For the developer machine

You have controls
on every other
egress lane.
AI tools are the gap.

Tether is a visibility-and-enforcement layer for AI-tool egress on the developer machine. Every decision carries a signed policy version your auditor re-verifies offline. The shape is three layers: a Tier 0 deterministic floor that always blocks, an optional Tier 1 sync judge that fails closed when enabled, and an advisory Tier 2 async judge that produces evidence.

~10s  fleet policy propagation Ed25519 signed policy bundles  —  no MITM CA on the developer machine
tether-proxy · 127.0.0.1:11435 · policy v42
ACTIVE
[09:14:32] POLICY v42 verified · Ed25519 sig OK
[09:14:33] CONNECT claude-code → api.anthropic.com · agent=claude-code
[09:14:51] PROXY POST /v1/messages · 2.1KB · floor=clear
[09:14:51] ALLOW identity=alex@acme · X-Tether-Policy-Version: 42
[09:15:04] JUDGE sampled · cloud-sync · timeout 800ms
[09:15:09] BLOCK matched deterministic blocklist · aws_access_key
[09:15:09] SIEM → splunk-hec · event_id=AI_PROXY_REQUEST
[09:15:12] AUDIT policy-audit.jsonl appended

Your developers use AI tools every day.
Your stack does not see what leaves with them.

Four things are true at the same time. None of the controls you already pay for closes them.

EDR

EDR does not see prompts.

Your EDR sees the process, the network connection, the binary. It does not read the JSON body inside the TLS tunnel a coding agent opens to its vendor.

CASB

CASB does not classify them.

CASBs are tuned for SaaS-app posture and shadow-IT discovery. A Claude Code or Cursor call to api.anthropic.com is just another approved SaaS host.

DLP

DLP does not catch them in flight.

Network DLP runs on egress patterns at the perimeter or on file content. A developer paraphrases a customer record into a prompt and the patterns never fire.

AI Vendor Logs

Vendor logs are not discoverable.

The only record of what your developers prompted is at the AI vendor. It is not in your SIEM, not on your audit timeline, and not available during incident response.

Tether does not replace your EDR, CASB, IdP/SSO, or DLP. It covers the AI-egress lane on the developer machine each of them misses. Full coexistence map →

Three capabilities your security org can audit
against the code on day one.

Every claim below points at a line on master. The full claims-to-code map is in the repo.

01 · POLICY

Cryptographically signed policy distribution

Every published policy bundle is Ed25519-signed in Overwatch and verified by the proxy before it takes effect. Fail-closed on signature mismatch; replay blocked by a monotonic version. Fleet propagation is bounded by a 10-second poll.

policy-signing.js:122-150 policy_client.go:26
02 · DEPLOY

Runs in your own GCP or AWS account

One Overwatch service per tenant, provisioned via Terraform in your cloud project. No Tether-hosted data transit. No root CA installed on the developer machine. Per-tenant secrets live in your Secret Manager / Secrets Manager.

deploy/README.md proxy/main.go:1-22
03 · EVIDENCE

Reproducible per-request attestation

Every decision carries an X-Tether-Policy-Version response header. Every event and judge review stamps the active version. An auditor pulls the signed bundle and verifies the Ed25519 signature offline against the controls in force.

docs/ATTESTATION.md

There are five more BUILT capabilities — SIEM adapters for Splunk HEC, Microsoft Sentinel, and syslog RFC 5424 UDP; SCIM via Jackson with role-from-groups mapping; device posture export in Tether / Okta Device Trust / Microsoft Graph managedDevice / CSV; a hardware-adaptive local model judge across four hardware tiers; and a three-tier judge authority model where Tier 0 always blocks. The full list is on the Controls page.

Take a 30 minutes.
Decide if it fits your stack.

A working pilot in your own cloud account in two weeks. Explicit success criteria. terraform destroy if it does not deliver.