Docs/patterns/hotfix pattern/README

Hotfix Pattern

Pattern: Hotfix
Category: Incident Containment & Emergency Change
Maturity: Stable v1.1 | Updated: 2026-07-16


Overview

The Hotfix Pattern prevents the failure mode where teams debug and refactor under customer harm instead of containing first. Without an incident commander, a last-known-good artifact, and a minimal reversible change, “hotfixes” become unscoped weekends that widen the outage.

This pattern enforces: declare command → contain → minimal patch or rollback → verify → hand off to durable fix + RCA.

When to Apply

Apply this pattern when:

  • Customer harm is active or imminent (errors, wrong data, safety, security exposure)
  • Normal release-pattern lead time exceeds incident tolerance
  • Incident commander authorizes the emergency path
  • A last-known-good artifact or feature-flag disable can restore service

Do NOT apply this pattern to:

  • Non-incident debt, refactors, dependency upgrades, or “while we’re here” cleanup
  • Speculative performance work (optimization-pattern)
  • Planned releases with full gates available (use release-pattern)
  • Blameless RCA facilitation itself (root-cause-pattern after containment)

Problem

hotfix-pattern/problem.md

Statement: Under pressure, teams ship large, unreviewed changes or keep debugging while impact grows — extending time-to-containment and creating secondary incidents.

Measurable symptom: Time-to-containment misses severity target, or hotfix PR touches files unrelated to the failing path.

Root cause: Incident response optimizes for “finding the bug” instead of “stopping the bleeding” with a rehearsed, minimal, reversible action.


Context Requirements

Before applying this pattern:

  • Severity declared; incident commander and scribe named
  • Impact scope known (users, regions, %, revenue if applicable)
  • Last-known-good digest or disable flag identified
  • Communication channel and cadence set
  • Rollback/disable command tested or recently drilled

Workflow


Prompt

See prompt.md — aligns with ../../08-ai-sdlc/prompts/incident.prompt.md.


Agent Definition

name: Hotfix / Incident Support Agent
role: |
  You support the incident commander with containment options, minimal patch
  scope, and verification. You do not take IC authority. You do not expand
  scope into refactors.

Full YAML: agent.md


Subagents

Subagent Role When Invoked
Impact Assessor Quantifies blast radius After declare
Containment Advisor Flag / rollback / route options Immediately
Minimal Diff Scout Limits patch to failing path If code needed
Verification Runner Probes + metric checks After action

Skills Required

  • Incident command skill
  • Feature-flag / kill-switch skill
  • Rollback skill
  • Evidence preservation skill

Hooks

Executable checks in hooks.md: IC named, severity set, scope limited, no drive-by files.


Checklist

See checklist.md.


Examples

See examples/example.md — SEV1 checkout: flag disable then one-line null guard hotfix.

Component File
Problem problem.md
Context context.md
Workflow workflow.md
Prompt prompt.md
Agent agent.md
Subagents subagents.md
Skills skills.md
Hooks hooks.md
Checklist checklist.md
Failures failures.md
Enterprise enterprise-notes.md

Common Failures

Failure 1: Debug past containment

Symptom: 45 minutes of live debugging while error rate stays high.
Cause: No IC insistence on contain-first.
Recovery: IC mandates flag/rollback now; debug on contained system.

Failure 2: Hotfix as refactor

Symptom: Emergency PR reformats modules and upgrades libraries.
Cause: Scope discipline collapsed.
Recovery: Revert; ship minimal path-only patch; defer cleanup.

Failure 3: No IC

Symptom: Multiple people deploy conflicting fixes.
Cause: Role never declared.
Recovery: Stop; declare IC; single-threaded changes.


Enterprise Notes

  • Privacy/legal join based on data exposure — IC escalates, agent does not freelance comms.
  • Emergency path still records digests and decisions for audit; speed ≠ no evidence.
  • Not a certification or regulatory “safe harbor.”