{"id":51155020,"url":"https://github.com/eunomia-bpf/AgentSight","last_synced_at":"2026-06-29T05:00:56.510Z","repository":{"id":303862592,"uuid":"1015665264","full_name":"eunomia-bpf/agentsight","owner":"eunomia-bpf","description":"Zero instrucment system-level AI agent tracing in eBPF","archived":false,"fork":false,"pushed_at":"2026-06-20T02:10:21.000Z","size":43783,"stargazers_count":460,"open_issues_count":21,"forks_count":65,"subscribers_count":4,"default_branch":"master","last_synced_at":"2026-06-20T02:13:04.186Z","etag":null,"topics":["agent","ebpf","llm","observability"],"latest_commit_sha":null,"homepage":"https://eunomia.dev/agentsight/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eunomia-bpf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":["yunwei37","Officeyutong"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2025-07-07T21:16:41.000Z","updated_at":"2026-06-19T15:22:19.000Z","dependencies_parsed_at":"2025-08-24T03:30:51.606Z","dependency_job_id":"2a9ecd6b-a9fa-41bb-a3ea-7d0dc6198d17","html_url":"https://github.com/eunomia-bpf/agentsight","commit_stats":null,"previous_names":["eunomia-bpf/agent-tracer","eunomia-bpf/agentsight"],"tags_count":177,"template":false,"template_full_name":"eunomia-bpf/libbpf-starter-template","purl":"pkg:github/eunomia-bpf/agentsight","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eunomia-bpf%2Fagentsight","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eunomia-bpf%2Fagentsight/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eunomia-bpf%2Fagentsight/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eunomia-bpf%2Fagentsight/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eunomia-bpf","download_url":"https://codeload.github.com/eunomia-bpf/agentsight/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eunomia-bpf%2Fagentsight/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34913586,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-29T02:00:05.398Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent","ebpf","llm","observability"],"created_at":"2026-06-26T10:00:23.255Z","updated_at":"2026-06-29T05:00:56.499Z","avatar_url":"https://github.com/eunomia-bpf.png","language":"C","funding_links":["https://github.com/sponsors/yunwei37","https://github.com/sponsors/Officeyutong"],"categories":["Harnesses \u0026 orchestration","πŸ“Š γ‚¨γƒΌγ‚Έγ‚§γƒ³γƒˆθ©•δΎ‘γ¨γ‚ͺブアーバビγƒͺティ"],"sub_categories":["Agent infrastructure","θ‡ͺ動運軒"],"readme":"# AgentSight: System-wide AI agent profiling and monitoring with eBPF\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](https://opensource.org/licenses/MIT)\n[![CI](https://github.com/eunomia-bpf/agentsight/actions/workflows/ci.yml/badge.svg)](https://github.com/eunomia-bpf/agentsight/actions/workflows/ci.yml)\n[![arXiv:2508.02736](https://img.shields.io/badge/arXiv-2508.02736-b31b1b.svg)](https://arxiv.org/abs/2508.02736)\n[![DOI:10.1145/3766882.3767169](https://img.shields.io/badge/DOI-10.1145%2F3766882.3767169-blue.svg)](https://dl.acm.org/doi/10.1145/3766882.3767169)\n\n**English** | [δΈ­ζ–‡](https://github.com/eunomia-bpf/agentsight/blob/master/README.zh-CN.md)\n\nYour local first `perf`/`top`/`strace`/`nsight`-like tool for AI agents. See what agents actually do\nto your machine, and connect those actions back to the prompts, model calls, and\ntool decisions that triggered them.\n\nRun `agentsight` around Claude Code, Codex, Gemini CLI,\nOpenCode, OpenClaw, or any command. AgentSight records:\n\n- processes and child processes, shell commands, cwd, argv, exit status, and duration\n- files created, written, truncated, renamed, or deleted\n- network destinations contacted\n- prompts, responses, tool intent, and LLM/model/token\n\nNo SDK, no proxy, no vendor integration. AgentSight observes with eBPF and TLS traffic tracing, so it works even when the agent is a\nclosed-source CLI. **✨ Zero SDK Required**\n\n## Quick Start\n\n```bash\ncargo install agentsight\n# or: wget https://github.com/eunomia-bpf/agentsight/releases/latest/download/agentsight \u0026\u0026 chmod +x agentsight\nsudo agentsight top\n```\n\n\u003cdiv align=\"center\"\u003e\n \u003cimg src=\"https://github.com/eunomia-bpf/agentsight/raw/master/docs/top-mode-demo.png\" alt=\"AgentSight top live session view\" width=\"1000\"\u003e\n \u003cp\u003e\u003cem\u003eLive sessions ranked by model, session tokens, health, process family, tool calls, file activity, and network activity\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n## πŸš€ Why AgentSight?\n\n### Traditional Observability vs. System-Level Monitoring\n\nApplication-level tools such as [LangSmith](https://docs.langchain.com/langsmith/observability-concepts), [Langfuse](https://langfuse.com/docs/observability/overview), and [Phoenix](https://arize.com/docs/phoenix/) are great for traces, prompts, tokens, evals, and latency when you own the application code. Gateway/proxy tools such as [Helicone](https://docs.helicone.ai/getting-started/integration-method/gateway) are useful when you can route provider traffic through a managed endpoint.\n\nAgentSight focuses on the layer those tools often miss: what the agent actually does at the system boundary. It observes existing binaries and CLI agents without SDKs or proxies, then correlates LLM traffic with process execution, file access, and system activity.\n\n| **Challenge** | **Application-Level Tools** | **AgentSight Solution** |\n|---------------|----------------------------|------------------------|\n| **Framework Adoption** | ❌ SDK, callback, or gateway integration per app | βœ… Drop-in system tracer, no code changes |\n| **Closed-Source CLIs** | ❌ Limited to what the tool exposes or logs | βœ… Observes existing binaries and CLI agents from outside |\n| **Agent-Controlled Logs** | ❌ Logs can be incomplete, disabled, or modified | βœ… Kernel-level events independent of app logging |\n| **TLS LLM Traffic** | ❌ Visible when routed through SDKs/proxies | βœ… Captures plaintext at SSL/TLS calls without a proxy |\n| **System Actions** | ❌ Often misses subprocesses and local file activity | βœ… Tracks process execution, file access, and resource use |\n| **Cross-Boundary Behavior** | ❌ Traces usually stop at framework/process boundaries | βœ… Correlates LLM traffic with process and file events |\n\nAgentSight captures critical interactions that application-level tools miss:\n\n- Subprocess executions that bypass instrumentation\n- Plaintext LLM payloads at SSL/TLS call boundaries\n- File operations and system resource access \n- Cross-boundary behavior across LLM, process, and file events\n\n## Usage\n\n### Prerequisites\n\n- **Linux kernel**: 4.1+ with eBPF support (5.0+ recommended)\n- **sudo access**: eBPF probes are auto-elevated; your agent stays unprivileged\n\nFor source builds, see [docs/build.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/build.md).\n\n### Installation\n\n#### Cargo or Release Binary\n\nFor local use, install with `cargo install agentsight` or download the latest\nrelease binary, then start with `sudo agentsight top`. Use the examples below when\nyou want to record a specific command or inspect saved sessions.\n\n#### Docker\n\nDocker is useful for container, CI, or isolated Linux environments, but it still needs privileged host access for eBPF. See [docs/docker.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/docker.md).\n\n#### Build from Source\n\nBuild requirements and source build commands live in [docs/build.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/build.md).\n\n### Querying Past Sessions\n\nEvery `record` session is automatically saved to an `agentsight-*.db` SQLite\nfile in the current directory. Start with the live and record commands, then\nuse `agentsight report` for structured queries:\n\n```bash\nsudo agentsight top # live ranked view of current agent sessions\nagentsight monitor install-service # install/start the background monitor service\nagentsight top --db run.db --once # ranked view of a saved session\nsudo agentsight record -- claude # record a command\nagentsight report # high-level run summary (default)\nagentsight report list # recorded sessions in this directory\nagentsight report prompts --json # full LLM request/response JSON\nagentsight report token # token usage from latest DB, or local agent sessions\nagentsight report token --group-by dir # token usage by session/process working directory\nagentsight report audit --json # process spawns, file opens, API calls\nagentsight report serve # open the web UI for the latest session in this directory\nagentsight report export -o snapshot.json # export for web dashboard\nagentsight report --local # summarize native Claude/Codex/Gemini sessions\n```\n\n### Offline Agent pprof Profiles\n\nUse `agentpprof` when you want a no-sudo pprof/folded-stack/SVG summary of\nlocal Codex or Claude session history:\n\n```bash\ncargo run --manifest-path agentpprof/Cargo.toml -- \\\n --project-root . \\\n --view tokens \\\n -o agent.pb.gz\n\ngo tool pprof -top agent.pb.gz\n```\n\nThe `tokens` view is the best first flamegraph for cost analysis: it aggregates\nreal local Codex/Claude development sessions by project, agent, session tag,\nprompt tag, model, and token kind.\n\n\u003cdiv align=\"center\"\u003e\n \u003cimg src=\"https://github.com/eunomia-bpf/agentsight/raw/master/docs/flamegraph-example/bpf-benchmark-tokens.svg\" alt=\"agentpprof token flamegraph from real bpf-benchmark development sessions\" width=\"1000\"\u003e\n \u003cp\u003e\u003cem\u003eOffline token profile generated from real local bpf-benchmark coding-agent sessions\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\nSee [agentpprof/README.md](agentpprof/README.md) for CLI details and\n[docs/flamegraph](docs/flamegraph-example/README.md) for flamegraph examples, view\nselection, and deterministic tagging rules.\n\n### Web Interface\n\nDuring a session, visit [http://127.0.0.1:7395](http://127.0.0.1:7395) for live traffic, process trees, and metrics:\n- **Timeline View**: http://127.0.0.1:7395/timeline\n- **Process Tree**: http://127.0.0.1:7395/tree\n- **Event Log**: http://127.0.0.1:7395/logs\n- **Metrics View**: http://127.0.0.1:7395/metrics\n\nFor a saved SQLite session, run `agentsight report serve --db run.db` and open the same routes.\n\n\u003cdiv align=\"center\"\u003e\n \u003cimg src=\"https://github.com/eunomia-bpf/agentsight/raw/master/docs/demo-tree.png\" alt=\"AgentSight Demo - Process Tree Visualization\" width=\"800\"\u003e\n \u003cp\u003e\u003cem\u003eProcess tree visualization for agent subprocesses and file activity\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n \u003cimg src=\"https://github.com/eunomia-bpf/agentsight/raw/master/docs/demo-timeline.png\" alt=\"AgentSight Demo - Timeline Visualization\" width=\"800\"\u003e\n \u003cp\u003e\u003cem\u003eTimeline visualization for LLM, process, file, and network events\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n \u003cimg src=\"https://github.com/eunomia-bpf/agentsight/raw/master/docs/demo-metrics.png\" alt=\"AgentSight Demo - Metrics Visualization\" width=\"800\"\u003e\n \u003cp\u003e\u003cem\u003eMetrics visualization for memory and CPU usage\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n \u003cp\u003e\u003cstrong\u003eTry the \u003ca href=\"https://agentsight.us\"\u003elive demo\u003c/a\u003e\u003c/strong\u003e to explore a real recorded Claude Code session in the browser.\u003c/p\u003e\n\u003c/div\u003e\n\n### Supported Agents\n\n\u003e **Privileges:** eBPF probes need root. Use `sudo` for live capture commands.\n\n`record` auto-discovers binaries, SSL libraries, and container processes. Works out of the box for:\n\n| Agent | Command |\n|-------|---------|\n| Claude Code | `sudo ./agentsight record -- claude` |\n| Gemini CLI | `sudo ./agentsight record -- gemini` |\n| Python (aider, open-interpreter, …) | `sudo ./agentsight record -c python` |\n| Docker containers (OpenClaw, …) | `sudo ./agentsight record -c node --binary-path docker://openclaw` |\n| Any command | `sudo ./agentsight record -- \u003ccommand\u003e` |\n\nSee [docs/agents.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/agents.md) for agent-specific setup, SSL quirks, browser capture, MCP stdio, and advanced flags.\n\n### OpenTelemetry Export\n\nAgentSight can export captured LLM calls as OpenTelemetry **GenAI**\n(`gen_ai.*`) spans over OTLP/HTTP β€” standards-compliant agent telemetry for any\nagent, with zero in-process instrumentation.\n\n```bash\nsudo ./agentsight debug trace --otel --otel-endpoint http://localhost:4318\n```\n\nSee [docs/otel.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/otel.md) for\ncollector setup and backend integration.\n\n## ❓ Frequently Asked Questions\n\n**Q: What permissions does AgentSight need?**\nA: eBPF probes need root privileges, so AgentSight may prompt for `sudo`. With `record -- \u003ccommand\u003e`, the monitored agent still runs as your normal user; only the probes are elevated.\n\n**Q: What's the performance impact?**\nA: Our evaluation reports less than 3% CPU overhead for typical traced agent workloads.\n\n**Q: Where does captured data go?**\nA: `record` stores sessions as `agentsight-*.db` files in the current directory by default, and `report` reads the latest matching file from that directory unless you pass `--db`. When no default DB exists, report commands warn and fall back to local Claude/Codex/Gemini agent sessions where available. `monitor` stores its weekly background DBs under `~/.agentsight/monitor`, and `top` is read-only unless you explicitly pass `--db` to inspect a saved session. Use `agentsight report`, `agentsight report list`, `agentsight report audit --json`, and `agentsight report token` to inspect prior runs. Captured data can include prompts, responses, paths, headers, and network targets, so treat logs and DBs as sensitive.\n\n**Q: Why doesn't AgentSight capture traffic from Claude Code, Node.js, or Gemini CLI?**\nA: These applications statically link their SSL library (BoringSSL for Claude/Bun, OpenSSL for **all** Node.js β€” both NVM and system installs) into their own binary instead of using system `libssl.so`, so there's nothing for sslsniff to hook by default. AgentSight handles this for you: `record -- \u003ccommand\u003e` always discovers the binary, and `record -c node` now auto-discovers the Node binary too. For Claude attach mode, pass `--binary-path`. See the \"Zero-Config: record\" and \"Monitoring Node.js AI Tools\" sections.\n\n**Q: What should I check if tracing fails?**\nA: Verify you are on Linux with eBPF support, have `sudo` or `CAP_BPF`/`CAP_SYS_ADMIN`, and are using `record -- \u003ccommand\u003e` or the correct `--binary-path` for statically linked agents.\n\n## 🀝 Contributing\n\nWe welcome contributions! After cloning and building (see [docs/build.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/build.md)), you can:\n\n```bash\n# Run tests\nmake test\n\n# Frontend development server\ncd frontend \u0026\u0026 npm run dev\n\n# Build debug versions with AddressSanitizer\nmake -C bpf debug\n```\n\n### Key Resources\n\n- [CLAUDE.md](https://github.com/eunomia-bpf/agentsight/blob/master/CLAUDE.md) - Project guidelines and architecture\n- [docs/design/README.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/design/README.md) - archived design notes and research drafts\n\n## πŸ“„ License\n\nMIT License - see [LICENSE](https://github.com/eunomia-bpf/agentsight/blob/master/LICENSE) for details.\n\n---\n\n**πŸ’‘ The Future of AI Observability**: As AI agents become more autonomous and capable of self-modification, traditional observability approaches become insufficient. AgentSight provides independent, system-level monitoring for safe AI deployment at scale.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feunomia-bpf%2FAgentSight","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feunomia-bpf%2FAgentSight","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feunomia-bpf%2FAgentSight/lists"}