It lets an AI assistant — Claude Desktop, Claude Code, or any MCP-compatible client — list, run, inspect, and clean up Linux containers on your Mac, safely and with a full audit trail.
This repository is the public download and documentation home for Tidesman. The source is maintained privately; the binaries published here are signed with an Apple Developer ID certificate and notarized by Apple.
Demo
<!-- A short screen recording is added here with the first release. --> <p align="center"><em>Demo coming with the first release.</em></p>What it is
<p align="center"> <img src="assets/how-it-works.svg" width="860" alt="How Tidesman works: an AI client speaks MCP over stdio to Tidesman, which talks directly to Apple's container apiserver over XPC to run Linux containers in lightweight VMs."> </p>MCP (Model Context Protocol) is an open standard that lets an AI assistant call external tools — small functions that do real work, such as listing or starting containers. Tidesman is the server side of that standard: it offers a set of container tools, and the AI is the client that calls them.
Apple's container is Apple's tool for running Linux containers on macOS. Normally you drive
it by typing commands in a terminal. Tidesman instead talks straight to the background service
that container relies on (its "apiserver"), using Apple's own Swift client library. Going
directly to that service is faster and sturdier than wrapping the command line.
Requirements
- An Apple Silicon Mac running macOS 26 (Apple's container runtime requires both).
- Apple's
containerinstalled and started:container system start.
Install
Tidesman is a signed, notarized binary. Pick whichever channel suits you.
Homebrew (recommended)
brew install JeronimoColon/tidesman/tidesman
This adds the tap and installs tidesman to /opt/homebrew/bin.
Installer package (.pkg)
Download tidesman-<version>.pkg from the
latest release, double-click
it, and follow the prompts. It installs tidesman to /usr/local/bin. The package is signed,
notarized, and stapled, so it verifies even offline.
Direct binary (zip)
Download tidesman-<version>-macos-arm64.zip, unzip it, and move tidesman onto your PATH.
Because the bare binary is not stapled, macOS checks it online the first time you run it.
Claude Desktop one-click (.mcpb)
Download tidesman-<version>.mcpb and open it with Claude Desktop (Settings → Extensions). The
bundle embeds the signed binary and registers the server for you in read-only mode.
Verify your download
Every release ships a SHA256SUMS file. From the folder holding your downloads:
shasum -c SHA256SUMS
Configure your MCP client
Tidesman runs as a local command your client launches over standard input/output. Point the
client at the binary and pass an access mode with --mode (omit it for read-only).
Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"tidesman": {
"command": "/opt/homebrew/bin/tidesman",
"args": ["--mode=safe"]
}
}
}
Claude Code:
claude mcp add --transport stdio --scope user tidesman \
-- /opt/homebrew/bin/tidesman --mode=safe
Any stdio MCP client (OpenAI Codex and others) works the same way: point it at the binary and pass the flags as arguments.
What it does
Nine container tools, each tagged by what it can do — Read, Write, or Destructive:
| Tool | Capability | What it does |
|---|---|---|
system_ping | Read | check the container service is reachable |
container_list | Read | list containers |
container_inspect | Read | show a container's full details |
container_logs | Read | fetch a container's recent output |
container_run | Write | create and start a container from an image |
container_exec | Write | run a command inside a running container |
container_stop | Write | gracefully stop a running container |
container_kill | Write | stop a container by sending it a signal (SIGKILL by default) |
container_delete | Destructive | remove a container |
What the capability tags mean: a Read tool observes state and changes nothing. A Write tool changes a container's state but never removes it; the container survives and can be inspected or restarted. Destructive is reserved for removing the container itself. Your MCP client may separately mark some write tools (exec, stop, kill) as destructive, based on the MCP hints each tool carries: those tools can end work or change data inside a container, even though the container itself survives. In every mode, all nine tools stay visible to your assistant; a tool the mode locks says so in its description and refuses until you raise the mode.
Access modes — safe by default
Tidesman runs at one of three authority levels, set with --mode=, and it starts in the
safest one. If no --mode is given, it is read-only. Every tool is always listed to your
assistant; the mode controls which of them may run.
| Mode | Allows | Tools callable |
|---|---|---|
read-only (default) | Read | ping, list, inspect, logs (4) |
safe | Read + Write | the above, plus run, exec, stop, kill (8) |
full | Read + Write + Destructive | all nine, including delete |
A separate flag, --allow-host-mounts, is required before container_run may mount a folder
from your Mac into a container; it is off by default because a host mount reaches outside the
container's isolation onto your real files.
Security and trust
- Signed and notarized. The binary is signed with an Apple Developer ID certificate and notarized by Apple, so Gatekeeper runs it without a warning.
- Safe by default. Unset mode is read-only; destructive operations require
full; host mounts require an explicit flag. - Audited. Every tool call — its name, its arguments (with secret-like values redacted), and
its outcome — is recorded to
~/Library/Logs/tidesman/audit.logand the macOS unified log. - Honest tool annotations. Every tool declares MCP read-only and destructive hints that match what it can actually touch, so your client knows the stakes and can ask before anything risky runs.
- Guard your client config. Tidesman's tools cannot change the access mode — it is pinned by
the
--modeargument in your MCP client's configuration file. That file lives outside Tidesman's control, so protect it accordingly: a client that grants its assistant broad filesystem access would let the assistant edit its own mode. Every audit-log line records the mode the call ran under, so any change leaves a visible trail.
Privacy Policy
Tidesman collects nothing about you and sends nothing to us: no telemetry, no analytics, no crash reporting, no accounts. Everything it does happens on your Mac.
- The audit log (tool calls, arguments with secret-like values redacted, outcomes) is written
only to your Mac —
~/Library/Logs/tidesman/audit.logand the macOS unified log — and stays there unless you share it yourself. Delete it whenever you like. - Tidesman opens no network ports. Its only outbound connection is to a container registry (such as Docker Hub) when you or your assistant asks it to pull an image; that request shares the image name and your network address with the registry, like any container tool.
- Nothing is shared with, sold to, or retained by anyone else.
The full policy lives at tidesman.dev/privacy.html. Privacy questions: legal@tidesman.dev.
License
Tidesman is proprietary software, provided free of charge under the end-user license in EULA.txt. It bundles open-source components whose notices are preserved in THIRD-PARTY-LICENSES.
Links
- Website: https://tidesman.dev
- Report an issue: https://github.com/JeronimoColon/tidesman-mcp/issues
- Contact: hello@tidesman.dev