From masking to decryption
Understand the local audit chain, ENC2 format and browser-based decryption flow.
From masking to the audit log
When TigerMole detects a secret, it replaces it before forwarding the request to Anthropic and records the decision locally. An entry includes metadata such as ts_ms, rule_id, gdpr_category, confidence, field_path, prev_hash and sig.
The chain links every entry to the previous one. Team plans use ED25519 to detect later tampering.
What an ENC2 line is
With an imported audit key, an entry may include the original value encrypted as ENC2:. The explanatory format contains an ephemeral key, a nonce and authenticated ciphertext:
ENC2:<ephemeral_pub[32]>:<nonce[12]>:<ciphertext+tag>
Value capture is only included in ENC2 lines and is never sent to TigerMole.
Decrypting in the browser
Open the decryptor, load your X25519 private key and select the .jsonl files. Everything happens in the tab and requires no network connection.
The result distinguishes decrypted lines, non-ENC2 lines and lines with an incorrect or corrupt key.
Legacy ENC: lines may depend on DPAPI and can only be decrypted on the originating machine.
Verifying integrity
To validate the installation and local chain:
tigermole-proxy verify
tigermole-proxy doctor
Keep the public key and retention policy with the operational runbook. The private key is required for decryption and must never be stored beside the logs.