Local safety layer for AI agents that can use the terminal.
AI agents are starting to do real work: read files, run commands, install packages, call APIs, and touch servers. That is useful. It is also the moment a chatbot becomes something with operational power.
InnerWarden sits outside the agent, on the host it is using. Not a sandbox, not a prompt filter: it screens risky commands and MCP/tool traffic routed through its guard, watches the real Linux activity underneath with eBPF, blocks or flags dangerous behavior, and keeps the decision trail local. Its kernel Execution Gate (an eBPF LSM hook, inert by default) can make unauthorized binaries impossible to run, enforced below anything a hijacked agent can reach. No cloud control plane. Open source. Dry-run by default.
Your agent reads a pull request, a web page, or a file with hidden instructions. It tries to read secrets, run an unsafe shell command, or connect somewhere it should not. InnerWarden catches the action before the damage leaves the box, then shows you what happened and why.
curl -fsSL https://innerwarden.com/install | sudo bash
Installs in 10 seconds. Starts in observe-only mode. Dry-run by default. You decide when to go live.
Prompt guardrails try to control what an agent says. InnerWarden controls what it actually does.
It lives where the action is: on the machine the agent can affect. Agent-facing checks can review commands and MCP tool calls before they run; host-level sensors still watch what actually executes. If the agent is tricked, the safety layer is not inside the thing being tricked. One binary, one SQLite database, no SIEM bundle, no external IDS, no cloud control plane. Two Rust daemons and a CLI.
In plain terms, it does three things:
Under the hood: 27 eBPF programs loaded (kernel-dependent), 82 detectors, 69 cross-layer correlation rules, 56 MITRE ATT&CK technique IDs (90+ detector mappings), and 9800+ tests gate every change. The full tour is further down: what it does, what it detects, how it works.
I built InnerWarden because agents are going to do real work, and real work needs supervision. The same system that can catch a reverse shell at the kernel level, block an attacker, deploy a honeypot, and alert you on Telegram can also sit underneath an AI agent and ask a simpler question: "is this action safe to let through?"
Apache-2.0. If this project helps make agent automation safer to try, give it a star so others can find it.
Full layered architecture: firmware (Ring -2) to kernel eBPF to sensor to agent to response. Click to expand.
``` ┌─────────────────────────────────────────────────────────────────────┐ │ FIRMWARE / BIOS (Ring -2) │ │ MSR write guard (LSTAR/SMRR) | ACPI method monitoring | ESP hash │ │ SPI controller probing | eBPF weaponization detection (VoidLink) │ └─────────────────────────────────────────────┬───────────────────────┘ │ ┌─────────────────────────────────────────────┼───────────────────────┐ │ HYPERVISOR (Ring -1) │ │ │ VM introspection | KVM monitoring | VM exit analysis │ └─────────────────────────────────────────────┼───────────────────────┘ │ ┌─────────────────────────────────────────────┼──────────────────────┐ │ KERNEL (Ring 0) │ │ │ │ │ ┌───────────── ─┐ ┌────────────┐ ┌─────────┐ ┌───────────────┐ │ │ │23 tracepoints │ │ 10 kprobes │ │ 5 LSM │ │ XDP │ │ │ │ execve, │ │ creds, │ │ exec │ │ wire-speed │ │ │ │ connect, │ │ MSR, ACPI │ │ file │ │ IP blocking │ │ │ │ openat, │ │ timestomp │ │ bpf │ │ 10M+ pps │ │ │ │ mount, clone, │ │ truncate │ │ + kill │ │ allowlist + │ │ │ │ ptrace, ... │ │ + 7 raw_tp │ │ chain │ │ blocklist │ │ │ └──────┬─────── ┘ └─────┬──────┘ └───┬─────┘ └──────┬────────┘ │ │ └─ ───────┬───────┘ │ │ │ │ ▼ │ │ │ │ ┌─────────────┐ │ │ │ │ │ Ring Buffer │ │ │ │ │ │ (1MB epoll) │ │ │ │ │ └──────┬──────┘ │ │ │ └──────────────────┼────────────── ──────┼───────────────┼───────────┘ │ │ │ ▼ │ │ ┌────────────────────────────────────────────────────────────────── ┐ │ SENSOR │ │ │ │ ┌─────────┐ ┌─────────┐ ┌────────┐ ┌────────────────────────┐ │ │ │auth.log │ │journald │ │ Docker │ │ eBPF collector │◄─┘ | │ │nginx │ │syslog │ │ cgroup │ │ (47 compiled) │ | │ └────┬────┘ └────┬────┘ └──┬──── ┘ └───────────┬────────────┘ │ │ │ │ │ │ │ │ ┌────┴────┐ ┌────┴─────┐ ┌─┴──────────────┐ │ │ │ │DNS/HTTP │ │TLS/JA3 │ │kernel_integrity│ │ │ │ │capture │ │JA4 │ │proc_maps │ │ │ │ │(native) │ │(native) │ │fanotify │ │ │ │ └────┬────┘ └────┬─────┘ └───────┬────────┘ │ │ │ └───────────┴───────────────┴─────────────┘ │ │ │ │ │ ┌─────▼──────┐ │ │ │82 detectors│ + 8 YARA + 209 Sigma (+9 built-in)│ │ │ stateful │ │ │ └─────┬──────┘ │ │ │ │ │ ┌───────────▼───────────┐ │ │ │ events + incidents │ │ │ │ (SQLite WAL) │ │ │ └───────────┬───────────┘ │ └──────────────────────────┼────────────────────────────────────────┘ │ ┌──────────────────────────┼────────────────────────────────────────┐ │ AGENT │ │ │ ▼ │ │ ┌───────────────────────────────────────────────────────────┐ │ │ │ Knowledge Graph (in-memory) │ │ │ │ 11 node types (Process, IP, File, User, Domain, ...) │ │ │ │ 53 relation types | 28 graph detectors | 10 graph rules │ │ │ │ Autoencoder anomaly scoring (65 features) │ │ │ └────────────────────────┬──────────────────────────────────┘ │ │ ▼ │ │ ┌──────────────────────────────────────────────┐ │ │ │ 69 Cross-Layer Correlation Rules │ │ │ │ + Kill Chain Tracker (7 stages per entity) │ │ │ │ + Threat DNA behavioral fingerprinting │ │ │ └────────────────────┬─────────────────────────┘ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ Algorithm Gate │ skip low-sev, private IP │ │ └────────┬─────────┘ │ │ ▼ │ │ ┌────────────────────┐ │ │ │ Enrich: AbuseIPDB, │ │ │ │ GeoIP, CrowdSec │ │ │ └────────┬───────────┘ │ │ ▼ │ │ ┌──────────────────────┐ │ │ │ Local Warden │ on-device ONNX classifier │ │ │ (opt-in via │ ~91 MB, 61 ms p50; routes │ │ │ install-warden, │ Decide on-device when │ │ │ warden default) │ installed by default now │ │ └──────────┬───────────┘ │ │ ▼ │ │ ┌─────────────────────┐ │ │ │ AI Triage (opt LLM) │ OpenAI / Anthropic / Ollama │ │ └────────┬────────────┘ via AI Capability Router │ │ ▼ │ │ ┌─────────────────┐ ┌──────────────┐ │ │ │ Skill Executor │────►│ LSM enforce │ │ │ │ block_ip (6) │ │ XDP block │ │ │ │ kill_process │ └──────────────┘ │ │ │ suspend_sudo │ ┌──────────────┐ │ │ │ honeypot │────►│ Cloudflare │ │ │ │ playbooks (3) │ │ AbuseIPDB │ │ │ └────────┬────────┘ └──────────────┘ │ │ │ │ │ ┌────────────┼────────────┬──────────────┐ │ │ ▼ ▼ ▼ ▼ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │ │ │ Telegram │ │ Slack │ │ Webhook │ │ Mesh Network │ │ │ │ bot │ │ │ │ (any) │ │ peer defense │ │ │ └──────────┘ └──────────┘ └──────────┘ └──────────────┘ │ │ │ │ ┌───────────────────────────────────────────────────────────┐ │ │ │ innerwarden.db (SQLite WAL) │ │ │ │ Events, incidents, decisions, graph snapshots, KV state, │ │ │ │ attacker profiles, baselines | Hash chain audit trail │ │ │ └───────────────────────────────────────────────────────────┘ │ │ │ │ ┌───────────────────────────────────────────────────────────┐ │ │ │ Dashboard: HUD, threats, investigation, attacker intel, │ │ │ │ MITRE ATT&CK map, monthly reports, baseline learning, │ │ │ │ ISO 27001 compliance, hash chain, live SSE, audit trail, │ │ │ │ drift metrics, trust scores, regression scenario gates │ │ │ └────────────────────────────────────────
$ claude mcp add innerwarden \
-- python -m otcore.mcp_server <graph>