Behavioral security layer for NVIDIA OpenShell.
OpenShell controls what your agent can touch.
Zetra controls what your agent is allowed to decide.
OpenShell enforces at the infrastructure layer — filesystem, network, process boundaries. It cannot see what an agent is deciding across a session.
Zetra analyzes behavioral sequences — the multi-step decision paths that infrastructure controls cannot see. When a pattern matches a known attack sequence, Zetra emits a DetectionFindingEvent [OCSF 2004] and hot-reloads a blocking policy into OpenShell before the next action executes.
- Consumes OpenShell's OCSF event stream (NetworkActivityEvent [4001], ProcessActivityEvent [1007])
- Builds a DFS behavioral graph across the live session
- Detects known attack sequences in real time
- Emits DetectionFindingEvent [2004] — natively compatible with any OCSF-compatible SIEM
- Hot-reloads blocking policy into OpenShell
- OpenShell installed and running
- Rust 1.88+
- A running OpenShell sandbox
```bash
cargo add zetra-openshell
```

```bash
# Start monitoring a sandbox
zetra monitor --sandbox <sandbox-id>
# View behavioral graph for a running session
zetra graph --sandbox <sandbox-id>
# Show current BES score
zetra score --sandbox <sandbox-id>
```

```
[ZETRA] Monitoring sandbox abc123...
[ZETRA] Ingested: process.spawn → network.egress → file.write
[ZETRA] PATTERN DETECTED: exfiltration sequence
[ZETRA] Emitting DetectionFindingEvent [2004]
[ZETRA] Policy hot-reloaded → egress blocked
```
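The sequence matching described above, as an added example (not Zetra's own code, and not its patent-pending DFS graph method): a per-sandbox ordered-subsequence matcher for the `process.spawn → network.egress → file.write` pattern from the sample output. The `Detector`, `Finding` and `scan` names and the string-labelled events are assumptions for illustration; real input would be OpenShell's OCSF events.

```rust
use std::collections::HashMap;
// OCSF class_uid for Detection Finding, as cited on this page.
const DETECTION_FINDING: u32 = 2004;
// Pattern taken from the sample output above; the string labels are assumptions.
const EXFIL: [&str; 3] = ["process.spawn", "network.egress", "file.write"];

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub class_uid: u32,
    pub sandbox: String,
    pub evidence: Vec<usize>, // stream positions of the matched events
}

/// Hypothetical detector: per sandbox, the positions matched so far.
#[derive(Default)]
pub struct Detector {
    progress: HashMap<String, Vec<usize>>,
}

impl Detector {
    /// Feed one event; returns a finding when the last pattern step lands.
    pub fn ingest(&mut self, pos: usize, sandbox: &str, action: &str) -> Option<Finding> {
        let seen = self.progress.entry(sandbox.to_string()).or_default();
        if action != EXFIL[seen.len()] {
            return None; // unrelated events may interleave; progress is kept
        }
        seen.push(pos);
        if seen.len() < EXFIL.len() {
            return None;
        }
        let evidence = std::mem::take(seen); // reset so a repeat is reported again
        Some(Finding { class_uid: DETECTION_FINDING, sandbox: sandbox.to_string(), evidence })
    }
}

/// Runs a whole stream of (sandbox, action) pairs through one detector.
pub fn scan(stream: &[(&str, &str)]) -> Vec<Finding> {
    let mut d = Detector::default();
    stream.iter().enumerate().filter_map(|(i, (sb, act))| d.ingest(i, sb, act)).collect()
}

fn main() {
    // Constructed sample: two sandboxes interleaved; only abc123 completes the sequence.
    let stream = [
        ("abc123", "process.spawn"), ("def456", "network.egress"), ("abc123", "file.read"),
        ("abc123", "network.egress"), ("def456", "file.write"), ("abc123", "file.write"),
    ];
    for f in scan(&stream) { println!("{:?}", f); }
}
```

Keying progress by sandbox keeps events from one session from completing a pattern started in another, and the ordered match means the same three actions in a different order produce no finding.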
```
Agent (OpenClaw, Claude Code, etc.)
        ↓ actions
OpenShell
  • Filesystem enforcement
  • Network enforcement
  • Process enforcement
  • OCSF event stream ──────────→ Zetra
  • Policy hot-reload ←────────── Zetra
                                  (behavioral graph +
                                   pattern detection +
                                   BES scoring)
```
- CrowdStrike announced "intent-aware controls" at GTC 2026 — listed as in progress
- TrendAI identified agent decision logic as unaddressed in their OpenShell integration
- Futurum analysts stated OpenShell needs a governance layer beyond runtime enforcement
Zetra is that layer.
Zetra uses the same philosophy as OpenShell: agent-assisted, human-accountable.
You may use AI to write code. You must be able to explain every line you submit. PRs where the author cannot answer basic questions about their changes will be closed.
- Read the architecture section above
- Run `cargo test` and ensure all tests pass
- Run `cargo clippy -- -D warnings` with zero warnings
- Run `cargo fmt --check` with no formatting issues
This project uses Conventional Commits:
feat(graph): add cross-session behavioral continuity
fix(ocsf): correct NetworkActivityEvent field mapping
docs: update quickstart with sandbox ID flag
- New attack pattern definitions in `src/patterns/`
- OCSF event class support expansions
- Performance improvements to the graph traversal
- Integration examples for specific agent types
- Bug fixes with clear reproduction steps
- AI-generated code the author cannot explain
- PRs without tests
- Changes to core graph methodology without discussion first — this is patent-pending IP
Bug reports should include:
- OpenShell version
- Zetra version
- The OCSF event sequence that triggered the issue
- Expected vs actual behavior
Feature requests should explain the behavioral security use case, not just the technical change.
Core DFS-based behavioral graph methodology is patent-pending.
Apache 2.0 — see LICENSE file.
Built on top of openshell-ocsf (PR #489). Follows OCSF v1.7.0.