https://github.com/tanguc/bleep-ai
Bleep - intercepts LLM API traffic and substitutes secrets, keys, and PII with realistic look-alike fakes, then restores the originals in the response
https://github.com/tanguc/bleep-ai
anthropic claude data-privacy dlp llm mitm-proxy pii privacy redaction rust secrets-detection security
Last synced: 3 days ago
JSON representation
Bleep - intercepts LLM API traffic and substitutes secrets, keys, and PII with realistic look-alike fakes, then restores the originals in the response
- Host: GitHub
- URL: https://github.com/tanguc/bleep-ai
- Owner: tanguc
- License: mit
- Created: 2026-06-17T19:59:50.000Z (11 days ago)
- Default Branch: main
- Last Pushed: 2026-06-17T20:44:04.000Z (11 days ago)
- Last Synced: 2026-06-17T22:22:52.466Z (11 days ago)
- Topics: anthropic, claude, data-privacy, dlp, llm, mitm-proxy, pii, privacy, redaction, rust, secrets-detection, security
- Language: Rust
- Size: 754 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
README
# Bleep
`Bl██p` — it redacts itself
**Intercepts LLM API traffic and substitutes secrets, keys, and PII with realistic look-alike fakes — then restores the originals in the response.**
[](./LICENSE)
[](#install)
[](https://www.rust-lang.org)
[](#how-it-works)
[](#)
---
Bleep sits between your machine and the model API. It detects sensitive values
in outbound requests — API keys, tokens, emails, credit cards, connection
strings — and swaps each one for a fake that keeps the original's **shape**: an
`AKIA…` key stays an `AKIA…` key, an email stays a valid-looking email. The model
reasons about the structure just fine; the real value never leaves your machine.
On the way back, the fakes are restored to the originals before your terminal
sees them.
"Transparent" means **zero workflow change** — Bleep wraps the `claude` CLI and
intercepts its TLS, so redaction is on by default with nothing to configure. It
ships as a small gateway binary plus an optional macOS menu-bar dashboard.
> **Scope today:** Bleep MITMs `*.anthropic.com` only. Everything else is
> CONNECT pass-through and is never inspected.
---
## See it in one exchange
You paste a stack trace into `claude` without thinking. Bleep rewrites it in
flight — the **red** lines are what you typed (they never leave your machine);
the **green** lines are all `api.anthropic.com` ever receives:
```diff
- DB is down: postgres://admin:S3cr3tP%40ss@db.acme.internal/payments
- AWS key AKIA4FROMTHEPROD7XYZ — ping jane.ops@acme-corp.com
+ DB is down: postgres://admin:Xq7mK2pNvR%40te@db-71f3.internal/payments
+ AWS key AKIA9TQ3RBWELMX2K8VD — ping lena.park@example.net
```
Every substitution is **shape-for-shape**, so the model reasons about the
structure exactly as it would the real thing:
| What you wrote | What the provider saw | Rule |
| :-- | :-- | :-- |
| `S3cr3tP%40ss` | `Xq7mK2pNvR%40te` | url-credential |
| `db.acme.internal` | `db-71f3.internal` | hostname |
| `AKIA4FROMTHEPROD7XYZ` | `AKIA9TQ3RBWELMX2K8VD` | aws-key |
| `jane.ops@acme-corp.com` | `lena.park@example.net` | email |
**Your terminal shows** — originals restored. The model's answer comes back
about *your* real database and key; the mapping is cached, so the same secret
always maps to the same fake and multi-turn conversations stay coherent. The
provider only ever saw the look-alikes.
> Nothing was configured. You just ran `claude`.
---
## How it works
```mermaid
sequenceDiagram
autonumber
participant C as claude
participant B as Bleep
participant P as api.anthropic.com
Note over C,B: your machine — nothing sensitive leaves here
C->>B: prompt with real secrets
Note over B: scan and substitute
cache original to fake
B->>P: request — look-alikes only
P-->>B: streamed response (about the fakes)
Note over B: reverse the mapping
B-->>C: originals restored
```
1. A local proxy terminates TLS for `*.anthropic.com` using a **per-machine CA**,
generated on first launch into `~/.bleep/ca/`. The private key never leaves
your machine and is never shipped — see [Security](#security).
2. Outbound bodies are scanned against ~400 detection rules. Matches are replaced
with format-preserving fakes; the original→fake mapping is cached in a local
SQLite dictionary so a given secret always maps to the same fake.
3. The sanitised request is forwarded upstream, and the streamed response is
de-anonymised back to the real values before your tool sees it.
---
## Install
macOS, Apple Silicon or Intel:
```bash
curl -fsSL https://raw.githubusercontent.com/tanguc/bleep-ai/main/install.sh | bash
```
This installs `bleep` (wraps `claude`), the `bleep-gateway` binary, `Bleep.app`,
and `bclaude` (a bypass-mode alias that runs `claude` direct, no proxy).
> Piping a remote script to `bash` requires trust — [`install.sh`](./install.sh)
> is self-contained and macOS-only, read it first if you prefer.
Auto-start on login · enable/disable · uninstall
Start the gateway automatically at login:
```bash
curl -fsSL https://raw.githubusercontent.com/tanguc/bleep-ai/main/install.sh | bash -s -- --launch-agent
```
Toggle redaction (also available in the menu-bar app's Settings):
```bash
bleep disable # future claude sessions go direct to the provider
bleep enable # re-activate
bleep status # proxy + gateway health + CA path
```
Uninstall:
```bash
bash <(curl -fsSL https://raw.githubusercontent.com/tanguc/bleep-ai/main/install.sh) --uninstall
```
User data is preserved on uninstall — the generated CA (`~/.bleep/ca/`), the fake
dictionary (`~/.bleep/bleep-dictionary.db`), and `~/Library/Application Support/bleep`.
Delete those manually for a full wipe.
---
## Security
Bleep is a TLS-intercepting proxy, so the **CA private key** is the most
sensitive thing on the system — anything that trusts the CA can be impersonated.
- The CA is **generated per machine** on first launch into `~/.bleep/ca/`
(directory `0700`, key `0600`). It is never baked into the binary, shipped in a
release, or committed to this repository.
- Client trust is scoped through environment variables (`NODE_EXTRA_CA_CERTS`,
`BUN_CA_BUNDLE_PATH`, `SSL_CERT_FILE`) pointed at the generated cert — Bleep
does **not** touch the system keychain.
- The proxy and stats server bind to `127.0.0.1` only.
Found a vulnerability? See [`SECURITY.md`](./SECURITY.md) for private disclosure
— please don't open a public issue for security reports.
---
## Build from source
```bash
# prerequisites: Rust (stable), Task — brew install go-task
git clone https://github.com/tanguc/bleep-ai && cd bleep-ai
git config core.hooksPath .githooks # conventional-commit checks
task build # release gateway binary
task run # gateway on dev ports (no collision with an installed Bleep.app)
task test # full test suite
task menu-bar # build + run the menu-bar dashboard (dev)
task install-local # build + install locally, exactly like the real installer
```
See [`docs/OPERATIONS.md`](./docs/OPERATIONS.md) for implementation notes (CA,
fake dictionary, literal-prefix preservation, MITM scope).
---
## Contributing
Contributions welcome — see [`CONTRIBUTING.md`](./CONTRIBUTING.md). In short:
[Conventional Commits](https://www.conventionalcommits.org/) (enforced by
`.githooks/commit-msg`), `cargo fmt` + `cargo clippy` clean, tests passing.
| type | bump | example |
| :-- | :-- | :-- |
| `feat` | minor | `feat(menu-bar): add database reset buttons` |
| `fix` | patch | `fix(gateway): evict hung connection on :9190` |
| `perf` | patch | `perf(rules): compile regexes in parallel` |
| `feat!` | major | `feat!: drop pre-v1 /redactions response shape` |
| `chore` · `docs` · `refactor` · `test` · `ci` · `build` · `style` | none | |
---
## License
[MIT](./LICENSE) © 2026 Sergen Tanguc.
Bleep bundles detection **pattern data** adapted from gitleaks (MIT),
nosey-parker and detect-secrets (Apache-2.0), and secrets-patterns-db
(**CC BY-SA 4.0** — the derived rule data carries the ShareAlike obligation). Full
attribution in [`THIRD-PARTY-NOTICES.md`](./THIRD-PARTY-NOTICES.md).