Skip to main content
Windows only. Annotated screenshots of the in-product experience are being finalized.
Once registered and assigned to a project, the Desktop Agent works transparently. You keep using AI tools (such as web chat assistants, desktop apps, and CLI tools) as normal; the Agent inspects what you send and applies your company’s Guard Policies. There is no SDK to integrate and nothing to turn on.

Which requests are inspected

The Agent only intercepts traffic to the AI services your company governs — the capture targets defined by your project’s Control Profiles. Every other request on your PC passes straight through and is never inspected or sent to Starfort.

What happens to an inspected request

Each inspected request gets one of the three actions:
  • PASS — your input is sent unchanged, with no notification.
  • MASK — sensitive spans (for example phone numbers or emails) are replaced with placeholder tokens such as [PHONE_NUMBER_1] before the request leaves your machine. The AI service only ever sees the masked version.
  • BLOCK — the request is stopped and nothing is sent to the AI service. A notification explains why. See Block & mask notifications.
Topic checks (a policy type that can flag a subject for review) are logged but not enforced on the Desktop Agent — they are treated as PASS, so they never change or stop your request. Only PASS, MASK, and BLOCK affect what you send.

If the Agent can’t reach Starfort

Behavior during a network outage follows your company’s Network Fail-Safe setting — either fail-open (allow all intercepted requests, the default) or fail-closed (block all intercepted requests) — and recovers automatically when the connection returns. See Desktop Agent settings. This applies only when the Agent genuinely can’t reach Starfort. If the connection is fine but the analysis itself can’t complete, the request is always blocked — even when your company has chosen fail-open.