Interceptor

The interceptor is a transparent network proxy that captures every HTTP and HTTPS request during a run. You get a structured record of what the agent contacted, what it sent, and what came back.

The agent is unaware of the interceptor. No code changes, no configuration inside the guest.

What it captures

Each captured flow includes:

  • Request. Method, URL, headers, body.
  • Response. Status code, headers, body, timing.
  • TLS metadata. Server name (SNI), protocol version.

Flows are written to flows.jsonl in the job's working directory. One JSON object per line, parseable by any tool.

How it works

  1. A job starts with interception enabled.
  2. The runtime starts a TLS proxy and generates a short-lived CA certificate.
  3. The CA cert is shared into the guest VM through a filesystem mount. The guest trusts it automatically.
  4. All outbound traffic routes through the proxy. The proxy decrypts, records, and forwards each request.
  5. When the job completes, the runtime counts and summarizes the intercepted flows.
  6. Flows are ingested into CIR as network_flow signals, queryable like any other signal.

The proxy supports HTTP/1.1, HTTP/2, HTTP/3, and mutual TLS.

CIR integration

Each flow becomes a CIR signal with type network_flow. Fields include method, URL, response status, timing, and TLS server name. You can query them like any other signal:

mentu cir query --type network_flow

Denied domain requests also produce sandbox violation signals.

Domain control

Sandbox profiles support allowlists and denylists. If a domain is denied, the request is blocked and a violation signal is captured.

{
  "sandbox": {
    "allowedDomains": ["api.anthropic.com", "github.com"],
    "deniedDomains": ["*.example.com"]
  }
}
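
An offline audit of flows.jsonl against the profile above, as an added example that is not Mentu's own code. The flow field names (`url`, `sni`, `status`), the glob semantics for `*.example.com`, and the sample lines are assumptions, since the page does not document the file schema or the matching rules.

```python
import json
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Profile values copied from the page's example.
PROFILE = {"sandbox": {"allowedDomains": ["api.anthropic.com", "github.com"],
                       "deniedDomains": ["*.example.com"]}}

# Constructed sample lines. Field names are assumed, not the documented schema.
SAMPLE = """\
{"method": "POST", "url": "https://api.anthropic.com/v1/messages", "sni": "api.anthropic.com", "status": 200}
{"method": "GET", "url": "https://files.example.com/a.tgz", "sni": "files.example.com", "status": 0}
{"method": "GET", "url": "https://pypi.org/simple/", "sni": "pypi.org", "status": 200}
{"method": "GET", "url": "https://github.com/x/y", "sni": "cdn.test", "status": 200}
not-json
"""

def matches(host, patterns):
    # Assumed semantics: case-insensitive glob; "*.example.com" covers subdomains only.
    return any(fnmatch(host.lower(), p.lower()) for p in patterns)

def audit(lines, profile):
    """Return (line_number, finding, value) tuples for flows worth reviewing."""
    sb = profile["sandbox"]
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            flow = json.loads(line)
            host = urlsplit(flow["url"]).hostname or ""
        except (ValueError, KeyError, TypeError, AttributeError):
            # A truncated or malformed record is itself worth a look.
            findings.append((n, "unparseable", ""))
            continue
        if matches(host, sb["deniedDomains"]):
            findings.append((n, "denied", host))
        elif not matches(host, sb["allowedDomains"]):
            findings.append((n, "not-allowlisted", host))
        sni = flow.get("sni")
        # The TLS server name should agree with the host the request was sent to.
        if isinstance(sni, str) and sni.lower() != host:
            findings.append((n, "sni-mismatch", sni))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE.splitlines(), PROFILE):
        print(*finding)
```

To run it on a real job, pass the lines of the job's flows.jsonl and the loaded profile to `audit` after adjusting the field names to the actual schema.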

ANE classification

When the ANE daemon is running, the interceptor classifies flows in real time using on-device neural inference. No data leaves the machine. Classification categories include API calls, authentication flows, file downloads, and anomalous patterns. Results attach to the flow signal.

Enabling interception

Recipe JSON:

{
  "steps": [
    {
      "name": "analyze",
      "vm": true,
      "enableInterception": true
    }
  ]
}

CLI:

mentu-runtime exec --profile my-sandbox.json --interceptor

Interception requires VM mode. It has no effect in normal (host) execution.

© 2026 Mentu.