apple-notes-incident-runbook
Incident response runbook for Apple Notes automation failures. Trigger: "apple notes incident".
Best use case
apple-notes-incident-runbook is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Incident response runbook for Apple Notes automation failures. Trigger: "apple notes incident".
Teams using apple-notes-incident-runbook should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/apple-notes-incident-runbook/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How apple-notes-incident-runbook Compares
| Feature / Agent | apple-notes-incident-runbook | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Incident response runbook for Apple Notes automation failures. Trigger: "apple notes incident".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Apple Notes Incident Runbook
## Overview
This runbook covers the most common Apple Notes automation failures and their resolution procedures. Unlike cloud SaaS incidents that involve API endpoints and status pages, Apple Notes incidents are local to the macOS machine: app crashes, TCC permission revocations, iCloud sync failures, and database corruption. Each incident section follows a detect-diagnose-fix-verify structure. Keep this runbook accessible on any machine running Notes automation.
## Severity Levels
| Severity | Description | Example | Response Time |
|----------|-------------|---------|---------------|
| P1 | All automation blocked | TCC permissions revoked, Notes.app won't launch | Immediate |
| P2 | Data inconsistency | iCloud sync stuck, notes missing | Within 1 hour |
| P3 | Degraded performance | Slow operations, intermittent timeouts | Within 4 hours |
| P4 | Cosmetic/minor | Log warnings, non-critical script errors | Next business day |
## Incident 1: Notes.app Crash During Automation
```bash
# DETECT: Check if Notes is running
pgrep -x Notes > /dev/null && echo "Notes: running" || echo "Notes: NOT RUNNING"
# DIAGNOSE: Check crash logs
ls -lt ~/Library/Logs/DiagnosticReports/Notes* 2>/dev/null | head -3
# FIX: Restart Notes with stabilization delay
killall Notes 2>/dev/null
sleep 3
open -a Notes
sleep 5 # Wait for full launch and iCloud handshake
# VERIFY: Confirm access is restored
osascript -l JavaScript -e 'Application("Notes").defaultAccount.notes.length'
```
## Incident 2: iCloud Sync Stuck
```bash
# DETECT: Compare note count with expected (from last known good)
CURRENT=$(osascript -l JavaScript -e 'Application("Notes").defaultAccount.notes.length' 2>/dev/null)
echo "Current note count: ${CURRENT:-ERROR}"
# DIAGNOSE: Check iCloud daemons
ps aux | grep -E "(bird|cloudd|nsurlsessiond)" | grep -v grep
# Check sync status
brctl status com.apple.Notes 2>/dev/null || echo "brctl unavailable"
log show --predicate 'subsystem == "com.apple.notes"' --last 5m 2>/dev/null | tail -20
# FIX: Restart iCloud sync daemons
killall bird 2>/dev/null; killall cloudd 2>/dev/null
sleep 10 # Allow daemons to restart and reconnect
# VERIFY: Check note count is increasing / stable
sleep 30
NEW_COUNT=$(osascript -l JavaScript -e 'Application("Notes").defaultAccount.notes.length' 2>/dev/null)
echo "Note count after sync restart: ${NEW_COUNT:-ERROR}"
```
## Incident 3: TCC Permissions Revoked
```bash
# DETECT: Test Apple Events access
osascript -l JavaScript -e 'Application("Notes").name()' 2>&1 | grep -q "Not authorized" && echo "TCC: DENIED" || echo "TCC: OK"
# DIAGNOSE: Check TCC database (may require Full Disk Access)
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
"SELECT client, allowed FROM access WHERE service='kTCCServiceAppleEvents';" 2>/dev/null
# FIX: Reset and re-prompt
tccutil reset AppleEvents
# Run a simple command to trigger the permission dialog
osascript -l JavaScript -e 'Application("Notes").name()'
# User must click "Allow" in the system dialog
# VERIFY
osascript -l JavaScript -e 'Application("Notes").defaultAccount.notes.length'
```
## Incident 4: Notes Database Corruption
```bash
# DETECT: Notes.app launches but shows no notes or crashes on open
# DIAGNOSE: Check database integrity
NOTES_DB="$HOME/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"
sqlite3 "$NOTES_DB" "PRAGMA integrity_check;" 2>/dev/null || echo "Cannot access DB (sandboxed)"
# FIX: Force re-download from iCloud
# 1. Quit Notes
killall Notes 2>/dev/null
# 2. Rename local database (iCloud will re-download)
mv "$HOME/Library/Group Containers/group.com.apple.notes" \
"$HOME/Library/Group Containers/group.com.apple.notes.backup.$(date +%s)" 2>/dev/null
# 3. Relaunch Notes — it will rebuild from iCloud
open -a Notes
# WARNING: "On My Mac" notes are NOT in iCloud and will be lost. Back up first.
```
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| Crash loop after restart | Corrupt note triggering crash on load | Remove local DB; let iCloud rebuild |
| Sync stuck for >1 hour | Apple iCloud service outage | Check apple.com/systemstatus; wait for resolution |
| Permissions reset after macOS update | OS upgrade resets TCC database | Re-approve automation permissions post-update |
| Script hangs indefinitely | Notes.app showing modal dialog | Dismiss dialog manually; add `activate()` before operations |
| Automation works for user A but not B | Per-user TCC grants | Each macOS user must approve automation separately |
## Resources
- [Apple System Status](https://www.apple.com/support/systemstatus/)
- [Mac Automation Scripting Guide](https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/)
- [macOS Unified Logging](https://developer.apple.com/documentation/os/logging)
## Next Steps
For root cause analysis of specific errors, see `apple-notes-common-errors`. For monitoring to detect incidents early, see `apple-notes-observability`.Related Skills
responding-to-security-incidents
Analyze and guide security incident response, investigation, and remediation processes. Use when you need to handle security breaches, classify incidents, develop response playbooks, gather forensic evidence, or coordinate remediation efforts. Trigger with phrases like "security incident response", "ransomware attack response", "data breach investigation", "incident playbook", or "security forensics".
windsurf-incident-runbook
Execute Windsurf incident response when AI features fail or cause production issues. Use when Cascade breaks code, Windsurf service is down, AI-generated code causes production incidents, or team needs emergency Windsurf troubleshooting. Trigger with phrases like "windsurf incident", "windsurf outage", "windsurf broke production", "cascade caused bug", "windsurf emergency".
webflow-incident-runbook
Execute Webflow incident response — triage by HTTP status (401/403/429/500), circuit breaker activation, cached fallback, Webflow status page checks, communication templates, and postmortem process. Trigger with phrases like "webflow incident", "webflow outage", "webflow down", "webflow on-call", "webflow emergency", "webflow broken".
vercel-incident-runbook
Vercel incident response procedures with triage, instant rollback, and postmortem. Use when responding to Vercel-related outages, investigating production errors, or running post-incident reviews for deployment failures. Trigger with phrases like "vercel incident", "vercel outage", "vercel down", "vercel on-call", "vercel emergency", "vercel broken".
veeva-incident-runbook
Veeva Vault incident runbook for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva incident runbook".
vastai-incident-runbook
Execute Vast.ai incident response for GPU instance failures and outages. Use when responding to instance failures, investigating training crashes, or handling spot preemption emergencies. Trigger with phrases like "vastai incident", "vastai outage", "vastai down", "vastai emergency", "vastai instance failed".
twinmind-incident-runbook
Incident response for TwinMind failures: transcription not starting, audio not captured, sync failures, and calendar disconnect. Use when implementing incident runbook, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind incident runbook", "twinmind incident runbook".
supabase-incident-runbook
Execute Supabase incident response: dashboard health checks, connection pool status, pg_stat_activity queries, RLS debugging, Edge Function logs, storage health, and escalation. Use when responding to Supabase outages, investigating production errors, debugging connection issues, or preparing evidence for Supabase support escalation. Trigger: "supabase incident", "supabase outage", "supabase down", "supabase on-call", "supabase emergency", "supabase broken", "supabase connection issues".
speak-incident-runbook
Incident response for Speak API outages: triage, fallback to offline mode, and recovery procedures. Use when implementing incident runbook, or managing Speak language learning platform operations. Trigger with phrases like "speak incident runbook", "speak incident runbook".
snowflake-incident-runbook
Execute Snowflake incident response with triage, rollback, and postmortem using real SQL diagnostics. Use when responding to Snowflake outages, investigating query failures, or running post-incident reviews for pipeline failures. Trigger with phrases like "snowflake incident", "snowflake outage", "snowflake down", "snowflake on-call", "snowflake emergency".
shopify-incident-runbook
Execute Shopify incident response with triage using Shopify status page, API health checks, and rate limit diagnosis. Trigger with phrases like "shopify incident", "shopify outage", "shopify down", "shopify on-call", "shopify emergency", "shopify not responding".
sentry-incident-runbook
Execute incident response procedures using Sentry error monitoring. Use when investigating production outages, triaging error spikes, classifying incident severity, or building postmortem reports from Sentry data. Trigger with phrases like "sentry incident", "sentry triage", "investigate sentry error", "sentry runbook", "production incident sentry".