismisses banner; feeds negative pair to clustering model
Similar-RCA banner — Why N%? Tooltip with match breakdown by dimension
Cancel (live card) Confirm dialog; halts investigation; writes audit entry

Pending Review tab

Element Action / Destination
Row click Expands inline preview
Inline — Approve Confirm dialog; sets APPROVED; moves to Approved tab; writes audit entry
Inline — Disapprove Reason picker; sets DISAPPROVED; feeds training signal; writes audit entry
Inline — Open full Opens full RCA detail view (Mode A)
Bulk select checkbox Enables bulk action bar
Bulk action bar — Confirm Single dialog; writes per-row audit entries

Approved tab

Element Action / Destination
Filter chips Compound filter by severity / service / root-cause / date
Search bar Full-text across name, narrative, services
Row click Expands inline preview
Row — View in detail Opens Mode A detail view
Row — Edit Opens Mode B (forks draft)
Row — knowledge graph icon Opens full-screen causal graph
Recurrence chip (Seen N×) Expands linked incidents list
Evidence expiry icon Hover shows 30-day purge tooltip
Row overflow — Export as Markdown Downloads selected RCAs
Row overflow — Mark Disapproved Confirm dialog; sets DISAPPROVED; writes audit entry
Row overflow — Delete Confirm dialog; soft-deletes lineage; 30-day recovery

RCA Detail — Mode A

Element Action / Destination
Pencil next to RCA name Inline rename; only mutable field in Mode A
Status badge Hover shows state history timeline
RCA ID (monospace) Click copies to clipboard
Linked incident chip Deep-links to originating incident
Version chain chip Click any version to render that version's Mode A; superseded are watermarked
Observation source chip Opens evidence drawer with raw data and exact query
⛨ N fields redacted Hover reveals which redaction rules fired
Knowledge graph thumbnail Opens full-screen causal graph with pan, zoom, node-to-evidence
Confidence badge — Why? expander Evidence breakdown and connector health at generation
Low-confidence — Show anyway Expands collapsed report
Guardrail-truncated banner — Adjust in Guardrails Routes to Guardrails screen
Expired evidence — Re-run against source Re-issues preserved query against live source
Thumbs up (👍) Sets APPROVED; enters Approved tab; writes audit entry
Thumbs down (👎) Reason picker; sets DISAPPROVED; feeds training signal
Action bar — Reinvestigate Opens Mode B
Action bar — Approve (if pending) Confirm; sets APPROVED; writes audit entry
Action bar — Disapprove (if pending) Reason picker; sets DISAPPROVED; writes audit entry
Action bar — Export Downloads as Markdown or PDF
Action bar — Delete Confirm; soft-deletes entire lineage; 30-day recovery

RCA Detail — Mode B

Element Action / Destination
Observation include/exclude toggle Scopes evidence Neuri reasons over on save
+ Add evidence Picker (logs / metrics / deploys); appends new observation
Reasoning step — edit Inline textarea; live confidence recomputation hint
Reasoning step — reorder handle Drag to reorder; recorded in audit log
Reasoning step — delete Removes step; minimum one step enforced
+ Add step (disabled at 3) Tooltip explains display cap
Suggested Next Step textarea Free-form edit
Edit RCA in Gills → Snapshots draft; sets STEERING — in Gills; soft lock engaged; routes to Gills
Save as new version Persists edits; sets STEERED → PENDING_REVIEW
Discard draft Confirm dialog; drops all edits
Navigate away with unsaved changes Guard dialog

Screen 4 — Guardrails

Who uses it: Admins and SRE Leads with admin rights for editing. All other roles have read-only access. A role indicator at the top of the screen explains why fields are read-only for non-editors.

What it does: The Guardrails screen is the policy control center for Neuri. It has two clearly labelled sub-sections: PII and Data Filtering, which controls what sensitive data gets redacted before it enters an RCA; and Investigation Bounds and Behavior, which controls how much Neuri is allowed to spend and how it behaves when it hits limits. A right-rail audit log tracks every change made, by whom, in which environment, and at what time.

Individual settings can be locked across all environments using the Enforced by org policy toggle. When org-enforced, a setting renders with a lock icon and the badge "Enforced by org policy" in every environment. This cannot be overridden by environment-level edits.

Every change writes an audit entry to the right rail. The audit log is exportable as CSV and filterable by actor, setting, and environment.

A dirty-row navigation guard prevents accidental navigation away with unsaved edits.


Sub-section 1 — PII and Data Filtering

This sub-section controls what Neuri redacts from evidence before it is used in RCA generation and before the RCA is displayed to any user.

Entity class toggles (Presidio + spaCy) Standard entity classes are each controlled by an on/off toggle: email addresses, IP addresses, credit card numbers, person names, phone numbers. All are enabled by default. Toggling a class saves immediately and writes an audit entry.

Custom regex rules Add custom redaction rules using regular expressions. Each rule has four fields:

  • Pattern — The regex to match.
  • Label — A human-readable name for the rule (e.g., "internal-hostname").
  • Mask — The replacement string shown in place of the matched content (e.g., "[REDACTED:host]").
  • Enabled — An on/off toggle.

Saving a custom regex rule is gated: you must run at least one test in the Test filters panel before the Save button enables. This prevents deploying an untested or broken pattern.

String literals A simple list of exact strings — such as customer codenames or project names — that should always be redacted. String literal rules can be added and deleted inline without a test-gate requirement.

Test filters panel A live redaction preview panel. Paste a sample log line or text block, click Run test, and the panel highlights every match with the corresponding mask applied. Iterate on regex patterns here before saving. The panel shows which rules fired and which did not, so you can diagnose a pattern that is not matching as expected.

Enforced by org policy Any redaction rule can be org-enforced. When enforced, the rule applies in every environment and cannot be disabled through environment-level edits. Use this for rules that must never be relaxed.

Section operations:

  • Restore defaults — Confirm dialog; reverts all PII settings to platform defaults; writes audit entry.
  • Copy from another environment — Opens a picker; copies rules from the selected environment into the current one; confirm dialog lists what will be copied; writes audit entry.

Sub-section 2 — Investigation Bounds and Behavior

This sub-section controls how much Neuri is allowed to spend per investigation and per month, and how it behaves when it hits those limits.

Every numeric parameter row shows a p50/p95 usage sparkline — a small chart of the median and 95th-percentile historical usage for that parameter. This allows data-informed decisions when tightening limits: if the p95 is 4 and you set the cap to 5, you know you are catching genuine outliers without impacting typical investigations. Sparklines show "No data yet" until enough investigations have run in the environment.

Configurable parameters:

Max token spend per RCA — The maximum tokens Neuri may use in a single investigation. Investigations exceeding this are truncated; the resulting RCA is flagged as guardrail-truncated on the Playbook screen.

Max reasoning loops — The maximum number of internal reasoning iterations Neuri can perform per investigation.

Monthly token budget — The maximum total token spend across all investigations in the calendar month. When set, the Home screen budget meter gains a cap and changes color at 75% (amber) and 90% (red). Slack notifications fire at the configured threshold percentage.

On-limit-hit behavior — A radio selector with two options:

  • Stop and emit partial RCA (flagged) — Produces a partial RCA with a guardrail-truncated banner. On-call users see what Neuri found before hitting the limit.
  • Fail — Produces a hard failure requiring a manual retry.

Behavior limit toggles — On/off switches for operational constraints such as Read-only mode (prevents Neuri from writing back to any connected source). Any toggle can be org-enforced.

Reporting Baselines — A single editable field setting the assumed manual investigation time used to calculate the Time Saved KPI on the Home screen. Changes here affect the Home screen display only.

Data Retention — Read-only for all users. Shows the current raw evidence retention window (30 days) as set by org policy. A View purge audit log link opens a filtered log showing every purge job — what was purged, when, and under which policy. Exportable as CSV for compliance verification.

Each parameter saves individually via a per-row Save button. An optimistic toast confirms each save.


Full Click-Path Reference — Guardrails Screen

Element Action / Destination
Environment switcher Scopes all settings to selected environment; org-enforced rows stay locked
Role indicator (top) Explains read-only state for non-editors
PII entity toggle (per class) Saves on toggle; writes audit entry
Custom regex row — edit fields Pattern / label / mask / enabled; Save gated on test
Custom regex row — delete Confirm dialog; writes audit entry
String literal — add / delete Saves inline; writes audit entry
Test filters panel — Run test Live redaction preview; highlights matches with masks
Regex row — Save (post-test) Persists rule; releases Save gate
Enforced by org policy toggle (PII rule) Confirm dialog; locks rule across all environments; writes audit entry
Sub-section — Restore defaults Confirm dialog; writes audit entry
Sub-section — Copy from another environment Picker; confirm dialog lists what will be copied; writes audit entry
Investigation Bounds row input + Save Optimistic toast; writes audit entry; sparkline updates over time
On-limit-hit behavior selector Radio: Stop and emit partial (flagged) or Fail; saves inline
Behavior limit toggle On / off; org-enforced rows show lock icon
Enforced by org policy toggle (bounds / behavior) Confirm dialog; locks setting across all environments; writes audit entry
Reporting baseline edit Affects Home screen Time Saved display; writes audit entry
Data Retention — View purge audit log Opens filtered log of all purge jobs
Data Retention — Export Downloads purge log as CSV
Right rail audit log — filter chips Filter by actor / setting / environment
Right rail audit log — Export Downloads as CSV
Dirty-row navigation guard Dialog on navigate away with unsaved changes

Screen 5 — Configuration

Who uses it: Admins primarily. Reviewers may view connector status.

What it does: The Configuration screen is where you connect Neuri to your data sources. It covers three integration categories: the alert management integration with Regen (your incident management platform), observability connectors (metrics and logs), and change event sources (deploy and config change signals). No connectors means no RCAs. The setup checklist on first load guides you through the three required categories in sequence.


Layout

The screen is divided into a left rail (section navigation) and a main content area (connector card grid). The left rail has four sections:

Alert Management — Regen — The privileged first-party integration with your Regen incident management platform. This is how Neuri learns that an incident has been created and auto-triggers an investigation. Pre-connected; not user-configurable.

Observability Connectors — Metrics and log sources: Prometheus (and compatible variants), Loki, and Kubernetes.

Change Event Sources — Deploy and config change sources: ArgoCD, GitHub Actions, and Kubernetes ConfigMap (which auto-links when Kubernetes is connected in the section above).

Upgrade — Locked cards for sources available on higher plan tiers. A single Upgrade to Standard CTA at the section header routes to billing. There are no per-card upgrade prompts.

Each connector appears as a card in the grid with a status pill (Connected / Disconnected / Degraded / Paused) and an overflow menu.

A persistent degraded connector banner appears at the top of the screen when any connector is in a degraded state. It is dismissible and contains a deep link to the affected card.


Alert Management — Regen Integration

The Regen integration is the trigger layer for Neuri. When Regen creates an incident, it notifies Neuri via this integration, and Neuri auto-initiates an investigation. This card is pre-connected and cannot be disconnected or reconfigured by users.

Clicking View data contract opens a drawer listing the exact fields Regen sends to Neuri on incident creation: incident ID, severity, affected service, creation timestamp, and any attached labels. This drawer is informational — intended for security review and understanding of what data flows from Regen into Neuri's investigation context.

The Regen integration card shows:

  • Connection status — Always Connected; shown as read-only.
  • Last event received — Timestamp of the most recent incident trigger Neuri received from Regen.
  • Events received (7d) — Count of incident triggers in the last 7 days, giving you a sense of investigation volume driven by Regen.

Connecting Observability Connectors and Change Event Sources

Every configurable connector follows the same four-step flow.

Step 1 — Open the configuration drawer. Click the connector card, then click Configure. A right-side drawer slides in with fields specific to that connector: endpoint URL, authentication method, and scope selectors.

Step 2 — Fill in credentials and scope. Enter your endpoint and authentication credentials. Use scope selectors to restrict Neuri's data access to the relevant environment. For example, adding a label matcher env="staging" on Prometheus scopes all queries to staging metrics only.

Step 3 — Test the connection. Click Test Connection. Neuri fires a live probe and renders the result inline in the drawer: the exact query executed, the HTTP response status, the round-trip time in milliseconds, and a sample series or record count. Save is disabled until a successful test has run.

  • If authentication fails, a red banner reads "401 Unauthorized — check token scope." Save stays disabled.
  • If the endpoint is unreachable, the banner reads "Connection refused" with a copyable curl command you can run outside the platform to diagnose independently.

Step 4 — Save. Click Save. The card status pill changes to Connected, the last sync time shows as "just now," and an audit log entry is written.


Connector-Specific Notes

Prometheus and compatible variants (Mimir, Thanos, VictoriaMetrics, Cortex) The Prometheus card accepts any Prometheus-compatible remote read endpoint. Compatibility badges are shown on card expansion so you can confirm your variant is supported before configuring.

Loki The Loki drawer includes a tenant field and a label selector for scoping log queries to the correct environment.

Kubernetes The Kubernetes drawer includes a namespace allowlist multi-select and a ConfigMap watch toggle (default on). When ConfigMap watch is enabled, an inline note explains that this also feeds the Change Event Sources section. Enabling it auto-links a Kubernetes ConfigMap card in the Change Events grid with a shared-credential icon — no separate credential entry is needed.

ArgoCD The ArgoCD drawer includes an application filter field so you can scope deploy event ingestion to specific ArgoCD applications relevant to the current environment.

GitHub Actions The GitHub Actions drawer includes a poll interval field and a rate-limit meter showing your current API quota headroom. The meter is informational — it does not block saving, but signals when a shorter poll interval could exhaust your quota.


First-Time Setup: The Checklist

When no connectors exist, the card grid is replaced by a guided setup checklist:

① Metrics (Prometheus / Mimir / Thanos / VictoriaMetrics / Cortex)
② Logs (Loki)
③ Change source (ArgoCD / GitHub Actions / Kubernetes ConfigMap)

Each item turns green when that category has at least one connected source. When all three are green, the checklist collapses and the card grid renders normally. The Neuri module badge in the left nav changes from "Not activated" to "Ready."


Connector Card Overflow Menu

Every configurable connector card has an overflow menu with three options:

Pause connector — Suspends syncs without removing credentials. The status pill turns amber. Use this for planned maintenance windows when you do not want degraded-connector alerts firing. Investigations continue but evidence from this source will be absent, which will lower confidence scores.

View sync log — Opens the historical sync and latency log for this connector, showing the last N sync events, response times, and any errors encountered.

Disconnect — Triggers a confirmation dialog. Removes stored credentials, purges any pending sync data, and writes an audit entry. The card returns to Disconnected state.


Cloning Configuration Across Environments

When replicating a working connector setup from one environment to another, use the Clone config from another environment option at the section level. This copies endpoint URLs and scope selectors only. Authentication credentials are never copied — auth fields appear blank with red required indicators after cloning, prompting you to enter credentials for the target environment manually. An audit entry is written for every clone operation.


Full Click-Path Reference — Configuration Screen

Element Action / Destination
Environment switcher Re-scopes entire screen to selected environment
Left rail — Alert Management (Regen) Scrolls to Regen integration card
Regen card — View data contract Opens drawer listing exact fields received from Regen
Left rail — Observability Connectors Scrolls to observability card grid
Left rail — Change Event Sources Scrolls to change event card grid
Left rail — Upgrade Scrolls to locked cards
Card — Configure Opens right drawer with endpoint, auth, and scope fields
Drawer — Test Connection Fires live probe; renders result inline with exact query, status, RTT, sample count
Drawer — Save Persists config (gated on passing test); flips status pill to Connected; writes audit entry
Card overflow — Pause connector Suspends syncs; status pill turns amber
Card overflow — View sync log Opens historical sync and latency log
Card overflow — Disconnect Confirm dialog; removes credentials; purges pending syncs; writes audit entry
Kubernetes card — ConfigMap watch toggle Cascades to Change Events section; auto-links ConfigMap card with shared credential
GitHub Actions drawer — rate-limit meter Informational; hover shows exact API quota headroom
Section header — Upgrade to Standard CTA Routes to billing
Section level — Clone config from another environment Confirm dialog; copies endpoints and scope only (never credentials); writes audit entry
Empty state — Set up integrations → Scrolls to first checklist item
Degraded banner Dismissible; deep-links to offending connector card

End-to-End User Flows

The following flows trace complete journeys through Neuri from start to finish. Each step includes the user action, the system response, and the intent behind the action. Edge cases are called out inline.


Flow 1 — First-Time Setup and Onboarding

Context: New tenant. No connectors configured. No RCAs generated. Setting up Staging first. Role required: Admin throughout.

Step 1 — Land and orient. Sign in. The left nav shows the Neuri module with a "Not activated" badge. Click Neuri. The Home screen renders in first-run empty state: an illustration, "Neuri hasn't investigated anything yet," a connector checklist showing 0/3 required, and two CTAs. Click the environment switcher and select Staging. A "STAGING" chip appears next to every screen title.

Step 2 — Navigate to Configuration. Click Set up integrations → on the Home screen, or navigate directly to the Configuration screen. The card grid is replaced by the setup checklist: Metrics, Logs, Change source.

Step 3 — Confirm the Regen integration. The Alert Management section shows the Regen card as pre-connected. Click View data contract to confirm which fields Regen will send to Neuri on incident creation. No action required here — this integration is ready out of the box.

Step 4 — Connect Prometheus. Click the Prometheus card. Compatibility badges confirm support for Mimir, Thanos, VictoriaMetrics, and Cortex. Click Configure. In the drawer, paste the endpoint URL, select Bearer token, paste the token, and add a label matcher such as env="staging" to scope queries to Staging only. Click Test Connection. The inline result shows the exact query issued, the HTTP status, the round-trip time, and the sample series count. Click Save. The card flips to Connected and checklist item ① turns green.

Step 5 — Connect Loki. Repeat Configure / Test / Save for Loki using the Staging tenant and label selector.

Step 6 — Connect Kubernetes. Click the Kubernetes card. In the drawer, select only the namespaces relevant to Staging using the namespace allowlist multi-select. Leave the ConfigMap watch toggle on. Note the inline message confirming this also feeds the Change Event Sources section. Upload the service-account kubeconfig. Test. Save. The Kubernetes ConfigMap card in Change Events auto-links with a shared-credential icon. Checklist item ② turns green.

Step 7 — Connect ArgoCD. Click the ArgoCD card. Enter the API endpoint and token. Filter to the application relevant to Staging. Test. Save. Checklist item ③ turns green. The checklist collapses. The Neuri module badge changes to "Ready."

Step 8 — Set baseline guardrails. Navigate to the Guardrails screen. The screen renders with the STAGING chip. In the PII and Data Filtering sub-section, standard entity classes are on by default. If your logs contain internal hostnames or other sensitive patterns not covered by defaults, add a custom regex rule: enter the pattern, label, and mask, then click Test filters and paste a sample log line to confirm it matches. Only after a successful test does Save enable. Save the rule. In the Investigation Bounds sub-section, set Max token spend per RCA and Monthly token budget appropriate for Staging. Save each row individually.

Step 9 — Lock a setting org-wide. If a setting must apply to every environment without exception — such as a PII rule covering customer names — click the Enforced by org policy toggle on that row. A confirmation dialog warns that this locks the setting across all environments. Confirm. The row renders with a lock icon and "Enforced by org policy" badge in every environment.

Step 10 — Clone Staging to Production. Switch the environment to Production. On the Guardrails screen, click Copy from another environment → select Staging. The confirmation dialog lists what will be copied (rules and bounds only — never the audit log, never credentials). Confirm. On the Configuration screen, use Clone config from another environment for each observability connector and change event source. Endpoints and scope selectors clone; auth fields appear blank. Enter Production credentials for each connector, test, and save.

Step 11 — Validate with a test investigation. Return to the Home screen. Click Run a test investigation on a historical incident. Select a resolved incident from the last 30 days. Neuri runs a sandboxed investigation. The result appears in the Playbook screen Live tab with a TEST RUN watermark, then moves to the Approved tab. It is excluded from accuracy benchmarks. Share the result with the team to demonstrate Neuri is working before a real incident occurs.


Flow 2 — Live Incident: RCA Arrives, Review, and Resolution

Context: A SEV2 incident fires on the payments-api service (pods OOMKilling). Regen creates the incident and Neuri auto-triggers. Role: On-call user for Steps 1–8. Reviewer for Steps 9–15.

Step 1 — Pager fires. The on-call user is paged. They join the incident Slack channel and open the Regen incident view.

Step 2 — Open the Playbook screen. Navigate to the Playbook screen. The Live tab shows a count badge of 1 — a new card has appeared for the payments-api investigation. The card shows the incident name, severity (SEV2), service name, and a streaming evidence checklist updating in real time.

Step 3 — Watch evidence stream in. The streaming checklist on the live card updates:

✓ Pulled 214 log lines (Loki)
✓ Correlated deploy payments-api@a3f9c2 (ArgoCD, 12m ago)
⟳ Analyzing pod events (K8s)…

The elapsed timer and token spend counter are visible on the card.

Step 4 — Similar-RCA banner appears mid-generation. Before generation completes, a banner appears on the live card: a 91% match to an approved RCA "payments-api OOMKill after deploy (approved 2026-06-12, seen 4×)." Click Why 91%? to see the match breakdown: matched on service, failure signature, and change type. Click View RCA to open the historical approved RCA in detail view and review the prior root cause and fix.

Step 5 — Generation completes and card moves to Pending Review. The live card disappears from the Live tab and a new row appears in the Pending Review tab with an amber badge. The Live tab count decrements; Pending Review count increments. The notification bell may show a new alert if configured.

Step 6 — Review the RCA. Click the new row in the Pending Review tab to expand the inline preview. The observations summary shows the ArgoCD deploy event prominently. The root cause one-liner reads: "Deploy a3f9c2 lowered memory limits 512Mi → 384Mi, causing OOMKill cascade and downstream cart-service errors." Confidence is High · 87. Click Open full to go to Mode A detail view and verify one evidence link: click the ArgoCD source chip on the deploy observation. The evidence drawer shows the exact commit diff confirming the memory limit change.

Step 7 — Mark as duplicate. Return to the Pending Review tab. Click the row to expand the inline preview. Instead of approving or disapproving, navigate to the similar-RCA banner (visible in the full detail view). Click This is the same issue. Confirm the micro-dialog: "Link this incident to approved RCA v3 and mark as duplicate?" Confirm. The investigation moves out of Pending Review entirely. The recurrence count on the approved RCA increments to 5. The Activity Log on the Home screen records the linking event.

Step 8 — Hand off remediation. The on-call user exits Neuri. Remediation is handled downstream. Neuri's scope ends here.


Alternate path — Lower confidence, different mechanism (Step 5 variant):

If the fresh RCA comes back at Medium · 62 rather than High · 87, and the evidence points at a different mechanism:

Step 5a — Open full detail. In the Pending Review tab, click Open full to enter Mode A. The Why? expander on the confidence badge shows that log pattern match is partial — Loki coverage was incomplete during the initial window.

Step 5b — Click Reinvestigate. Click Reinvestigate in the action bar. Mode B opens with the persistent banner confirming the original is preserved.

Step 5c — Modify the evidence and reasoning. Toggle off coincidental log lines from the auth service. Add a relevant metric window via + Add evidence (JVM heap utilization over the last 30 minutes). Edit the ambiguous reasoning step from "ConfigMap changed" to "ConfigMap changed AND deploy a3f9c2 shipped simultaneously — causal ordering unclear."

Step 5d — Route to Gills. Click Edit RCA in Gills →. The draft is snapshotted. The RCA status changes to STEERING — in Gills. A soft lock is engaged. Gills opens. Neuri's scope ends here.

Step 5e — Return from Gills. After refining the reasoning in Gills and approving the result there, navigate back to Neuri manually. The notification bell shows: "Your steered RCA is ready for review." Click it. The Pending Review tab shows the steered version (v2) with a Steered badge.

Step 5f — Approve the steered version. Click the row, click Open full, review v2 in Mode A. Click Approve. Confirm. The RCA moves to the Approved tab. The version chain shows v1 (generated) → v2 (steered · approved).


Reviewer queue work (later the same day):

Step 9 — Check the queue. The Reviewer opens Neuri. The Home screen KPI strip shows 5 pending RCAs and accuracy of 87% (n=41). The review queue nudge reads "5 RCAs await review →." Click it. The Playbook screen Pending Review tab opens pre-filtered.

Step 10 — Triage inline. Click rows to expand inline previews. For RCAs where the root cause is clearly correct, click Approve inline. Confirm. Status changes to APPROVED. The row moves to the Approved tab.

Step 11 — Bulk disapprove false positives. Select two low-severity RCAs that are clearly wrong using the bulk select checkbox. Click Mark Disapproved. A single bulk-destructive confirmation dialog appears. Confirm. Both are set to DISAPPROVED and the negative signal is fed to the training model.

Step 12 — Identify automation candidates. Switch to the Approved tab. Sort by recurrence count descending. The top entry shows "payments-api OOMKill after deploy · seen 5×." Click the recurrence chip to see all five linked incidents. This pattern is a strong candidate for a downstream automation workflow.


Flow 3 — Playbook Curation and Weekly Maintenance

Context: Non-incident-driven. Weekly housekeeping. Role: Reviewer for edits. Admin for deletion.

Step 1 — Weekly accuracy audit. Open the Home screen. Set the time range to 30d and the environment to All environments. Examine the accuracy trend line for dips. Click any dip point — the Activity Log scrolls and filters to that week. Look for Connector degraded entries. Click one to deep-link to the Configuration screen → that connector's sync log showing the outage window that caused the accuracy drop.

Step 2 — Use the Investigations screen for audit. Navigate to the Investigations screen. Filter by state "DISAPPROVED" and the date range covering the dip week. Review which investigations were disapproved and whether they share a pattern — common service, common connector, common failure type. This is the fastest way to diagnose systematic accuracy problems.

Step 3 — Retire superseded Playbook entries. Navigate to the Playbook screen Approved tab. Enable the disapproved-included filter. Find approved RCAs that have been superseded by newer versions in a different lineage. Click View in detail → Mode A. Click Delete in the action bar. Confirm the soft-delete dialog (30-day recovery window). Toggle the Recently deleted filter briefly to confirm the entry is there.

Step 4 — Fix a stale suggested next step. Open an approved Playbook entry whose suggested next step references a deprecated approach. Click Reinvestigate → Mode B. Edit Section 3 only. Click Save as new version. The new version is created with status STEERED → PENDING_REVIEW and appears in the Pending Review tab. Open it, review, click Approve. The version chain shows the new version as current.

Step 5 — Surface automation candidates. Return to the Approved tab. Sort by recurrence count descending. Select rows with five or more recurrences using the bulk select checkbox. Click Export selected as Markdown from the overflow menu. Download the file and share it with the team responsible for downstream automation workflows.


Flow 4 — Guardrails Under Cost Pressure

Context: Month-end. Monthly token budget has reached 78%. Role: Admin.

Step 1 — Receive the budget alert. A Slack notification arrives: "Neuri monthly token budget at 78% — threshold breached." Click the deep link. The Home screen loads with the right-rail budget meter highlighted amber.

Step 2 — Identify the offenders. Click the budget meter to route to the Guardrails screen Investigation Bounds sub-section. Navigate back to the Home screen Activity Log, filter by event type "RCA generated," sort by cost descending. Identify the top-spending investigations — for example, three at approximately 15,000 tokens each, nearly twice the configured 8,000 cap. Click one to open the full detail view on the Playbook screen. The header shows the token cost. A "Guardrail-truncated" banner appears — this investigation hit the max reasoning loops limit.

Step 3 — Tighten the reasoning loop cap. Navigate to the Guardrails screen. In Investigation Bounds, find the Max reasoning loops row. The p50/p95 sparkline shows p50=2, p95=4. Reduce the cap from 5 to 3. This catches the outlier cases at p95=4 without affecting typical investigations at p50=2. Save. Set On-limit-hit behavior to "Stop and emit partial RCA (flagged)" so that investigations that hit the limit still produce usable output rather than failing entirely.

Step 4 — Apply separately to Production. Switch the environment to Production. Review Production's own p50/p95 sparkline data — it may differ from Staging. Adjust Production's limits based on Production's own usage history.

Step 5 — Add a PII rule after a near-miss. A team member reports that an RCA displayed a customer codename that was not in the redaction list. Navigate to the Guardrails screen PII and Data Filtering sub-section → String literals. Add the codename as a string literal. Open the Test filters panel, paste a sample log line containing the codename, and confirm it is redacted. Save. Click the Enforced by org policy toggle on this rule to lock it across all environments. Confirm. Audit entry written.

Step 6 — Retention audit for compliance. Compliance requests proof that old evidence is being purged. Navigate to the Guardrails screen. In the Investigation Bounds sub-section, Data Retention shows "Raw evidence retention: 30 days" (read-only). Click View purge audit log. The filtered log shows every purge job with what was purged, when, and under which policy. Export the last 90 days as CSV. As a spot-check, open any investigation from more than 30 days ago in the Investigations screen, then open its full detail view. The evidence drawer shows "Raw data expired per 30-day retention policy — query preserved: [query] · Re-run against source" for each observation. The narrative and causal chain are fully intact.


Flow 5 — Adverse Path: Investigation Fails Mid-Incident

Context: SEV1. The Loki connector becomes unreachable during Neuri's investigation. Role: On-call user.

Step 1 — Open the Playbook screen. Navigate to the Playbook screen. The Live tab shows the active SEV1 investigation. The streaming checklist on the card shows:

✓ Pulled deploys (ArgoCD)
✗ Loki unreachable
⟳ Analyzing K8s events…

Step 2 — Investigation fails. After approximately 30 seconds, the live card transitions to a failure state showing: "Investigation failed: Loki unreachable during evidence collection." A Retry button appears on the card. The card state is reflected in the Investigations screen as FAILED. The Home screen shows a degraded connector banner for Loki.

Step 3 — Retry. Click Retry. Neuri restarts the investigation. The card re-enters generating state in the Live tab. This time Loki responds. An RCA generates and the card moves to Pending Review. The confidence badge shows Medium · 58. Opening the full detail view and clicking the Why? expander shows: "Log pattern match ✓ (partial coverage — Loki stale during initial window)." The lower score reflects the incomplete log coverage during the retry window.

Step 4 — Proceed with appropriate caution. Do not approve immediately. Click Reinvestigate from the action bar. In Mode B, broaden the log window time range using + Add evidence to compensate for the gap in the initial collection. Save as new version. The steered version enters Pending Review for a reviewer to approve. Treat this investigation as a strong hypothesis requiring additional human verification before it enters the Playbook.


Frequently Asked Questions

What happens if Neuri generates an RCA while a connector is degraded? Neuri proceeds with whatever evidence is available. The confidence score reflects the gap — you will see a lower score and a specific note in the Why? expander indicating which connector was unhealthy at generation time and which evidence dimension was therefore incomplete.

Can multiple users edit the same RCA simultaneously? No. When an RCA enters Mode B or is routed to Gills, a soft lock is engaged. Other users can view the RCA in Mode A but cannot initiate their own reinvestigation until the lock releases. Locks auto-release after 24 hours of inactivity.

What is the difference between the Investigations screen and the Playbook screen? The Investigations screen is a historical audit log of every RCA initiation Neuri has ever run, across all states including in-progress, failed, and cancelled. The Playbook screen is your live working surface — it is where you watch investigations generate in real time, where reviewers approve or disapprove pending RCAs, and where you access the approved Playbook library. Use Investigations for audit, search, and retrospective analysis. Use the Playbook for everything you need to act on right now.

What is the difference between Save as new version in Mode B versus routing to Gills? Save as new version persists your manual edits directly. The reasoning chain reflects exactly what you typed. Routing to Gills opens a conversational interface where the AI assists you in refining the causal reasoning. Gills is the better option when the ambiguity in the reasoning is complex and difficult to resolve through direct text editing.

Does approving a DUPLICATE_OF investigation affect the accuracy benchmark? No. Duplicate investigations are excluded from the accuracy benchmark entirely. They contribute to the recurrence count on the parent approved RCA and to the pattern-matching training signal, but they do not affect the approval percentage displayed on the Home screen.

What is preserved after the 30-day evidence retention period? The RCA narrative, the full causal chain, every reasoning step, the suggested next step, all metadata (confidence, versions, status history, audit trail), and the exact query used to retrieve each evidence item. Only the raw evidence payload — log lines, metric data points, event bodies — is purged.

Can org-enforced guardrail settings be overridden at the environment level? No. Once a setting is marked Enforced by org policy, it is locked in every environment and cannot be changed through environment-level guardrails editing. The toggle used to set it is the only way to remove the enforcement.

What does the recurrence count on an approved RCA represent? It is the number of subsequent investigations that have been explicitly linked to that approved RCA using the "This is the same issue" action. It is not automatically inferred — a human must confirm each linkage. The count drives the recurrence clustering display on the Home screen right rail and is the primary signal for identifying patterns worth automating downstream.

What happens to an RCA if I delete its entire version lineage? It is soft-deleted and hidden from all default views. It can be recovered within 30 days using filters on the Investigations screen or on the Playbook Approved tab. After 30 days, deletion is permanent and irreversible.


Glossary

Term Definition
RCA Root Cause Analysis. A structured document produced by Neuri explaining the cause of an incident.
MTTI Mean Time to Investigate. Average time from incident creation to a validated (Approved) RCA.
MTTR Mean Time to Resolve. Time from incident creation to full resolution. Neuri reduces this by reducing MTTI.
SEV1–SEV5 Incident severity levels. SEV1 is the most severe.
Confidence score A 0–100 numeric score reflecting how strongly Neuri's evidence supports the identified root cause.
Playbook The active working surface combining live investigations, pending approvals, and the approved RCA library.
Investigations screen The complete historical audit library of all RCA initiations across all states.
Connector An integration between Neuri and an external data source.
Guardrails Admin-configured policies governing cost, PII, and investigation behavior.
Environment A scoped configuration context (e.g., Staging, Production).
OOMKill Out-of-Memory Kill. A Kubernetes event where a container is terminated for exceeding its memory limit.
GitOps An operational framework where infrastructure and application configuration is managed via Git.
Recurrence clustering Neuri's automatic grouping of incidents sharing the same root cause pattern.
Soft lock A temporary write-lock applied to an RCA while it is being edited in Mode B or steered in Gills.
Chain of thought The internal step-by-step reasoning Neuri performs to arrive at a root cause. Visible as the causal chain in Section 2 of the RCA.
Knowledge graph An interactive visual representation of causal relationships between evidence nodes in an RCA.
Blast radius The scope of systems and services affected by an incident or change.
Shadow mode An operational mode where Neuri generates RCAs internally without surfacing them — used for validation before full rollout.
Gills The conversational steering interface for Neuri. Lets users refine RCA reasoning through natural language. A separate product in the suite.

What's Next

Neuri is the 2nd tool in Fluidify AI's broader AI-SRE suite. Coming next:

  • Reflex — agentic workflow execution
  • Gills — a conversational, natural-language interface to your backend systems

We'd keep announcing latest changelogs, roadmaps and other stuff on our Github pages and Slack community)