MCPcopy Index your code
hub / github.com/InnerWarden/innerwarden

github.com/InnerWarden/innerwarden @v0.16.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.16.0 ↗ · + Follow
16,497 symbols 61,850 edges 626 files 2,954 documented · 18%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

InnerWarden

Local safety layer for AI agents that can use the terminal.

AI agents are starting to do real work: read files, run commands, install packages, call APIs, and touch servers. That is useful. It is also the moment a chatbot becomes something with operational power.

InnerWarden sits outside the agent, on the host it is using. Not a sandbox, not a prompt filter: it screens risky commands and MCP/tool traffic routed through its guard, watches the real Linux activity underneath with eBPF, blocks or flags dangerous behavior, and keeps the decision trail local. Its kernel Execution Gate (an eBPF LSM hook, inert by default) can make unauthorized binaries impossible to run, enforced below anything a hijacked agent can reach. No cloud control plane. Open source. Dry-run by default.

Your agent reads a pull request, a web page, or a file with hidden instructions. It tries to read secrets, run an unsafe shell command, or connect somewhere it should not. InnerWarden catches the action before the damage leaves the box, then shows you what happened and why.

curl -fsSL https://innerwarden.com/install | sudo bash

Installs in 10 seconds. Starts in observe-only mode. Dry-run by default. You decide when to go live.

OpenSSF Scorecard OpenSSF Best Practices codecov CI Security License: Apache-2.0

Built with Rust eBPF Programs Detectors Correlation Rules Tests MITRE Coverage Sigma Rules Memory AI Optional Storage Graph


Who is this for?

  • Developers and self-hosters running AI agents that can edit code, call tools, or touch a shell
  • Founders and operators who want to bring agents into real business workflows without "just trust the prompt" as the security plan
  • SREs and sysadmins who manage Linux servers and want automated threat response, not just alerts
  • Security teams who want kernel-level visibility (eBPF), MITRE ATT&CK coverage, local audit trails, and clear operator controls

How is this different?

Prompt guardrails try to control what an agent says. InnerWarden controls what it actually does.

It lives where the action is: on the machine the agent can affect. Agent-facing checks can review commands and MCP tool calls before they run; host-level sensors still watch what actually executes. If the agent is tricked, the safety layer is not inside the thing being tricked. One binary, one SQLite database, no SIEM bundle, no external IDS, no cloud control plane. Two Rust daemons and a CLI.

In plain terms, it does three things:

  • Supervise. It screens an agent's commands and MCP/tool calls before they run and returns allow, review, or block, scored against embedded Agent Threat Rules.
  • Watch. It sees what actually executes on the host with eBPF, so if something slips past the polite guardrail it is still caught.
  • Prove. It records every decision locally in a tamper-evident audit trail. No cloud, your data never leaves the box.

Under the hood: 27 eBPF programs loaded (kernel-dependent), 82 detectors, 69 cross-layer correlation rules, 56 MITRE ATT&CK technique IDs (90+ detector mappings), and 9800+ tests gate every change. The full tour is further down: what it does, what it detects, how it works.

See it responding to live network anomalies on our lab infrastructure


Why this exists

I built InnerWarden because agents are going to do real work, and real work needs supervision. The same system that can catch a reverse shell at the kernel level, block an attacker, deploy a honeypot, and alert you on Telegram can also sit underneath an AI agent and ask a simpler question: "is this action safe to let through?"

Apache-2.0. If this project helps make agent automation safer to try, give it a star so others can find it.


Architecture

Full layered architecture: firmware (Ring -2) to kernel eBPF to sensor to agent to response. Click to expand.

``` ┌─────────────────────────────────────────────────────────────────────┐ │ FIRMWARE / BIOS (Ring -2) │ │ MSR write guard (LSTAR/SMRR) | ACPI method monitoring | ESP hash │ │ SPI controller probing | eBPF weaponization detection (VoidLink) │ └─────────────────────────────────────────────┬───────────────────────┘ │ ┌─────────────────────────────────────────────┼───────────────────────┐ │ HYPERVISOR (Ring -1) │ │ │ VM introspection | KVM monitoring | VM exit analysis │ └─────────────────────────────────────────────┼───────────────────────┘ │ ┌─────────────────────────────────────────────┼──────────────────────┐ │ KERNEL (Ring 0) │ │ │ │ │ ┌───────────── ─┐ ┌────────────┐ ┌─────────┐ ┌───────────────┐ │ │ │23 tracepoints │ │ 10 kprobes │ │ 5 LSM │ │ XDP │ │ │ │ execve, │ │ creds, │ │ exec │ │ wire-speed │ │ │ │ connect, │ │ MSR, ACPI │ │ file │ │ IP blocking │ │ │ │ openat, │ │ timestomp │ │ bpf │ │ 10M+ pps │ │ │ │ mount, clone, │ │ truncate │ │ + kill │ │ allowlist + │ │ │ │ ptrace, ... │ │ + 7 raw_tp │ │ chain │ │ blocklist │ │ │ └──────┬─────── ┘ └─────┬──────┘ └───┬─────┘ └──────┬────────┘ │ │ └─ ───────┬───────┘ │ │ │ │ ▼ │ │ │ │ ┌─────────────┐ │ │ │ │ │ Ring Buffer │ │ │ │ │ │ (1MB epoll) │ │ │ │ │ └──────┬──────┘ │ │ │ └──────────────────┼────────────── ──────┼───────────────┼───────────┘ │ │ │ ▼ │ │ ┌────────────────────────────────────────────────────────────────── ┐ │ SENSOR │ │ │ │ ┌─────────┐ ┌─────────┐ ┌────────┐ ┌────────────────────────┐ │ │ │auth.log │ │journald │ │ Docker │ │ eBPF collector │◄─┘ | │ │nginx │ │syslog │ │ cgroup │ │ (47 compiled) │ | │ └────┬────┘ └────┬────┘ └──┬──── ┘ └───────────┬────────────┘ │ │ │ │ │ │ │ │ ┌────┴────┐ ┌────┴─────┐ ┌─┴──────────────┐ │ │ │ │DNS/HTTP │ │TLS/JA3 │ │kernel_integrity│ │ │ │ │capture │ │JA4 │ │proc_maps │ │ │ │ │(native) │ │(native) │ │fanotify │ │ │ │ └────┬────┘ └────┬─────┘ └───────┬────────┘ │ │ │ └───────────┴───────────────┴─────────────┘ │ │ │ │ │ ┌─────▼──────┐ │ │ │82 detectors│ + 8 YARA + 209 Sigma (+9 built-in)│ │ │ stateful │ │ │ └─────┬──────┘ │ │ │ │ │ ┌───────────▼───────────┐ │ │ │ events + incidents │ │ │ │ (SQLite WAL) │ │ │ └───────────┬───────────┘ │ └──────────────────────────┼────────────────────────────────────────┘ │ ┌──────────────────────────┼────────────────────────────────────────┐ │ AGENT │ │ │ ▼ │ │ ┌───────────────────────────────────────────────────────────┐ │ │ │ Knowledge Graph (in-memory) │ │ │ │ 11 node types (Process, IP, File, User, Domain, ...) │ │ │ │ 53 relation types | 28 graph detectors | 10 graph rules │ │ │ │ Autoencoder anomaly scoring (65 features) │ │ │ └────────────────────────┬──────────────────────────────────┘ │ │ ▼ │ │ ┌──────────────────────────────────────────────┐ │ │ │ 69 Cross-Layer Correlation Rules │ │ │ │ + Kill Chain Tracker (7 stages per entity) │ │ │ │ + Threat DNA behavioral fingerprinting │ │ │ └────────────────────┬─────────────────────────┘ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ Algorithm Gate │ skip low-sev, private IP │ │ └────────┬─────────┘ │ │ ▼ │ │ ┌────────────────────┐ │ │ │ Enrich: AbuseIPDB, │ │ │ │ GeoIP, CrowdSec │ │ │ └────────┬───────────┘ │ │ ▼ │ │ ┌──────────────────────┐ │ │ │ Local Warden │ on-device ONNX classifier │ │ │ (opt-in via │ ~91 MB, 61 ms p50; routes │ │ │ install-warden, │ Decide on-device when │ │ │ warden default) │ installed by default now │ │ └──────────┬───────────┘ │ │ ▼ │ │ ┌─────────────────────┐ │ │ │ AI Triage (opt LLM) │ OpenAI / Anthropic / Ollama │ │ └────────┬────────────┘ via AI Capability Router │ │ ▼ │ │ ┌─────────────────┐ ┌──────────────┐ │ │ │ Skill Executor │────►│ LSM enforce │ │ │ │ block_ip (6) │ │ XDP block │ │ │ │ kill_process │ └──────────────┘ │ │ │ suspend_sudo │ ┌──────────────┐ │ │ │ honeypot │────►│ Cloudflare │ │ │ │ playbooks (3) │ │ AbuseIPDB │ │ │ └────────┬────────┘ └──────────────┘ │ │ │ │ │ ┌────────────┼────────────┬──────────────┐ │ │ ▼ ▼ ▼ ▼ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │ │ │ Telegram │ │ Slack │ │ Webhook │ │ Mesh Network │ │ │ │ bot │ │ │ │ (any) │ │ peer defense │ │ │ └──────────┘ └──────────┘ └──────────┘ └──────────────┘ │ │ │ │ ┌───────────────────────────────────────────────────────────┐ │ │ │ innerwarden.db (SQLite WAL) │ │ │ │ Events, incidents, decisions, graph snapshots, KV state, │ │ │ │ attacker profiles, baselines | Hash chain audit trail │ │ │ └───────────────────────────────────────────────────────────┘ │ │ │ │ ┌───────────────────────────────────────────────────────────┐ │ │ │ Dashboard: HUD, threats, investigation, attacker intel, │ │ │ │ MITRE ATT&CK map, monthly reports, baseline learning, │ │ │ │ ISO 27001 compliance, hash chain, live SSE, audit trail, │ │ │ │ drift metrics, trust scores, regression scenario gates │ │ │ └────────────────────────────────────────

Extension points exported contracts — how you extend this code

ResponseSkill (Interface)
A response skill is an action Inner Warden can take when an incident is detected. ## Adding a community skill 1. Creat [15 …
crates/agent/src/skills/mod.rs
Preflight (Interface)
(no doc) [6 implementers]
crates/ctl/src/capability.rs
RestartHook (Interface)
Pre-spawn check the supervisor consults before launching the agent. [3 implementers]
crates/supervisor/src/hook.rs
DevnodeMetadataReader (Interface)
Filesystem facade so the detector can be unit-tested without touching the real `/dev/`. Production uses [`RealDevnodeRea [2 …
crates/sensor/src/detectors/kernel_devnode_exposed.rs
OptionalExt (Interface)
Extension trait for optional query results. [1 implementers]
crates/store/src/incidents.rs
PlaybookAudit (Interface)
Sink for per-step audit records. The production impl ([`FileAudit`]) writes both `decisions.jsonl` and `playbook_steps-< [4 …
crates/agent/src/playbook_engine/executor.rs
Capability (Interface)
(no doc) [7 implementers]
crates/ctl/src/capability.rs
PageCacheReader (Interface)
(no doc) [2 implementers]
crates/sensor/src/detectors/suid_page_cache_integrity.rs

Core symbols most depended-on inside this repo

path
called by 2925
crates/ctl/src/sudoers.rs
clone
called by 2274
crates/sensor/src/detectors/suid_page_cache_integrity.rs
now
called by 1747
crates/agent/src/notification_pipeline.rs
contains
called by 1576
crates/agent/src/skills/mod.rs
is_empty
called by 1443
crates/agent/src/ioc.rs
push
called by 1364
crates/agent-guard/src/mcp_proxy/taint.rs
get
called by 842
crates/dna/src/store.rs
len
called by 799
crates/dna/src/store.rs

Shape

Function 13,236
Method 1,924
Class 1,099
Enum 220
Interface 18

Languages

Rust98%
TypeScript1%
Python1%
C1%

Modules by API surface

crates/ctl/src/commands/ops.rs300 symbols
crates/agent/src/dashboard/mod.rs259 symbols
crates/ctl/src/commands/setup.rs232 symbols
crates/agent/src/config/mod.rs190 symbols
crates/sensor/src/config.rs153 symbols
crates/ctl/src/scan.rs152 symbols
crates/agent/src/dashboard/agent_api.rs151 symbols
crates/agent/src/skills/builtin/honeypot/session.rs133 symbols
crates/agent/src/dashboard/actions.rs125 symbols
crates/agent/src/knowledge_graph/ingestion.rs121 symbols
crates/agent/src/dashboard/data_api.rs120 symbols
crates/agent/src/notification_pipeline.rs118 symbols

Datastores touched

(mongodb)Database · 1 repos
mydbDatabase · 1 repos

For agents

$ claude mcp add innerwarden \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page