Runtime safety monitoring SDK for AI agents. Probe every boundary, enforce policies, block threats.

Tripline

Runtime safety for AI coding agents. See everything your agent does. Block what it shouldn't.

"My Windsurf agent read my entire home directory while deploying infrastructure."

That's why this exists.

Three Layers of Protection

| Layer | What it catches | Setup |
| --- | --- | --- |
| MCP Server | All tool calls from the agent | One line in your MCP config |
| FUSE Mount | ALL file I/O (even built-in tools) | tripline mount ~ |
| Network Proxy | Outbound HTTP/HTTPS (exfiltration) | tripline net-proxy |

Start with Layer 1. Add more when you want full coverage.

Quick Start (30 seconds)

pip install tripline
tripline init

Add to your MCP config (.kiro/settings/mcp.json, claude_desktop_config.json, etc.):

{
  "mcpServers": {
    "tripline-fs": {
      "command": "tripline",
      "args": ["serve", "--config", "tripline.yaml", "--allowed-dirs", "/path/to/your/project"]
    }
  }
}

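Done. Every file operation the agent makes through MCP tool calls now goes through Tripline's safety layer; agents with built-in tools that bypass MCP also need the FUSE layer (see Full Coverage).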

See What's Happening

tripline ui          # Web dashboard (localhost:8484)
tripline log         # Terminal event log
tripline log --stats # Summary

What It Does

  • Directory confinement — agent can't escape your project. Reads of ~/.ssh or ~/.aws? Blocked.
  • Risk classification — delete = critical, write = high, read = medium
  • Deny paths — always blocked, all modes, no exceptions (configurable via UI)
  • Pattern learning — repeated safe operations get auto-approved (critical ops never learned)
  • Sensitive burst detection — 3+ credential files read in 10s? Alert. 5+? Freeze.
  • PID capture — know which process made each file access
  • Three operating modes — Auto (observe + protect), Supervised (approve high-risk), Locked (block all)
  • Circuit breaker — freeze or kill the agent from the dashboard
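
The sensitive burst detection rule from the list above (3+ credential files read in 10s raises an alert, 5+ freezes), written out as an added example; it is not Tripline's own code. The names treated as sensitive, the choice to count distinct files rather than raw reads, and all identifiers (BurstDetector, is_sensitive, replay) are assumptions made for illustration.

```python
from collections import deque
from pathlib import PurePosixPath

# Assumed for illustration: what counts as credential material.
SENSITIVE_DIRS = {".ssh", ".aws", ".gnupg"}
SENSITIVE_FILES = {".env", "credentials"}
ALERT_AT, FREEZE_AT, WINDOW_S = 3, 5, 10.0   # thresholds quoted in the list above


def is_sensitive(path):
    """True if any path component is a sensitive dir or the file name is sensitive."""
    parts = PurePosixPath(path).parts
    return bool(parts) and (
        any(p in SENSITIVE_DIRS for p in parts) or parts[-1] in SENSITIVE_FILES
    )


class BurstDetector:
    """Sliding-window counter over sensitive file reads."""

    def __init__(self):
        self._hits = deque()   # (timestamp, path) of recent sensitive reads

    def observe(self, ts, path):
        """Record one read at time ts (seconds); return 'ok', 'alert' or 'freeze'."""
        if not is_sensitive(path):
            return "ok"
        self._hits.append((ts, path))
        # Drop reads that have fallen out of the 10 s window.
        while ts - self._hits[0][0] > WINDOW_S:
            self._hits.popleft()
        # Count distinct files so re-reading one file does not trip the rule.
        distinct = len({p for _, p in self._hits})
        if distinct >= FREEZE_AT:
            return "freeze"
        return "alert" if distinct >= ALERT_AT else "ok"


# Constructed event stream: (seconds, path read by the agent).
EVENTS = [(0.0, "./src/index.ts"), (1.0, "~/.ssh/id_rsa"), (2.0, "~/.aws/credentials"),
          (3.0, "./.env"), (4.0, "~/.ssh/id_ed25519"), (5.0, "~/.gnupg/secring.gpg"),
          (30.0, "~/.ssh/id_rsa")]


def replay(events):
    """Feed events through a fresh detector and return the verdict for each."""
    detector = BurstDetector()
    return [detector.observe(ts, path) for ts, path in events]


if __name__ == "__main__":
    for (ts, path), verdict in zip(EVENTS, replay(EVENTS)):
        print(f"{ts:5.1f}s  {verdict:<6}  {path}")
```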

Web Dashboard

tripline ui

Shows all events from all layers with colored source badges:

  • 🔵 FUSE (filesystem)
  • 🟣 MCP (tool calls)
  • 🟠 Network (HTTP/HTTPS)

Filter by source, risk level, or search. Click an event for full detail. Use the Settings tab to configure deny paths without editing YAML.

Full Coverage (FUSE + Network)

For agents with built-in tools (Kiro, Cursor, Windsurf), the MCP server alone doesn't catch everything. Add FUSE for complete filesystem coverage:

# macOS: install macFUSE first (one-time)
brew install macfuse  # then approve kernel extension in System Settings

# Mount your project (or ~ for full coverage)
tripline mount . --target /tmp/tripline-view

# Add network monitoring
tripline net-proxy

Works With

Claude Desktop · Kiro · Claude Code · Windsurf · Cursor · OpenClaw — anything that speaks MCP.

| Agent | MCP Server | FUSE | Coverage |
| --- | --- | --- | --- |
| Claude Desktop | ✅ 100% | Optional | Full — MCP-only agent |
| Kiro / Claude Code | ✅ MCP calls | ✅ Everything | Full with FUSE |
| Windsurf / Cursor | ✅ MCP calls | ✅ Everything | Full with FUSE |
| Custom agents | ✅ 100% | Optional | Full — if MCP-only |

Example Output

[09:41:02] ✗ BLOCK     read_file    ~/.ssh/id_rsa
           ↳ deny_paths: blocked in all modes

[09:41:03] ⚠ HIGH      read_file    ./.env
           ↳ sensitive file — credential access flagged

[09:41:04] ✓ ALLOW     read_file    ./src/index.ts
           ↳ auto-approved: learned pattern

[09:41:05] ✗ BLOCK     symlink      /etc/passwd → ./link.txt
           ↳ symlink target escapes project root

Configuration

tripline init generates this. Edit via the Settings tab in the dashboard, or directly:

policies:
  allow_paths:
    - "./"
  deny_paths:
    - "~/.ssh"
    - "~/.aws"
    - "~/.gnupg"
    - "/etc"
  risk_levels:
    critical: [rm, delete, drop, truncate, destroy]
    high: [exec, shell, write, modify, install]
    medium: [create, read, list, search]
    low: [help, version, status]
  actions:
    critical: block
    high: countdown
    medium: allow
    low: allow

countdown_seconds: 3
learning:
  enabled: true
  threshold: 5

noise_filter:
  enabled: true
  exclude_processes: []
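
How a policy like the one above can be evaluated so that deny_paths win over allow_paths and a symlink cannot smuggle a denied target into the project (the "symlink target escapes project root" case in the example output). This is an added example, not Tripline's own code; check_access, _inside, demo and the temporary directory layout are assumptions made for illustration.

```python
import os
import tempfile

DENY_PATHS = ["~/.ssh", "~/.aws", "~/.gnupg", "/etc"]   # deny_paths from the config above


def _inside(path, root):
    """True if path is root or lies beneath it (both already resolved, absolute)."""
    return os.path.commonpath([path, root]) == root


def check_access(requested, project_root, home):
    """Return (verdict, reason) for a path the agent asks to open."""
    root = os.path.realpath(project_root)
    # Expand "~" against the given home, anchor relative paths at the project
    # root, then resolve ".." and symlinks so the decision is on the real target.
    if requested == "~" or requested.startswith("~/"):
        requested = home + requested[1:]
    real = os.path.realpath(os.path.join(root, requested))
    # Deny entries are checked first: they apply even inside an allowed tree.
    for entry in DENY_PATHS:
        denied = os.path.realpath(entry.replace("~", home, 1))
        if _inside(real, denied):
            return "block", f"deny_paths: {entry}"
    if not _inside(real, root):
        return "block", "resolves outside project root"
    return "allow", "inside allow_paths"


def demo():
    """Build a constructed home/project tree and evaluate four requests."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        project = os.path.join(home, "project")
        os.makedirs(os.path.join(project, "src"))
        os.makedirs(os.path.join(home, ".ssh"))
        # A link inside the project whose target is a denied directory.
        os.symlink(os.path.join(home, ".ssh"), os.path.join(project, "keys"))
        requests = ["src/index.ts", "../notes.txt", "~/.ssh/id_rsa", "keys/id_rsa"]
        return {r: check_access(r, project, home) for r in requests}


if __name__ == "__main__":
    for path, (verdict, reason) in demo().items():
        print(f"{verdict:<5}  {path:<16}  {reason}")
```

A string-prefix comparison on the unresolved path would allow `keys/id_rsa`; resolving before comparing is what makes the last request fail.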

CLI Reference

tripline init              # Generate config for your project
tripline serve             # MCP filesystem server (drop-in replacement)
tripline mount . --target <dir>  # FUSE filesystem overlay
tripline net-proxy         # HTTP/HTTPS network proxy
tripline ui                # Web dashboard (localhost:8484)
tripline wrap -- <cmd>     # Proxy mode (wrap another MCP server)
tripline log [--stats]     # View event log
tripline watch             # Live tail events
tripline report            # Session risk report
tripline scan              # False positive detection
tripline patterns          # View learned patterns
tripline baseline build    # Build behavioral baseline

How It Catches Real Attacks

| Attack | How Tripline catches it |
| --- | --- |
| Shai-Hulud npm worm | Sensitive burst detection (credential scanning pattern) + network proxy blocks exfil to webhook.site |
| Hugging Face typosquatting | deny_paths blocks ~/.ssh, ~/.aws reads. FUSE catches even if agent uses absolute paths |
| Prompt injection via MCP | Injection detector scans tool responses for hidden instructions |
| Supply chain (pip install) | Confinement blocks post-install scripts from reading .env, .git/config |
| OpenClaw credential dump | Sensitive file reads flagged as HIGH risk, burst detection fires |
| Data exfiltration | Network proxy tracks cumulative outbound bytes, alerts on threshold |

License

MIT

Download files

Source Distribution: tripline-2.0.0.tar.gz (209.5 kB)

Built Distribution: tripline-2.0.0-py3-none-any.whl (28.3 kB)
