agent-machine · macOS · v0.1

Discover, invoke, and audit.
The agent control plane for macOS.

One CLI for static manifests, live desktop control, and Authority-backed cryptographic audit. Every action is a capability-attenuated cell with verifiable side-effect bounds.

Apache-2.0 · single binary · no Node required
terminal · 60s tour
agent-machine v0.1
$ agent-machine scan /Applications/Spotify.app # discover (54 capabilities)
$ agent-machine observe --app Spotify # live UI tree
$ agent-machine demo --app Spotify --workflow playpause --auto-approve
[1/5] discover scanned Spotify (17 capabilities)
[4/5] invoke cell:099e67 classify=write approval=oneshot (auto-approved)
[5/5] audit signed Ed25519 b1ee11...f902
side effect: write · audit chain: 1 entry, signature valid
$ agent-machine adapt /Applications/Spotify.app --target mcp --out ./mcp-spotify
generated 17 typed MCP tools, Authority-aware

Discovery

v0.1
scan · list · recipe · adapt

Static macOS bundle inspection emits Authority-compatible manifests. Generate MCP servers from any .app in 30 seconds. AppleScript dictionary extraction, Info.plist parsing, app-kind detection.

Runtime

v0.1
observe · click · type · scroll · screenshot · windows · demo

Live UI control via accessibility tree (wraps agent-desktop). Inspect windows, read elements with stable refs, dispatch real interactions on Apple-native and Catalyst apps.

Authority

v0.1
always-on enforcement

Every runtime action becomes a capability-attenuated execution cell. Side-effect classification, approval contracts, and Ed25519-signed audit chain — verifiable proof of bounded execution.

CDP Bridge

v0.2
cdp launch · cdp click · cdp eval · cdp screenshot · cdp query

Electron + CEF apps via Chrome DevTools Protocol. Cursor, VSCode, Notion, Slack, Linear, Discord, Figma — all controllable with the same Authority enforcement surface.

commands

Three layers, one CLI

Discover what an app exposes

  • agent-machine list

    Inventory installed apps grouped by kind

  • agent-machine scan /Applications/Spotify.app

    Deep scan: AppleScript dictionary, App Intents, URL schemes

  • agent-machine recipe com.spotify.client

    Curated invocation recipes for 20 popular apps

  • agent-machine adapt --target mcp

    Generate a typed MCP server from any scanned app

Invoke real actions on macOS

  • agent-machine observe --app Spotify

    Live accessibility tree with stable refs (@e1, @e2, ...)

  • agent-machine click @e3 --app Spotify

    Wrapped in an Authority cell + audit signature

  • agent-machine demo --app Spotify --workflow playpause

    End-to-end: discover → cell → execute → sign

  • agent-machine demo --app Notes --workflow notes-create

    Pre-built workflows across 8 apps

Reach Electron apps with the same primitive

  • agent-machine cdp launch cursor

    Relaunch Cursor with --remote-debugging-port

  • agent-machine cdp click "button.run" --app cursor

    Dispatch real click via CDP, audited by Authority

  • agent-machine cdp eval "document.title" --app cursor

    Destructive class — approval prompt by default

  • agent-machine cdp screenshot --app cursor

    Pixel-perfect viewport capture

comparison

What makes agent-machine different

Other tools control desktop UIs. None of them combine static manifests, capability classification, and signed audit in one binary.

Columns: Feature · agent-machine (us) · agent-desktop · OculOS · agent-device
  • Static manifest
  • Runtime control
  • Capability classification
  • Cryptographic audit
  • MCP server generation: built-in
  • Electron via CDP: v0.2
  • macOS
  • Linux: v0.3
  • Windows: v0.3
  • Mobile (iOS/Android): v0.4
Legend: supported · unique to us · planned (with target version) · partial / different scope · not supported

principles

Built for agents that need proof

agent-machine is the runtime layer for Authority — a capability-attenuated execution primitive. Each principle below is a constraint we hold even when convenient shortcuts are available.

Discover before you invoke

Manifests are stable contracts, not ephemeral DOM refs. The same capability ID survives app restarts and version updates.

Authority is the substrate

Cells, capabilities, side-effect classes, and audit signatures are the primitive — not a guardrail bolted on top.

Agent-first, human-friendly

Every command supports --json for machine output. Human renders use color, alignment, and next-step hints. Pipes auto-detect mode.

Static + runtime + safety in one binary

Single Rust CLI. No Node prerequisite, no daemon, no manual setup. Install once, use everywhere.

playground

Browse a real manifest

This is the actual output of agent-machine scan on a macOS app — capabilities, AppleScript commands, URL schemes, extensions.

Playground

Inspect a manifest before you wire execution around it.

Drop a generated manifest, paste an app path to copy the MCP setup, or switch between real sample scans committed from local apps.

Setup command preview

npx agent-machine adapt "/System/Applications/Notes.app" --target mcp

Notes
native · authority/0.1

com.apple.Notes

Version 3146.81.3 · public.app-category.productivity

/System/Applications/Notes.app

Scanned Apr 27, 2026, 12:18 AM

Capabilities: 55 · Extensions: 5 · AppleScript: 13

Capabilities snapshot
  • open note location (applescript_command, write): applescript.notes_suite.open_note_location
  • show (applescript_command, write): applescript.notes_suite.show
  • close (applescript_command, destructive): applescript.standard_suite.close
  • count (applescript_command, write): applescript.standard_suite.count
  • delete (applescript_command, destructive): applescript.standard_suite.delete
  • duplicate (applescript_command, write): applescript.standard_suite.duplicate
  • exists (applescript_command, read): applescript.standard_suite.exists
  • make (applescript_command, write): applescript.standard_suite.make

AppleScript commands

  • open note location (Notes Suite, write): Open a note URL. Direct parameter: text
  • show (Notes Suite, write): Show an object in the UI. Direct parameter: account|folder|note|attachment. Parameters: separately
  • close (Standard Suite, destructive): Close a document. Direct parameter: specifier. Parameters: saving, saving in
  • count (Standard Suite, write): Return the number of elements of a particular class within an object. Direct parameter: specifier. Parameters: each
  • delete (Standard Suite, destructive): Delete an object. Direct parameter: specifier
  • duplicate (Standard Suite, write): Copy an object. Direct parameter: specifier. Parameters: to, with properties

roadmap

Where this is going

v0.1 · Q3 2026 · shipping
  • Discovery layer (scan, list, recipe, adapt)
  • Runtime via agent-desktop (observe, click, type, ...)
  • Authority enforcement built-in (cell + audit)
  • MCP server generation with Authority embedded
v0.2 · Q4 2026 · in flight
  • CDP bridge for Electron + CEF apps
  • Cursor, VSCode, Slack, Discord, Notion, Linear, Figma
  • Mobile approval surface (Expo)
v0.3 · Q1 2027 · next
  • Linux support (AT-SPI + DBus)
  • Windows support (UI Automation + COM)
  • Cross-host capability transfer
v0.4 · Q2 2027 · future
  • iOS App Intents extraction
  • Android manifest + intents
  • WASM verifier for audit chain

authority

Built alongside Authority — the runtime that decides what's executable.

agent-machine discovers and invokes. Authority wraps every action in a capability-attenuated cell with cryptographic audit. They ship together.
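
How a hash-linked, Ed25519-signed audit chain of the kind described above can be checked offline, as an added example that is not agent-machine's or Authority's own code. It shows why a verifier needs both the signature and the link to the previous entry: relabelling a destructive action breaks the signature, while splicing in a validly signed entry from another chain only breaks the link. The entry layout, field names, canonical encoding, approval value `none` and cell ids are assumptions; the capability ids and side-effect classes come from the Notes snapshot on this page.

```javascript
// Added example, not agent-machine or Authority code. Entry layout and cell ids are assumed.
const nodeCrypto = require('node:crypto');

const GENESIS = '0'.repeat(64);
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
// Fixed field order so signer and verifier hash identical bytes.
const canonical = (e) => JSON.stringify([e.seq, e.prev, e.cell, e.capability, e.sideEffect, e.approval]);
const linkHash = (e) => sha256(canonical(e) + e.sig);

function appendEntry(chain, privateKey, fields) {
  const prev = chain.length ? linkHash(chain[chain.length - 1]) : GENESIS;
  const entry = { seq: chain.length, prev, ...fields };
  entry.sig = nodeCrypto.sign(null, Buffer.from(canonical(entry)), privateKey).toString('hex');
  chain.push(entry);
}

function verifyChain(chain, publicKey) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.seq !== i) return { ok: false, at: i, reason: 'sequence gap' };
    if (e.prev !== expectedPrev) return { ok: false, at: i, reason: 'broken link' };
    if (!nodeCrypto.verify(null, Buffer.from(canonical(e)), publicKey, Buffer.from(e.sig, 'hex')))
      return { ok: false, at: i, reason: 'bad signature' };
    expectedPrev = linkHash(e);
  }
  return { ok: true, entries: chain.length };
}

// Constructed sample: capability ids and classes are those in the Notes snapshot on this page.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const rec = (cell, capability, sideEffect, approval) => ({ cell, capability, sideEffect, approval });
  const chain = [];
  appendEntry(chain, privateKey, rec('cell:a1', 'applescript.standard_suite.exists', 'read', 'none'));
  appendEntry(chain, privateKey, rec('cell:a2', 'applescript.standard_suite.delete', 'destructive', 'prompt'));
  appendEntry(chain, privateKey, rec('cell:a3', 'applescript.standard_suite.make', 'write', 'oneshot'));
  // Tamper 1: relabel the destructive delete as a read.
  const relabelled = chain.map((e) => ({ ...e }));
  relabelled[1].sideEffect = 'read';
  // Tamper 2: splice in a validly signed entry from a different chain by the same key.
  const other = [];
  appendEntry(other, privateKey, rec('cell:b1', 'applescript.notes_suite.show', 'write', 'oneshot'));
  appendEntry(other, privateKey, rec('cell:b2', 'applescript.standard_suite.exists', 'read', 'none'));
  return {
    intact: verifyChain(chain, publicKey),
    relabelled: verifyChain(relabelled, publicKey),
    spliced: verifyChain([chain[0], other[1], chain[2]], publicKey),
  };
}
```

`demo()` returns the three verdicts; print them with `console.log(demo())`.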

github.com/Railly/authority →