For Platform & Engineering Teams
One policy + audit layer under every AI coding tool your team runs.
Claude Code, Cursor, Codex CLI, Hermes, Claude Desktop, Continue — each captured through its own native path: an MCP tool proxy, the vendor's official hooks API (prompt + reply, no MITM), or the LLM egress broker. MCP and broker tool calls hit a policy gate — allow, deny, redact, or route to a human; hooks add full prompt/reply content and a local deny gate on dangerous shell commands. The hash-chained audit is on by default. Runtime intervention catches drift, hallucination, tool loops, and cost runaway mid-stream — an operator reviews and approves the fix from Slack or the desktop tray.
This is the Build plane — governing how your developers build with AI. Need to govern how your business operates with AI? See the Run plane →
Wire it once, per app
Three drop-in paths, no MITM: MCP config for MCP-speaking hosts (Claude Desktop, Continue); the vendor's official hooks for local agents (Cursor, Claude Code, Hermes — full prompt/reply + a shell deny gate); and the LLM egress broker for Codex and non-MCP automators (Zapier, Make, n8n, Power Automate, UiPath, Agentforce). The daemon identifies which app is talking and resolves the right scope policy automatically — same policy + audit + cost chain across all three.
MCP config · official hooks · egress broker — one audit chain
Per-agent scope policies
Allowed tools, data sources, egress destinations, approval requirements, and redaction levels — declared per agent, enforced per call. Block, redact, or escalate to a human; every decision lands in the audit chain with its rule reference and rationale.
Scope policies · per-tool, per-call
Self-evolving system prompts
Quality drift on a vendor triggers a proposed prompt edit, sandboxed against past failing samples before going anywhere near production. An admin approves before the change goes live, and the next session picks it up. Approval-gated, audit-trailed, reversible — no silent prompt changes.
Approval-gated prompt evolution
The integration in one block of JSON
For MCP-speaking hosts (Claude Desktop, Continue), drop one block into the MCP config, relaunch, and tool calls route through the policy gate into the audit chain. Local agents are one command each — airgov_daemon install-cursor-hooks / install-claude-hooks / install-hermes-hooks — and Codex + non-MCP automators route through the egress broker. The full template — org token issuance, host-specific variants, onboarding scripts — ships inside the customer workspace after organisation verification.
{
"mcpServers": {
"proofpane": {
"command": "proofpane",
"args": ["mcp"],
"env": {
"PROOFPANE_ORG": "<your-org>",
"PROOFPANE_TOKEN": "<issued-token>"
}
}
}
}What the audit log looks like
Cryptographically chained. One event per tool call, decision, approval checkpoint, or redaction — scoped per tenant so cross-org tampering is structurally detectable. Every event is linked to its parent run so the entire decision tree is navigable in the operator UI.
{
"event_type": "tool.deny",
"actor": "agent",
"tool": "shell",
"decision": "deny",
"reason": "Destructive operation against shared infrastructure",
"approval": "required, not granted",
"vendor": "<host>",
"verifiable": true
}Why engineering teams pick us
The features above are the surface. These three are the substrate — what holds up when you scale past one team or one agent vendor.
Meets each app where it lives
MCP-native hosts, hooks-capable local agents, and non-MCP automators all land in one hash-chained audit. MCP + broker tool calls are gated — block, redact, or escalate. Native built-in tools that don't route through us (an agent's own file/shell built-ins) are captured observe-only, honestly labelled as such — we never claim to block what we can't see. Signed daemon binary ships for macOS, Windows, and Linux.
MCP · hooks · broker — gated where we sit, observed where we don't
Two runners, one contract
The coding-agent loop can run via direct LLM API or via the official CLI subprocess of the agent of your choice. Same audit events, same governance contract, same stop controls. Swap per session and measure which one wins for your codebase.
API runner or vendor-CLI runner
Comprehensively tested, every PR
Hash-chain integrity, multi-tenant isolation, sandbox path-escape guards, cooperative cancellation, policy-gate decisions, and evidence-pack signature verification are all pinned in CI. Green build is a real signal, not a vibe.
Full suite runs on every PR
Are you on the compliance side, not the engineering side?
See the compliance-officer pitch →