Investigations need a complete chain
A useful security timeline connects prompt, tool input, output, model, cost, repository, workstation, identity, and verdict.
Incidents start fragmented
A suspicious agent session rarely arrives as one clean record. The prompt may be in one place, tool calls in another, model usage somewhere else, and identity in a dashboard that was not designed for incident response.
That fragmentation slows down the first question every analyst asks: what happened, in what order, and who was affected?
Correlation beats screenshots
A complete chain ties each event to a session, workstation, project, repository, model, and actor. That makes cost spikes, unusual tool patterns, and policy violations part of the same investigation instead of separate exports.
Screenshots can tell a story once. Correlated events let the system answer follow-up questions without starting over.
Verdict first, evidence next
The investigation surface should start with the decision and then expose the evidence: prompt context, tool arguments, output summary, policy match, and timing. That keeps the analyst oriented without hiding the technical detail.
Agent Keeper's telemetry work is aimed at that chain. Not more logs for their own sake, but fewer blind spots between agent intent and agent impact.
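The correlation described above, sketched as an added example; it is not Agent Keeper's code or schema. The four sources, their field names, and the `build_chains` helper are assumptions, and every record is constructed sample data.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions, one list per source.
PROMPTS = [{"session": "s-1", "ts": 100, "prompt": "clean up the build directory"}]
TOOL_CALLS = [
    {"session": "s-1", "ts": 105, "tool": "shell", "args": "rm -rf build/",
     "output": "ok", "policy_match": None},
    {"session": "s-1", "ts": 110, "tool": "shell", "args": "cat .env",
     "output": "[redacted]", "policy_match": "secret-file-read"},
    {"session": "s-2", "ts": 50, "tool": "shell", "args": "ls",
     "output": "ok", "policy_match": None},
]
MODEL_USAGE = [{"session": "s-1", "ts": 104, "model": "model-a", "cost_usd": 0.5},
               {"session": "s-1", "ts": 109, "model": "model-a", "cost_usd": 0.25}]
IDENTITY = [{"session": "s-1", "ts": 99, "actor": "alice",
             "workstation": "ws-17", "repository": "org/app"}]

CONTEXT_KEYS = ("actor", "workstation", "repository", "model")

def build_chains(**sources):
    """Group records by session, order them by time, and flag missing links."""
    events = defaultdict(list)
    for kind, records in sources.items():
        for rec in records:
            events[rec["session"]].append({"kind": kind, **rec})
    chains = {}
    for session, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        context = {k: e[k] for e in evs for k in CONTEXT_KEYS if k in e}
        matches = [e["policy_match"] for e in evs if e.get("policy_match")]
        missing = [k for k in CONTEXT_KEYS if k not in context]
        if not any(e["kind"] == "prompt" for e in evs):
            missing.append("prompt")
        chains[session] = {
            # Verdict first; a chain with gaps is never reported as clean.
            "verdict": "violation" if matches else "incomplete" if missing else "clean",
            "policy_matches": matches,
            "context": context,
            "missing": missing,
            "cost_usd": sum(e.get("cost_usd", 0) for e in evs),
            "timeline": [(e["ts"], e["kind"]) for e in evs],
        }
    return chains

CHAINS = build_chains(identity=IDENTITY, prompt=PROMPTS, model=MODEL_USAGE,
                      tool=TOOL_CALLS)
```

Session `s-2` has a tool call but no identity, prompt, or model record, so it surfaces as `incomplete` with the missing links listed instead of passing silently.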