Metadata-Version: 2.4
Name: tripline
Version: 2.0.0
Summary: Runtime safety monitoring SDK for AI agents. Probe every boundary, enforce policies, block threats.
Project-URL: Homepage, https://github.com/tripwire-security/tripwire
Author: Tripwire Security
License-Expression: MIT
License-File: LICENSE
Keywords: agents,ai,guardrails,langchain,langgraph,llm,monitoring,safety,security
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Requires-Python: >=3.9
Requires-Dist: opentelemetry-api>=1.20.0
Requires-Dist: opentelemetry-sdk>=1.20.0
Requires-Dist: pyyaml>=6.0.1
Provides-Extra: bedrock
Requires-Dist: boto3; extra == 'bedrock'
Provides-Extra: crewai
Requires-Dist: crewai; extra == 'crewai'
Provides-Extra: dev
Requires-Dist: hypothesis; extra == 'dev'
Requires-Dist: pytest; extra == 'dev'
Requires-Dist: pytest-cov; extra == 'dev'
Provides-Extra: fuse
Requires-Dist: fusepy; extra == 'fuse'
Provides-Extra: langchain
Requires-Dist: langchain-core; extra == 'langchain'
Provides-Extra: langgraph
Requires-Dist: langgraph; extra == 'langgraph'
Provides-Extra: openai
Requires-Dist: openai; extra == 'openai'
Description-Content-Type: text/markdown

# Tripline

Runtime safety for AI coding agents. See everything your agent does. Block what it shouldn't.

```
"My Windsurf agent read my entire home directory while deploying infrastructure."
```

That's why this exists.

## Three Layers of Protection

| Layer | What it catches | Setup |
|---|---|---|
| **MCP Server** | All tool calls from the agent | One line in your MCP config |
| **FUSE Mount** | ALL file I/O (even built-in tools) | `tripline mount ~` |
| **Network Proxy** | Outbound HTTP/HTTPS (exfiltration) | `tripline net-proxy` |

Start with Layer 1. Add more when you want full coverage.

## Quick Start (30 seconds)

```bash
pip install tripline
tripline init
```

Add to your MCP config (`.kiro/settings/mcp.json`, `claude_desktop_config.json`, etc.):

```json
{
  "mcpServers": {
    "tripline-fs": {
      "command": "tripline",
      "args": ["serve", "--config", "tripline.yaml", "--allowed-dirs", "/path/to/your/project"]
    }
  }
}
```

Done. Every file operation goes through Tripline's safety layer.

## See What's Happening

```bash
tripline ui          # Web dashboard (localhost:8484)
tripline log         # Terminal event log
tripline log --stats # Summary
```

## What It Does

- **Directory confinement** — agent can't escape your project. Reads to `~/.ssh`, `~/.aws`? Blocked.
- **Risk classification** — `delete` = critical, `write` = high, `read` = medium
- **Deny paths** — always blocked, all modes, no exceptions (configurable via UI)
- **Pattern learning** — repeated safe operations get auto-approved (critical ops never learned)
- **Sensitive burst detection** — 3+ credential files read in 10s? Alert. 5+? Freeze.
- **PID capture** — know which process made each file access
- **Three operating modes** — Auto (observe + protect), Supervised (approve high-risk), Locked (block all)
- **Circuit breaker** — freeze or kill the agent from the dashboard

## Web Dashboard

```bash
tripline ui
```

Shows all events from all layers with colored source badges:
- 🔵 FUSE (filesystem)
- 🟣 MCP (tool calls)  
- 🟠 Network (HTTP/HTTPS)

Filter by source, risk level, or search. Click events for full detail. Settings tab to configure deny paths without editing YAML.

## Full Coverage (FUSE + Network)

For agents with built-in tools (Kiro, Cursor, Windsurf), the MCP server alone doesn't catch everything. Add FUSE for complete filesystem coverage:

```bash
# macOS: install macFUSE first (one-time)
brew install macfuse  # then approve kernel extension in System Settings

# Mount your project (or ~ for full coverage)
tripline mount . --target /tmp/tripline-view

# Add network monitoring
tripline net-proxy
```

## Works With

**Claude Desktop** · **Kiro** · **Claude Code** · **Windsurf** · **Cursor** · **OpenClaw** — anything that speaks MCP.

| Agent | MCP Server | FUSE | Coverage |
|---|---|---|---|
| Claude Desktop | ✅ 100% | Optional | Full — MCP-only agent |
| Kiro / Claude Code | ✅ MCP calls | ✅ Everything | Full with FUSE |
| Windsurf / Cursor | ✅ MCP calls | ✅ Everything | Full with FUSE |
| Custom agents | ✅ 100% | Optional | Full — if MCP-only |

## Example Output

```
[09:41:02] ✗ BLOCK     read_file    ~/.ssh/id_rsa
           ↳ deny_paths: blocked in all modes

[09:41:03] ⚠ HIGH      read_file    ./.env
           ↳ sensitive file — credential access flagged

[09:41:04] ✓ ALLOW     read_file    ./src/index.ts
           ↳ auto-approved: learned pattern

[09:41:05] ✗ BLOCK     symlink      /etc/passwd → ./link.txt
           ↳ symlink target escapes project root
```

## Configuration

`tripline init` generates this. Edit via the Settings tab in the dashboard, or directly:

```yaml
policies:
  allow_paths:
    - "./"
  deny_paths:
    - "~/.ssh"
    - "~/.aws"
    - "~/.gnupg"
    - "/etc"
  risk_levels:
    critical: [rm, delete, drop, truncate, destroy]
    high: [exec, shell, write, modify, install]
    medium: [create, read, list, search]
    low: [help, version, status]
  actions:
    critical: block
    high: countdown
    medium: allow
    low: allow

countdown_seconds: 3
learning:
  enabled: true
  threshold: 5

noise_filter:
  enabled: true
  exclude_processes: []
```

## CLI Reference

```
tripline init              # Generate config for your project
tripline serve             # MCP filesystem server (drop-in replacement)
tripline mount . --target  # FUSE filesystem overlay
tripline net-proxy         # HTTP/HTTPS network proxy
tripline ui                # Web dashboard (localhost:8484)
tripline wrap -- <cmd>     # Proxy mode (wrap another MCP server)
tripline log [--stats]     # View event log
tripline watch             # Live tail events
tripline report            # Session risk report
tripline scan              # False positive detection
tripline patterns          # View learned patterns
tripline baseline build    # Build behavioral baseline
```

## How It Catches Real Attacks

| Attack | How Tripline catches it |
|---|---|
| **Shai-Hulud npm worm** | Sensitive burst detection (credential scanning pattern) + network proxy blocks exfil to webhook.site |
| **Hugging Face typosquatting** | deny_paths blocks ~/.ssh, ~/.aws reads. FUSE catches even if agent uses absolute paths |
| **Prompt injection via MCP** | Injection detector scans tool responses for hidden instructions |
| **Supply chain (pip install)** | Confinement blocks post-install scripts from reading .env, .git/config |
| **OpenClaw credential dump** | Sensitive file reads flagged as HIGH risk, burst detection fires |
| **Data exfiltration** | Network proxy tracks cumulative outbound bytes, alerts on threshold |

## License

MIT
