HeadlinesBriefing.com

logira: OS-Level Runtime Auditing for AI Agent Security

Hacker News

Developers running AI agents like Claude Code and Codex CLI with dangerous flags such as `--dangerously-skip-permissions` and `--yolo` now have a way to audit what these tools actually do. logira is an observe-only Linux CLI that uses eBPF to record exec, file, and network events at the OS level, providing per-run local storage for auditing and forensic analysis.

Rather than relying on agent-generated narratives, logira captures what actually happened during automation runs. The tool includes built-in detection rules for credential access, persistence changes, suspicious exec patterns, and network egress. Events are saved locally in JSONL and SQLite formats, allowing post-run review, search, and detection triage without blocking the workflow. The system requires Linux kernel 5.8+, systemd, and cgroup v2.

Installation is straightforward through a recommended script or manual tarball method. Users can run commands under audit with `logira run --`, view results with `logira view last`, and query specific events. The tool ships with opinionated default rules targeting AI agent safety, including patterns like `rm -rf`, `git clean -fdx`, and network connections to cloud metadata endpoints. Custom YAML rules can be added per run for specialized monitoring needs.
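A post-run triage pass over recorded events for three of the default patterns named above, as an added example that is not logira's code or rule format. The JSONL field names, rule ids and sample events are assumptions constructed for illustration; 169.254.169.254 is the link-local metadata address used by major cloud providers.

```python
import json

METADATA_IPS = {"169.254.169.254"}  # link-local cloud metadata address
# Constructed events; the field names are assumptions, not logira's schema.
SAMPLE = """\
{"type": "exec", "argv": ["/usr/bin/rm", "-r", "-f", "build"]}
{"type": "exec", "argv": ["git", "clean", "-fdx"]}
{"type": "net", "dst_ip": "169.254.169.254", "dst_port": 80}
truncated-line{
"""

def parse_opts(args):
    """Return option tokens before `--`, splitting bundled short flags (-rf -> r, f)."""
    opts = set()
    end = args.index("--") if "--" in args else len(args)
    for a in args[:end]:
        if a.startswith("--"):
            opts.add(a)
        elif a.startswith("-"):
            opts.update(a[1:])
    return opts

def classify_exec(argv):
    """Return a rule id for a destructive command line, else None."""
    if not argv:
        return None
    prog, rest = argv[0].rsplit("/", 1)[-1], argv[1:]
    if prog == "rm":  # recursive and force, in any spelling or order
        opts = parse_opts(rest)
        return "exec.rm_rf" if opts & {"r", "R", "--recursive"} and opts & {"f", "--force"} else None
    if prog == "git" and "clean" in rest:
        opts = parse_opts(rest[rest.index("clean") + 1:])
        return "exec.git_clean_fdx" if {"f", "d", "x"} <= opts else None
    return None

def triage(jsonl_text):
    """Return (line_number, rule_id) for every event that matches a rule."""
    findings = []
    for n, line in enumerate(jsonl_text.splitlines(), 1):
        try:
            ev = json.loads(line)
            kind = ev.get("type")
        except (json.JSONDecodeError, AttributeError):
            continue  # blank, truncated or non-object line: skip, keep triaging
        rule = classify_exec(ev.get("argv")) if kind == "exec" else None
        if kind == "net" and ev.get("dst_ip") in METADATA_IPS:
            rule = "net.cloud_metadata"
        if rule:
            findings.append((n, rule))
    return findings
```

Matching on parsed argv rather than the literal string `rm -rf` catches equivalent spellings such as `rm -r -f` and `rm --recursive --force`, and avoids flagging `rm -- -rf`, where `-rf` is a file name.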