Trace
The OS-layer enforcement engine. Intercepts, evaluates, and receipts every agent action.
Governance modes
Set with --mode:
audit
defaultIntercepts and records all actions. Nothing is blocked. Use this to understand agent behaviour before enforcing.
strict
Blocks any action that violates policy. The agent receives a denial at the process level.
permissive
Logs actions but never blocks. Useful for noisy environments where you want visibility without interference.
OWASP governance packages
Pre-built policy sets aligned to OWASP agent security categories. Pass with --packages:
| Package | Covers |
|---|---|
filesystem | File reads, writes, deletes outside working directory |
shell | Arbitrary shell execution, script runners |
code-deployment | git push, CI triggers, registry publish |
privilege | sudo, su, chmod, chown |
network | curl, wget, DNS, outbound HTTP |
messaging | Email, Slack, webhook calls |
Combine packages: --packages filesystem,shell,network
Action classes
Every intercepted action is classified before policy evaluation:
readFile reads, directory listings
write_lowLow-risk writes (temp files, logs)
write_highWrites to sensitive paths, config files
deleteFile or directory deletion
networkAny outbound network call
Self-protection
Trace protects its own governance layer. Agents cannot uninstall shims or modify the receipt store during an active session.