Validate that IOC threat intelligence is fresh enough for the named action.
Call this before any high-risk agent action to ensure the TI snapshot
is not stale. The check itself completes in <1ms (no network I/O).
Action → staleness tier mapping:
critical (≤30s): credential_access, keychain_access, execute_shell, sudo
high (≤120s): load_skill, install_package, network_call, http_request
medium (≤300s): file_write, file_delete, registry_write, env_write
low (≤900s): file_read, list_directory, query_db, read_env
Args:
action: The action about to be executed. Unknown actions default
to HIGH tier (120s limit).
block_on_stale: If True and TI is stale, return an error dict that your
agent should treat as a hard block. Default False (warn only).
Returns:
action: "allow" | "warn" | "block"
tier: Staleness tier for this action
staleness_s: Seconds since last successful sync
max_staleness_s: Limit for this tier
hwm: Current high-water mark
latency_ms: Check latency (always <100ms)
reason: Human-readable explanation
Connector