Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.neuraltrust.ai/llms.txt

Use this file to discover all available pages before exploring further.

What this covers

AI-assisted IDEs and coding assistants where the LLM provider and orchestration are hosted by the vendor — you can’t intercept the call server-side. Enforcement happens on the developer’s managed device. This includes:

Architecture

developer's managed device

    ├── native IDE / CLI ──► PAC ──► TrustGate Endpoint (MITM) ──► LLM provider
    └── Chromium browser ──► Browser extension ──► LLM provider web app
The developer does not install TrustGate software. Both integrations are pushed by MDM.

Prerequisites

  • An MDM tool with enrollment on developer machines — Jamf, Intune, Kandji, Workspace ONE, or similar.
  • Chromium-based browsers for the Browser surface (Chrome, Edge, Brave, Arc, Opera). Firefox and Safari are not supported.
  • Approval from IT / Security to push a root CA, a client certificate, and a managed browser extension to developer machines.

Step-by-step setup

Unlike Gateway or API surfaces, the Endpoint and Browser surfaces don’t have “upstream” Integrations — each of these Integrations is self-contained: it generates the artifacts (PAC file, certificates, extension package) that MDM pushes to devices. Both are configured under Integrations → Add Integration.
1

Create an Endpoint Integration

Integrations → Add Integration → Endpoint. Set:
  • Scope (allow-list of hostnames) — the LLM endpoints native IDEs call: api.openai.com, api.anthropic.com, api.githubcopilot.com, api.cursor.sh, and any vendor-specific host your developers use. Hosts outside the scope are not intercepted — they bypass TrustGate entirely.
  • Applications (optional) — label sub-scopes like Cursor, Copilot, Windsurf so you can filter policies and Explorer by app.
  • Tags (optional) — e.g. engineering, developers.
After saving, the integration exposes three artifacts in the console:
  • pac.url — proxy auto-config URL.
  • client.crt + client.key — per-org client certificate and private key (mTLS to identify your tenant to the Endpoint MITM).
  • trustgate-ca.crt — CA certificate used for dynamic TLS.
2

Push Endpoint artifacts via MDM

In your MDM (Jamf, Intune, Kandji, Workspace ONE), create a configuration profile targeting your developer device group that:
  1. Installs trustgate-ca.crt into the system trust store (so native IDEs accept the dynamic TLS certificate).
  2. Installs client.crt + client.key into the system keychain, scoped so only macOS/Windows can use it for mTLS.
  3. Sets an OS-level proxy configuration that references the PAC URL from Step 1, so HTTPS traffic to the hosts in scope is routed through the TrustGate Endpoint MITM.
Developers do not sign in, install software, or change settings.
3

Create a Browser Integration

Integrations → Add Integration → Browser. Set:
  • Applications — which web AI apps the extension activates on: chatgpt.com, claude.ai, gemini.google.com, cursor.com, github.com/copilot, etc.
  • Tags (optional) — e.g. engineering.
After saving, download the MDM-distributable extension package (Chrome .crx + policy manifest, Edge equivalent).
4

Push the Browser extension via MDM

Use Chromium’s ExtensionInstallForcelist enterprise policy (or Edge’s equivalent) to force-install the extension on managed browsers. The extension is bound to your tenant via the managed extension configuration — developers do not authenticate and cannot disable it.
5

Author the mirror policies

See Policies to apply below. Author the same intent on both surfaces so a developer sees consistent enforcement whether they use Cursor natively or paste into ChatGPT in a browser.
6

Verify on a test managed device

On a managed laptop:
  1. Open Cursor (or any IDE with Copilot) and send a prompt. Confirm it appears in Runtime → Explorer, filtered by the Endpoint integration.
  2. Open chatgpt.com in Chrome and send a prompt. Confirm it appears, filtered by the Browser integration.
  3. Trigger a Block policy (e.g. paste a fake AWS access key) in both surfaces. Confirm both the native IDE and the browser app reject the send.

Policies to apply

This guide uses two surfaces — Endpoint for native IDE traffic and Browser for web AI apps — and each has its own filter catalog and action semantics. Read the Policies & Enforcement page for the Where / When / Then model; on Browser and Endpoint, Block prevents the prompt or paste from ever leaving the device, and Mask redacts fragments inline before they reach the wire. Author mirror policies on both surfaces so a developer sees the same rules whether they use Cursor natively or ChatGPT in a browser.

Block credentials leaving the device

  • Where (Endpoint)Endpoint + filter Endpoints = <your-endpoint> · Applications = Cursor, Copilot, Windsurf
  • Where (Browser)Browser + filter Applications = ChatGPT, Claude, Gemini, Cursor Web, Copilot Web
  • WhenInput · Triggers · API Key / Secret
  • ThenBlock
Highest-signal policy for developer devices — a single leaked secret is a security incident.

Block PII in prompts and file uploads

  • Where (Browser)Browser + filter Applications = ChatGPT, Claude, Gemini, Cursor Web, Copilot Web
  • WhenInput · Triggers · Email Address, Phone Number, Social Security Number, Credit Card, PII in Files
  • ThenBlock
Mirror the same rule on the Endpoint surface against the native IDEs.

Keyword block on project codenames and customer identifiers

  • WhereEndpoint + filter Endpoints = <your-endpoint> and Browser + filter Applications = <web-apps>
  • WhenInput · Triggers · Keyword Match = <your-codename-list>
  • ThenBlock
Prevents developers from pasting internal project codenames, customer names, or acquisition targets into any AI tool.

Mask file uploads with PII

  • WhereBrowser + filter Applications = ChatGPT, Claude, Gemini
  • WhenInput · Triggers · PII in Files
  • ThenMask
Applies only on Browser since that’s the surface where file uploads happen. Mask redacts the PII fragments and lets the upload continue.

Block indirect prompt injection from pasted content

  • WhereEndpoint + filter Endpoints = <your-endpoint> · Applications = Cursor, Copilot, Windsurf
  • WhenInput · Triggers · Prompt Injection
  • ThenBlock
Defends against payloads embedded in documents a developer pastes into the IDE (e.g., the “ignore prior instructions” class of attack riding on an issue title or pasted log).

Log everything while you tune

  • WhereEndpoint + filter Endpoints = <your-endpoint> and Browser + filter Applications = <all>
  • When — empty
  • ThenLog
Baseline visibility before you enforce. Because precedence is block ▶ mask ▶ log, this Log rule composes safely with the Block / Mask policies above — it never weakens them. Promote each policy from Log to Block / Mask once you’ve confirmed the false-positive rate on real developer traffic in Runtime → Logs.

Limitations

  • Streaming on Endpoint: many AI IDE providers use streaming responses. Mask and Block actions apply to the final consolidated payload; the detector decision is enforced once the stream completes.
  • Certificate pinning: some native vendors pin their API certificates and will reject the TrustGate dynamic TLS certificate. Consult the vendor’s enterprise documentation; a few IDEs offer an MDM-managed CA override.
  • Browser scope: only Chromium-based browsers are supported. Firefox and Safari are not covered.
  • Unmanaged devices: BYOD laptops without MDM are out of scope for both surfaces. Restrict access from unmanaged devices via SSO / conditional access upstream.
  • Internal chat apps: these surfaces protect your developers when they use the approved public LLM tools. Homegrown internal chat apps should be covered with the Gateway or API surfaces, not Browser or Endpoint.