No trust required. Check the path.

TigerMole masks secrets locally before Claude Code sends a request. This page lists the network surface, cryptography and failure behaviour behind the 111 detection rules.

Local masking · fail-closed · no telemetry
01 / Network surface

Three paths. Nothing hidden.

Your prompt and code take one outbound path, already masked. Licensing is separate and never carries your prompts, code or secrets.

127.0.0.1:9800

Local interception point. Secrets are detected and replaced here before the request leaves your machine.

api.anthropic.com

Masked prompts and placeholders only. Anthropic never receives the original secret value.

api.tigermole.com

Activation and periodic revalidation. Sends the license, machine fingerprint, hostname or owner label and platform only.

02 / Cryptographic boundaries

Keys stay where they belong.

License at rest
DPAPI / AES
Bound to the current user on the machine.
Audit integrity
SHA-256 + ED25519
Team logs are signed and tamper-evident.
Audit encryption
X25519 + ENC2
Optional encryption with your public key. TigerMole never sees the private key.
03 / Failure mode

Fail-closed by default.

If masking panics, times out or cannot parse a request, TigerMole blocks it instead of forwarding unmasked data. This is not a switch.

BLOCKED · NON-CONFIGURABLE
04 / Verify it yourself

Read the implementation path.

The public quickstart explains activation, the local proxy and the checks you can run after installation.

Open the quickstart
Security contactsecurity@tigermole.com

Your privacy, your choice

We use essential cookies to keep the site working, and — only with your consent — analytics and advertising cookies. Read our Privacy Policy.