General 19 min read

Which Files Did Your AI Actually Read? The Read-Audit Every Vault Owner Should Keep

MMNMNOTE
aiagentsaudit-trailmcpclaude-codeinotifyfseventslocal-firstobservabilitynotes

Simon Willison named it — "private data, untrusted content, and external communication" — the lethal trifecta.1 Your notes are the private-data leg. One question falls out. Which of your notes did the agent read to answer that? An answer is only as forensic as the log of what was read to produce it. Keep the read-audit yourself — the vendor won't.

The pattern is different from what a write-side audit answers. A write-audit tells you what changed — the companion piece on this blog names the discipline of keeping your own record of what your agent did.2 A read-audit is the other axis. It tells you what the agent saw before it decided what to change. Both matter. Neither is automatic. In 2026 the surface an agent reads over is your files — a folder handed to Claude Code, a roots boundary in the Model Context Protocol, a personal vault indexed on-device. OWASP's LLM06:2025 puts the discipline plainly for LLM extensions: log and monitor.3 The vendor's UI often hides the reads. The OS emits them anyway.

A personal vault owner already has three tiers of visibility available — a five-minute vendor log, a thirty-minute OS-level watcher, and, for the advanced, an MCP-proxy that sniffs the tool-call wire.

What most people believe: the transcript is the record

Most agent transcripts scroll every decision in real time, and the ambient chatter feels like accountability. The transcript tells you what the model said it did. It does not tell you which of your files it opened, which chunks it retrieved from the vault, or which folder it quietly checked. Testimony is not evidence.

The frame shifted this week without much noise. An indie developer, fuzzykidoo, put the shift in one line on dev.to: "MCP didn't give AI memory. It gave AI access to memory."4 Whatever the model appears to remember is, in practice, a series of live reads through the tool-call bus at the moment of the answer. If reading is the mechanism, then reading is the thing to log.

The same pattern shows up in the enterprise. Teams already pay platform observability vendors to answer the read-side question at scale. That market is a signal, not the subject of this essay. The signal is that the discipline is real. The subject is what a personal vault owner can do in the next thirty minutes with tools they already have.

The pivot: the read-path is the private-data leg

Willison's lethal trifecta describes the mechanism: an agent with private data, exposure to text it did not write, and a channel to send bytes outward becomes a leak the moment the three legs touch.1 The read-path is the first leg. Whatever the agent reads is the private data at risk of leaving.

If you cannot see which files the agent opened, you cannot see the surface on which the trifecta might be closing. The standards body has already named the practice. OWASP LLM06:2025's mitigation section opens with a caveat, then names it verbatim: "The following options will not prevent Excessive Agency, but can limit the level of damage caused: Log and monitor the activity of LLM extensions and downstream systems to identify where undesirable actions are taking place, and respond accordingly."3

The caveat is honest. Logging does not stop the read; it makes the read visible. The naming is the point. The read-side of an agent's behaviour is a normal observability surface, not an exotic one. The tools that surface it already exist on every operating system you own.

The related discipline is scope. A companion essay on this blog sets out the positive-permission root — the smallest folder you hand the agent decides what it can read.5 The read-audit is the sequel. Of the files it can see, which ones did it actually open this session?

The argument: three tiers of read-audit, in order of effort

Every serious agent surface in 2026 exposes a knob that shows the reads. Vendor CLIs ship a verbose flag. Every mainstream operating system emits file-access events. The Model Context Protocol standardises tools/list and tools/call at the JSON-RPC frame. The knobs differ per surface — the shape is the same. Pick the tier that matches your effort budget, and layer.

Tier (a) — the five-minute vendor log. Anthropic's Claude Code CLI reference documents --verbose as "Enable verbose logging, shows full turn-by-turn output. Overrides the [verbose setting]".6 Turned on, every Read invocation prints with the file path the agent opened.

Pair it with --add-dir, which the same reference defines as "Add additional working directories for Claude to read and edit files. Grants file access; most .claude/ configuration is [not discovered]".7 The same session ties what the agent is allowed to see to what the agent actually read. The scope decision is --add-dir. The audit decision is --verbose. Two flags, one habit.

Tier (b) — the thirty-minute OS-level watcher. The vendor's log is a courtesy. The OS emits the read whether the vendor talks about it or not. Three surfaces, three names, one habit — inotify on Linux, FSEvents on macOS, and ReadDirectoryChangesW on Windows.

Each hooks the syscall path the vendor UI cannot elide. If the agent opens a file inside the watched folder, the OS says so. The log is a plain text file on your own disk, not a row in a vendor's database. That is the point.

Tier (c) — the MCP-proxy, for the advanced. The Model Context Protocol standardises the tool-call bus. From the specification: "To discover available tools, clients send a tools/list request" and "To invoke a tool, clients send a tools/call request."11 The same page defines the capability advertisement: "Servers that support tools MUST declare the tools capability: { "capabilities": { "tools": { "listChanged": true } } }."12

Because the schema is open, an in-line proxy can see every request the client makes to the server. Someone shipped one this week: kerlenton/mcpsnoop, described by its own README as "Wireshark for MCP. A transparent proxy that shows every real tool call between your AI client and your MCP servers, live in your terminal."13

The maintainer's own problem statement is the honest reason it exists: "The official MCP Inspector connects as its own client, so it never sees what your client (Cursor, Claude Code, Codex) actually sends your server."13 The Show HN post that put the tool in front of the community earned sixty-three points on July 3, 2026. Read that as the signal that the personal-vault owner's version of a discipline the enterprise already buys is being built in the open.

Team-scale observability products solve the same question with dashboards and invoices. You do not need their invoice to run the discipline. You need the tier that matches your effort budget.

The practice: keep the log yourself

Start with the five-minute tier today, and add the OS watcher when the folder starts to matter. Log the read, not the keystroke. Store the log where the agent cannot rewrite it. The habit is boring, and boring is the point. The useful audit is the one you already run when a wrong answer arrives at 11pm.

Three concrete moves, in order:

The layering pairs with the folder-scope discipline of the smallest working root5 and the write-side record of what changed.2 The protocol-layer background is where these reads live in the first place. Each layer catches what the layer above lets through.

The honest caveats: three failure modes to name

This is hygiene, not security. An audit does not stop the read; it makes the read visible. Three failure modes survive every tier, and every reader should hold them. The audit records what was read, not what the vendor retains. The vendor's own log is only as complete as the vendor makes it. And OS-level watchers have real gaps.

One — the audit records the READ, not the RETENTION. OWASP names the ceiling of the discipline in the same sentence that names its usefulness: "The following options will not prevent Excessive Agency, but can limit the level of damage caused."3 Your log tells you which of your files the agent touched during a session.

It does not tell you which characters the vendor kept on their server, cached in a session store, or reserved for training absent a contrary setting. Read-audit needs to pair with a written policy about what should never have been fed to a hosted model in the first place14 and with a check on the training defaults you accepted when you signed up.15

Two — vendor --verbose is only as complete as the vendor makes it. Claude Code's documented behaviour today is full turn-by-turn output.6 A future release could redact tool-call arguments, elide certain paths, or omit tool calls performed inside subagents. That would be a legitimate product decision. It would also close the tier.

The OS-level tier exists precisely because it does not depend on the vendor. If the vendor's log ever disagrees with the OS log, believe the OS.

Three — OS-level watchers have real gaps. Linux's naive read-audit anchor was atime, and every modern mainstream distribution now mounts with relatime or noatime, so atime lags or disappears. inotify IN_ACCESS does not depend on atime; it hooks the syscall path, which is the honest workaround.8

But macOS FSEvents watches directory-level modifications, not per-file reads9; per-file read-audit on macOS needs kernel-audit openbsm/auditd, which needs escalated privileges and a written baseline. Windows NTFS access-time updates have been default-disabled since Vista (fsutil behavior set disablelastaccess); the FILE_NOTIFY_CHANGE_LAST_ACCESS filter fires on subtree change notifications, not on every per-file read.10 Every tier is more than nothing and less than everything.

Layered defence is the shape. The read-audit shrinks the surface a wrong answer can hide inside. The write-audit tells you what changed after the reads.2 The upstream deny-list keeps sensitive classes out of the reachable folder.14 A write-side firebreak keeps a destructive delete from touching everything in scope.16 The append-only pattern preserves what an agent may write.17 Secrets never live where an agent reads.18 The user turn you typed is worth saving too.19 The session file you carried across a model handoff carries its own discipline.20 Each of these is a layer. The read-audit is the one that watches the eyes.

Frequently asked questions

How do I see which files Claude Code read to answer a question? Run the session with --verbose on. Anthropic's CLI reference documents the flag as "Enable verbose logging, shows full turn-by-turn output."6 Redirect the output to a dated file (claude --verbose > ~/logs/agent-2026-07-08.txt 2>&1), and every Read invocation prints with the file path. Grep the transcript for Read ( to lift only the read-lines from the log.

How do I log the files an AI agent opened during a session? Three tiers. The five-minute tier is the vendor's own verbose log: --verbose on Claude Code6, the equivalent on your CLI of choice. The thirty-minute tier is an OS-level watcher: inotifywait -m -r -e access ~/notes/8 on Linux, an FSEvents client on macOS9, ReadDirectoryChangesW on Windows.10 The advanced tier is an MCP-proxy that sits between your client and its servers.13

How do I audit MCP tool calls locally? The protocol layer is where the reads live. The MCP specification defines "to discover available tools, clients send a tools/list request" and "to invoke a tool, clients send a tools/call request".11 Every conforming server declares its tool capability under { "capabilities": { "tools": { "listChanged": true } } }.12 A transparent proxy — Mcpsnoop is one reference implementation — captures every request on that channel and prints it live.13

Which notes did Claude Code read to answer this question? Every Read tool call is printed by --verbose with the file path.6 Grep the transcript for Read ( to isolate the reads. Pair the read-side transcript with --add-dir so the scope of what was allowed to be read is on the record next to what was actually read.7

Can my agent leak files by touching things it shouldn't? Yes. The read-path is the private-data leg of Willison's lethal trifecta.1 The moment private data, untrusted content, and an external channel are all present, the read is the seed of the leak. The two mitigations are scoping the folder and auditing the reads inside it. A smaller root is the first move5; the read-audit is the second.

How do I log file reads on Linux, macOS, and Windows? On Linux, inotify(7) emits IN_ACCESS: "IN_ACCESS (+) File was accessed (e.g., read(2), execve(2))."8 On macOS, Apple's FSEvents API delivers "notification when the contents of a directory hierarchy are modified"9 at the directory level; per-file reads require openbsm/auditd. On Windows, ReadDirectoryChangesW accepts FILE_NOTIFY_CHANGE_LAST_ACCESS on subtree change notifications.10

Is a tool-call log the same as knowing what the model retained? No. The audit records the read, not the retention. OWASP says it plainly: the discipline "will not prevent Excessive Agency, but can limit the level of damage caused."3 The log tells you what the agent opened on your machine. It does not tell you which characters the vendor kept, cached, or used for training. Layer read-audit with an upstream deny-list14 and a check on your training defaults.15


Steph Ango's version is the philosophical anchor: "Apps are ephemeral, but your files have a chance to last. If you want to create digital artifacts that last, they must be files you can control, in formats that are easy to retrieve and read."21 The corollary is that the log of what an app read from your files is also yours to keep. The vendor's transcript will roll away when the vendor does. The plain text file the kernel wrote survives.


Your notes live on your device as plain Markdown files, so the OS can watch them and the log is a file right next to them — mnmnote.com is the same shape at the layer below.


References


Footnotes

  1. Simon Willison, "The lethal trifecta for AI agents: private data, untrusted content, and external communication," simonwillison.net, 2025-06-16. https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/ 2 3

  2. MNMNOTE, "The Only Record of What Your Agent Did Is the One You Keep," blog.mnmnote.com, 2026-06-14. https://blog.mnmnote.com/posts/the-only-record-of-what-your-agent-did 2 3

  3. OWASP Foundation, "LLM06:2025 Excessive Agency — Prevention & Mitigation," OWASP Top 10 for LLM Applications 2025. https://genai.owasp.org/llmrisk/llm062025-excessive-agency/ 2 3 4

  4. fuzzykidoo, "MCP didn't give AI memory. It gave AI access to memory.," dev.to, 2026-07-02. https://dev.to/fuzzykidoo/mcp-didnt-give-ai-memory-it-gave-ai-access-to-memory-3jh

  5. MNMNOTE, "The Root of View Is the Permission: Shape the Folder You Hand Your AI," blog.mnmnote.com, 2026-07-07. https://blog.mnmnote.com/posts/shape-the-folder-you-hand-your-ai 2 3

  6. Anthropic, "CLI reference — --verbose," Claude Code documentation, retrieved 2026-07-08. https://code.claude.com/docs/en/cli-reference 2 3 4 5 6

  7. Anthropic, "CLI reference — --add-dir," Claude Code documentation, retrieved 2026-07-08. https://code.claude.com/docs/en/cli-reference 2 3

  8. Michael Kerrisk, "inotify(7) — Linux manual page," man7.org, kernel v6.14 series. https://man7.org/linux/man-pages/man7/inotify.7.html 2 3 4 5

  9. Apple, "File System Events Programming Guide — Introduction," Apple Developer Archive. https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/FSEvents_ProgGuide/Introduction/Introduction.html 2 3 4

  10. Microsoft, "ReadDirectoryChangesW function," Win32 API reference, Microsoft Learn, retrieved 2026-07-08. https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-readdirectorychangesw 2 3 4 5

  11. "Server → Tools — Protocol Messages," Model Context Protocol specification, version 2025-06-18. https://modelcontextprotocol.io/specification/2025-06-18/server/tools 2

  12. "Server → Tools — Capabilities," Model Context Protocol specification, version 2025-06-18. https://modelcontextprotocol.io/specification/2025-06-18/server/tools 2

  13. kerlenton, "mcpsnoop — Wireshark for MCP (transparent proxy and live TUI)," github.com/kerlenton/mcpsnoop, MIT, retrieved 2026-07-08; Show HN item 48777144, 2026-07-03, 63 points. https://github.com/kerlenton/mcpsnoop 2 3 4 5

  14. MNMNOTE, "Decide What Not to Feed the AI," blog.mnmnote.com. https://blog.mnmnote.com/posts/decide-what-not-to-feed-the-ai 2 3

  15. MNMNOTE, "Does Your AI Assistant Train on Your Notes?" blog.mnmnote.com. https://blog.mnmnote.com/posts/does-your-ai-assistant-train-on-your-notes 2

  16. MNMNOTE, "A Destructive-Action Firebreak for Your Vault," blog.mnmnote.com. https://blog.mnmnote.com/posts/a-destructive-action-firebreak-for-your-vault

  17. MNMNOTE, "Let the AI Add Lines, Never Rewrite History," blog.mnmnote.com. https://blog.mnmnote.com/posts/let-your-ai-agent-append-not-overwrite

  18. MNMNOTE, "Secrets Do Not Belong in Notes an AI Reads," blog.mnmnote.com. https://blog.mnmnote.com/posts/secrets-do-not-belong-in-notes-an-ai-reads

  19. MNMNOTE, "Keep the Raw Prompt You Sent Your AI," blog.mnmnote.com. https://blog.mnmnote.com/posts/keep-the-raw-prompt-you-sent-your-ai

  20. MNMNOTE, "Recover Your Work from the AI Tool's Session Files," blog.mnmnote.com. https://blog.mnmnote.com/posts/recover-your-work-from-the-ai-tools-session-files

  21. Steph Ango, "File over app," stephango.com, 2023-07-01. https://stephango.com/file-over-app