Every runtime failure emits a stable code like [E-0103]. Look it up here to understand what happened and exactly what to do. If you see a code not listed, email support@titanai.tech with the full log line.
The installer or an agent was invoked without a license key set. TITAN AI refuses to run without one — this is intentional.
--license TITAN-XXX on the installer, or export TITAN_LICENSE_KEY=... before running. Request a free 14-day trial at titanaisec.com/trial.
The key supplied doesn't match the expected TITAN-XXX-XXX-... shape. Usually a copy-paste truncation or an extra space.
We couldn't reach titanaisec.com/api/license/verify. If you've successfully validated within the last 7 days, the agent will keep running in audit-only mode (no writes to your cloud). This matches CrowdStrike Falcon's RFM pattern.
titanaisec.com. Full-mode resumes automatically on the next successful verification. No action needed during a short outage.
Your license's expires_at has passed.
This license has been explicitly revoked by the TITAN AI team (non-payment, terms breach, superseded key).
The license server has been unreachable for more than 7 days and the cached entitlement is too stale to trust. We refuse to run indefinitely on cache alone — this prevents the cache from becoming a vector for indefinite free use.
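The offline behaviour described in the entries above, written out as a decision function. This is an added illustration, not TITAN AI's code: the cache field names, the cached `revoked` flag and the clock-rollback check are assumptions.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)  # offline grace window stated on this page

def offline_mode(cache, now):
    """Decide what to do when the license server cannot be reached.

    cache is None or a dict with hypothetical keys: 'last_verified_at' and
    'expires_at' (timezone-aware datetimes) and 'revoked' (bool).
    Returns 'audit-only' or 'refuse'; full mode needs a live verification.
    """
    if cache is None:
        return "refuse"        # never validated: nothing to fall back on
    if cache["revoked"] or now >= cache["expires_at"]:
        return "refuse"        # revoked or expired keys get no grace
    age = now - cache["last_verified_at"]
    if age < timedelta(0):
        return "refuse"        # assumption: future timestamp = clock set back
    return "audit-only" if age <= GRACE else "refuse"

def demo():
    """Run the policy over constructed cache entries."""
    now = datetime(2025, 1, 20, tzinfo=timezone.utc)
    far = now + timedelta(days=300)

    def entry(days_ago, expires=far, revoked=False):
        return {"last_verified_at": now - timedelta(days=days_ago),
                "expires_at": expires, "revoked": revoked}

    cases = {
        "no cache": None,
        "verified 2 days ago": entry(2),
        "verified exactly 7 days ago": entry(7),
        "verified 8 days ago": entry(8),
        "fresh but expired": entry(1, expires=now - timedelta(days=1)),
        "fresh but revoked": entry(1, revoked=True),
        "verified in the future": entry(-3),
    }
    return {name: offline_mode(c, now) for name, c in cases.items()}

if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name:30s} -> {mode}")
```

The last case is the one that matters for cache abuse: without the negative-age check, setting the system clock back would keep a stale cache looking fresh.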
titanaisec.com and re-run. For air-gapped environments use AIRLOCK mode (license stored in the encrypted package, no grace check).
You invoked (or CONDUCTOR tried to activate) an agent that your current tier does not entitle. For example, AML/Fraud/KYC require Banking tier.
You targeted AWS or GCP with a license scoped to a subset of clouds.
The Azure SDK could not acquire a token from your environment (CLI session / managed identity / service principal).
az login, then verify with az account show. If using a service principal, re-export AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID.
Subscription ID is wrong, or the identity you're using doesn't have access.
az account list -o table to see subscriptions you have access to. Set the right one with az account set -s <SUB_ID>.
Authenticated successfully but your identity lacks permission to read the targeted resources.
Reader role at subscription scope for audit-mode, or Contributor for fix-mode. For air-gapped environments, use Security Reader + resource-specific write roles.
Azure Resource Manager throttled us. Not fatal — the agent retries with exponential backoff and jitter.
A resource we were about to inspect was deleted between discovery and inspection. Not an error; we skip and move on.
boto3 could not acquire credentials from any chain source (env vars, profile, instance role, SSO).
aws sts get-caller-identity to verify. Most common fix: aws configure or aws sso login.
The target AWS account's trust policy does not allow the calling principal to assume the role, or the ExternalId doesn't match.
Authenticated but lacks permission to read the targeted resources (e.g., iam:ListUsers, s3:GetBucketPolicy).
SecurityAudit policy to the principal we're using.
AWS throttled us. Automatic retry with exponential backoff.
Google SDK could not acquire credentials (gcloud / service account JSON / workload identity).
gcloud auth application-default login or export GOOGLE_APPLICATION_CREDENTIALS pointing at a valid service account JSON.
Project ID is wrong, or the identity doesn't have access.
gcloud projects list — pick the right ID and set GOOGLE_CLOUD_PROJECT=<ID>.
Authenticated but the service account lacks read permission.
roles/iam.securityReviewer at the project (or folder / org) scope.
An agent raised an uncaught exception. If you're running under the watchdog, it will auto-restart up to 5 times in a 10-minute window. A crash report is written to ~/.titanai/crashes/crash-<timestamp>.json.
Agent ran past its configured timeout. Partial results are retained and a warning is emitted.
TITAN_AGENT_TIMEOUT_MINUTES or shard the scan by resource group / region.
A Python dependency inside the bundle is missing or corrupted. Usually means the bundle was extracted incompletely.
install.sh / install.ps1. If repeatable, rollback via titanai-run.sh --version v1.0.0 to the last known-good.
Your license is valid but PACKAGE_MATRIX resolved to zero entitled agents.
Ctrl-C or SIGTERM received. Partial results are flushed to disk.
Couldn't write to ./reports/. Typically disk full or read-only filesystem.
df -h; set TITAN_REPORT_DIR=/tmp/titanai-reports to point to a writable location.
Bundle extraction is incomplete — report HTML template is missing.
bundles/titanai-v1.0.0.tar.gz.sha256.
Network failure fetching bundles/titanai-<version>.tar.gz.
titanai-run.sh --channel=canary or pin a specific version: --version=v1.0.0.
Downloaded bundle's hash does not match the signed .sha256. This means the bundle was corrupted in transit or tampered with. Refusing to install.
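To reproduce the hash comparison by hand on a downloaded bundle, the following added example (not the installer's own code) streams the file through SHA-256 and compares it to the digest in the .sha256 file. It assumes the .sha256 file uses the common `sha256sum` layout (hex digest, optionally followed by a file name); the page does not describe how that file is signed, so checking the signature is not shown.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")

def parse_sha256_file(text, bundle_name):
    """Return the expected lowercase hex digest for bundle_name.

    Accepts a bare digest or 'digest  filename' lines (sha256sum layout).
    """
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        digest = parts[0].lower()
        name = parts[1].lstrip("*") if len(parts) > 1 else bundle_name
        if os.path.basename(name) != bundle_name:
            continue                      # digest belongs to another file
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError("malformed digest for " + bundle_name)
        return digest
    raise ValueError("no digest listed for " + bundle_name)

def bundle_matches(bundle_path, sha256_text):
    """Hash the bundle in 1 MiB chunks and compare with the expected digest."""
    expected = parse_sha256_file(sha256_text, os.path.basename(bundle_path))
    h = hashlib.sha256()
    with open(bundle_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

def demo():
    """Constructed sample: an intact stand-in bundle, then one byte appended."""
    data = b"constructed sample bundle bytes"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "titanai-v1.0.0.tar.gz")
        with open(path, "wb") as f:
            f.write(data)
        sha_text = hashlib.sha256(data).hexdigest() + "  titanai-v1.0.0.tar.gz\n"
        intact = bundle_matches(path, sha_text)
        with open(path, "ab") as f:
            f.write(b"!")                 # simulate corruption or tampering
        return intact, bundle_matches(path, sha_text)

if __name__ == "__main__":
    print(demo())
```

A matching hash only proves integrity if the .sha256 file itself is authentic, which is why the digest file being signed matters.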
You passed --version=vX.Y.Z but that version doesn't exist in our manifest.
curl titanaisec.com/api/bundle/manifest. Use --version=latest or drop the flag to use the current channel default.
Channel must be one of stable / canary / edge.
stable is recommended for production.
The installer can't find a Python interpreter at version 3.10 or newer.
titanai-run.sh auto-installs it — if that failed, run manually: Ubuntu sudo apt install python3.12-venv, Windows winget install Python.Python.3.12.
We hit a branch that was supposed to be impossible. Bug in our code.
~/.titanai/config.json is not valid JSON.
~/.titan-ai/license.json (note the dash).