tidesman-mcp

mcp
Security Audit
Warn
Health Warn
  • No license — Repository has no license file
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 6 GitHub stars
Code Pass
  • Code scan — Scanned 2 files during light audit, no dangerous patterns found
Permissions Pass
  • Permissions — No dangerous permissions requested

No AI report is available for this listing yet.

SUMMARY

Tidesman — a free native MCP server for running, understanding, and debugging Linux containers with Apple's container tool. Public downloads + docs.

README.md

Tidesman logo

Tidesman

A free native MCP server for running, understanding, and debugging Linux containers with Apple's container tool.

Latest release Homebrew tap version macOS 26 · Apple Silicon MCP server License: EULA

Website · Downloads

It lets an AI assistant (Claude Desktop, Claude Code, or any MCP-compatible client) list,
run, inspect, and clean up Linux containers on your Mac, safely and with a full audit trail.

This repository is the public download and documentation home for Tidesman. The source is
maintained privately; the binaries published here are signed with an Apple Developer ID
certificate and notarized by Apple.

Demo

Demo coming with the first release.

What it is

How Tidesman works: an AI client speaks MCP over stdio to Tidesman, which talks directly to Apple's container apiserver over XPC to run Linux containers in lightweight VMs.

MCP (Model Context Protocol) is an open standard that lets an AI assistant call external
tools: small functions that do real work, such as listing or starting containers. Tidesman is
the server side of that standard: it offers a set of container tools, and the AI is the client
that calls them.

Apple's container is Apple's tool for running Linux containers on macOS. Normally you drive
it by typing commands in a terminal. Tidesman instead talks straight to the background service
that container relies on (its "apiserver"), using Apple's own Swift client library. Going
directly to that service is faster and sturdier than wrapping the command line.

Requirements

  • An Apple Silicon Mac running macOS 26 (Apple's container runtime requires both).
  • Apple's container installed and started: container system start.

Install

Tidesman is a signed, notarized binary. Pick whichever channel suits you.

Homebrew (recommended)

brew install JeronimoColon/tidesman/tidesman

This adds the tap and installs tidesman to /opt/homebrew/bin.

Installer package (.pkg)

Download tidesman-<version>.pkg from the
latest release, double-click
it, and follow the prompts. It installs tidesman to /usr/local/bin. The package is signed,
notarized, and stapled, so it verifies even offline.

Direct binary (zip)

Download tidesman-<version>-macos-arm64.zip, unzip it, and move tidesman onto your PATH.
Because the bare binary is not stapled, macOS checks it online the first time you run it.

Claude Desktop one-click (.mcpb)

Download tidesman-<version>.mcpb and open it with Claude Desktop (Settings → Extensions). The
bundle embeds the signed binary and registers the server for you in read-only mode.

Verify your download

Every release ships a SHA256SUMS file. From the folder holding your downloads:

shasum -c SHA256SUMS

Configure your MCP client

Tidesman runs as a local command your client launches over standard input/output. Point the
client at the binary and pass an access mode with --mode (omit it for read-only).

Claude Desktop, edit ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "tidesman": {
      "command": "/opt/homebrew/bin/tidesman",
      "args": ["--mode=safe"]
    }
  }
}

Claude Code:

claude mcp add --transport stdio --scope user tidesman \
  -- /opt/homebrew/bin/tidesman --mode=safe

Any stdio MCP client (OpenAI Codex and others) works the same way: point it at the binary and
pass the flags as arguments.

What it does

Nine container tools, each tagged by what it can do (Read, Write, or Destructive):

Tool Capability What it does
system_ping Read check the container service is reachable
container_list Read list containers
container_inspect Read show a container's full details
container_logs Read fetch a container's recent output
container_run Write create and start a container from an image
container_exec Write run a command inside a running container
container_stop Write gracefully stop a running container
container_kill Write stop a container by sending it a signal (SIGKILL by default)
container_delete Destructive remove a container

What the capability tags mean: a Read tool observes state and changes nothing. A Write
tool changes a container's state but never removes it; the container survives and can be
inspected or restarted. Destructive is reserved for removing the container itself. Your MCP
client may separately mark some write tools (exec, stop, kill) as destructive, based on the MCP
hints each tool carries: those tools can end work or change data inside a container, even
though the container itself survives. In every mode, all nine tools stay visible to your
assistant; a tool the mode locks says so in its description and refuses until you raise the
mode.

Access modes: safe by default

Tidesman runs at one of three authority levels, set with --mode=, and it starts in the
safest one. If no --mode is given, it is read-only. Every tool is always listed to your
assistant; the mode controls which of them may run.

Mode Allows Tools callable
read-only (default) Read ping, list, inspect, logs (4)
safe Read + Write the above, plus run, exec, stop, kill (8)
full Read + Write + Destructive all nine, including delete

A separate flag, --allow-host-mounts, is required before container_run may mount a folder
from your Mac into a container; it is off by default because a host mount reaches outside the
container's isolation onto your real files.

Security and trust

  • Signed and notarized. The binary is signed with an Apple Developer ID certificate and
    notarized by Apple, so Gatekeeper runs it without a warning.
  • Safe by default. Unset mode is read-only; destructive operations require full; host mounts
    require an explicit flag.
  • Audited. Every tool call is recorded to ~/Library/Logs/tidesman/audit.log and the macOS
    unified log: its name, its arguments (with secret-like values redacted), and its outcome.
  • Honest tool annotations. Every tool declares MCP read-only and destructive hints that match
    what it can actually touch, so your client knows the stakes and can ask before anything
    risky runs.
  • Guard your client config. Tidesman's tools cannot change the access mode; it is pinned by
    the --mode argument in your MCP client's configuration file. That file lives outside
    Tidesman's control, so protect it accordingly: a client that grants its assistant broad
    filesystem access would let the assistant edit its own mode. Every audit-log line records
    the mode the call ran under, so any change leaves a visible trail.

Privacy Policy

Tidesman collects nothing about you and sends nothing to us: no telemetry, no analytics, no
crash reporting, no accounts. Everything it does happens on your Mac.

  • The audit log (tool calls, arguments with secret-like values redacted, outcomes) is written
    only to your Mac (~/Library/Logs/tidesman/audit.log and the macOS unified log) and stays
    there unless you share it yourself. Delete it whenever you like.
  • Tidesman opens no network ports. Its only outbound connection is to a container registry
    (such as Docker Hub) when you or your assistant asks it to pull an image; that request shares
    the image name and your network address with the registry, like any container tool.
  • Nothing is shared with, sold to, or retained by anyone else.

The full policy lives at tidesman.dev/privacy.html.
Privacy questions: [email protected].

License

Tidesman is proprietary software, provided free of charge under the end-user license in
EULA.txt. It bundles open-source components whose notices are preserved in
THIRD-PARTY-LICENSES.

Links

Reviews (0)

No results found