ARP
Agent Runtime Protection. Monitor and enforce security policies on AI agents at execution time.
ARP observes what AI agents do while they run -- tracking process spawning, outbound network connections, filesystem modifications, and prompt content. It operates as a lightweight sidecar that attaches to your agent process and streams structured security events in real time. When a policy violation is detected, ARP can log it, alert on it, or block the offending action entirely, depending on the configured enforcement mode.
Installation
```bash
# install via npm
npm install -g hackmyagent
# or via Homebrew
brew install opena2a-org/tap/hackmyagent
# start the runtime monitor
opena2a runtime start
```
What ARP Monitors
ARP provides six built-in monitors that cover the primary attack surfaces of AI agents running on developer workstations and in production environments:
- Process spawning -- detects unexpected child processes, shell escapes, and execution of unsigned binaries
- Network calls -- monitors outbound connections and flags communication with unknown endpoints or data exfiltration channels
- Filesystem access -- watches file creation, modification, and deletion in sensitive paths such as credential stores and configuration directories
- Prompt content -- intercepts prompts sent to AI models, logging them for audit and scanning for injection patterns
- MCP protocol traffic -- inspects communication between agents and MCP tool servers for policy violations
- A2A protocol traffic -- monitors agent-to-agent delegation and task handoff for unauthorized escalation
Configuration
ARP is configured via arp.yaml in the project root. Generate a default config:
```bash
opena2a runtime init
```
The generated file looks like this:
```yaml
# arp.yaml
project: my-agent
mode: monitor # monitor | adaptive | enforce
monitors:
  process:
    enabled: true
    intervalMs: 5000
  network:
    enabled: true
    intervalMs: 10000
  filesystem:
    enabled: true
  prompt:
    enabled: false
  mcp-protocol:
    enabled: false
  a2a-protocol:
    enabled: false
```
Enforcement Modes
The mode field in arp.yaml controls how ARP responds to detected violations:
| Mode | Behavior |
|---|---|
| monitor | Log-only. Events are recorded but no actions are blocked. Use during initial rollout to understand baseline behavior. |
| adaptive | Block high-severity violations (e.g., credential access, unknown outbound connections) while allowing low-severity events. Recommended for development. |
| enforce | Block all policy violations immediately. Suitable for production deployments with well-tested policies. |
Monitors
| Monitor | Description |
|---|---|
| Process | Tracks spawned processes, detects unexpected executables. |
| Network | Monitors outbound connections, detects data exfiltration channels. |
| Filesystem | Watches file creates/modifies/deletes in sensitive paths. |
| Prompt | Intercepts and logs AI model prompts for audit. |
| MCP Protocol | Monitors MCP server communication for policy violations. |
| A2A Protocol | Monitors agent-to-agent communication. |
Quick Start
```bash
# Generate default arp.yaml
opena2a runtime init
# Start monitoring in the current directory
opena2a runtime start
# View live events
opena2a runtime status
# Stop monitoring
opena2a runtime stop
```
Integration with Shield
ARP integrates with Shield to provide a combined static-and-runtime security posture. Shield analyzes agent configurations at rest, while ARP monitors behavior at execution time. Together, they provide continuous coverage across the full agent lifecycle.
Event Output
Events are logged to .opena2a/arp/events.jsonl in structured JSON Lines format. Each event includes a timestamp, monitor source, severity level, and contextual metadata. Use the --json flag with opena2a runtime status to consume events programmatically.
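As an added example (not code from the ARP project or its documentation), the script below consumes an events.jsonl file of the kind described here and replays the three enforcement modes from the Enforcement Modes section over it, so you can see which recorded events monitor mode would merely log, adaptive mode would block, and enforce mode would block. The event field names (ts, monitor, severity, violation, meta) and the severity values low/medium/high are assumptions; the page only promises a timestamp, monitor source, severity level and contextual metadata, so map the keys to whatever your events.jsonl actually contains. The sample lines are constructed, and the last one is deliberately truncated to show how a reader should cope with a log that is still being written.

```python
"""Consume an ARP-style events.jsonl file and replay the enforcement modes.

Added example, not part of the ARP project. Field names are assumptions:
ARP's docs only promise a timestamp, monitor source, severity and metadata.
"""
import json
from collections import Counter

# Constructed sample of what .opena2a/arp/events.jsonl might contain.
# The final line is deliberately cut off, as happens when a reader races
# the process that is appending to a live log file.
SAMPLE_JSONL = """\
{"ts": "2024-05-01T12:00:00Z", "monitor": "process", "severity": "low", "violation": false, "meta": {"cmd": "node agent.js"}}
{"ts": "2024-05-01T12:00:03Z", "monitor": "network", "severity": "low", "violation": false, "meta": {"host": "api.example.com"}}
{"ts": "2024-05-01T12:00:07Z", "monitor": "filesystem", "severity": "high", "violation": true, "meta": {"path": "/home/dev/.aws/credentials", "op": "read"}}
{"ts": "2024-05-01T12:00:09Z", "monitor": "network", "severity": "high", "violation": true, "meta": {"host": "unknown-host.example.net"}}
{"ts": "2024-05-01T12:00:11Z", "monitor": "process", "severity": "medium", "violation": true, "meta": {"cmd": "/bin/sh -c id"}}
{"ts": "2024-05-01T12:00:12Z", "monitor": "prompt", "sev
"""

REQUIRED = ("ts", "monitor", "severity", "violation", "meta")  # assumed schema
SEVERITIES = {"low", "medium", "high"}                            # assumed values


def parse_events(text):
    """Parse JSON Lines into event dicts; returns (events, skipped_count).

    Malformed or incomplete lines are counted and skipped instead of aborting
    the whole read, because a live-written JSONL file often ends mid-line.
    """
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not all(k in ev for k in REQUIRED) or ev["severity"] not in SEVERITIES:
            skipped += 1
            continue
        events.append(ev)
    return events, skipped


def decide(mode, event):
    """Map one event to the action the docs describe for each mode.

    monitor  -> log everything, block nothing
    adaptive -> block high-severity violations, log the rest
    enforce  -> block every violation
    Treating 'medium' as allowed under adaptive is an assumption; the docs
    only name high (blocked) and low (allowed).
    """
    if not event["violation"]:
        return "log"
    if mode == "monitor":
        return "log"
    if mode == "adaptive":
        return "block" if event["severity"] == "high" else "log"
    if mode == "enforce":
        return "block"
    raise ValueError(f"unknown mode: {mode}")


def blocked_under(events, mode):
    """Return the events that the given mode would have blocked."""
    return [ev for ev in events if decide(mode, ev) == "block"]


def summarize(events):
    """Count events per (monitor, severity) for a quick baseline view."""
    return Counter((ev["monitor"], ev["severity"]) for ev in events)


if __name__ == "__main__":
    events, skipped = parse_events(SAMPLE_JSONL)
    print(f"parsed {len(events)} events, skipped {skipped} malformed line(s)")
    for (monitor, sev), n in sorted(summarize(events).items()):
        print(f"  {monitor:<11}{sev:<7}{n}")
    for mode in ("monitor", "adaptive", "enforce"):
        blocked = blocked_under(events, mode)
        print(f"{mode}: would block {len(blocked)} -> "
              + ", ".join(f"{e['monitor']}/{e['severity']}" for e in blocked))
```

To run it against a real log, replace SAMPLE_JSONL with the contents of .opena2a/arp/events.jsonl (or the output of opena2a runtime status --json, whose exact shape this example does not assume). Replaying a monitor-mode log through decide() with mode set to "adaptive" or "enforce" is a cheap way to preview what switching modes would have blocked before you change arp.yaml.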