Every AI action, traced and costed.

An auditor asks what an agent did for a specific user last Tuesday. In a typical Claude deployment that question becomes a search across application logs, an LLM provider dashboard, and an MCP server's stdout. systemprompt.io collapses it into a single TraceId lookup. TraceQueryService::get_all_trace_data takes one trace id and resolves the full request lineage in a single call.

The method runs eight queries in parallel via tokio::try_join!: log events, AI request events, MCP execution events, execution step events, AI request summary, MCP execution summary, execution step summary, and the linked task id. Nothing is sampled. Every row is fetched, then assembled into one ordered timeline.

The LogEntry struct that backs every row carries twelve typed fields, including six identity and correlation columns: UserId, SessionId, TaskId, TraceId, ContextId, and ClientId. Identity is bound at construction time through builder methods like with_user_id and with_trace_id, so a row that reaches the database without a trace is a programming error, not a configuration choice. TraceListFilter then exposes the same data to operators, with filters for agent, status, tool, MCP presence, and time range.

An agent issues a tool call you did not anticipate. By the time it shows up in a log it has already run. The fix is to put a programmable checkpoint in front of the tool call, not behind it. The HookEvent enum names ten such checkpoints in ALL_VARIANTS: PreToolUse, PostToolUse, PostToolUseFailure, SessionStart, SessionEnd, UserPromptSubmit, Notification, Stop, SubagentStart, and SubagentStop.

Each event maps through HookEventsConfig to a vector of HookMatcher entries (glob default "*"). A matcher contains HookAction entries with three HookType variants: Command runs a shell process, Prompt sends an LLM evaluation, Agent delegates to another agent. A PreToolUse matcher whose action exits non-zero aborts the tool call before the model runtime sees the result.

SubagentStart and SubagentStop close the loop on delegation. When an agent spawns a child, the parent-child relationship is recorded against the same TraceId, so the audit-trails section's lookup walks the full chain back to the originating user prompt.

SIEM teams do not want a log file to grep. They want typed JSON they can index. The ToSse trait serialises every event domain to SSE-compatible JSON with five implementations: AgUiEvent, A2AEvent, SystemEvent, ContextEvent, and AnalyticsEvent. Splunk, ELK, Datadog, and Sumo Logic ingest the stream as is. No regex extraction, no brittle log-format coupling.

Distribution runs through EventRouter on four static broadcasters: AGUI_BROADCASTER, A2A_BROADCASTER, CONTEXT_BROADCASTER, and ANALYTICS_BROADCASTER. GenericBroadcaster<E> holds one channel per user per connection, with automatic deregistration via a Drop-based ConnectionGuard. The keep-alive interval is fifteen seconds, set by the HEARTBEAT_INTERVAL constant.

For anomaly checks, AnomalyDetectionService ships with three default metrics: requests_per_minute (warning 15, critical 30), session_count_per_fingerprint (warning 5, critical 10), and error_rate (warning 10%, critical 25%). check_trend_anomaly flags any value that exceeds 2x (warning) or 3x (critical) the rolling average inside a configurable window. The same hooks are how a security team catches an unauthorised account hammering the inference API at three in the morning.

An exec asks why this month's Claude spend doubled. Without typed attribution, the answer is a finance ticket and a week of CSV merging. CostAnalyticsRepository answers it in five SQL methods that all read from the same ai_requests table.

get_summary returns total request count, total cost in microdollars, and total tokens for a window. get_breakdown_by_model groups by model. get_breakdown_by_provider groups by provider. get_breakdown_by_agent joins ai_requests against agent_tasks on task_id, so every dollar resolves to a named agent. get_costs_for_trends returns the raw time series for charting. Costs are stored as integer microdollars to avoid floating-point drift, and converted to dollars at presentation time.

For the wider analytics dashboard, CoreStatsRepository::get_platform_overview returns eight platform metrics in a single query, and get_cost_overview computes 24h, 7d, and 30d rolling windows alongside total_cost and avg_cost_per_request. ToolAnalyticsRepository::list_tools ranks tools by execution_count, success_rate, avg_time, and last_used, so the same data answers a reliability question as well as a spend question.

An operator opening the dashboard at the start of a shift wants three things: who is using AI, how the system is behaving, and what changed since yesterday. CoreStatsRepository::get_platform_overview returns eight metrics for the first question in one query: total_users, active_users_24h, active_users_7d, total_sessions, active_sessions, total_contexts, total_tasks, and total_ai_requests. get_activity_trend answers the second with a daily time series across five dimensions (sessions, contexts, tasks, ai_requests, tool_executions) over a configurable window.

For user-side behaviour, AnalyticsEventType defines six named variants (PageView, PageExit, LinkClick, Scroll, Engagement, Conversion) plus a Custom(String) escape hatch for in-house event types. Each variant maps through the category() method to navigation, interaction, engagement, or conversion. EngagementEvent persists eighteen behavioural columns alongside identity and timestamps, including time_on_page_ms, max_scroll_depth, scroll_velocity_avg, focus_time_ms, is_rage_click, is_dead_click, and reading_pattern.

Updates land on the dashboard over SSE through ANALYTICS_BROADCASTER, with idle clients held open by the same fifteen-second heartbeat documented in the SIEM section. Leaderboards back the third question: get_top_users, get_top_agents, and get_top_tools rank by ai_request_count, task_count, and execution_count respectively, and get_user_metrics_with_trends computes current versus previous period counts across 24h, 7d, and 30d windows for trend arrows.

The 3 a.m. incident question is rarely "what does the dashboard show," it is "give me the raw rows for trace abc123 right now." A platform team needs a CLI that hits the same database the dashboard uses, and pipes results into grep, jq, and CSV without a browser.

AnalyticsCommands defines nine subcommands: Overview, Conversations, Agents, Tools, Requests, Sessions, Content, Traffic, and Costs. Each subcommand offers both remote execution and a local execute_with_db path against a DatabaseContext, so the same binary works against staging, production, or a local Postgres dump. TraceQueryService exposes the underlying queries: list_traces with TraceListFilter, list_tool_executions with ToolExecutionFilter, search_logs with pattern, level, and since filters, list_ai_requests by model and provider, and the log summary methods count_logs_by_level, top_modules, log_time_range, and total_log_count.

For audit work, find_ai_request_for_audit resolves a request from a request_id, task_id, or trace_id, including partial prefix matches. list_audit_messages returns the full conversation, list_audit_tool_calls returns every tool invocation, and list_linked_mcp_calls joins tool calls to MCP executions. RetentionConfig handles cleanup with tiered policies (debug 1d, info 7d, warn 30d, error 90d) on a configurable cron with vacuum.