> Securely runs root-level commands via a dedicated macOS Launch Daemon
lovely.
macOS26 4 hours ago [-]
The Launch Daemon is 100% optional and can better turned off along with its tools. It's there to help users install things like software updates or disk commands that required elevated access.
It operates under least priv. And the user must approve the Launch Agent (runs under use space, same as running locally within the App), and the Launch Daemon. There are 4 levels involved and the Daemon is last on the list and is rarely used. The user can just disable it and its tools get disabled as well. The LLM won't be able to use it in that state.
What gets used:
1. AppleScript/Osascript TCC, runs within the app, user approve each app being automated
2. AgentScript/Swift Dylibs/ScriptingBridge, same TCC runs within the app
3. Local shell scripting - backup if the user's Launch Agent (user space is down
4. Launch Agent (runs in the user space), primary for running shell commands.
5. Launch Daemon, software updates, etc. Anything the previous 4 layers can't handle. Rarely ever used. can be turned off by the user. I have used it to access the security of the Mac itself and it was surprisingly accurate and thorough.
ricardobeat 23 hours ago [-]
It’s a bit concerning that AI slop made by bots is getting 80 upvotes in here.
tylermw 2 days ago [-]
A non-Apple entity using "macOS26" as their organization name? Are you trying to trigger everyone's corporate phishing training?
macOS26 6 hours ago [-]
Technically not an organization name. It's a username and a domain name, macOS26.app.
If had a concern they had months ahead of time reserve
I'm also the creator of BigMac, that supported unsupported macOS installs on old Mac Pro 2008-2012 hardware. Neither Apple nor McD's chimed in.
macOS26 17 hours ago [-]
For those wondering about Priv. Agent is built on least priv. It will Run TCC related tasks locally and each app that is being automated required consent from the user. same with automating Safari + user must check a few boxes in Developer tools for Safari. Then there's shell scripting which the preferred route is the Launch Agent which the user approves along with the Launch Daemon.
If the Launch Agent is not available, shell scripts run locally. AgentScripts within in swift also run locally in the app.
Anything priv. runs through the Launch Daemon. This is mostly used for software updates. Lately when creating a dmg using hdiutil, I have seen Agent securely ask for the the password and not use the launch daemon.
The Daemon was created first as a test to see what would happen if an LLM had access to one. And under that mode it knew about 50 things it could run as an administrator of the computer. It was never ran in that state. and its 3-4 layers of access were created.
The user can turn of the Launch Daemon and when this happens not only us the Daemon turned off, so are is access to the Launch Daemon tool. This model is used all over Agent! The user can turn off anything. I do plan to harden the Launch Agent and Launch Daemon on off access with Local Authentication and later a Pass-Key to prevent Agent! from turning it back on via things like Accessibility.
macOS26 17 hours ago [-]
Hello!
I am the creator of Agent! macOS26.4+, and many won't know this but I have been coding AI apps and related tools from scratch for the past 3 years. I wanted to build something specifically for Mac but at an Agentic level.
I'll remove the stars and forks from the banners. The ribbons are emojois. To raise awareness, I have stage 2 (T2) bladder Cancer. I have been extremely sick the past two weeks. Agent was created a month ago. But most of the work that was done in the past 3 years has been applied to Agent.
If you want to be completely save, Agent does run on a macOS VM, but without any help from Apple Intelligence which runs various things locally. Some parts of Apple AI like Triage/Mediator are experimental.
I chose macOS26 because no one else claimed it and wanted to make it clear what version of macOS the user needed. You'd be surprised how many people still asked if it ran on 10.14 Mojave.
foreman_ 3 days ago [-]
The XPC architecture is the right call for privilege separation … it’s what makes sandboxing trustworthy on macOS rather than just advisory. I’m really curious how it handles the trust boundary between LLM responses and the XPC service layer. The most obvious attack surface is prompt injection via a document the agent reads, which then instructs it to do something in Safari or Messages that the user wouldn’t normally sanction. XPC gives you OS-enforced process isolation but doesn’t help you if the privileged process is faithfully executing a poisoned instruction.
What’s the current model for distinguishing user intent from “content the agent read”? Is it purely the system prompt guidance, or is there something structural?
Thanks for posting.
macOS26 17 hours ago [-]
If anyone wants to know. My previous usernames are:
2020s SuperBox64, 2010s StarPlayrX, 2000s StarPlayr, 90s GoodTime, 80s Mirage, 80s WildFyre.
Been using Macs since 1984. Mac OS X since 2000, beta 1.
I do want to thank those who have taken the time to look at the app and who have left feedback!
evanjrowley 1 days ago [-]
Recently I tried a similar project: Fazm. It's also implemented in Swift, just like Agent here. The Fazm feature set is similar with with main differences are it's focused more on Claude exclusively. https://github.com/mediar-ai/fazm
gignico 3 days ago [-]
Off topic, but I sincerely ask: am I the only one that is disturbed by the use of the term "Mac OS X" to refer to modern versions of the OS that is currently called "macOS"? (and not MacOS either)
I mean, the name was changed ten years ago...
Hamuko 2 days ago [-]
It wasn’t even “Mac OS X” ten years ago, but “OS X”. “Mac OS X” was 15 years ago.
macOS26 6 hours ago [-]
I don't think Mac from Mac OS X, was officially dropped, I think was like Xerox, we just stopped Mac from it an called it "OS X" even thought X stood for 10 from 10.0 to 10.15. This is also why Microsoft also tried the Windows 10 game and alluded to never having Windows 11 which obviously changed.
Personally, I wish Apple would stop creating a new OS yearly. Most features users use were born in System 7/8/9 days.
vintagedave 3 days ago [-]
Looks like the submitter used the wrong term - the actual link uses "macOS".
But to answer the question: Yes! I opened thinking it was going to be some awesome Leopard or Lion app.
I miss the name, mostly because the OS was interesting and fun in those days and boring and dreary and buggy and low contrast and poor UX and squircles and flat colours if it even has colours now.
mettamage 2 days ago [-]
So…
What is a harness? People have been talking about it and couldn’t glean what it is
jayphen 2 days ago [-]
AI models on their own are raw, undirected, and inherently probabilistic. A "harness" acts as a control layer wrapped around the model, designed to steer it toward deterministic outcomes. It achieves this by equipping the model with actionable tools like web search or file I/O, and by orchestrating an evaluation loop that runs until an acceptable result is produced. (various analogies work here - an astronaut and a space suit, a rocket and the launch pad/mission control, okay I'm out of analogies that aren't car engines)
You can see this in practice by looking at the leaked Claude Code source code. It is a harness around Anthropic's model built for writing code. It relies on heavily engineered (and sometimes brittle) steering mechanisms. These range from highly specific situational prompts to deterministic, hard-coded logic that executes based on the model's output.
Getting a harness right is incredibly hard and feels like whack-a-mole at times.
macOS26 4 hours ago [-]
I can totally agree on the harness part. When I first set out to create a Cursor killer nearly 3 years ago, I built LLM tools, but when I didn't know then has I tried to wrap the LLM's brain around the tools when it needed to be the other way around.
Looks me off an on three years to realize I was doing it backwards. Agent was originally born after I re-wrote CloneTool, a more generic Disk Cloning too with an SMAppService Launch Daemon.
After I completed CloneTool, I was like mmmmm what is I connected an LLM to the Daemon? It rattled of 50 things it could do and it had no knowledge of this anywhere in the harness, system prompt or tools. It simply had figured out its environment on its own.
I never ran Agent under that scenario it definitely has a hardness now. And yes getting the hardness right is a number one challenge and once you do get it working good with most LLMs out of the box, you try not to change it because that sweet spot is hard to come by. Not to say it never gets tweaked but the further in you go, the more you chringe on a change that may break it.
miningape 2 days ago [-]
A while loop, some prompts basically amounting to "this is how you format a system call" and "make no mistakes", there's also a regex + executor for detecting and executing system calls.
bsaul 2 days ago [-]
you forgot the memory model. Which is an absolutely essential and hard to design part of the agent.
cyanydeez 2 days ago [-]
and occasionally, UI prompts with QA.
lostmsu 2 days ago [-]
Memory model? I would not want agent to remember previous conversations.
pohl 2 days ago [-]
Ever? You would not want to accumulate any useful context at all?
lostmsu 2 days ago [-]
Maybe in the future but with the current models I found the constantly accessible memories to be an impediment. I don't want models to record and repeat mistakes or suboptimal strategies.
QuercusMax 2 days ago [-]
Gemini (just in the browser) has been really bad about conflating a bunch of similar projects. It remembers "oh, you have a home server that does XYZ", so my new home server that's doing ZYX instead must be the same system.
moonlighter 3 days ago [-]
Would love to be able to use this with my Claude Max Plan subscription ($100/month)... not going to pay with an API Key which burns through tokens way faster. Might try it for the local Apple Intelligence and accessibility to drive local apps tho.
macOS26 6 hours ago [-]
Latest version of Agent supports OAuth bearer tokens with Claude Code, via "claude setup-token", command from Claude.
And there are over 17+ LLM Providers within Agent including local and cloud based solutions offered by Zai, HuggingFace, Ollama, etc.
I agree on the token part. Until I incorporated Oauth for CC, I used mostly Zai GLM5-1 and used Ollama and Huggingface as fallback which is a new feature called "Fallback chains".
anentropic 2 days ago [-]
Anthropic don't allow that unfortunately
cyanydeez 2 days ago [-]
talk to claude.
sayYayToLife 2 days ago [-]
[dead]
jsomedon 2 days ago [-]
Is this "macos26" official Apple github account?
DavidPiper 2 days ago [-]
Nope, looks like someone's angling for some sweet domain parking money.
Or a lawsuit, given macOS is a trademark.
danpalmer 3 days ago [-]
> Our Founder! of this project is battling cancer. Your Stars and Forks are appreciated.
I'm sorry to hear this, but I'm also surprised that this is the first thing I learnt about this project, and that it is written in the third person. It detracts from the project.
throwaway290 3 days ago [-]
I don't have a problem with mentioning cancer, but they should've mentioned which cancer to raise awareness and help others. The ribbon icon is gold which means pediatric/childhood cancer?
Asking for stars and forks is where it gets weird. I understand a crowdfunding program but how is this going to help?
Makes it even weirder that this is a completely anonymous, we don't know who works on it, and actually the project pretends to be authored by "AI". look at commit history and contributors
I don't want to be cynical here, my dad was diagnosed with cancer too but this just feels like some LLM was given a prompt to maximize stars and forks and this is how that went. I am very sorry to say this.
calmingsolitude 3 days ago [-]
Although not disclosed on this page, the author's name is mentioned on their other projects[0].
> Our founder, Todd Bruss, is currently battling Cancer. Through it all, he continues to pour his heart into InkPen. Your support and encouragement mean the world.
The author has posted about their project on LinkedIn as well[1].
OK, I take it back. What can I say, even knowing he is working on this LLM stuff that's becoming the curse of humanity I still wish him beat cancer.
swiftcoder 2 days ago [-]
Open-source maintainers don't owe anyone perfectly-manicured marketing copy on their landing pages. Honestly, the fact that is the first thing you learn humanises the username behind the keyboard
throwaway290 2 days ago [-]
> the fact that is the first thing you learn humanises the username behind the keyboard
The username is macOS26. The name is "Agent!". As in "Agentic AI for your entire Mac Desktop". All commits are made by this entity.
Until someone here told me there is a real guy behind it I sincerely gotta say, it looks like there's no human behind the keyboard and actually there's no keyboard at all.
Combined with cancer message on top it made me think some LLM "agent" is trying different tricks because it was prompted to achieve maximum stars and forks. I feel shitty for saying this but how not to be cynical because literally that's what we degraded to thanks to "ai".
swiftcoder 2 days ago [-]
> Combined with cancer message on top it made me think some LLM "agent" is trying different tricks because it was prompted to achieve maximum stars and forks. I feel shitty for saying this but how not to be cynical because literally that's what we degraded to thanks to "ai".
AI might increase the volume of shitty things on the internet, but it's not like GitHub accounts weren't anonymous before AI, and it's not like people weren't using scammy tactics to boost their star count before AI.
If the fear of AI turn us into worse people in our interactions, that's kind of on us, not AI
throwaway290 2 days ago [-]
An anonymous account isn't the same as bot account. Number of obvious bot accounts jumped 1000% in the last 4 years or so.
mrcwinn 3 days ago [-]
What a crazy comment. The first clause of your first sentence was more than enough.
johannsg 3 days ago [-]
Imagine seeing a cancer announcement and thinking, 'This is bad for the branding.' Your lack of empathy is what’s actually detracting here.
macOS26 6 hours ago [-]
I removed the Cancer banners. But I will tell you that I have physically gone through 2.5 weeks off hell. Chemo is no joke and I am 50% there. It gets tougher each time and the symptoms hit you in the middle of the week. And I also am getting booster shots that force white blood cells out of my bone marrow and it has severe side effects and all they can offer is over the counter Claritin.
I've had days of fevers, dehydration, nausea, vomiting and still holding down a day job. So please don't be offended by my diagnosis or saying that stars and forks mean the world because it kind of does.
macOS26 4 hours ago [-]
Sorry I responded to the nested reply. no offense.
lovely.
It operates under least priv. And the user must approve the Launch Agent (runs under use space, same as running locally within the App), and the Launch Daemon. There are 4 levels involved and the Daemon is last on the list and is rarely used. The user can just disable it and its tools get disabled as well. The LLM won't be able to use it in that state.
What gets used: 1. AppleScript/Osascript TCC, runs within the app, user approve each app being automated 2. AgentScript/Swift Dylibs/ScriptingBridge, same TCC runs within the app 3. Local shell scripting - backup if the user's Launch Agent (user space is down 4. Launch Agent (runs in the user space), primary for running shell commands. 5. Launch Daemon, software updates, etc. Anything the previous 4 layers can't handle. Rarely ever used. can be turned off by the user. I have used it to access the security of the Mac itself and it was surprisingly accurate and thorough.
If had a concern they had months ahead of time reserve
I'm also the creator of BigMac, that supported unsupported macOS installs on old Mac Pro 2008-2012 hardware. Neither Apple nor McD's chimed in.
Anything priv. runs through the Launch Daemon. This is mostly used for software updates. Lately when creating a dmg using hdiutil, I have seen Agent securely ask for the the password and not use the launch daemon.
The Daemon was created first as a test to see what would happen if an LLM had access to one. And under that mode it knew about 50 things it could run as an administrator of the computer. It was never ran in that state. and its 3-4 layers of access were created.
The user can turn of the Launch Daemon and when this happens not only us the Daemon turned off, so are is access to the Launch Daemon tool. This model is used all over Agent! The user can turn off anything. I do plan to harden the Launch Agent and Launch Daemon on off access with Local Authentication and later a Pass-Key to prevent Agent! from turning it back on via things like Accessibility.
I am the creator of Agent! macOS26.4+, and many won't know this but I have been coding AI apps and related tools from scratch for the past 3 years. I wanted to build something specifically for Mac but at an Agentic level.
I'll remove the stars and forks from the banners. The ribbons are emojois. To raise awareness, I have stage 2 (T2) bladder Cancer. I have been extremely sick the past two weeks. Agent was created a month ago. But most of the work that was done in the past 3 years has been applied to Agent.
If you want to be completely save, Agent does run on a macOS VM, but without any help from Apple Intelligence which runs various things locally. Some parts of Apple AI like Triage/Mediator are experimental.
I chose macOS26 because no one else claimed it and wanted to make it clear what version of macOS the user needed. You'd be surprised how many people still asked if it ran on 10.14 Mojave.
What’s the current model for distinguishing user intent from “content the agent read”? Is it purely the system prompt guidance, or is there something structural?
Thanks for posting.
Been using Macs since 1984. Mac OS X since 2000, beta 1.
I really didn't think about humanizing the name. I just felt this flowed really well https://agent.macOS26.app and https://github.com/macOS26/agent
I do want to thank those who have taken the time to look at the app and who have left feedback!
I mean, the name was changed ten years ago...
Personally, I wish Apple would stop creating a new OS yearly. Most features users use were born in System 7/8/9 days.
But to answer the question: Yes! I opened thinking it was going to be some awesome Leopard or Lion app.
I miss the name, mostly because the OS was interesting and fun in those days and boring and dreary and buggy and low contrast and poor UX and squircles and flat colours if it even has colours now.
What is a harness? People have been talking about it and couldn’t glean what it is
You can see this in practice by looking at the leaked Claude Code source code. It is a harness around Anthropic's model built for writing code. It relies on heavily engineered (and sometimes brittle) steering mechanisms. These range from highly specific situational prompts to deterministic, hard-coded logic that executes based on the model's output.
Getting a harness right is incredibly hard and feels like whack-a-mole at times.
Looks me off an on three years to realize I was doing it backwards. Agent was originally born after I re-wrote CloneTool, a more generic Disk Cloning too with an SMAppService Launch Daemon.
After I completed CloneTool, I was like mmmmm what is I connected an LLM to the Daemon? It rattled of 50 things it could do and it had no knowledge of this anywhere in the harness, system prompt or tools. It simply had figured out its environment on its own.
I never ran Agent under that scenario it definitely has a hardness now. And yes getting the hardness right is a number one challenge and once you do get it working good with most LLMs out of the box, you try not to change it because that sweet spot is hard to come by. Not to say it never gets tweaked but the further in you go, the more you chringe on a change that may break it.
And there are over 17+ LLM Providers within Agent including local and cloud based solutions offered by Zai, HuggingFace, Ollama, etc.
I agree on the token part. Until I incorporated Oauth for CC, I used mostly Zai GLM5-1 and used Ollama and Huggingface as fallback which is a new feature called "Fallback chains".
Or a lawsuit, given macOS is a trademark.
I'm sorry to hear this, but I'm also surprised that this is the first thing I learnt about this project, and that it is written in the third person. It detracts from the project.
Asking for stars and forks is where it gets weird. I understand a crowdfunding program but how is this going to help?
Makes it even weirder that this is a completely anonymous, we don't know who works on it, and actually the project pretends to be authored by "AI". look at commit history and contributors
I don't want to be cynical here, my dad was diagnosed with cancer too but this just feels like some LLM was given a prompt to maximize stars and forks and this is how that went. I am very sorry to say this.
> Our founder, Todd Bruss, is currently battling Cancer. Through it all, he continues to pour his heart into InkPen. Your support and encouragement mean the world.
The author has posted about their project on LinkedIn as well[1].
[0] https://inkpen.io/ [1] https://www.linkedin.com/in/principal-software-engineer-swif...
The username is macOS26. The name is "Agent!". As in "Agentic AI for your entire Mac Desktop". All commits are made by this entity.
Until someone here told me there is a real guy behind it I sincerely gotta say, it looks like there's no human behind the keyboard and actually there's no keyboard at all.
Combined with cancer message on top it made me think some LLM "agent" is trying different tricks because it was prompted to achieve maximum stars and forks. I feel shitty for saying this but how not to be cynical because literally that's what we degraded to thanks to "ai".
AI might increase the volume of shitty things on the internet, but it's not like GitHub accounts weren't anonymous before AI, and it's not like people weren't using scammy tactics to boost their star count before AI.
If the fear of AI turn us into worse people in our interactions, that's kind of on us, not AI
I've had days of fevers, dehydration, nausea, vomiting and still holding down a day job. So please don't be offended by my diagnosis or saying that stars and forks mean the world because it kind of does.