- Review prompts, reasoning, all tool calls (MCP and local), and model responses in one timeline
- See tool scanner outcomes for each tool call, including pass, alert, mask, and block decisions
- Detect unsafe agent trajectory with AgentGuard, including prompt injection, reasoning drift, and multi-step manipulation
- Enforce tool scanner and AgentGuard decisions across the rest of the session
- Apply session policies for data isolation and protection against session-based attacks like privilege drift and cross-context access
Sessions are short-term operational monitoring data. Audit Logs remain the long-term system of record for policy decisions, security events, and administrative activity.
How Sessions work
Sessions are built from several event sources:- Client hooks send AI IDE and CLI activity from Cursor, VS Code, Claude Code, GitHub Copilot CLI, Codex, Hermes, and Goose
- OTLP telemetry sends Claude Cowork session events directly from Anthropic’s infrastructure
- Runlayer Agents stream run activity into the same session model
- Tool scanners add scan results for every MCP and local tool call — shell, file, web, and other client-local operations
- Compliance imports bring supported web chat activity in for monitor-only review
- Identity — user, client, status, timestamps, and source
- Prompt context — initial prompt and topic when available
- Timeline — prompts, thoughts, responses, tool inputs, tool outputs, errors, and subagent activity
- Tool usage — tools called, connected servers, and failures
- Security results — tool scanner passes, warnings, alerts, masked content, and blocks
- AgentGuard turns — agent trajectory analysis across prompt, reasoning, tool output, and follow-up reasoning
- External links — provider links for imported web chat sessions when available
Set up Sessions
Enable Full session scanning
Go to Settings → General → Full session scanning.Turn on Full session scanning APIs. This allows Runlayer to accept detailed session events from hooks and first-party agents.
Choose the clients to monitor
Under Hook clients, enable each client or source you want to record in Sessions, such as Cursor, VS Code, Claude Code, GitHub Copilot CLI, Codex, Hermes, Goose, Claude Cowork, Runlayer Agents, or the Hooks SDK (TypeScript or Python).Leave a client off if you do not want its prompts, reasoning, tool inputs, and tool outputs collected.
Install client hooks or configure OTLP
For IDE or CLI clients, install or reinstall hooks. For Sessions, pass For MDM deployments, the bootstrap installs the full session hook set by default — no script edit needed. See Deploy AI Watch for the
--event-hooks (or the --all-events alias) so hooks send full session telemetry, not just shadow MCP enforcement.Shadow MCP source blocking can run without full session telemetry. Local tool lifecycle scanning requires Full session scanning APIs and the target Hook client to be enabled.Sessions package flag; set it to false only if you want enforcement hooks without session telemetry.For Claude Cowork, configure OTLP monitoring to send session events. See Claude Cowork monitoring for setup.Configure scanners
Under Settings → Security Scanners, tune catalog and per-call tool scanners, then configure AgentGuard and the session kill switch.
Hook integrations
Hooks are the real-time source for IDE sessions. They capture both MCP tool calls and local tool activity, so Sessions show shell commands, file reads and writes, web fetches, and other client-local operations alongside MCP activity. For custom agents, the Hooks SDK (TypeScript or Python) sends the same lifecycle and tool events through the hook pipeline.Enforce is the guide for supported hook clients and manual hook flags. Deploy AI Watch is the canonical guide for MDM package configuration, including the
Sessions flag. Enforce and Sessions are separate controls: Enforce hooks can block unmanaged Shadow MCPs as soon as they are installed, while full session scanning records detailed prompts, reasoning, tool calls, and scanner results in Sessions.Reviewing Sessions
The Sessions page groups activity into security-focused tabs:- All shows every session visible to you.
- Alerted shows sessions where scanners or policies recorded warning-level activity.
- Blocked shows sessions where Runlayer blocked an action.
AgentGuard
AgentGuard is Runlayer’s session-level behavior monitoring. It looks across the agent’s trajectory — prompt, reasoning, tool output, follow-up reasoning — to detect output-steering injection, sudden reasoning pivots, and slow-chain drift that single-call scanners miss. In the Sessions timeline, AgentGuard results appear as session turns. Configure Agent monitoring and the session kill switch on the AgentGuard page.Session policies
Session policies enforce data isolation and defend against session-based attacks — privilege drift, cross-context access, and tool calls that switch resources mid-session. They build on session payload tracking and are configured as connector or agent Policies.Web chat and compliance imports
Some providers expose compliance APIs for reviewing web chat activity. When configured, Runlayer can import supported chat sessions into the Sessions view. Imported web sessions are monitor only:- They appear in Sessions for review and investigation
- They can include provider links when available
- They do not support real-time blocking because the chat already happened
Privacy and access
Sessions can contain prompts, reasoning, tool inputs, and tool outputs. Treat them as sensitive operational data. Workspace settings may redact session content for users who are not allowed to view another user’s activity. Admins with the required permission can view unredacted session content when needed for investigation.Recommended rollout
Sessions work best when enabled gradually — observe first, then enforce, then expand. The same phased approach applies when moving from a pilot to org-wide deployment:- Start with admins and security reviewers. Enable Full session scanning and hooks for a small pilot group before adding broader teams.
- Enable session privacy if your workspace expects user-level confidentiality (see Privacy and access).
- Use Alert mode before Block mode for new tool scanners and AgentGuard. Alert mode logs detections without blocking, so you can tune sensitivity on real traffic before enforcing.
- Roll out policies gradually — start with deny-all and grant exceptions as legitimate usage patterns emerge.
- Verify agents in the Playground and tighten prompt/tool scope before broad rollout.
- Review blocked and alerted sessions daily during rollout. Use the Alerted and Blocked tabs to triage, and rely on Audit Logs as the long-term record of policy decisions and security events.
- Expand client coverage — once the pilot group’s alerts are quiet and scanner settings are tuned, enable additional Hook clients and move to managed MDM deployment for the rest of the org.
Troubleshooting
No sessions appear
Start with Set up Sessions. Empty Sessions usually mean Full session scanning is off, the source is not enabled, hooks were not installed in event mode, or the AI client was not restarted after hook installation or MDM redeployment. Also check that the user is logged in withrunlayer login.
Enforce blocks shadow MCPs, but Sessions are empty
Enforce and Sessions are separate. Shadow MCP blocking can work without full session telemetry. Complete Set up Sessions. For managed deployments, confirm theSessions package flag is unset or true (see Deploy AI Watch), wait for the next bootstrap tick, then restart the AI client.
Hook commands cannot find runlayer
Install the CLI permanently and restart the AI client:
AgentGuard options are missing
See AgentGuard → Requirements.Related docs
Enforce
Install hooks for Cursor, VS Code, Claude Code, GitHub Copilot CLI, Codex, Hermes, and Goose
ToolGuard Models
Configure per-call tool scanners and model sensitivity
AgentGuard
Session-level behavior monitoring across the agent trajectory
Policies
Restrict tools using access policies
Claude Cowork monitoring
Send Cowork session events via OTLP