Overview

Live

Data Sources

-

configured

Sources Up

-

connected

Services

-

discovered

Services Healthy

-

live

MCP Endpoint: http://localhost:3000/mcp

How it works

◇AgentMCP call

⛨Gateentitlement · RBAC · catalog

⇄ConnectorsPrometheus · Loki

✦Analysisscored health

Sources

Loading...

Services

Loading...

Needs attention

—

Loading…

Services by health score

Loading…

Data Sources

All sources

Loading...

Services

Discovered services

Loading...

Connectors

Installed connectors

Loading...

Available from the Connector Hub

Open Hub ↗

Loading...

Upload a connector bundle

Install a signed connector .tgz directly — handy for air-gapped environments. The bundle is always verified against the configured trust root before it is loaded.

Service Health

Loading health data...

Infrastructure Topology

Sources & counts

Loading topology...

Grouped by host (pivots on the `RUNS_ON` relation)

Scope filter Scope = any resource pointed to by an IN_NAMESPACE edge (e.g. k8s namespaces, future: vCenter folders).

Loading...

Layered graph

click a resource to inspect · drag to reposition · wheel to zoom · drag the background to pan

Tab to focus · Enter to inspect · arrows to move focus · Esc to clear

Inspect — agent activity

Whether a call is normal vs. the learned baseline for that identity — behavioral guardrails. Distinct from Policies (allowed at all).

… Window

Flows identities → tools → backends · edge width = call volume · colour = allowed / deviation / blocked

Tab to focus · Enter to inspect · arrows to move focus · Esc to clear

Loading flows…

Mode

…

Behavior profile learn a baseline from observed traffic, then accept the rules that look right

Review queue

No suggestions yet. Click Learn from traffic to derive rules from what agents have actually done.

Accepted rules

No accepted rules yet. Accept suggestions above to build the enforceable profile.

Rejected rules

No rejected rules. Rejected suggestions are kept here (not deleted) and won't reappear in the review queue on re-learn — restore one anytime.

Deviations calls outside the accepted profile — would-block in dry-run, blocked in enforce

Switch to Dry-run and accept some rules — calls that fall outside them show up here as “would-block”, so you can verify the profile before enforcing.

Settings

Check Interval (ms)

How often the agent scans for anomalies

Default Sensitivity

Configure how service health scores are calculated. Weights must sum to 1.0.

Weights

Error Rate

Latency

CPU

Log Errors

Thresholds

CPU (%)

Good ≤

Warn ≤

Crit ≤

Error Rate (req/s)

Good ≤

Warn ≤

Crit ≤

Latency P99 (seconds)

Good ≤

Warn ≤

Crit ≤

Log Errors (/min)

Good ≤

Warn ≤

Crit ≤

Status Boundaries

Healthy above score

Degraded above score

Each data source has its own metric definitions with backend-specific queries (PromQL, LogQL, etc.). Use {{service}} as placeholder for the service/job name.

Source:

Name	Unit	Query	Description
Select a source above

Access Control

Who can sign in and which role they hold — identities, SSO/OIDC, sessions. Authentication.

How governance fits together

Access Controlwho you are→ Productswhat you're offered→ Policieswhat you're allowed→ Inspectis it normal

Each layer answers a different question. Catalog runs alongside, adding resource context (owners, criticality). Audit Log records every change. Policies = allowed at all (static); Inspect = normal vs. the learned baseline (behavioral).

Roles & bindings

Loading…

Use Edit policy above — no command line needed. The block below is the optional API equivalent for automation/CI.

▾API · add a role & binding via curl

# grant the "viewer" role read-only metrics, bind a principal to it.
# needs an admin API key (a principal the current policy grants admin).
curl -X PUT http://localhost:3000/api/enterprise/policy \
  -H "Authorization: Bearer <ADMIN_API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "roles": {
      "viewer": { "tools": ["query_metrics","get_service_health"], "readOnly": true }
    },
    "bindings": { "alice": ["viewer"] }
  }'

Postmortems

Generated reports

Loading…

Tool Playground

Invoke a tool

Tool

Arguments (JSON)

Context Products

Curated, governed tool bundles you expose to an agent or credential.

Which tools a credential is offered (packaging). Distinct from Policies, which decide what's permitted.

MCP Products

Loading…

Bind a credential to a product

Bind a credential to a product via OMCP_KEY_PRODUCTS; the agent's next /mcp session then sees only that product's tools:

OMCP_API_KEYS="agent:tok_ops,ci:tok_dev"
OMCP_KEY_PRODUCTS="agent=ops-bundle;ci=dev-bundle"

Full docs →

Legacy catalog (enterprise)

Deprecated. Backed by OMCP_ENTERPRISE_CATALOG_FILE. Use MCP Products above for new deployments.

Loading…

▾API · create a context product via curl

# publish a "payments-eu" product and grant it to a principal.
# needs an admin API key (a principal the current policy grants admin).
curl -X PUT http://localhost:3000/api/enterprise/catalog \
  -H "Authorization: Bearer <ADMIN_API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "products": {
      "payments-eu": {
        "description": "EU payment-service metrics + logs",
        "sources": ["prometheus","loki"],
        "services": ["payment-service"]
      }
    },
    "grants": { "alice": ["payments-eu"] }
  }'

Policies

What a role is allowed to call at all — coarse RBAC (resource × action). Distinct from Inspect, which judges whether a call is normal.

Probe a permission

Roles comma-separated

Resource

Action

Tenant optional

Roles

Select a role on the left to see its permission matrix.

Batch evaluate

Subjects (one role per line; format: label=role1,role2; e.g. alice=viewer):

Resources (multi-select):

Actions (multi-select):

Pick subjects + resources + actions, then click Evaluate.

Audit Log

An append-only, tamper-evident record of every mutating action — who did what, when.

Recent decisions

Loading…

Management changes

Loading…

Entitlement

Read-only

Access-control gate

Loading…

▾CLI · mint a token · API · check the gate

# issuer side — sign an entitlement token
node enterprise/entitlement/mint.mjs \
  --key issuer-ed25519.pem \
  --sub org-acme --features access-control,audit --ttl 365d

# deployment — current gate mode
curl -s http://localhost:3000/api/enterprise/status

Edit rule

Sign in

Overview

How it works ?

Today's MCP usage ?

Sources

Services

Needs attention

Services by health score

Data Sources

All sources

Services

Discovered services

Connectors

Installed connectors

Available from the Connector Hub

Upload a connector bundle

Service Health

Infrastructure Topology

Sources & counts

Grouped by host (pivots on the RUNS_ON relation)

Layered graph

Inspect — agent activity

Flows identities → tools → backends · edge width = call volume · colour = allowed / deviation / blocked

Behavior profile learn a baseline from observed traffic, then accept the rules that look right

Review queue

Accepted rules

Rejected rules

Deviations calls outside the accepted profile — would-block in dry-run, blocked in enforce

Settings

Weights

Thresholds

CPU (%)

Error Rate (req/s)

Latency P99 (seconds)

Log Errors (/min)

Status Boundaries

Access Control

How governance fits together

Roles & bindings ?

Postmortems

Generated reports ?

Report

Tool Playground

Invoke a tool ?

Result

Context Products ?

MCP Products ?

Policies

Probe a permission ?

Roles ? + New role

Bindings ?

New role

Edit binding ·

Subjects ?

Provisioning ?

Batch evaluate ?

Active policy (legacy view)

Audit Log

Recent decisions ?

Management changes ?

Entitlement

Access-control gate ?

Add Source

Delete

Add Metric

New Product

Agent preview

How it works

Today's MCP usage

Grouped by host (pivots on the `RUNS_ON` relation)

Roles & bindings

Generated reports

Invoke a tool

Context Products

MCP Products

Probe a permission

Roles

Bindings

Subjects

Provisioning

Batch evaluate

Recent decisions

Management changes

Access-control gate