Identity OS OS
Operator surface for the identity os workforce. Run, inspect, and approve every agent action.
Panels
- InboxPending approvals + agent runs awaiting your call.
- PlanOutcome plans the workforce is executing.
- KPIsLive revenue, cost, and quality metrics.
- AgentsThe domain workforce roster + capabilities.
- OutcomesOutcome catalog + status by category.
- WorkforceTeam templates + assignments per outcome.
- EvalsEval suites + recent results from /api/agent/systems/health.
- MemoryDomain-scoped memory store.
- ToolsTool catalog + connector registry.
- TwinDigital twin lifecycle + state.
- AutomationScheduled jobs + automation rules.
- SettingsDomain-scope configuration.
- AuditPer-domain audit log.
- AlertsLive alerts + ack history.
- BillingPer-domain usage + cost.
AI systems
- · radar anomaly scorer (shipped — 10 signal kinds incl. AGENT_RUNAWAY/AGENT_COST_SPIKE/AGENT_DESTRUCTIVE_CALL)
- · MFA risk-classifier hook (shipped — DESTRUCTIVE skill ⇒ WebAuthn step-up)
- · RBAC skill-scope PDP (shipped — roles authorize skill IDs, not just routes)
Backend services
- · identity-provider-store
- · audit-log-store
- · magic-auth-store
- · vault-store
- · radar-signal-store
Known gaps in this domain (registry-disclosed)
- · BoxyHQ SAML Jackson HTTP wiring (cycle 80)
- · libsodium + KMS envelope encryption in vault-secret-store (cycle 80)
- · Prisma promotion of magic-auth + radar in-process stores (cycle 81)
- · Hosted Admin Portal CNAME provisioning via Cloud DNS API (cycle 82)
- · HRIS Rippling / Workday SCIM bridge (cycle 83)
Next action: Cycle 80 — wire BoxyHQ SAML Jackson behind connection-state-machine.ts; flips PARTIAL rows to FULL → net advantage moves from -8 to ~+18.