local-first DLP for developers · one command · open source

Your AI coding tool sends more than you think.

leakproof reads every request your AI editor makes and redacts secrets before they leave your machine. Local, because a scanner that has to receive your secret to scan it isn't one.

$ leakproof run -- claude
▶ proxy live on 127.0.0.1:8747 · routing Claude Code through leakproof
┌─ OUTBOUND api.anthropic.com POST /v1/messages ──────────────┐
⚠ services/billing/config.py    aws_access_key_id        [high] → REDACTED
⚠ services/billing/config.py    high_entropy_string      [med]  → REDACTED (a base64-wrapped key, flagged on entropy)
⚠ tests/fixtures/conftest.py    db_url_with_credentials  [high] → REDACTED
· src/ui/Button.tsx (no secrets) passed
└───────────────────────────────────────────────────────────────┘
detect-secrets on this diff: 0 findings — the secrets live in fields named _aws, _fallback, DB, so keyword scanners skip them.
leakproof: 3 caught, rules-only, no model.
audit → ~/.local/share/leakproof/audit.jsonl
✓ Claude Code still works. Your keys never left the machine.

One dashboard. Everything your tools tried to send.

leakproof watch — a live audit of every catch across every AI tool you run. The preview is always the redacted snippet; the raw secret never appears, not even here.

LEAKPROOF — nothing leaves the building 🔒
10 secrets stopped from leaving your machine
10 requests inspected · 3 blocked · 4 redacted · 3 clean · 85.7 KB kept in
secrets 7 · pii 2 · files 1
──────────────────────────────────────────────────────────────
time      source  tool         action    caught                   detail
13:43:35  proxy   aider        BLOCKED   private_key [critical]   -----BEGIN PRIVATE KE…
13:42:55  proxy   claude-code  REDACTED  github_token [critical]  $ gh auth login --wit…
13:42:15  hook    git          BLOCKED   stripe_key [critical]    STRIPE_SECRET_KEY=sk_…
13:41:35  proxy   claude-code  BLOCKED   aws_secret_key [crit]    ...deploy with AWS_SE…
by tool: claude-code 3 · cursor 3 · aider 3 · git 1

What it does

No CA certificate to install for the MVP: it intercepts through the proxy and base-URL environment variables the tools already honour. The flip side is that a tool which ignores those variables, or pins its own endpoint, is outside its view.

🔎

See every byte

A live TUI of every outbound request your AI tool makes — which file, which secret, which endpoint. The screenshot nobody wants to see about their own setup.

✂️

Redact or block

A deterministic scanner (rules and entropy checks, no model) catches API keys, tokens, .env values, PII and whole-file dumps, and strips them before they leave. The tool keeps working; the secret doesn't travel.

📋

Prove it

Every catch lands in a tamper-evident audit log. Wire it into CI as a gate: "no secret left the building." Exactly what compliance asks for.
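How the three pieces above fit together (a rules-plus-entropy scan, redaction of the request body before it is forwarded, and a hash-chained audit log whose previews are cut from the redacted text) as an added example written for this page. It is not leakproof's own code: the rule patterns, the entropy threshold, the audit-record layout and the sample request are all assumptions, and the sample credentials are constructed (the AWS key id is the placeholder from AWS's own documentation).

```python
# Added example for this page, not leakproof's implementation: the rule set,
# entropy threshold, audit-record layout and sample request are assumptions.
import hashlib
import json
import math
import re
from collections import Counter

# (detector, severity, pattern). Patterns are deliberately simplified.
RULES = [
    ("aws_access_key_id", "high", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", "critical", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("stripe_key", "critical", re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b")),
    ("private_key", "critical", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    ("db_url_with_credentials", "high", re.compile(
        r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@/]+@[^\s/]+")),
]
# Entropy rule for keys no keyword names (a base64-wrapped key under `_fallback`).
ENTROPY_RE = re.compile(r"\b[A-Za-z0-9+/=_\-]{24,}\b")
ENTROPY_MIN_BITS = 4.0   # assumed threshold; tune against your own false-positive rate
GENESIS = "0" * 64       # prev-hash of the first audit record


def shannon_entropy(s):
    """Bits per character; 32 distinct characters used once each gives 5.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _overlaps(f, others):
    return any(f["start"] < o["end"] and o["start"] < f["end"] for o in others)


def scan(text):
    """Keyword rules first; the entropy rule only claims tokens no rule covered."""
    findings = []
    for name, sev, rx in RULES:
        for m in rx.finditer(text):
            f = {"detector": name, "severity": sev, "start": m.start(), "end": m.end()}
            if not _overlaps(f, findings):
                findings.append(f)
    for m in ENTROPY_RE.finditer(text):
        f = {"detector": "high_entropy_string", "severity": "med",
             "start": m.start(), "end": m.end()}
        if shannon_entropy(m.group(0)) >= ENTROPY_MIN_BITS and not _overlaps(f, findings):
            findings.append(f)
    return sorted(findings, key=lambda f: f["start"])


def redact(text, findings):
    """Replace each span with a marker. Previews are cut from the already-redacted
    output only, so a raw secret can never reach the audit log."""
    out, previews, cursor = [], [], 0
    for f in findings:                       # sorted and non-overlapping
        out.append(text[cursor:f["start"]])
        marker = "[REDACTED:" + f["detector"] + "]"
        previews.append(("".join(out)[-12:] + marker)[:40])
        out.append(marker)
        cursor = f["end"]
    out.append(text[cursor:])
    return "".join(out), previews


def audit_entry(prev_hash, source, tool, action, finding, preview):
    """One JSONL record; `hash` covers the record and its predecessor's hash."""
    rec = {"prev": prev_hash, "source": source, "tool": tool, "action": action,
           "caught": finding["detector"], "severity": finding["severity"],
           "preview": preview}
    rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    return rec


def verify_chain(entries):
    """Recompute every hash; an edited, dropped or reordered record breaks the chain."""
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True


def inspect_request(text, source="proxy", tool="claude-code", prev_hash=GENESIS):
    """Scan an outbound request body; return the body to forward plus audit records."""
    findings = scan(text)
    redacted, previews = redact(text, findings)
    entries = []
    for f, preview in zip(findings, previews):
        entries.append(audit_entry(prev_hash, source, tool, "REDACTED", f, preview))
        prev_hash = entries[-1]["hash"]
    return redacted, entries


# Constructed request body: none of these are real credentials (the AWS key id is
# the placeholder from AWS's own documentation; the rest are made up for this page).
SAMPLE_REQUEST = """\
# billing config (constructed sample)
_aws = "AKIAIOSFODNN7EXAMPLE"
_fallback = "Zq9mK2xP7vL4nR8tW3yB6cD1fG5hJ0sA=="
DB = "postgres://billing:hunter2@db.internal:5432/billing"
# a UI file with nothing sensitive in it
export const Button = () => <button>ok</button>;
"""

if __name__ == "__main__":
    body, records = inspect_request(SAMPLE_REQUEST)
    print(body)
    for r in records:
        print(json.dumps(r))
    print("chain ok:", verify_chain(records))
```

Two design points carry over to any real deployment. Keyword rules take priority over the entropy rule, so a token both would match is labelled by the rule rather than as "high entropy", while a value that only looks random (the `_fallback` field here) is still caught. And a hash chain is only tamper-evident if the current head is kept somewhere the same user cannot rewrite (signed, or shipped off the host); a local chain alone tells you the file was not edited casually, not that it was not regenerated from scratch.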

Why this has to be local

A tool that scans your traffic for secrets can't itself be a cloud service — that would just leak the secret somewhere else. Local isn't a feature here, it's the only sane architecture.

🏦

Compliance can say yes

Banks, healthcare, defense and EU shops are told they can't pipe source to OpenAI. leakproof is the control that lets them adopt AI tooling at all.

🔒

Zero new trust

It runs on localhost. There's no leakproof server to send your secrets to — that's the whole point.

🧩

Tool-agnostic

Claude Code, Cursor, Copilot, aider — anything that talks HTTP through a proxy. One control plane for all of them.

Pricing

The CLI is free and open source forever. Teams pay for shared policy + audit at scale.

OSS

$0
  • Full local proxy + redaction
  • Live TUI + local audit log
  • All tool adapters
  • Apache-2.0 licensed

Team

Early access
  • Shared org-wide redaction policies
  • Central, tamper-evident audit log
  • CI gate ("no secret left the building")
  • SSO + role-based policy (roadmap)

Enterprise

Contact
  • Self-hosted control plane (roadmap)
  • Custom detectors + DLP rules (roadmap)
  • Compliance reporting (SOC2/HIPAA)
  • Priority support

Install

One binary. Nothing to sign up for — there's no cloud to sign up to.

uvx --from git+https://github.com/acunningham-ship-it/leakproof leakproof run -- claude

PyPI package (uvx leakproof run -- claude) coming soon.


leakproof Team

Need central policy management and signed audit-evidence reports for your SOC2 / HIPAA compliance folder? That's the Team tier — built for compliance shops where the paper trail matters as much as the technical control.

Early access & pricing: hamstudios101@gmail.com