Install & first scan
Download the signed .dmg, drag the app to Applications, and run your first scan in under two minutes.
1. Download
Grab the signed, notarized .dmg from
dl.tekimax.ai/get.
The build is signed with our Apple Developer ID (2enovate LLC, Team ID
96PL364LHU) and notarized by Apple, so Gatekeeper opens it on a
clean macOS install with a single "Open" confirmation.
The /get URL routes through a small free-download counter (total +
per-day + country + referrer + UTM tags, all aggregate, no IPs or
per-request rows) and then 302s to the real .dmg on dl.tekimax.ai.
You can also fetch the file directly from
dl.tekimax.ai/transcript-vault.dmg
if you'd rather skip the counter.
2. Install
Open the .dmg and drag Transcript Vault to your Applications
folder. Eject the disk image when you're done. The app is fully
self-contained.
3. Run your first scan
Launch Transcript Vault from Applications. On first launch macOS may ask for read-access to your home folder, allow it.
The scanner sweeps the on-disk session files written by each supported assistant:
| Assistant | Path |
|---|---|
| Claude Code | ~/.claude/projects/<project>/<session-uuid>.jsonl |
| OpenAI Codex CLI | ~/.codex/sessions/YYYY/MM/DD/rollout-*.jsonl and ~/.codex/history.jsonl |
| Gemini CLI | ~/.gemini/tmp/<project_hash>/checkpoint-*.json (and the auto-checkpoints under checkpoints/) |
| Google Antigravity | ~/.gemini/antigravity/brain/<task>/*.{md,log}, the per-turn JSONs under .system_generated/messages/, and session annotations at annotations/*.pbtxt |
The scanner is system-folder-blind. It does not walk
~/Documents, does not read your shell history, and does not
ask for Full Disk Access.
Click Scan. The app reads each transcript file, looks for API keys, tokens, and private-key patterns, and lists the ones it flags. Each finding shows the source assistant, the file path, the line number, the kind of secret detected, and a masked preview of the value (first 4 + last 4 with a fixed star count in the middle, so the redaction never leaks the secret's length).
Detection is heuristic. It can over-flag (a string that looks like a key but isn't) and it can miss (a key in an unusual format). The app says so plainly so you know what to double-check.
4. Read the report
The findings view shows one row per leaked key:
- Source — Claude / Codex / Gemini CLI / Antigravity badge
- File — the transcript that contains it
- Line — clickable; jumps straight to that line in context
- Kind — what the app thinks it found (Anthropic key, OpenAI key, AWS key, GitHub PAT, generic bearer token, etc.)
- Status —
Needs rotationorRotated
Click any row to open the transcript at the matched line, with the secret value masked.
5. Rotate, then encrypt
For each finding:
- Open the provider's dashboard and rotate the key there.
- Come back to Transcript Vault and mark it Rotated.
- Once everything in a transcript is rotated, click Encrypt on that transcript. The plain text gets saved into the encrypted vault.
- (Optional) Delete the leftover plain-text original. This is an explicit second step, not a default — the encryption alone is what protects the secret.
That's the whole loop. Re-scan whenever you've used an assistant heavily. The background watcher (free, runs by default) also picks up new transcripts and new leaks within seconds without a manual rescan.
Uninstall
Quit the app, then drag Transcript Vault from Applications to the
Trash. The encrypted vault lives at
~/Library/Application Support/dev.tekimax.transcriptvault/ and can
be deleted independently if you want it gone too. None of your
original Claude Code, Codex, Gemini CLI, or Antigravity transcripts
are touched by uninstalling.