kavachOS

Privilege analyzer

Detect over-permissioned agents and permission conflicts.

The privilege analyzer scans agent permissions to find over-privileged agents, unused permissions, and potential security issues.

Usage

const analysis = await kavach.analyzer.analyzeAgent(agentId);

console.log(analysis.overPrivileged);  // permissions broader than needed
console.log(analysis.unusedPermissions); // granted but never exercised
console.log(analysis.riskScore);       // 0-100 risk assessment
console.log(analysis.recommendations); // suggested permission changes

Scan all agents

const report = await kavach.analyzer.scanAll();

for (const finding of report.findings) {
  console.log(`${finding.agentId}: ${finding.type} - ${finding.description}`);
}

Finding types

Type                Description
over-privileged     Agent has broader permissions than its actual usage
wildcard-risk       Agent uses a * wildcard on sensitive resources
unused-permission   Permission granted but never used in the audit trail
stale-agent         Agent hasn't been used in 30+ days
no-expiry           Agent has no expiration date set
deep-delegation     Delegation chain depth exceeds the recommended limit

Configuration

const kavach = await createKavach({
  analyzer: {
    unusedThresholdDays: 30,  // flag permissions unused for 30+ days
    maxRecommendedDepth: 3,   // flag delegation chains deeper than 3
    wildcardWarning: true,    // flag wildcard permissions
  },
});

The analyzer derives usage from the audit trail, so enable auditAll: true in the agent config for accurate unused-permission detection.
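To show how the finding types and thresholds above combine, here is an added, stand-alone illustration that derives findings and a risk score from an agent's grants, audit trail and delegation depth. It is not kavachOS's analyzer: the record shapes, the sensitive-resource list, the score weights and the sample agent are assumptions constructed for this example, and over-privileged is left out because the page does not specify its usage model.

```javascript
// Added illustration, NOT kavachOS's own implementation. Record shapes,
// SENSITIVE, WEIGHTS and the sample data below are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const SENSITIVE = new Set(["secrets", "credentials"]);           // assumed
const WEIGHTS = { "unused-permission": 10, "wildcard-risk": 25,  // assumed
  "stale-agent": 15, "no-expiry": 15, "deep-delegation": 20 };

// Constructed sample agent record and analyzer config (not real data).
const NOW = Date.parse("2024-06-30T00:00:00Z");
const sampleAgent = {
  agentId: "agent-demo",
  permissions: ["files:read", "files:write", "secrets:*"],
  expiresAt: null,                 // no expiration date set
  delegationDepth: 4,              // four hops of delegation above this agent
  auditTrail: [                    // what the agent actually exercised
    { permission: "files:read", at: "2024-06-29T12:00:00Z" },
    { permission: "files:read", at: "2024-05-01T12:00:00Z" },
  ],
};
const sampleConfig = { unusedThresholdDays: 30, maxRecommendedDepth: 3, wildcardWarning: true };

// "*" alone, "*:*", or "<sensitive-resource>:*" counts as a risky wildcard.
function isSensitiveWildcard(perm) {
  const [resource, action] = perm.split(":");
  return perm === "*" || (action === "*" && (resource === "*" || SENSITIVE.has(resource)));
}

function analyzeAgent(agent, config, now = NOW) {
  const findings = [];
  const add = (type, description) => findings.push({ agentId: agent.agentId, type, description });
  // Most recent use of each permission, taken from the audit trail.
  const lastUse = new Map();
  for (const { permission, at } of agent.auditTrail) {
    const t = Date.parse(at);
    if (t > (lastUse.get(permission) ?? -Infinity)) lastUse.set(permission, t);
  }
  const cutoff = now - config.unusedThresholdDays * DAY_MS;
  for (const p of agent.permissions) {
    if ((lastUse.get(p) ?? -Infinity) < cutoff) add("unused-permission", `${p} unused for ${config.unusedThresholdDays}+ days`);
    if (config.wildcardWarning && isSensitiveWildcard(p)) add("wildcard-risk", `${p} is a wildcard on a sensitive resource`);
  }
  if (Math.max(-Infinity, ...lastUse.values()) < cutoff) add("stale-agent", "no audit activity within threshold");
  if (!agent.expiresAt) add("no-expiry", "agent has no expiration date set");
  if (agent.delegationDepth > config.maxRecommendedDepth) add("deep-delegation", `depth ${agent.delegationDepth} exceeds ${config.maxRecommendedDepth}`);
  // Risk score: weighted sum of findings, clipped to the 0-100 range.
  const riskScore = Math.min(100, findings.reduce((s, f) => s + WEIGHTS[f.type], 0));
  return { findings, riskScore };
}

for (const f of analyzeAgent(sampleAgent, sampleConfig).findings) console.log(`${f.agentId}: ${f.type} - ${f.description}`);
```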
