Maxx the Marmot
macOS endpoint lifecycle intelligence

your software,
tended.

Maxx keeps every app on your Mac current, verified, and auditable.
Where competitors stop at detection, Maxx acts.

$ curl -sSL https://fixxr.org/install.sh | bash
macOS 13+ · Apple Silicon & Intel · Python 3.11+
535+ apps catalogued
4 update mechanisms
100% local-first
MIT open source

MacUpdater retired.
Nothing replaced it.

MacUpdater's backend went dark. 238 apps lost their update path overnight. Homebrew covers some. The App Store covers others. The rest drift — quietly accumulating security debt — until a CVE shows up and you realise you've been running a vulnerable version for four months.

  • ⚠️ Unmanaged apps drift

    Apps outside Homebrew or the MAS have no automatic update path. They fall behind silently.

  • 🔴 Supply chain risk is invisible

    You can't tell if a "Chrome update" is actually Chrome. TeamID verification closes that gap.

  • 📦 No audit trail

    When did that app update? From where? What changed? Without provenance, you're guessing.

fixxr — endpoint status
$ fixxr report
--- Maxx's Endpoint Security Report ---
Total tracked apps: 247
Outdated apps: 23
CVE exposure: 3 app(s) with known CVEs
Mean days outdated: 18.4
Pending safety review: 0
Top 5 riskiest:
[high | 47d] Firefox: 118.0 → 130.0
[medium | 23d] draw.io: 23.1.0 → 24.7.8
[medium | 15d] Docker: 4.32.0 → 4.34.3
[low | 8d] Disk Drill: 5.4.0 → 5.5.0
[low | 3d] CleanMyMac: 5.0.0 → 5.0.5

Provenance over speed.
Audit over blind trust.

Every update Maxx installs passes through the same four-step protocol. No shortcuts. No blind trust. The protocol is open source — you can read every line.

01 🔍 Scan

Maxx queries Sparkle feeds, Homebrew Cask, the Mac App Store, and native update triggers. He finds what's new across all four update mechanisms so nothing slips through.

02 🔐 Verify

The TeamID reported by codesign -dvv for the downloaded binary is compared against the installed app's. A new TeamID is blocked. The community catalog adds consensus sha256 verification.

03 🛡️ Assess

Before any rights elevation: CDN origin, URL patterns, and an optional Claude Haiku second opinion. High confidence installs automatically. Low confidence queues for your review.

04 📋 Record

Every update — success or failure — is committed to a local Dolt database. Who, what, from where, when. You own the full provenance trail. Nothing leaves without your consent.


Five commands.
Complete visibility.

Maxx routes each app to the best available mechanism automatically. Homebrew Cask, MAS, Sparkle, native triggers — all unified under one protocol.

  • 1. Discover updates across all mechanisms

    Maxx queries every source in parallel. No manual configuration — he reads your installed apps and figures out where they update from.

    fixxr scan

  • 2. Rank by actual risk, not version delta

    Days outdated × security tier. A browser 47 days behind ranks above a utility that just hit a minor version.

    fixxr list --risk

  • 3. Update — with the safety gatekeeper active

    AI assessment runs before every rights elevation. Suspicious installs queue for your review. Everything else completes automatically.

    fixxr update

  • 4. Inspect any install's full provenance chain

    Where did this binary come from? What CDN? Was the TeamID consistent? SHA256 consensus from the community catalog?

    fixxr provenance

  • 5. See your endpoint's security posture

    Total apps tracked, outdated count, CVE exposure, mean days outdated, pending safety reviews — in a single report.

    fixxr report

fixxr — update session
$ fixxr update
Maxx is rolling up his sleeves...
Polishing draw.io up to v29.6.6...
CDN: objects.githubusercontent.com ✓
TeamID: UZEUFB4N53 ✓ (matches installed)
AI assessment: HIGH confidence
SHA256: a3f1b29c... ✓
✓ draw.io updated. (brew cask)
Polishing Firefox up to v149.0...
CDN: download.cdn.mozilla.net ✓
TeamID: BPDYD23G75 ✓ (matches installed)
✓ Firefox updated. (native trigger)
⚠ SomeApp: CDN not in trusted list.
Queued for review — run `fixxr review`
Updated 2 apps (1 via cask, 1 via native).
1 queued for safety review.

Provenance, made visible.

Not a checkmark. An actual stamp — the visual payoff for the whole provenance system. When Maxx earns it, he puts his mark on the work.

  • TeamID chain unbroken. The new binary's signing identity matches the installed app. Same developer, verifiably.

  • SHA256 matches community consensus. Other FIXXR users saw the same binary. Or self-verified on first download and cached locally.

  • CDN domain consistent. Mozilla doesn't suddenly update from a domain in Russia. Google doesn't deliver Chrome from a sketchy CDN. Drift is caught.

The library is in order. Every tool verified and in its place.

[Green Seal stamp: verified]

Same app. Four depths.

Depth is unlocked, not forced. A personal Mac user gets visibility and hygiene. A security engineer gets provenance and intelligence. Same Maxx, same protocol.

1 · Visibility

Know what's installed, what's outdated, and how far behind. The baseline every Mac user should have.

fixxr scan · fixxr list

2 · Hygiene

Actually install the updates. Maxx routes to the right mechanism. Brew, MAS, Sparkle — all in one command.

fixxr update · fixxr report

3 · Provenance

Know where every binary came from. TeamID verification, SHA256, CDN tracking, the Green Seal.

fixxr provenance · fixxr review

4 · Intelligence

CVE correlation. Risk-ranked updates. AI safety gatekeeper. Community checksum consensus. The full platform.

fixxr cve · fixxr report --json

Every observation
benefits everyone.

The FIXXR community catalog lives on DoltHub — a version-controlled, open dataset of verified app provenance. Every participant makes the catalog smarter for everyone who follows.

🗄️

DoltHub Catalog

A version-controlled SQL database of macOS app provenance: download URLs, TeamIDs, SHA256 checksums, update mechanisms. Opt-in push contributes your verified data. Pull merges community improvements into your local catalog. Dolt's 3-way merge handles conflicts. Privacy filter enforced in code — only whitelisted fields ever leave your machine.

🦫

Help Maxx — Method Discovery

For the ~53 third-party apps with no automation record, you can help Maxx learn. Run fixxr watch "App Name" while manually updating an app — Maxx monitors network connections, detects the CDN and download pattern, and records the mechanism. Opt-in with fixxr community enable --help-maxx to share what you discover. Your observation becomes the next person's automation.

🔒

Checksum Consensus

When multiple FIXXR users download the same version of the same app, their SHA256 hashes should match. A mismatch is a supply chain incident. The catalog tracks consensus — if your hash diverges from 47 other endpoints, you'll know. Architecture differences (arm64 vs universal) are annotated to avoid false alerts.
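The consensus check described above, as an added example that is not FIXXR's catalog code: peer observations are grouped per architecture so that a universal build and an arm64 build are not mistaken for a mismatch, and a local hash that diverges from the majority for its own architecture is flagged as an incident. The peer set (47 arm64 endpoints, 5 universal), the digests and the minimum-peer threshold are all constructed.

```python
"""Added example, not FIXXR's own code: checksum consensus across endpoints with
architecture annotation, over a constructed set of peer observations."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bundle_id: str
    version: str
    arch: str       # "arm64", "x86_64" or "universal"
    sha256: str


def _fake_sha(hex_char: str) -> str:
    """Constructed stand-in for a real digest: 64 copies of one hex character."""
    return hex_char * 64


# Constructed peer observations: 47 arm64 endpoints agree on one hash, 5 universal
# endpoints agree on another (the universal build is a genuinely different file).
PEERS = (
    [Observation("example.app", "2.0.0", "arm64", _fake_sha("a")) for _ in range(47)]
    + [Observation("example.app", "2.0.0", "universal", _fake_sha("b")) for _ in range(5)]
)


def consensus(observations, bundle_id, version):
    """Per-architecture (majority hash, supporting count) for one app version."""
    by_arch: dict[str, Counter] = {}
    for o in observations:
        if o.bundle_id == bundle_id and o.version == version:
            by_arch.setdefault(o.arch, Counter())[o.sha256] += 1
    return {arch: counts.most_common(1)[0] for arch, counts in by_arch.items()}


def check_hash(observations, bundle_id, version, arch, local_sha256, min_peers=3):
    """Classify a local download against community consensus.

    Returns (status, detail):
      "self-verified"   no peer has seen this version/arch; cache the hash locally
      "weak-consensus"  fewer than min_peers agree; advisory only (threshold assumed)
      "match"           local hash equals the majority hash for this arch
      "arch-differs"    local hash equals the majority for a different arch
                        (universal vs arm64): annotated, not alerted
      "MISMATCH"        peers agree on another hash: treat as a supply chain incident
    """
    table = consensus(observations, bundle_id, version)
    if arch not in table:
        return "self-verified", "no peer observations for this architecture"
    majority, count = table[arch]
    if count < min_peers:
        return "weak-consensus", f"only {count} peer(s) agree"
    if local_sha256 == majority:
        return "match", f"matches {count} other endpoint(s)"
    for other_arch, (other_hash, other_count) in table.items():
        if other_arch != arch and other_hash == local_sha256:
            return "arch-differs", (
                f"hash matches the {other_arch} build ({other_count} endpoint(s))")
    return "MISMATCH", f"diverges from {count} endpoint(s) on {arch}"


if __name__ == "__main__":
    for local in (_fake_sha("a"), _fake_sha("b"), _fake_sha("c")):
        print(check_hash(PEERS, "example.app", "2.0.0", "arm64", local))
```

The order of the checks matters: the architecture cross-match is tried only after the same-architecture majority has failed, so a file that matches its own architecture's consensus is never downgraded to an annotation, and a file that matches nothing is always an incident.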

📡

OSV.dev CVE Integration

Maxx queries OSV.dev for known vulnerabilities in every installed app version, cached locally in Dolt to avoid repeated API calls. Run fixxr cve to scan your full inventory. Results surface in fixxr report and fixxr list --risk — CVE exposure moves an app up the priority queue automatically.
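Risk ranking as the page describes it (days outdated × security tier, with CVE exposure lifting an app up the queue) as an added example that is not FIXXR's own ranking code. The app rows are the ones in the page's sample report; the tier assignments, tier weights, label thresholds and the per-CVE bonus are assumptions chosen so that the sample rows come out with the page's labels. The CVE list would be populated from OSV.dev in the real tool; here it is constructed and the placeholder id is not a real CVE.

```python
"""Added example, not FIXXR's own code: risk ranking by days outdated x security
tier, with known CVEs lifting an app up the queue. Weights and thresholds are
assumptions; the app rows reproduce the page's sample report."""
from dataclasses import dataclass, field

# Assumed security tiers: a stale browser matters more than a stale utility.
TIER_WEIGHT = {"browser": 3, "developer-tool": 2, "utility": 1}
CVE_WEIGHT = 100          # assumption: each known CVE adds this much to the score
HIGH, MEDIUM = 100, 20    # assumed label thresholds on the final score


@dataclass
class AppStatus:
    name: str
    installed: str
    latest: str
    days_outdated: int
    tier: str
    # CVE ids come from OSV.dev in the real tool; constructed in this example.
    cves: list[str] = field(default_factory=list)


def risk_score(app: AppStatus) -> int:
    """Days outdated x tier weight, plus a fixed bonus per known CVE."""
    return app.days_outdated * TIER_WEIGHT[app.tier] + CVE_WEIGHT * len(app.cves)


def risk_label(score: int) -> str:
    if score >= HIGH:
        return "high"
    if score >= MEDIUM:
        return "medium"
    return "low"


def rank(apps, top=5):
    """Top-N apps by score, as (label, days, name, installed, latest) tuples."""
    ordered = sorted(apps, key=risk_score, reverse=True)
    return [(risk_label(risk_score(a)), a.days_outdated, a.name, a.installed, a.latest)
            for a in ordered[:top]]


def format_row(label, days, name, installed, latest) -> str:
    """Same shape as the `fixxr report` lines on the page."""
    return f"[{label} | {days}d] {name}: {installed} → {latest}"


# Rows from the page's sample report; tiers are assumed.
SAMPLE = [
    AppStatus("Firefox", "118.0", "130.0", 47, "browser"),
    AppStatus("draw.io", "23.1.0", "24.7.8", 23, "developer-tool"),
    AppStatus("Docker", "4.32.0", "4.34.3", 15, "developer-tool"),
    AppStatus("Disk Drill", "5.4.0", "5.5.0", 8, "utility"),
    AppStatus("CleanMyMac", "5.0.0", "5.0.5", 3, "utility"),
]


def with_cve_on_cleanmymac():
    """Constructed variant: one (placeholder, non-real) CVE attached to the
    least-outdated utility, to show CVE exposure overriding the days metric."""
    rows = [AppStatus(**vars(a)) for a in SAMPLE]
    rows[-1].cves = ["CVE-PLACEHOLDER-0000"]
    return rows


if __name__ == "__main__":
    for row in rank(SAMPLE):
        print(format_row(*row))
    print("--- with a CVE on CleanMyMac ---")
    for row in rank(with_cve_on_cleanmymac()):
        print(format_row(*row))
```

With the assumed weights the sample rows score 141, 46, 30, 8 and 3, which reproduces the page's high/medium/medium/low/low labels; attaching a single CVE to CleanMyMac lifts it to 103 and into second place despite being only 3 days behind.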


The FIXXR Verein.

A Verein is a Swiss non-profit association — the governance structure for projects that belong to a community, not a company. The FIXXR Verein is the entity being formed to steward the protocol, the catalog, and the open-source codebase over the long term.

  • Open membership

    Any individual or organisation can become a member. Governance is democratic. No single entity controls the protocol.

  • Transparent operations

    The Verein's accounts, decisions, and membership are public. Inspired by Objective Development's IAP model — declare what you do and be held to it.

  • Protocol stewardship

    The Verein maintains the FIXXR Protocol specification, the community catalog on DoltHub, and the domain fixxr.org.

  • Community-first economics

    Membership dues fund infrastructure (DoltHub, hosting, CI). The software stays MIT-licensed, free to use, fork, and self-host.

VEREIN STATUS: FORMING — not yet constituted. Founding members being assembled.
Founding Member
HabitusNet Consulting AG
habitus.net
HabitusNet Consulting AG is the founding organisational member of the FIXXR Verein. The project originated from HabitusNet's work building AI-assisted endpoint management for macOS environments. Their membership provides the initial infrastructure and development resources while the Verein's governance structure is being established.

The Verein is not yet formally constituted. If you or your organisation would like to participate as a founding member and help shape how FIXXR is governed, reach out directly.

The library belongs to everyone who tends it.


Declare what you collect.
Be held to it.

Inspired by Objective Development's Internet Access Policy model. Maxx declares exactly what data exists locally, what you can share, and what never leaves your machine. Run fixxr privacy --audit to see the actual stored data alongside the policy.

● LOCAL ONLY: stays on your machine

  • Your full software inventory (535+ apps, versions, mechanisms)
  • All provenance events and update history
  • AI safety assessment logs and the privilege elevation audit trail
  • CVE correlation results and risk scores
  • Observed update methods from fixxr watch

● OPT-IN ONLY: shareable, with your consent

  • bundle_id — which apps you track
  • latest_version — what version Maxx found
  • download_url — where the binary came from
  • sha256 — the verified checksum
  • feed_url, homepage_url, update_mechanism
  • URL patterns from observed methods (no local paths)

● NEVER COLLECTED: not collected, ever

  • App file contents or binaries
  • Your name, email, or device identifiers
  • Network traffic content
  • App usage behaviour or launch frequency
  • Any data from apps listed as system or vendor-managed
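An allowlist filter of the kind the policy above calls for ("enforced in code"), as an added example that is not FIXXR's privacy filter: a local catalog row is reduced to the opt-in fields before an opt-in push, URL fields must be remote http(s) URLs, and observed URL patterns that are really local paths are dropped. The row, the `url_patterns` field name and the local-path heuristic are constructed assumptions; the field names in the allowlist are the ones the page lists.

```python
"""Added example, not FIXXR's own code: allowlist filtering of a catalog row
before an opt-in push, on a constructed local record."""
from urllib.parse import urlsplit

# The opt-in field names as printed on the page; "url_patterns" is an assumed name
# for the "URL patterns from observed methods" item. Everything else is local-only.
SHAREABLE_FIELDS = frozenset({
    "bundle_id", "latest_version", "download_url", "sha256",
    "feed_url", "homepage_url", "update_mechanism", "url_patterns",
})
_URL_FIELDS = frozenset({"download_url", "feed_url", "homepage_url"})
_LOCAL_PATH_MARKERS = ("/Users/", "/private/", "/Volumes/")   # heuristic, assumed


def _is_remote_http_url(value) -> bool:
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def _pattern_is_safe(pattern: str) -> bool:
    """An observed pattern must be a remote http(s) URL with no local path inside."""
    return _is_remote_http_url(pattern) and not any(
        marker in pattern for marker in _LOCAL_PATH_MARKERS)


def filter_for_push(row: dict) -> dict:
    """Return only allowlisted fields; unknown keys are dropped, never passed through."""
    out = {}
    for key, value in row.items():
        if key not in SHAREABLE_FIELDS:
            continue                      # local-only field: never leaves the machine
        if key in _URL_FIELDS and not _is_remote_http_url(value):
            continue                      # e.g. a file:// URL recorded by mistake
        if key == "url_patterns":
            value = [p for p in value if _pattern_is_safe(p)]
        out[key] = value
    return out


# Constructed local catalog row mixing shareable and local-only fields.
SAMPLE_ROW = {
    "bundle_id": "org.example.app",
    "latest_version": "2.0.0",
    "download_url": "https://cdn.example.net/releases/2.0.0/app.dmg",
    "feed_url": "https://updates.example.net/appcast.xml",
    "sha256": "a" * 64,
    "update_mechanism": "sparkle",
    "install_path": "/Users/alice/Applications/App.app",      # local only
    "device_id": "constructed-device-uuid",                   # never collected
    "last_launch": "2024-01-01T00:00:00Z",                    # usage data, local only
    "risk_score": 141,                                        # local only
    "url_patterns": [
        "https://cdn.example.net/releases/{version}/app.dmg",
        "file:///Users/alice/Downloads/app.dmg",              # local path: dropped
    ],
}


if __name__ == "__main__":
    for key, value in filter_for_push(SAMPLE_ROW).items():
        print(f"{key}: {value}")
```

The filter is an allowlist, not a denylist: a new column added to the local schema later is excluded automatically until someone deliberately adds it to `SHAREABLE_FIELDS`, which is the property that makes "only whitelisted fields ever leave" checkable in a code review.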

One command.
The workshop is open.

$ curl -sSL https://fixxr.org/install.sh | bash

macOS 13 Ventura or later · Apple Silicon and Intel supported · Python 3.11+ (via Homebrew)
Dolt installed automatically · No pip dependencies in the core platform

Read the README first if you prefer to review before running install scripts. The installer source is at fixxr.org/install.sh and in the GitHub repo.

After install, Maxx suggests:

$ fixxr scan # discover updates
$ fixxr list --risk # ranked by exposure
$ fixxr setup # grant narrow sudo (one-time)
$ fixxr update # install updates + AI safety check
$ fixxr report # see your endpoint posture