Companion CLI · Open source

CLOAK

A local CLI that redacts code before it reaches ChatGPT, Claude, or Cursor. Pairs with Fob, runs fine standalone, governed by a policy file checked into your repo.

View on GitHub pip install cloak-cli

30 seconds

Scan, preview, redact, obfuscate, verify.

Four commands against a real Python project. The last one runs your test suite against the obfuscated output — if your tests don't pass, the operation fails. That's the difference between a redactor and a tool you'd actually trust with a contractor handoff.

Terminal recording: cloak scan, cloak diff-context, cloak context, then cloak obfuscate with --verify pytest passing. — Real terminal recording. Regenerated from the same VHS tape file checked into the repo.

What CLOAK does

Four commands, one policy file, zero servers.

scan

Find secrets first

Wraps detect-secrets and layers in your .cloakpolicy regex rules. Exit 1 on findings, JSON output for CI. Drop it into pre-commit and stop leaks at the keyboard.

diff-context

See before you trust

Dry-run preview of what gets redacted: function bodies, proprietary tables, docstrings under --strict. Per-file byte reduction. No files written.

context

Safe to paste

Generates a redacted markdown view of your repo — signatures preserved, bodies hidden — and copies to clipboard. Architectural feedback from an LLM without sending the implementation.

obfuscate --verify

Verified handoff

Renames module-private identifiers, optionally strips docstrings, then runs your test suite against the output. Tests fail, the operation fails. That's the differentiator.

Why this exists

The "don't paste code into ChatGPT" memo nobody reads.

Leadership says no. Developers do it anyway because the alternative is missing a deadline. Existing solutions are either six-figure network DLP that has to be bought through IT, or a policy document buried in Confluence. CLOAK is the third option: a small CLI you commit to a repo, a policy file your CTO writes once, and a workflow where the right thing happens by default.

Local onlyNo server, no SaaS, no cloud. Source never leaves your laptop unless you tell it to.

Repo-governedPolicy lives in .cloakpolicy, reviewed via the same PR process as your code.

Authority = merge accessWhoever can merge to main controls policy. No new permissions system to invent.

Apache 2.0Free forever for the CLI. Fork it, vendor it, audit it. No license keys to lose.

Installation

One pip install. Or pair it with Fob.

CLOAK is a Python CLI on PyPI. Install standalone, or run it inside a Fob project so context packets get redacted before they leave your machine.

GitHub repo How it works with Fob

pip install cloak-cli

cd your-repo
cloak policy init        # one-time scaffold
cloak scan .             # find secrets
cloak diff-context .     # preview redactions
cloak context . --copy   # safe to paste

cloak obfuscate ./src \
  --out ./src.cloaked \
  --verify "pytest"

What gets redacted

Signatures stay. Implementation goes.

Here's a real Python file before and after cloak context. Imports, class shapes, and function signatures survive — that's what an LLM needs to give architectural feedback. The body, the proprietary table, and the docstring details are gone.

// pricing.py — original
"""Pricing engine. Proprietary."""

from enum import Enum

class Region(str, Enum):
    NORTHEAST = "NE"
    WEST = "W"

_TIER_DISCOUNTS = {
    "low": 0.0,
    "mid": 0.08,
    "high": 0.15,
}

def calculate_total(base, region, tier):
    """Compute final customer total."""
    discount = _TIER_DISCOUNTS[tier]
    surcharge = 1.06 if region == Region.NORTHEAST else 1.0
    return base * surcharge * (1 - discount)

// after `cloak context pricing.py`
"""Pricing engine. Proprietary."""

from enum import Enum

class Region(str, Enum):
    NORTHEAST = "NE"
    WEST = "W"

_TIER_DISCOUNTS = ...

def calculate_total(base, region, tier):
    """Compute final customer total."""
    ...




// --strict also aliases enums + strips docstrings

The real product

One YAML file, reviewed in a PR.

CLOAK's governance hook is a .cloakpolicy at the repo root. It's checked into git, versioned with the code, and reviewed via the same PR process as everything else. Authority follows merge access — no separate permissions system to invent. Run cloak policy init for an interactive scaffold.

version: 1

sensitive_paths:
  - "src/pricing/**"
  - "src/auth/**"

public_api:
  - "QuoteEngine.calculate_quote"
  - "PaymentGateway.*"

secret_rules:
  - id: internal_endpoint
    pattern: 'https?://internal\..*\.corp\.example'
    severity: high

context_defaults:
  keep_docstrings: true
  redact_function_bodies: true
  alias_enums: false

obfuscate_defaults:
  rename_private: true
  rename_public_api: false
  profile: standard

What's in the box

Open source, no servers, no surprises.

Apache 2.0Free forever. Fork, vendor, audit. No license keys, no telemetry, no phone-home.

Python 3.11+Pure Python CLI, available on PyPI as cloak-cli. Binary on $PATH is cloak.

Python & JS/TSBoth languages supported by every command. .js, .mjs, .cjs, .jsx, .ts, .tsx.

Headless-friendlyStable JSON output (--json), predictable exit codes, no interactive prompts. Drop into CI or pre-commit.

Trusted PublisherPyPI releases via OIDC. No long-lived tokens, no compromised maintainer keys.

Latest: v0.3.0Released 2026-05-08. CI-gated, main branch protected, tag-triggered releases.

Fob × CLOAK

Workflow runtime, meet policy gate.

Fob is the local continuity layer for AI work — memory, decisions, handoffs, multi-model routing. CLOAK is the policy gate for outbound code. Fob can shell out to cloak context when a context packet contains source. The .cloakpolicy in your repo becomes the shared answer to "what code is allowed to reach an LLM?" — Fob honors it automatically when present.

Fob orchestrates Multi-model routing, decisions, handoffs, MCP server, approval-gated edits. The runtime for serious AI work.

CLOAK redacts Function bodies hidden, proprietary tables stripped, secrets blocked. The gate before code reaches a model.

One policy file .cloakpolicy lives in your repo. Fob honors it; CLOAK enforces it. PR review controls both.

No lock-in CLOAK is open source. Fob is a paid Founder License. CLOAK works without Fob; Fob works without CLOAK. Together they cover the gap nobody else fills.

Honest positioning

Friction tooling, not unbreakable protection.

A motivated reader given a CLOAK-obfuscated copy of your code can still figure out what it does. CLOAK reduces leak surface and creates governance — it does not provide cryptographic protection. Real protection comes from blocking, encrypting, compiling, or never sending the source. We say so on the README, on the PyPI page, and here. Honest positioning is the line that separates CLOAK from the dishonest end of the obfuscation market.

What it is

The smallest sharp tool for the Shadow AI problem.

Engineers are pasting code into LLMs. CTOs want governance. Network DLP is expensive and blunt. CLOAK is the developer-side, repo-governed alternative — a CLI small enough to actually adopt, with a policy file enforceable enough to actually mean something. And when you run it inside Fob, the context never leaves your laptop unredacted.