> ## Documentation Index
> Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Desktop Agent

> Install the Shadow AI agent and your Mac or PC checks every AI tool — ChatGPT, Claude, Cursor, and more — before anything sensitive is sent.

The desktop agent is the part your team installs. Once it's on, it watches the
AI tools they already use and applies your policy **on the device, before a
prompt or file is sent** — no browser extension required, because one agent
covers both the AI **apps** in the browser (ChatGPT, Claude) and the AI **APIs**
behind coding tools (Cursor, IDE assistants, SDKs).

It ships today on **macOS** (signed and notarized). **Windows and Linux are in
active development** (private preview) and not yet generally available.

## Install

Getting a single machine running takes about five minutes — install the bundle,
then one guided command:

```bash theme={"system"}
./install.sh
pgshadow init --api-key pg_live_xxxxx --cloud   # logs in, starts, trusts the cert, verifies
```

<Card title="Full quickstart" icon="bolt" href="/shadow-ai/quickstart">
  Step-by-step: prerequisites, the menu-bar option, verifying, your first block,
  and uninstall.
</Card>

The rest of this page is the reference — what's covered, how it enforces, the
deployment tiers, and the honest limits.

## What it protects

The agent works from a **host allowlist** of known AI vendors — it inspects
traffic to those hosts and leaves everything else untouched. The current list
covers:

| AI vendor / tool       | Covered |
| ---------------------- | ------- |
| **ChatGPT / OpenAI**   | ✅       |
| **Claude / Anthropic** | ✅       |
| **Google Gemini**      | ✅       |
| **Perplexity**         | ✅       |
| **Mistral**            | ✅       |
| **Cohere**             | ✅       |
| **Microsoft Copilot**  | ✅       |
| **GitHub Copilot**     | ✅       |
| **Cursor**             | ✅       |
| **DeepSeek**           | ✅       |
| **Grok (x.ai)**        | ✅       |
| **Poe**                | ✅       |
| **HuggingChat**        | ✅       |
| **Meta AI**            | ✅       |

This covers both the AI **web apps** in the browser and the AI **APIs** behind
coding tools and SDKs. Adding a new vendor to the allowlist is a small config
change on our side — see [Known Limitations](/shadow-ai/known-limitations) for
how to request one.

| Platform    | Status                                     |
| ----------- | ------------------------------------------ |
| **macOS**   | ✅ generally available (signed + notarized) |
| **Windows** | 🚧 in development (private preview)        |
| **Linux**   | 🚧 in development (private preview)        |

## What happens at send-time

Every paste, prompt, or upload gets one verdict in milliseconds:

* **Block** — secrets, API keys, and prompt-injection attempts are stopped; the
  employee gets a clear notification with a short reference and a one-click
  **copy-safe-version** option.
* **Redact** — PII is masked **on the device**, so the raw value is never
  transmitted and the employee still gets useful help.
* **Allow** — everything else passes through untouched.

If the engine is ever unreachable, the agent **fails open** after an 8-second
timeout — traffic is allowed through rather than blocking the employee's work.
This keeps AI tools usable during an outage; see
[Troubleshooting](/shadow-ai/troubleshooting) for what that looks like and
[Privacy & Data Handling](/shadow-ai/privacy-data-handling) for what is logged.

## Two ways to deploy

<CardGroup cols={2}>
  <Card title="Self-serve (today)" icon="user">
    A user installs it and approves the certificate once. Perfect for pilots and
    smaller teams. A local admin can turn it off unless you push it via MDM.
  </Card>

  <Card title="Managed for enterprise" icon="building-shield">
    Pushed by your MDM, with a managed certificate and a tamper-resistant
    capture layer (macOS System Extension / Windows filtering driver). Same
    detection — just locked down and zero-touch for employees.
  </Card>
</CardGroup>

## Honest limits

A few things are out of scope by design or still in progress. The short version:

<AccordionGroup>
  <Accordion title="It needs a certificate to read encrypted traffic" icon="certificate">
    Inspecting HTTPS means terminating TLS, which requires a trusted certificate
    on the device — in **both** deployment tiers. The enterprise tier doesn't
    remove the certificate; it makes it MDM-managed and harder to tamper with.
    Content is read **locally**; only the verdict and masked metadata are logged.
  </Accordion>

  <Accordion title="Certificate-pinned apps and QUIC/HTTP-3 can bypass inspection" icon="lock">
    Some native apps pin their own certificate and bypass any inspection proxy,
    and QUIC/HTTP-3 can route around the HTTP proxy entirely. Image OCR isn't
    supported yet either.
  </Accordion>
</AccordionGroup>

For the full, honest list — and how to mitigate each one — see
**[Known Limitations](/shadow-ai/known-limitations)**.

## Next steps

<CardGroup cols={2}>
  <Card title="Roll it out to your team" icon="users" href="/shadow-ai/fleet-enrollment">
    Enroll many devices with scoped, revocable credentials.
  </Card>

  <Card title="Choose where your data runs" icon="cloud" href="/shadow-ai/deployment-modes">
    Cloud, hybrid, or fully air-gapped.
  </Card>
</CardGroup>
