
v0.13.0 — Auto-Generate Policy from Observed Traces


@Siddhant-K-code Siddhant-K-code released this 11 Apr 17:33
· 80 commits to main since this release

v0.13.0 - Policy suggestion

Generate a minimal .agent-scope.json allow-list directly from what your agent actually did, instead of writing one by hand.

New command

agent-strace policy                        # analyse all sessions, print suggested policy
agent-strace policy <session-id>...        # analyse specific sessions
agent-strace policy --output .agent-scope.json   # write to file
agent-strace policy --dry-run              # print without writing

How it works

agent-strace policy scans tool_call events across one or more sessions and collects:

  • Files read — from read, view, grep, glob tool calls
  • Files written — from write, edit, create tool calls
  • Commands — from bash tool calls
  • Network hosts — extracted from URLs in bash commands

Paths are collapsed to glob patterns when 3 or more files share a directory (e.g. src/a.py, src/b.py, src/c.py → src/**). Commands are collapsed to base-executable patterns (e.g. pytest tests/foo.py -x → pytest *).

Example output

{
  "files": {
    "read":  { "allow": ["src/**", "tests/**", "pyproject.toml"] },
    "write": { "allow": ["src/**"] }
  },
  "commands": {
    "allow": ["pytest *", "git *"]
  },
  "network": {
    "deny_all": true,
    "allow": ["api.anthropic.com"]
  }
}

The generated policy can be used directly with agent-strace audit to flag future sessions that exceed the observed scope.
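
The collapsing rules from "How it works", as an added Python sketch (not agent-strace's own code): the event field names, the function names and the choice to keep root-level files literal are assumptions, and only simple single-command bash lines are handled.

```python
import shlex
from collections import defaultdict
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed tool_call events; field names are assumptions, not agent-strace's schema.
EVENTS = [
    {"tool": "read", "path": "src/a.py"},
    {"tool": "view", "path": "src/b.py"},
    {"tool": "grep", "path": "src/c.py"},
    {"tool": "read", "path": "pyproject.toml"},
    {"tool": "edit", "path": "src/a.py"},
    {"tool": "bash", "command": "pytest tests/foo.py -x"},
    {"tool": "bash", "command": "curl -s https://api.anthropic.com/v1/messages"},
]
READ_TOOLS = {"read", "view", "grep", "glob"}
WRITE_TOOLS = {"write", "edit", "create"}

def collapse_paths(paths, threshold=3):
    """Replace a directory's files with dir/** once `threshold` distinct files share it."""
    by_dir = defaultdict(set)
    for p in paths:
        by_dir[str(PurePosixPath(p).parent)].add(p)
    out = set()
    for d, files in by_dir.items():
        # Root-level files stay literal (this sketch's choice): "**" would allow the whole tree.
        out.update({f"{d}/**"} if d != "." and len(files) >= threshold else files)
    return sorted(out)

def suggest_policy(events):
    reads, writes, commands, hosts = set(), set(), set(), set()
    for ev in events:
        if ev["tool"] in READ_TOOLS:
            reads.add(ev["path"])
        elif ev["tool"] in WRITE_TOOLS:
            writes.add(ev["path"])
        elif ev["tool"] == "bash":
            argv = shlex.split(ev["command"])
            if not argv:
                continue
            commands.add(f"{argv[0]} *")  # base executable plus wildcard arguments
            urls = [a for a in argv if "://" in a]
            hosts.update(h for h in (urlparse(u).hostname for u in urls) if h)
    return {
        "files": {"read": {"allow": collapse_paths(reads)},
                  "write": {"allow": collapse_paths(writes)}},
        "commands": {"allow": sorted(commands)},
        "network": {"deny_all": True, "allow": sorted(hosts)},
    }
```

On this constructed trace the single observed `curl` call becomes `curl *`, which is wider than what was seen, so read the collapsed entries before relying on the generated file.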