Pluck Studio / Bureau

TRIPWIRE

Wireshark-of-agent-traffic. A JS-layer interceptor patches globalThis.fetch and node:http/node:https so every outbound LLM request from your dev machine is captured, attested, and (optionally) notarized. Per-machine timeline lives at tripwire/me.

Phase 2 alpha — JS-layer only

This release ships the in-process interceptor. It covers every LLM client that runs in a Node process and uses standard HTTP, which is essentially all of them.

Native macOS Network Extension and Linux eBPF paths are deferred to Phase 2.5: they require entitlements and libbpf bindings that aren't trivial to ship inside a published npm package. The JS layer ships first; kernel hooks follow when the demand justifies the entitlement application.

Install

pluck bureau tripwire install --keys ./keys --out ./.tripwire

Add --notarize to publish non-green cassettes to Sigstore Rekor. The default is local-only: bodies stay on disk in ./.tripwire/cassettes/.

Default capture policy

  • api.openai.com — OpenAI
  • api.anthropic.com — Anthropic
  • generativelanguage.googleapis.com — Google AI
  • openrouter.ai/api — OpenRouter
  • localhost:11434 / 127.0.0.1:11434 — Ollama

Override via --policy ./tripwire-policy.json for private endpoints or watched-model lists.

Privacy posture

  • Bodies are local only. The cassette stays on disk; the dot summary carries only sanitised metadata.
  • No SSL termination. TRIPWIRE runs in-process, so it sees the request before the HTTPS stack encrypts it. We don't MITM.
  • Notarization is opt-in. Pass --notarize only when you accept that cassette content becomes public on the Rekor log.
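
An added example (not TRIPWIRE's source) of how an in-process fetch interceptor with a host policy can work: it matches outbound URLs against the default list above and records metadata only, covering the globalThis.fetch path. The "host[:port][/path-prefix]" entry syntax, the names matchPolicy and installInterceptor, and the record fields are assumptions made for illustration.

```javascript
// Added illustration, not TRIPWIRE source. Entries mirror the default list above;
// the "host[:port][/path-prefix]" string syntax is an assumption.
const DEFAULT_POLICY = [
  "api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com",
  "openrouter.ai/api", "localhost:11434", "127.0.0.1:11434",
];

// Return the policy entry that covers rawUrl, or null if it is not watched.
function matchPolicy(rawUrl, policy = DEFAULT_POLICY) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; } // leave bad URLs to fetch itself
  for (const entry of policy) {
    const slash = entry.indexOf("/");
    const hostPort = slash === -1 ? entry : entry.slice(0, slash);
    const prefix = slash === -1 ? "" : entry.slice(slash);
    // Exact host comparison: url.host carries the port only when it is
    // non-default, and lookalikes such as api.openai.com.example do not match.
    if (url.host !== hostPort) continue;
    // Segment boundary check so "/api" does not also match "/apix".
    if (!prefix || url.pathname === prefix || url.pathname.startsWith(prefix + "/")) return entry;
  }
  return null;
}

// Wrap target.fetch (globalThis by default). Watched requests push a metadata-only
// record to sink: no headers, query string or body content is copied.
function installInterceptor(sink, target = globalThis, policy = DEFAULT_POLICY) {
  const original = target.fetch;
  target.fetch = function patchedFetch(input, init) {
    const isRequest = typeof Request !== "undefined" && input instanceof Request;
    const rawUrl = isRequest ? input.url : String(input);
    const entry = matchPolicy(rawUrl, policy);
    if (entry) {
      const { host, pathname } = new URL(rawUrl);
      const method = ((init && init.method) || (isRequest ? input.method : "GET")).toUpperCase();
      const body = init && init.body;
      const bodyBytes = typeof body === "string" ? new TextEncoder().encode(body).length : null;
      sink.push({ at: new Date().toISOString(), entry, host, path: pathname, method, bodyBytes });
    }
    return original.call(target, input, init); // the request itself is passed through untouched
  };
  return () => { target.fetch = original; }; // uninstall handle
}
```

Because the record is built from the parsed URL's host and pathname only, an API key sent in a header or query string never reaches the sink.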