Building grith — OS-level syscall interception for AI coding agents.
The problem: every agent (Cline, Aider, Codex, Claude Code) has unrestricted access to your filesystem, shell, and network. When they process untrusted content — a cloned repo, a dependency README — they’re prompt injection vectors with full machine access. No existing tool evaluates what the agent actually does at the syscall level.
grith wraps any CLI agent without modification. OS-level interception captures every file open, network call, and process spawn, then runs it through 17 independent security filters in parallel across three phases (~15ms total). Composite score routes each call: auto-allow, auto-deny, or queue for async review. Most will auto-approve, which eliminates approval fatigue.
Also does per-session cost tracking and audit trails as a side effect of intercepting everything.
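One way to picture the phase-by-phase filter pipeline and composite-score routing the post describes, as an added illustration that is not grith's code (the filters, workspace path, host allowlist, phase grouping, noisy-OR combination and thresholds are all assumptions):

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

WORKSPACE = "/work/repo"                             # assumed agent working directory
ALLOWED_HOSTS = {"api.example.com", "github.com"}     # constructed egress allowlist
SECRET_MARKERS = ("/.ssh/", "/.aws/", "/etc/shadow", "/.env")

@dataclass(frozen=True)
class SyscallEvent:
    kind: str     # "open", "connect" or "spawn"
    target: str   # path, host:port, or command line
    write: bool = False

# Each filter is independent and returns a risk score in [0, 1] (constructed heuristics).
def secret_path(ev):
    return 1.0 if ev.kind == "open" and any(m in ev.target for m in SECRET_MARKERS) else 0.0

def write_outside_workspace(ev):
    outside = not ev.target.startswith(WORKSPACE + "/")
    return 0.6 if ev.kind == "open" and ev.write and outside else 0.0

def unknown_host(ev):
    return 0.7 if ev.kind == "connect" and ev.target.split(":")[0] not in ALLOWED_HOSTS else 0.0

def pipe_to_shell(ev):
    return 0.9 if ev.kind == "spawn" and ("| sh" in ev.target or "| bash" in ev.target) else 0.0

def package_script(ev):
    return 0.3 if ev.kind == "spawn" and ev.target.startswith(("npm ", "pip ")) else 0.0

# Three phases run in order; the filters inside one phase run concurrently.
PHASES = [[secret_path, write_outside_workspace], [unknown_host], [pipe_to_shell, package_script]]

def composite_score(ev):
    """Noisy-OR of all filter scores: one strong signal dominates, weak ones accumulate."""
    survive = 1.0
    with ThreadPoolExecutor() as pool:
        for phase in PHASES:
            for score in pool.map(lambda f: f(ev), phase):
                survive *= 1.0 - score
    return round(1.0 - survive, 3)

def route(ev, allow_below=0.2, deny_from=0.8):
    """Map the composite score onto the three outcomes the post lists."""
    s = composite_score(ev)
    if s >= deny_from:
        return "deny", s
    if s < allow_below:
        return "allow", s
    return "review", s
```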
Each syscall taking 15ms on top of the normally costly time taken for context switching to the kernel seems excessively slow, no?
It’s fast in terms of a response from an LLM model, but it is the part of the system I am quite active on at the moment to ensure it’s as performant as possible.