Skip to main content
The desktop agent is the part your team installs. Once it’s on, it watches the AI tools they already use and applies your policy on the device, before a prompt or file is sent — no browser extension required, because one agent covers both the AI apps in the browser (ChatGPT, Claude) and the AI APIs behind coding tools (Cursor, IDE assistants, SDKs). It ships today on macOS (signed and notarized). Windows and Linux are in active development (private preview) and not yet generally available.

Install

Getting a single machine running takes about five minutes — install the bundle, then one guided command:
./install.sh
pgshadow init --api-key pg_live_xxxxx --cloud   # logs in, starts, trusts the cert, verifies

Full quickstart

Step-by-step: prerequisites, the menu-bar option, verifying, your first block, and uninstall.
The rest of this page is the reference — what’s covered, how it enforces, the deployment tiers, and the honest limits.

What it protects

The agent works from a host allowlist of known AI vendors — it inspects traffic to those hosts and leaves everything else untouched. The current list covers:
AI vendor / toolCovered
ChatGPT / OpenAI
Claude / Anthropic
Google Gemini
Perplexity
Mistral
Cohere
Microsoft Copilot
GitHub Copilot
Cursor
DeepSeek
Grok (x.ai)
Poe
HuggingChat
Meta AI
This covers both the AI web apps in the browser and the AI APIs behind coding tools and SDKs. Adding a new vendor to the allowlist is a small config change on our side — see Known Limitations for how to request one.
PlatformStatus
macOS✅ generally available (signed + notarized)
Windows🚧 in development (private preview)
Linux🚧 in development (private preview)

What happens at send-time

Every paste, prompt, or upload gets one verdict in milliseconds:
  • Block — secrets, API keys, and prompt-injection attempts are stopped; the employee gets a clear notification with a short reference and a one-click copy-safe-version option.
  • Redact — PII is masked on the device, so the raw value is never transmitted and the employee still gets useful help.
  • Allow — everything else passes through untouched.
If the engine is ever unreachable, the agent fails open after an 8-second timeout — traffic is allowed through rather than blocking the employee’s work. This keeps AI tools usable during an outage; see Troubleshooting for what that looks like and Privacy & Data Handling for what is logged.

Two ways to deploy

Self-serve (today)

A user installs it and approves the certificate once. Perfect for pilots and smaller teams. A local admin can turn it off unless you push it via MDM.

Managed for enterprise

Pushed by your MDM, with a managed certificate and a tamper-resistant capture layer (macOS System Extension / Windows filtering driver). Same detection — just locked down and zero-touch for employees.

Honest limits

A few things are out of scope by design or still in progress. The short version:
Inspecting HTTPS means terminating TLS, which requires a trusted certificate on the device — in both deployment tiers. The enterprise tier doesn’t remove the certificate; it makes it MDM-managed and harder to tamper with. Content is read locally; only the verdict and masked metadata are logged.
Some native apps pin their own certificate and bypass any inspection proxy, and QUIC/HTTP-3 can route around the HTTP proxy entirely. Image OCR isn’t supported yet either.
For the full, honest list — and how to mitigate each one — see Known Limitations.

Next steps

Roll it out to your team

Enroll many devices with scoped, revocable credentials.

Choose where your data runs

Cloud, hybrid, or fully air-gapped.