For developers

Atested for developers

You're the person who will install this, point your agents at it, and look at the chain when something goes wrong. This page is the technical path. Install, integration, policy, and verification — all of it concrete, with the specific commands and file paths, no marketing.

Install

Atested is a Python application. Clone the repository, create a virtualenv, install the dependencies, and run the proxy. The proxy listens on a configurable port, defaulting to 8080, and exposes endpoints compatible with the Anthropic, OpenAI, Gemini, and LiteLLM APIs. Point your agent at it with one environment variable:

ANTHROPIC_BASE_URL=http://localhost:8080/anthropic

That's the integration. The agent is now governed. Other providers work the same way — set the base URL to the matching route (/openai, /gemini, /litellm). The repository's README has the current list and the specific variable names.

What you see

When you run the proxy, it logs the environment it loaded, the signing key fingerprint, the resolved base directory policy, and the startup integrity hashes for the proxy code and policy rules. Every mediated operation now produces a chain record. You can tail the chain file, read individual records with the CLI, or open the dashboard to see the same data in a browser.

The CLI is called atested. The commands you'll use most:

Policy

Atested ships with a declarative rule set that covers the common governance patterns — file operations within known directories, read-only network access, denial of operations on sensitive paths, and so on. The rules live in capabilities/policy-rules.json and you can read them.

You configure the set of base directories Atested should consider "your work" — the paths where your agents are allowed to operate. The proxy reads this from configuration at startup and logs the resolved list so you can see exactly what it's enforcing.

For operations Atested can't classify confidently — opaque scripts, encoded payloads, unusual signatures — the decision is held for your approval. You approve from the dashboard or the CLI. Your approval is a chain record like everything else.

Verification

The chain is a file. You can inspect it with any text editor that understands JSON lines. Every record has the fields you need to understand what happened: the action, the classification, the policy decision, the rule that matched, the timestamp, the hashes that anchor it in the chain, and the signature.

Runtime integrity protection covers the chain file, proxy source, and policy rules. Startup records include the proxy code hash and policy rules hash; runtime policy drift is detected before policy evaluation; missing or truncated chain history is treated as an integrity violation instead of a fresh start.

The verifier is a script in the repository. Run it against any chain file — your own, or one you've been handed — and it reports whether the chain is intact, whether every signature validates, and the exact record where any break occurs. If you want to verify a chain six months from now on a different machine, you clone the repo and run the verifier. That's it.

Where to go next

The repository has the code, the current release, and the contributor documentation. The trust page has the integrity commitments. The docs cover the full architecture, classifier, policy, chain, and dashboard. If you want to see the proxy running against a real agent, install it and point Claude Code or any other API-compatible agent at it. Five minutes.