Back To Knowledge Base
Field Note
Agent Traces
How to think about traces that connect context, tool use, outputs, and side effects during an agentic event.
An agent trace is the evidence trail that connects what an agent saw, decided, attempted, and changed. Useful traces usually span more than one system.
Common Trace Fragments
- User prompts and task instructions
- System or developer instructions visible to the agent runtime
- Retrieved files, snippets, memory, or search results
- Tool calls and tool results
- Terminal commands and outputs
- File edits, diffs, commits, or generated artifacts
- API, SaaS, identity, and network audit logs
Investigation Pattern
Start with a bounded event: a task, session, timeframe, affected asset, or suspicious side effect. Then build a timeline that marks each record as observed, derived, redacted, or inferred.
What This Can Prove
- Which artifacts are consistent with a sequence of activity.
- Which tool surfaces were used or attempted.
- Where additional logs may exist.
What This Cannot Prove Alone
- Complete intent.
- Full model context if part of the context was not logged.
- Absence of activity in systems that were not instrumented.
Interpretation Traps
Trace records often differ by client, model provider, extension, shell, and storage backend. Do not assume one client captures the same fields as another.