Loupe
Free trial
Audit-grade by construction

Built so the claims are externally verifiable.

Loupe is designed for the people who write security policies, not against them. Every guarantee on this page can be checked from outside the application — by the OS, by the bundle hashes, or by commands your engineering team already knows.

Core guarantees

Six pillars. Six places we'd rather you check our work.

Local-only execution

Loupe ships without the com.apple.security.network.client entitlement. The macOS sandbox blocks every outbound network call at the OS level — not as a policy choice, as a hard system constraint.

SHA-256 chain of custody

Every imported file streams through a SHA-256 hasher at ingest. Hashes anchor every claim in the report to the byte offsets in your raw logs.

AES-256-GCM at rest

Each case is encrypted on disk with a per-case 256-bit key, stored in macOS Keychain with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly access.

Hash-chained audit log

Every action on a case appends to an audit log whose hashes link backward. Tampering breaks every subsequent hash — verified on every case load.

Hardened Runtime, notarized

Apple Hardened Runtime enabled. Library validation enforced. Loupe is signed and notarized by Apple Developer Team 5UF3Q334K6 — verifiable with spctl.

Ed25519-signed activation

License envelopes are signed offline by useloupe.tools and verified locally by Loupe.app against an embedded public key. Loupe never makes a license-server round-trip. The license itself is stored as a flat JSON file at ~/Library/Application Support/studio.shyguy.loupe/license.json — the signature is the integrity boundary, so the file path is bundle-ID-keyed and stable across signing-cert rotations.

Verify yourself

Don't trust. Reproduce.

The four recipes below confirm the security posture from outside Loupe — using only Apple-provided tools and standard Unix utilities. They're the same commands an auditor will run during a software review.

  1. 1

    Confirm zero network entitlements

    $ codesign -d --entitlements - /Applications/Loupe.app

    Expect: no `network.client` or `network.server` entries

  2. 2

    Confirm Apple notarization

    $ spctl -a -t execute -vv /Applications/Loupe.app

    Expect: accepted, source=Notarized Developer ID

  3. 3

    Watch for outbound traffic

    $ sudo tcpdump -i any -nn host useloupe.tools

    Expect: silence while Loupe processes a case

  4. 4

    Verify an export bundle

    $ cd <bundle> && shasum -a 256 -c Hashes.txt

    Expect: every file: OK — confirms zero downstream tampering

The list of things we don't do

Completeness, not coverage.

The privacy market grades vendors on which third-party SDKs they've managed to remove. We'd rather show you what was never there.

  • No telemetry

    Zero analytics, zero usage tracking, zero crash reporting.

  • No third-party SDKs

    No Sentry, no Segment, no Mixpanel, no Amplitude, no Fingerprint. Verifiable with `nm Loupe.app/Contents/MacOS/Loupe | grep -E "Sentry|Segment|Mixpanel|Amplitude|Fingerprint"` — should return nothing. Bundled dependency manifest at Resources/NOTICES.md.

  • No PCC

    On-device-only AI. Loupe uses Apple's LanguageModelSession with no Private Cloud Compute opt-in flag set. Inspect with `codesign -d --entitlements - Loupe.app` — no com.apple.security.network.client entry means PCC routing is structurally impossible.

  • No cookies on opt-in surfaces

    Marketing site uses zero analytics cookies — try it in DevTools.

  • Reproducible RCA rendering

    For any given brief + template, Markdown / IODEF / PDF rendering is byte-identical across runs. The narrator brief itself passes 3-of-5 consensus voting on archetype + supporting events before it ships at all. Brief consensus is exact equality on structured fields; rendering determinism is verified by RCARendererTests.

  • IODEF for machine readers

    Findings export as IODEF XML for SIEM ingestion or compliance pipelines.

  • No background daemon

    Loupe only runs when you launch it. No LaunchAgent, no LaunchDaemon.

  • No accessibility hooks

    Loupe never asks for screen recording, accessibility, or input monitoring.

Coordinated disclosure

We respond to vulnerability reports within five business days. PGP key on request. We'll work with you on a disclosure timeline and credit you in the changelog if you'd like.

security@useloupe.tools

Methodology

Read how we test Loupe — the determinism commitments, the hostile-input adversarial coverage, and the reproducibility recipes that any security reviewer can re-run.

Read the docs