Local de-identification for AI coding agents.
English | 简体中文
Veil is a local de-identification proxy for AI coding agents. It masks secrets and PII before Claude Code or Codex traffic leaves your machine, then restores real values locally on the way back. The provider sees only deterministic reversible tokens. Your workflow stays unchanged.
| Status | License | Platform |
|---|---|---|
| v0.1.3 | Apache-2.0 | macOS · Linux · Windows (amd64 / arm64) |
For most users, npm is the shortest path. It installs the Veil command and downloads the matching release binary for your platform.
npm i -g @paiart/veilWorks on macOS, Linux, and Windows. The correct binary for your platform is downloaded automatically from the matching GitHub Release during install.
curl -fsSL https://veil.paiart.com/install.sh | shInstall a specific version or to a custom directory:
curl -fsSL https://veil.paiart.com/install.sh | VEIL_VERSION=v0.1.3 sh
curl -fsSL https://veil.paiart.com/install.sh | VEIL_INSTALL_DIR="$HOME/bin" shbrew tap PAIArtCom/veil
brew install veilThe tap is published by stable release automation to
PAIArtCom/homebrew-veil.
irm https://veil.paiart.com/install.ps1 | iexThe binary is placed in %USERPROFILE%\.veil\bin and added to your user PATH.
go install github.com/PAIArtCom/Veil/cmd/veil@latestUse this only when developing or testing an unreleased checkout.
git clone https://github.com/PAIArtCom/Veil.git
cd Veil
go build -o ./bin/veil ./cmd/veilPre-built binaries for all platforms are also available on the releases page.
Paste this into your AI assistant and it will handle the full installation:
Install and configure Veil for me (https://github.com/PAIArtCom/Veil). Veil is a
local proxy that replaces API keys, database passwords, and other sensitive values
in prompts with placeholders before they reach AI providers, then restores real
values locally on the way back.
Please complete these steps:
① install Veil with `npm i -g @paiart/veil`;
② confirm `veil version` works;
③ install and start the background service with `veil service install`;
④ create or update `~/.claude/settings.json` so `env.ANTHROPIC_BASE_URL` is `http://127.0.0.1:8787`;
⑤ verify with test value `postgresql://app:s3cr3t@localhost:5432/mydb` that masking works;
⑥ summarize how to use Veil day-to-day.
Fix any errors and continue without stopping to ask me.
After it finishes, restart Claude Code. For Codex, the config is slightly different — see Quickstart below.
# Without Veil — what your model provider receives today:
"...connect to postgresql://app:s3cr3t@db.internal:5432/mydb..."
"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"
# With Veil — what your model provider receives:
"...connect to PAIArtVeil_SECRET_a1b2c3d4..."
"export AWS_ACCESS_KEY_ID=PAIArtVeil_SECRET_e5f6g7h8..."
Real values are restored locally before your terminal, files, or tool calls see the response.
After installing Veil, install the background service once and point your AI
tool at the local base URL. You should not have to run veil proxy every time.
veil service install
veil statusveil service install creates a user-level background service on macOS (launchd),
Linux (systemd --user), or Windows (Task Scheduler) that runs the localhost proxy
after login. Use veil restart after changing service options.
Daily service commands:
veil status # check the local proxy
veil restart # restart after config changes
veil service stop # stop the background proxy
veil service start # start it again
veil service uninstall # remove the OS serviceClaude Code:
Add this to ~/.claude/settings.json:
{
"env": {
"ANTHROPIC_BASE_URL": "http://127.0.0.1:8787"
}
}Codex CLI:
veil service install --force --upstream https://api.openai.comAdd to ~/.codex/config.toml:
model_provider = "veil"
[model_providers.veil]
name = "Veil"
base_url = "http://127.0.0.1:8787/v1"
wire_api = "responses"
env_key = "OPENAI_API_KEY"That's it. Your credentials still flow to the provider unchanged — only sensitive values in request and response bodies are masked.
Codex CLI with OpenRouter:
Use OpenRouter through the Responses API path. The upstream base is
https://openrouter.ai/api, so Codex's /v1/responses request becomes OpenRouter's
/api/v1/responses request.
You can keep the background service on its default upstream and put OpenRouter directly in the local base URL:
model_provider = "veil-openrouter"
[model_providers.veil-openrouter]
name = "Veil OpenRouter"
base_url = "http://127.0.0.1:8787/veil/upstream=https://openrouter.ai/api/v1"
wire_api = "responses"
env_key = "OPENAI_API_KEY"Codex appends /responses, so Veil forwards to
https://openrouter.ai/api/v1/responses. No URL escaping or extra upstream command is
required.
Do not point Chat Completions clients at Veil yet. Unsupported endpoints fail closed instead of being forwarded without verified masking.
Veil detects and masks these types before provider egress, then restores them locally:
| Type | Examples |
|---|---|
| Secrets | API keys, tokens, passwords, connection strings |
user@example.com |
|
| Phone | +1 555 123 4567 |
| IPv4 / IPv6 | 192.168.1.1, 2001:db8::1 |
| Payment cards | 4111 1111 1111 1111 |
| Account numbers | Bank and financial identifiers |
| URLs | https://internal.company.com/api |
| Dates | Off by default — opt in via policy if needed |
| Names / addresses | Off by default — opt-in L2 semantic detection |
Supported in v0.1.3:
- Claude Code via Anthropic Messages (
/v1/messages) - Codex CLI via OpenAI Responses (
/v1/responses) - OpenRouter via Codex CLI and OpenRouter Responses (
/api/v1/responses) - Go SDK integrations via
github.com/PAIArtCom/Veil
Not yet supported: Chat Completions clients, Gemini, remote MCP egress classification, OCR, document parsing, attachment rewriting, or provider thinking/control traces.
your coding tool
→ Veil masks sensitive fields on localhost
→ provider sees PAIArtVeil_<TYPE>_<id> tokens only
→ provider response returns tokens
→ Veil restores real values locally
→ your terminal, files, and tool calls use real values
Security properties:
- Local only — the proxy binds to
127.0.0.1. No relay, no cloud, no credentials stored by Veil. - Fail closed — parsing errors, detection errors, policy violations, or unsupported endpoints block the request rather than forwarding plaintext.
- Deterministic tokens — the same value maps to the same token within a scope, so multi-turn context and prompt-cache behavior survive masking.
- Reversible locally — the model sees tokens; your tools and files get real values.
- No telemetry — the engine never phones home.
A local policy file lets you choose per-type behavior:
{
"default_operator": "token",
"types": {
"EMAIL": {"operator": "ignore"},
"SECRET": {"operator": "block"}
}
}Load with --policy /path/to/policy.json, the VEIL_POLICY environment variable, or
place it at ~/.veil/policy.json to auto-load.
| Operator | Behavior |
|---|---|
token |
Replace with reversible token (default) |
ignore |
Leave value unmodified |
block |
Refuse the request entirely |
Test with a throwaway value — never a real credential:
postgresql://app:s3cr3t@localhost:5432/mydb
Ask your agent to use this string in a local task, then confirm:
- Provider-bound text contains
PAIArtVeil_...tokens, not the test value - Local tool calls receive the restored connection string
- Files written by the agent contain no unresolved
PAIArtVeil_tokens - The proxy is still listening only on
127.0.0.1
Full verification steps: Claude Code guide · Codex guide
| I want to... | Go to |
|---|---|
| Run Claude Code through Veil | Claude Code setup |
| Run Codex through Veil | Codex CLI setup |
| Run Codex through OpenRouter | OpenRouter setup |
| Install, upgrade, or operate the proxy | Deployment guide |
| Embed Veil in a Go gateway | SDK integration guide |
| Understand the security boundary | Threat model |
| Report a bug or vulnerability | Support · Security policy |
Veil is the open-source de-identification engine. PAIArt is the commercial control plane for teams that need fleet-wide policy management and compliance audit trails.
| Veil (this repo) | PAIArt | |
|---|---|---|
| What | Local engine, SDK, and reference proxy | Organization control plane |
| For | Individual developers and gateway integrators | Security and compliance teams |
| Policy | Local JSON file | Centrally pushed, fleet-wide |
| Audit | Bring your own AuditSink |
Compliance dashboards, SIEM export |
| License | Apache-2.0 | Commercial |
Individual value is open; organizational control is paid. See the open-core boundary.
| Area | Docs |
|---|---|
| User guides | Deployment, Claude Code, Codex CLI, OpenRouter |
| Concepts | Redaction model, Token spec, Detection layers |
| SDK | Contract, API reference, Integration guide, examples/embed |
| Architecture | Overview, Threat model, ADRs |
| Project | Roadmap, Open-core boundary, Support, Security, Changelog |
| Brand assets | Logo, Dark logo, Favicon, Open Graph image |