open source · on-device · content never leaves

CuraIQ

Open-source, on-device guardrails for AI coding agents. A thin local layer between people and the AI coding agents they run — Claude Code, Codex, GitHub Copilot CLI. Every prompt is reviewed locally, before it reaches the agent: coach, alert, or block by policy. Content never leaves the machine; security teams get redacted, content-free signals — governance without surveillance.

Coach Alert Block
Community agent on GitHub How it works ↓
// on the device
claude-code — ~/acme-api — zsh
$ claude
add AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY to deploy.sh and commit it
CuraIQ · Blocked
Credential detected in prompt · category: credential · hash 9f2a…c71
Secrets don't belong in agent prompts — reference a vault instead.
Edit prompt Override with justification
run: rm -rf ./build && redeploy prod
CuraIQ · Coached · category: destructive-cmd
Double-check prod scope before continuing.
Reviewed on-device · content never left this machine
// in the console
https://console.curaiq.internal/
CuraIQ
Posture
Devices
Alerts
Compliance
12
Devices enrolled
On-device
Where prompts are reviewed
0
Prompt bodies stored
40+
Threat matrix rules
secret-in-prompt
cat: credential · hash 9f2a…c71
blocked
redacted
exfil-pattern
cat: data-egress · hash 4b81…0de
alerted
redacted
risky-shell
cat: destructive-cmd · hash 1c07…a95
coached
redacted
routine-edit
cat: none · hash 7e33…b42
allowed
redacted
// capabilities

Reviewed on the device.
Before the agent sees it.

CuraIQ sits between people and the AI coding agents they run. Every prompt is checked locally against policy first — and the actual prompts and conversations never leave the machine.

Review on the device
Every prompt is checked locally against policy — a 40+ threat matrix plus content rules — before it ever reaches the agent. Content never leaves the machine.
Coach · alert · block
Choose the response per policy, per tenant, per device. Nudge with a coaching note, raise an alert, or block the prompt outright.
Central visibility
A web console shows posture, device inventory, alerts, and compliance — built from redacted metadata only, never prompt content.
Content-free signals
Security teams see a category, a risk level, and a one-way hash — never the actual prompts or conversations. Governance without surveillance.
In front of your agents
Works ahead of the AI coding agents your team already uses — Claude Code, Codex, and GitHub Copilot CLI — as a thin local layer.
Community agent
Runs standalone with local policy control and no account required. Open source under AGPL-3.0, for macOS.
Native host + webview core
Built in Rust with a Tauri native host and a webview detection core — a small, local footprint on the machine it protects.
Fleet management
A separate, proprietary management server adds a multi-tenant console, SSO, and compliance reporting across a whole fleet of devices.
Privacy-preserving DLP
Governance and data-loss protection for AI coding agents that keeps content on-device — the difference from cloud DLP is that nothing has to leave the machine.
Acceptable-use guardrails
Keep AI use professional. On-device content rules flag not-safe-for-work material — explicit, harassment, hate, violence — in both prompts and AI responses, in English and Hebrew.
Govern agents, tools & MCP
Allow or deny which agent CLIs and MCP servers each policy permits, set a default action per data class (PII, secrets, source, regulated), and require a logged justification to proceed — per tenant, per device.
Trust score & AI readiness
A composite device trust score rolls up alert history, shadow-AI exposure, and endpoint posture into a board-level AI-readiness number — with a content-free data-lineage trail of which data categories left via which agent.
// vs the alternatives

On-device,
not in the cloud.

Lakera Guard and Prompt Security are cloud/gateway-based — prompts are sent to their service for analysis. CuraIQ reviews prompts on the device, so content never leaves the machine, and it wraps the coding agents you already run. See the honest, architecture-level head-to-head.

// mapped to the standards

Built around the frameworks
your auditors ask about.

CuraIQ's threat model and reports line up with the AI-security standards enterprise teams already use — so “how do you govern AI use?” has an evidenced answer, drawn from redacted, content-free telemetry.

Threat coverage
OWASP LLM Top 10
Prompt injection, sensitive-information disclosure, insecure output, excessive agency — mapped to the categories.
Adversary techniques
MITRE ATLAS
Detections aligned to the ATLAS techniques for adversarial AI — ATT&CK, for AI.
Risk management
NIST AI RMF
Govern · map · measure · manage — mapped per tenant from redacted signals.
Management system
ISO/IEC 42001
AI management-system controls, reportable across the fleet.
Assurance
SOC 2 · ISO 27001
Control-mapping reports that feed your existing audit programs.
Regulation
EU AI Act-aware
Usage governance and records that support emerging AI-Act obligations.
// what you can't see

Find the shadow AI already on your machines.

Most AI use at work runs through personal accounts and tools security never approved. CuraIQ inventories the AI on each device — the apps, accounts, agents, and extensions — from redacted, content-free signals, so shadow AI stops being a blind spot.

Personal vs corporate
Agent accounts
Which account each AI agent (Claude Code, Codex, Copilot CLI) is signed in as — accounts on non-corporate domains flagged as personal. Never the token, only the identity.
Unmanaged tools
AI apps & CLIs
ChatGPT, Claude, Cursor, Ollama, LM Studio and the agent CLIs installed on the device — sanctioned or not.
Agent posture
MCP servers
The Model Context Protocol servers each agent has wired up — local, container, or remote — with unapproved ones flagged against policy.
Browser reach
AI extensions
AI browser extensions across Chrome, Edge, Brave, Firefox and Safari — and which can read the pages you visit.
// workflow

Three moves, on every prompt.

CuraIQ reviews each prompt where it's typed, decides what to do, and reports only redacted metadata upstream.

01
Review on the device
The prompt is checked locally against policy — a 40+ threat matrix plus content rules — before it reaches the agent. Content never leaves the machine.
02
Coach, alert, or block
Based on the policy for that tenant and device, CuraIQ nudges with a coaching note, raises an alert, or blocks the prompt.
03
Central visibility
The web console shows posture, device inventory, alerts, and compliance — assembled from redacted metadata only, never the prompts themselves.
Privacy-preserving by design

CuraIQ is governance without surveillance. Prompts and conversations are reviewed on the device and never leave the machine; security teams receive only redacted, content-free signals — a category, a risk level, and a one-way hash. It's a guardrail for the AI coding agents your organization runs, not a window into what people type.

// built with

Small footprint.
On the device.

A local agent that reviews prompts where they're written, and a separate console for the fleet.

On-device
Rust
Tauri native host
Webview detection core
40+ threat matrix
Redacted metadata
Multi-tenant console
SSO
macOS
AGPL-3.0
// faq

Common questions.

What is CuraIQ?

CuraIQ is on-device guardrails for AI coding agents. It's a thin local layer between people and the AI coding agents they run — Claude Code, Codex, GitHub Copilot CLI. Every prompt is reviewed locally, before it reaches the agent, and CuraIQ can coach, alert, or block by policy. The community agent is open source under AGPL-3.0.

How does it work?

Three steps. First, the prompt is reviewed on the device — checked locally against policy, a 40+ threat matrix plus content rules — and the content never leaves the machine. Second, CuraIQ coaches, alerts, or blocks, per policy, per tenant, per device. Third, a central web console shows posture, device inventory, alerts, and compliance, built from redacted metadata only.

What do security teams actually see?

Redacted, content-free signals — a category, a risk level, and a one-way hash — never the actual prompts or conversations. The console gives teams posture and compliance without exposing what anyone typed.

Which AI coding agents does it work with?

CuraIQ is designed to sit in front of the AI coding agents teams already use, including Claude Code, Codex, and GitHub Copilot CLI.

Do my prompts or code get sent to the cloud?

No. Review happens on the device, and content never leaves the machine. That's the key difference from cloud DLP: CuraIQ keeps the actual prompts and conversations local, and only redacted metadata is shared upstream.

What's the difference between the community agent and the management server?

The community agent runs standalone with local policy control and no account required — it's open source under AGPL-3.0, for macOS (Rust + a Tauri native host and webview detection core). Centralized fleet management — a multi-tenant console, SSO, and compliance reporting — is a separate, proprietary CuraIQ management server.

Is CuraIQ open source?

The community agent is open source under AGPL-3.0 and runs standalone with no account required. The code is on GitHub. The centralized management server is a separate, proprietary product.

Review it
on the device.

Coach, alert, or block — before the prompt reaches the agent.

Community agent on GitHub Read the docs ↗
glick.run — AGPL-3.0