Claude Code & Codex Monitor Pro Privacy Policy
Last updated: 2026-07-12
Claude Code & Codex Monitor Pro is a local Stream Deck plugin. It does not operate an Iridium activity server and does not sell, share, or collect user-identifiable analytics.
Activity Monitoring
Monitoring is disabled until you select the provider-labelled Install monitoring button. Guided setup can:
- Add marked handlers to
~/.claude/settings.jsonor~/.codex/hooks.jsonwithout replacing unrelated hooks. - Add marked events-only OpenTelemetry settings to
~/.claude/settings.jsonfor exact Claude permission decisions. Existing or managed telemetry destinations and content-logging settings are preserved and reported as incompatible. - Run one authenticated HTTP receiver bound only to
127.0.0.1on a port from38173through38183for installed providers. - Read at most the first 64 KiB and final 1 MiB from up to 32 local Codex rollout files modified within 24 hours when Codex monitoring is installed. The initial metadata line distinguishes top-level sessions from subagents; only top-level tails are used for question and completion fallback.
- Generate a fail-open Codex wrapper in platform-standard per-user application data when Codex monitoring is installed.
Provider hook requests can contain prompts, notification text, tool arguments, or tool output. The receiver accepts at most 2 MiB, extracts only the provider, session identifier, lifecycle event, attention kind, notification type, background-task count, opaque subagent identifier, and timestamp, then discards the raw body. To prevent a parallel Claude tool from clearing an unrelated permission prompt, the receiver computes keyed HMAC correlation references from the tool call identifier and, when needed, the tool name and input. Only these opaque references, their attention kind, and timestamp are stored while input remains unresolved. They are removed after resolution, session completion, provider removal, or expiry and are never sent to the property inspector. Claude notification text, background descriptions and commands, Codex agent types, transcripts, messages, tool output, and tool errors are ignored. Raw hook bodies are not logged or written to disk.
Codex rollout metadata is structurally allowlisted to the rollout ID, canonical session ID, thread source, parent thread ID, and presence of a subagent marker. Subagent rollouts are ignored as sessions and folded into their parent through native lifecycle hooks. The raw prefix and tail are discarded immediately. Rollout paths, agent names, prompts, commands, other session content, and raw identifiers are neither retained nor logged; Diagnostics exposes only aggregate ignored and malformed counts.
Claude Code also sends an events-only OpenTelemetry JSON envelope to the authenticated loopback receiver. The envelope can include account identity and unrelated attributes. The plugin allowlists only event name, session ID, tool-use ID, accept or reject decision, emitter version, and timestamp; it HMAC-pseudonymizes identifiers immediately and discards the complete envelope. Account identity, email, tool name, prompts, responses, commands, arguments, output, and resource attributes are not retained, logged, exposed to Stream Deck, or forwarded. Metrics, traces, prompts, assistant responses, tool details and content, and raw API bodies are explicitly disabled in the owned configuration.
Session, subagent, unresolved tool-correlation, and Claude decision-capability identifiers are converted to keyed HMAC references before storage. Activity state contains only provider, pseudonymized references, normalized state, attention kind, background counts, signal source, up to eight observed exact-capable emitter versions, and timestamps. Version evidence records only the version string and the time a valid exact decision was observed. It contains no project name, account identity, prompt text, completion text, background command or description, tool arguments, tool output, or raw identifier. The temporary mapping between a pseudonymized tool input and pseudonymized tool-use ID remains in memory only.
Activity data is not sent to Iridium or another remote service.
Quota Data
After independent Codex quota authorization, the plugin reads file-backed Codex auth.json for the current access token and account ID needed for usage checks. Those values are sent only to chatgpt.com/backend-api/wham/usage. The plugin does not read OS credential stores, alter cliauthcredentials_store, or ask users to paste tokens.
No activity state, Stream Deck layout, prompt, completion, or project content is included in the request. Tokens, account IDs, and raw provider responses are not shown in the property inspector or written to logs.
After separate authorization on Windows or macOS, Claude Code opens its normal browser login using a plugin-owned isolated configuration directory. The plugin never reads or modifies the user's normal Claude Code or Claude Desktop credential. The isolated access and refresh values stay in memory except when the plugin stores its renewed token bundle in Stream Deck global settings and its own credential file. Symlinked, malformed, unsafe, or concurrently changed files are refused. The access token is sent only to api.anthropic.com/api/oauth/usage; renewal is sent only to platform.claude.com/v1/oauth/token. The response supplies exact account-wide 5-hour and 7-day percentages and reset timestamps, covering usage from Claude Code CLI and Claude Desktop. The plugin does not open Claude's Usage panel, use accessibility APIs, send artificial prompts, or read conversation content.
A previously installed Claude Code status-line bridge may provide an exact fallback observation from the documented rate_limits payload. It forwards only the four numeric quota fields over authenticated 127.0.0.1; prompts, paths, models, session IDs, credentials, and every other status-line field are discarded inside the helper.
Data Stored
The local integration stores a random bearer token, selected loopback port, generated helpers, integration metadata, pseudonymized structural activity records, normalized quota windows, and sanitized health codes in platform-standard per-user application data. Stream Deck global settings also hold the plugin's renewed Claude token bundle after authorization. Credentials are excluded from diagnostics and logs. File permissions are restricted to the current user where the operating system exposes POSIX-style modes.
Monitoring configuration retains no backup. Claude quota installation stores the exact prior statusLine object in user-only integration metadata so removal can restore it. Configuration updates use a same-directory temporary file, verify that the original did not change concurrently, replace it atomically, and remove the temporary file. Managed, malformed, symlinked, ambiguous, concurrently changed, or partially modified owned status-line settings are refused rather than overwritten.
Stream Deck separately stores provider quota authorization, the Codex live-check and source-path settings, the renewed Claude token bundle, thresholds, dial provider, and refresh settings through its local settings APIs. No Codex token or account ID is stored in Stream Deck settings.
Logs
Logs are limited to non-sensitive status and diagnostic messages. Raw hook bodies, tokens, prompts, completions, tool content, and raw provider responses are not logged.
Deleting Data
Before uninstalling, use Revoke Claude quota and Revoke Codex quota, then use each provider's Remove monitoring control. Monitoring removal deletes only that provider's owned hooks and activity state. Claude monitoring removal also deletes the exact plugin-owned OpenTelemetry environment entries and decision correlations. Codex monitoring removal also deletes its generated monitoring wrappers and watcher. Quota authorization is unchanged. Shared receiver data remains while monitoring or a previously installed Claude CLI fallback is enabled.
Uninstalling the Stream Deck plugin alone cannot remove external hook entries or the plugin-owned Claude quota login because Stream Deck provides no reliable plugin-uninstall lifecycle callback. If Claude quota is not revoked first, its isolated refresh credential remains in the stable legacy per-user Claude Code & Codex Monitor Claude Quota application-data folder until manually deleted. Manual recovery instructions are provided in docs/setup.md.
Use Revoke Codex quota to delete Codex plugin authorization, live-check setting, source override, and cached quota. Use Revoke Claude quota to delete Claude authorization, the isolated login file, the Stream Deck-held renewed token bundle, and cached quota. Revocation does not remove monitoring or sign Claude Code or Claude Desktop out. Removing the Stream Deck plugin deletes its remaining Stream Deck-managed settings but cannot clean up the isolated Claude login, external monitoring hooks, or a legacy Claude status-line wrapper.
Scope
Activity monitoring covers agents running as the same native OS user and in the same network namespace as Stream Deck. WSL, containers, SSH sessions, cloud agents, and other OS users are not monitored in v1.
Not Affiliated
Claude Code & Codex Monitor Pro is not affiliated with OpenAI, Anthropic, Claude, Codex, Corsair, or Elgato.
Contact
support@iridiumindustries.eu