<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Oz Gomez</title>
    <description>The latest articles on DEV Community by Oz Gomez (@ozforce_1998).</description>
    <link>https://dev.to/ozforce_1998</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3938819%2F895b0ce0-b163-4f4a-8a88-4aea1e3f40c3.jpg</url>
      <title>DEV Community: Oz Gomez</title>
      <link>https://dev.to/ozforce_1998</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ozforce_1998"/>
    <language>en</language>
    <item>
      <title>I renamed my AI agent safety tool and added a team dashboard — here's what drove those decisions</title>
      <dc:creator>Oz Gomez</dc:creator>
      <pubDate>Mon, 08 Jun 2026 16:50:54 +0000</pubDate>
      <link>https://dev.to/ozforce_1998/i-renamed-my-ai-agent-safety-tool-and-added-a-team-dashboard-heres-what-drove-those-decisions-bi1</link>
      <guid>https://dev.to/ozforce_1998/i-renamed-my-ai-agent-safety-tool-and-added-a-team-dashboard-heres-what-drove-those-decisions-bi1</guid>
      <description>&lt;p&gt;A few months ago I wrote about building a file watcher for AI coding agents. The problem I was solving: when you're running Claude Code or Codex remotely, the agent modifies files you didn't expect, and by the time you notice, the change is already there.&lt;br&gt;
Since then, a few things have shifted.&lt;br&gt;
The context changed&lt;br&gt;
I'm doing contract work that keeps me away from the machine most of the day. I still want to maintain my own projects — a beach flag dashboard, some internal tools — but I can't sit in front of a terminal for hours. So I've been experimenting with running AI agents more autonomously, checking in remotely, and managing them more like a lightweight PM than a hands-on developer.&lt;br&gt;
That shift changed what I needed from the tool. It's not just "alert me when something dangerous happens." It became: I need to know what my agents did while I was away, across multiple projects, from my phone.&lt;br&gt;
What I built since&lt;br&gt;
The tool now has a persistent background daemon that runs via launchd on macOS — it starts on login and watches configured directories permanently, not just during active sessions. When something sensitive changes (.env, keys, CI configs, agent memory files like CLAUDE.md), it logs the event and sends a Telegram message with Keep/Rollback buttons.&lt;br&gt;
The bigger addition was a team dashboard. Events from any machine running the daemon sync to a central server — I deployed mine on Railway. You open a browser, enter a token, and see what each machine detected, filtered by project and time range. I tested it with two machines and it works the way I hoped.&lt;br&gt;
I also added a memory file scanner. When CLAUDE.md or .cursorrules changes, it scans the content for prompt injection patterns — things like "ignore previous instructions" or suspicious base64 strings. If it finds something, it elevates the alert to CRITICAL. This felt important as I started using agent memory files more heavily in my own workflow.&lt;br&gt;
The rename&lt;br&gt;
The tool was called AgentGuard. There's a company called GoPlus Security that also has a product called AgentGuard, focused on skill/plugin security — different angle, but the name collision was confusing. I spent some time looking for a better name and landed on Ilum — the planet in Star Wars where kyber crystals form and wait for their Jedi. It felt right for something that watches quietly and doesn't interfere unless something is wrong.&lt;br&gt;
The npm package is ozilum.&lt;br&gt;
Where it's at&lt;br&gt;
It's open source, early, and I'm the main user. The team dashboard is functional but basic. The memory scanner catches obvious patterns but isn't sophisticated. I'm looking for solo developers and small teams who run AI agents regularly and want some visibility into what they're doing.&lt;br&gt;
If you're building something AI-native and running agents with any autonomy, I'd genuinely appreciate feedback — what's missing, what's wrong, what's unnecessary.&lt;br&gt;
npm install -g ozilum&lt;br&gt;
GitHub: github.com/Osva2023/AgentGuard&lt;/p&gt;

</description>
      <category>ai</category>
      <category>devtools</category>
      <category>opensource</category>
      <category>claude</category>
    </item>
    <item>
      <title>Who's watching what your AI agent does when you're not looking?</title>
      <dc:creator>Oz Gomez</dc:creator>
      <pubDate>Thu, 28 May 2026 19:07:43 +0000</pubDate>
      <link>https://dev.to/ozforce_1998/whos-watching-what-your-ai-agent-does-when-youre-not-looking-1ja5</link>
      <guid>https://dev.to/ozforce_1998/whos-watching-what-your-ai-agent-does-when-youre-not-looking-1ja5</guid>
      <description>&lt;p&gt;This isn't about AI being dangerous. It's about a habit most of us have developed without noticing.&lt;br&gt;
You start a Claude Code session. The agent asks permission for the first action. You read it, approve. Second action — you read it, approve. Third action — you skim it, approve. By the fourth or fifth, you've clicked "don't ask again for this session" and gone back to whatever you were doing.&lt;br&gt;
That's not carelessness. That's a completely rational response to an approval-fatigue problem that the tools themselves create. The agents ask too often, for too many things, and we adapt by tuning them out.&lt;br&gt;
The problem gets worse when you're working remotely. I run AI coding sessions in two ways: sometimes through OpenClaw connected to Telegram, where I send messages and the agent executes actions on my machine. Sometimes through Claude.ai on my phone, running a remote session. Either way, you're watching a small screen, approving actions with limited context, and eventually you stop reading carefully.&lt;br&gt;
One day I came back to my machine and found that the agent had modified files I didn't expect — not maliciously, just confidently. An .env file updated. A config changed. A dependency added. Nothing catastrophic. But I had no record of it. I couldn't tell what changed, when, or why.&lt;br&gt;
So I built something to watch.&lt;br&gt;
AgentGuard is a background daemon that monitors what AI coding agents do to your files during and between sessions. It doesn't try to stop the agent from working — it tries to give you visibility into what happened.&lt;br&gt;
What it actually does:&lt;br&gt;
It watches configured directories with a file watcher. When a sensitive file changes (.env, keys, CI configs, package.json, agent memory files like CLAUDE.md), it logs the event to an audit trail and optionally sends a Telegram message with Keep/Rollback buttons — even if you're not at the machine.&lt;br&gt;
It runs as a permanent background daemon (launchd on macOS) so it's always watching, not just during explicit sessions.&lt;br&gt;
It has a macOS menu bar icon showing daemon status and recent activity — same idea as Docker Desktop's tray icon.&lt;br&gt;
What I learned building it:&lt;br&gt;
The hardest problem wasn't detection — it was deciding what to do about it. Block everything and the agent becomes useless. Block nothing and you're back where you started. The answer I landed on: log everything, alert on the things that actually matter (credential files, mass deletes, CI configs), and let the user decide.&lt;br&gt;
The second thing I learned: real-time command interception is harder than it sounds. Codex is a Rust binary that doesn't use the shell in an interceptable way. The file watcher ended up being more reliable than the command interceptor for most agents.&lt;br&gt;
The open question I don't have an answer to:&lt;br&gt;
Is this the right layer to solve this problem? Should the agents themselves have better audit trails? Should there be a standard for "what did this session change"? I genuinely don't know.&lt;br&gt;
I built this because I needed it. It's been running on my machine for a few weeks watching two projects. The log is mostly quiet — which is either good news or means I'm not watching the right things.&lt;br&gt;
If you use Claude Code, Codex, aider, or run agents remotely via OpenClaw or similar — I'd be curious whether this matches a problem you've actually experienced, or whether the approval-fatigue thing is just me.&lt;br&gt;
npm install -g agentguard-dev&lt;br&gt;
GitHub: github.com/Osva2023/AgentGuard&lt;/p&gt;

</description>
      <category>ai</category>
      <category>devtool</category>
      <category>claude</category>
      <category>opensource</category>
    </item>
    <item>
      <title>AgentGuard 0.3.0 — macOS menu bar app, Telegram rollback, and more</title>
      <dc:creator>Oz Gomez</dc:creator>
      <pubDate>Thu, 21 May 2026 19:55:58 +0000</pubDate>
      <link>https://dev.to/ozforce_1998/agentguard-030-macos-menu-bar-app-telegram-rollback-and-more-1913</link>
      <guid>https://dev.to/ozforce_1998/agentguard-030-macos-menu-bar-app-telegram-rollback-and-more-1913</guid>
      <description>&lt;p&gt;Quick update on AgentGuard since my last post.&lt;br&gt;
A few days ago I shared a tool I built because I kept finding that Claude Code was modifying files I didn't expect while I was away from the machine. Today I pushed 0.3.0 with some meaningful additions.&lt;br&gt;
What's new:&lt;br&gt;
A macOS menu bar app. Click the shield icon and you get a popup showing daemon status, which directories are being watched, and the last 5 file events. Start/stop the daemon from there too.&lt;br&gt;
Telegram approve/deny buttons. When a sensitive file changes (.env, keys, CI configs, agent memory files), you get a Telegram message with ✅ Keep and ↩️ Rollback buttons. Works while you're away from the machine — the whole reason I built this.&lt;br&gt;
macOS system notifications for HIGH and CRITICAL events.&lt;br&gt;
Agent memory files now monitored — CLAUDE.md, .cursorrules, .hermes/, aider configs. These are persistent instructions that survive between sessions and could be poisoned.&lt;br&gt;
A daily report command: agentguard daemon report --days=7&lt;br&gt;
npm install -g agentguard-dev&lt;br&gt;
agentguard init&lt;br&gt;
For the menu bar app:&lt;br&gt;
cd $(npm root -g)/agentguard-dev/tray &amp;amp;&amp;amp; npm install&lt;br&gt;
agentguard tray&lt;/p&gt;

&lt;p&gt;Still honest about limitations: file watcher is the primary defense — real-time command interception doesn't work reliably with Codex (Rust binary) or Copilot CLI (TUI). Claude Code is the best-supported agent.&lt;br&gt;
Nobody has really tested this except me. If you use Claude Code or any CLI agent and want to try it, I'd genuinely appreciate feedback — brutal honesty welcome.&lt;br&gt;
GitHub: github.com/Osva2023/AgentGuard&lt;/p&gt;

&lt;p&gt;Leave a question or ask for help in the comments if you prefer. Thanks.&lt;/p&gt;

</description>
      <category>agents</category>
      <category>ai</category>
      <category>security</category>
      <category>showdev</category>
    </item>
    <item>
      <title>I built a file watcher for AI coding agents — would love brutal feedback</title>
      <dc:creator>Oz Gomez</dc:creator>
      <pubDate>Mon, 18 May 2026 19:43:46 +0000</pubDate>
      <link>https://dev.to/ozforce_1998/i-built-a-file-watcher-for-ai-coding-agents-would-love-brutal-feedback-3in6</link>
      <guid>https://dev.to/ozforce_1998/i-built-a-file-watcher-for-ai-coding-agents-would-love-brutal-feedback-3in6</guid>
      <description>&lt;p&gt;I've been using Claude Code for the past few months — heavily. And a lot of the time, I'm running it remotely. I'll kick off a session from my phone via Telegram, leave it working on a project, and come back later to see what it did.&lt;br&gt;
That's when I started noticing something uncomfortable.&lt;br&gt;
The agent would modify files I didn't expect. Overwrite a .env. Delete something it considered "unused". Touch config files while doing something else entirely. When I was sitting at the machine, I'd catch it. When I wasn't — I'd find out later, sometimes much later.&lt;br&gt;
So I built something to watch what it does while I'm away.&lt;br&gt;
AgentGuard is a CLI wrapper and background daemon that monitors your filesystem while AI coding agents work. It detects changes to sensitive files (.env, keys, CI configs, package.json), logs everything to an audit trail, and can send you a Telegram message with rollback buttons if something looks wrong — even when you're not at the machine.&lt;br&gt;
npm install -g agentguard-dev&lt;br&gt;
agentguard init&lt;br&gt;
agentguard claude  # wraps Claude Code&lt;br&gt;
Or run it as a permanent background daemon:&lt;br&gt;
agentguard daemon install  # starts on login via launchd&lt;br&gt;
agentguard daemon status&lt;br&gt;
What it actually does:&lt;/p&gt;

&lt;p&gt;Watches configured directories permanently, even when you're away&lt;br&gt;
Detects mass deletes, env overwrites, CI config changes, credential files&lt;br&gt;
Sends Telegram alerts with ✅ Keep / ↩️ Rollback buttons you can tap from your phone&lt;br&gt;
Writes a full audit log so you can see what the agent touched during a session&lt;/p&gt;

&lt;p&gt;Honest limitations:&lt;/p&gt;

&lt;p&gt;Real-time command interception doesn't work reliably — Codex is a Rust binary that bypasses our hooks, Copilot CLI has a TUI that interferes. The file watcher is the primary defense.&lt;br&gt;
Tested mainly with Claude Code on macOS. Other agents and Linux need more testing.&lt;br&gt;
Nobody has really used this except me.&lt;/p&gt;

&lt;p&gt;That last point is why I'm posting this.&lt;br&gt;
I have a few years of experience in testing and developer support, so I know enough to build something that works — but I built this primarily because I needed it, and Claude Code helped me write most of it, which is a bit meta. The code works, the tests pass, and it's been running as a daemon on my machine for a week watching two real projects.&lt;br&gt;
But I have no idea if it's useful to anyone else, if the UX makes sense, or if I'm solving the wrong problem entirely.&lt;br&gt;
GitHub: github.com/Osva2023/AgentGuard&lt;br&gt;
If you use Claude Code, Codex, or aider — I'd genuinely appreciate you taking a look. Even just "this is pointless because X" would be valuable right now.&lt;br&gt;
Leave questions, suggestions, etc. in the comments. Thanks, DEVs.&lt;/p&gt;

</description>
      <category>agents</category>
      <category>ai</category>
      <category>monitoring</category>
      <category>showdev</category>
    </item>
  </channel>
</rss>
