# Stop AI data leakage at the source
Open-source, privacy-first AI Data Loss Prevention for desktop. Block unauthorized AI tools at DNS. Inspect content sent to approved ones. Persist nothing about user access.
## Why Prompt Gate
### The problem
Your users paste customer data, source code, API keys, and internal docs into ChatGPT, Claude, Copilot, and a dozen other AI tools every day. SaaS DLP sees an encrypted blob heading for a cloud provider, which is too late. Network DLP can't decrypt browser-pinned TLS. You need answers to three questions:
1. What is actually leaving the endpoint? A keystroke-by-keystroke browser hook is intrusive and laggy. A network tap can't see inside HTTPS. Prompt Gate intercepts at the paste / form / fetch / drag / clipboard boundary in the browser and through a selective MITM proxy for non-browser apps.
2. Will it leave a trail of who said what? Traditional DLP logs every prompt, which is its own privacy problem and makes employees route around the tool. Prompt Gate persists only aggregate counters, never per-event content, domains, URLs, or user identifiers. This is verified by a column-sweep test in CI.
3. Can it be stopped before the network call? DNS-layer blocking refuses queries for unauthorized AI hosts (NXDOMAIN); the browser companion + on-device pipeline scan content for approved hosts; blocks happen client-side before bytes leave.
## Block leakage in three commands
Install once. Configure the tier list. Run.
git clone https://github.com/ShieldNet-360/prompt-gate.git
cd prompt-gate && make dist
./agent/prompt-gate-agent --config config.yaml
Prefer a packaged build? Grab a v1.0.1 release for your OS, or use a package manager; see Installation for Homebrew / winget and for how to verify what you install.
The agent exposes a loopback API at 127.0.0.1:9191. The browser extension and tray app pick it up automatically.
# config.yaml: minimal
upstream_dns: "8.8.8.8:53"
dns_listen: "127.0.0.1:15353"
api_listen: "127.0.0.1:9191"
rule_paths:
  - rules/ai_chat_blocked.txt   # Tier 3: DNS block
  - rules/ai_chat_dlp.txt       # Tier 2: inspect with DLP
  - rules/ai_allowed.txt        # Tier 1: pass through
dlp_patterns: rules/dlp_patterns.json
dlp_exclusions: rules/dlp_exclusions.json
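The tiering that the three rule_paths above encode, worked through on the wire, as an added example (Python, written for this page; it is not the agent's Go code). The rule-file format (one host per line, `#` comments), the "most specific suffix wins" precedence, and the host names are assumptions; the DNS header layout and RCODE 3 (NXDOMAIN) are standard.

```python
import struct

# Constructed rule lists standing in for the three rule_paths files in
# config.yaml. Their on-disk format (one host per line, "#" comments) and the
# "most specific suffix wins" precedence are assumptions, not the project's spec.
RULE_FILES = {
    "block":   "# Tier 3: refuse at DNS\nchat.example-ai.test\n",
    "inspect": "# Tier 2: resolve, then scan content via extension/proxy\nassistant.example.test\n",
    "allow":   "# Tier 1: pass through\nintranet.example.test\n",
}

def load_rules(files):
    """Map each listed host (lower-cased, no trailing dot) to its tier."""
    rules = {}
    for tier, text in files.items():
        for line in text.splitlines():
            host = line.split("#", 1)[0].strip().lower().rstrip(".")
            if host:
                rules[host] = tier
    return rules

def classify(qname, rules):
    """Walk from the full name to shorter parent suffixes; first hit wins.
    Subdomains of a blocked host are therefore blocked too."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        tier = rules.get(".".join(labels[i:]))
        if tier:
            return tier
    return "forward"          # not in any list: hand to upstream_dns untouched

def build_query(txid, qname, qtype=1):
    """Minimal RD=1 query for QNAME/QTYPE, QCLASS IN (constructed test input)."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + wire + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (txid, flags, qname, end_of_question) for a single-question query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query")
    pos, labels = 12, []
    while packet[pos]:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return txid, flags, ".".join(labels), pos + 1 + 4   # root label + QTYPE/QCLASS

def resolve(packet, rules):
    """Tier 3 -> synthesize NXDOMAIN locally; anything else -> forward upstream.
    Returns (action, tier, reply_bytes_or_None)."""
    txid, flags, qname, qend = parse_question(packet)
    tier = classify(qname, rules)
    if tier != "block":
        return "forward", tier, None
    # QR=1, copy RD from the query, RA=1, RCODE=3 (NXDOMAIN); echo the question, no answers.
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return "nxdomain", tier, header + packet[12:qend]
```

Note that Tier 2 and Tier 1 names resolve normally here; the difference between them only shows up later, when the browser companion or proxy decides whether to run the DLP pipeline on the request body. The blocked name never produces an upstream query, so nothing about it leaves the host.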
# Test the DLP pipeline
$ curl -s -X POST http://127.0.0.1:9191/api/dlp/scan \
-H 'Content-Type: application/json' \
-d '{"content":"AKIAIOSFODNN7EXAMPLE is my real key"}'
{"blocked":true,"pattern_name":"aws_access_key_id","score":0.95}
$ curl -s -X POST http://127.0.0.1:9191/api/dlp/scan \
-H 'Content-Type: application/json' \
-d '{"content":"hello, what is the weather"}'
{"blocked":false,"pattern_name":"","score":0.0}
No per-event log is written. Each scan increments dlp_scans_total; the blocked one also increments dlp_blocks_total.
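What sits behind a verdict like the ones above, as an added example (Python, written for this page, not the project's pipeline). The JSON schema of dlp_patterns.json and dlp_exclusions.json, the per-pattern scores, the 0.5 block threshold, and the sample inputs are all assumptions; only the response shape (`blocked`, `pattern_name`, `score`) and the two counter names come from the page.

```python
import json
import re
from collections import Counter

# Constructed stand-ins for rules/dlp_patterns.json and rules/dlp_exclusions.json.
# The JSON schema, the per-pattern scores and the 0.5 block threshold are
# assumptions for this example, not the project's documented format.
PATTERNS_JSON = json.dumps([
    {"name": "aws_access_key_id", "regex": r"\bAKIA[0-9A-Z]{16}\b",         "score": 0.95},
    {"name": "github_pat",        "regex": r"\bghp_[A-Za-z0-9]{36}\b",       "score": 0.95},
    {"name": "email_address",     "regex": r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b", "score": 0.40},
])
EXCLUSIONS_JSON = json.dumps([
    # an exclusion suppresses a match of one named pattern when the matched
    # text also hits this regex (here: the company's own mail domain)
    {"pattern": "email_address", "regex": r"@example\.com$"},
])

class Scanner:
    def __init__(self, patterns_json, exclusions_json, threshold=0.5):
        self.patterns = [(p["name"], re.compile(p["regex"]), float(p["score"]))
                         for p in json.loads(patterns_json)]
        self.exclusions = {}
        for e in json.loads(exclusions_json):
            self.exclusions.setdefault(e["pattern"], []).append(re.compile(e["regex"]))
        self.threshold = threshold
        self.counters = Counter()   # the only state that outlives a scan: integers

    def scan(self, content):
        """Return the API-shaped verdict; keep no copy of content or of the match."""
        self.counters["dlp_scans_total"] += 1
        name, score = "", 0.0
        for pat_name, rx, pat_score in self.patterns:
            for m in rx.finditer(content):
                if any(x.search(m.group(0)) for x in self.exclusions.get(pat_name, ())):
                    continue                     # allow-listed value, not a finding
                if pat_score > score:
                    name, score = pat_name, pat_score
                break                            # one real hit per pattern is enough to score
        blocked = score >= self.threshold
        if blocked:
            self.counters["dlp_blocks_total"] += 1
        return {"blocked": blocked, "pattern_name": name, "score": score}
```

The highest-scoring non-excluded finding is reported even when it falls below the threshold, which is what you want when tuning patterns against real paste traffic; the `/api/dlp/scan` handler would simply serialize `scan()`'s return value. Nothing in `Scanner` retains the content, the match, a timestamp, or the caller.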
## How it works
flowchart LR
U["User"] -->|paste / form / fetch| EXT["Browser<br>Companion"]
U -->|HTTP via system proxy| PRX["MITM Proxy<br>(Tier-2 only)"]
EXT -->|/api/dlp/scan| AGENT
PRX -->|in-process| AGENT
APP["Other apps"] -->|DNS query| DNS["DNS Resolver<br>:53"]
DNS --> AGENT
subgraph AGENT [" Prompt Gate Agent "]
direction LR
POL["Policy Engine<br>Tier 1-4"]
DLP["DLP Pipeline<br>5 stages"]
STATS["Aggregate<br>Counters"]
POL --> DLP --> STATS
end
AGENT -->|Allow| OUT["Cloud AI"]
AGENT -->|Block| X["NXDOMAIN<br>or 403"]
Every layer is optional. DNS alone gives you allow-listed AI. Add the extension for content inspection on approved hosts. Add the MITM proxy if you need non-browser coverage. Add a signed enterprise profile to lock policy across a fleet.
## Components
### Platforms
| OS / Browser | Package | Install |
|---|---|---|
| macOS | .pkg (notarized at v1.0) | bash scripts/macos/build-pkg.sh |
| Linux | .deb + .rpm | bash scripts/linux/build-packages.sh |
| Windows | .msi (Authenticode at v1.0) | pwsh scripts/windows/build-msi.ps1 |
| Chrome / Edge | MV3 extension | Load extension/dist unpacked, or Web Store at v1.0 |
| Firefox | MV3 extension | Load extension/dist temporary, or AMO at v1.0 |
| Safari | MV3 extension | Bundled via Xcode wrapper (planned v1.1) |
### Configuration presets
Three enforcement modes ship in the repo root. Pick one, edit, deploy.
| Preset | Default action | Override policy | Tamper response | Audience |
|---|---|---|---|---|
| config.personal.example.yaml | Allow + DLP | Editable in tray UI | Counter only | Individuals |
| config.team.example.yaml | Block + DLP | Editable, ephemeral | Counter + tray balloon | Small teams |
| config.managed.example.yaml | Block + DLP | Locked by Ed25519 profile | Counter + heartbeat (opt-in) | Enterprise / MDM |
## Privacy invariant
Three things persist on disk. Nothing else.
✓ Policy configuration: what categories are allowed / blocked
✓ Aggregate counters: integers such as dns_queries_total, dlp_blocks_total, …
✓ Rule files: domain lists + DLP patterns
✗ Domain names: NEVER
✗ URLs: NEVER
✗ IP addresses: NEVER
✗ User identifiers: NEVER
✗ Per-event timestamps: NEVER
✗ Scanned content: NEVER (in-memory only, garbage-collected after the scan)
Enforced by agent/internal/store/privacy_test.go, a CI test that sweeps every text column of the SQLite database and asserts these values cannot reach disk.
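What such a column sweep looks like in practice, as an added example (Python against the stdlib sqlite3 module; it is not the project's privacy_test.go, and the two-table schema, counter names, and regexes are assumptions). It goes one step further than "every text column": it checks every value whose stored type is text in every column, because SQLite's type affinity will quietly store a string in a column declared INTEGER, and a sweep keyed on declared types would miss exactly that regression.

```python
import re
import sqlite3

# Shapes of value that the invariant says must never be on disk (assumed regexes).
FORBIDDEN = {
    "domain":    re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I),
    "url":       re.compile(r"\bhttps?://", re.I),
    "ipv4":      re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "timestamp": re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}"),
    "email":     re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+"),
}

def build_store(path=":memory:"):
    """Constructed fixture resembling what the page says may persist:
    policy configuration and aggregate counters (the schema is assumed)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE counters (name TEXT PRIMARY KEY, value INTEGER NOT NULL);
        CREATE TABLE policy   (key  TEXT PRIMARY KEY, value TEXT    NOT NULL);
    """)
    conn.executemany("INSERT INTO counters VALUES (?, ?)",
                     [("dns_queries_total", 1840), ("dlp_scans_total", 2), ("dlp_blocks_total", 1)])
    conn.executemany("INSERT INTO policy VALUES (?, ?)",
                     [("default_action", "block"), ("tier2_inspect", "true")])
    conn.commit()
    return conn

def sweep_text_columns(conn):
    """Every table, every column, every row whose *stored* value is text.
    Declared column types are ignored on purpose: SQLite affinity stores a
    string in an INTEGER column without complaint, so sweeping only columns
    declared TEXT would miss it."""
    violations = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info('{table}')")]
        for col in columns:
            rows = conn.execute(
                f"SELECT \"{col}\" FROM \"{table}\" WHERE typeof(\"{col}\") = 'text'")
            for (value,) in rows:
                for kind, rx in FORBIDDEN.items():
                    if rx.search(value):
                        # report where, not what: the offending value stays out of CI logs
                        violations.append((table, col, kind))
    return violations

def regress_store_domain(conn):
    """Simulate the bug the sweep exists to catch: a per-event detail written
    into a counter row, and into an INTEGER column, which SQLite accepts."""
    conn.execute("INSERT INTO counters VALUES (?, ?)", ("last_blocked", "chat.example-ai.test"))
    conn.commit()
```

A CI test built on this would open the store the agent actually produced after a scripted run (a few blocked DNS queries, a couple of DLP scans) and assert that `sweep_text_columns` returns an empty list. Reporting `(table, column, kind)` rather than the value keeps the test itself from becoming the leak it is guarding against.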
## Scope vs adjacent tooling
| Question | Prompt Gate | Microsoft AGT | Network DLP |
|---|---|---|---|
| Subject | Human user | Autonomous agent | Traffic |
| Enforcement layer | DNS + browser ext + MITM | Function-call wrapper | Network gateway |
| Sees inside browser-pinned TLS | Yes, via MITM | n/a | No |
| Privacy of users | No per-event log | Tamper-evident audit | Full session log |
| Best for | Endpoint, BYOD | Agent fleets | Egress monitoring |
Most teams will run both Prompt Gate (human → cloud AI) and AGT (agent → tools). See the comparison doc for the full breakdown.
## Standards alignment
| Standard | Coverage |
|---|---|
| OWASP Agentic AI Top 10 | Endpoint slice: ASI-02 (Tool Misuse, outbound) and ASI-06 (Context Poisoning, paste-time). Full agent-runtime coverage is out of scope; pair with AGT. |
| GDPR (privacy-by-design) | No per-event PII persisted; column-sweep CI test enforces invariant. |
| MIT License | Free to fork, embed, and ship in commercial products. |
| SBOM | Generated per release (planned v1.0). |
## Verify a release
Every release artifact ships with a Sigstore-backed SLSA build provenance attestation and a SHA256SUMS file, so there is no long-lived signing key to trust.
# provenance: confirms the binary was built by this repo's Release workflow
gh attestation verify prompt-gate-agent-darwin-arm64 --repo ShieldNet-360/prompt-gate
# integrity
sha256sum --check SHA256SUMS
On macOS without coreutils, `shasum -a 256 --check SHA256SUMS` performs the same integrity check. Remember that the checksum only guards against a corrupted or swapped download; the provenance step is what ties the binary to this repository's Release workflow. See Verifying releases for the full story.
## Engineering reports & foundations
Every number below is regenerated from tests, not hand-entered.
## Get involved
Prompt Gate is open source under the MIT license and built in the open.
- Add a DLP pattern: see the pattern authoring guide.
- Harden a platform: packaging scripts live under scripts/{macos,linux,windows}.
- Found a vulnerability? Please follow the security policy for coordinated disclosure.