{"id":29583778,"url":"https://github.com/eunomia-bpf/agentsight","last_synced_at":"2026-06-05T07:01:08.350Z","repository":{"id":303862592,"uuid":"1015665264","full_name":"eunomia-bpf/agentsight","owner":"eunomia-bpf","description":"Zero-instrumentation LLM and AI agent (e.g. claude code, openclaw, gemini-cli) observability in eBPF","archived":false,"fork":false,"pushed_at":"2026-06-02T02:46:35.000Z","size":13169,"stargazers_count":358,"open_issues_count":15,"forks_count":57,"subscribers_count":3,"default_branch":"master","last_synced_at":"2026-06-02T04:20:24.179Z","etag":null,"topics":["agent","ebpf","llm","observability"],"latest_commit_sha":null,"homepage":"https://www.arxiv.org/abs/2508.02736","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eunomia-bpf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["yunwei37","Officeyutong"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2025-07-07T21:16:41.000Z","updated_at":"2026-06-02T02:39:49.000Z","dependencies_parsed_at":"2025-08-24T03:30:51.606Z","dependency_job_id":"2a9ecd6b-a9fa-41bb-a3ea-7d0dc6198d17","html_url":"https://github.com/eunomia-bpf/agentsight","commit_stats":null,"previous_names":["eunomia-bpf/agent-tracer","eunomia-bpf/agentsight"],"tags_count":148,"template":true,"template_full_name":"eunomia-bpf/libbpf-starter-
template","purl":"pkg:github/eunomia-bpf/agentsight","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eunomia-bpf%2Fagentsight","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eunomia-bpf%2Fagentsight/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eunomia-bpf%2Fagentsight/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eunomia-bpf%2Fagentsight/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eunomia-bpf","download_url":"https://codeload.github.com/eunomia-bpf/agentsight/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eunomia-bpf%2Fagentsight/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33932048,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-05T02:00:06.157Z","response_time":120,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent","ebpf","llm","observability"],"created_at":"2025-07-19T23:38:51.897Z","updated_at":"2026-06-05T07:01:08.343Z","avatar_url":"https://github.com/eunomia-bpf.png","language":"C","funding_links":["https://github.com/sponsors/yunwei37","https://github.com/sponsors/Officeyutong"],"categories":["Code Quality","Provenance, Instrumentation \u0026 
Observability"],"sub_categories":["可观测"],"readme":"# AgentSight: System-wide AI agent tracing and monitoring with eBPF\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](https://opensource.org/licenses/MIT)\n[![CI](https://github.com/eunomia-bpf/agentsight/actions/workflows/ci.yml/badge.svg)](https://github.com/eunomia-bpf/agentsight/actions/workflows/ci.yml)\n[![arXiv:2508.02736](https://img.shields.io/badge/arXiv-2508.02736-b31b1b.svg)](https://arxiv.org/abs/2508.02736)\n[![DOI:10.1145/3766882.3767169](https://img.shields.io/badge/DOI-10.1145%2F3766882.3767169-blue.svg)](https://dl.acm.org/doi/10.1145/3766882.3767169)\n\n**English** | [中文](https://github.com/eunomia-bpf/agentsight/blob/master/README.zh-CN.md)\n\nYour local-first `perf`/`top`/`strace`/`nsight`-like tool for AI agents. See what agents actually do\nto your machine, and connect those actions back to the prompts, model calls, and\ntool decisions that triggered them.\n\nRun `agentsight` around Claude Code, Codex, Gemini CLI,\nOpenCode, OpenClaw, or any command. AgentSight records a local trace of:\n\n- processes and child processes, shell commands, cwd, argv, exit status, and duration\n- files created, written, truncated, renamed, or deleted\n- network destinations contacted\n- prompts, responses, tool intent, and LLM/model/token\n\nNo SDK, no proxy, no vendor integration. AgentSight observes with eBPF and TLS traffic tracing, so it works even when the agent is a\nclosed-source CLI. 
**✨ Zero Instrumentation Required**\n\n## Quick Start\n\n```bash\ncargo install agentsight\n# or: wget https://github.com/eunomia-bpf/agentsight/releases/latest/download/agentsight \u0026\u0026 chmod +x agentsight\nsudo agentsight top\n```\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/eunomia-bpf/agentsight/raw/master/docs/top-mode-demo.png\" alt=\"AgentSight top live session view\" width=\"1000\"\u003e\n  \u003cp\u003e\u003cem\u003eLive sessions ranked by model, session tokens, health, process family, tool calls, file activity, and network activity\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\nIf you downloaded the binary into the current directory, run `sudo ./agentsight top`.\n`top` loads eBPF probes, discovers local agents, and connects system activity to\nagent behavior in real time. See the [Usage](#usage) section for more examples\nand details.\n\n## 🚀 Why AgentSight?\n\n### Traditional Observability vs. System-Level Monitoring\n\nApplication-level tools such as [LangSmith](https://docs.langchain.com/langsmith/observability-concepts), [Langfuse](https://langfuse.com/docs/observability/overview), and [Phoenix](https://arize.com/docs/phoenix/) are great for traces, prompts, tokens, evals, and latency when you own the application code. Gateway/proxy tools such as [Helicone](https://docs.helicone.ai/getting-started/integration-method/gateway) are useful when you can route provider traffic through a managed endpoint.\n\nAgentSight focuses on the layer those tools often miss: what the agent actually does at the system boundary. 
It observes existing binaries and CLI agents without SDKs or proxies, then correlates LLM traffic with process execution, file access, and system activity.\n\n| **Challenge** | **Application-Level Tools** | **AgentSight Solution** |\n|---------------|----------------------------|------------------------|\n| **Framework Adoption** | ❌ SDK, callback, or gateway integration per app | ✅ Drop-in system tracer, no code changes |\n| **Closed-Source CLIs** | ❌ Limited to what the tool exposes or logs | ✅ Observes existing binaries and CLI agents from outside |\n| **Agent-Controlled Logs** | ❌ Logs can be incomplete, disabled, or modified | ✅ Kernel-level events independent of app logging |\n| **TLS LLM Traffic** | ❌ Visible when routed through SDKs/proxies | ✅ Captures plaintext at SSL/TLS calls without a proxy |\n| **System Actions** | ❌ Often misses subprocesses and local file activity | ✅ Tracks process execution, file access, and resource use |\n| **Cross-Boundary Behavior** | ❌ Traces usually stop at framework/process boundaries | ✅ Correlates LLM traffic with process and file events |\n\nAgentSight captures critical interactions that application-level tools miss:\n\n- Subprocess executions that bypass instrumentation\n- Plaintext LLM payloads at SSL/TLS call boundaries\n- File operations and system resource access  \n- Cross-boundary behavior across LLM, process, and file events\n\n## Usage\n\n### Prerequisites\n\n- **Linux kernel**: 4.1+ with eBPF support (5.0+ recommended)\n- **sudo access**: eBPF probes are auto-elevated; your agent stays unprivileged\n\nFor source builds, see [docs/build.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/build.md).\n\n### Installation\n\n#### Cargo or Release Binary\n\nFor local use, install with `cargo install agentsight` or download the latest\nrelease binary, then start with `sudo agentsight top`. 
Use the examples below when\nyou want to record a specific command or inspect saved sessions.\n\n#### Docker\n\nDocker is useful for container, CI, or isolated Linux environments, but it still needs privileged host access for eBPF. See [docs/docker.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/docker.md).\n\n#### Build from Source\n\nBuild requirements and source build commands live in [docs/build.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/build.md).\n\n### Querying Past Sessions\n\nEvery `stat -- \u003ccommand\u003e` or `record` session is automatically saved to SQLite. Start with the perf-style commands, then use `agentsight report` for structured queries:\n\n```bash\nagentsight stat                              # counters for the latest saved session\nsudo agentsight top                          # live ranked view of current agent sessions\nagentsight top --db run.db --once            # ranked view of a saved session\nsudo agentsight record -- claude             # record a command\nagentsight report                            # high-level run summary (default)\nagentsight report list                       # all recorded sessions\nagentsight report prompts --json             # full LLM request/response JSON\nagentsight report token                      # token usage (auto-finds latest session)\nagentsight report audit --json               # process spawns, file opens, API calls\nagentsight report export -o snapshot.json    # export for web dashboard\n```\n\n### Web Interface\n\nDuring a session, visit [http://127.0.0.1:7395](http://127.0.0.1:7395) for live traffic, process trees, and metrics:\n- **Timeline View**: http://127.0.0.1:7395/timeline\n- **Process Tree**: http://127.0.0.1:7395/tree\n- **Event Log**: http://127.0.0.1:7395/logs\n- **Metrics View**: http://127.0.0.1:7395/metrics\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/eunomia-bpf/agentsight/raw/master/docs/demo-tree.png\" 
alt=\"AgentSight Demo - Process Tree Visualization\" width=\"800\"\u003e\n  \u003cp\u003e\u003cem\u003eProcess tree visualization for agent subprocesses and file activity\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/eunomia-bpf/agentsight/raw/master/docs/demo-timeline.png\" alt=\"AgentSight Demo - Timeline Visualization\" width=\"800\"\u003e\n  \u003cp\u003e\u003cem\u003eTimeline visualization for LLM, process, file, and network events\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/eunomia-bpf/agentsight/raw/master/docs/demo-metrics.png\" alt=\"AgentSight Demo - Metrics Visualization\" width=\"800\"\u003e\n  \u003cp\u003e\u003cem\u003eMetrics visualization for memory and CPU usage\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003cp\u003e\u003cstrong\u003eTry the \u003ca href=\"https://agentsight.us\"\u003elive demo\u003c/a\u003e\u003c/strong\u003e to explore a real recorded Claude Code session in the browser.\u003c/p\u003e\n\u003c/div\u003e\n\n### Supported Agents\n\n\u003e **Privileges:** eBPF probes need root. Use `sudo` for live capture commands.\n\n`record` auto-discovers binaries, SSL libraries, and container processes. 
Works out of the box for:\n\n| Agent | Command |\n|-------|---------|\n| Claude Code | `sudo ./agentsight record -- claude` |\n| Gemini CLI | `sudo ./agentsight record -- gemini` |\n| Python (aider, open-interpreter, …) | `sudo ./agentsight record -c python` |\n| Docker containers (OpenClaw, …) | `sudo ./agentsight record -c node --binary-path docker://openclaw` |\n| Any command | `sudo ./agentsight record -- \u003ccommand\u003e` |\n\nDiscover what's installed locally with `./agentsight discover`.\n\nSee [docs/agents.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/agents.md) for agent-specific setup, SSL quirks, browser capture, MCP stdio, and advanced flags.\n\n### OpenTelemetry Export\n\nAgentSight can export captured LLM calls as OpenTelemetry **GenAI**\n(`gen_ai.*`) spans over OTLP/HTTP — standards-compliant agent telemetry for any\nagent, with zero in-process instrumentation.\n\n```bash\nsudo ./agentsight debug trace --otel --otel-endpoint http://localhost:4318\n```\n\nSee [docs/otel.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/otel.md) for\ncollector setup and backend integration.\n\n## ❓ Frequently Asked Questions\n\n**Q: What permissions does AgentSight need?**\nA: eBPF probes need root privileges, so AgentSight may prompt for `sudo`. With `record -- \u003ccommand\u003e` or `stat -- \u003ccommand\u003e`, the monitored agent still runs as your normal user; only the probes are elevated.\n\n**Q: What's the performance impact?**\nA: Our evaluation reports less than 3% CPU overhead for typical traced agent workloads.\n\n**Q: Where does captured data go?**\nA: `record` and `stat -- \u003ccommand\u003e` store sessions locally in SQLite by default. Use `agentsight stat`, `agentsight top`, `agentsight report`, `agentsight report list`, `agentsight report audit --json`, and `agentsight report token` to inspect prior runs. 
Captured data can include prompts, responses, paths, headers, and network targets, so treat logs and DBs as sensitive.\n\n**Q: Why doesn't AgentSight capture traffic from Claude Code, Node.js, or Gemini CLI?**\nA: These applications statically link their SSL library (BoringSSL for Claude/Bun, OpenSSL for **all** Node.js — both NVM and system installs) into their own binary instead of using system `libssl.so`, so there's nothing for sslsniff to hook by default. AgentSight handles this for you: `record -- \u003ccommand\u003e` always discovers the binary, and `record -c node` now auto-discovers the Node binary too. For Claude attach mode, pass `--binary-path`. See the \"Zero-Config: record\" and \"Monitoring Node.js AI Tools\" sections.\n\n**Q: What should I check if tracing fails?**\nA: Verify you are on Linux with eBPF support, have `sudo` or `CAP_BPF`/`CAP_SYS_ADMIN`, and are using `record -- \u003ccommand\u003e` or the correct `--binary-path` for statically linked agents.\n\n## 🤝 Contributing\n\nWe welcome contributions! After cloning and building (see [docs/build.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/build.md)), you can:\n\n```bash\n# Run tests\nmake test\n\n# Frontend development server\ncd frontend \u0026\u0026 npm run dev\n\n# Build debug versions with AddressSanitizer\nmake -C bpf debug\n```\n\n### Key Resources\n\n- [CLAUDE.md](https://github.com/eunomia-bpf/agentsight/blob/master/CLAUDE.md) - Project guidelines and architecture\n- [docs/design/README.md](https://github.com/eunomia-bpf/agentsight/blob/master/docs/design/README.md) - archived design notes and research drafts\n\n## 📄 License\n\nMIT License - see [LICENSE](https://github.com/eunomia-bpf/agentsight/blob/master/LICENSE) for details.\n\n---\n\n**💡 The Future of AI Observability**: As AI agents become more autonomous and capable of self-modification, traditional observability approaches become insufficient. 
AgentSight provides independent, system-level monitoring for safe AI deployment at scale.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feunomia-bpf%2Fagentsight","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feunomia-bpf%2Fagentsight","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feunomia-bpf%2Fagentsight/lists"}