Tracehound

Deterministic Runtime Security Buffer for Modern Applications.

Tracehound is a decision-free security buffer that quarantines threats detected by external systems. It acts as a forensic substrate between traffic intake and business logic.

Documentation

• Getting Started - Installation and quick start
• Configuration Reference - All configuration options
• API Documentation - Complete API reference
• Roadmap - Development phases and timeline

Installation

npm install @tracehound/core
# or
pnpm add @tracehound/core

Quick Start

import { createTracehound } from '@tracehound/core'

const tracehound = createTracehound({
  licenseKey: process.env.TRACEHOUND_LICENSE_KEY,
})

// Intercept requests
const result = tracehound.agent.intercept(scent)

// Subscribe to events
tracehound.notifications.on('threat.detected', (event) => {
  console.log(`Threat: ${event.payload.category}`)
})

// Get security snapshot
const snapshot = tracehound.securityState?.snapshot()

Architecture

External Detector (WAF, SIEM, ML)
          │
          ▼
┌─────────────────────────────────────┐
│            TRACEHOUND               │
├─────────────────────────────────────┤
│  Agent         → Traffic orchestrator│
│  Quarantine    → Evidence buffer     │
│  AuditChain    → Tamper-evident log  │
│  HoundPool     → Sandboxed analysis  │
│  Scheduler     → Jittered background │
│  Notifications → Universal events    │
│  SecurityState → Unified metrics     │
└─────────────────────────────────────┘

Core Principles

1. Decision-Free: Tracehound does NOT detect threats. External detectors do.
2. Deterministic: No ML in hot path. All behavior is explainable.
3. Payload-Less: No raw payload exposure outside quarantine.
4. GC-Independent: Explicit lifecycle management.

Project Structure

• @tracehound/core: The core logic engine
• @tracehound/express: Express adapter
• @tracehound/fastify: Fastify adapter
• @tracehound/cli: CLI and TUI dashboard

RFCs

• RFC-0000: Core Architecture - Locked
• RFC-0001: Core SecurityState - ✅ Implemented
• RFC-0002: Argos - Draft
• RFC-0003: Talos - Draft
• RFC-0004: Muninn - Draft
• RFC-0005: Huginn - Draft
• RFC-0006: Heimdall - Draft
• RFC-0007: Loki - Draft
• RFC-0008: Rust Core Pivot - Draft

Security

See SECURITY.md for vulnerability reporting policy. See Security Audit Roadmap for audit plan.

License

Apache 2.0 (Substrate: OSS, Satellites: Commercial). See LICENSE and PRICING.md.