
Sessions Category View

Session inventory should separate background activity from the handful of runs that actually changed trust, scope, or boundary exposure.

The category page should explain which sessions deserve attention first, what made them high-signal, and which supporting entities make the story legible before a reviewer opens the full ledger.

Use This Page When Asking

Which runs changed trust, scope, or boundary exposure enough to deserve review right now?

Representative Detail

sess_01XFa9q...

Open representative detail

Sessions in scope

43

5 active, 38 ended

High-signal runs

3

Trust or boundary changes

Shared-key sessions

4

Affect attribution confidence

Fastest drill

1 live + 1 ended

One active session and one anchor replay

Why This Page Exists

This category page should help the reviewer decide what matters in sessions before the raw table takes over the reading experience.

What This Page Should Make Obvious

The reviewer should know what is routine, what is risky, and what deserves the next click.

Separate replay value from live urgency

Some ended sessions still explain the present trust story better than a purely live queue.

Rank by consequence, not recency alone

Sensitive-file access plus outbound traffic is more important than a newer but routine run.

Keep supporting context adjacent

User, endpoint, model, and key should stay visible beside the session story.
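One way to express "rank by consequence, not recency alone" as triage logic. This is an added example, not Qpoint's own code: the field names, weights, file and host counts, and `minutes_ago` values are assumptions, and the sample rows are constructed from the ledger shown on this page.

```python
from collections import defaultdict

# Constructed sample rows modeled on the ledger on this page; field names,
# file/host counts and minutes_ago values are assumptions for illustration.
SESSIONS = [
    {"id": "s1", "user": "alice@company.com", "key": "sk-ant-...A3F2",
     "status": "active", "sensitive_files": 1, "outbound_hosts": 2, "minutes_ago": 14},
    {"id": "s2", "user": "unknown", "key": "sk-ant-...C001",
     "status": "active", "sensitive_files": 0, "outbound_hosts": 0, "minutes_ago": 2},
    {"id": "s3", "user": "bob@company.com", "key": "sk-ant-...A3F2",
     "status": "ended", "sensitive_files": 0, "outbound_hosts": 1, "minutes_ago": 300},
]

def shared_keys(sessions):
    """Return the API keys used by more than one distinct user."""
    users = defaultdict(set)
    for s in sessions:
        users[s["key"]].add(s["user"])
    return {key for key, seen in users.items() if len(seen) > 1}

def score(session, shared):
    """Consequence score plus the reasons behind it (weights are assumed)."""
    points, reasons = 0, []
    if session["sensitive_files"] and session["outbound_hosts"]:
        points += 5
        reasons.append("sensitive file + outbound traffic")
    elif session["sensitive_files"]:
        points += 2
        reasons.append("sensitive file access")
    if session["key"] in shared:
        points += 3
        reasons.append("shared key lowers attribution confidence")
    if session["user"] == "unknown":
        points += 2
        reasons.append("unattributed user")
    return points, reasons

def rank(sessions):
    """Order by consequence first; recency only breaks ties."""
    shared = shared_keys(sessions)
    scored = [(s, *score(s, shared)) for s in sessions]
    scored.sort(key=lambda t: (-t[1], t[0]["minutes_ago"]))
    return [(s["id"], pts, why) for s, pts, why in scored]

if __name__ == "__main__":
    for sid, pts, why in rank(SESSIONS):
        print(sid, pts, "; ".join(why) or "routine")
```

With these rows the ended shared-key session (s3) ranks above the newer unattributed one (s2), which is the replay-value-versus-live-urgency distinction made above.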

Fastest Drill Paths

The next clicks should feel obvious and intentional.

Shared-key auth session

The session that binds sensitive files, shared credentials, and outbound traffic together.

Open representative detail

Best first click for understanding the current trust break.

Raw live queue

The list still needs a clear path to the currently running sessions.

Open c6 raw list

Operators need to compare live urgency against historical explanation.

Session-Centered Topology

A session map should show who initiated it, what stack it ran on, and what it touched.

Useful per session: actor chain, execution context, touched assets, outbound calls, and the posture signals that make this session normal or suspicious.

Session

alice@company.com · active session

Claude Code v1.2.0 on alice-mbp.local using claude-sonnet-4-6 with sk-ant-...A3F2.

14m live · 8 turns · $0.43

Touched capabilities

filesystem · github · web-search

Files in scope

3 files · 1 sensitive

Outbound edges

2 hosts

Current posture

active · within normal band

Actor Chain

The primary “who ran this?” questions.

3 nodes
alice@company.com · user
Claude Code v1.2.0 · agent
alice-mbp.local · endpoint

Execution Stack

The core runtime dependencies.

3 nodes
claude-sonnet-4-6 · model
sk-ant-...A3F2 · api key
filesystem MCP · tool path

Touched Assets

What the session read or changed.

3 nodes
/src/auth.ts · read
/src/routes.ts · edited
api.github.com · outbound call

Risk Lens

What deserves review before drilling deeper.

3 nodes
sensitive file heuristic · matched auth.ts
cost slope · stable
alert state · none open

c6 Raw Reference

c6 shape: summary strip, relationship map, then a session ledger.

Active

5

Live now

Total (24h)

43

Recent runs

Total cost

$52.48

Session spend

Unique users

7

Distinct actors

Why Keep The Raw Ledger

c12 should still flow back into the raw inventory model. This page frames the question and likely answer; the raw table proves it.

Open c6 Raw List

Use the original category ledger for exact rows, counts, and timestamps.

Open c6 raw list

Raw Session Ledger

User, agent, endpoint, model, key, timing, and cost.

User | Agent | Endpoint | Model | API Key | Status
alice@company.com | Claude Code v1.2.0 | alice-mbp.local | claude-sonnet-4-6 | sk-ant-...A3F2 | active
unknown | Claude Code v1.2.0 | 10.0.1.44 | claude-sonnet-4-6 | sk-ant-...C001 | active
bob@company.com | Cursor 0.42.0 | bob-thinkpad.local | claude-opus-4-6 | sk-ant-...A3F2 | ended