Local-first secret firewall for AI coding assistants.
Your security team banned Claude Code or Cursor over data egress. Here's the local technical control that lets you turn them back on.
leakproof sits between the tool and the model API and reads every outbound request before it leaves the machine. Finds a secret, it redacts it or kills the request. Nothing hits the cloud. The decision happens on your laptop, which is the only setup that isn't self-defeating — you don't hand a key to a stranger to ask them whether it's a key.
Two ways to run it:
leakproof run -- claude
leakproof run -- aider
leakproof install-hook
Compliance-bound teams under SOC 2 / HIPAA / ITAR / GDPR whose security team blocked AI coding tools because the tools exfiltrate working-tree context — including any secrets in open files — to a cloud API. leakproof is the local technical control and audit trail that satisfies the objection.
The alternative tools (GitGuardian's ggshield recently added Claude Code and Cursor hooks) require a cloud account: scan metadata leaves the machine. That's structurally off the table for the shops that most need this. leakproof has zero cloud dependency — no account, no API key, no telemetry, nothing leaves the building.
148 tests, including a 24-case adversarial suite. Rules-only pass: 15/15 planted leaks caught, 0/9 false-positives on decoys (AWS doc-example keys, git SHAs, env reads without literals — all correctly ignored).
Catches on the first pass (no local model needed): AWS access keys and secret keys, GitHub/OpenAI/Anthropic/Stripe tokens, JWTs, PEM private keys, raw .env
values, high-entropy blobs, email, phone, card numbers.
The second pass is optional — a local-model semantic check (qwen2.5:1.5b via ollama) that reads the value rather than the variable name. That's where keyword scanners break down.
detect-secrets is a common pre-commit baseline. It uses keyword matching plus entropy on a per-line basis.
| Scenario | detect-secrets | leakproof |
|---|---|---|
AWS_SECRET_ACCESS_KEY=abc123… in config |
||
| ✅ caught | ✅ caught | |
AWS-shaped 40-char string in a prose comment (no = anchor, no keyword) |
||
| ❌ missed | ✅ caught (entropy) | |
| Live DB connection string in a test fixture with a neutral var name | ❌ missed | ✅ caught (entropy) |
| Base64-wrapped token, benign-looking variable name | ❌ missed | ✅ caught (entropy) |
| Bulk source paste containing a buried credential | ❌ missed | ✅ caught |
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE" (AWS doc placeholder) |
||
| ✅ ignored (EXAMPLE marker) | ||
sha256:e3b0c44298fc… git SHA |
||
| ✅ ignored | ✅ ignored |
The honest framing: leakproof catches what keyword scanners miss when the variable name is benign. The local-model semantic pass is opt-in and additive — you get the full regex+entropy layer with or without it.
pipx install leakproof
uvx leakproof run -- claude
Python 3.10+. The proxy surface needs aiohttp
— install with pipx install 'leakproof[proxy]'
or uvx 'leakproof[proxy]' run -- claude
.
leakproof run -- claude
sets ANTHROPIC_BASE_URL
(or OPENAI_API_BASE
for aider) to a local proxy on 127.0.0.1:8747
, then launches the tool. The proxy reads each request body, runs the scanner, forwards a redacted copy upstream, and streams the response back untouched. No certificate to install, no system-wide proxy, no interception of anything you didn't ask it to wrap.
Every catch lands in an append-only audit log at ~/.local/share/leakproof/audit.jsonl
. leakproof watch
tails it:
$ leakproof watch
14:02:11 claude-code → api.anthropic.com redacted aws_secret_key (critical)
14:02:11 claude-code → api.anthropic.com redacted STRIPE_SECRET_KEY from .env
14:06:48 aider → api.openai.com blocked private_key (PEM)
this session: 3 secrets stopped, 0 reached the cloud
monitor
— logs only, nothing changes. Use this first to see what's been leaving without disrupting your workflow.
redact
— swaps each finding for a placeholder and forwards the cleaned request. Default.
block
— rejects the request outright with a 403 and names what would have leaked.
The CLI is Apache-2.0 and free. One developer, no account, no wall.
leakproof Team is for compliance shops that need more than a per-laptop file. It adds: a shared redaction policy your whole team inherits, a central audit log aggregated across machines, a CI gate that fails the build when a secret would have shipped, and signed audit-evidence exports you can drop straight into your SOC 2 or HIPAA folder.
Early access and pricing: hamstudios101@gmail.com
Works today: Claude Code and aider (any tool that honors a base-URL env var). Cursor and Copilot use proprietary backends that need a real HTTPS intercept proxy and a cert install — that's v1.1, not v1. One machine, no daemon, no telemetry.
Apache-2.0. Built by hamstudios. Issues and PRs welcome.