Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.velatir.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

The most common questions we hear about the Velatir desktop client, grouped by topic. If your question is not here, Troubleshooting covers diagnosis flows, and your account team can help with anything operational.

What It Is and What It Does

The browser extension covers AI used in the browser. The desktop client covers AI used outside the browser: IDE-based assistants like GitHub Copilot, office suite Copilots in Word and Excel, terminal tools like Claude Code, and native desktop AI clients. The two are complementary. Many organisations deploy both for full coverage.
No. The desktop client operates in apps-only mode. It only decrypts traffic from a curated list of supported AI applications, identified by process, hostname, and request path. Everything else is blind-relayed without decryption.
Coverage includes GitHub Copilot (VS Code, JetBrains Rider, IntelliJ IDEA, Visual Studio, Xcode, Neovim, GitHub Copilot CLI), Microsoft Copilot in Word, Excel, PowerPoint, Outlook, and Teams, the standalone Microsoft Copilot desktop app, Claude Code (CLI and VS Code), Claude Desktop, Claude for Word, and ChatGPT for Word. See the supported applications table for the current list. If you need coverage for an application that is not yet supported, request it through your account team.
The host runs the proxy and submits traces. The agent is a background supervisor that keeps the host alive and applies updates. The watchdog is the supervisor loop inside the agent that runs every 30 seconds. See How it works for the full architecture.

Installation and Updates

A signed MSI for Windows and a signed, notarised PKG for macOS. Linux support is in development. See Download and install.
Yes. Microsoft Intune, Jamf Pro, and any MDM that supports MSI or PKG deployment work out of the box. See Enterprise deployment.
The agent polls every four hours, downloads new payloads to a versioned directory, and atomically swaps a current symlink. Previous versions stay on disk until the new one is confirmed running. Users can also force an update with velatir update --apply. There is no separate update service to manage.
Yes. Tenant-specific update channels are available for organisations that need to coordinate desktop-app updates with their own change-management process. Contact support to enable this for your tenant.
Use Add/Remove Programs on Windows (or msiexec /x), and the bundled uninstall.sh on macOS. Both flows remove the binaries, the certificate, and the platform-specific networking artefacts cleanly. See Download and install.

Permissions and Privacy

Administrator rights at install time on both platforms. On macOS, a system extension approval. The full list with rationale is documented in Permissions.
No. The desktop client requests none of these permissions. It does not request Full Disk Access on macOS. It does not capture screenshots or keystrokes. Its only inputs are the network connections of supported AI applications.
For each captured interaction, a trace containing the prompt, the response, the model, token counts, and process context. What gets stored after capture is governed by your agent configuration and the data privacy settings on your tenant. See Data privacy.
The host needs to reach api.velatir.com to submit traces. If the device is offline, the proxy continues to intercept supported applications and the host buffers traces, but no agent evaluation can take place until connectivity returns. Existing AI applications that themselves work offline will continue to function.

Networking

Yes, including split-tunnel and full-tunnel VPNs. macOS uses Apple’s supported NETransparentProxyProvider API; Windows uses a Wintun adapter with VPN-aware binding. The single known limitation is that the Windows path captures VPN state at startup; a VPN state change while the desktop client is running requires velatir restart. See VPN compatibility.
On Windows, the desktop client blocks outbound UDP 443 so traffic stays on TCP, where it is observable. This is rarely user-visible since most applications fall back to HTTPS over TCP automatically. macOS routing already redirects the supported flows to the proxy.
The watchdog detects this within 30 seconds and respawns the host. If the transparent proxy was active, the watchdog also tears down the proxy networking so the device does not lose internet access in the gap. See How it works.

Certificates

Yes. Provide a PFX bundle and the desktop client will use it as the MITM authority instead of the Velatir CA. This is the recommended path for organisations that already operate an internal CA. See Bring Your Own Certificate.
Runtimes that maintain their own trust stores (Node.js, Python requests, JVM) need an explicit pointer to the Velatir CA. See Troubleshooting.
Pinned applications are detected and let through unmodified. They cannot be intercepted without the application cooperating. If a pinned application is important to your compliance workflow, contact your account team.

Operations

Run velatir status --json as a Microsoft Intune Remediation, a Jamf Pro extension attribute, or any similar device-state collector. The JSON includes agent and host status, version, transparent proxy state, and last trace timestamp.
Redeploy the install command with the new key, or run velatir set-api-key --key vltr_... on the device. The host restarts automatically and picks up the new key immediately.
Nothing visible besides a tray icon. Supported AI applications work exactly as they did before; users are not prompted for approval or anything else. Compliance enforcement (block, escalate) only changes behaviour when an agent in Enforcer mode produces that intent.

Next Steps

Download and install

Set the app up on Windows or macOS.

Enterprise deployment

Roll out across your organisation.

Troubleshooting

Diagnose the issues most commonly seen in production.

How it works

The architecture behind the app.