agent-beacon
Health Gecti
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 231 GitHub stars
Code Basarisiz
- rm -rf — Recursive force deletion command in cli/beacon/.goreleaser.yaml
- network request — Outbound network request in cli/beacon/internal/endpoint/dashboard/static/app.js
Permissions Gecti
- Permissions — No dangerous permissions requested
Bu listing icin henuz AI raporu yok.
Agent Beacon is the world's first open-source telemetry layer for AI agents wherever they run: locally, in CI, or in the cloud.
Asymptote Lab's Agent Beacon
Unified telemetry for AI agents, wherever they run.
Docs · Discord · Install · For Security & IT Teams · Dashboard · Commands
What is Agent Beacon
Agent Beacon is the world's first open-source telemetry layer for AI agents wherever they run: locally, in CI, or in the cloud.
Beacon started with local endpoint telemetry for security and IT teams that need visibility into AI agent activity on employee machines. It now captures supported runtime activity across local agents, CI agents, and cloud agents, then normalizes that activity into events your team can inspect, retain, and forward under your control.
Beacon is built to be easy to deploy for Security and IT teams through
MDM deployment, CI workflows, and cloud-agent setup paths, and to
emit agent harness telemetry logs to
all the major enterprise-grade SIEMs.
Learn more in the Agent Beacon Documentation.
High-Level Architecture
Beacon keeps endpoint collection, processing, and inspection local by default,
while extending the same normalized event model to CI and cloud-agent telemetry
paths under customer control.
- Agent runtime layer: Hooks, OpenTelemetry sources, CI wrappers, and SDKs
capture supported activity from AI agent harnesses wherever they run. - Beacon endpoint layer: Local processing normalizes events, applies
retention and redaction settings, and writes durable endpoint telemetry. - Output layer: Teams inspect events in the local dashboard, retain JSONL,
or forward records into all the major enterprise-grade SIEMs.
Supported Surfaces
Beacon captures supported agent harness activity across local endpoints, CI
jobs, and cloud-agent surfaces, then writes normalized events that teams can
inspect in place or forward into customer-managed security pipelines.
Agent Runtimes
Agent Beacon supports the most popular enterprise agent harnesses across local,
CI, and cloud surfaces.
Local Agents
Coding Agent Harnesses
| Agent harness | Collection path | Telemetry coverage |
|---|---|---|
| Antigravity CLI | Native hooks | Prompt, pre-tool, post-tool, stop, invocation, command, and file telemetry where Antigravity exposes hook payloads |
| Claude Code | Local OTLP export plus optional hooks | Prompt, command, tool, file, lifecycle, subagent, and permission telemetry where emitted through OTLP or hooks |
| Codex CLI | Local OTLP logs | Session, prompt, approval, and tool-result activity from Codex semantic logs |
| Cursor | Native hooks | Prompt, tool, shell command, MCP-like, approval, and file edit telemetry |
| Devin CLI | Native hooks | Session, prompt, pre-tool, post-tool, permission request, stop, session-end, approval, and file telemetry |
| Devin Desktop | Cascade/Windsurf hooks | Prompt, command, MCP tool, file read, and file write telemetry where Desktop exposes Cascade hook payloads |
| Factory Droid | OTLP HTTP plus optional hooks | Session, prompt, write/edit/create tool use, stop, session-end, and available OTLP telemetry |
| Gemini CLI | Opt-in local OTLP | Prompts, tool calls, MCP activity, file operations, and approval-related events emitted through OTLP |
| GitHub Copilot CLI | MDM-managed OTLP HTTP | Prompt, session, tool, and approval-like activity emitted through Copilot CLI spans |
| Grok Build | Native hooks | Session, prompt, pre-tool, post-tool, failed tool, stop, session-end, command, and file telemetry |
| OpenCode | Managed plugin hooks | Chat messages, session events, command execution, permission activity, diffs, and errors |
| VS Code | Copilot Chat OTel plus optional preview hooks | Copilot session, prompt, model, and tool activity through OTel; optional hooks for extra lifecycle and cross-agent detail |
Knowledge Worker Agent Harnesses
| Agent harness | Collection path | Telemetry coverage |
|---|---|---|
| Claude Cowork | Admin-configured OTLP | Prompt, command, tool, and file telemetry when emitted through Claude Cowork OTLP |
| Hermes Agent | Shell hooks | Prompt, observed tool, command, file, approval request and response, session lifecycle, and subagent stop telemetry |
| OpenClaw Gateway | Gateway-configured OTLP/HTTP | OTLP logs, traces, and metrics from the Gateway diagnostics plugin |
CI Agents
| Harness | Collection path | Telemetry coverage |
|---|---|---|
| CI agent telemetry | Temporary local collector through beacon ci exec or beacon ci start / beacon ci finish |
Supported agent prompt, tool, command, file, and run context where emitted during the job |
Cloud Agents
| Cloud surface | Collection path | Telemetry coverage |
|---|---|---|
| Anthropic | OpenLLMetry instrumentation through @asymptote/sdk |
Supported Anthropic model call spans, errors, and OpenTelemetry attributes |
| Claude Agent SDK | Query wrapper through Observe.wrapClaudeAgentQuery() |
Query root spans with Beacon-compatible prompt attributes |
| Claude Code Cloud Agents | Cloud sandbox hooks with GCS upload | Session, prompt, tool, command, file, and lifecycle telemetry where Claude Code cloud hook payloads expose it |
| Cursor Cloud Agents | Cloud sandbox hooks with GCS upload | Tool, shell command, file, subagent, and compaction telemetry where Cursor cloud hook payloads expose it |
| OpenAI | OpenLLMetry instrumentation through @asymptote/sdk |
Supported OpenAI model call spans, errors, and OpenTelemetry attributes |
| Vercel AI SDK | Tracer handoff through experimental_telemetry |
AI SDK model call and tool spans where telemetry is enabled |
Output Destinations
Agent Beacon writes endpoint telemetry to local JSONL by default and supports
customer-controlled forwarding into common security information and event
management (SIEM), log aggregation, and object storage destinations.
Security Information and Event Management (SIEM)
| Destination | Support path |
|---|---|
| CrowdStrike Falcon LogScale HEC | Optional endpoint forwarding with LogScale ingest tokens during install or repair |
| Microsoft Sentinel | Azure Monitor Agent and Data Collection Rule content pack over local JSONL |
| Rapid7 InsightIDR | Custom Logs webhook content pack over local JSONL |
| Splunk HEC | Optional endpoint forwarding during install or repair |
| Sumo Logic | HTTP Logs & Metrics Source content pack over local JSONL |
| Wazuh | Localfile configuration and Beacon Wazuh content pack |
Log Aggregation
| Destination | Support path |
|---|---|
| AWS CloudWatch Logs | Vector content pack over local JSONL using customer-managed AWS credentials |
| Customer-managed log pipelines | Forwarding from local Beacon JSONL under customer control |
| Datadog | Datadog Agent custom log collection over local JSONL |
| Elastic | Filebeat or Elastic Agent content pack over local JSONL |
Object Storage
| Destination | Support path |
|---|---|
| AWS S3 | Vector content pack over local JSONL using customer-managed AWS credentials |
| Google Cloud Storage | Vector content pack over local JSONL using customer-managed Google credentials |
Local
| Destination | Support path |
|---|---|
| Local JSONL | Default endpoint log and local dashboard source |
MDM Deployment
Agent Beacon is designed for Security and IT teams to deploy and validate
through standard MDM workflows.
| MDM platform | Support path |
|---|---|
| Fleet | macOS package and user-context deployment helpers |
| Jamf Pro | macOS package, policy scripts, validation, and Extension Attributes |
Dashboard
Beacon includes a local, read-only dashboard for validating endpoint activity
without a hosted backend. The overview screen summarizes recent runtime events
and collection status, while log search helps teams inspect normalized event
records during rollout, testing, and investigations. The token usage screen
breaks captured token telemetry down by model, session (with per-step
drilldown), CI run, and harness, including context-window utilization and
runtime-reported cost. The detections screen lists the active threat-detection
rules (the local store when present, otherwise the embedded baseline), and the
findings screen runs those rules over the runtime log on load and links each hit
back to its rule — the same read-only, offline detection as beacon scan.
For scripted or CI reporting, beacon endpoint tokens prints the same token
usage rollups as text or JSON from any runtime JSONL log, for examplebeacon endpoint tokens --log-path "$BEACON_CI_LOG_PATH" --json after a CI
session.
Beacon writes endpoint activity to a stable local runtime.jsonl file. The
active file rotates at 10 MiB with five numbered local archives, keeping the
endpoint handoff file bounded while external SIEM forwarders continue tailing
the active path. The dashboard reads the active log plus retained numbered
archives for local triage; SIEM destinations remain the source of truth for
long-term retention and search.
Detect threats in local telemetry
beacon scan runs threat-detection rules over the local runtime log and reports
findings — read-only, with no network access. Rules are an open, versioned format
(spec/threat-rules) whose match conditions are
CEL expressions over the endpoint event schema, and each rule ships
its own conformance fixtures.
beacon scan # run the active rules over the runtime log
beacon scan --json # machine-readable findings
beacon scan --min-severity high # only high/critical findings
beacon scan --fail-on high # non-zero exit for CI gating
The detection engine ships in the binary, but the rule corpus is external data loaded
from a local store (~/.beacon/endpoint/rules), so a growing rule set never enlarges the
agent. A small baseline is built in; manage the store with beacon rules:
beacon rules list # active rules (baseline or store)
beacon rules add ./my-rules # install local rule files (validated before install)
beacon rules pull <url> # explicit, user-initiated fetch of a rule pack
beacon rules lint ./rules # validate + run a rule pack's fixtures (authoring)
beacon rules fields # list event fields a rule can match on
The full rule pack ships as a release asset (threat-rules.tar.gz), not inside the
binary, so the corpus grows without enlarging beacon. Install it with one command:
beacon rules pull https://github.com/asymptote-labs/agent-beacon/releases/latest/download/threat-rules.tar.gz
beacon scan
beacon rules pull is the only command that reaches the network, and only when you run
it against a URL you supply — the agent never fetches rules on its own. Offline or
air-gapped users can instead git clone the repo and run beacon rules add ./rules.
Start Here
- Beacon CLI docs — full documentation index.
- Installation — install Beacon locally.
- For Security & IT Teams — rollout, validation, and security workflows.
- Security review — review Beacon's architecture, data handling, and local-only posture.
- Endpoint agent — install, status, repair, and uninstall.
- Dashboard — inspect local runtime logs.
- Endpoint event schema — normalized JSONL event model.
- Supported surfaces — supported runtimes, destinations, and boundaries.
- Command reference — detailed CLI command docs.
Quickstart
See the Quickstart docs for the
full setup paths.
For Security & IT Teams
Start with the
security and IT quickstart and
managed deployment guidance
for rollout, validation, retention, and SIEM forwarding. For vendor review, see
the security review.
For Developers
Install the released Beacon CLI locally with Homebrew:
brew tap asymptote-labs/tap
brew install beacon
beacon version
Or build from source:
cd cli/beacon
make build
For setup, deployment, integrations, and command details, see the
Beacon CLI docs.
Star Growth
License
Yorumlar (0)
Yorum birakmak icin giris yap.
Yorum birakSonuc bulunamadi