Let a Codex or SSH-launched AI agent read and write Apple Reminders through the rem CLI without macOS blocking it
Maintain one stable TCC-permissioned app so you stop granting Reminders access to every new terminal binary
Audit every command an AI agent ran through Fluegel via the JSONL log under ~/Library/Logs/Fluegel
Whitelist a specific absolute-path CLI tool so only that exact binary can ride on Fluegel's permissions
macOS only, must be built from source with Swift, then manually copied to ~/Applications and /opt/homebrew/bin, and granted TCC permissions once.
Fluegel is a small Mac menu-bar application written in Swift that acts as a permission broker between command-line AI agents and parts of macOS that normally lock those agents out. On modern Macs, sensitive features like Reminders, Contacts, or Calendar access are gated by a system called TCC, which grants permission to a specific app or binary. That works fine for a regular desktop user, but it breaks down when an AI coding agent might be running inside Codex, an SSH session, the Ghostty terminal, or a short-lived launchd process. Granting every one of those callers access is messy and hard to audit. Fluegel solves this by giving the permission a stable home. You install the Fluegel menu-bar app, grant it Reminders access once, and then add specific full-path command-line tools to a whitelist inside Fluegel. When an agent wants to use one of those tools, it asks Fluegel to run the command, and macOS sees the access coming from Fluegel.app, not from the agent's transient process. The first supported use case is the third-party rem tool, which exposes Apple Reminders as a command-line interface. The project ships as both a Swift app and a companion CLI binary called fluegel. You build it with swift test and a script called build-app.sh, then copy Fluegel.app into ~/Applications and the CLI binary into /opt/homebrew/bin. The CLI has subcommands for checking status, requesting permission, listing and editing the whitelist, running a whitelisted tool, and reading the audit log. The settings window inside the app shows the same three views: Permissions, Whitelist, and Audit. Security is intentionally narrow. The CLI talks to the app over a private Unix domain socket inside the application support directory, using a token the app generates. Whitelist edits require local macOS authentication. Commands are matched by their exact absolute path, and every allow or deny decision is appended to a JSON-lines audit log under ~/Library/Logs/Fluegel. The author is clear that Fluegel is a convenience boundary for trusted local automation, not a sandbox or a privilege-escalation framework, and explicitly warns against feeding it untrusted input. The README labels the project as early, with reliable Reminders automation through rem as the first practical target.
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.