Anomaly Detection

The anomaly detector is a background watchdog that continuously monitors the audit trail for behavioral patterns that indicate a compromised, malfunctioning, or misbehaving agent.

Detection Rules

Four rules are currently implemented:

1. Volume Spike

Detects an unusually high number of tool invocations within a short time window for a single agent.

Trigger: More than N tool invocations in M seconds (configurable thresholds)
Response: volume_spike anomaly event, escalation to parent

2. Scope Creep

Detects repeated access-denied errors for a single agent, which may indicate capability probing or a prompt-injection attack attempting to discover what the agent can access.

Trigger: More than N access_denied audit entries in a short window
Response: scope_creep anomaly event, escalation to parent

3. Repeated Kernel Denials

Detects seccomp-BPF or AppArmor denials appearing in the audit trail, indicating an agent is pushing against its kernel-level sandbox.

Trigger: More than N kernel denial events
Response: kernel_denial_spike anomaly event, may trigger agent pause

4. Secret Probe / Canary Leak

Two sub-rules:

  • Secret probe: Agent attempts to use a secret it hasn't declared (secret.use:<name> not in capabilities)
  • Canary leak: A canary token (a fake secret value embedded in the store) appears in a tool result output

Trigger: secret_probe (attempt to resolve undeclared secret); canary_leak (canary value in scrubbed output)
Response: Immediate escalation, potential agent termination
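
The sliding-window check behind the Volume Spike and Scope Creep rules can be sketched as follows. This is an added example, not agentd's own code: the entry field names (ts, agent, kind), the tool_invoked entry kind, and every threshold value are assumptions, and the audit entries are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical rule table: audit entry kind -> (rule name, N, M seconds).
# "access_denied" is the entry kind named on this page; "tool_invoked" and
# every threshold value are assumptions made for this example.
RULES = {
    "tool_invoked": ("volume_spike", 20, 10),
    "access_denied": ("scope_creep", 4, 30),
}

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def detect(entries, rules=RULES):
    """Return (timestamp, agent, rule, detail) for each threshold crossing."""
    windows = defaultdict(deque)  # (agent, kind) -> timestamps still in window
    events = []
    for e in sorted(entries, key=lambda e: parse_ts(e["ts"])):
        if e["kind"] not in rules:
            continue
        rule, n, m = rules[e["kind"]]
        now = parse_ts(e["ts"])
        win = windows[(e["agent"], e["kind"])]
        win.append(now)
        # Evict timestamps that have fallen out of the M-second window.
        while (now - win[0]).total_seconds() > m:
            win.popleft()
        if len(win) > n:  # "more than N", so exactly N does not fire
            events.append((e["ts"], e["agent"], rule, f"{len(win)} entries in {m}s"))
            win.clear()  # re-arm: one event per burst, not one per extra entry
    return events

def sample_entries():
    # Constructed audit entries (not real agentd output).
    def mk(agent, kind, times):
        return [{"ts": f"2026-02-22T12:{t}Z", "agent": agent, "kind": kind} for t in times]
    return (mk("my-agent", "access_denied", ["34:30", "34:36", "34:42", "34:48", "34:56"])
            + mk("quiet-agent", "access_denied", ["34:31", "34:40", "34:50", "34:59"])
            + mk("slow-agent", "access_denied", ["30:00", "31:00", "32:00", "33:00", "34:00"])
            + mk("my-agent", "tool_invoked", ["34:33", "34:45"]))

if __name__ == "__main__":
    for event in detect(sample_entries()):
        print(*event, sep="  ")
```

Windows are kept per agent and per entry kind, so one agent's denials never count toward another's, and the same number of denials spread over several minutes does not fire.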

Viewing Anomaly Events

# Recent events (all agents)
ash anomaly list

# Filter by agent
ash anomaly list --agent <uuid>

# Show more
ash anomaly list --limit 50

Output:

TIMESTAMP              AGENT         RULE           DETAIL
2026-02-22T12:34:56Z   my-agent      scope_creep    5 denied calls in 30s
2026-02-22T12:35:01Z   my-agent      secret_probe   attempted secret: db-password

Anomaly Escalation

When an anomaly fires:

  1. An anomaly_detected entry is written to the audit trail
  2. An escalation message is published to scarab.escalation.<parent-agent-id>
  3. The parent agent receives it via pending_escalations()
  4. If unhandled, it bubbles to the root agent and then to the human

Canary Tokens

agentd embeds canary tokens in the secret store. These are fake secret values that are never legitimately used. If a canary value appears in a tool result (e.g., it leaked via a tool output), it indicates the secret scrubber may have been bypassed, or a tool is exfiltrating data.

Canary tokens are rotated periodically. Their values are never logged or shown to operators.