Skip to content

AIGP Browser Extension — Public AI Governance

AIGP Browser Extension — Public AI Governance

PRIVATE AND PROPRIETARY. Owned by Kanjani AI Research & Causum. See NOTICE.md.

Status: SPEC

Purpose

Close the Public AI governance gap by intercepting prompts sent to consumer AI services (ChatGPT, Claude, Gemini, etc.) and applying AIGP protocol governance: REQUEST check, policy evaluation, audit logging, and optional redirect to the governed Merlin alternative.

Problem Statement

Public AI is the only AI category with zero visibility, zero control, and zero audit. A browser extension running AIGP protocol changes this:

Before After
No visibility into prompts Every prompt logged via AIGP RECORD
No control over data leaving Policy Engine evaluates before submission
No audit trail Full trail: who, what, where, when
No alternative offered “Use Merlin instead” redirect option

Architecture

Browser (user types prompt)
AIGP Extension (content script)
↓ intercepts before submit
AIGP REQUEST → governance-server Policy Engine
┌─────────────────────────────────────┐
│ Decision: │
│ ALLOW → log + let it through │
│ WARN → show warning, user decides│
│ BLOCK → prevent submission │
│ REDIRECT → offer Merlin instead │
└─────────────────────────────────────┘
AIGP RECORD → audit trail (who, what, where, when)

Supported Sites

Service URL Pattern Detection
ChatGPT chat.openai.com/* Textarea intercept
Claude claude.ai/* Textarea intercept
Gemini gemini.google.com/* Textarea intercept
Copilot copilot.microsoft.com/* Textarea intercept
Perplexity perplexity.ai/* Textarea intercept
Custom Configurable URL list Admin-managed

Extension Components

aigp-browser-extension/
├── manifest.json # Chrome MV3 manifest
├── background.js # Service worker — AIGP communication
├── content.js # Content script — intercepts prompts on AI sites
├── popup.html/js # Extension popup — status, settings, redirect
├── options.html/js # Configuration — governance-server URL, user identity
├── aigp-client.js # Lightweight AIGP protocol client (REQUEST/RECORD)
└── rules.json # Declarative net request rules (optional blocking)

AIGP Integration

On prompt submission (content.js):

// Intercept before the prompt is sent
const prompt = getPromptText();
const site = window.location.hostname;
// AIGP REQUEST — ask governance-server if this is allowed
const decision = await aigpRequest({
app_id: "BROWSER_EXTENSION",
actor: userEmail,
operation: "public_ai_prompt",
context: {
site: site,
prompt_length: prompt.length,
contains_pii: detectPII(prompt),
contains_code: detectCode(prompt),
sensitivity: classifyPrompt(prompt),
}
});
if (decision.action === "BLOCK") {
showBlockedUI("This content cannot be sent to " + site);
preventDefault();
} else if (decision.action === "WARN") {
showWarningUI("This may contain sensitive data. Continue?", () => {
aigpRecord(prompt, site, "ALLOWED_AFTER_WARN");
allowSubmit();
});
} else if (decision.action === "REDIRECT") {
showRedirectUI("Would you like to use Merlin instead?", merlinUrl);
} else {
// ALLOW — log and let through
aigpRecord(prompt, site, "ALLOWED");
allowSubmit();
}

AIGP RECORD (background.js):

async function aigpRecord(prompt, site, decision) {
await fetch(`${governance-server_URL}/api/v1/aigp/record`, {
method: "POST",
headers: {"Content-Type": "application/json", "X-AIGP-App-Id": "BROWSER_EXTENSION"},
body: JSON.stringify({
app_id: "BROWSER_EXTENSION",
actor: userEmail,
operation: "public_ai_prompt",
target_service: site,
decision: decision,
prompt_hash: sha256(prompt), // hash only — don't send full prompt to governance-server
prompt_length: prompt.length,
timestamp: new Date().toISOString(),
sensitivity: classifyPrompt(prompt),
})
});
}

Policy Rules (Cedar — in Policy Engine)

// Block prompts containing PII to any public AI
forbid(
principal,
action == AgentCore::Action::"PublicAIPrompt",
resource is AgentCore::Gateway
) when { context.contains_pii == true };
// Warn on code submissions
permit(
principal,
action == AgentCore::Action::"PublicAIPrompt",
resource is AgentCore::Gateway
) when { context.contains_code == true }
advice { "warn": "Code detected. Consider using Merlin for code-related tasks." };
// Allow everything else but log it
permit(
principal,
action == AgentCore::Action::"PublicAIPrompt",
resource is AgentCore::Gateway
);

Privacy Design

Principle Implementation
Prompt content stays local Only hash + metadata sent to governance-server (not full prompt text)
User identity from SSO Extension authenticates via corporate IdP (Cognito/Okta)
Opt-out possible User can disable (but disabling is logged as a governance event)
No prompt storage governance-server stores metadata only — prompt hash, length, classification
Transparency Extension shows badge with decision (✅ allowed / ⚠️ warned / 🚫 blocked)

Deployment

Method Target
Chrome Web Store (private) Managed Chromebooks, corporate Chrome
Edge Add-ons (private) Corporate Edge deployments
Group Policy / MDM Force-install via Intune/JAMF
Self-hosted Internal distribution for air-gapped environments

Metrics (visible in governance-server dashboard)

  • Prompts intercepted per day (by site, by user, by classification)
  • Block/warn/allow/redirect ratios
  • Top sites by usage
  • Sensitivity distribution
  • Redirect acceptance rate (how often users choose Merlin)

Dependencies

  • governance-server /api/v1/aigp/record endpoint (exists)
  • Policy Engine for decision logic (exists)
  • Corporate IdP for user identity (Cognito — exists)
  • PII/code detection (client-side, lightweight regex + heuristics)

Limitations

  • Cannot intercept API calls (only browser UI)
  • Cannot prevent copy-paste to mobile apps
  • Users can disable (but disabling is logged)
  • Site DOM changes may break intercept (needs maintenance per site)