v0.80.1 — 98 releases · 71 stars

strace for
AI agents

Every tool call, cost, and decision — captured at the hook layer. No proxy. No API key changes. Works with Claude Code, Cursor, LangGraph, and more.

71 stars on GitHub
~ agent-strace watch
cost $0.000 tokens 0 calls 0 live
auto-instrumentation for
Claude Code GitHub Copilot Cursor Windsurf OpenAI Codex LangGraph OpenAI SDK LiteLLM Anthropic SDK AWS Strands CrewAI Gemini CLI

Three layers. One install.

Observe what happened. Enforce what's allowed. Detect what's wrong.

01 / Observe

See every decision
your agent made

Captures at the hook layer — not the network layer. Your API keys never pass through Verio. Works with Claude Code hooks, Python decorators, and MCP record proxy.

  • Session timeline — Phase-by-phase view with wasted-spend callout
  • Cost breakdown — Per-provider, per-model, per-session — no gateway needed
  • Org-level report — Monthly digest for engineering leads and CTOs
  • Behavioral fingerprint — Detect regressions across model upgrades
agent-strace cost --breakdown provider
Cost breakdown — last 30 days
────────────────────────────────────────────────
Provider Model Sessions Cost Anthropic claude-opus-4-6 142 $38.21 Anthropic claude-sonnet-4 89 $12.44 OpenAI gpt-4o 34 $6.18 AWS Bedrock nova-pro-v1 8 $1.92 Gemini gemini-2.5-pro 21 $4.71
────────────────────────────────────────────────
Total · 294 sessions · $63.46
agent-strace lint
⚠ redundant-read src/auth.py read 4× in session abc123
⚠ context-saturation 91% fill at 1m 02s — compaction likely
✓ no tool-loop violations
✓ no reasoning-spiral detected
2 warnings · 0 errors · session abc123
.agent-scope.json
"allow": [
"read src/**",
"read tests/**",
"bash git *",
"bash pytest *"
],
"deny": [
"write /etc/**",
"bash rm -rf *",
"bash curl * | bash"
],
"human": ["write ~/.ssh/**"]
agent-strace policy backtest --days 30
Backtest — last 30 days (306 sessions, 4,821 tool calls)
──────────────────────────────────────────────────────
deny: write /etc/** matched 12 would block 12
deny: bash rm -rf * matched 1 would block 1
allow: read src/** matched 2,841 would allow 2,841
default (no rule) matched 1,523 uncovered
──────────────────────────────────────────────────────
coverage 68.4% would block: 13 calls safe to enforce ✓
02 / Enforce

Define what agents
are allowed to do

Write a policy file. Backtest it against 30 days of real session history before you enforce it. Know exactly what would have been blocked — before you flip the switch.

  • Policy backtest — Simulate against history — no surprises when you enforce
  • OpenFGA authorization — Relationship-based, not attribute-based like OPA/Rego
  • Human-in-the-loop — Pause for approval before sensitive tool calls
  • Policy coverage — Find tool calls with no explicit rule
03 / Detect

Catch threats before
they cause damage

Prompt injection, MCP tool poisoning, credential exposure, exfiltration patterns — all mapped to OWASP Agentic AI Top 10 and SOC 2 controls. No LLM calls required for detection.

  • MCP poisoning scan — Runtime detection of tool description manipulation
  • Anomaly detection — Behavioral baseline — flag sessions that deviate
  • Compliance report — SOC 2, OWASP Agentic Top 10, EU AI Act mapping
  • Secret redaction — On by default — credentials never appear in traces
agent-strace compliance-report --framework owasp-agentic
OWASP Agentic AI Top 10 — last 90 days
──────────────────────────────────────────────
#1 Prompt injection 2 flagged
#2 Insecure tool execution clean
#3 Excessive agency 1 flagged
#4 Credential exposure 1 flagged
#5 Data exfiltration clean
#6 Insecure MCP server clean
#7 Resource consumption 4 flagged
#8 Insufficient logging clean
#9 Insecure agent identity clean
#10 Supply chain compromise clean
──────────────────────────────────────────────
4 findings across 3 sessions review required
agent-strace audit-tools
Scanning for shadow AI tool usage...
⚠ cursor found in 3 repos — not in approved list
⚠ copilot found in 7 repos — not in approved list
✓ claude-code approved
2 unapproved tools · 10 repos scanned
New — Compaction Analysis

See what your agent
forgot mid-session

Claude Code, Cursor, and every other agent framework silently compacts context when the window fills. A constraint mentioned early gets dropped. The agent proceeds without it. Verio is the only tool that shows you exactly what was lost — and whether behavior changed after.

  • Token drop detection — Identifies compaction from input token signature — no LLM calls
  • Survived vs dropped — Reconstructs what the agent could see before and after
  • High-risk flag — Constraints, requirements, and decisions that didn't survive
  • Behavior diff — Did redundant reads or tool loops increase after compaction?
  • Pre-compaction checkpoint — Auto-snapshot at 80% fill — paste back into next session
agent-strace compaction abc123 --diff
Compaction events — session abc123
──────────────────────────────────────────────────────
Event #1 0m 42s 187,432 12,841 tokens 174,591 dropped (93%)
──────────────────────────────────────────────────────
Compaction #1 — context diff
──────────────────────────────────────────────────────
Survived in summary:
Task goal: "implement rate limiting"
Files modified: src/middleware.py, tests/test_rate.py
Current approach: token bucket algorithm
Likely dropped:
Constraint at event #3: "must be Redis-compatible"
Abandoned approach: fixed window (reason: memory cost)
Decision rationale: "avoid sliding window"
File read history: 4 files not in summary
⚠ High-risk drop: constraint "Redis-compatible" not in post-compaction context
agent-strace compaction abc123 --behavior-diff
Behavior change after compaction #1
──────────────────────────────────────────────────────
Before: 3 unique files, 0 redundant reads, linear progress
After: re-read 2 already-read files, re-explored src/
Lint delta (before → after):
redundant-read: 03
tool-loop: 01
verdict: behavior regressed after compaction — file-read history dropped

OSS core, forever free

The CLI never gets gated. Paid tiers add hosted infrastructure — not features.

OSS
Free
forever
  • Full CLI — all commands
  • Self-hosted collector
  • VS Code extension
  • GitHub Action (gha-v1)
  • Unlimited local storage
  • MIT license
pip install agent-strace
Most popular
Team
Coming soon
self-serve
  • Everything in OSS
  • Hosted collector — no infra
  • Web dashboard
  • Org-level report
  • Team cost attribution
  • Slack / Teams alerts
  • 30-day session retention
  • API key management
Join waitlist
Enterprise
Custom
contact us
  • Everything in Team
  • Compliance report (SOC 2, OWASP, EU AI Act)
  • CISO dashboard
  • Multi-tenant isolation
  • GDPR export
  • 90-day+ retention
  • SSO / SAML
  • SLA + dedicated support
  • On-prem / VPC option
Contact us

The CLI is MIT licensed and will always be free. No feature gates, ever. Read the source.

Start in 30 seconds

One install. No proxy. No API key changes.
Run your agent normally — Verio captures everything.

terminal
$ pip install agent-strace
$ agent-strace watch # run your agent normally
session captured · $0.031 · 2m 14s · 142 tool calls
$ agent-strace replay # see exactly what happened
$ agent-strace lint # catch loops, saturation, redundant reads
$ agent-strace cost --breakdown provider
Anthropic $38.21 · OpenAI $6.18 · Bedrock $1.92
View on GitHub See pricing