# Greywall

> Container-free, default-deny sandboxing with real-time observability for AI agents on Linux and macOS.

Greywall is an open-source CLI tool that wraps any AI agent (Claude Code, Codex, Cursor, Aider, and others) in a kernel-enforced sandbox. It uses five security layers on Linux (Bubblewrap namespaces, Landlock filesystem, Seccomp BPF syscall filtering, eBPF monitoring, and TUN+SOCKS5 network proxy) and four on macOS (Seatbelt sandbox, filesystem policy, log stream monitor, and proxy-based network control). Default-deny policy means nothing is accessible unless explicitly granted. Built by Greyhaven, licensed Apache 2.0.

## Key Features
- Filesystem isolation (kernel-enforced read/write/deny per path)
- Network isolation (all traffic routed through GreyProxy)
- Command blocking (detects blocked commands in pipes, chains, nested shells)
- Real-time violation monitoring (every denial captured with full context)
- Learning mode (auto-generates least-privilege templates from observed access)
- Syscall filtering (blocks 27+ dangerous system calls via Seccomp BPF)
- Dynamic allow/deny controls (adjust policies live without restarting)

## Links
- [Homepage](https://greywall.io)
- [Documentation](https://docs.greywall.io/)
- [GitHub](https://github.com/GreyhavenHQ/greywall)
- [Greyhaven (parent company)](https://greyhaven.co)

## Install
- Homebrew: `brew tap greyhavenhq/tap && brew install greywall`
- Curl: `curl -fsSL https://raw.githubusercontent.com/GreyhavenHQ/greywall/main/install.sh | sh`
- Go: `go install github.com/GreyhavenHQ/greywall/cmd/greywall@latest`

## Compatibility
Works with: Claude Code, Codex, Cursor, Aider, Goose, Amp, Gemini CLI, Cline, OpenCode, Copilot.
Platforms: Linux (3.8+), macOS.
License: Apache 2.0.