ptracer
A ptrace-based recording tool that intercepts every syscall made by a process tree — file reads, writes, forks, execves — and stores the full trace in a DuckDB database. File writes can be redirected to a content-addressed store for reproducible builds and sandboxed execution.
ptracer attaches to any process tree via Linux ptrace and intercepts every system call — recording file reads and writes, execve invocations, forks, and process relationships — into a DuckDB database.
Usage
# Trace a build script, redirect all file writes to ./tmp
ptracer --db trace.db --redirect tmp --run ./build.sh
# Inspect the trace
duckdb trace.db "SELECT * FROM traces"
duckdb trace.db "SELECT * FROM files WHERE write > 0"What gets recorded
The traces table records every executed command with timing and a nested-set encoding of the process tree (left/right intervals encode the parent–child hierarchy, making subtree queries a single range scan).
The files table records every file read or written, joinable to traces via traceId. Redirected writes are hashed and stored in the content-addressed store under --redirect.
Where it's used
ptracer is the recording engine that powers BuildInfer's build-graph analyser — it's how BuildInfer knows which source files a build step reads and which artefacts it produces, without requiring any build-system-specific instrumentation.
It also provides the observability layer in VibeLoop: agent-spawned processes run under ptracer so every file access and subprocess is recorded, giving a full audit trail of what a coding agent did.