# tripwire_guard
Optional deterministic honeytoken tripwires for compromise detection.
## What it mitigates
- Recon scans for sensitive-looking files
- Attempts to reference decoy environment tokens
- Early-stage exfil workflows before high-impact actions
## Recommended defaults

| Profile | enabled | onTrip |
|---|---|---|
| local | true for production | kill_switch |
| standard | opt-in for high-risk agents | deny or kill_switch |
| unbounded | optional | alert |
## Minimal config

```yaml
moduleConfig:
  tripwire_guard:
    enabled: true
    fileTokens:
      - "${workspace}/.tripwire/**"
    envTokens:
      - "RADIUS_TRIPWIRE_SECRET"
    onTrip: kill_switch
```
## Design guidance

- Place it after `fs_guard` so path canonicalization has already happened.
- Keep tripwire paths outside normal workflows; any hit should be suspicious.
- Start with `onTrip: alert` in rollout, then move to `deny` or `kill_switch`.
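The matching logic the minimal config and the design guidance describe, as an added illustration rather than the project's own implementation: file tokens are expanded with `${workspace}`, compiled as path globs where `**` crosses directory separators, and compared against a canonicalized path; env tokens are an exact-name set. The helper names, the dictionary shape and the sample paths are assumptions, and symlink resolution is assumed to have been done upstream by `fs_guard`.

```python
import posixpath
import re
from typing import Optional

# Constructed config mirroring the "Minimal config" section (hypothetical shape).
TRIPWIRE_CONFIG = {
    "enabled": True,
    "fileTokens": ["${workspace}/.tripwire/**"],
    "envTokens": ["RADIUS_TRIPWIRE_SECRET"],
    "onTrip": "kill_switch",
}


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a path glob: '**' may cross '/', while '*' and '?' may not."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def canonicalize(path: str, workspace: str) -> str:
    """Lexical canonicalization only (absolute path, '..' collapsed).
    Symlink resolution is assumed to have happened in fs_guard already."""
    return posixpath.normpath(posixpath.join(workspace, path))


def check_file_access(path: str, workspace: str, config=TRIPWIRE_CONFIG) -> Optional[str]:
    """Return the configured onTrip action if `path` hits a file token, else None."""
    if not config.get("enabled"):
        return None
    canon = canonicalize(path, workspace)
    for token in config["fileTokens"]:
        if glob_to_regex(token.replace("${workspace}", workspace)).match(canon):
            return config["onTrip"]
    return None


def check_env_reference(name: str, config=TRIPWIRE_CONFIG) -> Optional[str]:
    """Return the onTrip action if a decoy environment token is referenced."""
    if config.get("enabled") and name in set(config["envTokens"]):
        return config["onTrip"]
    return None
```

Matching the raw, non-canonical path `src/../.tripwire/keys.json` against the glob would miss, which is why the guidance places this module after `fs_guard`.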