No blocking. No workflow changes. No cloud upload for individuals. Just a local audit trail you can review after the coding session ends.
AI coding agents run commands and change files on your machine, with broad permissions and at high speed.
Two things make that hard to keep up with. Fatigue: over a long session the permission dialogs blur into an illusion of control, and most of us click through. Prompt injection: attackers now hide instructions for the AI inside ordinary text, and the attacks keep getting more frequent and more sophisticated.
IAXT doesn't block. IAXT doesn't restrict. IAXT watches, attributes, and remembers, so whether it was a tired click or a hidden instruction, you can answer the question most teams can't answer today: what did the AI actually do?
Solo developer auditing your own machine, or a founder rolling an audit trail up to the whole team. IAXT fits both — and they care about different things.
Install the app, go back to coding. IAXT sits in your menu bar, logs every AI agent's activity locally, and surfaces a 30-second review screen when you're done.
Catches the accidents (the AI deleted half the repo), flags
the rarer intentional exfil (a prompt-injected README
triggered a curl -X POST
on your SSH key), and stays out of your face the rest of the time.
~/Library/Logs/IAXT/
, openable with sqlite3
, deletable with rm -rf
. Your engineers install IAXT — same app as the individual tier, no extra friction. Once a day, a review summary (not raw logs) pushes to a central endpoint you control. Your security lead, CTO, or founder sees a
per-engineer roll-up. When a customer's security review, an investor's due diligence, or an acquirer's tech audit asks "how do you manage AI-agent risk?", you open the dashboard. That's the answer. Few teams can show this today, which is why having it now sets you apart in the room.
We use Claude Code, Cursor, and Aider across the team. Every session is logged locally. Review-tier events — persistence mechanisms, credential access, exfiltration patterns — are flagged automatically and rolled up to our security review. Here's last week's report. — What you tell a customer, investor, or acquirer
Commands run, files created or modified, packages installed, git operations, cron entries, launch agents. Every action attributed to the tool that made it — confirmed, likely, or possible.
A gold stripe for actions that deserve attention — filesystem writes outside the project, unexpected network calls, changes to scheduled tasks. Violet for things simply worth a look.
A daily Overview of your AI usage patterns. Session cards, stats, attention items. Because it watches every agent at once, it also becomes a clear picture of how you actually code with AI across all your tools, Claude Code, Cursor, and the rest, not just one. CSV export for team review. Everything local, no telemetry, no cloud.
An impartial observer of what your AI coding agents actually did on your machine. Catch the accidents, and spot the rare action that does not belong, without trusting your memory of a long session.
Visibility into how agents are used across the team, with zero workflow friction. Everyone installs the same quiet app; you get a review surface instead of a blind spot.
Evidence that AI-agent risk is actually watched: an audit trail you can point to in a security review or due diligence, with review-tier events flagged automatically.
Real screenshots of the macOS app. Pick a view to see what it shows and why it matters.
IAXT gives you a faithful, after-the-fact record of what your AI coding agents did on your machine. Two very different situations make that worth having.
Good faith: approval fatigue. You approve sensitive actions as you work, but hours and days of coding bring fatigue and desensitization. It is human to click allow out of routine, or to wave through something you did not fully understand. IAXT lets you go back, calmly and later, and see what you actually agreed to.
Bad faith: prompt injection. Attackers hide instructions inside content an AI reads. Below is a real email: the body looks like a harmless onboarding reminder, but its source hides a command aimed at any AI assistant that processes the message.
It targeted Windows and never ran here. But the technique is real and getting more sophisticated. IAXT is passive: it does not block, it records. If an agent on your Mac ever acted on a hidden instruction like this, you would see exactly what it did in the Action Log, after the session.
Individual tier: zero. No telemetry. No analytics. No account. The only network call the app can make is the Check for Updates menu item — one request to GitHub, only when you click it. Company tier: once a day, a review summary (counts per agent, flagged/review action totals — no raw commands) goes to the endpoint you control. Nothing to us.
Claude Code, Cursor, Aider, Codex, Windsurf, Kilo Code, OpenCode, Copilot, Cody. New agents are added on request — open an issue on GitHub with your tool's process name and we'll add it.
Not for the moment. IAXT is macOS-only today (macOS 13 Ventura or later), built on macOS-native event streams. A Windows version would be a separate effort; we may consider it based on demand.
No, and it can't be. App Store apps must run inside Apple's sandbox, which walls each app off from the rest of the system. IAXT's whole job is to watch what other processes do across your machine, read their command lines, and follow file activity beyond its own folder. The sandbox blocks exactly that. So IAXT ships the way most serious Mac developer tools do, as a signed and notarized DMG you download directly, verified by Apple's Gatekeeper on first launch.
Not in a way you'll feel. IAXT subscribes to macOS's native event streams (FSEvents, kqueue, periodic sysctl) — the OS is already doing this work — and drops roughly 95% of events by construction before anything touches disk. No lag in your editor, no slower builds, no stutter in your agents.
The honest caveat is battery. Because IAXT watches continuously in the background, a laptop on battery may run down a little sooner — any always-on tool has this cost. We've worked hard to keep it small: adaptive polling that backs right off when nothing is happening, and a full while your Mac sleeps. On power it's a non-issue; on battery it's a few percent, not a cliff.
Drag IAXT.app
to the Trash, then
rm -rf ~/Library/Logs/IAXT
to remove the SQLite database and audit logs. That's it — no hidden files, no LaunchAgent to unload.
Apple's Endpoint Security framework catches more (file reads,
every exec
) but requires a manual-review entitlement from Apple and a system-extension install flow. IAXT v1 runs in user-space because distribution friction matters more than catching every last event. ES-level detection is on the roadmap.
Both will be available. During private beta we host it for speed of iteration. Self-hosted ships before GA. If you need self-hosted from day one, email [email protected] — we'll prioritize accordingly.
The individual app is closed-source today. For enterprise and business customers, we're happy to share the source on request for security auditing and due diligence — email [email protected].
Transparency cuts both ways. These are structural — anyone claiming otherwise is selling you something. The audit story only works if you believe we won't overpromise, so here's the full list.
IAXT sits deliberately in the middle: far more than nothing, far lighter than a full EDR. No kernel extension, no system extension, nothing to slow the machine down. Right for individuals, and for the startups and teams that want real visibility without the weight and intrusiveness of endpoint security software.
Remote sandboxes on vendor infrastructure. No local process touches your machine. IAXT shows a banner when a remote-capable app is running so you know the blind spot exists.
Browser-hosted code generators. Nothing executes locally. Out of scope by design — the chat transcript on the vendor's site is the only audit surface.
IAXT records that files changed, not what
changed. A subtle code-level backdoor looks like any other
edit. Defense: git diff
after the session.
macOS FSEvents only fires on writes. A silent read of
~/.ssh/id_rsa
is invisible — unless the AI uses what it read, in which case the curl / POST / commit is caught.
export
, alias
, cd
,
source
run inside the shell process with no child process — they're invisible to process-level monitoring.
If an AI app makes HTTP requests from its Electron main
process directly (not via curl
/ wget
child processes), those calls don't surface.