Frequently asked questions

Pricing, license, OS support, security posture, and how tamer compares to other AI coding workflows. Anything missing? Open a GitHub issue.

Product

Why is Tamer different from other AI solutions?

Tamer stands out with its "infrastructure-first" approach and radical transparency:

  • Interface via Standard Input (STDIN) — Unlike solutions that rely on specific APIs, Tamer wraps your existing CLI tools (Claude Code, Aider, etc.) via a terminal (PTY). It interacts with them exactly as a human would, ensuring universal compatibility without waiting for vendor API updates.
  • Keep Your Subscriptions — You continue to use your current LLM subscriptions (Claude Pro, Gemini Advanced) without change. Tamer is not a token reseller, but an orchestration and security layer.
  • Terminal Transparency — Every exchange, command, and AI thought is visible in real-time in your terminal. The terminal becomes the control point where nothing happens "under the hood" without your visibility.
Does tamer replace my Claude / Gemini subscription?

No — tamer runs on top of your existing LLM subscription. Bring your own Claude Code, Gemini CLI, or any other agent; tamer orchestrates them. Your keys, your model, your quota.

What tamer adds turns "an LLM that codes well sometimes" into a system that delivers:

  • Token savings — smart orchestration, spec-completeness gates, pre-dispatch dedup. 30–50% token reduction on multi-step features (fewer reruns, less "try again better").
  • Sharper specs — automatic surfacing of hidden constraints before the agent starts. The Master Agent (an AI supervisor that orchestrates workers, detects conflicts, and handles approvals automatically) asks what's missing first, not after.
  • Drift detection — the Master Agent continuously audits worker output, catching hallucinations, overconfidence and silent regressions before they ship.
  • 🛡️ SOC teams happy — every LLM action is journaled with a 7-field schema (timestamp, agent, version, task, input, output, human decision), automatic secret redaction, MCP allowlist, abnormal-usage detection. Compatible with SOC 2, ISO 27001, EU AI Act. Your auditors stop asking "how do you trace what AI does internally".
  • Governance audit trail — every decision, approval, message and escalation journaled. Built-in LLM registry, human-in-the-loop traceability, incident log.

Keep your Claude Max, Gemini Advanced, GPT-Plus, Cursor Pro — whatever you use. Tamer = orchestration, quality, and governance layer on top.

Which AI agents does tamer support?
Tamer wraps any CLI-based agent via PTY — no plugin or SDK required. Built-in adapters cover Claude Code, Aider, Gemini CLI, Cursor and Cline. Anything else can be wrapped with tamer -- <your-cli>. Read the deeper answer on Features →
What does Human-in-the-Loop mean for AI coding agents?
Every dangerous action — bash, file write, network call — is paused for an explicit human decision before execution. Tamer ships HITL by default, kernel-enforced, with mobile approval. Full HITL FAQ →
What happens if I'm offline when the agent needs approval?
The agent waits silently. The relay queues the approval request; once your phone reconnects you receive the notification and the agent resumes. There is no timeout. More on offline behaviour →
Is HITL alone enough to secure an AI agent?
No. HITL stops bad intent, but the kernel sandbox stops bad capability. Tamer ships both — Landlock + seccomp-BPF + bubblewrap on Linux, Job Object + Low Integrity Process on Windows — so even a missed approval cannot reach ~/.ssh/ or .env. Security architecture →

License & pricing

How much does tamer cost? Is there a free tier?
Tamer is free to self-host. There is no per-seat fee, no usage limit, and no telemetry. You run the relay on your own infrastructure (Docker, fly.io, bare metal, private VPC) and the CLI on each developer machine. No credit card, no signup. See the pricing page →
What license is tamer under? Can I use it commercially?
Tamer is released under the Business Source License 1.1 (BSL 1.1), which converts to Apache 2.0 four years after each release. Internal commercial use is permitted from day one — only resale of tamer as a managed competing service is restricted during the BSL window. The full license text lives in the LICENSE file on GitHub.
Does tamer work on Windows, macOS and Linux? What are the hardware requirements?
Yes — tamer ships single-binary CLIs for Linux (kernel ≥ 5.13 for Landlock, 4.x acceptable with seccomp-only fallback), macOS (12+ Apple Silicon and Intel), and Windows (10/11 64-bit, PowerShell 5+). The relay runs anywhere Docker runs. Footprint: ~30 MB CLI, ~80 MB relay container at idle. No GPU required.

Security & data

Does tamer send my code or secrets to the cloud?
No. The relay only sees an encrypted PTY stream and redacted metadata. API keys, .env values and SSH keys never leave your machine. Encryption is AES-256-GCM end-to-end; the server is a blind transport. Full data-flow answer →
Does the relay see my code or my approval payload?
No. Both the PTY stream and the approval payload are encrypted with AES-256-GCM keys derived on the CLI and your phone. The relay forwards opaque ciphertext. Cryptographic detail on the HITL page →
What audit logs does tamer keep? Is there compliance support (SOC 2 / ISO 27001)?
Every approval decision (allow / reject / edit), every sandbox denial, every loop-detector trigger and every supply-chain block is written to a structured JSONL audit log on the relay (rotated daily, configurable retention). The log can be shipped to your SIEM via syslog, OpenTelemetry, or file-tail. Tamer itself is not yet SOC 2 / ISO 27001 audited as a vendor — it is self-hosted, so the certification belongs to your deployment. The audit-log format is documented to make a SOC 2 evidence trail straightforward.
Is tamer GDPR-compliant? Where is the data stored?
Tamer is self-hosted, so the data controller is you. The CLI stores config in ~/.tamer/ on the developer machine; the relay stores ephemeral ciphertext + audit logs on the host you deploy it to (your VPC, your data centre, your fly.io region). No data ever transits a tamer-controlled cloud. Personal-data handling reduces to who has SSH access to your relay host. For EU customers, deploy the relay inside the EU and you are GDPR-aligned by construction.

Operations

Can I install tamer on my own servers?
Yes — tamer is on-premise by design. Install the CLI on developer machines and self-host the relay on Docker, fly.io, bare metal, or your private VPC. Install guide →
How do I allow Docker inside the sandbox?
Remove ~/.docker from file_deny and add it to home_binds in .tamer/config.yaml. The Docker socket lives outside $HOME and is accessible by default. Full Docker-in-sandbox recipe →
How do I update tamer (CLI and relay)?
CLI updates are pulled with tamer self-update (verifies a signed manifest before swapping the binary). The relay is a container — bump the tag in your compose / fly.toml and redeploy; in-flight approvals survive a graceful restart because the queue is persisted to disk. CLI and relay use a versioned protocol, so a slightly older CLI works against a newer relay during rolling upgrades.
Can my agent access Docker, deploy to Fly.io, or use other system tools from within the sandbox?

Yes — tamer exposes a dedicated sandbox.bwrap.system_binds option in .tamer/config.yaml. You can declare system sockets (/var/run/docker.sock, /run/podman/podman.sock) or auth paths (~/.fly, ~/.aws if authorized) that the agent needs to reach from inside the sandbox.

Each entry is filtered through an allowlist + blocklist (Docker socket, Podman socket, timezone, public certs — allowed; /proc, /sys, /etc/shadow, /root — blocked) to silently filter out high-risk paths. Binds are READ-ONLY by default; RW access is opt-in via system_binds_rw. Refer to the tamer-cli documentation (docs/sandbox-cross-platform.md) for the full list and detailed security guardrails.

Example — authorizing an agent to run docker build or fly deploy:

sandbox:
  bwrap:
    system_binds:
      - /var/run/docker.sock
    system_binds_rw:
      - /var/run/docker.sock
    home_binds:
      - ~/.fly
How do I uninstall tamer cleanly?
Run tamer uninstall on each developer machine — it removes the binary, ~/.tamer/, the PATH shim and the shell hooks, then prints a summary of every file it touched. On the relay host, stop and remove the container (and optionally the audit-log volume). No residual system-wide changes — tamer never installs into /usr, never edits sudoers, and never installs a daemon.

Comparison

How does tamer compare to Cursor, Cline, Aider's built-in approval, or Claude Code's permission mode?
Built-in approval flows are in-process: the agent itself decides what to ask. A jailbroken or malicious prompt can disable them. Tamer runs out-of-process — the kernel sandbox blocks the action even if the agent forgets to ask, and the approval check happens on a separate device. Tamer also adds remote (mobile) approval, structured audit logs, multi-agent orchestration, and per-agent rules in one place instead of one config per tool. Built-ins remain useful as a first line; tamer is the kernel-level second line.
Is HITL the same as "manual approval" in Claude Code?
Same idea, different layer. Claude Code's prompt is in-terminal and in-process. Tamer's HITL is on your phone, kernel-enforced, auditable, and works with any agent. Side-by-side detail →
Won't HITL slow my agent down?
Only on dangerous actions, and only the first time. The Master Agent learns from your decisions; safe patterns get auto-allowlisted on the next run. Median approval round-trip is sub-second on 4G. Latency benchmarks →

Still have a question?

Open a GitHub issue or read the per-area docs.

Open an issue Features → HITL → Security →