DEV Community: Teller The latest articles on DEV Community by Teller (@telleroutlook). https://dev.to/telleroutlook https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4003092%2F30ad18c6-c48c-467e-816b-ec60a5ba0c99.png DEV Community: Teller https://dev.to/telleroutlook en Trace-to-Training: how agent runs become learning data Teller Fri, 26 Jun 2026 01:50:39 +0000 https://dev.to/telleroutlook/trace-to-training-how-agent-runs-become-learning-data-31c4 https://dev.to/telleroutlook/trace-to-training-how-agent-runs-become-learning-data-31c4 <h1> Trace-to-Training: how agent runs become learning data </h1> <p>Every agent run is a data point. Most frameworks throw it away.</p> <p>WasmAgent keeps it — evaluated by the compliance engine, ranked by outcome, exported as a typed <code>ComplianceEvalRecord</code> ready for SFT or DPO training. No human labeling.</p> <h2> Three repair modes </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">ComplianceRun</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@wasmagent/compliance</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">run</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ComplianceRun</span><span class="p">({</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">full_pcl</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// "direct" | "prompt_retry" | "full_pcl"</span> <span class="na">taskSpec</span><span class="p">:</span> <span class="p">{</span> <span class="na">instruction</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Write a summary in exactly 3 bullet points.</span><span class="dl">"</span><span class="p">,</span> <span class="na">constraints</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">format</span><span class="dl">"</span><span class="p">,</span> <span class="na">rule</span><span class="p">:</span> <span class="dl">"</span><span class="s2">bullet_count</span><span class="dl">"</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="mi">3</span> <span class="p">}],</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">run</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nx">agent</span><span class="p">,</span> <span class="nx">input</span><span class="p">);</span> <span class="c1">// result.complianceEvalRecord → typed, versioned, schema-validated</span> </code></pre> </div> <p><strong><code>direct</code></strong> — one shot, record pass/fail.</p> <p><strong><code>prompt_retry</code></strong> — retry once with a rephrased prompt.</p> <p><strong><code>full_pcl</code></strong> — full repair loop: run → evaluate → patch/regenerate → re-evaluate → record the entire trace.</p> <h2> What the numbers show </h2> <p>IFEval × Qwen2.5-1.5B-Q4 (3 seeds × 50 samples):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Mode</th> <th>Pass rate</th> <th>Std dev</th> </tr> </thead> <tbody> <tr> <td>prompt_retry</td> <td>46.0%</td> <td>±2.0pp</td> </tr> <tr> <td><strong>full_pcl</strong></td> <td><strong>54.7%</strong></td> <td><strong>±1.2pp</strong></td> </tr> </tbody> </table></div> <p>+8.7pp. The variance drop (±2.0 → ±1.2) matters for production reliability.</p> <p>Reproduce: <code>bun packages/compliance/benchmarks/ifeval/run.ts --limit=50 --seed=42</code></p> <h2> The repair trace is the training data </h2> <p>When <code>full_pcl</code> repairs a failing output, <code>RepairPlanner</code> records every attempt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Inside ComplianceEvalRecord</span> <span class="nx">attempts</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">"</span><span class="s2">direct</span><span class="dl">"</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span><span class="p">,</span> <span class="na">passed</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="p">{</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">"</span><span class="s2">patch</span><span class="dl">"</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span><span class="p">,</span> <span class="na">passed</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="p">{</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">"</span><span class="s2">regenerate</span><span class="dl">"</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span><span class="p">,</span> <span class="na">passed</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">]</span> </code></pre> </div> <p>The full sequence — what failed, what was tried, what worked — is what feeds DPO training. The model learns from failure traces, not just final outputs.</p> <h2> Parallel rollouts for preference pairs </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">RolloutForkRunner</span><span class="p">,</span> <span class="nx">RolloutRanker</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@wasmagent/core</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">runner</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RolloutForkRunner</span><span class="p">({</span> <span class="na">forks</span><span class="p">:</span> <span class="mi">4</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">rollouts</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">runner</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nx">agent</span><span class="p">,</span> <span class="nx">input</span><span class="p">,</span> <span class="nx">taskSpec</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ranked</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RolloutRanker</span><span class="p">().</span><span class="nf">rank</span><span class="p">(</span><span class="nx">rollouts</span><span class="p">);</span> <span class="c1">// ranked[0] → chosen (SFT)</span> <span class="c1">// ranked[1..] → rejected (DPO pairs)</span> </code></pre> </div> <p>The compliance verifier is the reward signal. No human annotation.</p> <h2> Try it </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/WasmAgent/wasmagent-js bun <span class="nb">test </span>packages/compliance/ <span class="c"># 113 pass / 0 fail</span> </code></pre> </div> <p><strong>Code:</strong> <a href="https://github.com/WasmAgent/wasmagent-js/tree/main/packages/compliance" rel="noopener noreferrer">packages/compliance</a> · <a href="https://github.com/WasmAgent/wasmagent-js/tree/main/packages/core/src/enhancement" rel="noopener noreferrer">RolloutForkRunner</a> · <a href="https://github.com/WasmAgent/wasmagent-js/tree/main/packages/core/src/ranking" rel="noopener noreferrer">RolloutRanker</a></p> <p><em>Series: AEP (part 1) · MCP Trust Pack (part 2) · Trace-to-Training (part 3)</em></p> agents ai machinelearning typescript MCP Trust Pack: a security layer for MCP tool calls Teller Fri, 26 Jun 2026 01:50:09 +0000 https://dev.to/telleroutlook/mcp-trust-pack-a-security-layer-for-mcp-tool-calls-3c3o https://dev.to/telleroutlook/mcp-trust-pack-a-security-layer-for-mcp-tool-calls-3c3o <h1> MCP Trust Pack: a security layer for MCP tool calls </h1> <p>MCP makes it easy for agents to call tools. Too easy.</p> <p>When your agent calls <code>fs_write</code> or <code>shell_exec</code>, something needs to answer: is this allowed? Is this state-changing? Who authorized it? By default, MCP has no answer.</p> <p>Here's how to add that layer in ~20 lines.</p> <h2> MCPGateway: drop-in security layer </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">MCPGateway</span><span class="p">,</span> <span class="nx">buildServerCard</span><span class="p">,</span> <span class="nx">createRequestIdentity</span><span class="p">,</span> <span class="nx">isStateChangingTool</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@wasmagent/mcp-firewall</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Register the server at startup</span> <span class="kd">const</span> <span class="nx">card</span> <span class="o">=</span> <span class="nf">buildServerCard</span><span class="p">({</span> <span class="na">serverId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">filesystem</span><span class="dl">"</span><span class="p">,</span> <span class="na">tools</span><span class="p">:</span> <span class="k">await</span> <span class="nx">mcpClient</span><span class="p">.</span><span class="nf">listTools</span><span class="p">(),</span> <span class="na">operatorVerified</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">gateway</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">MCPGateway</span><span class="p">({</span> <span class="na">serverCards</span><span class="p">:</span> <span class="p">[</span><span class="nx">card</span><span class="p">]</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">identity</span> <span class="o">=</span> <span class="nf">createRequestIdentity</span><span class="p">({</span> <span class="na">principal</span><span class="p">:</span> <span class="dl">"</span><span class="s2">agent:run-abc123</span><span class="dl">"</span><span class="p">,</span> <span class="na">sessionId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sess-xyz</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Before every tool call:</span> <span class="kd">const</span> <span class="nx">decision</span> <span class="o">=</span> <span class="nx">gateway</span><span class="p">.</span><span class="nf">evaluate</span><span class="p">({</span> <span class="nx">identity</span><span class="p">,</span> <span class="na">serverId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">filesystem</span><span class="dl">"</span><span class="p">,</span> <span class="nx">tool</span><span class="p">,</span> <span class="nx">args</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">decision</span><span class="p">.</span><span class="nx">invocation</span><span class="p">.</span><span class="nx">decision</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">allow</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Blocked: </span><span class="p">${</span><span class="nx">decision</span><span class="p">.</span><span class="nx">invocation</span><span class="p">.</span><span class="nx">reason</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">mcpClient</span><span class="p">.</span><span class="nf">callTool</span><span class="p">(</span><span class="nx">tool</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">args</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">obs</span> <span class="o">=</span> <span class="nx">gateway</span><span class="p">.</span><span class="nf">wrapResult</span><span class="p">(</span><span class="nx">tool</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">result</span><span class="p">,</span> <span class="nx">decision</span><span class="p">);</span> <span class="c1">// marks trust level</span> </code></pre> </div> <p>Four layers run in <code>evaluate()</code>: vetting → policy → consent → taint. One call, full coverage.</p> <h2> State-changing tools are classified automatically </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">isStateChangingTool</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">fs_write</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">write a file</span><span class="dl">"</span> <span class="p">})</span> <span class="c1">// true</span> <span class="nf">isStateChangingTool</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">fs_read</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">read a file</span><span class="dl">"</span> <span class="p">})</span> <span class="c1">// false</span> <span class="nf">isStateChangingTool</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">send_email</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">send email</span><span class="dl">"</span> <span class="p">})</span> <span class="c1">// true</span> </code></pre> </div> <p>State-changing tools can be gated behind a <code>ScopeLease</code> — a time-bounded grant that expires:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createScopeLease</span><span class="p">,</span> <span class="nx">isScopeLeaseValid</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@wasmagent/mcp-firewall</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">lease</span> <span class="o">=</span> <span class="nf">createScopeLease</span><span class="p">({</span> <span class="na">principalHash</span><span class="p">:</span> <span class="nx">identity</span><span class="p">.</span><span class="nx">principalHash</span><span class="p">,</span> <span class="na">serverId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">filesystem</span><span class="dl">"</span><span class="p">,</span> <span class="na">grantedTools</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">fs_write</span><span class="dl">"</span><span class="p">],</span> <span class="na">ttlSeconds</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="c1">// 5 min</span> <span class="na">maxInvocations</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">stateChanging</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isScopeLeaseValid</span><span class="p">(</span><span class="nx">lease</span><span class="p">))</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Lease expired</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <h2> GatewayDecision feeds AEP directly </h2> <p>The decision's <code>evidenceRef</code> slots straight into <code>AEPEmitter</code> — no manual wiring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">emitter</span><span class="p">.</span><span class="nf">addAction</span><span class="p">({</span> <span class="na">tool_name</span><span class="p">:</span> <span class="nx">decision</span><span class="p">.</span><span class="nx">invocation</span><span class="p">.</span><span class="nx">toolName</span><span class="p">,</span> <span class="na">state_changing</span><span class="p">:</span> <span class="nx">decision</span><span class="p">.</span><span class="nx">stateChanging</span><span class="p">,</span> <span class="na">capability_decision</span><span class="p">:</span> <span class="p">{</span> <span class="na">decision</span><span class="p">:</span> <span class="nx">decision</span><span class="p">.</span><span class="nx">invocation</span><span class="p">.</span><span class="nx">decision</span><span class="p">,</span> <span class="na">reason_code</span><span class="p">:</span> <span class="nx">decision</span><span class="p">.</span><span class="nx">evidenceRef</span><span class="p">.</span><span class="nx">policyDecision</span><span class="p">,</span> <span class="p">},</span> <span class="na">tool_descriptor_digest</span><span class="p">:</span> <span class="nx">decision</span><span class="p">.</span><span class="nx">evidenceRef</span><span class="p">.</span><span class="nx">toolManifestDigest</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> Try it </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/WasmAgent/wasmagent-js bun <span class="nb">test </span>packages/mcp-firewall/ </code></pre> </div> <p><strong>Code:</strong> <a href="https://github.com/WasmAgent/wasmagent-js/tree/main/packages/mcp-firewall" rel="noopener noreferrer">packages/mcp-firewall</a> · <a href="https://github.com/WasmAgent/wasmagent-js/tree/main/packages/mcp-gateway" rel="noopener noreferrer">packages/mcp-gateway</a></p> <p><em>Series: AEP (part 1) · MCP Trust Pack (part 2) · Trace-to-Training (part 3)</em></p> agents mcp security typescript Your AI agent called a tool. Can you prove it followed the rules? Teller Fri, 26 Jun 2026 01:26:57 +0000 https://dev.to/telleroutlook/your-ai-agent-called-a-tool-can-you-prove-it-followed-the-rules-2bgn https://dev.to/telleroutlook/your-ai-agent-called-a-tool-can-you-prove-it-followed-the-rules-2bgn <h1> Your AI agent called a tool. Can you prove it followed the rules? </h1> <p>Your agent just wrote a file. You have logs. But can you answer this:</p> <blockquote> <p>Was the policy gate applied <em>before</em> the tool ran — or after?</p> </blockquote> <p>Logs can't tell you that. Here's how we solved it.</p> <h2> The gap in current agent frameworks </h2> <p>Most frameworks give you a log line like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[2026-07-07T09:00:01Z] tool:fs_write path=/tmp/report.txt status=ok </code></pre> </div> <p>That tells you the tool ran. It doesn't tell you:</p> <ul> <li>Whether a policy evaluated the call first</li> <li>What the pre-state looked like before the write</li> <li>Whether the agent was within its token and risk budget</li> <li>Which agent in a delegation chain authorized this</li> </ul> <p>For a hobby project, that's fine. For anything touching real data, it's not.</p> <h2> AEP: structured proof, not a log stream </h2> <p>WasmAgent's <code>@wasmagent/aep</code> package records every tool call as an <code>ActionEvidence</code> object — Zod-validated, schema-versioned, with pre/post state digests baked in.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AEPEmitter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@wasmagent/aep</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">emitter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AEPEmitter</span><span class="p">({</span> <span class="na">run_id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">run-abc123</span><span class="dl">"</span><span class="p">,</span> <span class="na">repo_commit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">5c1102f</span><span class="dl">"</span><span class="p">,</span> <span class="na">model_id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">claude-sonnet-4-6</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Before tool execution:</span> <span class="nx">emitter</span><span class="p">.</span><span class="nf">addAction</span><span class="p">({</span> <span class="na">tool_name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">fs_write</span><span class="dl">"</span><span class="p">,</span> <span class="na">state_changing</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">capability_decision</span><span class="p">:</span> <span class="p">{</span> <span class="na">capability</span><span class="p">:</span> <span class="dl">"</span><span class="s2">fs_write</span><span class="dl">"</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="dl">"</span><span class="s2">agent:run-abc123</span><span class="dl">"</span><span class="p">,</span> <span class="na">resource</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/tmp/report.txt</span><span class="dl">"</span><span class="p">,</span> <span class="na">decision</span><span class="p">:</span> <span class="dl">"</span><span class="s2">allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">reason_code</span><span class="p">:</span> <span class="dl">"</span><span class="s2">policy:default-v1</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">precondition_digest</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sha256:a1b2c3...</span><span class="dl">"</span><span class="p">,</span> <span class="na">input_taint_labels</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">user_provided</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> <span class="c1">// After tool execution:</span> <span class="nx">emitter</span><span class="p">.</span><span class="nf">addAction</span><span class="p">({</span> <span class="na">tool_name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">fs_write</span><span class="dl">"</span><span class="p">,</span> <span class="na">state_changing</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">post_state_digest</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sha256:d4e5f6...</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="nx">emitter</span><span class="p">.</span><span class="nf">setBudgetLedger</span><span class="p">({</span> <span class="na">token_budget</span><span class="p">:</span> <span class="p">{</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">4000</span><span class="p">,</span> <span class="na">spent</span><span class="p">:</span> <span class="mi">142</span> <span class="p">},</span> <span class="na">risk_budget</span><span class="p">:</span> <span class="p">{</span> <span class="na">limit</span><span class="p">:</span> <span class="mf">1.0</span><span class="p">,</span> <span class="na">spent</span><span class="p">:</span> <span class="mf">0.2</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">record</span> <span class="o">=</span> <span class="nx">emitter</span><span class="p">.</span><span class="nf">build</span><span class="p">();</span> </code></pre> </div> <p>The <code>capability_decision</code> is part of the same record as the action — not a separate log entry that could be reordered or dropped.</p> <h2> OTel spans for everything else </h2> <p>For real-time observability, AEP also emits named OpenTelemetry spans:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AEP_SPAN_NAMES</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@wasmagent/otel-exporter</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Plug into any OTel collector:</span> <span class="nx">AEP_SPAN_NAMES</span><span class="p">.</span><span class="nx">TOOL_CALL</span> <span class="c1">// "tool.call"</span> <span class="nx">AEP_SPAN_NAMES</span><span class="p">.</span><span class="nx">POLICY_CHECK</span> <span class="c1">// "policy.check"</span> <span class="nx">AEP_SPAN_NAMES</span><span class="p">.</span><span class="nx">SANDBOX_EXEC</span> <span class="c1">// "sandbox.exec"</span> <span class="nx">AEP_SPAN_NAMES</span><span class="p">.</span><span class="nx">VERIFIER_CHECK</span> <span class="c1">// "verifier.check"</span> <span class="nx">AEP_SPAN_NAMES</span><span class="p">.</span><span class="nx">LLM_GENERATE</span> <span class="c1">// "llm.generate"</span> <span class="nx">AEP_SPAN_NAMES</span><span class="p">.</span><span class="nx">MCP_REQUEST</span> <span class="c1">// "mcp.request"</span> <span class="c1">// + 3 more</span> </code></pre> </div> <p>The spans go to Grafana/Jaeger/etc. The <code>AEPRecord</code> is what you keep for audit and training data.</p> <h2> Multi-agent: delegation chain </h2> <p>In a single-agent setup, this is useful. In a multi-agent setup — orchestrator delegates to a subagent — it becomes essential:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">run_context</span><span class="p">:</span> <span class="p">{</span> <span class="nl">agent_id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">orchestrator</span><span class="dl">"</span><span class="p">,</span> <span class="nx">subagent_id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">coder-agent</span><span class="dl">"</span><span class="p">,</span> <span class="nx">delegation_chain</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">orchestrator</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">planner</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">coder-agent</span><span class="dl">"</span><span class="p">],</span> <span class="nx">scope_lease_id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lease-xyz</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// ← subagent can only do what parent granted</span> <span class="p">}</span> </code></pre> </div> <h2> Try it </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/WasmAgent/wasmagent-js bun <span class="nb">test </span>packages/aep/src/ </code></pre> </div> <p><strong>Next in this series:</strong> MCP Trust Pack — the gateway layer that enforces policy before tools execute.</p> <p><strong>Code:</strong> <a href="https://github.com/WasmAgent/wasmagent-js/tree/main/packages/aep" rel="noopener noreferrer">packages/aep</a> · <a href="https://github.com/WasmAgent/wasmagent-js/tree/main/packages/otel-exporter" rel="noopener noreferrer">packages/otel-exporter</a></p> agents ai architecture security