Hacker News

Agent - Native Mac OS X coding ide/harness

53 points by jv22222 today at 12:19 AM | 24 comments

Comments

ammmir today at 9:42 AM

> Securely runs root-level commands via a dedicated macOS Launch Daemon

lovely.

gignico today at 6:45 AM

Off topic, but I sincerely ask: am I the only one that is disturbed by the use of the term "Mac OS X" to refer to modern versions of the OS that is currently called "macOS"? (and not MacOS either)

I mean, the name was changed ten years ago...

mettamage today at 9:07 AM

So…

What is a harness? People have been talking about it and couldn’t glean what it is.

jsomedon today at 9:10 AM

Is this "macos26" an official Apple GitHub account?

moonlighter today at 3:42 AM

Would love to be able to use this with my Claude Max Plan subscription ($100/month)... not going to pay with an API Key which burns through tokens way faster. Might try it for the local Apple Intelligence and accessibility to drive local apps tho.

apparatur today at 6:38 AM

Emoji in the macOS menu bar, that's new.

danpalmer today at 3:47 AM

> Our Founder! of this project is battling cancer. Your Stars and Forks are appreciated.

I'm sorry to hear this, but I'm also surprised that this is the first thing I learnt about this project, and that it is written in the third person. It detracts from the project.

foreman_ today at 5:24 AM

The XPC architecture is the right call for privilege separation … it’s what makes sandboxing trustworthy on macOS rather than just advisory. I’m really curious how it handles the trust boundary between LLM responses and the XPC service layer. The most obvious attack surface is prompt injection via a document the agent reads, which then instructs it to do something in Safari or Messages that the user wouldn’t normally sanction. XPC gives you OS-enforced process isolation but doesn’t help you if the privileged process is faithfully executing a poisoned instruction.

What’s the current model for distinguishing user intent from “content the agent read”? Is it purely the system prompt guidance, or is there something structural?

Thanks for posting.
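
Added illustration, not part of the thread and not the project's code: one structural way to separate user intent from "content the agent read" is to taint the session once untrusted content enters it and have the privileged side require a user approval bound to the exact action. The action names, the `Session` class, and the key placement are assumptions of this sketch.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: this key lives only in the approval UI and the privileged
# helper; the model-facing agent process never holds it.
APPROVAL_KEY = secrets.token_bytes(32)
READ_ONLY = {"read_file", "list_dir"}  # hypothetical action names

def _mac(action: dict) -> str:
    # Canonical JSON so the MAC covers the exact action and its arguments.
    blob = json.dumps(action, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(APPROVAL_KEY, blob, hashlib.sha256).hexdigest()

def user_approves(action: dict) -> str:
    """Approval UI: call only after the human confirms this exact action."""
    return _mac(action)

class Session:
    """Deterministic orchestrator state; model output cannot clear the taint."""
    def __init__(self) -> None:
        self.tainted = False
        self.context = []

    def add_untrusted(self, text: str) -> None:
        # Documents, web pages, message bodies: anything the user did not type.
        self.context.append(("untrusted", text))
        self.tainted = True

    def gate(self, action: dict, approval: str = "") -> str:
        """Decide on provenance, not on what the model's text claims."""
        if action["name"] in READ_ONLY or not self.tainted:
            return "run"
        if not approval:
            return "needs_user_approval"
        ok = hmac.compare_digest(_mac(action), approval)
        return "run" if ok else "rejected"

def demo() -> list:
    # Constructed scenario: a document read mid-session leads to a send.
    s = Session()
    s.add_untrusted("constructed document text containing instructions")
    send = {"name": "send_message", "to": "alice@example.com", "body": "hi"}
    altered = dict(send, to="other@example.com")
    token = user_approves(send)
    return [s.gate(send), s.gate(send, token), s.gate(altered, token)]
```

Because the approval is a MAC over the full action, an approval obtained for one recipient does not carry over to a rewritten one.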