AI Router · DLP

Customer-owned, in-VPC trust perimeter for AI coding agents

See everything your coding agents send — and stop what shouldn't leave. Point Cursor, Claude Code, opencode, or Codex at the OpenScope AI Router and every call flows through an in-VPC gateway: content-aware DLP at the edge, per-model metering, and a signed receipt — structurally unable to read your prompts, a property you can validate, not take on faith.

One governed path

Every agent call takes the same governed path.

No new tool to learn for your engineers — they keep Cursor, Claude Code, opencode, or Codex. You just change the base URL to the router, and every request is governed and audited before it can leave your perimeter.

Authenticate

Per-workspace identity

Each agent call carries a key and a workspace label. A restricted repo is a deny-by-default channel — nothing from it reaches an external model, regardless of content.

Inspect & decide

Content-aware DLP at the edge

The full payload is scanned in plaintext at the router (TLS terminates here — a reverse proxy, not a man-in-the-middle). Proprietary IP, classification markers, and secrets are blocked before the prompt leaves your VPC.

Forward & receipt

Metered, signed, audited

Allowed calls go to the model in your own account, metered per model with cost. Every request produces an Ed25519-signed receipt and a metadata audit row — no prompt body required to reconcile.

Layered DLP

Catch IP by what it is — not just where it came from.

Three layers run on every payload. A restricted repo is blocked outright; the content layers are the backstop that still catches the same IP when a file is moved, renamed, or pasted from an allowed repo.

  • Content-class — proprietary source by structure: Verilog / SystemVerilog, VHDL, SPICE netlists, Liberty, SDC, LEF/DEF/GDS — and tapeout streams (GDSII / OASIS) by their format bytes, not a filename.
  • Markers — confidentiality & trade-secret labels, export-control (ITAR / EAR / ECCN), and foundry / PDK identifiers under NDA.
  • Secrets & PII — cloud keys, private-key blocks, API tokens, IEEE-1735 encrypted-IP pragmas, SSNs, and card-like numbers.
  • Deny-by-default channels — a restricted repo never egresses, period; the content layers prove it would have been caught anyway.
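
A minimal sketch of the layering described above, added here as an illustration and not taken from OpenScope's code. The rule ids, the `asic-core` workspace label and the patterns are assumptions, and the sample payloads are constructed.

```python
import re

# Assumed policy: workspace labels treated as deny-by-default channels.
RESTRICTED = {"asic-core"}

# Tapeout streams are recognised by leading format bytes, never a filename.
GDSII_HEADER = b"\x00\x06\x00\x02"  # first record: length 6, HEADER, int16 data
OASIS_MAGIC = b"%SEMI-OASIS\r\n"

# Text rules as (hypothetical rule id, pattern); illustrative, not exhaustive.
TEXT_RULES = [
    ("content.verilog", re.compile(rb"^\s*module\s+\w+.*?^\s*endmodule\b", re.S | re.M)),
    ("marker.export_control", re.compile(rb"\b(ITAR|EAR|ECCN)\b")),
    ("marker.confidential", re.compile(rb"\b(CONFIDENTIAL|TRADE SECRET)\b", re.I)),
    ("secret.aws_key_id", re.compile(rb"\bAKIA[0-9A-Z]{16}\b")),
    ("secret.private_key", re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("secret.ieee1735", re.compile(rb"`pragma\s+protect\b")),
]

def content_findings(payload: bytes) -> list[str]:
    """Return the id of every content rule the payload matches."""
    if payload.startswith(GDSII_HEADER):
        return ["content.gdsii"]
    if payload.startswith(OASIS_MAGIC):
        return ["content.oasis"]
    return [rule for rule, pattern in TEXT_RULES if pattern.search(payload)]

def decide(workspace: str, payload: bytes) -> dict:
    """Apply channel policy first; content layers always run as the backstop."""
    findings = content_findings(payload)
    if workspace in RESTRICTED:
        return {"decision": "block", "rule": "channel.restricted", "findings": findings}
    if findings:
        return {"decision": "block", "rule": findings[0], "findings": findings}
    return {"decision": "allow", "rule": None, "findings": findings}

# Constructed sample payloads.
RTL = b"// CONFIDENTIAL\nmodule alu(input a, output y);\n  assign y = a;\nendmodule\n"
GDS = GDSII_HEADER + b"\x02\x58" + b"\x00" * 8  # GDSII bytes, as if renamed notes.txt
FAKE_KEY = b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation example id
PLAIN = b"def add(a, b):\n    return a + b\n"

if __name__ == "__main__":
    for label, ws, body in [("plain", "web-app", PLAIN), ("rtl", "web-app", RTL),
                            ("rtl/restricted", "asic-core", RTL),
                            ("gds", "web-app", GDS), ("key", "web-app", FAKE_KEY)]:
        print(label, decide(ws, body))
```

The restricted-workspace result keeps its `findings` list, which is how a channel block can still show that the content layers would have caught the same payload from an allowed repo.
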

Demo · governed console — a restricted repo is blocked at the perimeter; ordinary code flows, audited and receipted

Real-time audit

What your security team sees — in real time.

Every coding-agent call, as it happens: which agent, the decision, the DLP rule that fired, the model it was served by, token counts and cost. The prompt and code never appear here — bodies live where OpenScope's own role is GRANT-denied at the database.

Demo · Security / IT view — live feed of every governed call, blocks surfaced as alerts

The feed is metadata, exportable to your SIEM. A block shows the rule and the bytes withheld; an allow shows the model and region it was served by. Your team gets the audit trail without anyone — including OpenScope — reading the prompt or the code.

  • Per-call decision, DLP rule, model · provider · region, tokens, cost.
  • Blocks surfaced as alerts; clean restricted-repo calls still denied by channel policy.
  • Bodies are stored where the vendor role cannot read them — verifiable in the demo.

Metering & receipts

Per-model spend, signed for reconciliation.

A real Bedrock-class lineup, metered per model with unit price and cost — and a signed receipt for every call, so finance and security can reconcile spend without ever reading a prompt.

Your administrator curates the lineup — enable the models you want, turn off the expensive or low-quality ones; the router refuses a disabled model at the edge. Every call is metered by model and Ed25519-signed, so a receipt reconciles against your provider bill on its own.

  • Per-model breakdown: calls, tokens, unit price, cost — for a tenant or across all of them.
  • Admin model policy: enabled / disabled per model, enforced by the router.
  • Ed25519 receipts over canonical metadata — no body content, fully verifiable.

Demo · Models & spend — per-model usage, unit price, and cost, with admin enable/disable

Customer-owned · validatable

Structurally blind to your content — and you can prove it.

The router runs in your VPC and nothing transits a third party to be scanned. OpenScope operators cannot read prompts or code — not because we promise, but because the database refuses the query and the IAM and schema GRANTs show the access never existed.

Demo · signed receipts — Ed25519 over metadata, verifiable against your own logs

This is the difference from an edge-hosted gateway: scanning happens in your perimeter, on infrastructure you own, source-available so you can audit exactly what it does. The demo lets an “OpenScope operator” role try to read prompt bodies — and shows Postgres refusing the query.

Bring your own agent

Your real tools — the same governance.

No proxy to babysit, no SDK to adopt. Set the base URL and key, and the agent your engineers already use is governed.

Anthropic-compatible

Claude Code · opencode

Point ANTHROPIC_BASE_URL at the router and pass your key — Claude Code is governed with no model name to set. opencode adds a custom provider in one config block.

OpenAI-compatible

Cursor · Codex CLI · Cline · Aider

Override the OpenAI base URL to the router's /v1 endpoint. Any model name works — unknown names are remapped to the demo default; a disabled model is refused at the edge.

See the AI Router govern a real coding agent.

Open the live demo, paste a synthetic RTL file or a fake AWS key, and watch it get stopped before it leaves the perimeter — with a signed receipt and a SOC alert to match.

What would your agents leak today, and who would know?