[ spy daemon ]

spyd_

AI server monitoring that thinks like a senior sysadmin. Local-first. Read-only. Quiet until something actually matters.

install

$ curl -fsSL spyd.sh | sh

private by default · runs fully local until you opt in · never writes to your system

○ ○ ○ spyd status ○ ○ ○

$ spyd status
 
● daemon  running   pid 12345
  uptime  4d 02h 17m
  brain   1,284 patterns learned
 
cpu     45.2%   ▓▓▓▓▓░░░░░
mem     62.1%   ▓▓▓▓▓▓░░░░
disk    55.3%   ▓▓▓▓▓░░░░░
 
✓ no incidents · last check 14s ago
$

[ what it does ]

A daemon, a brain, and a calm second opinion.

01 — diagnose

Senior sysadmin intelligence

An on-call engineer that's seen this before. Spyd identifies root cause, not symptoms — and walks you to a fix with the exact commands to run.

02 — learn

Local brain

On-host memory that learns what's normal for your box, recognizes recurring incidents, and suppresses benign noise. Most issues are handled without an AI call.

{∞}

03 — detect

Attack pattern recognition

SSH brute force, crypto miners, DDoS, fork bombs — plus TLS expiry, DNS failures, and disk or inode exhaustion, explained in plain English.

[!]

[ how it works ]

From metric to fix — without leaving your box.

Full-fidelity data stays on the host. Only a redacted shape ever crosses to the cloud — and nothing crosses until you consent.

your host · full fidelity · never leaves

collect cpu · mem · disk · inodes · logs · tls · dns

↓

detect threshold · statistical · log · security

↓

local brain recognize · suppress · learn {∞}

↓ redacted → spyd cloud

spyd cloud · api.spyd.sh · redacted only

explain AI root cause + guided fix · no key on the host

↓

alert gate worthiness · dedupe · confidence

↓

you — Slack · Telegram · webhook · email

cockpit — fleet · incidents · insights

[ in action ]

Watch one incident, end to end.

A disk filling on a real host: Spyd detects it, checks the brain, asks AI for the root cause, sends one alert with the fix — then remembers it so the next time is silent.

○ ○ ○ incident · detect → explain → alert ○ ○ ○

$ spyd alerts
● critical · disk may fill in ~42m on api-prod-01
  detect   /var 81% → 94% in 40m
  brain    ○ no prior match → escalate to AI
  ai       root cause: nginx logs flooded by bot hits on /wp-login
✓ sent to Slack · 91% confidence
  fix      sudo logrotate -f /etc/logrotate.d/nginx
 
✓ resolved · class learned — a recurrence is handled silently
$

[ quickstart ]

Two ways to start.

Spyd is a single static binary. Put a whole fleet in the cockpit, or try it on one box local-only — either way it runs read-only and stays quiet until something actually matters.

cockpit · fleet

Connect to the fleet

Sign in at app.spyd.sh, generate an install command, and run it — the host shows up in the cockpit in ~60s, with fleet view, cloud alerting, and AI explanations.

$ curl -fsSL https://spyd.sh/install.sh | sh -s -- --enroll <token> --accept-terms

already installed? run spyd enroll <token>

local-only

Try it on one box

No account, nothing leaves the host. Install, then three commands — it learns your baseline and stays quiet. Connect to the cockpit later, anytime.

$ curl -fsSL spyd.sh | sh
$ spyd init          # config tuned to this box
$ spyd start         # learns your baseline
$ spyd status        # what it's watching

connect later with spyd enroll <token>

○ ○ ○ install · enroll · verify ○ ○ ○

$ curl -fsSL https://spyd.sh/install.sh | sh -s -- --enroll 7f3c…a91 --accept-terms
downloading spyd v2.1.3 (linux/amd64)…
✓ spyd installed → /usr/local/bin/spyd
✓ enrolled · identity registered with your org
  awaiting first check-in…
 
$ spyd status
● running · streaming to cockpit · 0 incidents
✓ visible in the app.spyd.sh fleet
$