# Show HN: IAXT – macOS menu-bar app that records what AI coding agents do

> Source: <https://iaxt.com/>
> Published: 2026-07-08 11:44:27+00:00

No blocking. No workflow changes. No cloud upload for individuals. Just a local audit trail you can review after the coding session ends.

AI coding agents run commands and change files on your machine, with broad permissions and at high speed.

Two things make that hard to keep up with.
**Fatigue:** over a long session the permission dialogs
blur into an *illusion of control*, and most of us click through.
**Prompt injection:** attackers now hide instructions for
the AI inside ordinary text, and the attacks keep getting more frequent
and more sophisticated.

IAXT doesn't block. IAXT doesn't restrict. IAXT watches, attributes, and
remembers, so whether it was a tired click or a hidden instruction, you
can answer the question most teams can't answer today:
*what did the AI actually do?*

Solo developer auditing your own machine, or a founder rolling an audit trail up to the whole team. IAXT fits both — and they care about different things.

Install the app, go back to coding. IAXT sits in your menu bar, logs every AI agent's activity locally, and surfaces a 30-second review screen when you're done.

Catches the accidents (the AI deleted half the repo), flags
the rarer intentional exfil (a prompt-injected README
triggered a `curl -X POST`

on your SSH key), and
stays out of your face the rest of the time.

`~/Library/Logs/IAXT/`

, openable with `sqlite3`

, deletable with `rm -rf`

.
Your engineers install IAXT — same app as the individual
tier, no extra friction. Once a day, a review summary
(**not raw logs**) pushes to a central endpoint
you control. Your security lead, CTO, or founder sees a
per-engineer roll-up.

When a customer's security review, an investor's due diligence, or an acquirer's tech audit asks "how do you manage AI-agent risk?", you open the dashboard. That's the answer. Few teams can show this today, which is why having it now sets you apart in the room.

We use Claude Code, Cursor, and Aider across the team. Every session is logged locally. Review-tier events — persistence mechanisms, credential access, exfiltration patterns — are flagged automatically and rolled up to our security review. Here's last week's report. — What you tell a customer, investor, or acquirer

Commands run, files created or modified, packages installed, git operations, cron entries, launch agents. Every action attributed to the tool that made it — confirmed, likely, or possible.

A gold stripe for actions that deserve attention — filesystem writes outside the project, unexpected network calls, changes to scheduled tasks. Violet for things simply worth a look.

A daily Overview of your AI usage patterns. Session cards, stats, attention items. Because it watches every agent at once, it also becomes a clear picture of how you actually code with AI across all your tools, Claude Code, Cursor, and the rest, not just one. CSV export for team review. Everything local, no telemetry, no cloud.

An **impartial observer** of what your AI coding
agents actually did on your machine. Catch the accidents, and
spot the rare action that does not belong, without trusting your
memory of a long session.

Visibility into how agents are used **across the
team**, with zero workflow friction. Everyone installs
the same quiet app; you get a review surface instead of a blind
spot.

**Evidence** that AI-agent risk is actually
watched: an audit trail you can point to in a security review or
due diligence, with review-tier events flagged automatically.

Real screenshots of the macOS app. Pick a view to see what it shows and why it matters.

IAXT gives you a faithful, after-the-fact record of what your AI coding agents did on your machine. Two very different situations make that worth having.

**Good faith: approval fatigue.** You approve
sensitive actions as you work, but hours and days of coding
bring fatigue and desensitization. It is human to click
*allow* out of routine, or to wave through something you
did not fully understand. IAXT lets you go back, calmly and
later, and see what you actually agreed to.

**Bad faith: prompt injection.** Attackers hide
instructions inside content an AI reads. Below is a real email:
the body looks like a harmless onboarding reminder, but its
source hides a command aimed at any AI assistant that processes
the message.

It targeted Windows and never ran here. But the technique is
real and getting more sophisticated. IAXT is passive: it does
not block, it **records**. If an agent on your Mac
ever acted on a hidden instruction like this, you would see
exactly what it did in the Action Log, after the session.

**Individual tier: zero.** No telemetry. No
analytics. No account. The only network call the app can
make is the *Check for Updates* menu item — one
request to GitHub, only when you click it.
**Company tier:** once a day, a review summary
(counts per agent, flagged/review action totals — no raw
commands) goes to the endpoint you control. Nothing to us.

Claude Code, Cursor, Aider, Codex, Windsurf, Kilo Code,
OpenCode, Copilot, Cody. New agents are added on request —
[open an issue on GitHub](https://github.com/CoralliumTech/iaxt-releases/issues)
with your tool's process name and we'll add it.

Not for the moment. IAXT is macOS-only today (macOS 13 Ventura or later), built on macOS-native event streams. A Windows version would be a separate effort; we may consider it based on demand.

No, and it can't be. App Store apps must run inside Apple's sandbox, which walls each app off from the rest of the system. IAXT's whole job is to watch what other processes do across your machine, read their command lines, and follow file activity beyond its own folder. The sandbox blocks exactly that. So IAXT ships the way most serious Mac developer tools do, as a signed and notarized DMG you download directly, verified by Apple's Gatekeeper on first launch.

Not in a way you'll feel. IAXT subscribes to macOS's native event streams (FSEvents, kqueue, periodic sysctl) — the OS is already doing this work — and drops roughly 95% of events by construction before anything touches disk. No lag in your editor, no slower builds, no stutter in your agents.

The honest caveat is battery. Because IAXT watches continuously in the background, a laptop on battery may run down a little sooner — any always-on tool has this cost. We've worked hard to keep it small: adaptive polling that backs right off when nothing is happening, and a full pause while your Mac sleeps. On power it's a non-issue; on battery it's a few percent, not a cliff.

Drag `IAXT.app`

to the Trash, then
`rm -rf ~/Library/Logs/IAXT`

to remove the SQLite
database and audit logs. That's it — no hidden files, no
LaunchAgent to unload.

Apple's Endpoint Security framework catches more (file reads,
every `exec`

) but requires a manual-review
entitlement from Apple and a system-extension install flow.
IAXT v1 runs in user-space because distribution friction
matters more than catching every last event. ES-level
detection is on the roadmap.

Both will be available. During private beta we host it for
speed of iteration. Self-hosted ships before GA. If you need
self-hosted from day one, email
[[email protected]](/cdn-cgi/l/email-protection#ea9e8f8b8799aa838b929ec4898587d5999f88808f899ed7a3abb2becfd8da9e8f8b87cfd8da8f848e9a8583849ecfd8da086a7ecfd8da998f868cc78285999e8f8ecfd8da83849e8f988f999e)
— we'll prioritize accordingly.

The individual app is closed-source today. For enterprise and
business customers, we're happy to share the source on request
for security auditing and due diligence — email
[[email protected]](/cdn-cgi/l/email-protection#ef9b8a8e829caf868e979bc18c8082d09c9a8d858a8c9bd2a6aeb7bbcadddf0d6f7bcadddf9c809a9d8c8acadddf8e8c8c8a9c9ccadddf89809dcadddf8e9a8b869b868188).

Transparency cuts both ways. These are structural — anyone claiming otherwise is selling you something. The audit story only works if you believe we won't overpromise, so here's the full list.

IAXT sits deliberately in the middle: far more than nothing, far lighter than a full EDR. No kernel extension, no system extension, nothing to slow the machine down. Right for individuals, and for the startups and teams that want real visibility without the weight and intrusiveness of endpoint security software.

Remote sandboxes on vendor infrastructure. No local process touches your machine. IAXT shows a banner when a remote-capable app is running so you know the blind spot exists.

Browser-hosted code generators. Nothing executes locally. Out of scope by design — the chat transcript on the vendor's site is the only audit surface.

IAXT records *that* files changed, not *what*
changed. A subtle code-level backdoor looks like any other
edit. Defense: `git diff`

after the session.

macOS FSEvents only fires on writes. A silent read of
`~/.ssh/id_rsa`

is invisible — unless the AI
*uses* what it read, in which case the curl / POST
/ commit is caught.

`export`

, `alias`

, `cd`

,
`source`

run inside the shell process with no
child process — they're invisible to process-level monitoring.

If an AI app makes HTTP requests from its Electron main
process directly (not via `curl`

/ `wget`

child processes), those calls don't surface.
