Guide: enforced mode

Enforced is the strictest of the three accountability modes. Passports are short-leash: TTL ties to the checkpoint interval, detectors auto-revoke on fire, and any delegation must preserve the mode. Use it for agents running against sensitive services or high-cost downstreams.

1. Enable on an agent

bash
curl -X PATCH https://api.getstack.run/v1/agents/agt_support_bot \
  -H "Authorization: Bearer $STACK_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "accountability_mode": "enforced" }'

2. TTL ties to checkpoint interval

In enforced mode, ttl_seconds is capped by checkpoint_interval_seconds. The passport dies at one interval and is only extended when a checkpoint is submitted.

text
ttl_actual = min(ttl_seconds, checkpoint_interval_seconds)

Presets:

  • frequent - 2 minutes (high-risk, real-money paths)
  • standard - 5 minutes (default)
  • relaxed - 15 minutes (long-running but still monitored)
  • marathon - 60 minutes (batch jobs)

3. Checkpoints extend the leash

Each successful checkpoint bumps the passport's exp forward by one interval. Miss one - by even a second - and the passport dies at the current expiry.

bash
curl -X POST https://api.getstack.run/v1/passports/pp_8f3a/checkpoint \
  -H "Authorization: Bearer $STACK_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "services_used": ["slack"],
    "actions_count": 2,
    "summary": "Fetched ticket context"
  }'
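
The leash rules from sections 2 and 3, as an added Python model for calibrating checkpoint cadence offline (not Stack's code or API). It assumes each accepted checkpoint moves exp exactly one interval past the current expiry and that a checkpoint arriving at or after exp is rejected; `simulate_leash` and its arguments are hypothetical names.

```python
# Added illustration: a local model of the enforced-mode leash.
# Times are seconds since the passport was issued (constructed sample values).

# Preset intervals as listed in this guide, in seconds.
PRESETS = {"frequent": 120, "standard": 300, "relaxed": 900, "marathon": 3600}


def ttl_actual(ttl_seconds, checkpoint_interval_seconds):
    """The cap from section 2: the requested TTL never exceeds one interval."""
    return min(ttl_seconds, checkpoint_interval_seconds)


def simulate_leash(ttl_seconds, preset, checkpoint_offsets):
    """Replay checkpoint submissions against the leash.

    Returns (death_offset, accepted, rejected):
      death_offset - when the passport finally expires
      accepted     - checkpoints that arrived before the current exp
      rejected     - checkpoints that arrived at or after exp (passport dead)
    """
    interval = PRESETS[preset]
    exp = ttl_actual(ttl_seconds, interval)
    accepted, rejected = [], []
    for t in sorted(checkpoint_offsets):
        if t < exp:
            # Assumption: the bump is relative to the current exp,
            # not to the checkpoint's arrival time.
            exp += interval
            accepted.append(t)
        else:
            # Missed the window: exp stays where it was, so every
            # later checkpoint is rejected as well.
            rejected.append(t)
    return exp, accepted, rejected


if __name__ == "__main__":
    # A one-hour TTL request on the "standard" preset still dies at 300 s
    # unless checkpoints arrive. The third checkpoint is one second late.
    death, ok, late = simulate_leash(3600, "standard", [240, 500, 901])
    print(f"passport dies at t={death}s; accepted={ok}; rejected={late}")
```
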

4. Detector auto-revoke

Real-time detector fires on enforced agents do not merely emit a security event - they call passport.revoke() with the detector's reason and cascade to delegated children. Shipped path today: scope_drift.

text
scope_drift fires with cumulative ≥ 2.00 or single-call novelty ≥ 0.80
  → securityEvent.record(signalType: "scope_drift", severity: "warning")
  → passport.revoke(jti, reason: "scope_drift_fire: ...")
  → redis.pub stack:revoked
  → next proxy call: 401 PASSPORT_REVOKED

5. Delegation cannot drop the mode

An enforced parent cannot delegate to a child whose agent is in logged or standard. The delegate call throws DELEGATION_ACCOUNTABILITY_VIOLATION and fires a delegation_downgrade security event at critical severity.

6. Checkout review is stricter

Post-hoc flags on enforced-mode checkouts are raised at critical severity where logged mode would emit warning. Checkouts with any critical flag move directly to blocked, which prevents the agent from issuing future passports until POST /v1/agents/:id/unblock.

Signals enforced mode raises

  • checkpoint_silence - missed checkpoint within interval
  • credential_burst - credential retrievals above threshold
  • credential_after_checkout - activity after checkout was submitted
  • scope_drift - behavioral drift from declared intent; auto-revokes on fire
  • delegation_without_intent - delegation when intent.will_delegate was not set
  • delegation_downgrade - child agent is in a looser mode
  • unauthorized_skill_access - skill outside skill_access_mode

Enforced mode is strict by design. Test your agent in logged mode first - same signals, no auto-revoke - so you can calibrate checkpoint cadence and intent accuracy before turning on the kill switch.

Related

  • /docs/guides/passport-lifecycle - full issue → checkpoint → checkout → review flow
  • /docs/concepts/detectors - full detector catalog and auto-revoke rules
  • /docs/concepts/revocation - cascade and Redis pub/sub

Three modes at a glance: enforced auto-revokes and blocks; logged emits the same signals but never auto-revokes; standard skips checkpoint requirements and review entirely.
