Quickstart
Get your agent governed in under five minutes.
1. Install Transient Trace
pipx install transient-trace
pipx installs into an isolated environment and puts transient-trace on PATH permanently. If you don't have pipx: brew install pipx && pipx ensurepath.
2. Set up governance shims
Shims intercept binaries at the OS level. Every call to git, curl, npm etc. from any agent, script, or tool on the machine goes through governance first.
transient-trace wrap install git curl npm pip3 uv sudo --auto-rc
source ~/.zshrc
Verify everything is wired up:
transient-trace wrap status
which git # should return ~/.transient-trace/shims/git
3. Boot your agent through Transient
Transient requires you to launch your agent through it. You do not run your agent directly — you run it via transient-trace run. This is how the governance layer wraps the process.
transient-trace run python agent.py
transient-trace run claude
Every session must be started this way. Launching an agent directly without transient-trace run means there is no session context, no linked receipt chain, and no popen hook. Permanent shims will still intercept specific binaries but the receipts are unconnected.
For full governance, always start through transient-trace run.
That's it. Every action the agent takes is now intercepted, evaluated, and receipted.
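The `which git` check from step 2 can be repeated for every wrapped binary, since the permanent shims only intercept a call when the shim directory is the first PATH match for that name. The script below is an added example, not part of Transient Trace; it assumes the shim directory shown in step 2, and `first_path_dir`, `unshimmed_bins` and the file name `check_shims.sh` are hypothetical.

```shell
# Added example, not a transient-trace command. SHIM_DIR defaults to the shim
# path shown in the quickstart's `which git` comment; override it if needed.
SHIM_DIR="${SHIM_DIR:-$HOME/.transient-trace/shims}"

# Print the directory of the first executable named $1 on PATH.
# Scanning PATH directly avoids aliases, functions and the shell's hash cache.
first_path_dir() {
    _rest="$PATH:"
    while [ -n "$_rest" ]; do
        _dir="${_rest%%:*}"
        _rest="${_rest#*:}"
        [ -n "$_dir" ] || _dir="."      # an empty PATH entry means the cwd
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            printf '%s\n' "${_dir%/}"
            return 0
        fi
    done
    return 1
}

# Report every binary whose first PATH match is outside SHIM_DIR.
# Prints one "name -> directory" line per problem and returns the problem count.
unshimmed_bins() {
    _bad=0
    for _bin in "$@"; do
        _hit=$(first_path_dir "$_bin") || _hit="(not found)"
        if [ "$_hit" != "${SHIM_DIR%/}" ]; then
            printf '%s -> %s\n' "$_bin" "$_hit"
            _bad=$((_bad + 1))
        fi
    done
    return "$_bad"
}

# Usage: sh check_shims.sh git curl npm pip3 uv sudo
if [ "$#" -gt 0 ]; then
    unshimmed_bins "$@"
fi
```

No output and exit status 0 mean every listed binary resolves to its shim; any printed line names a binary that would run ungoverned from this shell.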
4. Add OWASP governance packages
Packages are curated rule sets aligned to the OWASP Agentic Security Initiative. Load them to enforce specific security boundaries:
transient-trace --mode strict --packages filesystem,code,privilege,shell run python agent.py
| Package | Blocks |
|---|---|
| filesystem | Bulk delete, sensitive paths (~/.ssh, /etc) |
| code | git push to remote, package installs without lockfile |
| privilege | sudo, su, chmod escalation, user management |
| shell | curl \| bash, eval, inline code execution |
| web | SSRF, mutation requests to internal hosts |
| messaging | External email, broadcast to unknown recipients |
5. View receipts
Every governed action produces a tamper-evident receipt:
transient-trace receipts summary
transient-trace receipts list
transient-trace receipts list --outcome deny
Governance modes
| Mode | Behaviour |
|---|---|
| audit | Record everything. Never block. Default. |
| strict | Block on policy violations before execution. |
| permissive | Log violations. Never block. |
Set strict as the permanent default:
transient-trace config set mode strict
Dashboard (TUI)
Use the terminal dashboard for live receipts, runtime config updates, and permission/rule changes while agents are active.
transient-trace dashboard
Connect Recall and Intelligence (in development)
Recall and Intelligence integration is currently in development. When available, start the receipt bus to connect them to Trace automatically:
cp transient.config.example.json transient.config.json
# Edit transient.config.json with your Recall and Intelligence endpoints
npm install
npm start
The receipt bus polls Trace receipts every 30 seconds and dispatches events to Recall and Intelligence. No agent code changes required.
