Open source · Secret masking for AI coding agents

Your AI agent reads your secrets.

Every prompt you send carries API keys, passwords, and database URLs straight to the cloud. Veil masks them before they leave your machine.

  • Runs on 127.0.0.1
  • No cloud relay
  • Apache-2.0

Capabilities

Secrets never reach the model in the clear

If you use Claude Code or Codex, your env vars, connection strings, and API keys are going to the cloud on every request. Here's how Veil handles that.

  • Secrets pasted into prompts

    Secrets get caught automatically

    API keys, passwords, database URLs, emails, IP addresses — Veil detects and masks them before the request leaves localhost.

  • Secrets reused across turns

    Same value, same safe token

    Veil maps each secret to a stable placeholder, so the model can reason across turns without ever seeing the real value.

  • Edge-case request formats

    Unknown formats get blocked

    If Veil doesn't recognize a request format, it blocks it. No silent passthrough, no plaintext leaks.

  • Yet another service to run

    It's just a local process

    No account, no dashboard, no cloud. Veil runs on 127.0.0.1 and only touches the request and response body. The API key that authenticates you to your provider passes through untouched.

Coverage

What Veil detects and masks

Veil recognizes the sensitive data that shows up in real prompts and tool calls, and replaces each with a format-preserving placeholder before it leaves your machine.

  • Secrets
    API keys · tokens · passwords · DSNs
  • Email
    user@example.com
  • Phone
    +1 555 123 4567
  • IP addresses
    192.168.1.1 · 2001:db8::1
  • Payment cards
    4111 1111 1111 1111
  • Account numbers
    Bank & financial IDs
  • URLs
    https://internal.corp/api
  • Dates (opt-in)
    Off by default
  • Names & addresses (opt-in)
    Opt-in semantic detection

Why trust Veil

Nothing leaves your machine unmasked.

Secrets get masked before they go out, and restored when responses come back. That's it. No magic, no cloud, no trust required beyond localhost.

  • 100% local

    Veil binds to 127.0.0.1. There is no cloud relay, no remote server, nothing between you and your provider except a local process.

  • Blocks what it can't parse

    Unrecognized request formats never get forwarded. If Veil isn't sure, it stops the request.

  • Your API keys stay yours

    Veil never stores or touches your provider credentials. It only rewrites request and response content.

  • Read the source yourself

    Apache-2.0. Every line is auditable. Check the threat model and release artifacts before you trust it.

Security model

Precise guarantees, not promises

Veil is small, local, and auditable. Here is exactly what it does — and does not — do.

Local only

Binds to 127.0.0.1. No relay, no remote server, and Veil stores none of your credentials.

Fail closed

Parsing errors, detection errors, policy violations, or unsupported endpoints block the request rather than forwarding plaintext.

Deterministic tokens

The same value maps to the same placeholder within a scope, so multi-turn context and prompt caching survive masking.

Reversible locally

The provider sees placeholders; your terminal, files, and tool calls get the real values back.
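
How deterministic tokens, local reversal, and fail-closed blocking fit together, as an added Go example that is not Veil's code. The `sk-` key pattern, the HMAC-derived placeholder, the `messages` format name, and every identifier here are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"regexp"
	"strings"
)

// Assumed detector for one constructed key shape; a real detector set covers far more.
var keyRe = regexp.MustCompile(`sk-[A-Za-z0-9]{20,}`)

type Masker struct {
	scopeKey []byte            // per-scope HMAC key: same scope, same placeholder
	reverse  map[string]string // placeholder -> real value, held in memory only
}

// token derives a stable placeholder that keeps the "sk-" shape of the original.
func (m *Masker) token(secret string) string {
	if _, seen := m.reverse[secret]; seen {
		return secret // already a placeholder, so masking stays idempotent
	}
	mac := hmac.New(sha256.New, m.scopeKey)
	mac.Write([]byte(secret))
	t := fmt.Sprintf("sk-VEIL%x", mac.Sum(nil)[:12])
	m.reverse[t] = secret
	return t
}

// Mask fails closed: any format other than the assumed "messages" is rejected.
func (m *Masker) Mask(format, body string) (string, error) {
	if format != "messages" {
		return "", fmt.Errorf("blocked: unsupported request format %q", format)
	}
	return keyRe.ReplaceAllStringFunc(body, m.token), nil
}

// Unmask restores real values in a response before local tools see them.
func (m *Masker) Unmask(body string) string {
	for t, s := range m.reverse {
		body = strings.ReplaceAll(body, t, s)
	}
	return body
}

func main() {
	m := &Masker{scopeKey: []byte("constructed-scope-key"), reverse: map[string]string{}}
	fmt.Println(m.Mask("messages", "key=sk-abcdefghijklmnopqrstuvwx")) // constructed sample key
}
```

Because the placeholder is an HMAC under the scope key, a different scope yields a different placeholder for the same secret, and the reverse table never has to leave the process.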

How it works

Point your agent at a local proxy.

No dashboard, no account. Change one environment variable to route your agent through localhost — your tools and workflow stay exactly the same.

Run the proxy
  1. Start Veil

    One command starts the proxy on localhost. That's your new privacy boundary.

    $ ./bin/veil proxy --addr 127.0.0.1:8788
  2. Point your agent

    Change the base URL for Claude Code or Codex. One environment variable.

    $ export ANTHROPIC_BASE_URL=http://127.0.0.1:8788
  3. Keep working

    Nothing else changes. Your credentials, your workflow, your tools — all the same. Veil just masks the content in transit.

Get started

Install and run in one command.

Download the binary, set one env var, done. Remove it by unsetting the variable.

Claude Code

Start Veil, export one variable, launch Claude.

bash
$ ./bin/veil proxy --addr 127.0.0.1:8788 &
$ export ANTHROPIC_BASE_URL=http://127.0.0.1:8788
$ claude

Start Veil with the OpenAI upstream, point Codex at it.

bash
$ ./bin/veil proxy --addr 127.0.0.1:8788 --upstream https://api.openai.com
# ~/.codex/config.toml
model_provider = "veil"

Build from source

Requires Go 1.22+

Read every line before you trust it.

bash
$ git clone https://github.com/PAIArtCom/Veil.git
$ cd Veil
$ go build -o ./bin/veil ./cmd/veil
$ ./bin/veil version

Compatibility

What works today, what's next.

Veil is honest about its coverage. If it can't protect a format, it says so — or blocks it.

Works now (v0.1.0)

  • Claude Code (Anthropic Messages)
  • Codex CLI (OpenAI Responses)
  • Go SDK integrations
  • Text and tool-use fields in supported formats

Coming soon

  • OpenAI Chat Completions
  • Gemini
  • OCR, attachments, document parsing
  • Remote MCP tool traffic

FAQ

Common questions

  • Does Veil add latency?

    It runs on localhost and only rewrites the request and response body, so the overhead is a single local hop — negligible next to the network round-trip to your provider.

  • Will it change the model’s output?

    No. Placeholders are deterministic and format-preserving, so the model reasons over stable, well-formed values. Veil restores the real values in the response before your tools see them.

  • Does Veil see my API keys?

    Veil never stores or touches your provider credentials. It only rewrites content in the request and response body; your API keys pass through untouched.

  • Which agents are supported?

    Claude Code (Anthropic Messages) and Codex CLI (OpenAI Responses) in v0.1.0, plus Go SDK integrations. OpenAI Chat Completions, Gemini, and more are on the roadmap.

  • How do I remove it?

    Unset the environment variable. Veil is just a local process — there is no account, agent, or daemon to uninstall.