Overview
The Velatir desktop client needs a small set of operating system permissions to intercept and inspect AI traffic on a managed device. Every permission is requested at install time and is documented below so administrators can review exactly what the app does and why. The desktop client never requests permissions it does not need. There is no microphone access, no camera access, no location access, and no full disk access requirement.
Windows
The Windows installer requests administrator elevation once. From that single elevation it performs four discrete operations.
Administrator elevation
The MSI installer requires administrator rights because the operations that follow each need elevated privileges. Without elevation the installer cannot register the Wintun driver, install the trusted root certificate, or create a logon scheduled task.
The CLI also requires administrator rights for commands that change traffic interception or configuration. See CLI reference for which commands require elevation.
Wintun virtual network adapter
The desktop client uses the Wintun TUN adapter to capture outbound TCP traffic at the kernel level. The Wintun driver is signed by its upstream maintainer (WireGuard) and is bundled with the installer for both x64 and arm64.
On modern Windows builds the driver loads on demand. Administrator rights are required at install time to register it with the operating system.
Wintun is widely deployed and is the same adapter used by WireGuard. The desktop client does not modify Wintun’s source or behaviour.
Trusted root certificate
The installer adds the Velatir CA certificate to the LocalMachine\Root trusted root store. This certificate authority is used only by the local MITM proxy to terminate TLS for supported AI applications.
If group policy or another system constraint prevents writing to LocalMachine\Root, the installer falls back to CurrentUser\Root for the installing account. Other users on the device will not see the desktop client until the certificate is also trusted in their context.
For organisations that operate their own internal certificate authority, see Bring Your Own Certificate.
Logon scheduled task
The installer creates a scheduled task named Velatir that starts the agent at user logon with the HIGHEST run level. This is how the watchdog can keep the host alive across user sessions without running as a Windows service.
The task runs only when a user is logged on. The desktop client does not run in Session 0.
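An added read-only audit for the trusted root certificate and logon scheduled task described above (example code, not part of Velatir's tooling). It assumes the CA certificate's subject contains "Velatir", which this page does not state, so substitute the real subject or thumbprint; the function names are hypothetical.

```powershell
# Added example, not Velatir tooling. Read-only checks against the local device.
$SubjectPattern = '*Velatir*'  # ASSUMPTION: placeholder subject match, not taken from the docs
$TaskName       = 'Velatir'    # task name as stated on this page

function Get-VelatirCaScope {  # hypothetical helper name
    # Cert:\CurrentUser\Root is a merged view that also lists machine-wide roots,
    # so a per-user fallback install is a certificate that appears there but is
    # absent from Cert:\LocalMachine\Root.
    $machine = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like $SubjectPattern)
    $user    = @(Get-ChildItem Cert:\CurrentUser\Root  | Where-Object Subject -like $SubjectPattern)
    $all     = @($user + $machine | Sort-Object Thumbprint -Unique)
    foreach ($cert in $all) {
        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            MachineWide = ($machine.Thumbprint -contains $cert.Thumbprint)
        }
    }
}

function Get-VelatirTaskState {  # hypothetical helper name
    # Returns $null if the task is missing or not visible to the current account.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) { return $null }
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    [pscustomobject]@{
        TaskName     = $task.TaskName
        State        = $task.State
        RunLevel     = $task.Principal.RunLevel   # expected: Highest
        UserId       = $task.Principal.UserId
        GroupId      = $task.Principal.GroupId
        LogonTrigger = [bool]$logon               # expected: True
        Executes     = ($task.Actions | ForEach-Object { $_.Execute }) -join '; '
    }
}

Get-VelatirCaScope   | Format-Table -AutoSize
Get-VelatirTaskState | Format-List
```

A row with `MachineWide` set to `False` indicates the CurrentUser\Root fallback was used, so other accounts on the device do not yet trust the CA.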
What Windows Will Prompt For
| Prompt | When | What it grants |
|---|---|---|
| User Account Control (UAC) | At install | Administrator rights for the MSI session |
| SmartScreen warning | First time a new MSI version is seen | One-time bypass to run the signed installer |
| UAC for CLI write commands | When running velatir start, stop, set-api-key, etc. | Per-command elevation for state-changing operations |
macOS
On macOS the desktop client uses Apple’s supported NETransparentProxyProvider system extension. There is no kernel extension and no patching of system frameworks.
Administrator authentication
The installer package asks for an administrator password once. This is the standard macOS installer flow.
Administrator rights are also required for CLI commands that change interception or configuration. See CLI reference for the full list.
System Extension approval
Velatir ships its network extension as a system extension signed with Velatir’s Apple Developer ID and notarised by Apple.
On first run, macOS prompts the user to approve the extension in System Settings > General > Login Items & Extensions > Network Extensions. Until approval is granted, traffic interception cannot start.
The Velatir entitlements are:
- com.apple.developer.networking.networkextension with the app-proxy-provider-systemextension capability
- com.apple.developer.system-extension.install
Network Extension capability
The system extension activates a NETransparentProxyManager configuration so the operating system routes outbound TCP flows through the Velatir extension. macOS records this configuration under Network Extensions in System Settings and surfaces it to the user.
The capability is granted to the Velatir bundle identifier only. Uninstalling Velatir removes the configuration.
System keychain certificate
The installer adds the Velatir CA certificate to the System keychain (/Library/Keychains/System.keychain). This certificate is trusted by Safari, Chrome, Edge, and any other application that uses the macOS trust store.
Some applications maintain their own trust stores and do not consult the System keychain. See Troubleshooting for the common cases (Node.js, Python, JVM).
For organisations that operate their own internal certificate authority, see Bring Your Own Certificate.
What macOS Will Prompt For
| Prompt | When | What it grants |
|---|---|---|
| Administrator password | At install | Permission to run the installer package |
| System Extension approval | First run | Permission to load the Velatir network extension |
| Authorisation prompt for CLI write commands | When running velatir start, stop, set-api-key, etc. | Per-command elevation for state-changing operations |
What the Desktop Client Does Not Do
To make the trust boundary explicit:
- The desktop client does not request Full Disk Access.
- It does not read user files, browser history, keychain entries, or clipboard contents.
- It does not capture screenshots or keystrokes.
- It does not modify the operating system kernel. macOS uses a system extension and Windows uses a userspace TUN adapter.
- It does not intercept traffic from applications that are not in the supported application list. All other traffic passes through without TLS decryption.
Next Steps
- VPN compatibility: How the desktop client behaves alongside corporate VPNs.
- Enterprise deployment: Silent install, bring-your-own CA, and MDM rollouts.
- Data privacy: What Velatir stores and how it scrubs sensitive content.
- Troubleshooting: Diagnose certificate and approval issues.