Great breakdown especially the decision_source behavioral shift as a detection primitive.

Two gaps I’ve run into instrumenting this on server side EC2 instances that I'm curious how you'd approach:

User identity enrichment: OTEL's session. id and user.account_uuid are useful, but in a multi tenant EC2 environment they don't reliably map to an OS level user or a human identity in our IdP. I am exploring Claude Code hooks to inject host context and user identity at the source. Curious whether you've seen a cleaner pattern here, or whether hooks are just the accepted solution.

MCP call visibility: You flagged that MCP tool descriptions aren't captured even with OTEL_LOG_TOOL_DETAILS=1 - which is exactly where poisoning payloads live. Short of building a proxy in front of MCP servers to intercept and log tool descriptions, I haven't found a good answer. Is there a telemetry path you're aware of that captures this, or is this just a known blind spot until the spec matures?

Looking forward to Part 2.