Transient Trace

How it works

Transient governs at the infrastructure layer, below your agent code. No hooks into the agent required.

Why infrastructure-level governance

Guardrails are instructions given to models. They can be ignored, bypassed, or misunderstood. Transient intercepts at the OS process boundary. By the time an action reaches the kernel, it has already been evaluated against policy and either permitted, denied, or escalated.

Three engines

Trace

The enforcement engine. Intercepts subprocess calls via PATH shims and a subprocess hook. Every action is classified, evaluated against policy, and receipted.

Recall

The memory engine. Reads Trace receipts and indexes them into a knowledge graph: what was attempted, what was blocked, patterns across sessions.

Intelligence

The verification engine. Listens passively to the receipt stream and verifies content-producing actions against declared intent.

How Trace intercepts

Two mechanisms work together to ensure full coverage:

  1. PATH shims — thin wrapper scripts in ~/.transient-trace/shims/, a directory placed ahead of the system directories on PATH. These intercept shell-resolved binaries such as git, curl, and python.
  2. Subprocess hook — intercepts Python subprocess calls that use absolute binary paths and therefore bypass PATH resolution.

When an action is intercepted, the sense-maker classifies it into an action class (read, write_low, write_high, delete, network). The Policy Enforcement Point evaluates it against the active rules and emits a signed receipt.
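The shim mechanism depends on PATH ordering, and absolute paths skip PATH lookup entirely. The following is an added example, not Transient's own code: a small audit that reports, for a list of commands, whether each would resolve through the shim directory. The function names, verdict labels and the sandbox layout are assumptions made for illustration; only the shim directory path comes from the text above.

```python
import os
import shutil
import tempfile

SHIM_DIR = os.path.expanduser("~/.transient-trace/shims")  # shim location named on the page


def resolution(command, path, shim_dir=SHIM_DIR):
    """Report how `command` would be located: via a shim, around it, or not at all."""
    shim_dir = os.path.realpath(shim_dir)
    if os.path.isabs(command):
        # Absolute paths never consult PATH, so a shim cannot see them;
        # this is the case the page assigns to the subprocess hook.
        parent = os.path.realpath(os.path.dirname(command))
        return "shim" if parent == shim_dir else "absolute-bypass"
    found = shutil.which(command, path=path)
    if found is None:
        return "not-found"
    # Compare directories only: the shim file itself may be a symlink.
    parent = os.path.realpath(os.path.dirname(found))
    return "shim" if parent == shim_dir else "unshimmed"


def audit(commands, path, shim_dir=SHIM_DIR):
    """Map each command to its resolution so unshimmed binaries stand out."""
    return {cmd: resolution(cmd, path, shim_dir) for cmd in commands}


def build_demo():
    """Constructed sandbox: shim dir with git and curl, 'system' dir with git, curl, node."""
    root = tempfile.mkdtemp(prefix="shim-audit-")
    shims, system = os.path.join(root, "shims"), os.path.join(root, "bin")
    for directory, names in ((shims, ("git", "curl")), (system, ("git", "curl", "node"))):
        os.makedirs(directory)
        for name in names:
            target = os.path.join(directory, name)
            with open(target, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")  # placeholder executable
            os.chmod(target, 0o755)
    return shims, system


if __name__ == "__main__":
    shims, system = build_demo()
    commands = ["git", "curl", "node", os.path.join(system, "git"), "wget"]
    for order in ([shims, system], [system, shims]):  # correct vs. misordered PATH
        print(os.pathsep.join(order))
        for cmd, verdict in audit(commands, os.pathsep.join(order), shims).items():
            print(f"  {cmd:<45} {verdict}")
```

Run against a real session by passing `os.environ["PATH"]` and the default shim directory; any `unshimmed` or `absolute-bypass` verdict marks a command the shims alone would not see.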

The receipt bus

A background process polls the receipt store every 30 seconds and dispatches events to subscribers (Recall, Intelligence). This is how the three engines communicate without tight coupling.

Known gaps

Transient does not currently intercept the following:

  • Native Python network calls (urllib, httpx, requests)
  • Node.js processes using absolute binary paths
  • GUI applications
  • Browser automation

macOS is production-ready. Linux is in development.
