LocalMask
See it in action

AI should read your code,
not your secrets.

LocalMask scans your repo, masks every secret, organizational data, and PII into safe tokens, and lets you share code with AI — without leaking passwords, internal hostnames, or company details.

0:00 / 0:00
Click to unmute 🔇
Register for Early Access
Local-first privacy for AI coding

AI should read your code,
not your secrets.

LocalMask runs entirely on your machine. It scans your repo, masks every credential, key, piece of PII, and organizational data into reversible tokens, then sends only safe tokens to Claude, GPT, or Gemini. Answers come back and get rehydrated locally — you stay in full control, and the real secrets never leave your local environment.

No spam — one note when the private beta opens.

You're on the list. We'll reach out when the beta opens.
Sensitivity level
payments-service / .env scanning… 8 secrets masked · safe to send
# payments-service/.env — sent to ClaudeDATABASE_URL=postgres://payments_rw~[DB_USER_0]~:pV9$kQ2!zR~[PASSWORD_0]~@db-prod-01.acme.internal~[HOST_0]~:5432~[PORT_0]~/payments~[DB_NAME_0]~STRIPE_SECRET_KEY=sk_live_51MspeZv8Klo2CqR7xY~[API_KEY_0]~JWT_SIGNING_KEY=hs256-9f3a7c1e8b2d4061~[API_KEY_1]~AWS_ACCESS_KEY_ID=AKIA5J7QX9P2M4RTUVWX~[AWS_KEY_0]~ONCALL_EMAIL=dana.cohen@acme-bank.com~[EMAIL_0]~INTERNAL_API=https://vault.acme.internal~[HOST_1]~/v2
real secret becomes → token the AI sees
What you get

Two ways to keep secrets out of AI — 100% local.

Masked repo mirror

  • Scan a repo, publish a private masked copy the AI reads
  • Every secret becomes a stable ~[TOKEN]~
  • Git sync keeps the mirror current

AI proxy · prompt firewall Pro

  • Point any AI tool at LocalMask; prompts are scrubbed live
  • Bring your own AI + key — OpenAI, Claude, Azure, self-host
  • Audit log proves no secret reached the provider

Local, learning, yours

  • Persistent encrypted vault — stable tokens across restarts
  • Editable detection rules, no code
  • Local AI model that learns (Pro)
  • Team-shared vault, LDAP/AD, SSO (Enterprise)

Free & open source on GitHub ↗ — run it entirely offline with the CLI + MCP server.

Pricing

Free forever. Pro and Enterprise are annual, per seat.

Free · OSS

$0
open source
  • Regex + entropy engine
  • Masked-repo mirror the AI reads
  • CLI + MCP server
  • Edit detections
Get the CLI

Pro

$149
per seat / year
  • Everything in Free
  • Local AI model + learning
  • Web dashboard
  • AI proxy (prompt firewall)
Buy Pro

Team

$199
per seat / year · 5+ seats
  • Everything in Pro
  • Shared org rules
  • Priority support
Buy Team

Enterprise

Custom
let's talk
  • Everything in Team
  • Central proxy fleet
  • LDAP/AD + SSO
  • Audit + support
Contact sales

Annual licenses, validated offline (no monthly re-activation, no phone-home). Keys are per seat.

Free CLI · open source

Install and mask a repo in two commands.

Download the free CLI (.tar.gz)
tar -xzf localmask-free-0.9.0.tar.gz && pip install ./localmask-free-0.9.0
localmask scan ./your-repo

Then localmask publish <scan> <masked-repo-url> creates a private masked git mirror your AI tools can safely read. Once we're on PyPI you'll also be able to pip install localmask.

Works with GitHub, GitLab, Bitbucket, self-hosted git & Google Secure Source Manager. Tokens are handled via GIT_ASKPASS — never in a URL, process args, or .git/config — and only masked content is ever pushed. In free you use your own AI (paste the masked files or point it at the mirror); Pro adds built-in Ask-AI + the proxy. Full guide & security on GitHub →

Private beta

Lock it down before you ship it to AI.

100% local. 100% your control. We're opening a small private beta — leave your email and we'll reach out when it's ready.

No spam — one note when the beta opens.

You're on the list. We'll reach out when the beta opens.