{"id":47678324,"url":"https://github.com/sevorix/sevorix-lite","last_synced_at":"2026-04-06T21:02:42.010Z","repository":{"id":346878057,"uuid":"1171846124","full_name":"sevorix/sevorix-lite","owner":"sevorix","description":"Sevorix Lite is a Rust-native, open-source runtime containment engine for autonomous AI agents.","archived":false,"fork":false,"pushed_at":"2026-03-31T23:36:28.000Z","size":544,"stargazers_count":10,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-03T01:41:47.914Z","etag":null,"topics":["agent-framework","ai-agents","autonomous-agents","containment","ll","llm","llms","runtime","rust","sandbox"],"latest_commit_sha":null,"homepage":"https://sevorix.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sevorix.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-03T17:10:35.000Z","updated_at":"2026-04-01T22:33:33.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/sevorix/sevorix-lite","commit_stats":null,"previous_names":["sevorix/sevorix-lite"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/sevorix/sevorix-lite","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sevorix%2Fsevorix-lite","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sevorix%2Fsevorix-lite/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sevorix%2Fsevorix-lite/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sevorix%2Fsevorix-lite/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sevorix","download_url":"https://codeload.github.com/sevorix/sevorix-lite/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sevorix%2Fsevorix-lite/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31489427,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-06T17:22:55.647Z","status":"ssl_error","status_checked_at":"2026-04-06T17:22:54.741Z","response_time":112,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-framework","ai-agents","autonomous-agents","containment","ll","llm","llms","runtime","rust","sandbox"],"created_at":"2026-04-02T13:39:47.331Z","updated_at":"2026-04-06T21:02:42.005Z","avatar_url":"https://github.com/sevorix.png","language":"Rust","readme":"# 🛡️ Sevorix Watchtower (Lite)\n\n\u003e **Runtime Containment for Autonomous AI Agents.**\n\u003e *Zero-Latency. Action-Centric. Rust-Native.*\n\n![Build Status](https://img.shields.io/badge/build-passing-brightgreen) ![Rust](https://img.shields.io/badge/built%20with-Rust-orange) ![License](https://img.shields.io/badge/license-AGPL--3.0-blue)\n\nMost developers think an \"AI Gateway\" is enough. But if your agent gets a raw shell command or a direct network socket, it bypasses the gateway entirely. Sevorix Lite is an open-source, local runtime firewall that enforces an inescapable **Action Authorization Boundary** on your AI agents. \n\nIt intercepts, records, and blocks dangerous/undesirable activity in \u003c 20ms. What is considered dangerous and undesirable is completely up to you!\n\n---\n\n## ⚡ Quick Start (Under 60 Seconds)\n\n### 1. Download and install\n\n**Linux / WSL:**\n```bash\nVERSION=$(curl -s https://api.github.com/repos/sevorix/sevorix-lite/releases/latest | grep tag_name | cut -d'\"' -f4)\ncurl -L https://github.com/sevorix/sevorix-lite/releases/download/${VERSION}/sevorix-${VERSION}-x86_64-linux.tar.gz | tar -xz\ncd sevorix-${VERSION}-x86_64-linux \u0026\u0026 ./install-binary.sh\n```\n\n**macOS (Apple Silicon):**\n```bash\nVERSION=$(curl -s https://api.github.com/repos/sevorix/sevorix-lite/releases/latest | grep tag_name | cut -d'\"' -f4)\ncurl -L https://github.com/sevorix/sevorix-lite/releases/download/${VERSION}/sevorix-${VERSION}-aarch64-darwin.tar.gz | tar -xz\ncd sevorix-${VERSION}-aarch64-darwin \u0026\u0026 ./install-binary.sh\n```\n\n**macOS (Intel):**\n```bash\nVERSION=$(curl -s https://api.github.com/repos/sevorix/sevorix-lite/releases/latest | grep tag_name | cut -d'\"' -f4)\ncurl -L https://github.com/sevorix/sevorix-lite/releases/download/${VERSION}/sevorix-${VERSION}-x86_64-darwin.tar.gz | tar -xz\ncd sevorix-${VERSION}-x86_64-darwin \u0026\u0026 ./install-binary.sh\n```\n\nOr download directly from the [releases page](https://github.com/sevorix/sevorix-lite/releases/latest).\n\n### 2. Verify the download (optional)\n\nTo verify the integrity of the archive before installing, download and check the SHA256 checksum:\n\n```bash\n# Linux\nsha256sum -c sevorix-${VERSION}-x86_64-linux.tar.gz.sha256\n# macOS\nshasum -a 256 -c sevorix-${VERSION}-aarch64-darwin.tar.gz.sha256\n```\n\n### 3. Start the Daemon\nLaunch the Sevorix Control Plane in the background.\n```bash\nsevorix start\nsevorix status\n```\n\n### 4. Open the Watchtower Dashboard\nNavigate to your local command center to see real-time enforcement:\n👉 **`http://localhost:3000/dashboard/desktop.html`**\n\n---\n\n### Install from source\n\n**Linux/WSL** — builds with full eBPF support:\n```bash\ngit clone https://github.com/sevorix/sevorix-lite.git\ncd sevorix-lite\n./install.sh\n```\n\n**macOS** — builds proxy + policy engine only (no eBPF, no libseccomp required):\n```bash\ngit clone https://github.com/sevorix/sevorix-lite.git\ncd sevorix-lite\ncargo build --release\ncp target/release/sevorix target/release/sevsh ~/.local/bin/\n```\n\n---\n\n## 🏎️ The Test Drive: See it in Action\n\nDon't trust us. Test it. We've included `sevsh`, a secure shell wrapper that routes commands through the Sevorix engine before they ever hit the processor. \n\nLeave your Dashboard open in a browser, and run these in your terminal:\n\n### Scenario 1: The Green Lane (Allowed)\nRun a benign command.\n```bash\nsevsh -c \"echo 'Agent is thinking...'\"\n```\n**Result:** The command executes normally.\n\n### Scenario 2: The Red Lane (Zero-Latency Kill Switch)\nSimulate a rogue agent trying to drop a database table. Our default `policies.json` strictly forbids the `DROP` keyword.\n```bash\nsevsh -c \"DROP TABLE users;\"\n```\n**Result:** The command is instantly vaporized. You will see `SEVORIX BLOCKED: Policy Violation` in your terminal.\n\n### Scenario 3: The Yellow Lane (Human-in-the-Loop)\nSimulate an agent trying to access sensitive data. Our default policy flags the `SELECT` keyword for human review.\n```bash\nsevsh -c \"SELECT * FROM admin_credentials;\"\n```\n**Result:** The terminal hangs. Switch to your **Dashboard**. You will see a Yellow Intervention Panel with a countdown timer. Click **Block** or **Allow** to determine the outcome.\n\n---\n\n## 🤖 AI Agent Integrations (The Vault)\n\nSevorix isn't just for manual testing. We integrate directly with your favorite autonomous coding agents to put them in a secure sandbox. \n\nCurrently supporting **Claude Code** (with Codex and OpenClaw in active development).\n\n\u003e See **[docs/INTEGRATIONS.md](docs/INTEGRATIONS.md)** for full usage, internals, and per-tool guides.\n\n### Securing Claude Code\nWhen you start Claude Code through Sevorix, we use a Linux mount namespace to bind-mount `sevsh` over `/bin/bash`. This means even if Claude uses an absolute path to try and bypass security, it hits our inescapable lock.\n\n**1. Install the Integration:**\n```bash\nsevorix integrations install claude\n```\n*(Note: This just checks prerequisites; it does not modify your system config).*\n\n**2. Launch Claude in the Vault:**\n```bash\nsevorix integrations start claude\n```\n\n**3. Pass Arguments seamlessly:**\n```bash\nsevorix integrations start claude -- /path/to/project --resume\n```\n\nClaude is now running. Any command it attempts to execute will be intercepted, evaluated against your policies, and governed by Sevorix. \n\n---\n\n## ⚙️ How it Works: The Architecture\n\n### Without Sevorix\n\nAn AI agent has unrestricted access to your system. Shell commands, network requests, and syscalls execute directly — with no interception, no audit trail, and no way to stop a rogue or compromised agent before it causes damage.\n\n```mermaid\ngraph LR\n    Agent[\"🤖 AI Agent\"]\n    Agent --\u003e|shell commands| Shell[\"💻 Shell / OS\"]\n    Agent --\u003e|HTTP requests| Network[\"🌐 Network\"]\n    Agent --\u003e|syscalls| Kernel[\"⚙️ Kernel\"]\n```\n\n### With Sevorix\n\nEvery action the agent takes passes through the Sevorix enforcement plane before it can reach the system. Actions are evaluated in real time against your policies, and blocked, flagged, or allowed accordingly.\n\n```mermaid\ngraph LR\n    Agent[\"🤖 AI Agent\"]\n    PE[\"📋 Policy Engine\"]\n\n    Agent --\u003e|shell commands| sevsh[\"sevsh\"]\n    Agent --\u003e|HTTP requests| Proxy[\"Network Proxy\"]\n    Agent --\u003e|syscalls| eBPF[\"eBPF\"]\n\n    sevsh \u003c--\u003e|evaluate / decide| PE\n    Proxy \u003c--\u003e|evaluate / decide| PE\n    eBPF \u003c--\u003e|evaluate / decide| PE\n\n    sevsh --\u003e|allowed| Shell[\"💻 Shell / OS\"]\n    Proxy --\u003e|allowed| Network[\"🌐 Network\"]\n    eBPF --\u003e|allowed| Kernel[\"⚙️ Kernel\"]\n```\n\n#### Components\n\n| Component | Role |\n|-----------|------|\n| **sevsh** | A secure shell wrapper that intercepts every command before it reaches the OS. Used directly in the Test Drive, and bind-mounted over `/bin/bash` inside the Claude Code vault so there is no escape path. |\n| **Network Proxy** | An HTTP proxy running on the Sevorix daemon. Intercepts all outbound agent HTTP/S requests before they leave the machine. |\n| **eBPF** | A kernel-level syscall interceptor (Linux only, `ebpf` feature). Catches raw syscalls that bypass the shell and network layers entirely. |\n| **Policy Engine** | Consulted by each interceptor before a call is passed or rejected. Evaluates the action against your loaded policies (Simple / Regex / Executable) and returns Allow, Block, or Flag. |\n\n### macOS vs Linux\n\nThe macOS binary ships the proxy, policy engine, sevsh, and the dashboard. The two Linux-only subsystems — eBPF and seccomp — are not available on macOS because they depend on Linux kernel APIs.\n\n| Capability | macOS | Linux/WSL |\n|-----------|:-----:|:---------:|\n| HTTP proxy + policy enforcement | ✓ | ✓ |\n| sevsh shell interception (text patterns) | ✓ | ✓ |\n| Dashboard + WebSocket | ✓ | ✓ |\n| Claude Code integration | ✓ | ✓ |\n| SevorixHub client | ✓ | ✓ |\n| Human-in-the-loop Yellow Lane | ✓ | ✓ |\n| Shell syscall filtering (seccomp) | — | ✓ |\n| Kernel network interception (eBPF) | — | ✓ |\n| Per-process syscall tracing (eBPF) | — | ✓ |\n\n**What this means in practice:** On macOS, if an AI agent bypasses the HTTP proxy — for example, by opening a raw TCP socket — Sevorix cannot see that traffic. On Linux with eBPF, such bypasses are caught at the kernel level. For most developer workflows on a Mac the proxy layer is sufficient; the eBPF layer provides deeper containment for production or adversarial environments.\n\n`Syscall`-context policies are accepted by the policy engine on macOS but will never trigger (there is no syscall interception layer to feed them). Use `Shell` or `Network` context for policies you want enforced on Mac.\n\n---\n\nSevorix Watchtower relies on physics, not suggestions. We enforce a **Three-Lane Traffic** system:\n\n1.  **🔴 Red Lane (The Block):** Deterministic kills. SQL Injection, Data Exfiltration, Financial Theft. (Latency: ~0ms).\n2.  **🟡 Yellow Lane (Intervention):** Ambiguous intent **held** for operator review. Request is suspended until Allow/Block decision or timeout.\n3.  **🟢 Green Lane (The Pass):** Approved patterns passed with zero overhead.\n\n### Customizing Permissions\n\nPermissions are created using two constructs: roles and policies. A policy is a rule for blocking or flagging activity, and a role is a collection of policies. By default during installation you will have a default role and policy set installed. The defaults are **NOT** a comprehensive or particularly useful set of rules, but rather a tool for validating your install and starting point for creating real, effective rule sets.\n\n#### Policy JSON Schema\n\n```json\n{\n  \"id\": \"unique-policy-id\",\n  \"type\": \"Simple\",\n  \"pattern\": \"DROP TABLE\",\n  \"action\": \"Block\",\n  \"context\": \"Shell\",\n  \"kill\": false\n}\n```\n\n| Field     | Type    | Description |\n|-----------|---------|-------------|\n| `id`      | string  | Unique identifier (kebab-case recommended) |\n| `type`    | enum    | `Simple`, `Regex`, or `Executable` |\n| `pattern` | string  | The match pattern (see match types below) |\n| `action`  | enum    | `Block`, `Flag`, or `Allow` |\n| `context` | enum    | `Shell`, `Network`, `Syscall`, or `All` (default: `All`) |\n| `kill`    | bool    | If true, kill the traced process instead of returning EPERM. Use only for critical violations. |\n\n#### Match Types\n\n- **`Simple`** — Substring match (case-sensitive). Fast and predictable.\n  ```json\n  { \"type\": \"Simple\", \"pattern\": \"DROP TABLE\" }\n  ```\n\n- **`Regex`** — Full Rust regex match. Compiled once and cached.\n  ```json\n  { \"type\": \"Regex\", \"pattern\": \"(?i)(drop|delete|truncate)\\\\s+table\" }\n  ```\n\n- **`Executable`** — Pipes the content to an external command via stdin; blocks if exit code is 0. Powerful but slow — use sparingly and only for complex logic that Simple/Regex can't express.\n  ```json\n  { \"type\": \"Executable\", \"pattern\": \"grep -qi 'wire.*funds'\" }\n  ```\n  \u003e **Security warning**: Always review executable policies published on SevorixHub before pulling.\n\n#### Actions\n\n| Action  | Meaning |\n|---------|---------|\n| `Block` | Hard reject. |\n| `Flag`  | Soft reject — marks the action for review and pauses execution. |\n| `Allow` | Explicit permit — overrides nothing but documents intent. |\n\u003e Flag doesn't work well with Syscall yet, and will post a message to the user but block the syscall without an option for allowing.\n\n#### Policy Context\n\nScope policies to specific interception layers:\n\n| Context   | When it applies |\n|-----------|-----------------|\n| `Shell`   | Agent shell commands intercepted before execution |\n| `Network` | Outbound HTTP requests through the proxy |\n| `Syscall` | Low-level syscall interception (eBPF feature) |\n| `All`     | All contexts (default) |\n\nUse `context` to avoid false positives — e.g., a policy blocking `DELETE` should use `context: \"Network\"` if you only want to block HTTP DELETE methods, not shell `delete` commands.\n\n#### Role Schema\n\nRoles group policies and are assigned to agents:\n\n```json\n{\n  \"name\": \"restricted-agent\",\n  \"policies\": [\"block-destructive-sql\", \"block-wire-funds\", \"flag-admin-ops\"],\n  \"is_dynamic\": false\n}\n```\n\nAn agent running with `restricted-agent` will only be evaluated against policies in that role.\n\n#### File Locations\n\n- **Policies**: `~/.sevorix/policies/` — each `.json` file is one policy or an array of policies\n- **Roles**: `~/.sevorix/roles/` — each `.json` file is one role or an array of roles\n\nFiles are loaded automatically when the daemon starts. No restart needed if you use `sevorix validate` for testing.\n\n---\n\n## 🛠️ CLI Reference\nManage your local enforcement node with the unified `sevorix` CLI.\n\n```bash\nsevorix start               # Start daemon\nsevorix stop                # Kill daemon\nsevorix config check        # Validate your policies.json\nsevorix validate \"CMD\"      # Test a command against rules\nsevorix integrations list   # Show available AI sandboxes\n```\n\n---\n\n## ⚠️ Common Installation Issues\n\n**1. \"command not found: sevorix\" or \"command not found: sevsh\"**\n* **The Fix:** Your system doesn't know where the installed binaries are. They are likely in `~/.local/bin`. Run this to add it to your path:\n  `export PATH=$PATH:~/.local/bin`\n  *(Tip: Add that line to your `~/.bashrc` or `~/.zshrc` file to make it permanent).*\n\n**2. Port 3000 is already in use**\n* **The Fix:** The Sevorix Watchtower dashboard runs on port 3000 by default. If you have a React or Node.js app running in the background, Sevorix might fail to start. Kill the process using port 3000, then run `sevorix start` again. Support for designating a port other than the default 3000 coming soon.\n\n**3. Permission Denied during Claude Code Integration**\n* **The Fix:** When you run `sevorix integrations start claude`, Sevorix uses a Linux mount namespace to safely lock the agent down. This requires temporary `sudo` privileges. Ensure your user has sudo rights, or check that the installer successfully placed the rule in `/etc/sudoers.d/sevorix-claude`.\n\n**4. macOS: daemon does not start on login**\n* **The Fix:** The daemon does not integrate with launchd automatically. To start Sevorix on login, create `~/Library/LaunchAgents/com.sevorix.watchtower.plist`:\n  ```xml\n  \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n  \u003c!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"\u003e\n  \u003cplist version=\"1.0\"\u003e\u003cdict\u003e\n      \u003ckey\u003eLabel\u003c/key\u003e\u003cstring\u003ecom.sevorix.watchtower\u003c/string\u003e\n      \u003ckey\u003eProgramArguments\u003c/key\u003e\u003carray\u003e\n          \u003cstring\u003e/Users/YOUR_USER/.local/bin/sevorix\u003c/string\u003e\n          \u003cstring\u003erun\u003c/string\u003e\n      \u003c/array\u003e\n      \u003ckey\u003eRunAtLoad\u003c/key\u003e\u003ctrue/\u003e\n      \u003ckey\u003eKeepAlive\u003c/key\u003e\u003ctrue/\u003e\n      \u003ckey\u003eStandardOutPath\u003c/key\u003e\u003cstring\u003e/tmp/sevorix.log\u003c/string\u003e\n      \u003ckey\u003eStandardErrorPath\u003c/key\u003e\u003cstring\u003e/tmp/sevorix.err\u003c/string\u003e\n  \u003c/dict\u003e\u003c/plist\u003e\n  ```\n  Then run `launchctl load ~/Library/LaunchAgents/com.sevorix.watchtower.plist`.\n\n**5. macOS build error: `could not find library 'seccomp'`**\n* **The Fix:** This occurs when building from source before the `libseccomp` dependency is gated as Linux-only in `sevorix-core`. As a temporary workaround, move the dependency in `sevorix-core/Cargo.toml`:\n  ```toml\n  [target.'cfg(target_os = \"linux\")'.dependencies]\n  libseccomp = \"0.4\"\n  ```\n  Pre-built macOS binaries from the releases page do not have this issue.\n\n---\n\n**License:** Open source under the AGPL-3.0 license. For commercial or enterprise use, contact `chris@sevorix.com`.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsevorix%2Fsevorix-lite","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsevorix%2Fsevorix-lite","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsevorix%2Fsevorix-lite/lists"}