The free menu-bar app for individual developers. It flags secrets and PII in your AI prompts — in Cursor, Claude Code, and Copilot — entirely on your Mac. No account, no org, nothing sent anywhere.
The whole point
This app sends nothing, anywhere. There is no account to create and no server to phone home to. Capture, detection, and the alert all happen on your Mac. Pull the network cable and it works exactly the same.
What it catches
The stuff you never meant to paste. #
One accidental paste from a .env file or a log is all it takes. The app watches the prompt as you write it and flags the things that shouldn’t go out.
Secrets, before you send them
AWS access keys, GitHub tokens, private keys, JWTs, database URLs — 25+ hand-written rules for the credentials with hard shapes. The most common way a secret enters a prompt is a paste from a .env file; this catches it at the source.
PII you didn't mean to paste
SSNs, credit-card numbers, and emails buried in a log or a stack trace you dropped into Cursor to debug. Flagged instantly, before the prompt is sent.
Across every AI tool you use
Cursor, Claude Code, Copilot — one menu-bar agent reads the composer itself, so it sees the prompt even when the tool talks straight to its own cloud. No per-tool setup.
The heavy lifting is deterministic regex — instant, explainable, and offline. A small pretrained classifier runs on-device as a fallback for fuzzier leaks. Either way, no model is ever trained on your prompts, because they are never collected.
Local-only, and we mean it
Nothing leaves your Mac. #
Not the prompt, not a redacted snippet, not a count. The entire loop lives on your machine — this is a claim we’ve audited, not a slogan.
Step 1
Capture
Reads the prompt as you write it — on-device, before the network.
Step 2
Detect
Scans for secrets and PII in under 50ms, entirely offline.
Step 3
Flag
A soft toast at the source. Nothing is stored, nothing is sent.
prompt scan toast dropped from memory
No account, no cloud
You never sign in. There is no backend to receive your data because the app has nothing to send.
Zero egress
~15 MB, Rust + Tauri, under 150 MB RAM idle. Runs fully offline — the network is never touched.
Free app vs. the team product
Same engine. This one sends nothing. #
The team product is the exact same on-device agent, enrolled in an organization so a manager can see redacted signal — counts and masked snippets, never prompts. The free app skips all of that: it is not enrolled, so there is no uplink at all.
Everything stays local
No account, no org, no network. You type; it catches; the raw bytes are dropped from memory. Nothing is ever recorded or sent. Free forever.
Redacted signal, by consent
The same agent, joined to an org with one code. It uplinks redacted metadata so a manager sees a Safety Score and trends. Raw prompts still never leave the device. For teams →
Curious how the capture, detection, and redaction pipeline works under the hood? See the full architecture →
Get the free app
Download HeimWall for Mac. #
Free forever, no account. Signed and notarized by Apple, so it opens with a normal double-click — no security warnings to click through.
Download for Macv0.0.5 · 3.9 MB · Apple Silicon · macOS 13+ Signed & notarized · 100% on-device · no account, ever.
Open the DMG
Drag HeimWall into your Applications folder.
Grant Accessibility
Launch it once and allow Accessibility, so it can read the prompt box of your AI tools. Nothing ever leaves your Mac.
You're protected
The window shows Protected. Type a fake key into Cursor and watch it get flagged, redacted, on-device.
On an Intel Mac or Windows? Get notified when your build is ready.