Identity anchors
Attribution starts here.
alice@company.com
known owner
alice-mbp.local
developer host
Sessions meaning layer
Session inventory should rank the work that changed trust, touched sensitive context, or crossed a company boundary before it lists every run.
The raw session table is still useful, but the first read should explain which sessions widened scope, changed confidence, or created the next investigation path.
2 sessions matter now
Which session changed the overall security picture?
High-signal sessions
2
1 active, 1 ended but still explanatory
Sensitive repo touches
3
Concentrated in one workstream
Cross-entity links
5
Key, host, file, model, and outbound path
Background sessions
41
Stable and low-value for the first read
Meaning anchors
Why sessions matter before the raw catalog
3 anchors
Anchor | Summary | Operator note |
|---|---|---|
Sessions are the unit of consequence | They bind user, host, credential, files, tools, and outbound calls into one explainable lane. | A good listing page should rank by significance, not just recency. |
Raw totals hide the story | Most sessions are background noise. A small number explain the current risk picture. | The value is in spotlighting the few sessions that changed posture. |
A session page should answer what happened | Security needs a narrative summary before a turn table or cost chart. | Rows remain useful after the meaning layer points at the right place. |
Priority queue
Fastest drill paths for this entity type
Significance
Story | Summary | Why it matters |
|---|---|---|
Shared-key session touching auth code | Ended session that still anchors the unknown-key narrative. | It links the key, repo, host, and model traffic together. |
Live session on unresolved host | Active work from a weakly attributed endpoint. | Trust is lower because host ownership is still incomplete. |
Replay candidate with boundary crossing | Short replay window where file access leads into outbound calls. | Useful for explaining sequence to an operator quickly. |
c6 reference
Raw Session Ledger
5
Active
5
Live now
Total (24h)
43
Recent runs
Total cost
NaN
Session spend
Unique users
7
Distinct actors
User | Agent | Endpoint | Model | API Key | Status |
|---|---|---|---|---|---|
| alice@company.com | Claude Code v1.2.0 | alice-mbp.local | claude-sonnet-4-6 | sk-ant-...A3F2 | active |
| unknown | Claude Code v1.2.0 | 10.0.1.44 | claude-sonnet-4-6 | sk-ant-...C001 | active |
| bob@company.com | Cursor 0.42.0 | bob-thinkpad.local | claude-opus-4-6 | sk-ant-...A3F2 | ended |
Representative detail
sess_01XFa9q...
This session should read like one coherent risk story: who ran it, what it touched, where it went, and why it deserves attention now.
User :
alice@company.com
acct_01Abc...
Agent :
Claude Code v1.2.0
Node.js v22.1.0
Endpoint :
alice-mbp.local
developer machine
Working Directory :
/Users/alice/projects/api-refactor
API Key :
sk-ant-...A3F2
shared org key
Status :
ended
58m 44s
Session significance map
One session binds together the inventory types that explain the current story.
session
Use a session-centric map to show why the session listing is more than a table of costs and timestamps.
Focus
sess_01XFa9q...
Alice on a developer endpoint using a shared key while touching auth-related company files.
high-signal session
Shared lanes
These widen blast radius.
sk-ant-...A3F2
shared org key
Claude Code v1.2.0
common execution lane
Company context
This makes the session consequential.
/projects/api-refactor
auth repo path
.env + config.ts
sensitive file cluster
Outbound paths
This is where boundary questions appear.
api.anthropic.com
expected provider path
secondary host
classify this path
linked entities
6
trust level
medium
company consequence
high
next drill
raw timeline