Deckard

A Mac-resident MCP server that proxies Apple-native services — Mail, Calendar, iCloud Drive, Voice Memos, Reminders — to AI agents over stdio or HTTP. One trust boundary, one audit log, one place to enforce safety.

The bridge is built around a simple premise: an LLM agent talking to your iCloud should look more like a service account with scoped permissions than a fully-trusted user. Every call passes through the same policy pipeline (auth → ACL → redaction → injection-tagging → approval-gate → audit), and every layer is configurable per token.

Status: v1.0.0-beta.3 (public beta). 43 tools across 6 services, codesigned + notarized Developer ID build, 111 unit tests (incl. a schema validator that walks every registered tool), daemon + menubar UI with first-launch onboarding, auto-update via Sparkle (UI) and deckard self-update (CLI), CI on every push. Designed for personal homelab use; security model documented in docs/security-model.md. Known beta issues + roadmap in CHANGELOG.md.

Why this exists

Most "AppleScript MCP" projects expose Mail or Calendar as a thin RPC: tools fire, results come back as flat strings, the agent reads whatever the user reads. That's fine for trusted prompts and demo screenshots; it's wrong for any system where the agent might be compromised, the email content might be hostile, or the action chain might run unattended.

Deckard sits between the agent and macOS and adds:

• Default-deny ACL with per-token profiles. A "triage" agent gets mail.list_messages + mail.mark_read + nothing else. A "trusted" agent gets the full surface but mail.send still routes through an approval dialog. A "readonly" experiment can't write anything anywhere.
• Outbound redaction. Before any tool result reaches the model, secret-shaped substrings are replaced with [REDACTED:<rule>]. Cloud creds (AWS / GCP / Azure / DO), API keys (OpenAI / Anthropic / Stripe / Google / Twilio / npm), GitHub PATs, Slack/JWT tokens, RSA private blocks, SSN-like patterns — and one-time tokens: 2FA / OTP / verification / sign-in codes, magic-link URL params, inline password: / passwd= values, PIN: 1234. The OTP rule requires the matched value to contain at least one digit, so common words like "expired" or "invalid" don't trip it. New rules drop in via config.
• Inbound prompt-injection tagging. Mail bodies, calendar event notes, voice-memo titles, drive-file contents — anything the user didn't author — comes back wrapped in <untrusted>…</untrusted> so the agent treats it as data, not instructions. When known injection patterns ("ignore previous instructions", role-impersonation prefixes, etc.) are detected, the wrapper escalates to a strong warning banner.
• Approval gating for destructive actions. mail.send, drive.write, calendar.delete_event, reminders.delete_reminder — set their ACL to approve and every call pops a macOS dialog showing what's about to happen (recipients, body preview, file path, event title) before it executes. Per-token interactive_approval = "never" lets trusted remote tokens skip the dialog (audit logs as approved_by_policy for forensics).
• Multi-token auth with scoped profiles. Different agents get different secrets and different capabilities. Audit shows caller: "bearer:triage" instead of bearer:default.
• Tailnet listener (opt-in). When [tailscale] enabled = true the daemon also binds the tailnet IPv4. Peer ACLs are delegated to tailscaled — set them in the Tailscale admin console, not here. tailscale whois runs per request so audit rows for tailnet calls record transport=tailnet caller=ts:laptop:user@github. Bearer auth still applies on top.
• Batch mail ops. mail.move_message, mail.mark_read, mail.mark_unread accept a single id OR an ids: [string] array (up to 500). The batch path is one osascript invocation regardless of N — one Mail.app activation, one au

... View full README on GitHub