Inventory Concentration Board
Operator Brief
3 hotspots
Credential lane · sensitive auth code touch · plain HTTP after sensitive work
Expanded Context
Unknown key `sk-ant-...C001` is active and has not been tied to a confident owner, team, or approved workload.
This is the trust story that binds the other hotspots together: the same credential appears beside live work, unresolved infrastructure, and sensitive code touch.
What Is In The Cluster
sk-ant-...C001 · 10.0.1.44 · unknown owner chain · shared AI session activity
One session touched auth-service, customer-web, auth logic, and local secret-bearing config.
This is concerning because the session moved through identity-critical code and config, not just ordinary repo files.
What Is In The Cluster
auth-service · customer-web · /src/auth.ts · /Users/alice/.env
One session touched sensitive code and then called 10.0.2.15:8080 over plain HTTP.
This is concerning because the same session crossed an unencrypted boundary after moving through higher-consequence code and config.
What Is In The Cluster
10.0.2.15:8080 over http · shared automation lane · session followed auth-service touch
Priority Lanes
Unknown key `sk-ant-...C001` is active and has not been tied to a confident owner, team, or approved workload.
This is the trust story that binds the other hotspots together: the same credential appears beside live work, unresolved infrastructure, and sensitive code touch.
What Is In The Cluster
sk-ant-...C001 · 10.0.1.44 · unknown owner chain · shared AI session activity
Why Start Here
If this key resolves cleanly, the rest of the board may collapse into normal activity. If it does not, it becomes the fastest containment question on the page.
Open Story
Open API key story
One session touched auth-service, customer-web, auth logic, and local secret-bearing config.
This is concerning because the session moved through identity-critical code and config, not just ordinary repo files.
What Is In The Cluster
auth-service · customer-web · /src/auth.ts · /Users/alice/.env
Why Start Here
Open this hotspot to see the specific code and config surfaces that make the broader story high consequence.
Open Story
Open repo story
One session touched sensitive code and then called 10.0.2.15:8080 over plain HTTP.
This is concerning because the same session crossed an unencrypted boundary after moving through higher-consequence code and config.
What Is In The Cluster
10.0.2.15:8080 over http · shared automation lane · session followed auth-service touch
Why Start Here
Open this hotspot to see whether the call was expected, what automation lane made it, and whether the destination is trusted.
Open Story
Open secondary-call story
Meaning Buckets
Unknowns
3
One key, one host, and one identity chain are not confidently identified yet.
Sensitive Touchpoints
5
A small number of files, repos, and automation paths carry most of the company consequence.
Boundary Crossings
2
One plain HTTP edge and one unlabeled destination still matter now.
Stable Baseline
34
Most current sessions still fit the known-good lane and should stay compressed.
Relationship Spotlight
Representative Hotspot
This compact map is the inventory version of the overview spotlight: one grouped concentration story instead of a flat catalog of entity counts.
Identity, adjacency, activity, and posture around one representative item.
Identity
Attribution is still incomplete.
Credential Lane
The riskiest shared execution path.
Lane
Unknown key + sensitive repo context
A shared key lane connects an unresolved host, auth-service code touchpoints, and one plain HTTP destination window.
Company Context
Why the lane matters.
Boundary Edge
What changed consequence.
Trust changed by
unknown key + unresolved host
Consequence concentrated in
auth-service + customer-web
Boundary crossed by
plain HTTP destination
Fastest entity drill
API keys or repos
Unknown Entities
Unknown API key is active and not tied to a known person, team, or approved workload.
Next Drill
Open API key storyActive endpoint is part of this session but is not mapped to a known owner or expected environment.
Next Drill
Open endpoint storyThe key, endpoint, and session do not resolve to a confident person or team owner.
Next Drill
Open user storyExposure Paths
One session called 10.0.2.15:8080 over plain HTTP after touching sensitive code and config.
Open Story
Open boundary storyOne automation path now crosses more high-consequence repos and execution surfaces than expected.
Open Story
Open agent storySensitive Context Touchpoints
Primary repo carrying the highest current security consequence.
Open Story
Open repo storySecond repo inside the same widening company-impact lane.
Open Story
Open repo storyAuth-related file touch that gives the session direct security consequence.
Open Story
Open file storySensitive config path that widens the blast radius if the surrounding session is risky.
Open Story
Open file storyExecution path whose reuse across repos and hosts makes the story more consequential.
Open Story
Open agent storyFirst Drill Paths
Start here if the goal is to verify or contain the riskiest shared lane in the environment.
Why Start Here
The API key story is still the shortest path from inventory concentration into a concrete trust decision.
Start here if the main question is whether this is legitimate onboarding drift or shadow activity.
Why Start Here
Host attribution remains the largest inventory blocker in the current environment picture.
Start here if the goal is to see which company code paths carry the most consequence right now.
Why Start Here
Sensitive repos and file clusters are the strongest link between raw inventory and company impact.
Stable Coverage
Known users and sessions
34 / 36
Most live activity still maps to expected developers or CI runners.
Expected model routing
92%
The bulk of requests remain inside the normal approved model lane.
Cataloged destination traffic
7 / 8
Most observed network edges still map to familiar organization patterns.