Inspector, Agents, attribution & grants
Every write to Neotoma (an observation, relationship, timeline event, source or interpretation) is attributed per row. Inspector exposes that attribution as a first-class concept so operators can answer questions like "which agents have written here?", "what tier did they sign in?", and "what is each agent permitted to do?". This is the surface for AAuth in the Inspector UI.
Agents list
The agents view (/agents) lists every distinct writer Neotoma has seen, derived from AAuth thumbprints, JWT subjects, and clientInfo.name fallbacks. Each row shows the resolved trust tier (hardware, software, unverified_client, anonymous), write counts, last-seen timestamp, and the active grant (if any).
| Agent | Key | Tier | Alg | Writes | Last seen | Grant |
|---|---|---|---|---|---|---|
| claude-code | ed25519:Aa…7Lk | software | EdDSA | 4,120 | 12:41 | default-write |
| cursor-agent | es256:Bp…4Zq | hardware | ES256 | 2,810 | 12:30 | default-write |
| ingest-pipeline | ed25519:Cq…9Rt | software | EdDSA | 980 | 11:08 | import-only |
| operator (mac · SE) | es256:Dr…2Yj | hardware | ES256 | 412 | 10:55 | admin |
| custom-script@myco | - | unverified_client | - | 18 | Apr 24 | (none) |
| anonymous | - | anonymous | - | 4 | Apr 22 | (none) |
Agent detail
Drill into an agent to see its public-key thumbprint, signing algorithm, JWT issuer/subject, capability grants, and a panel of recent writes scoped to that identity. The detail view is where operators decide whether to tighten the tier a grant requires (e.g. require a hardware-backed key for write access) or revoke a key.
iss=https://anthropic.com sub=agent:claude-code
clientInfo.name="claude-code" v=2.4.1
Grants
Capability grants are typed entities that bind an agent identity to a scoped set of actions (e.g. store, retrieve, link, correct, merge) on a set of entity types, optionally with an expiration. Inspector renders them as first-class records with a history (granted, modified, revoked) and a reverse map back to the agents they bind.
| Name | Scope | Types | Agents | Expires |
|---|---|---|---|---|
| default-write | store, retrieve, link | any | claude-code, cursor-agent | 2026-07-31 |
| import-only | store, link | transaction, receipt, file_asset | ingest-pipeline | - |
| admin | all | any | operator (mac · SE) | - |
| read-only | retrieve | any | dashboard-bot | - |
Trust tiers
- hardware: ES256 / EdDSA signature backed by a hardware key (Secure Enclave, TPM 2.0, YubiKey, Windows TBS). Highest trust; eligible for the strictest grants.
- software: Verified AAuth signature with a software-backed key. Trustworthy for most writes but not eligible for hardware-only grants.
- unverified_client: No AAuth signature, but a meaningful clientInfo.name. Useful for triage; subject to stricter ACLs in future releases.
- anonymous: No signature and no usable client identity (or one of the blacklisted generic strings like mcp, client). Allowed for backwards compatibility but flagged in audit views.

Only the hardware and software tiers carry a cryptographic identity. clientInfo.name is whatever the client chose to call itself, so an unverified_client or anonymous row identifies a writer only by a self-asserted label; treat it as a triage hint, not an authenticated identity.
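The tier rules above and the grant scoping described under Grants, worked through as an added Python example (this is illustration, not Neotoma's or Inspector's own code). The attribution dict keys (`signature_verified`, `key_thumbprint`, `hardware_backed`, `jwt_sub`, `client_name`), the Grant fields `min_tier` and `revoked`, the `all`/`any` wildcards, the legacy-unsigned allowance flag and every thumbprint are assumptions made for the example; the sample rows and grants are constructed to mirror the tables on this page.

```python
"""Resolve a writer's identity/trust tier and evaluate capability grants.
Added example, not Neotoma's or Inspector's own code; attribution keys, Grant
fields (min_tier, revoked, "all"/"any" wildcards), the legacy-unsigned
allowance and all thumbprints are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

GENERIC_CLIENT_NAMES = {"mcp", "client"}   # blacklisted generic clientInfo.name values
TIER_RANK = {"anonymous": 0, "unverified_client": 1, "software": 2, "hardware": 3}


@dataclass(frozen=True)
class Identity:
    agent: str            # JWT subject, key thumbprint, or clientInfo.name fallback
    tier: str
    key: Optional[str]    # key thumbprint; None when the row is unsigned


def resolve_identity(attr: dict) -> Identity:
    """Only a verified AAuth signature yields a cryptographic identity;
    clientInfo.name is self-asserted and never lifts a row above unverified_client."""
    if attr.get("signature_verified"):
        thumb = attr["key_thumbprint"]
        agent = attr.get("jwt_sub") or thumb   # prefer the JWT subject, else the key
        return Identity(agent, "hardware" if attr.get("hardware_backed") else "software", thumb)
    name = (attr.get("client_name") or "").strip()
    if name and name.lower() not in GENERIC_CLIENT_NAMES:
        return Identity(name, "unverified_client", None)
    return Identity("anonymous", "anonymous", None)


@dataclass(frozen=True)
class Grant:
    name: str
    actions: frozenset           # e.g. {"store", "retrieve", "link"} or {"all"}
    types: frozenset             # entity types, or {"any"}
    agents: frozenset            # identities the grant binds
    expires: Optional[date] = None
    min_tier: str = "software"   # "hardware" makes it a hardware-only grant
    revoked: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    flagged: bool = False        # surfaced in audit views


def authorize(identity, grants, action, entity_type, today, allow_legacy_unsigned=True):
    """Deny by default: the first live grant binding the agent and covering
    action/type decides; expired, revoked or under-tier matches become the reason."""
    blocked = []
    for g in grants:
        if identity.agent not in g.agents:
            continue
        if not (("all" in g.actions or action in g.actions)
                and ("any" in g.types or entity_type in g.types)):
            continue
        if g.revoked:
            blocked.append(f"{g.name} revoked")
        elif g.expires is not None and today > g.expires:
            blocked.append(f"{g.name} expired {g.expires}")
        elif TIER_RANK[identity.tier] < TIER_RANK[g.min_tier]:
            blocked.append(f"{g.name} requires {g.min_tier}, signed as {identity.tier}")
        else:
            return Decision(True, g.name)
    if blocked:
        return Decision(False, "; ".join(blocked))
    if identity.key is None and allow_legacy_unsigned:   # backwards-compat path, flagged for audit
        return Decision(True, f"legacy unsigned write ({identity.tier})", flagged=True)
    return Decision(False, "no matching grant")


# Constructed sample grants shaped like the page's table; thumbprints are fake.
GRANTS = (
    Grant("default-write", frozenset({"store", "retrieve", "link"}), frozenset({"any"}),
          frozenset({"agent:claude-code", "agent:cursor-agent"}), expires=date(2026, 7, 31)),
    Grant("import-only", frozenset({"store", "link"}),
          frozenset({"transaction", "receipt", "file_asset"}), frozenset({"agent:ingest-pipeline"})),
    Grant("admin", frozenset({"all"}), frozenset({"any"}), frozenset({"es256:OPERATOR-SAMPLE"}),
          min_tier="hardware"),
)

# Constructed attribution rows (assumed key names).
SAMPLE_ROWS = {
    "claude": {"signature_verified": True, "key_thumbprint": "ed25519:CLAUDE-SAMPLE",
               "hardware_backed": False, "jwt_sub": "agent:claude-code", "client_name": "claude-code"},
    "operator": {"signature_verified": True, "key_thumbprint": "es256:OPERATOR-SAMPLE",
                 "hardware_backed": True, "jwt_sub": None, "client_name": "neotoma-cli"},
    "script": {"signature_verified": False, "client_name": "custom-script@myco"},
    "generic": {"signature_verified": False, "client_name": "mcp"},
    "spoof": {"signature_verified": False, "client_name": "agent:claude-code"},  # unsigned name-borrowing
}


def demo(today=date(2026, 5, 1)):
    """Map each sample row to (tier, Decision) for a `store` of a `receipt`,
    plus the signed claude-code row evaluated after default-write expires."""
    out = {}
    for label, attr in SAMPLE_ROWS.items():
        ident = resolve_identity(attr)
        out[label] = (ident.tier, authorize(ident, GRANTS, "store", "receipt", today))
    claude = resolve_identity(SAMPLE_ROWS["claude"])
    out["claude_after_expiry"] = (claude.tier, authorize(claude, GRANTS, "store", "receipt", date(2026, 8, 1)))
    return out
```

Two details are worth noting. The `spoof` row names itself after a grant holder, and the grant does bind by that string, but the row is denied because a self-asserted name resolves at most to unverified_client and every grant defaults to a minimum tier of software; only the legacy allowance lets an unsigned row through, and only when no grant is in play, so the write is still flagged. The expiry check compares against the caller-supplied date rather than the wall clock, which keeps the decision reproducible in audit replay.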
Activity
Each agent detail page exposes a recent-activity stream, the same rows you'd see in the timeline, scoped to that one identity. Filters narrow by event kind, target entity type, or trust tier so you can answer "what did this agent write yesterday?" without leaving the page.