CLI commands
learn
Enable learning/monitor mode.
Learning mode monitors what Security Layer would block without actually blocking anything. Use it to understand your usage patterns before enforcing a policy.
Usage
sl learn [--duration <duration>]Flags
| Flag | Default | Description |
|---|---|---|
--duration <duration> | 7d | How long to stay in learning mode |
Duration format
| Suffix | Unit | Examples |
|---|---|---|
m | Minutes | 30m |
h | Hours | 1h, 12h |
d | Days | 1d, 7d, 30d |
Behavior
When learning mode is active:
- All actions are allowed (your existing capabilities are unchanged)
- Security Layer logs what it would have blocked under recommended settings
- The mode expires automatically after the specified duration
- Config is updated with
mode: learningandlearning_expirestimestamp
After the learning period, use sl learn report to see recommended capability changes based on actual usage.
Example
# Monitor for 7 days
sl learn --duration 7d
# Check what was logged
sl learn reportExit codes
| Code | Meaning |
|---|---|
0 | Learning mode enabled |
1 | Invalid duration format |
Why learning mode?
The #1 reason users disable security tools: "I installed it and it broke everything." Learning mode prevents this by letting you observe before enforcing.
See also
- Learning mode guide
- status — Shows learning mode status