Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt

Use this file to discover all available pages before exploring further.

The desktop agent (pgshadow) inspects LLM provider API egress at the network layer. One agent covers any app or tool that calls the public LLM APIs — Cursor, IDE assistants, and SDK/API-based tools — across the whole machine.
Scope: the agent matches traffic to the provider APIs (api.openai.com, api.anthropic.com, Gemini, …). Consumer web apps do not use those APIs — ChatGPT, Claude, and Gemini in the browser (and the ChatGPT/Claude native desktop apps) call private web backends, so they are not covered by the agent. That surface is the browser extension, which is on the roadmap.

Install (user-space tier)

./install.sh
pgshadow login --api-key pg_live_… --cloud      # or --local for self-hosted
pgshadow start                                  # interceptor + system proxy
# trust the agent CA once (admin), then:
pgshadow doctor                                 # verify engine + CA + proxy
pgshadow stop                                   # safe teardown (reverts proxy)
The device credential is stored in the OS keychain (macOS) with a file fallback. Switch infra anytime: pgshadow login --cloud | --local | --base-url ….

Covered providers

Anthropic, OpenAI (chat + responses), Google Gemini, Perplexity, Mistral, and Cohere. Adding a provider is one entry in the agent’s target list.

Deployment tiers (be honest with your security team)

User-space agent (today)

Trusted CA + system proxy. Ships now; great for pilots and SMB. A local admin can disable it unless MDM-force-installed; cert-pinned apps bypass.

System Extension / WFP (enterprise)

macOS System Extension / Windows WFP driver. CA is MDM-managed, tamper-resistant, survives uninstall, no user action. Same detection logic; only the capture mechanism hardens.
Inspecting HTTPS content requires terminating TLS — i.e. a certificate — in both tiers. The enterprise tier doesn’t remove the certificate; it makes it MDM-managed and the interceptor tamper-resistant. Certificate-pinned apps bypass the proxy in both tiers. See the security model for the full threat analysis.

Enforcement & privacy

  • Block / redact / allow at send-time (the correct DLP point), with a native notification on a block.
  • Edge redaction: in redact mode sensitive values are masked on-device; the raw value is never transmitted.
  • Fail-closed by default if the engine is unreachable (configurable).
  • Cross-platform: identical interceptor + protocol on macOS and Windows; only the OS integration (CA trust, proxy toggle, autostart) differs.