Two things pushed me to build it. First is approval fatigue: on a long Claude Code or Cursor run you start clicking Approve on autopilot and stop reading the diffs. Second is the concrete version of that. While I was wiring up analytics on my own machine, a Claude Code session wrote a macOS LaunchAgent (login persistence) as a side effect of something else I had asked for. I never saw it happen. Afterward IAXT had it in the Review tier, "PERSISTENCE: LaunchAgent", attributed to that session. Harmless in my case, but I had approved my way straight past it.
How it works, and I want to be upfront that none of the observation primitives are new. FSEvents for filesystem writes (~500ms latency), kqueue NOTE_FORK/NOTE_EXIT plus a periodic sysctl process snapshot for process lifecycle, and a periodic snapshot-diff of crontab -l and ~/Library/LaunchAgents/ to catch persistence that does not reliably fire FSEvents. All documented user-space APIs. There is no kernel extension, no system extension, and no Endpoint Security entitlement. That is a deliberate constraint: it installs without the ESF provisioning process, but it also bounds what the app can see, and I would rather say that than pretend this is an EDR. It is not one.
The part that is actually work is keeping the log readable, and that is an attribution gate. Every raw event runs four checks in order: (1) sensitive path always logs (LaunchAgents, ~/.ssh, shell rc files, /etc/hosts, crontab); (2) a file inside an active agent's project dir during a session logs as correlated; (3) a new executable script created during a session logs; (4) everything else is dropped. Gate 4 throws away roughly 95% of OS noise (Spotlight, iCloud, Chrome temp, DerivedData). Without it the log is a firehose nobody opens.
Each action carries two orthogonal fields: an actor (user / aiAgent / aiApp / system / unknown) and a confidence level. High is direct PID ancestry or an exec-path match. Medium is a file in the agent's project dir during an active session. Low is pure temporal correlation. Those render as confirmed / likely / possible, on top of three severity tiers: Routine, Flagged (chmod +x, git remote add, pip install, curl download, osascript), and Review (writes to LaunchAgents or authorized_keys, curl piped to bash, crontab writes, LD_PRELOAD). The attribution is a heuristic, not ground truth, and the app says so in the UI. If an agent and a background process touch the same directory in the same second, "possible" is carrying real weight and I don't want to oversell it.
What it deliberately cannot see, because you'll ask and I'd rather say it first:
- It watches writes, not reads. A silent read of ~/.ssh/id_rsa is invisible. What gets caught is the agent then USING the key: the curl, the commit, the POST. - It logs that a file changed, not the contents. - It does not see shell built-ins (export, alias, cd, source). No child process, no trace. - It does not see remote-sandbox work. Claude Cowork, ChatGPT Code Interpreter, Devin, Replit, Bolt, v0 run on vendor infra and leave zero local footprint. The app shows a banner when a remote-capable app is running so at least the blind spot is visible.
So it is closer to a flight recorder than a firewall. It does not block anything, and if you want blocking you want Little Snitch or an ESF tool, not this. For the coding-agent case it overlaps with reading your git diff and reflog, and honestly if the agent only touched the repo, the diff is enough. Where it earns its keep is the stuff outside the repo, correlated to a session: a LaunchAgent, a crontab line, a script dropped in /tmp, a touch of ~/.ssh, hours later, across several agents, when you were not going to run find yourself.
Data is all local: SQLite at ~/Library/Logs/IAXT/events.db (raw events ~14 days, actions and sessions ~90) plus daily JSONL. Open it with any sqlite3 client, delete it with rm. No account, no signup, no telemetry, no cloud. The only network call the app makes is a Check for Updates button you press, one HTTPS GET to api.github.com.
The honest tradeoff: it's closed source. I know that is a real cost for a tool that asks you to trust what it reports about other software, and I don't love it. Source is available to enterprises on request for auditing, and there is a future paid team tier, but the individual app is free and is what I'm posting. If closed source is a dealbreaker for you, that's a reasonable place to get off, and I'd rather hear that sharply than paper over it.
Free, macOS 13+, Apple Silicon and Intel, signed and notarized DMG at https://iaxt.com. Tear the model apart. I'm most interested in cases where the gate would mislabel something, and in observation gaps I haven't thought about.