https://github.com/tensorchord/watchu
Hey, Agent! 🐝 The bees are watching you! 🐝
https://github.com/tensorchord/watchu
Last synced: 9 days ago
JSON representation
Hey, Agent! 🐝 The bees are watching you! 🐝
- Host: GitHub
- URL: https://github.com/tensorchord/watchu
- Owner: tensorchord
- License: apache-2.0
- Created: 2026-04-08T07:34:17.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-06-05T13:33:49.000Z (29 days ago)
- Last Synced: 2026-06-10T22:04:31.860Z (24 days ago)
- Language: C
- Homepage:
- Size: 268 KB
- Stars: 14
- Watchers: 1
- Forks: 2
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Agents: AGENTS.md
Awesome Lists containing this project
README

[![Build & Test][ci-check-badge]][ci-check-file]
[![Discord][discord-badge]][discord-link]
WatchU is a Linux eBPF-based collector for observing agent activities from the host.
It is designed for people who want a local collector that can capture high-value runtime signals such as:
- [x] process execs
- [x] file operations
- [x] TLS plaintext HTTP traffic (OpenSSL & BoringSSL)
- [x] TCP connects
- [x] Postgres client queries
- [x] stdio/MCP traffic

## Requirements
Current expected runtime environment:
- Linux `amd64` or `arm64` with kernel version >= 5.8
- Permissions to load eBPF programs and attach fentry/uprobe/tracepoints
## Quick Start
Build:
```bash
make build
```
Run with debug logging:
```bash
sudo ./bin/app -debug
```
Run with the terminal UI:
```bash
sudo ./bin/app -tui
```
Export events to a local JSONL file:
```bash
sudo ./bin/app -export file:///tmp/watchu.jsonl
```
## Docker Quick Start
Build the image:
```bash
docker buildx build -t watchu -f Dockerfile --load .
```
Run it:
```bash
docker run --rm \
--cap-add=CAP_SYS_ADMIN \
--cap-add=CAP_SYS_PTRACE \
--cap-add=CAP_BPF \
--cap-add=CAP_PERFMON \
-v /sys/kernel/debug:/sys/kernel/debug:ro \
--pid=host \
--security-opt apparmor=unconfined \
watchu
```
## Development
Check the [CONTRIBUTING.md](./CONTRIBUTING.md) guide.
[ci-check-badge]: https://github.com/tensorchord/watchu-cli/actions/workflows/build.yml/badge.svg
[ci-check-file]: https://github.com/tensorchord/watchu-cli/actions/workflows/build.yml
[discord-badge]: https://img.shields.io/discord/974584200327991326?&logoColor=white&color=5865F2&style=flat&logo=discord&cacheSeconds=60
[discord-link]: https://discord.gg/KqswhpVgdU