Argus sees everything your AI apps do.
Monitor exactly what your AI applications access on your machine — files, credentials, browser data, and network connections. Argus uses a 6-signal AI detection engine to identify AI processes with surgical precision, then tracks their behavior with system notifications.
AI desktop applications like Claude, Cursor, ChatGPT, and GitHub Copilot run on your machine with broad permissions. You have tools like Little Snitch to watch network ports and OverSight to monitor camera/microphone access. But nothing tells you exactly which files your AI app just read, whether they contain prompt injection attacks, or if your SSH keys were accessed.
Argus fills that gap with transparent, real-time monitoring built on open-source tooling you can inspect.
Argus runs as a macOS menubar app with a web dashboard at localhost:3131. Here's what it looks like monitoring a live machine with Claude Desktop, Claude Code, Ollama, and Python running.
The Overview tab shows everything at a glance: 5 active AI apps detected, 37 file access alerts (credentials, browser data, system files), and real-time activity feed. The Sensitive Access Review panel lets you mark each file access as "Expected" or "Suspicious" — Argus observes and alerts, it does not block. Claude Desktop was caught accessing Safari bookmarks, Keychain databases, SSH agent sockets, and /etc/hosts — all flagged with severity badges (Credentials, Browser Data, Documents, System).
The Usage tab (inspired by TermTracker) reads local session data from your AI coding tools and calculates what your usage would cost at standard API rates. In this example: 634.6M tokens consumed across 21 Codex sessions, equivalent to $4.4K at API pricing. The per-tool cards show model breakdowns (gpt-5.3-codex: 494M tokens, unknown: 140.7M, gpt-5.4-mini: 12.1K) with color-coded distribution bars. The session table ranks every conversation by token usage so you can see which tasks consumed the most resources. Supports Codex (SQLite), Claude Code (JSONL metrics), and Cursor (SQLite tracking DB).
The File Alerts tab shows every sensitive file access by AI apps with timestamps, file paths, and severity classification. Each row shows exactly when (11:05:10 PM), which app (Claude Desktop), what file (/Users/.../keychain-2.db), and what category (Credentials, Browser Data, Documents, System). This is the raw evidence trail — every time an AI app touches your SSH keys, Keychain, Safari data, or system files, it's logged here.
- Claude might read `/Documents/secret-project.md` — does it contain sensitive data?
- Cursor connected to `api.openai.com` — or is it `api-exfil.com` (typosquatting)?
- ChatGPT accessed `~/.ssh/id_rsa` — credential theft risk.
- A Node.js process claims to be an AI agent — how can you verify?
Argus detects and alerts on all of these with specific, actionable notifications.
| Signal | Detection Method | Risk Level |
|---|---|---|
| Process Ancestry | Walks parent process tree for known AI apps (Claude, Cursor, ChatGPT, etc.) | Definitive |
| MCP Server Pattern | Detects stdin/stdout pipes → MCP server spawned by AI orchestrator | High confidence |
| AI Keywords | Scans command line for claude, langchain, openai, copilot, agent, etc. | Medium confidence |
| Network Endpoints | Monitors connections to Anthropic, OpenAI, Google, Mistral, Ollama APIs | Definitive |
| TCC Permissions | Checks if process has Full Disk Access on macOS | Escalation indicator |
| Code Signing | Verifies code-signing authority on binaries (Anthropic, OpenAI, GitHub, etc.) | Definitive |
Score calculation:
- Score ≥ 50 → `CONFIRMED_AI` (at least one definitive signal)
- Score 30–49 → `LIKELY_AI` (multiple confidence signals)
- Score < 30 → `NOT_AI` (background noise filtered out)
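The signal table and thresholds above, worked through as an added example (not Argus's own code). The weights, the record fields (`stdioPipes`, `aiEndpoint`, `signedByAiVendor`, `fullDiskAccess`) and the process table are assumptions chosen so that only a definitive signal can reach 50; the point to notice is that a keyword hit alone (`ssh-agent` contains "agent") stays `NOT_AI`.

```javascript
// Added illustration: weights, field names and sample data are assumptions.
const KNOWN_AI_APPS = new Set(['Claude', 'Cursor', 'ChatGPT']);
const AI_KEYWORDS = ['claude', 'langchain', 'openai', 'copilot', 'agent'];
// Each definitive signal reaches the CONFIRMED_AI threshold alone; the two
// confidence signals cannot, even together (20 + 10 = 30).
const WEIGHTS = { ancestry: 50, endpoint: 50, signed: 50, mcpPipes: 20, keywords: 10 };

// Walk the parent chain for a known AI app; `seen` guards against ppid loops.
function aiAncestor(proc, table) {
  const seen = new Set([proc.pid]);
  let cur = table.get(proc.ppid);
  while (cur && !seen.has(cur.pid)) {
    if (KNOWN_AI_APPS.has(cur.name)) return cur.name;
    seen.add(cur.pid);
    cur = table.get(cur.ppid);
  }
  return null;
}

function classify(proc, table) {
  const signals = [];
  if (KNOWN_AI_APPS.has(proc.name) || aiAncestor(proc, table)) signals.push('ancestry');
  if (proc.stdioPipes) signals.push('mcpPipes');
  const cmd = proc.cmd.toLowerCase();
  if (AI_KEYWORDS.some((k) => cmd.includes(k))) signals.push('keywords');
  if (proc.aiEndpoint) signals.push('endpoint');
  if (proc.signedByAiVendor) signals.push('signed');

  const score = signals.reduce((sum, s) => sum + WEIGHTS[s], 0);
  const verdict = score >= 50 ? 'CONFIRMED_AI' : score >= 30 ? 'LIKELY_AI' : 'NOT_AI';
  // Full Disk Access is treated as an escalation flag, not as evidence of AI.
  const escalated = verdict !== 'NOT_AI' && Boolean(proc.fullDiskAccess);
  return { verdict, score, signals, escalated };
}

// Constructed process table (pid, ppid, name, command line, observed flags).
const SAMPLE = [
  { pid: 1, ppid: 0, name: 'launchd', cmd: '/sbin/launchd' },
  { pid: 300, ppid: 1, name: 'ssh-agent', cmd: '/usr/bin/ssh-agent -l' },
  { pid: 400, ppid: 1, name: 'Claude', cmd: '/Applications/Claude.app/Contents/MacOS/Claude', fullDiskAccess: true },
  { pid: 410, ppid: 400, name: 'node', cmd: 'node server.js', stdioPipes: true },
  { pid: 500, ppid: 1, name: 'node', cmd: 'node run-agent.js --provider openai', stdioPipes: true },
];
const TABLE = new Map(SAMPLE.map((p) => [p.pid, p]));
const verdictFor = (pid) => classify(TABLE.get(pid), TABLE);
```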
When an AI app reads sensitive files, Argus classifies by risk level:
- 🔑 Credentials — `.ssh/`, `.aws/`, `.gnupg/`, 1Password, Bitwarden
- 🌐 Browser Data — Chrome/Firefox/Safari passwords, cookies, history
- 📄 Documents — Files in `~/Documents`, `~/Downloads`, `~/Desktop`
- ⚙️ System Files — `/etc/passwd`, `.env`, `.npmrc`
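A sketch of how paths could be mapped to the four categories above, added here as an example and not taken from Argus's `SENSITIVE_PATHS`. The rule order, the Keychain, browser-profile and password-manager patterns, and the `/Users/you` home directory are assumptions; paths are normalized first so that `~/Documents/../.ssh/id_rsa` is still reported as a credential.

```javascript
// Added illustration: rule order and the Keychain, browser and
// password-manager patterns are assumptions.
const RULES = [ // first match wins, so order encodes severity
  ['Credentials', /(^|\/)\.(ssh|aws|gnupg)(\/|$)/],
  ['Credentials', /^~\/Library\/Keychains(\/|$)/],
  ['Credentials', /1password|bitwarden/i],
  ['Browser Data', /^~\/Library\/(Safari|Application Support\/(Google\/Chrome|Firefox))(\/|$)/],
  ['System Files', /^\/etc\/passwd$|(^|\/)\.(env|npmrc)$/],
  ['Documents', /^~\/(Documents|Downloads|Desktop)(\/|$)/],
];

// Expand "~/" and resolve "." and ".." so the rules see the real target.
function normalize(path, home) {
  const abs = path.startsWith('~/') ? home + path.slice(1) : path;
  const out = [];
  for (const part of abs.split('/')) {
    if (part === '' || part === '.') continue;
    if (part === '..') out.pop();
    else out.push(part);
  }
  return '/' + out.join('/');
}

// Returns the category name, or null when the path is not sensitive.
function classifyPath(path, home) {
  let p = normalize(path, home);
  if (p.startsWith(home + '/')) p = '~' + p.slice(home.length);
  for (const [category, re] of RULES) {
    if (re.test(p)) return category;
  }
  return null;
}

// Constructed inputs; HOME is a placeholder home directory.
const HOME = '/Users/you';
const SAMPLE_PATHS = [
  '~/.ssh/id_rsa',
  '/Users/you/Documents/../.ssh/id_rsa',
  '~/Library/Keychains/login.keychain-db',
  '~/Library/Application Support/Google/Chrome/Default/Cookies',
  '~/Documents/app/.env',
  '~/Documents/.environment.md',
  '/tmp/build.log',
];
const classified = () => SAMPLE_PATHS.map((p) => [p, classifyPath(p, HOME)]);
```

String normalization does not follow symlinks; a monitor that needs that has to resolve the path on disk before classifying it.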
Argus detects four types of browser access:
- Direct CDP connections — AI agents connecting to Chrome on port 9222
- Browser process spawning — AI apps launching (headless) Chrome/Firefox
- AppleScript control — Using `osascript` to automate Safari or Chrome
- Browser extension calls — Browser extensions making requests to AI APIs
Every alert tells you exactly what happened:
```
Argus — Claude
🔑 Credentials access detected
Accessed credential file: ~/.ssh/id_rsa
SSH key / cloud credential risk.
---
Argus — Cursor
new_connection
Connected to api.openai.com port 443
---
Argus — node (AI agent)
⚙️ System Files
Read 3 sensitive files
1× 🔑 Credentials, 2× 📄 Documents
```
- Throttling: Max 1 notification per (app + alert type) per 5 minutes.
- Batching: If 3+ file alerts fire in quick succession, they're grouped into one summary.
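The throttling and batching rules above, modelled as an added example (not the code in `notifier.js`). The event shape, the `file_batch` type name and the 2-second window used for "quick succession" are assumptions. In the constructed sample, the second Claude read is a different credential file, and it produces no notification because it falls inside the 5-minute window.

```javascript
// Added illustration: BATCH_WINDOW_MS and the event shape are assumptions.
const THROTTLE_MS = 5 * 60 * 1000; // max 1 notification per (app + alert type)
const BATCH_MIN = 3;               // 3+ file alerts become one summary
const BATCH_WINDOW_MS = 2000;      // assumed meaning of "quick succession"

// events: [{ t (ms), app, type, category?, detail }], sorted by t.
function planNotifications(events) {
  const candidates = [];
  const single = (e) => candidates.push({ t: e.t, app: e.app, type: e.type, text: e.detail });

  // Close a burst: summarize it if large enough, else notify per event.
  const closeBurst = (burst) => {
    if (burst.length < BATCH_MIN) return burst.forEach(single);
    const counts = {};
    for (const e of burst) counts[e.category] = (counts[e.category] || 0) + 1;
    const parts = Object.entries(counts).map(([c, n]) => `${n}× ${c}`).join(', ');
    candidates.push({
      t: burst[burst.length - 1].t, app: burst[0].app, type: 'file_batch',
      text: `Read ${burst.length} sensitive files: ${parts}`,
    });
  };

  // 1. Batching: group each app's file alerts into closely spaced bursts.
  const open = new Map(); // app -> events of the burst in progress
  for (const e of events) {
    if (e.type !== 'file') { single(e); continue; }
    const burst = open.get(e.app);
    if (burst && e.t - burst[burst.length - 1].t <= BATCH_WINDOW_MS) {
      burst.push(e);
    } else {
      if (burst) closeBurst(burst);
      open.set(e.app, [e]);
    }
  }
  for (const burst of open.values()) closeBurst(burst);
  candidates.sort((a, b) => a.t - b.t);

  // 2. Throttling: drop a candidate if the same (app, type) fired < 5 min ago.
  const lastSent = new Map();
  const sent = [];
  for (const c of candidates) {
    const key = `${c.app}|${c.type}`;
    if (lastSent.has(key) && c.t - lastSent.get(key) < THROTTLE_MS) continue;
    lastSent.set(key, c.t);
    sent.push(c);
  }
  return { sent, suppressed: candidates.length - sent.length };
}

// Constructed events (t in ms since the start of the sample).
const SAMPLE_EVENTS = [
  { t: 0, app: 'Claude', type: 'file', category: 'Credentials', detail: '~/.ssh/id_rsa' },
  { t: 60000, app: 'Claude', type: 'file', category: 'Credentials', detail: '~/.aws/credentials' },
  { t: 90000, app: 'node', type: 'file', category: 'Credentials', detail: '~/.ssh/id_rsa' },
  { t: 90500, app: 'node', type: 'file', category: 'Documents', detail: '~/Documents/a.md' },
  { t: 91000, app: 'node', type: 'file', category: 'Documents', detail: '~/Documents/b.md' },
  { t: 120000, app: 'Cursor', type: 'new_connection', detail: 'api.openai.com:443' },
  { t: 310000, app: 'Claude', type: 'file', category: 'Credentials', detail: '~/.ssh/id_rsa' },
];
```

Because throttled alerts never reach the notification stream, the event database (for example via `argus report --alerts-only`) is the complete record, not the notifications.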
Here's Argus running on a live machine during an active Claude Code session:
```
$ argus status
Argus Status
=================
Service: RUNNING
PID: 69546
Daemon: RESPONDING
Uptime: 6s
Memory: 94MB

Last 24h Summary
----------------
Processes seen: 3
File alerts: 21
Network events: 5,265

$ argus heatmap
Access Heatmap (last 24h)
────────────────────────────────────────────────────────────────────────────────
~/Library/Keychains                     ██████████████████████████████ (14)
~/Library/Keychains/6DB3F6AA-C887-.../  ███████████████ (7)
────────────────────────────────────────────────────────────────────────────────
```
What was found:
| File | Times | Severity | Who |
|---|---|---|---|
| `~/Library/Keychains/login.keychain-db` | 14× | CRITICAL | Claude Code |
| `~/Library/Keychains/6DB3F6AA-.../keychain-2.db-wal` | 7× | CRITICAL | Claude Code |
Network connections detected:
| App | Remote | Port | Service |
|---|---|---|---|
| Claude (Anthropic) | 2607:6bc0::10 | 443 | Anthropic CDN |
| Claude (Anthropic) | 34.149.66.137 | 443 | Google Cloud |
| Claude (Anthropic) | 160.79.104.10 | 443 | Cloudflare |
| Claude (Anthropic) | 172.65.251.78 | 443 | Cloudflare |
| Claude (Anthropic) | 2606:50c0:8003::154 | 443 | GitHub CDN |
```
$ argus export --format csv
timestamp,app,event_type,detail,severity
2026-03-18T01:22:19Z,Claude (Anthropic),FILE,~/Library/Keychains/login.keychain-db,CRITICAL
2026-03-18T01:10:04Z,Claude (Anthropic),FILE,~/Library/Keychains/login.keychain-db,CRITICAL
2026-03-18T00:54:23Z,Claude (Anthropic),FILE,~/Library/Keychains/keychain-2.db-wal,CRITICAL
2026-03-18T00:43:16Z,Claude (Anthropic),NET,api.anthropic.com,INFO
...
```
The Keychain reads are Claude Code fetching git/SSH credentials. Network traffic is all Anthropic/Cloudflare/GitHub — nothing suspicious. This is exactly the kind of transparency Argus provides.
```bash
npm install -g argus-monitor
argus install
argus start
argus status
```
```bash
curl -fsSL https://raw.githubusercontent.com/cortexark/argus/main/install.sh | bash
```
The installer will:
- Verify Node.js ≥ 18 is installed
- Install Argus globally via npm
- Register it as a system service (LaunchAgent on macOS, systemd on Linux)
- Start the daemon
- Print command reference
On first launch, Argus now shows a clear choice:
- Start in Basic Mode (Recommended) — process + network monitoring, reduced permissions
- Enable Deep Monitoring — includes cross-app file access detection (may trigger the macOS prompt: "Argus" would like to access data from other apps.)
Argus runs locally on your Mac by default.
```bash
argus install     # Register Argus as a persistent system service
argus uninstall   # Remove system service
argus start       # Start monitoring daemon
argus stop        # Stop monitoring daemon
argus restart     # Restart monitoring daemon
argus status      # Show daemon status + event counts
```
```bash
argus watch       # Launch interactive TUI dashboard
argus logs -f     # Follow live logs (tail -f style)
```
```bash
argus logs [options]
  --follow / -f        Follow output (tail -f style)
  --lines N / -n N     Show last N lines (default 50)
  --since <duration>   e.g., "1h", "30m", "2d"
  --level <level>      Filter by level: trace|debug|info|warn|error
  --json               Raw JSON output

# Examples
argus logs -f
argus logs --since 1h --level warn
argus logs --json | jq '.msg'
```
```bash
argus report [options]
  --since <ISO>        Filter events since timestamp (ISO 8601)
  --process <name>     Filter to specific process
  --alerts-only        Show only file access alerts
  --format json        Output JSON instead of text

# Examples
argus report --since 2024-01-01T00:00:00Z
argus report --process Claude --format json
argus report --alerts-only
```
```bash
argus tcc         # Check which AI apps have Full Disk Access
                  # (macOS only — shows TCC database entries)
```
```
┌────────────────────────────────────────────────────────┐
│ Argus Daemon (runs in background)                      │
├────────────────────────────────────────────────────────┤
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ Process Scanner (every 5s)                         │ │
│ │ ├─ ps -A → process tree                            │ │
│ │ └─ 6-signal AI classifier per process              │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ File Monitor (chokidar)                            │ │
│ │ └─ Watch AI processes → file access events         │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ Network Monitor (lsof)                             │ │
│ │ └─ Enumerate AI process connections                │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ Browser Monitor                                    │ │
│ │ ├─ Detect CDP (Chrome DevTools) connections        │ │
│ │ ├─ Detect browser spawning                         │ │
│ │ ├─ Detect AppleScript browser control              │ │
│ │ └─ Detect browser extension API calls              │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ SQLite Event Store (~/.argus/data.db)              │ │
│ │ ├─ process_classifications                         │ │
│ │ ├─ file_events                                     │ │
│ │ ├─ network_events                                  │ │
│ │ └─ browser_events                                  │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ Notifier (throttled + batched)                     │ │
│ │ └─ Native OS notifications → user                  │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
└────────────────────────────────────────────────────────┘
                       ↓ IPC socket
                 ┌─────────────────────┐
                 │ Argus CLI           │
                 ├─────────────────────┤
                 │ status, logs,       │
                 │ watch, report, tcc  │
                 └─────────────────────┘
```
- Discovery — Process scanner runs every 5 seconds, building a process tree via `ps -A`
- Classification — Each AI process is scored on 6 signals (ancestry, pipes, keywords, network, TCC, code signing)
- File Monitoring — Chokidar watches known AI app working directories for file access
- Network Monitoring — `lsof` enumerates active connections from AI processes
- Storage — All events written to SQLite at `~/.argus/data.db` (never leaves your machine)
- Notification — Throttled, batched alerts sent as native OS notifications
- Reporting — CLI generates human-readable or JSON reports from the event database
| App | Category | Process Name |
|---|---|---|
| Claude Code | AI Code Editor | claude |
| Claude Desktop | LLM Desktop | Claude |
| OpenAI Codex | AI Code Editor | codex |
| ChatGPT | LLM Desktop | ChatGPT, chatgpt |
| Cursor | AI Code Editor | cursor, Cursor |
| VS Code + Copilot | AI Code Editor | Code, code |
| Windsurf | AI Code Editor | windsurf, Windsurf |
| Continue.dev | AI Code Editor | continue |
| Perplexity | LLM Desktop | Perplexity |
| Ollama | Local LLM | ollama |
| LM Studio | Local LLM | LM Studio, lmstudio |
| GitHub Copilot | AI Assistant | copilot |
| Amazon Q | AI Assistant | amazonq, Amazon Q |
| Tabnine | AI Code Editor | tabnine |
| Node.js agents | Runtime | node |
| Python agents | Runtime | python, python3 |
Detected AI endpoints:
- Anthropic Claude API
- OpenAI API (ChatGPT, GPT-4, etc.)
- Google Gemini API
- Mistral AI
- Cohere
- Together AI
- OpenRouter
- Hugging Face
- Replicate
- Codeium/Windsurf
- GitHub Copilot
- Perplexity AI
All monitoring data is stored in an SQLite database at ~/.argus/data.db. This database is:
- Local-only — Never leaves your machine or is sent to any server
- Permanent — Survives daemon restarts, reboots, and app updates
- Queryable — Can be inspected directly with `sqlite3`
- Portable — Copy `~/.argus/` to backup or analyze on another machine
Logs are written to ~/.argus/logs/ (rotating, max 10 MB per file).
- Node.js ≥ 18.0.0
- macOS 12+ (Monterey or later) or Linux (Ubuntu 20+, Debian 11+, etc.)
- No root required — Runs as a user LaunchAgent (macOS) or systemd service (Linux)
- SQLite — Built-in on all supported platforms
- lsof — Pre-installed on macOS; install on Linux: `sudo apt-get install lsof`
```bash
npm install
npm test
```
All tests are in /tests. The test suite includes:
- Unit tests for classifiers, monitors, and utilities
- Integration tests for database operations
- E2E tests for CLI commands
- 640+ tests, 0 failures
```bash
# View test output with details
node tests/run.js
```
Tests are run on Node 18, 20, and 22 in CI.
```
argus/
├── src/
│   ├── index.js                    # Main daemon entry point
│   ├── cli.js                      # CLI command dispatcher
│   ├── ai-apps.js                  # Registry of AI apps + detection config
│   ├── lib/
│   │   ├── config.js               # Frozen config object
│   │   ├── platform.js             # macOS/Linux detection
│   │   ├── exec.js                 # Async command executor
│   │   └── logger.js               # Pino logger setup
│   ├── monitors/
│   │   ├── process-classifier.js   # 6-signal AI detection engine
│   │   ├── process-scanner.js      # Process tree builder
│   │   ├── file-monitor.js         # Watch file access
│   │   ├── network-monitor.js      # Track network connections
│   │   ├── browser-monitor.js      # Detect browser automation
│   │   └── usage-tracker.js        # AI tool usage (Codex/Claude/Cursor)
│   ├── db/
│   │   ├── schema.js               # SQLite schema init
│   │   └── store.js                # Database CRUD operations
│   ├── notifications/
│   │   └── notifier.js             # Throttled + batched alerts
│   ├── daemon/
│   │   ├── daemon-manager.js       # Main event loop
│   │   ├── launchd.js              # macOS LaunchAgent setup
│   │   └── ipc-client.js           # IPC for CLI commands
│   ├── cli/
│   │   └── commands/               # Command implementations
│   ├── dashboard/
│   │   └── dashboard.js            # TUI dashboard (blessed)
│   └── report/
│       └── report-generator.js     # Report formatting
├── tests/
│   ├── run.js                      # Test runner
│   └── [test files]
├── install.sh                      # One-liner installer
└── package.json
```
- Add entry to `AI_APPS` in `src/ai-apps.js`: `'myapp': { name: 'My AI App', category: 'AI Code Editor' },`
- Add any app-specific keywords to `CMD_KEYWORDS` in `src/monitors/process-classifier.js`
- Add any app-specific API endpoints to `AI_ENDPOINTS` in `src/ai-apps.js`
- Add tests to ensure detection works
Edit SENSITIVE_PATHS in src/ai-apps.js to add file paths or credential locations to monitor.
Edit src/notifications/notifier.js and add a function to the notify object:
```javascript
export const notify = {
  myAlert(appName, detail) {
    return sendAlert(appName, 'my_alert', `Custom message: ${detail}`);
  },
};
```
- No internet access — Argus is purely local. Data never leaves your machine.
- Open source — All monitoring logic is visible in this repository.
- No telemetry — No analytics, crash reporting, or tracking.
- SQLite-only — Events stored in a local database file you can inspect.
- Read-only — Argus only reads process information; it doesn't modify anything.
- Inspect `src/` — all networking code is in `monitors/network-monitor.js`
- Check `src/notifications/notifier.js` — notifications only use `node-notifier` (native OS API)
- Search for `http` or `https` — none in production code
- Run `npm ls` to inspect all dependencies (all are production-ready open-source packages)
```bash
argus uninstall
npm uninstall -g argus-monitor
rm -rf ~/.argus
```
```bash
argus logs --level error
```
Check if Node.js is installed and in PATH:
```bash
which node
node --version
```
- Check if daemon is running: `argus status`
- Check macOS notifications settings — Argus needs permission to notify
- Test manually: `argus logs -f` to see events in real-time
Adjust throttle interval in src/lib/config.js:
```javascript
NOTIFICATION_THROTTLE_MS: 300000, // 5 minutes
```
Reduce scan intervals in src/lib/config.js:
```javascript
SCAN_INTERVAL_MS: 5000, // process scan every 5s
FILE_MONITOR_INTERVAL_MS: 3000, // file monitor every 3s
NETWORK_MONITOR_INTERVAL_MS: 3000, // network scan every 3s
```
MIT — See LICENSE for details.
See CONTRIBUTING.md for guidelines on:
- Adding new AI apps
- Adding new injection patterns
- Creating new notification types
- Running and writing tests
Argus ships with a built-in MCP server that integrates directly with Claude Desktop. Ask Claude questions about what AI agents are doing on your machine — in natural language.
Add to your Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json):
```json
{
  "mcpServers": {
    "argus": {
      "command": "node",
      "args": ["/path/to/argus/src/mcp/server.js"]
    }
  }
}
```
Restart Claude Desktop. Argus tools appear automatically.
| Tool | Description |
|---|---|
| `get_active_ai_processes` | List AI agents detected in the last N hours |
| `get_file_accesses` | Sensitive file access alerts (credentials, browser data) |
| `get_network_activity` | Network connections to AI endpoints |
| `get_sessions` | Session history with start/stop/duration |
| `get_daily_summary` | Daily stats for any date |
| `get_injection_alerts` | Prompt injection detections |
| `get_ai_usage` | Token usage and estimated API costs |
| `get_monitoring_status` | Overall Argus status and stats |
All tools are read-only — they query the local SQLite database and never modify anything.
Prompt: "What AI agents ran on my machine today?"

Response:
```json
[
  { "name": "claude", "app_label": "Claude Code (CLI)", "category": "AI Code Editor" },
  { "name": "Claude", "app_label": "Claude Desktop", "category": "LLM Desktop" },
  { "name": "ollama", "app_label": "Ollama", "category": "Local LLM" }
]
```
Prompt: "Did any AI app access my SSH keys or credentials?"

Response:
```json
[
  {
    "process_name": "Claude",
    "app_label": "Claude Desktop",
    "file_path": "/Users/you/.ssh/id_rsa",
    "sensitivity": "credentials",
    "is_alert": 1,
    "timestamp": "2026-04-03T14:22:19.000Z"
  },
  {
    "process_name": "Claude",
    "app_label": "Claude Desktop",
    "file_path": "/Users/you/Library/Keychains/login.keychain-db",
    "sensitivity": "credentials",
    "is_alert": 1,
    "timestamp": "2026-04-03T14:10:04.000Z"
  }
]
```
Prompt: "Give me a summary of AI activity for yesterday"

Response:
```json
{
  "date": "2026-04-02",
  "processCount": 4,
  "fileAlertCount": 21,
  "networkEventCount": 5265,
  "topPorts": [443, 80, 9222],
  "aiServicesHit": ["Anthropic", "OpenAI", "GitHub Copilot"]
}
```
Argus is a local-only privacy monitoring tool. This policy covers both the Argus application and its MCP extension for Claude Desktop.
- Argus monitors AI application activity (processes, file accesses, network connections) on your local machine
- All monitoring data is stored in a local SQLite database at `~/.argus/data.db`
- The MCP extension reads from this same local database
- No data is ever transmitted to any external server, cloud service, or third party
- The MCP extension communicates only with Claude Desktop via local STDIO (standard input/output)
- There is no telemetry, analytics, crash reporting, or tracking of any kind
- The application makes zero outbound network connections
- All data remains on your local filesystem at `~/.argus/`
- Database file permissions are set to owner-only (mode 0600)
- You can inspect, export, or delete the database at any time
- Old events are automatically cleaned up after 7 days
- Argus does not share data with anyone
- The MCP extension provides data only to Claude Desktop running on the same machine
- No third-party services, APIs, or SDKs are used for data processing
- You can pause/resume monitoring at any time via the tray menu
- You can delete all data by removing `~/.argus/`
- All source code is open source and auditable at https://github.com/cortexark/argus
- Uninstall instructions: `argus uninstall && npm uninstall -g argus-monitor`
For privacy questions or concerns, open an issue at https://github.com/cortexark/argus/issues
- Little Snitch — Network firewall (port-level monitoring)
- OverSight — Camera/microphone access monitor
- Lulu — Open-source firewall
- Santa — Google's binary authorization tool
Argus complements these tools by focusing specifically on what AI applications access on your machine.
Stay curious. Stay in control.


