teams & fleets

how do I enforce guardrails on ai coding agents across my team?

Short answer

Put a deterministic, fail-closed veto in front of every engineer's agent. gate.cat is free per machine (pip install gate-cat) and blocks irreversible shell commands — rm -rf, DB drop, cloud teardown, secret exfiltration — before they run, with no model in the decision path.

The part a team actually needs is the layer above one laptop: a fleet-wide record, alerts, and one policy set pushed to every machine, so you can see coverage and consistency instead of trusting that each person installed it and kept their rules current. That is what the Team plan is for.

On a team, the risk is not that you run the wrong command — it's that any one of your engineers' agents does, on a machine that can reach shared infrastructure. One rogue agent on one laptop is the whole team's blast radius.

why a team is a different problem than a solo dev

A solo developer installs the guard once and moves on. A team has three problems a single install doesn't solve:

the free layer: a deterministic wall on every machine

Each developer runs the same free core. On the PreToolUse step — before the command executes — gate.cat inspects the command string and its paths for irreversible shapes and refuses the dangerous ones. It's a string-and-path deny-list, not a model call, so the decision is sub-millisecond and identical every time. It installs as a Claude Code hook, a Cursor hook, or a gated shell in front of Codex/aider.

the team layer: coverage, alerts, and one policy set

The paid tier doesn't unlock the safety — the safety is free on every machine. It adds the things you can only do at fleet scale:

Pricing is flat, not per-seat: Team €149/mo for up to 10 machines, Business €399/mo. See the full team plan →

$ gate.cat fleet --last 7d gate.cat · fleet veto log · last 7 days (8 machines reporting) machines covered ........... 8 / 8 interventions .............. 17 by rule: FS_DESTROY 6 · DB_DROP 4 · CLOUD_TEARDOWN 3 · KEY_EXFIL 2 · RUNAWAY 2 loudest machine ............ ci-runner-3 (5 interventions) gate mode .................. enforcing (fail-closed) on all

frequently asked

Can I make sure every engineer actually has the guard turned on?

The free core is installed per machine, so on its own you can't see who has it. The Team plan is exactly this gap: each machine reports veto events to one place, so you get a fleet-wide view of which machines are covered and what fired, plus alerts when a guard trips. Business adds signed policy sync so the same rule set is pushed to every machine instead of each dev editing their own.

Is the Team plan priced per seat?

No. Team is a flat €149/mo for up to 10 machines, and Business is €399/mo. It is not per-seat, so adding another engineer's laptop does not change the bill until you pass the machine limit.

What does the guard actually block, and does it call a model?

It is a deterministic, fail-closed deny-list. On the PreToolUse step, before a command runs, it inspects the command string and paths for irreversible shapes: recursive delete, disk wipe, database drop, cloud teardown, secret exfiltration and runaway loops. There is no model in the decision path, so the decision is sub-millisecond and does not vary run to run.

What does it NOT catch?

It matches known dangerous shapes, so a deliberately obfuscated or genuinely novel command can slip past it. It is not a sandbox and does not replace least-privilege credentials, backups or code review. It measured 178/178 on a published irreversible-command suite and has one false-block documented in the repo. Treat it as one deterministic layer, not the only one.

Does anything leave our machines?

The free core has zero telemetry and runs entirely local. The fleet record is opt-in Cloud, off by default, and is designed so the provider cannot read your entries because each event is encrypted on your machine. Cloud checkout stays in announce mode until that end-to-end-encrypted path ships.

give every machine the same wall — 60 seconds

The gate, the default policies, the Claude Code hook and the proxy are free forever (Apache 2.0). No account, no daemon, no telemetry. Start with your own machine:

$ pip install gate-cat

Running agents across a team? One rogue agent is the whole team’s blast radius. See the team plan — €149/mo flat →

One email when there's a catch worth showing: a real irreversible command an agent tried, and how the wall stopped it. Opt-in, no spam, no telemetry. The gate itself is free.

✓ you're on the list — first catch lands soon.

keep reading