{"slug": "show-hn-leakproof-local-secret-egress-firewall-for-claude-code-cursor-aider", "title": "Show HN: Leakproof – local secret-egress firewall for Claude Code/Cursor/aider", "summary": "Leakproof, a local-first secret-egress firewall for AI coding assistants like Claude Code and Cursor, launched on Hacker News. The tool intercepts outbound requests to redact or block secrets before they reach cloud APIs, addressing security team concerns about data exfiltration. It requires no cloud dependency, offering an audit trail for compliance-bound teams under SOC 2, HIPAA, ITAR, or GDPR.", "body_md": "**Local-first secret firewall for AI coding assistants.**\n\nYour security team banned Claude Code or Cursor over data egress. Here's the local technical control that lets you turn them back on.\n\nleakproof sits between the tool and the model API and reads every outbound request before it leaves the machine. Finds a secret, it redacts it or kills the request. Nothing hits the cloud. The decision happens on your laptop, which is the only setup that isn't self-defeating — you don't hand a key to a stranger to ask them whether it's a key.\n\nTwo ways to run it:\n\n```\n# wrap your AI tool: everything it sends gets scanned + cleaned first\nleakproof run -- claude\nleakproof run -- aider\n\n# guard the repo itself: stop secrets before they reach a commit\nleakproof install-hook\n```\n\nCompliance-bound teams under SOC 2 / HIPAA / ITAR / GDPR whose security team blocked AI coding tools because the tools exfiltrate working-tree context — including any secrets in open files — to a cloud API. leakproof is the local technical control and audit trail that satisfies the objection.\n\nThe alternative tools (GitGuardian's ggshield recently added Claude Code and Cursor hooks) require a cloud account: scan metadata leaves the machine. That's structurally off the table for the shops that most need this. leakproof has zero cloud dependency — no account, no API key, no telemetry, nothing leaves the building.\n\n148 tests, including a 24-case adversarial suite. Rules-only pass: 15/15 planted leaks caught, 0/9 false-positives on decoys (AWS doc-example keys, git SHAs, env *reads* without literals — all correctly ignored).\n\nCatches on the first pass (no local model needed): AWS access keys and secret keys, GitHub/OpenAI/Anthropic/Stripe tokens, JWTs, PEM private keys, raw `.env`\n\nvalues, high-entropy blobs, email, phone, card numbers.\n\nThe second pass is optional — a local-model semantic check (qwen2.5:1.5b via ollama) that reads the value rather than the variable name. That's where keyword scanners break down.\n\ndetect-secrets is a common pre-commit baseline. It uses keyword matching plus entropy on a per-line basis.\n\n| Scenario | detect-secrets | leakproof |\n|---|---|---|\n`AWS_SECRET_ACCESS_KEY=abc123…` in config |\n✅ caught | ✅ caught |\nAWS-shaped 40-char string in a prose comment (no `=` anchor, no keyword) |\n❌ missed | ✅ caught (entropy) |\n| Live DB connection string in a test fixture with a neutral var name | ❌ missed | ✅ caught (entropy) |\n| Base64-wrapped token, benign-looking variable name | ❌ missed | ✅ caught (entropy) |\n| Bulk source paste containing a buried credential | ❌ missed | ✅ caught |\n`AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"` (AWS doc placeholder) |\n✅ ignored (EXAMPLE marker) | |\n`sha256:e3b0c44298fc…` git SHA |\n✅ ignored | ✅ ignored |\n\nThe honest framing: leakproof catches what keyword scanners miss **when the variable name is benign**. The local-model semantic pass is opt-in and additive — you get the full regex+entropy layer with or without it.\n\n```\npipx install leakproof\n# or run without installing:\nuvx leakproof run -- claude\n```\n\nPython 3.10+. The proxy surface needs `aiohttp`\n\n— install with `pipx install 'leakproof[proxy]'`\n\nor `uvx 'leakproof[proxy]' run -- claude`\n\n.\n\n`leakproof run -- claude`\n\nsets `ANTHROPIC_BASE_URL`\n\n(or `OPENAI_API_BASE`\n\nfor aider) to a local proxy on `127.0.0.1:8747`\n\n, then launches the tool. The proxy reads each request body, runs the scanner, forwards a redacted copy upstream, and streams the response back untouched. No certificate to install, no system-wide proxy, no interception of anything you didn't ask it to wrap.\n\nEvery catch lands in an append-only audit log at `~/.local/share/leakproof/audit.jsonl`\n\n. `leakproof watch`\n\ntails it:\n\n``` bash\n$ leakproof watch\n  14:02:11  claude-code → api.anthropic.com   redacted   aws_secret_key (critical)\n  14:02:11  claude-code → api.anthropic.com   redacted   STRIPE_SECRET_KEY from .env\n  14:06:48  aider       → api.openai.com      blocked    private_key (PEM)\n\n  this session: 3 secrets stopped, 0 reached the cloud\n```\n\n`monitor`\n\n— logs only, nothing changes. Use this first to see what's been leaving without disrupting your workflow.\n\n`redact`\n\n— swaps each finding for a placeholder and forwards the cleaned request. Default.\n\n`block`\n\n— rejects the request outright with a 403 and names what would have leaked.\n\nThe CLI is Apache-2.0 and free. One developer, no account, no wall.\n\n**leakproof Team** is for compliance shops that need more than a per-laptop file. It adds: a shared redaction policy your whole team inherits, a central audit log aggregated across machines, a CI gate that fails the build when a secret would have shipped, and signed audit-evidence exports you can drop straight into your SOC 2 or HIPAA folder.\n\nEarly access and pricing: [hamstudios101@gmail.com](mailto:hamstudios101@gmail.com)\n\nWorks today: Claude Code and aider (any tool that honors a base-URL env var). Cursor and Copilot use proprietary backends that need a real HTTPS intercept proxy and a cert install — that's v1.1, not v1. One machine, no daemon, no telemetry.\n\nApache-2.0. Built by [hamstudios](https://github.com/hamstudios). Issues and PRs welcome.", "url": "https://wpnews.pro/news/show-hn-leakproof-local-secret-egress-firewall-for-claude-code-cursor-aider", "canonical_source": "https://github.com/acunningham-ship-it/leakproof", "published_at": "2026-06-17 20:05:13+00:00", "updated_at": "2026-06-17 20:23:19.855251+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "ai-ethics", "developer-tools", "ai-infrastructure"], "entities": ["Leakproof", "Claude Code", "Cursor", "aider", "GitGuardian", "ggshield", "Anthropic", "OpenAI"], "alternates": {"html": "https://wpnews.pro/news/show-hn-leakproof-local-secret-egress-firewall-for-claude-code-cursor-aider", "markdown": "https://wpnews.pro/news/show-hn-leakproof-local-secret-egress-firewall-for-claude-code-cursor-aider.md", "text": "https://wpnews.pro/news/show-hn-leakproof-local-secret-egress-firewall-for-claude-code-cursor-aider.txt", "jsonld": "https://wpnews.pro/news/show-hn-leakproof-local-secret-egress-firewall-for-claude-code-cursor-aider.jsonld"}}