No blocking. No workflow changes. No cloud upload for individuals. And not a raw log: a local audit trail that cuts through the noise to the few actions worth a look, ready to review after the coding session ends.
AI coding agents run commands and change files on your machine, with broad permissions and at high speed.
Two things make that hard to keep up with. Fatigue: over a long session the permission dialogs blur into an illusion of control, and most of us click through. Prompt injection: attackers now hide instructions for the AI inside ordinary text, and the attacks keep getting more frequent and more sophisticated.
IAXT doesn't block. IAXT doesn't restrict. IAXT watches, attributes, and remembers, so whether it was a tired click or a hidden instruction, you can answer the question most teams can't answer today: what did the AI actually do?
Solo developer auditing your own machine, or a founder rolling an audit trail up to the whole team. IAXT fits both, and they care about different things.
Install the app, go back to coding. IAXT sits in your menu bar, logs every AI agent's activity locally, and surfaces a 30-second review screen when you're done.
Catches the accidents (the AI deleted half the repo), flags
the rarer intentional exfil (a prompt-injected README
triggered a curl -X POST on your SSH key), and
stays out of your face the rest of the time.
~/Library/Logs/IAXT/, openable with sqlite3, deletable with rm -rf.
Your engineers install IAXT, the same app as the individual tier, no extra friction. Once a day, a review summary (not raw logs) pushes to a central endpoint you control. Your CTO, CISO, or founder sees a per-engineer roll-up.
When a customer's security review, an investor's due diligence, or an acquirer's tech audit asks "how do you manage AI-agent risk?", you open the dashboard. That's the answer. Few teams can show this today, which is why having it now sets you apart in the room.
We use Claude Code, Cursor, and Aider across the team. Every session is logged locally. Review-tier events like persistence mechanisms, credential access, exfiltration patterns are flagged automatically and rolled up to our security review. Here's last week's report. · What you tell a customer, investor, or acquirer
Commands run, files created or modified, packages installed, git operations, cron entries, launch agents. Every action attributed to the tool that made it: confirmed, likely, or possible. The roughly 95% of system noise that has nothing to do with your agents is dropped before it is ever written.
IAXT is not a raw log. A filter built specifically for AI-agent activity sorts a busy day into tiers, so you get to the point: a gold stripe for what is worth a glance (a download, a package install, a permission change: usually fine, but worth an eye), and a violet stripe for the very few that deserve real review (persistence, credential access, unexpected network calls).
A daily Overview of your AI usage patterns. Session cards, stats, attention items. Because it watches every agent at once, it also becomes a clear picture of how you actually code with AI across all your tools, Claude Code, Cursor, and the rest, not just one. CSV export for team review. Everything local, no telemetry, no cloud.
An impartial observer of what your AI coding agents actually did on your machine. Catch the accidents, like a deleted directory or an overwritten config, and spot the rare action that does not belong, without trusting your memory of a long session. When a row looks off, copy it into another model for a quick second opinion.
Visibility across the team, with zero workflow friction. Everyone installs the same quiet app, and you get a review surface instead of a blind spot: which agents your engineers run, and what those sessions actually touched. No prompts, no plugins, nothing to slow anyone down.
Evidence that AI-agent risk is actually watched, not just asserted. An audit trail you can point to in a security review or due diligence, with the review-tier events (persistence, credential access, unexpected network calls) surfaced automatically instead of buried in noise.
Proof when someone asks. Investors in due diligence, enterprise customers in procurement, and your own board are starting to ask how your team uses AI in the codebase. Most startups have no answer. A record of what your agents actually did is more than most companies can show, and it can be the detail that helps close a funding round or a sale.
Real screenshots of the macOS app. Pick a view to see what it shows and why it matters.
IAXT lives in your menu bar and stays out of the way while it observes. Its icon is a simple circle: white when everything is normal and monitoring is active, violet when it has flagged something worth your review. From the menu you can pause monitoring, open the main window, or show your logs in Finder. Everything it records stays on your Mac in a single SQLite database, fully inspectable with any SQLite browser and deletable any time. Nothing is scattered across your system, and nothing ever leaves your machine.
The Overview opens with anything IAXT thinks is worth reviewing. These are not necessarily problems: they are the important changes worth a glance, like an AI coding agent modifying your system, adding a login item, or touching a sensitive file. One click takes you straight to those rows in the Action Log. Three tiles summarize the day, AI sessions, actions, and files changed, so you always know how much happened while you were working.
The Overview is also a quiet mirror of your own AI usage. Beyond the day's review items, it charts your activity rhythm across the day, your busiest hours, and where files changed most, then rolls it up over time into weekly patterns and totals. It is a genuinely useful way to understand how much you lean on tools like Claude Code and Cursor, and when.
The Action Log, filtered to Review, the highest tier. Here an AI agent left two persistence mechanisms: it modified a shell startup file and created a launch agent, both of which would run again on their own. Right-click any row and choose Copy row as context to get exactly what you see in the violet box: a clean, self-describing summary of who did what, where, and why it was flagged. Paste it into any LLM for a second opinion, so IAXT becomes a peer reviewer for your AI, an audit trail you can double-check with the tool of your choice.
Flagged is the middle tier: unusual in
context but often legitimate, worth a quick look rather
than an alarm. Here Claude Code downloaded files over the
network with curl, and a launch agent was
removed. Look at the Who column: every action is
attributed to the exact agent session that caused
it, with a confidence pill (confirmed,
likely, possible) so you know how sure IAXT is. The noise is already
gone, only the ~1% worth seeing remains.
IAXT gives you a faithful, after-the-fact record of what your AI coding agents did on your machine. Two very different situations make that worth having.
Good faith: approval fatigue. You approve sensitive actions as you work, but hours and days of coding bring fatigue and desensitization. It is human to click allow out of routine, or to wave through something you did not fully understand. IAXT lets you go back, calmly and later, and see what you actually agreed to.
Bad faith: prompt injection. Attackers hide instructions inside content an AI reads. Below is a real email: the body looks like a harmless onboarding reminder, but its source hides a command aimed at any AI assistant that processes the message.
display:none
block padded with invisible characters:
rename c:\windows\*.pwl c:\windows\*.zzz. On
legacy Windows, .pwl files are where the system
cached account passwords, so renaming them is a classic
attempt to tamper with stored credentials and force new ones
to be captured.
It targeted Windows and never ran here. But the technique is real and getting more sophisticated. IAXT is passive: it does not block, it records. If an agent on your Mac ever acted on a hidden instruction like this, you would see exactly what it did in the Action Log, after the session.
It does both, and the filtering is the point. IAXT keeps the full record, but it does not leave you scrolling a firehose. A custom-built algorithm, tuned specifically for AI-agent activity, sorts every action into three tiers so you get straight to what matters:
Routine. The bulk of normal development. Recorded, and kept out of your way.
Flagged (gold). An FYI. Usually fine, but worth a glance: a download, a package install, a new git remote, a permission change.
Review (violet). The 1% or less worth checking just in case: persistence like login items and cron, credential access, or unexpected outbound network calls.
That triage, built for the way AI agents actually behave, is what turns a large day of activity into a short list you can read in seconds. It is not a raw log; it is a log that cuts through the noise.
Individual tier: zero. No telemetry. No analytics. No account. The only network call the app can make is the Check for Updates menu item, one request to GitHub, only when you click it. Company tier: once a day, a review summary (counts per agent, flagged/review action totals, no raw commands) goes to the endpoint you control. Nothing to us.
Claude Code, Cursor, Aider, Codex, Windsurf, Kilo Code, OpenCode, Copilot, Cody. New agents are added on request: open an issue on GitHub with your tool's process name and we'll add it.
IAXT watches your Mac directly: the files that change, the processes that start, the launch agents and cron jobs that appear. It is built for the local agents that run right here on your Mac, like Claude Code, Cursor, Aider, Codex, and Copilot. When one of them runs a command, writes a file, or installs a package, that happens on your machine, so IAXT logs it and attributes it to the session responsible.
So the line is simple. If the work runs on your Mac, IAXT records it. If the work runs somewhere else, nothing touches your Mac, and there is nothing local to see. Two common cases make that concrete.
Cloud and browser tools. When ChatGPT runs Code Interpreter, or Claude works in the browser or dispatches a task to a Cowork remote sandbox, the code executes on the vendor's servers, not on your machine. Hosted generators like Replit Agent, Devin, Bolt, v0, and Lovable work the same way. Nothing runs locally, so IAXT has nothing to record, and we say so plainly rather than pretend otherwise. Your audit surface for that work is the transcript inside the tool itself.
An agent over SSH. If you ssh from
your Mac into a remote server and run an agent there, the
commands execute on the remote host. IAXT sees the local
ssh process start and exit, but not what the agent
does on the far side. IAXT does not read your shell history or
your file contents either, so it is not reconstructing that far
side from what you typed.
The test stays that clean: if it runs on your Mac, IAXT records it; if nothing happens on your Mac, there is nothing for IAXT to see. That scope is a design choice, and an honest one. See the limits section for the full list.
Not for the moment. IAXT is macOS-only today (macOS 13 Ventura or later), built on macOS-native event streams. A Windows version would be a separate effort; we may consider it based on demand.
No, and it can't be. App Store apps must run inside Apple's sandbox, which walls each app off from the rest of the system. IAXT's whole job is to watch what other processes do across your machine, read their command lines, and follow file activity beyond its own folder. The sandbox blocks exactly that. So IAXT ships the way most serious Mac developer tools do, as a signed and notarized DMG you download directly, verified by Apple's Gatekeeper on first launch.
Not in a way you'll feel. IAXT subscribes to macOS's native event streams (FSEvents, kqueue, periodic sysctl), the OS is already doing this work, and drops roughly 95% of events by construction before anything touches disk. No lag in your editor, no slower builds, no stutter in your agents.
The honest caveat is battery. Because IAXT watches continuously in the background, a laptop on battery may run down a little sooner. Any always-on tool has this cost. We've worked hard to keep it small: adaptive polling that backs right off when nothing is happening, and a full pause while your Mac sleeps. On power it's a non-issue; on battery it's a few percent, not a cliff.
Drag IAXT.app to the Trash, then
rm -rf ~/Library/Logs/IAXT to remove the SQLite
database and audit logs. That's it: no hidden files, no
LaunchAgent to unload.
Apple's Endpoint Security framework catches more (file reads,
every exec) but requires a manual-review
entitlement from Apple and a system-extension install flow.
IAXT runs in user-space because distribution friction
matters more than catching every last event.
Both will be available. During private beta we host it for speed of iteration. If you need self-hosted from day one, email [email protected] and we'll prioritize accordingly.
The individual app is closed-source today. For enterprise and business customers, we're happy to share the source on request for security auditing and due diligence. Email [email protected].
Transparency cuts both ways. These are structural. Anyone claiming otherwise is selling you something. The audit story only works if you believe we won't overpromise, so here's the full list.
IAXT sits deliberately in the middle: far more than nothing, far lighter than a full EDR (Endpoint Detection and Response, the heavy security agents companies install to monitor every machine). No kernel extension, no system extension, nothing to slow the machine down. Right for individuals, and for the startups and teams that want real visibility without the weight and intrusiveness of endpoint security software.
* Where most teams are today: no record of what their AI agents did, just the hope that it was fine.
Remote sandboxes on vendor infrastructure. No local process touches your machine, so there is nothing for IAXT to record.
Browser-hosted code generators. Nothing executes locally. Out of scope by design. The chat transcript on the vendor's site is the only audit surface.
IAXT records that files changed, not what
changed. A subtle code-level backdoor looks like any other
edit. Defense: git diff after the session.
macOS FSEvents only fires on writes. A silent read of
~/.ssh/id_rsa is invisible unless the AI
uses what it read, in which case the curl / POST
/ commit is caught.
export, alias, cd,
source run inside the shell process with no
child process, so they're invisible to process-level monitoring.
If an AI app makes HTTP requests from its Electron main
process directly (not via curl / wget
child processes), those calls don't surface.