If you're running AI coding agents like Claude Code or OpenAI Codex with active environment variables, .env files, or raw tokens in your command history, you've got a problem. These tools write and run commands, grep files, and read logs—and it's incredibly easy for them to accidentally inject exposed secrets into prompts sent upstream. That's exactly what ai-noleak was built to stop.
Three-Layer Defense Architecture
The tool sits between your terminal and any AI API as a local HTTP reverse proxy, intercepting accidentally exposed credentials before they leave your machine. It operates through three independent protection layers: Layer 1 catches secrets in bracketed-paste events at the PTY level before the shell executes them; Layer 2 scans outbound HTTP requests (and AI responses) at the transport layer, replacing detected secrets with deterministic placeholders like @TOKEN_8f51a2@; and Layer 3 uses filesystem watchers to immediately redact any temporary shell snapshots, logs, or history files written to disk. All three layers share a single local vault daemon called noleakd that stores placeholder-to-secret mappings either in ephemeral memory or encrypted on disk with AES-256-GCM encryption derived from a master passphrase via Argon2id. When an AI model outputs a placeholder, the proxy translates it back to the real secret locally before returning results to your CLI.
Security Model: No MITM Certificates Required
Here's what makes ai-noleak clever—unlike traditional man-in-the-middle proxies that require installing custom Root CA certificates (introducing serious security risks), this tool requires zero certificate installation. You simply point AI CLI tools at http://127.0.0.1:9999/v1 over plaintext HTTP locally. The proxy intercepts, scans, and redacts the plaintext requests in local memory, then forwards the sanitized payload to your upstream provider (Anthropic or OpenAI) over a secure encrypted outbound HTTPS connection. The vault daemon communicates with the proxy via Unix Domain Socket with strict peer UID verification using SO_PEERCRED on Linux and LOCAL_PEERCRED on macOS—meaning only processes owned by the exact same User ID that started the daemon can query the vault. The intercepting HTTP proxy itself runs with read-only capabilities relative to the vault database: it can check placeholder bindings but cannot dump plaintext secrets or modify values.
Getting Started in Minutes
Installation is straightforward on Linux and macOS with a single curl command pulling from GitHub, or you can build from source with Go 1.22+. After installing (binaries land in ~/.local/bin), configure your proxy endpoint in ~/.noleak/config.yaml pointing upstream to api.anthropic.com or api.openai.com, start the services with noleak start --ephemeral for testing or persistent mode for encrypted storage, then point your AI CLI at the local proxy via environment variables like ANTHROPIC_BASE_URL. Run noleak doctor to verify all services are connected correctly.
Limitations Worth Knowing
The maintainers are upfront about constraints: macOS users face potential delays under heavy disk I/O as FSEvents may coalesce filesystem events, creating a window where an AI agent could write and read a secret before Layer 3 catches it. The PTY wrapper (Layer 1) only handles bracketed-paste interception—raw character-by-character keystrokes bypass it but are still caught by the outbound proxy. Requests using unsupported content encodings like brotli, zstd, or deflate fail closed with HTTP 502 to prevent silent redaction bypasses.
The Bottom Line
ai-noleak is currently in released beta (v0.1.0) and the codebase weighs around 4,000 lines of Go using mostly standard library components—easy enough for security-conscious teams to audit themselves. If you're running agentic AI tools in environments with sensitive credentials, this is exactly the kind of defense-in-depth approach that should be in your threat model yesterday.