📖 Help

Every contextual help topic in SafeCadence, in one place. Hover the icons anywhere in the product for the same content inline. Press ? on any page for keyboard shortcuts.

🔐 Identity translator + simulator

Intent translator-intent	Plain-English description of the access policy you want enforced. Be specific about WHO the policy targets, WHAT action they're trying to do, and WHERE (which environments / asset types). Example`contractors without MFA cannot SSH to prod`
Effect translator-effect	What happens when the policy matches a request. deny blocks it, allow permits it, require_step_up forces MFA or a trusted device check before allowing. Accepted values deny allow require_step_up Example`deny`
Target systems translator-targets	Which identity systems should enforce this policy. Pick the smallest set that covers the action — SSH typically maps to ['okta', 'ise']; admin portal access to ['entra', 'okta']. Use 'all' to apply to every connected system. Accepted values okta ise ad entra clearpass all Example`okta, ise`
Conditions translator-conditions	Additional requirements that must hold for the rule to fire. Compose multiple conditions with AND. Accepted values mfa_required — principal must have MFA enrolled posture_compliant — device must pass posture check device_trusted — device must be Azure AD-joined time_window — only during a specific time range session_age_max — re-auth required after N minutes
Severity translator-severity	How forcefully the rule is applied once committed. advisory just records the recommendation; warn shows a banner; enforce actually blocks the action when the rule fires. Accepted values advisory warn enforce Example`enforce`
Policy IR simulator-input	Paste a Unified Policy IR (the JSON the translator emits). The simulator projects its impact against your live fleet without making any external HTTP/LDAP calls. Click 'Load demo IR' to fill the box automatically.
Risk delta simulator-risk-delta	Net change in attack-path reach-weighted risk if the policy is applied. Negative numbers are good — they mean attack paths are severed by the change.

🔎 Effective permissions + JIT

Principal who-can-principal	The user or non-human identity (NHI) you're evaluating. Use the email address for human users, or the NHI ID (e.g. 'nhi-build-bot') for service accounts. Example`alice.admin@acme.local`
Action who-can-action	What the principal is trying to do. Accepted values ssh rdp http https read write admin login Example`ssh`
Resource who-can-resource	The asset_id or hostname the principal is trying to access. Example`dc-01.acme.local`
Duration jit-duration	How long the JIT grant stays active. After this, the daemon auto-revokes the access. Keep grants short — JIT is for exceptions, not steady-state access. Accepted values 30m 1h 4h 8h 1d max 14d Example`4h`
Target IdP jit-target	Which identity system enforces the grant. The IdP must have credentials configured (e.g. OKTA_API_TOKEN env var). Accepted values okta ise ad entra clearpass
Reason jit-reason	Audit-trail justification. Required for SOX / SOC2 compliance when granting time-bounded access. Example`INC-4321 — incident triage on prod-db`

🚩 Findings + automation

Severity finding-severity	How serious the finding is. critical and high warrant immediate action; medium can wait a sprint; low is hygiene. Accepted values critical high medium low info
Finding kind finding-kind	What category the finding belongs to. Determines which remediation playbook applies. Accepted values stale_nhi — service account unused 90+ days no_mfa — tenant or principal without MFA enforcement over_privileged — user in 5+ privileged groups never_rotated — credential past rotation window orphan_service_account — owner departed
Match kind automation-when-kind	Run this rule when a finding of this kind appears. Leave blank to match any kind (combined with severity threshold). Accepted values stale_nhi no_mfa over_privileged never_rotated orphan_service_account (any)
Severity threshold automation-when-severity	The minimum severity that triggers the rule. 'medium+' fires for medium, high, and critical findings. Accepted values any low+ medium+ high+ critical
Action to take automation-action	What happens when the rule fires. Accepted values auto_fix — run the suggested IR through dry-run on the matching adapter assign — create an Assignment for the named user notify_log — append to ~/.safecadence/intel/automation.log notify_slack — send to your configured Slack channel
Rate limit automation-rate-limit	Don't refire the rule for the same finding within this window. Default 1 hour. Prevents a noisy finding from spamming your Slack 100 times. Example`3600 (1 hour)`

📌 Watchlists + sharing

What to watch watchlist-entity-kind	What kind of entity is being pinned. The daemon detects changes to the corresponding fields and reports them in your morning briefing. Accepted values asset nhi principal finding policy path
Share scope share-scope	What the recipient of the share URL can see. summary = top-line counts; compliance = policies + drift; identity = findings + paths; evidence = full SOC2/ISO/NIST view. Accepted values summary compliance identity evidence
Token lifetime share-ttl	How long the share URL is valid. After this, the token expires and the URL returns 403. Max 90 days. Accepted values 1 day 7 days 30 days max 90 days

🎯 Identity attack paths

Risk score path-risk	Reach-weighted risk score: higher means more dangerous. Computed from path length, edge weights (impersonation > membership), and terminal asset criticality (crown-jewels score 3×). Accepted values 0–4 = informational 4–7 = elevated 7+ = critical
Attack chain path-chain	Each → represents an edge in the identity graph. Common edge types: member_of (human → group), can_impersonate (principal → principal), can_assume_role (NHI → role), has_credential_to (group → asset).

📊 Dashboard + observability

Compliance score compliance-score	Percent of policy controls that pass across your fleet. Computed continuously by the daemon from the latest evaluations. Trend is week-over-week. 80%+ is healthy; below 60% needs attention.
Next 3 actions next-3-actions	Auto-prioritized: attack paths > critical findings > policy fails > drift > active JIT. Click any row to drill into remediation. Updated on every page load.
Live activity feed live-activity	Last 8 events from the last 24 hours: audit log entries, JIT grants, comments, assignments, automation rule fires. Auto-refreshes every 60 seconds.

⚙️ Operational

Demo data demo-data	31 realistic fake assets + 3 NHIs designed to trip every detector — 13 Domain Admins without MFA, 1 stale NHI, 1 never-rotated, 1 orphan service account. Run `safecadence demo --clear` to remove.
Tier-3 TOTP challenge tier-3-totp	Per-job MFA required for high-risk command execution. Configure once via 'safecadence admin totp enroll', then every Tier-3 commit prompts for a 6-digit code.
BYO-AI key byo-ai	Set OPENAI_API_KEY, ANTHROPIC_API_KEY, or OLLAMA_HOST. Your key is read at runtime; it never leaves your machine. Without a key, AI features fall back to deterministic answers for common keyword queries.

Missing a topic?

Help text lives in src/safecadence/ui/help_registry.py. Add an entry, drop a <span class="sc-help" data-help="..."></span> next to the field, and it shows up automatically.

🔔 Recent activity