Detect runtimes, clouds, IaC, and telemetry with confidence and evidence.

What the current agent/session can access (capability mirror, not permissions).

Run full discovery (static + live) and regenerate all cirdan-out artifacts.

Ask the graph a question, e.g. 'what depends on postgres?' or 'what broke?'.

Fetch one node (by id or fuzzy name) with evidence, attributes, and edges.

Neighborhood subgraph around a node.

Shortest path between two components.

All logical services with state and origin.

What a component depends on (transitive).

What depends on a component (transitive blast radius).

Everything reachable from outside, with the reasons.

Current workloads (services, containers, pods, units) with live state.

Recent error/warning events, clustered by message template.

Tail logs for a component through the owning live adapter.

Live state of a component through the owning adapter.

Open (and optionally resolved) incidents. Runs a detection pass by default.

Evidence-backed markdown explanation of an incident.

Actions currently possible against a component with this session's access.

Execute an action id from list_available_actions. Recorded, redacted, audited.

Verify the outcome of a previously executed action (act-… record id).

Contribute a node the scanners missed. Evidence quotes required; recorded as INFERRED.

Contribute a relationship between existing nodes (ids or names). Evidence required.

Attach evidence or attributes to an existing node without changing its confidence.

What the deterministic scanners left unconnected: docs to read, isolated nodes, unlinked IaC, uncertain claims. Contribute findings via upsert_edge.

Generate an Agentic UI view ('show me …') and save html/md/json artifacts.

Regenerate INFRA_REPORT.md and return its contents.

Recent audit entries: what Cirdan observed, generated, executed, verified.