Skip to content
Clasper Core

Operations

Operations

Section titled “Operations”

Clasper Core’s Ops surface exists to answer (quickly and defensibly):

  • what ran
  • who allowed it
  • what was granted
  • what actually happened

Tracing (adapter-aware)

Section titled “Tracing (adapter-aware)”

Every execution produces a trace. Traces include adapter governance fields:

  • adapter_id
  • granted_scope
  • used_scope
  • violations[]

Traces include integrity status:

  • integrity_status (verified, compromised, unsigned, unverified)
  • integrity_failures[]

Traces include trust status:

  • trust_status (verified, verified_with_violations, unverified, compromised)

Ops Console

Section titled “Ops Console”

The Ops Console is served at:

  • GET /ops

It provides:

  • Trace list — Filter by agent_role, risk_level, status, adapter_id; trace detail with execution graph (Prompt → Reasoning → Tool call → Policy decision → Approval → Execution)
  • Governance Health — Approval/denial rates, risk distribution, adapter errors, pending decisions
  • Agent inventory — Agents derived from traces (agent_id, agent_role, trace count)
  • Incidents — Denied or error traces; inspect and export evidence bundles
  • Policies — CRUD, dry-run, policy test (actor/action/resource)
  • Approvals — Pending decisions queue
  • Audit — Audit log
  • Adapters — Registry with certification badges (verified/community/experimental) and tool-level capabilities
  • risk highlighting, integrity status, trust status filtering

Dashboards

Section titled “Dashboards”

Ops dashboards provide aggregated metrics:

  • GET /ops/api/dashboards/cost — Cost by day, workspace, skill
  • GET /ops/api/dashboards/risk — Risk distribution, recent high-risk traces
  • GET /ops/api/dashboards/governance — Approval/denial rates, pending count, risk distribution, adapter errors

Decision replay and simulation

Section titled “Decision replay and simulation”
  • Trace diffPOST /ops/api/traces/diff compares two traces (behavior, scope, cost, risk).
  • Policy simulation — From the trace detail drawer, “Simulate policy” re-runs policy evaluation with the current policy bundle and shows original vs simulated decision.
  • Decision replay — Replay APIs return trace context for debugging; full re-execution of traces is planned. Today, policy simulation covers re-evaluating decisions against new policies.

Adapter registry

Section titled “Adapter registry”

Adapters are registered, versioned, and can be disabled:

  • GET /ops/api/adapters (Ops RBAC required)

Adapters can register with certification_tier (verified/community/experimental) and tool_capabilities for tool-level scope. The Ops Console shows certification badges and tool capabilities in the adapters view.

Audit chain

Section titled “Audit chain”

Audit events are hash-linked and exportable:

  • GET /ops/api/audit-chain/export

Verifiable exports

Section titled “Verifiable exports”

For audits, security reviews, and incident response, Core can produce verifiable export bundles:

  • POST /ops/api/exports (download a .tar.gz bundle)
  • npx clasper-core export ... (CLI to download bundles)

Incident response

Section titled “Incident response”

The Ops Console Incidents view lists traces with errors or denied governance decisions. Workflow:

  1. Open Incidents to see denied/error traces.
  2. Click a trace to open the trace detail drawer.
  3. Inspect the execution graph (Prompt → Reasoning → Tool call → Policy decision → Approval → Execution).
  4. Review policy decision, decision record, and tool authorizations.
  5. Export evidence — Download a trace-specific bundle (trace + audit) via the Export button.

For broader scope:

  • POST /ops/api/exports with trace_id in the body for a single-trace export.
  • npx clasper-core export --trace-id <id> for CLI export.

Note: Disabling adapters is typically done via Cloud or your deployment control; OSS Core provides inspection and export for evidence collection.

Section titled “Related”