// surface catalog · 20 entries · auto-generated
Every surface. Explained honestly.
Browse every Axiom dashboard surface + connector + safety contract. These docs are the same source of truth the in-product Help & Docs page reads — one edit updates both.
// Operator
Command Center
command_center_read_only
The top-of-funnel landing page. Aggregates the most operator-critical signals (active risks, current autonomy cycle, last deploy, recent CloudTrail events) into one dashboard. Read-only.
1 prerequisite
· At least one cloud connector wired (AWS/Azure/GCP) so the panels have data.
route: /dashboard/command-center
AGI Cockpit
autonomy_gated_no_unsafe_execution
Live view of the autonomy loop's per-stage transcript (detect → reason → simulate → policy_gate → boundary → approve → execute → verify → audit). Shows where the loop currently is and why every candidate action passed or halted.
1 prerequisite
· AUTONOMY_SCHEDULER_ENABLED=true if you want it to run unattended.
route: /dashboard/agi
Autonomy Cockpit
autonomy_gated_no_unsafe_execution
Run a one-off autonomy cycle on demand. Pick a charter mode (observer / review / assisted / autonomous), trigger a tick, and read the per-candidate decision tree. Mirrors the cron scheduler but operator-driven.
1 prerequisite
· Auth + at least one cloud connector configured.
route: /dashboard/autonomy
// Providers
AWS Services Inventory
aws_service_inventory_read_only
One consolidated AWS read across 15 services in parallel (Lambda + RDS + IAM + S3 + EC2 + VPC + SGs + ELB + SNS + SQS + SSM + CW Log Groups + ACM + GuardDuty + Secrets Manager + Backup + WAFv2). Per-section failure isolation.
3 prerequisites
· AWS_INVENTORY_EXTRACT_ENABLED=true
· AWS_CONNECTOR_BROKER_ACCESS_KEY_ID + AWS_CONNECTOR_BROKER_SECRET_ACCESS_KEY (or AWS_USE_DIRECT_CREDS for single-account testing).
· Read-only permissions for every probed service (see scripts/fix-aws-permissions.mjs).
route: /dashboard/aws-services
Cloud Inventory
aws_service_inventory_read_only
One pane of glass across AWS + Azure + GCP. Compute / storage / database totals + per-cloud posture chips (public exposure, unencrypted, identity weaknesses). Single typed result.
1 prerequisite
· At least one of AWS/Azure/GCP wired.
route: /dashboard/cloud-inventory
Network Topology
aws_service_inventory_read_only
Cross-cloud node-link graph of every VPC / VNet / GCP network, with subnets and peerings. Internet-facing networks are highlighted in rose. Hover a VPC for highlight.
1 prerequisite
· AWS/Azure/GCP credentials with network:Describe* / VirtualNetworks read / compute.networks read.
route: /dashboard/network-topology
// Security
Cloud Security
multi_cloud_security_read_only
Cross-cloud security findings — AWS GuardDuty + Azure Defender for Cloud + GCP Security Command Center — folded into one typed SecurityFinding[] with severity normalized across providers.
3 prerequisites
· AWS: GuardDuty enabled in the region + guardduty:ListFindings.
· Azure: Microsoft.Security/securityContacts read.
· GCP: Security Command Center API enabled + securitycenter.findings.list.
route: /dashboard/cloud-security
// Cost
Cost Overview
billing_summary_read_only
Cross-cloud cost dashboard merging AWS Cost Explorer + Azure Cost Management + GCP Billing + GitHub + Stripe + Vercel. Stat ribbon (providers reporting / Last 30d / Prev 30d / Δ%) + anomaly panel + per-provider cards.
3 prerequisites
· AWS Cost Explorer activated in the AWS console (one-time account-level toggle).
· Azure: Cost Management Reader on the subscription.
· GCP: BigQuery billing export configured.
route: /dashboard/cost-overview
Cost Anomaly Explainer
billing_summary_read_only
Every billing anomaly is correlated against the live CloudTrail tail. Primary suspect when matchScore ≥ 0.7, plausible at ≥ 0.45, no_correlation when nothing scores above the threshold. Confidence is multiplied by the anomaly's own confidence.
1 prerequisite
· Same as Cost Overview + CloudTrail (cloudtrail:LookupEvents).
route: /dashboard/cost-explainer
// Containers
Container Orchestration
container_orchestration_read_only
Unified view of every cluster across AWS ECS + EKS, Azure AKS, and GCP GKE. Per-cluster: node count, pod count, workload risk flags (privileged, hostNetwork, allowPrivilegeEscalation), public endpoint count, EOL k8s detection.
3 prerequisites
· AWS: ecs:ListClusters + eks:ListClusters + describe permissions.
· Azure: Microsoft.ContainerService/managedClusters/listClusterUserCredential/action.
· GCP: container.clusters.list.
route: /dashboard/containers
Kubernetes EOL Upgrade Planner
container_orchestration_read_only
Filters all clusters to the ones running an EOL control-plane minor. Groups by provider, shows the EOL → target version arrow chip, and surfaces workloads with upgrade-risk flags.
1 prerequisite
· Same as Container Orchestration.
route: /dashboard/k8s-eol
// Autonomy
Autonomy Charter
policy_governance_read_only
Per-tenant override of the autonomy charter. Pick a mode (observer/review/assisted/autonomous). Mode picks the default boundary classes; per-cycle cap clamps how many candidate actions per cron tick. Unsafe classes always halt regardless.
1 prerequisite
· Auth — operator role.
route: /dashboard/charter
Remediation Runbooks
approval_only_no_execution
For every high/critical CloudTrail event, Axiom drafts a typed RemediationRunbook with a reversal action and a hardening policy. Nothing executes — operators review and stage to the approval queue.
1 prerequisite
· CloudTrail extractor live (cloudtrail:LookupEvents).
route: /dashboard/runbooks
Runbook Approval Queue
approval_only_no_execution
Every runbook promoted from /dashboard/runbooks lands here. Approve or reject — the decision is durably recorded but Axiom does not apply the change. The IaC pipeline owns execution.
1 prerequisite
· DATABASE_URL wired (Prisma Postgres).
route: /dashboard/runbooks/queue
Policy Previews
approval_only_no_execution
Every runbook's hardening action becomes ready-to-paste SCP / Azure Policy / GCP Org Policy JSON. Copy, paste into your IaC stack, apply. Per-preview 'tf' button opens a Terraform HCL draft modal.
1 prerequisite
· Runbooks (CloudTrail) live.
route: /dashboard/policy-previews
SCP / IAM Policy Simulator
approval_only_no_execution
Pure local evaluator — no AWS SDK call. Paste a candidate SCP and a synthetic request, see whether the policy would Allow / Deny / not apply. Statement-by-statement reasoning. Unknown condition operators are reported (never faked).
1 prerequisite
· None — runs entirely server-side without credentials.
route: /dashboard/scp-simulator
// Notifications
Outbound Notifications (Slack/Teams)
notification_read_only
When the autonomy loop halts at needs_human or surfaces a critical signal, this lane proactively pings humans via Slack / Microsoft Teams / signed generic webhook. Deduped per signal id within a 10-minute window. Email transport is pending.
2 prerequisites
· Set SLACK_WEBHOOK_URL and/or TEAMS_WEBHOOK_URL and/or OUTBOUND_WEBHOOK_URL.
· Optional OUTBOUND_WEBHOOK_SECRET enables HMAC-SHA256 signing.
route: /dashboard/notifications-outbound
// Audit
CloudTrail Audit Tail
audit_read_only
Live AWS CloudTrail management-plane events with severity classification. Root-user activity, IAM key mutations, deletions, failed ConsoleLogin → critical / high. Lookback selector 15m / 1h / 6h / 24h.
1 prerequisite
· AWS broker IAM role with cloudtrail:LookupEvents.
route: /dashboard/cloudtrail
// Setup
Setup Wizard
setup_review_only_no_execution
Walks an operator through connecting every provider in order: AWS broker creds → AWS test extract → Azure SP → GCP service account → GitHub PAT → Slack webhook. Each step is honest about what's still preview vs live.
1 prerequisite
· Auth.
route: /dashboard/setup
Integration Health
integration_health_read_only
Single-screen view of every integration's current connectivity state: live / partial / preview / blocked / disabled. Each entry links to its own surface and lists the missing requirements.
1 prerequisite
· Auth.
route: /dashboard/integrations/health
This page regenerates automatically when lib/help/helpKnowledgeBase.ts changes. ISR revalidate: 1 hour. For the full guided onboarding, see Getting started.