Native macOS · Governance-ready · Audit-complete

Governed AI your
board can approve.

Crewfile gives ambitious organisations a complete, governed AI workforce — with a kernel-level audit trail, constitutional authority controls, and cryptographic protection of your ops config. For leaders who want to move fast and have the governance to prove it.

Download Crewfile.app macOS 13+ · Free trial See how protection works
crewfile — session start
$ cd agency-ops && claude
 
# Crewfile.app — SessionStart
Token verified — Studio plan
Fetching ops config...
5 agents loaded
7 skills active
ES protection: active
 
# Protected paths (kernel-level):
managed-settings.json
core-ops/CLAUDE.md
 
Claude
9:41 AM
cf
Status
Protected
Endpoint Security Active
Last ops sync 2 min ago
Protected files 3 files
Plan Studio
The problem

The governance gap AI creates.
And how Crewfile closes it.

Most organisations have deployed AI. Very few have governed it. The gap between "we use Claude" and "we can defend how we use Claude" is exactly where Crewfile lives.

Without Crewfile
No audit trail. If a client asks what AI context was used in their deliverables, you have no answer.
Every staff member prompts Claude differently. Outputs vary by person, not by standard.
Junior or departing staff can expose client data to AI with no governance or logging.
Your board asks about AI governance. You have no documented policy, no audit log, no controls.
One misconfigured session can leak context across clients — with no way to detect or prove it didn't.
With Crewfile
Immutable audit log. Every session, every permission change, every blocked tamper attempt — recorded.
Every session loads the same ops config. One definition of how AI operates in your organisation.
Constitutional admin model. One person holds authority. All changes require their explicit approval.
Kernel-level file protection. Your AI governance config cannot be modified by any process — including root.
Client-scoped tokens for freelancers. No cross-client context. No exposure you can't account for.
Who it's for

Built for innovators
who carry the responsibility.

Crewfile is for leaders who are already running with AI — and who know that being early doesn't mean being ungoverned. You're not asking whether to use AI. You're asking how to use it in a way you can stand behind.

👤
CEO / Founder
You've mandated AI adoption but have no visibility into how it's actually being used. You need a governance story for your board, your clients, and your legal counsel — without slowing your team down.
→ Constitutional authority over all AI ops
→ Board-presentable governance model
→ No technical setup required
⚙️
CTO / Head of Digital
You're the one being asked to implement AI governance with no precedent and limited time. You want something that actually works at the technical layer — not a policy document that nobody enforces.
→ Git-native — no new infrastructure
→ Kernel-level enforcement, not policy
→ Delegated authority model
⚖️
Compliance / Legal / Risk
You've been asked to review the organisation's AI usage and you're not satisfied with "we're careful." You need an auditable record of who had access to what AI context, when, and on whose authority.
→ Immutable permission audit log
→ Tamper detection with evidence trail
→ GDPR-defensible access model
Digital agencies
Consistent client delivery
Professional services
Law, accounting, consulting
Health & education tech
Regulated data environments
Nonprofits & NGOs
Donor and compliance accountability
Governance-ready

The audit trail your
legal team will actually want.

Crewfile doesn't just make AI consistent — it makes it accountable. Every session, every permission change, every blocked tamper attempt is logged immutably. You always know who had access to what, and when.

Immutable audit log
Every action, recorded forever
Every permission change, every staff addition or removal, every tamper attempt — written to an append-only log stored both on the Crewfile server and as a git commit trail in your repo. Two independent records. Neither can be modified retroactively.
Apr 1 · 14:32 @jane added as staff
Apr 3 · 09:11 CLAUDE.md updated — PR #42
Apr 5 · 16:44 ⊘ Tamper blocked — Terminal · @contractor
Apr 8 · 11:20 @contractor removed — project end
Constitutional authority
One person holds the keys
The CEO or designated admin holds constitutional authority over all AI ops. No change to agents, skills, or operating instructions can reach the live system without their explicit approval — enforced by GitHub's branch protection at the server level.
All changes require CEO approval as a pull request
Delegated authority model for CTOs and Heads of
Clean handover wizard when leadership changes
Immutable transfer trail — no disputed authority
GDPR & data defensibility
Know what context each session had
Crewfile controls exactly what context Claude loads in each session — which clients, which data, which instructions. Freelancers get scoped tokens with no cross-client visibility. You can answer "what did the AI know about this client and who authorised it" for any session, any time.
Tamper detection
Know if anyone tried to change the rules
The Endpoint Security extension logs every blocked write attempt — including which process triggered it and on which machine. The CEO's dashboard shows tamper alerts in real time. There's no way for a staff member to modify governance config without that attempt being recorded, even if it's blocked before it succeeds.
The governance answer your board is waiting for.
Print the audit log. Show the tamper detection record. Point to the constitutional admin model. Crewfile is your AI governance policy, implemented — not written.
Start free trial →
How protection works

Five layers. One absolute floor.

Crewfile's protection is layered — each layer independent of the others. The local layers stop accidents and casual circumvention. The kernel layer stops determined technical users. The GitHub layer is the absolute floor that nothing can breach.

1
CLAUDE.md instructions
Tells Claude what it should and shouldn't do. Advisory — a well-prompted Claude respects this. Can be overridden by a manipulated session.
Advisory
2
PreToolUse hooks in .claude/settings.json
Intercepts and blocks Claude's write attempts to protected paths before they execute. Committed to the repo — applies to every staff session.
Reactive
3
Crewfile.app — Endpoint Security System Extension
A kernel-level policy registered via Apple's Endpoint Security API. Intercepts and blocks any write to protected files from any process — including root — before it reaches the filesystem. Installed once with the app. Cannot be bypassed with sudo.
Kernel level
4
Crewfile.app — Cryptographic signing + watchdog
The privileged helper signs every write to managed-settings.json with a private key stored in the macOS Keychain. Claude Code verifies the signature on every session start. Unsigned content is rejected. A background daemon restores and re-signs every 5 minutes.
Cryptographic
5
GitHub CODEOWNERS + branch protection
Server-enforced by GitHub. No local override is possible — ever. Every change to core files must arrive via PR and receive CEO approval before merging. Git history is immutable. This is the absolute floor that protects against all local circumvention.
Constitutional
How the Endpoint Security Extension works
Apple's Endpoint Security API lets the app register a policy at the kernel level. Every file operation is evaluated against this policy before it executes. There is no userspace bypass — the kernel decides before any process gets to touch the file.
Any process
root, sudo, Claude Code, any app
Write attempt
ES_EVENT_TYPE_AUTH_OPEN fires
ES policy check
Crewfile extension evaluates path
EPERM returned
Write blocked. File untouched. Log entry created.
V1 ships with Layers 1–4. The Endpoint Security extension (Layer 3) requires Apple to approve the com.apple.developer.endpoint-security.client entitlement. This is standard for security applications and requires a one-time user approval in System Settings → Privacy & Security. V2 targets this as the Studio and Agency tier feature.
The install

One prompt.
Everything active.

Crewfile replaces bash scripts, MDM subscriptions, and manual file permissions with a single app download. Staff install it the same way they install anything else.

1
CEO subscribes, gets the download
Subscribe on crewfile.io. Download Crewfile.app. A unique token is generated for the organisation and stored inside the app's first-run configuration.
2
CEO runs setup on each machine
Open Crewfile.app on the machine being set up. The app detects the machine role (CEO or staff) and presents the configuration screen. One Mac password prompt installs the privileged helper and Endpoint Security extension.
3
One approval in System Settings
macOS prompts the user to approve the System Extension in System Settings → Privacy & Security. This is the same prompt users see for Little Snitch, Lulu, or any security application. One click. Never asked again.
4
Staff clone the repo and start Claude Code
Git clone the agency-ops repo. Run claude from inside it. The SessionStart hook fetches the ops config, loads agents and skills, and confirms protection is active. The menubar icon turns green.
5
CEO sees all machines in the dashboard
The CEO's Crewfile.app shows all enrolled machines, their last check-in time, protection status, and any tamper alerts. No external dashboard needed — it's built into the app.
Asked once only
cf
"Crewfile" wants to install a System Extension
Crewfile needs a System Extension to protect your AI ops configuration at the kernel level. This extension will block unauthorised writes to Crewfile's protected files.

You will be asked to approve this in System Settings → Privacy & Security.
This prompt appears once. The extension runs silently in the background and cannot be removed without your Mac password.
What gets protected
/Library/…/ClaudeCode/managed-settings.json
/Library/…/ClaudeCode/core-ops/CLAUDE.md
/Library/…/ClaudeCode/core-ops/guardian.sh
All other files on the machine are completely unaffected.
Pre-built workforce

A team, ready to deploy.

Every subscription includes a curated set of agents and skills for digital agency operations — all in your git repo, all yours to extend.

📋
Account Manager
Client relationship briefs, project summaries, stakeholder comms. Knows your client roster from the repo.
⚙️
Tech Lead
Technical scoping, architecture decisions, delivery estimates. Stack-aware out of the box.
📄
Proposal Writer
Full client proposals from a brief — scope, timeline, pricing — against your delivery standards.
📅
Delivery PM
Sprint scoping, resource allocation, status reports. Knows the team and the process.
🔍
Client Brief Skill
Auto-triggered when discussing new work. Structures requirements into a clean brief.
Code Review Skill
Auto-triggered on development work. Reviews against your agency delivery standards.
🎨
Figma MCP + Skill
Bidirectional Figma integration. Paste a Figma URL — Claude reads design data and generates code against your component library. Push live UI back to Figma as editable layers.
Third-party tool governance
Any MCP server. One governance model.
Figma, GitHub, Slack, Linear, Notion — any tool that exposes an MCP server integrates into your Crewfile workspace the same way. The MCP config lives in .mcp.json (CEO-controlled, CODEOWNERS-protected). The skills that govern how Claude uses each tool live in .claude/skills/ (same governance). Authentication is per-user via OAuth — personal tokens stored in macOS Keychain by Crewfile.app, never in the repo.
🎨 Figma 🐙 GitHub 💬 Slack 📋 Linear 📝 Notion + any MCP-compatible tool
Your repo, your rules. Agents, skills, and MCP connections are all markdown and JSON files committed to your repo. Customise freely. Changes flow through the CEO's approval workflow automatically — the governance model applies equally to first-party skills and third-party integrations.
Figma integration

Design-to-code,
governed like everything else.

Figma has a first-class MCP server with Claude Code. The right setup for a governed team is the Claude Code Plugin — it bundles the MCP connection, OAuth authentication, and Agent Skills in one install that commits to your repo and propagates to all staff automatically.

What it enables
Design → Code. Paste a Figma URL. Claude reads the full design data — layers, tokens, Auto Layout, components — and generates code against your stack and component library.
Code → Canvas. Claude captures your live-rendered UI and pushes it back to Figma as editable layers. Designers iterate without a handoff doc.
Design system audit. Claude checks a Figma frame against your component library before writing a line of code — flags gaps instead of silently approximating.
FigJam as context. User flows and architecture maps in FigJam feed directly into implementation — no translation step.
Setup — CEO does once
# Install plugin — writes .mcp.json + skills
claude plugin install figma@claude-plugins-official
 
# Commit to repo — all staff get it on pull
git add .mcp.json .claude/skills/figma/
git commit -m "feat: add Figma MCP"
Each staff member authenticates once with their own Figma account via OAuth. Their personal token is stored in Keychain by Crewfile.app — never in the repo.
Figma plan required
Developers need a Dev or Full seat on Figma Professional. The free plan allows only 6 tool calls/month.
Pricing

Per agency, not per seat.

Your entire workforce on one plan. No per-user fees as you grow.

Starter
$79
per month
For solo operators and micro-agencies starting with AI-native ops.
  • 1 CEO + up to 3 staff
  • 4 agents, 6 skills
  • Cryptographic signing + watchdog
  • Remote ops config
  • GitHub setup via CLI
Get started
Most popular
Studio
$149
per month
For growing agencies who need the full governed AI workforce.
  • 1 CEO + up to 12 staff
  • All agents + skills included
  • Endpoint Security extension (kernel-level)
  • CEO dashboard — all machines
  • Freelancer scoped tokens
  • Remote Control guidance
  • Priority support
Get started
Agency
$349
per month
For established agencies building Crewfile into their own IP.
  • Unlimited staff
  • White-label app binary
  • Custom ops domain
  • Dedicated ops instance
  • Custom agent development
  • Reseller agreement available
  • Onboarding call + QBR
Talk to us
Technical architecture

For the spec-minded buyer.

Full transparency on what the app installs, what the vendor controls, and what stays entirely on your machine.

The app's components

Component What it does Runs as
Crewfile.app (SwiftUI) Menubar app. CEO dashboard. Token management. Machine status. Configuration UI. Current user
io.crewfile.helper Privileged LaunchDaemon. Owns protected files. Signs managed-settings.json. Watchdog restores every 5 min. Stores CREWFILE_TOKEN in Keychain. root
io.crewfile.extension Endpoint Security System Extension. Registers ES_EVENT_TYPE_AUTH_OPEN policy. Blocks all writes to protected paths at kernel level from any process. kernel
load-core.sh SessionStart hook. Fetches canonical CLAUDE.md from ops.crewfile.io on every Claude Code session. Falls back to local signed copy if offline. root (via helper)

Vendor vs customer control

Crewfile controls
ops.crewfile.io ← remote CLAUDE.md server Token validation ← billing gate App binary updates ← signed by Crewfile Extension entitlement ← Apple-approved Pre-built agents/skills ← shipped with app
Customer controls
agency-ops/ repo ← customer owns entirely .claude/agents/ ← customise freely .claude/skills/ ← extend or replace memory/learnings.md ← CEO curates client-work/ ← all delivery work
Privacy: Crewfile cannot see your repo. The only data that reaches our servers is your token (for validation) and the CLAUDE.md we serve back. Your code, your client data, your agents, your sessions — none of it leaves your machine or your GitHub account. Third-party MCP connections (Figma, GitHub, Slack) are direct from your machine to those services — Crewfile sits between you and Claude Code, not between you and your tools.

Vendor repository architecture

RepositoryVisibilityPurpose
crewfile/crewfile-app Private The native macOS app. SwiftUI + Swift system extension + Go privileged helper. Distributed as a notarised .dmg from crewfile.io.
crewfile/crewfile-template Private The agency-ops repo template customers clone. Granted on payment via GitHub API.
crewfile/crewfile-ops Private Canonical CLAUDE.md and agent config served from ops.crewfile.io, per subscription tier.
crewfile/crewfile-docs Public Documentation, setup guides, security model explanation. Built transparent — customers know exactly how the system works.