Skip to content

GenseeAI/gensee-crate

Gensee Crate

Full-stack, long-horizon runtime safety for AI coding agents.

Gensee Crate watches system events, user requests, agent tool calls, skills and memory behind unmodified coding agents such as Claude Code, Codex, Antigravity, and Omnigent. It follows long-horizon agent behavior across requests and sessions and runs as a low-latency sidecar beside the agents on native hosts like macOS and Linux. Real-time enforcement combines agent-interface decisions with Linux syscall, network, and sensitive-file controls. Offline event tracking, lineage, and provenance can be viewed in a web dashboard and command line.

License: Apache 2.0 Status: alpha Rust: stable Platform: macOS and Linux

gensee.ai · Docs · Join Discord

Gensee Crate defense-in-depth architecture

Need company-enforced rules, credential and identity controls, and oversight across a distributed fleet of developer endpoints? Contact GenseeAI.


Why Gensee Crate?

Gensee Crate helps you:

  • Watch what your agent actually does. Capture files read and written, commands run, network targets reached, hook intent, alerts, and timeline context in one local store.
  • Enforce policy before risky tools run. Enforces a deterministic, configurable policy that can allow, ask, or deny secret reads, destructive ops, out-of-workspace writes, cloud-metadata access, control-plane writes, dangerous executable content, and more.
  • Trace provenance across sessions. Lineage graphs link prompts, tool calls, filesystem effects, artifacts, alerts, and review verdicts so long-horizon safety issues such as memory poisoning and data exfiltration can be prevented in time and examined afterward.
  • Seamless integration with your current workflow. Run gensee watch beside an agent or launch an agent in a sandbox with gensee run with additional safety. Manage policy with gensee policy and inspect activity in the local dashboard.

Preliminary Benchmark Results

Preliminary AgentCanary benchmark results show Gensee Crate improving defense rate across memory poisoning, long-horizon, and prompt-injection threat types with low runtime overhead.

Preliminary AgentCanary benchmark results

Quick start

1. Install

One command installs Gensee Crate and checks or installs its command-line prerequisites on macOS. At the end, the installer can configure supported agent hooks for active safety policy enforcement, lets you choose GENSEE_HOME, and lets you keep the bundled default policy or create an editable local policy:

curl -fsSL https://raw.githubusercontent.com/GenseeAI/gensee-crate/main/scripts/install_oss.sh | bash

For non-interactive installs that should configure Claude Code, Codex, and Antigravity hooks:

curl -fsSL https://raw.githubusercontent.com/GenseeAI/gensee-crate/main/scripts/install_oss.sh | GENSEE_CONFIGURE_CLAUDE=1 GENSEE_CONFIGURE_CODEX=1 GENSEE_CONFIGURE_ANTIGRAVITY=1 bash
Prefer to install manually?

Install platform prerequisites first.

On macOS:

xcode-select --install

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source "$HOME/.cargo/env"

brew install jq

On Ubuntu/Debian Linux:

sudo apt update
sudo apt install -y build-essential pkg-config libssl-dev jq nftables git

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source "$HOME/.cargo/env"

Build the CLI from source:

git clone https://github.com/GenseeAI/gensee-crate.git
cd gensee-crate
cargo build -p gensee-crate-cli

The binary is now at target/debug/gensee. For convenience, either add that directory to your PATH, or install gensee globally:

cargo install --path crate/gensee-crate-cli   # puts `gensee` on PATH

Gensee stores its local state under ~/.gensee by default. Set GENSEE_HOME to override it, and use the same GENSEE_HOME for watch, hooks, run, timeline, and the dashboard so the signals appear together. GENSEE_HOME is the Gensee data store, not the agent project/workspace folder:

export GENSEE_HOME="$HOME/.gensee"

For hook-based agents, there are two paths to keep straight:

  • GENSEE_HOME: where Gensee records hooks, alerts, timelines, policies, and dashboard data. Use the same value across Claude Code, Codex, Antigravity, Omnigent sidecars, gensee watch, gensee timeline, and the dashboard when you want one combined view.
  • agent workspace/config path: where the agent looks for its hook settings. Claude Code uses ~/.claude/settings.json, Codex uses ~/.codex/hooks.json, and Antigravity defaults to global ~/.gemini/config/hooks.json. Antigravity also supports workspace-local .agents/hooks.json when you pass --hooks.

Avoid pointing GENSEE_HOME at the project workspace root. A repo-local store such as $PWD/.gensee-dev is convenient for development, while $HOME/.gensee-<agent> is better for long-running sidecars such as Omnigent so Gensee does not watch its own store writes.

The local store can include redacted prompts, commands, paths, policy alerts, and lineage data. Fresh telemetry stores are encrypted at rest by default with a local key in $GENSEE_HOME/gensee.key. Keep that key private and do not share it with store snapshots; sharing the key and store together gives readers access to the telemetry. Existing plaintext development stores remain readable rather than breaking hooks; move or remove the old GENSEE_HOME to start a fresh encrypted store. Set GENSEE_STORE_ENCRYPTION=0 only for local debugging stores.

Toolchain and prerequisites (if the installer reports a missing tool)
  • macOS and Linux for the stable v0.1 path. Linux host controls include /proc process attribution, fanotify sensitive-path enforcement, seccomp launcher profiles, and cgroup/nftables network controls.
  • Claude Code, Codex, or Antigravity for hook-based enforcement. Other agents are planned.
  • Rust toolchain (cargo) and jq.
  • On Linux: build tools, pkg-config, OpenSSL headers, nftables, and git.

Install the required command-line tools on macOS:

xcode-select --install

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source "$HOME/.cargo/env"

brew install jq

Install the required command-line tools on Ubuntu/Debian Linux:

sudo apt update
sudo apt install -y build-essential pkg-config libssl-dev jq nftables git

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source "$HOME/.cargo/env"
Configure agent hooks manually

To capture prompt/tool intent and enforce the safety policy, configure your agent's hooks to call the matching gensee hook endpoint. The installer offers Claude Code, Codex, and Antigravity setup. To run the setup step later for Claude Code:

gensee setup claude-code --gensee-home "$GENSEE_HOME"

If your team requires Claude Code traffic to pass through an inspecting LLM gateway, configure that during the same setup step:

gensee setup claude-code \
  --gensee-home "$GENSEE_HOME" \
  --anthropic-base-url https://llm-gateway.example.com \
  --anthropic-auth-token "$GATEWAY_TOKEN"

For local screening/blocking, start the bundled gateway and point Claude Code at it:

GENSEE_HOME="$GENSEE_HOME" \
GENSEE_BIN="$PWD/target/debug/gensee" \
GENSEE_GATEWAY_TOKEN="local-gateway-token" \
ANTHROPIC_UPSTREAM_API_KEY="$ANTHROPIC_API_KEY" \
node scripts/anthropic_gateway.mjs

./target/debug/gensee setup claude-code \
  --gensee-home "$GENSEE_HOME" \
  --anthropic-base-url http://127.0.0.1:8787 \
  --anthropic-auth-token local-gateway-token

Or for Codex:

gensee setup codex --gensee-home "$GENSEE_HOME"

Or for global Antigravity hooks:

gensee setup antigravity --gensee-home "$GENSEE_HOME"

For workspace-local Antigravity hooks instead, pass an explicit workspace hook path:

gensee setup antigravity \
  --gensee-home "$GENSEE_HOME" \
  --hooks /path/to/workspace/.agents/hooks.json

If you are running from a source checkout instead of an installed binary:

./target/debug/gensee setup claude-code --gensee-home "$GENSEE_HOME"
./target/debug/gensee setup codex --gensee-home "$GENSEE_HOME"
./target/debug/gensee setup antigravity --gensee-home "$GENSEE_HOME"

The setup commands back up the previous hook settings, update ~/.claude/settings.json, ~/.codex/hooks.json, or ~/.gemini/config/hooks.json by default, and use the absolute path to the gensee binary you invoked. Fully restart Claude Code or Antigravity after changing hook config. Open /hooks in Codex to review and trust the hook command before testing enforcement. Full manual config and what gets recorded (plus redaction details) are in docs/claude-code-hooks.md, docs/codex-support.md, and docs/antigravity-support.md.

Updating to a new release

Rerun the installer to update gensee in place:

curl -fsSL https://raw.githubusercontent.com/GenseeAI/gensee-crate/main/scripts/install_oss.sh | bash

If you installed from a source checkout, pull the latest changes and reinstall:

git pull --ff-only
cargo install --path crate/gensee-crate-cli --force

2. Run

Choose the section for your operating system. Each path can combine hooks, sidecar watching, and managed gensee run launches.

macOS

Hooks only. Agent requests and tool calls are checked by Gensee policy after Step 1 setup. No extra command needs to keep running.

Watch. Observe workspace file effects, and optionally ingest macOS EndpointSecurityLogger events:

gensee watch # optional flags: --workspace --watch-root --duration-seconds
sudo gensee watch --system-events eslogger

If you use --system-events eslogger, open Apple menu > System Settings > Privacy & Security > Full Disk Access, click +, add the app hosting gensee (for example Terminal, iTerm, or Visual Studio Code), then quit and reopen that app.

Run. Launch the agent as a child of Gensee. --sandbox mac uses sandbox-exec and can stage workspace writes for review.

gensee run -- claude # or: gensee run -- codex
gensee run --sandbox mac --profile cautious --workspace-mode staged -- claude

For orchestration frameworks such as Omnigent, use the same outer safety layer:

gensee watch --workspace . --watch-root ~/.omnigent
gensee run --workspace-mode staged -- omnigent run path/to/agent.yaml
Linux

Hooks only. Agent requests and tool calls are checked by Gensee policy after Step 1 setup. No extra command needs to keep running.

Environment config. Linux host controls include /proc process attribution, fanotify sensitive-path permission enforcement, seccomp launcher profiles, and cgroup/nftables network controls. Kernel-owned controls need sudo; supervised launches and seccomp-only launches can usually run without it.

For Node/npm-installed agents such as Codex or Claude Code, preserve PATH so the agent shim can still find node, and preserve HOME/GENSEE_HOME so Gensee and the agent use the expected user config:

export GENSEE_HOME="${GENSEE_HOME:-$HOME/.gensee}"
alias gensee-sudo='sudo env "PATH=$PATH" "HOME=$HOME" "GENSEE_HOME=$GENSEE_HOME" gensee'

Add those two lines to ~/.bashrc, ~/.zshrc, or your shell profile to make them permanent. Because these commands preserve HOME while running privileged controls, a root-launched agent may create root-owned files in your home directory.

Inspect Linux host capabilities and enabled controls:

gensee status --json

Watch. Attach to an already-running agent process tree:

gensee watch --pid <agent-root-pid>

Run. Launch the agent as a child of Gensee with Linux host controls:

gensee-sudo run --sandbox linux -- codex

If testing from a source build, use the same pattern with the debug binary:

sudo env "PATH=$PATH" "HOME=$HOME" "GENSEE_HOME=${GENSEE_HOME:-$HOME/.gensee}" \
  ./target/debug/gensee run --sandbox linux -- codex

For orchestration frameworks such as Omnigent, use the same outer safety layer:

gensee watch --workspace . --watch-root ~/.omnigent
gensee-sudo run --sandbox linux -- omnigent run path/to/agent.yaml

See docs/watch.md, docs/run-and-sandbox.md, and docs/linux.md for the full options.

3. Examine results

CLI. Inspect what happened at any time:

gensee run list   # list guarded run sessions and staged workspaces
gensee timeline   # show prompts, tool intent, file effects, and policy decisions

Dashboard. Open the local dashboard for a browser view of the same store:

The local dashboard reads the same GENSEE_HOME store as watch, hooks, and timeline. It shows live agent activity, policy decisions, alerts, file and request lineage, and the active policy document; users can record review verdicts and edit validated policy settings from the browser.

Launch it from the repository checkout against your active store:

cd /path/to/agent-shield
GENSEE_HOME="$PWD/.gensee-dev" npm --prefix "$PWD/dashboards/web" run dev
# open http://localhost:5173

If you launch it from another directory, use absolute paths and the same GENSEE_HOME that your hooks or gensee watch use:

REPO=/path/to/agent-shield
GENSEE_HOME="$REPO/.gensee-dev" npm --prefix "$REPO/dashboards/web" run dev

See dashboards/web/README.md for requirements, demo data, and policy editing notes.

The activity view brings policy decisions, timeline filtering, event details, and command/tool context into one local browser surface.

Gensee Crate dashboard activity timeline

The lineage view links derived artifacts and shows the facts behind each path, including current risk state and the policy/query context used to inspect it.

Gensee Crate artifact lineage dashboard

The multi-turn view highlights long-horizon patterns across a session, including read-to-exfiltration chains, memory-poison signals, repeated artifact targeting, and policy decisions over time.

Gensee Crate multi-turn provenance dashboard

4. Manage policy

Use gensee policy or the dashboard UI to inspect, initialize, validate, and edit the active policy document without copying files by hand:

gensee policy path
gensee policy setup
gensee policy validate "$GENSEE_HOME/policy.json"

gensee policy setup walks through the same dashboard-style policy settings, artifact definitions, and decision rules. Use it to tune resource limits, network egress, runtime, enforcement, watch system events, allowlisted paths, what counts as executable/memory/skill/control-plane artifacts, and whether each safety rule denies, asks, or allows.

Use gensee policy print-default to inspect the bundled default policy. The guided setup flow writes the user policy to $GENSEE_HOME/policy.json, which is auto-loaded by the hook, CLI, and dashboard when GENSEE_POLICY_FILE is unset. You can also point GENSEE_POLICY_FILE at a custom policy path; see docs/policy.md for the full policy workflow.

Roadmap

Gensee Crate supports macOS and Linux today, with Claude Code, Codex, and Antigravity hook support, local policy enforcement, staged workspace runs, local telemetry, and a browser dashboard. Next directions include:

  • Linux system enforcement: eBPF telemetry, Landlock/AppArmor profile generation, daemon-owned fanotify lifecycle, and richer per-attempt attribution.
  • Endpoint Security-based macOS defense: deeper host-level file, process, and network visibility once the Apple Endpoint Security path is available.
  • Sandbox support: stronger gensee run confinement, staged writes, and speculative or transactional execution for risky agent actions.
  • ML-based policy and rules: learning from controlled traces, blocked actions, and bypass attempts to improve risk scoring and policy suggestions.
  • Integrations: support for more agents and security tooling, including ChatGPT, Gemini, Cursor, GitHub Copilot, Omnigent, CrowdStrike, LLM gateways, MCP servers, and audit/security workflow exports.

See docs/roadmap.md for more detail.

Documentation

Full docs live in docs/:

  • Architecture — the v0.1 wedge, workspace crates, and roadmap.
  • Roadmap — planned Linux enforcement, macOS Endpoint Security, sandbox, ML policy, and integration work.
  • Linux host support/proc monitoring, fanotify sensitive-path enforcement, seccomp launcher profiles, cgroup/nftables egress controls, and the Linux enforcement plan.
  • gensee watch — sidecar filesystem and system-event audit, backends, and watch roots.
  • gensee run and the macOS sandbox — managed launch and staged workspaces.
  • gensee policy — inspect, initialize, validate, and edit local policy settings.
  • Claude Code hooks — wiring Claude Code prompts and tool intent into Gensee.
  • Codex hooks — wiring Codex prompts and tool intent into Gensee.
  • Antigravity support — wiring Antigravity hooks and .agents customizations into Gensee.
  • Omnigent integration — thin sidecar/managed-run support and the deeper policy-bridge plan.
  • Safety policy — the data-driven allow/ask/deny engine and gensee policy workflow.
  • SQLite lineage graph — the provenance schema and example queries.
  • Endpoint Security spikeeslogger system events and the future signed EndpointSecurity path.

About

Runtime safety for AI coding agents with real-time enforcement, system-event monitoring, and long-horizon provenance. Supports Claude Code, Codex, Antigravity, Omnigent on native macOS and Linux.

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

98 stars

Watchers

1 watching

Forks

Packages

 
 
 

Contributors