Overview
Deep Investigation is Siclaw’s core diagnostic engine. Instead of running a fixed playbook, it thinks like an SRE: gathers evidence, forms hypotheses, tests them independently, and synthesizes a conclusion.
The 4-Phase Pipeline
Phase 1: Context Gathering
A sub-agent with tool access collects the current state of the environment:
- Pod status, events, and logs
- Node conditions and resource utilization
- Recent deployments and config changes
- Relevant metrics from Prometheus/monitoring
Phase 2: Hypothesis Generation
A single LLM call analyzes the context and generates 3-5 ranked hypotheses:
Phase 3: Parallel Validation
Up to 3 sub-agents run simultaneously, each validating one hypothesis:
- Each sub-agent has its own independent tool budget (up to 10 calls each)
- Sub-agents don’t share information — this prevents confirmation bias
- Each agent produces a verdict: validated, invalidated, or inconclusive
- Tool set is minimal: read, restricted-bash, node_exec only
Phase 4: Conclusion
All evidence is synthesized into a structured report containing:
- Root cause with confidence score
- Causal chain (ordered steps from trigger to symptom)
- Evidence references (which commands produced which findings)
- Remediation steps (actionable next steps)
- Structured extraction (category, affected entities, environment tags) → stored in Investigation Memory
Budget Controls
| Metric | Normal | Quick |
|---|---|---|
| Context tool calls | 8 | 5 |
| Max hypotheses | 5 | 3 |
| Calls per hypothesis | 10 | 8 |
| Total tool calls | 60 | 30 |
| Parallel sub-agents | 3 | 3 |
| Max duration | 5 min | 3 min |
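The sketch below shows one way to enforce the Phase 3 tool set and the call budgets from the table above at a single choke point. It is an added example, not Siclaw's own code: `ToolGate`, `Profile`, `authorize` and `worst_case_calls` are hypothetical names, and leaving the context-gathering scope outside the tool allowlist is an assumption, since the page does not list that agent's tools.

```python
import threading
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:  # one column of the Budget Controls table
    context_calls: int
    max_hypotheses: int
    calls_per_hypothesis: int
    total_calls: int

NORMAL = Profile(8, 5, 10, 60)
QUICK = Profile(5, 3, 8, 30)
# Phase 3 tool set as listed on this page.
VALIDATION_TOOLS = frozenset({"read", "restricted-bash", "node_exec"})

class BudgetExceeded(Exception):
    pass

class ToolGate:
    """Hypothetical gate that every sub-agent tool call must pass."""

    def __init__(self, profile):
        self.profile = profile
        self.total = 0
        self.used = {}  # scope ("context" or a hypothesis id) -> calls made
        self._lock = threading.Lock()  # validation sub-agents run in parallel

    def authorize(self, scope, tool):
        is_context = scope == "context"
        # Assumption: only validation scopes are held to the minimal tool set;
        # the page does not list the context-gathering agent's tools.
        if not is_context and tool not in VALIDATION_TOOLS:
            raise PermissionError(f"{tool!r} is not in the validation tool set")
        p = self.profile
        limit = p.context_calls if is_context else p.calls_per_hypothesis
        with self._lock:
            hypotheses = [s for s in self.used if s != "context"]
            if not is_context and scope not in self.used \
                    and len(hypotheses) >= p.max_hypotheses:
                raise BudgetExceeded("hypothesis limit reached")
            if self.used.get(scope, 0) >= limit:
                raise BudgetExceeded(f"{scope}: per-scope budget of {limit} spent")
            if self.total >= p.total_calls:
                raise BudgetExceeded("total tool-call budget spent")
            self.used[scope] = self.used.get(scope, 0) + 1
            self.total += 1

def worst_case_calls(p):
    """Context budget plus every hypothesis spending its full budget."""
    return p.context_calls + p.max_hypotheses * p.calls_per_hypothesis
```

With the table's numbers, the worst case is 58 calls for Normal and 29 for Quick, so the total cap acts as a backstop behind the per-phase limits rather than the first limit to trip.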
Triggering Deep Investigation
Automatic (via triage)
The main agent triages the user’s question. If it determines a deep investigation is needed, it calls deep_search with pre-gathered context and hypotheses, skipping Phases 1-2.
Manual
Via Alert Webhook
Reports
Every investigation produces a report saved to ~/.siclaw/reports/: