{"slug": "local-privacy-filter-for-claude-code", "title": "Local Privacy Filter for Claude Code", "summary": "Outgate AI released og-local, a local privacy proxy that intercepts API calls from coding agents to detect and redact personally identifiable information and secrets before they reach third-party large language models. The single binary runs on a user's machine, replacing sensitive data with opaque placeholders and restoring the originals in responses, with detection performed locally via OpenAI's privacy-filter ONNX model. The tool supports macOS, Linux, and Windows, with full redaction capabilities on most platforms except Intel-based Macs.", "body_md": "A local privacy proxy for coding agents.\n\nWhen your coding agent reads a file, the file gets shipped to a third-party LLM. Often that's fine. The file is open-source, or your team has a vendor agreement that covers it. Sometimes it isn't: a `.env`\n\nslipped into a diff, a customer email in a test fixture, an API key in a comment, a stack trace from a private service.\n\n**og-local** is a single binary that runs on your machine, intercepts the API calls your agent makes, detects PII and secrets in the prompt body before it leaves localhost, swaps them with opaque placeholders, forwards the redacted prompt upstream, and transparently restores the originals in the response. The agent never sees the difference. The upstream provider never sees the secrets.\n\nDetection runs in-process via the [ openai/privacy-filter](https://huggingface.co/openai/privacy-filter) ONNX model. There's no cloud round-trip and no network call to anywhere except the upstream provider you were already calling. The model is fetched once with\n\n`ogl model pull`\n\n; everything after that is local.macOS / Linux:\n\n```\ncurl -fsSL https://raw.githubusercontent.com/outgate-ai/og-local/main/scripts/install.sh | sh\n```\n\nWindows (PowerShell):\n\n```\nirm https://raw.githubusercontent.com/outgate-ai/og-local/main/scripts/install.ps1 | iex\n```\n\nThis installs the `ogl`\n\nbinary and, on platforms that support redaction, places the bundled ONNX Runtime where `ogl`\n\nexpects it. Then download the detection model once:\n\n```\nogl model pull          # ~840MB into ~/.cache/og-local; also fetches the ONNX Runtime if missing\n```\n\nThat's it — `ogl claude \"...\"`\n\nand `ogl codex \"...\"`\n\nnow redact.\n\nIf anything is missing on first run, `ogl`\n\noffers to download it on the spot (showing the expected size) before launching the agent; in non-interactive sessions it keeps the explicit error instead.\n\n**Manual download.** Grab a signed archive from [Releases](https://github.com/outgate-ai/og-local/releases/latest):\n`ogl_<version>_<os>_<arch>.tar.gz`\n\n(or `.zip`\n\non Windows). On a redaction-capable platform the archive contains the binary plus `lib/libonnxruntime.{so,dylib}`\n\n(`lib\\onnxruntime.dll`\n\non Windows); copy that lib to `~/.cache/og-local/runtime/<os>-<arch>/`\n\n, or point `OGL_ONNXRUNTIME_LIB`\n\nat it.\n\n`go install`\n\n.`go install github.com/outgate-ai/og-local/cmd/ogl@latest`\n\nproduces a **passthrough build only** — it cannot redact (no cgo, no bundled model runtime). Use the install script or a release archive for redaction.\n\n| Platform | Redaction |\n|---|---|\n| linux / amd64 | ✅ full |\n| linux / arm64 | ✅ full |\n| macOS / arm64 (Apple Silicon) | ✅ full |\n| Windows / amd64 | ✅ full |\n| macOS / amd64 (Intel) |\n\nRedaction needs two native libraries: [ daulet/tokenizers](https://github.com/daulet/tokenizers) (the Windows staticlib is built from the pinned source during release, since upstream doesn't publish one) and\n\n[ONNX Runtime](https://github.com/microsoft/onnxruntime), which ships no Intel-macOS binary — hence the one passthrough target. On a passthrough platform\n\n`ogl claude`\n\n/`ogl codex`\n\nexit with a clear \"this build cannot redact\" message rather than forwarding your prompt unprotected.\n\nmacOS first run:the binary and bundled library aren't notarized yet, so Gatekeeper may quarantine them. Clear it with`xattr -d com.apple.quarantine $(command -v ogl)`\n\n(and the lib under`~/.cache/og-local/runtime/`\n\n), or right-click → Open once.\n\nWindows first run:the`.exe`\n\nis unsigned, so SmartScreen may warn. Choose \"More info\" → \"Run anyway\", or unblock the file with`Unblock-File`\n\nin PowerShell.\n\nReleases ship `checksums.txt`\n\nand a keyless [cosign](https://github.com/sigstore/cosign) signature:\n\n```\nsha256sum -c checksums.txt          # or: shasum -a 256 -c checksums.txt\n\ncosign verify-blob \\\n  --certificate-oidc-issuer https://token.actions.githubusercontent.com \\\n  --certificate-identity-regexp '^https://github.com/outgate-ai/og-local/.github/workflows/release.yml@refs/tags/v.*$' \\\n  --signature checksums.txt.sig \\\n  checksums.txt\nogl model pull                      # one-time, ~800MB\n\n# Anthropic-flavored agent\nogl claude \"fix the failing test in cmd/server\"\n\n# OpenAI-flavored agent\nogl codex \"review this PR\"\n```\n\n`ogl`\n\nstarts a local proxy on a random loopback port, points the child agent at it, and `exec`\n\ns the agent as a child process. Your full environment forwards to the child, and the agent keeps using whatever credentials it already has — `ogl`\n\nonly redirects where the requests go. When the agent exits, `ogl`\n\nexits.\n\nMost agents are redirected with their `*_BASE_URL`\n\nenv var. Codex ignores that variable, so `ogl codex`\n\ninstead writes a dedicated provider config under `~/.codex/ogl`\n\n(via `CODEX_HOME`\n\n) pointing Codex at the proxy; your own `~/.codex/config.toml`\n\nis left untouched.\n\n`ogl codex`\n\nworks with both Codex sign-in modes. With an API key (`OPENAI_API_KEY`\n\n, or `auth_mode = \"apikey\"`\n\nin `~/.codex/auth.json`\n\n) it forwards to `api.openai.com`\n\n. With a ChatGPT subscription login it forwards to `chatgpt.com/backend-api/codex`\n\n, the endpoint that login's token is scoped for — sending those requests to `api.openai.com`\n\nwould fail. The mode is read from `~/.codex/auth.json`\n\n, with `OPENAI_API_KEY`\n\ntaking precedence; either way the proxy forwards your existing Codex credentials and redacts the prompt body in between.\n\nNo daemon, no PID file, no global state.\n\nFor each outbound request, `ogl`\n\nextracts the user-supplied content fields (`messages[].content`\n\n, `system`\n\n, tool-call inputs, and tool results), runs the ONNX-based PII detector locally over each field independently, replaces detected spans with opaque placeholders (`OG_PRIVATE_EMAIL_<hex>`\n\n, `OG_SECRET_<hex>`\n\n, and the like), forwards the rewritten body upstream, and inverts the substitution on the response, including streaming responses where placeholders may split across SSE events. Request frame fields (`model`\n\n, `temperature`\n\n, tool schemas, ids) are passed through unchanged. The placeholder↔value mapping lives only for the duration of a single request — there is no persistent vault. Placeholders themselves are deterministic for the lifetime of an `ogl`\n\nsession: the same value redacts to the same placeholder on every request, so re-sent conversation history stays byte-identical and provider-side prompt caching keeps working.\n\n- OpenAI Chat Completions (\n`/v1/chat/completions`\n\n), streaming and non-streaming - OpenAI Responses (\n`/v1/responses`\n\n) and ChatGPT-subscription Codex (`/backend-api/codex/responses`\n\n) - Anthropic Messages (\n`/v1/messages`\n\n), streaming and non-streaming, including tool use - Other paths pass through untouched\n\n| Variable | Purpose |\n|---|---|\n`OGL_CACHE_DIR` |\nOverride the model + runtime cache directory (default: `~/.cache/og-local` ) |\n`OGL_DEBUG` |\n`1` logs proxy activity to a file (no PII values); a path chooses the file. The path is printed at startup |\n`OGL_ONNXRUNTIME_LIB` |\nPath to the ONNX Runtime shared library, overriding the default cache lookup |\n\nSee [CONTRIBUTING.md](/outgate-ai/og-local/blob/main/CONTRIBUTING.md). The TL;DR:\n\n```\ngit clone https://github.com/outgate-ai/og-local\ncd og-local\nmake setup    # one-time: installs git hooks\nmake ci       # lint + tests + coverage + build\n```\n\nPRs against `main`\n\nrequire a passing CI run and one review. Conventional-commits subject lines are CI-enforced.\n\nBusiness Source License 1.1, converting automatically to Apache 2.0 on **2030-06-08**. See [LICENSE](/outgate-ai/og-local/blob/main/LICENSE) for the precise terms.\n\nIn plain English: free to use, modify, and redistribute, including in commercial software. The one restriction until the change date is that you can't offer og-local (or a substantially-similar service) to third parties as a hosted multi-tenant service. After the change date, that restriction lifts and it's just Apache 2.0.\n\nLicensor: Gatewise UG (haftungsbeschränkt). For commercial alternatives or questions: [support@outgate.ai](mailto:support@outgate.ai).", "url": "https://wpnews.pro/news/local-privacy-filter-for-claude-code", "canonical_source": "https://github.com/outgate-ai/og-local", "published_at": "2026-06-11 20:24:48+00:00", "updated_at": "2026-06-11 20:51:15.616753+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-tools", "ai-infrastructure", "large-language-models"], "entities": ["Claude Code", "OpenAI", "outgate-ai", "og-local", "ONNX Runtime", "Hugging Face"], "alternates": {"html": "https://wpnews.pro/news/local-privacy-filter-for-claude-code", "markdown": "https://wpnews.pro/news/local-privacy-filter-for-claude-code.md", "text": "https://wpnews.pro/news/local-privacy-filter-for-claude-code.txt", "jsonld": "https://wpnews.pro/news/local-privacy-filter-for-claude-code.jsonld"}}