cella
Low-level Runtime Control Plane
for Agentic AI

A terminal-native control plane for LXD/LXC and Docker containers — real-time metrics, syscall tracing, HTTPS interception, security policy engine, and inference observability for AI agent workloads.

🤖 Agentic AI Go · 27K+ lines LXD + Docker 20 TUI Panels MITM Interception Inference Stats
⚡ Quick Install ⭐ GitHub
27K+
Lines of Go
20
TUI Panels
~15MB
Single Binary
2
Runtimes

Why cella?

Purpose-built for the agentic AI era.

🤖

AI Agent Governance

AI agents run inside containers. cella gives operators real-time visibility into what those agents are doing — every syscall, every API call, every byte.

🔍

Zero Trust Observability

Transparent HTTPS interception reveals exactly which external APIs your containers call, how often, and at what cost — without modifying the workload.

Terminal-Native, Zero Dependencies

A single static binary. No web server, no database, no YAML. SSH in, run cella, and you have full control. Works on any Linux box with LXD or Docker.

Core Capabilities

From lifecycle operations to deep security observability.

📊

Real-time Metrics

CPU, memory, RX/TX, and disk I/O with live sparklines and per-CPU detail.

🔬

Dual-mode Syscall Monitoring

Passive bpftrace visibility + active LXD BPF blocking with operator approval.

🔐

HTTPS Interception

Transparent MITM via nftables REDIRECT, HTTP/2 aware, with CA auto-injection.

💰

Inference Stats

RPM/TPM/tokens/cost across 27+ models (OpenAI, Anthropic, Gemini, Copilot).

🔀

Inference Routing

Route APIs to local/alternative backends (OpenAI → Ollama, Copilot → NVIDIA).

🛡️

Security Policy Engine

Seccomp, AppArmor, egress controls, DNS monitor, plus policy export/import.

Architecture

How cella connects the pieces.

┌─────────────────────────────────────────────────────────────────┐ │ cella TUI (Go) │ │ Dashboard · Exec · Logs · Trace · Policy · Audit · Routing │ ├────────────┬──────────────┬─────────────────┬──────────────────┤ │ LXD REST │ Docker API │ bpftrace │ nftables + MITM │ │ (unix) │ (unix) │ (syscall trace) │ (HTTPS proxy) │ ├────────────┴──────────────┴─────────────────┴──────────────────┤ │ cgroup v2 metrics · /proc · netlink · BPF │ ├────────────────────────────────────────────────────────────────┤ │ Linux Kernel │ └─────────────────────────────────────────────────────────────────┘

Documentation Hub

Pick the doc type by your current need.

Quick Install

Single binary, SSH-ready workflow.

1

Download

Fetch the latest release binary.

curl -Lo cella https://github.com/fourdollars/cella/releases/download/latest/cella_linux_amd64 && chmod +x cella
2

Run

Use sudo (or appropriate runtime group permissions).

sudo ./cella
3

Enable HTTPS interception (optional)

Inside TUI: open Audit panel, then setup proxy.

# In cella TUI: A → p
4

Build from source

Requires Go 1.20+.

git clone https://github.com/fourdollars/cella && cd cella && go build -o cella ./cmd/main.go

Requirements

What you need to run cella.

🐧

Linux

Any modern Linux with cgroup v2. Tested on Ubuntu 22.04+, Debian 12+.

📦

Container Runtime

LXD 5.0+ and/or Docker 24+. At least one runtime must be available.

🔑

Permissions

Root or sudo access for cgroup metrics, bpftrace, and nftables proxy setup.

TUI Panels

Compact key map for daily workflow.

default
Dashboard
CPU/MEM/NET/DISK sparklines
e
Exec
Run commands / interactive shell
l
Logs
Streaming logs + follow mode
w
Network
RX/TX + ports + connections
r
Resources
CPU/MEM limits + per-CPU bars
n
Snapshots
Create/restore/clone with size
t
Syscall Trace
bpftrace passive monitor
G
Seccomp Generator
Generate OCI seccomp JSON
auto
Syscall Approval
Approve/deny overlay
P
Policy
Seccomp + AppArmor + egress
Z
Syscall Block
Toggle LXD BPF deny
D
DNS Monitor
DNS traffic + allow/deny
A
Audit
HTTP proxy audit + approvals
M
Inference Stats
RPM/TPM/cost per model
R
Routing
Redirect AI APIs
V
Events
LXD event log
+
Create
Container creation wizard
E / I
Export/Import
Container config JSON