← c16c16 / wf5 - Agent Control Plane — persona-first synthesis (wf5) / Activity Log·control-plane-v1-v1 · 2026-06-04 · draft
Qpoint
QP
Activity Logwhat happened? · the flight recorder behind every finding

Activity · What happened?

Replay exactly what an agent did — before you remediate.

Incident response needs the full record, not the headline. Reconstruct the agent → action → target → outcome trail behind every finding, filter to the flagged actions, and pivot to the agent.

Bottom line

52,400 events across 6 families in the window. 15 reconstructed actions are flagged, 6 tie directly to an open finding — and 1 shadow agent leave no trail at all.

Do nextSee the flagged worklistShow finding-linked only

Recorder coverage — known vs guessed

The full per-event store is roadmap; this trail is reconstructed from event-family aggregates + per-agent behavior (file reads, MCP calls, run starts, risk factors). 1 shadow agent emit no telemetry — their actions are absent from the recorder entirely, the one hole instrumentation can't backfill.

52,400

events in window

6 families

15

flagged actions

risk-bearing behavior

6

tie to a finding

the why behind the worklist

7

agents on the recorder

emitting telemetry

1

dark — no trail

shadow, unrecorded

Event volume — last hours

When the fleet was busy. 52,400 events total in the window.

08:00
09:00
10:00
11:00
12:00
13:00
14:00

By event family

tool
11,240
llm
8,900
mcp
4,180
file
3,820
process
2,140
run
61

Decision log — agent → action → target → outcome

reconstructed · newest first

Flagged actions lead the view — these are the events behind the open findings. Clear the filter to see the full chronological record.

|15 of 31 events
TimeAgentFamilyActionTarget / why
06-03 14:02:11Claude Codefileread secret_file./.env→ Sensitive files read into agent context06-03 14:02:11Claude Codefileread cloud_credentials~/.aws/credentials→ Sensitive files read into agent context06-03 13:55support-copilotprocessRunning as rootroot@svc-support-106-03 13:55support-copilotprocessNo tool-approval policyroot@svc-support-106-03 13:55support-copilotfileread secret_file/var/secrets/zendesk.token06-03 13:40data-pipeline-agentprocessNo tool-approval policysvc-data@etl-worker-206-03 13:39:50data-pipeline-agentllm9.2M tokens consumedno spend ceiling→ Unbounded token consumption — no spend ceiling06-03 12:10marketing-gptprocessApprovals & sandbox bypassed (yolo)root@mktg-runner→ Approvals & sandbox bypassed (--yolo)06-03 12:10marketing-gptprocessRunning as rootroot@mktg-runner→ Approvals & sandbox bypassed (--yolo)06-03 12:10marketing-gptprocessPermission checks bypassedroot@mktg-runner→ Approvals & sandbox bypassed (--yolo)06-03 12:10marketing-gptfileread secret_file/srv/marketing-gpt/.env06-03 11:48CursorprocessNo tool-approval policyjane@jane-mbp06-02 19:30Codex CLIprocessSandbox disableddev@dev-box-706-02 19:30Codex CLIprocessNo tool-approval policydev@dev-box-706-02 19:30Codex CLIfileread secret_file./config/secrets.yaml

Per-agent activity — who is doing the most

AgentObserved eventsTop familyLast activeOpen findings
data-pipeline-agent8,800tool06-03 13:401support-copilot3,825tool06-03 13:55Claude Code1,774tool06-03 14:02:111marketing-gpt1,475tool06-03 12:102Cursor1,292tool06-03 11:48Codex CLI740tool06-02 19:301Claude Desktop232tool06-03 09:20Zed Agentdarkno telemetry06-01 18:001

Findings is the distilled worklist; Activity Log is the full record behind it — open Findings →. Reconstructed from activity.families / activity.timeline + per-agent data_access · mcp_servers · sensitive_files · factors · runs in app/data/c16-fleet.ts (per-event store is roadmap).