Learning mode
Monitor what Security Layer would block before enforcing.
Learning mode lets you observe Security Layer's decisions without affecting your workflow. Everything is allowed, but actions that would have been blocked are logged so you can tune your policy before enforcing it.
Enabling
sl learn --duration 7d
This sets mode: learning in your config and records a learning_expires timestamp. After the duration, Security Layer returns to enforcement mode.
What gets logged
In learning mode, Security Layer evaluates every action through the full security pipeline and logs:
- Actions that would have been denied and why
- The layer that triggered the block (capability gate, rules, LLM judge)
- Timing information for each layer
- Caller identity and taint level
Checking status
sl status
Shows whether learning mode is active, when it expires, and how many actions have been logged.
Reviewing results
After the learning period:
sl learn report
This shows:
- Actions that would have been blocked — grouped by reason
- Recommended capability changes — based on actual usage patterns
- Suggested rules — patterns that appeared frequently
Workflow
- Install and init — sl init
- Enable learning — sl learn --duration 7d
- Work normally — Use your AI tools as usual
- Review — sl learn report
- Tune policy — Adjust capabilities and rules based on findings
- Enforce — Learning mode expires, enforcement begins
Tips
- Start with 7 days to capture a representative sample of your workflow
- Use shorter durations (1-2 days) if you want to iterate quickly
- Review the report before the learning period ends to make adjustments
- You can disable learning mode early by editing config.yaml and removing the mode: learning line
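A check for whether a config is still in learning mode, built on the mode and learning_expires keys described above. This is an added example, not part of Security Layer; it assumes both are top-level keys in config.yaml and that learning_expires is an ISO 8601 timestamp, and the status names and 7-day threshold are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample. Top-level keys and the ISO 8601 timestamp are assumptions.
SAMPLE_CONFIG = """\
# config.yaml (constructed)
mode: learning
learning_expires: 2025-01-08T09:00:00Z
"""

def top_level_scalars(text):
    """Return top-level `key: value` pairs, skipping comments and nested blocks."""
    pairs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_][\w-]*):\s*(.*?)\s*(?:#.*)?$", line)
        if m and m.group(2):
            pairs[m.group(1)] = m.group(2).strip("'\"")
    return pairs

def learning_status(text, now, max_window=timedelta(days=7)):
    """Classify a config by its learning-mode state at time `now`."""
    cfg = top_level_scalars(text)
    if cfg.get("mode") != "learning":
        return "not-learning", None          # the mode: learning line is absent
    raw = cfg.get("learning_expires")
    if raw is None:
        return "learning-no-expiry", None    # learning set, no expiry recorded
    expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # assumption: UTC
    if expires <= now:
        return "learning-expired", expires   # the learning window has passed
    if expires - now > max_window:
        return "learning-long-window", expires  # more than max_window remaining
    return "learning-active", expires

if __name__ == "__main__":
    now = datetime(2025, 1, 3, 9, 0, tzinfo=timezone.utc)  # fixed for the demo
    print(learning_status(SAMPLE_CONFIG, now))
```

Run against each host's config, the statuses other than not-learning identify machines where actions are still being allowed and logged rather than enforced.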
See also
- learn — Command reference
- Configuration — Editing your policy
- Capabilities — Understanding capability grants