Skip to content

SecOpsAI Edge

SecOpsAI Edge is the network discovery and sensor module for the SecOpsAI platform. Edge owns authorized LAN discovery, Wi-Fi observations, worker heartbeat, and scan execution. Core owns the canonical asset graph, findings, long-term context, triage, research, and reporting workflows.

The repositories remain separate and do not share a database. They exchange a versioned secopsai.edge.bundle.v1 contract containing normalized graph nodes, graph edges, and findings. Raw Nmap output, packet captures, and raw scan logs are excluded.

One-Step Sync From The Edge Repo

From the SecOpsAI Edge repo:

./scripts/edge core sync --cloud --core-root "$HOME/secopsai" --output edge-bundle.json

This exports the normalized Edge bundle, saves it for audit/review, and imports it into this Core local SOC/graph store.

Supervised Automatic Sync

From the Edge repo, install the platform service that repeats the same versioned export/import safely:

./scripts/edge core sync-service install --cloud --core-root "$HOME/secopsai" --interval 300
./scripts/edge core sync-service start
./scripts/edge core sync-service status

Use logs, run-now, stop, and uninstall for recovery. The service uses launchd on macOS and a systemd user timer on Linux. It has a separate lifecycle from the scanner worker and skips overlapping runs. A staged runner avoids macOS Documents-folder privacy failures; configuration and credentials are isolated in separate owner-only JSON files, and the token is never placed in launch arguments.

Import A Bundle

secopsai edge import --bundle edge-bundle.json

Use a custom SOC/graph database:

secopsai edge import --bundle edge-bundle.json --db-path /path/to/openclaw_soc.db

Sync From Edge API

SECOPSAI_EDGE_API_URL=https://secopsai-edge-api.onrender.com \
SECOPSAI_EDGE_ACCESS_TOKEN=<workspace-core-export-token> \
secopsai edge sync

Or pass values directly:

secopsai edge sync \
  --edge-api-url https://secopsai-edge-api.onrender.com \
  --access-token <workspace-core-export-token>

Create this expiring, revocable token from the Edge dashboard Settings page. It grants only core:export for the selected workspace. The legacy admin-token environment variable and CLI alias remain temporarily supported for existing single-workspace installations, but new services should not use them.

Inspect The Graph

secopsai graph assets
secopsai graph show 192.168.1.50
secopsai graph changes

Review Edge Findings

secopsai triage list --source secopsai_edge
secopsai triage investigate EDGE-...

Core stores Edge findings with stable EDGE-... identifiers and preserves analyst triage state on re-sync.

Ownership Boundary

Surface Owner
LAN and Wi-Fi collection Edge sensor
Scan jobs, schedules, and worker health Edge API
Raw scan minimization Edge agent
Canonical findings and analyst disposition Core
Asset graph and long-term change context Core
Unified asset/finding operator workspace SecOpsAI dashboard
Scan, schedule, and sensor administration Edge dashboard
Local automation and approval-gated actions OpenClaw plugin

The canonical SecOpsAI dashboard now consumes Core graph assets, graph changes, and Edge-origin findings, with optional server-side enrichment from the Edge API for live sensor operations. The Edge dashboard remains the administration surface for scans, schedules, and sensor recovery. Edge credentials are held by the helper service and are never exposed to the browser.