teams & fleets
how do I enforce guardrails on ai coding agents across my team?
Put a deterministic, fail-closed veto in front of every engineer's agent. gate.cat is free per machine (pip install gate-cat) and blocks irreversible shell commands — rm -rf, DB drop, cloud teardown, secret exfiltration — before they run, with no model in the decision path.
The part a team actually needs is the layer above one laptop: a fleet-wide record, alerts, and one policy set pushed to every machine, so you can see coverage and consistency instead of trusting that each person installed it and kept their rules current. That is what the Team plan is for.
On a team, the risk is not that you run the wrong command — it's that any one of your engineers' agents does, on a machine that can reach shared infrastructure. One rogue agent on one laptop is the whole team's blast radius.
why a team is a different problem than a solo dev
A solo developer installs the guard once and moves on. A team has three problems a single install doesn't solve:
- Coverage you can't see. Ten engineers, ten machines — did all ten install the guard? Is it still on? Per-machine software gives you no answer.
- Drift. If everyone edits their own rules, your protection is whatever the least-careful person configured. You want one reviewed policy set, not ten diverging ones.
- Shared blast radius. One agent with prod credentials, a shared database URL, or a team key in its environment can take down infrastructure the whole team depends on, or leak keys that belong to everyone.
the free layer: a deterministic wall on every machine
Each developer runs the same free core. On the PreToolUse step — before the command executes — gate.cat inspects the command string and its paths for irreversible shapes and refuses the dangerous ones. It's a string-and-path deny-list, not a model call, so the decision is sub-millisecond and identical every time. It installs as a Claude Code hook, a Cursor hook, or a gated shell in front of Codex/aider.
- Fail-closed. If a rule matches, the command doesn't run — the safe default is to refuse, not to allow.
- Measured, and honest about the edges. 178/178 on a published irreversible-command suite, replayed against 1,085,159 real agent commands, with one false-block documented openly in the repo. It catches known dangerous shapes; obfuscated or novel commands can still slip, and it is not a sandbox.
- Free forever, Apache 2.0. Every engineer can have the wall today, at no cost, with no account.
the team layer: coverage, alerts, and one policy set
The paid tier doesn't unlock the safety — the safety is free on every machine. It adds the things you can only do at fleet scale:
- Fleet record. Every machine reports its veto events to one place, so you can see which machines are covered and what the guards stopped — a tamper-evident record kept off the machine that was blocked.
- Alerts. When a guard trips on someone's machine, the team hears about it — a runaway loop or an attempted teardown surfaces instead of staying on one laptop.
- Signed policy sync (Business). One reviewed rule set is pushed to every machine, so coverage is consistent instead of drifting per developer.
Pricing is flat, not per-seat: Team €149/mo for up to 10 machines, Business €399/mo. See the full team plan →
frequently asked
Can I make sure every engineer actually has the guard turned on?
The free core is installed per machine, so on its own you can't see who has it. The Team plan is exactly this gap: each machine reports veto events to one place, so you get a fleet-wide view of which machines are covered and what fired, plus alerts when a guard trips. Business adds signed policy sync so the same rule set is pushed to every machine instead of each dev editing their own.
Is the Team plan priced per seat?
No. Team is a flat €149/mo for up to 10 machines, and Business is €399/mo. It is not per-seat, so adding another engineer's laptop does not change the bill until you pass the machine limit.
What does the guard actually block, and does it call a model?
It is a deterministic, fail-closed deny-list. On the PreToolUse step, before a command runs, it inspects the command string and paths for irreversible shapes: recursive delete, disk wipe, database drop, cloud teardown, secret exfiltration and runaway loops. There is no model in the decision path, so the decision is sub-millisecond and does not vary run to run.
What does it NOT catch?
It matches known dangerous shapes, so a deliberately obfuscated or genuinely novel command can slip past it. It is not a sandbox and does not replace least-privilege credentials, backups or code review. It measured 178/178 on a published irreversible-command suite and has one false-block documented in the repo. Treat it as one deterministic layer, not the only one.
Does anything leave our machines?
The free core has zero telemetry and runs entirely local. The fleet record is opt-in Cloud, off by default, and is designed so the provider cannot read your entries because each event is encrypted on your machine. Cloud checkout stays in announce mode until that end-to-end-encrypted path ships.
give every machine the same wall — 60 seconds
The gate, the default policies, the Claude Code hook and the proxy are free forever (Apache 2.0). No account, no daemon, no telemetry. Start with your own machine:
Running agents across a team? One rogue agent is the whole team’s blast radius. See the team plan — €149/mo flat →
One email when there's a catch worth showing: a real irreversible command an agent tried, and how the wall stopped it. Opt-in, no spam, no telemetry. The gate itself is free.
✓ you're on the list — first catch lands soon.