Your LLM agent sees fake secrets & keys. Your real ones never leave your machine.
You: AKIAQX4BIPW3AHOV29GN → Mirage: AKIADKRY5CJQX4BIPW3A
You: lee.taylor56789@aol.com → Mirage: chris.hall456@gmail.com
You: +1-501-369-6183 → Mirage: +1-464-316-6112
Single binary. Sub-millisecond. Works with every major LLM tool.
If this saves you from one leaked key, star/watch the repo.
Anthropic's own Transparency Hub (Sonnet 4.6, Feb 2026):
"...using credentials to bypass user authentication without permission..." "We found that Sonnet 4.6 was substantially more likely to engage in over-eager behavior than previous models."
Agent tools can send sensitive repo context to cloud APIs unless you explicitly block it. If there's a secret in working context, it can transit upstream. Sandboxing doesn't help once it's in context.
Mirage fixes this at the network layer. It sits between your tool and the provider, replaces sensitive data with plausible fakes, and rehydrates the originals in the response. The LLM processes fake data. Your real secrets never transit.
If you do not trust prebuilt binaries from an unfamiliar maintainer, use source build.
cargo install --locked --git https://github.com/chandika/mirage-proxy
mirage-proxy --service-installRequires Rust 1.75+.
brew install chandika/tap/mirage-proxy # macOS / Linux
mirage-proxy --service-installWindows:
scoop bucket add chandika https://github.com/chandika/scoop-bucket
scoop install mirage-proxy
mirage-proxy --service-install- Source-first: default to
cargo install --locked --git ...if you do not know the maintainer. - Install scope:
--service-installonly adds one marked shell block, installs a user-level daemon, and writes backups for changed shell files. - Rollback:
mirage-proxy --service-uninstallremoves daemon + marked shell block. - Optional confidence check: run
mirage-proxy --service-install --dry-runfirst.
mirage-proxy --service-install adds one managed block to each target shell file.
On bash/zsh, that block:
- exports provider base URL env vars to
http://127.0.0.1:8686/... - defines a
mirageshell function (on,off,status,logs) - shows a startup status line when the daemon is reachable
It does not rewrite unrelated parts of your .zshrc/.bashrc.
On reinstall, Mirage removes only its previous marked block and rewrites that block.
Example (bash/zsh block shape):
# >>> mirage-proxy >>>
export ANTHROPIC_BASE_URL="http://127.0.0.1:8686/anthropic"
export OPENAI_BASE_URL="http://127.0.0.1:8686"
# ...other provider base URLs...
mirage() {
# on | off | status | logs
}
# <<< mirage-proxy <<<- Managed scope only: edits are limited to lines between
# >>> mirage-proxy >>>and# <<< mirage-proxy <<< - Backup-first for existing files: each changed profile gets a timestamped backup in
~/.mirage/backups/ - Reversible in one command:
mirage-proxy --service-uninstallremoves daemon + Mirage shell blocks - Reversible manually: delete only the marked block (or restore a backup file)
- For current shell only:
mirage off - Turn it back on in current shell:
mirage on - Fully remove auto-start + shell integration:
mirage-proxy --service-uninstall
For automation/non-interactive installs:
mirage-proxy --service-install --yesDone. Mirage runs as a background service and is ON by default for new terminals.
🛡️ mirage active (vX.Y.Z)
OpenClaw
Native provider. Install the skill from ClawdHub:
clawdhub install mirage-proxyRegisters mirage-anthropic as a provider with aliases: mirage-sonnet, mirage-haiku, mirage-opus. Switch with /model mirage-sonnet.
Mirage runs as a background daemon on port 8686. It auto-routes to 28+ providers based on the request path. No per-tool configuration needed — the --service-install command sets the right environment variables globally.
| Tool | What gets set | You do |
|---|---|---|
| Claude Code | ANTHROPIC_BASE_URL |
Nothing — just open Claude |
| Codex | OPENAI_BASE_URL |
Nothing — just run Codex |
| Cursor | OPENAI_BASE_URL |
Nothing — just open Cursor |
| Aider | ANTHROPIC_BASE_URL / OPENAI_BASE_URL |
Nothing |
| OpenCode | OPENAI_BASE_URL |
Nothing |
| Continue | OPENAI_BASE_URL |
Nothing |
| Any OpenAI-compatible tool | OPENAI_BASE_URL |
Nothing |
mirage on # route this terminal through mirage
mirage off # this terminal goes direct (daemon stays running)
mirage status # daemon/filter status + binary/daemon versions
mirage logs # live tail of redactions and session eventsmirage status
curl -s http://127.0.0.1:8686/healthz
mirage logsExpected: daemon is running and logs show request/session activity (or unmatched / health checks).
mirage-proxy --service-installinstalls a daemon (launchd/systemd/Task Scheduler)- Daemon files are standard user-level service files:
- macOS:
~/Library/LaunchAgents/com.mirage-proxy.plist - Linux:
~/.config/systemd/user/mirage-proxy.service - Windows: Task Scheduler job
mirage-proxy
- macOS:
- Shell integration exports provider base URLs in new terminals
- Shell edits are scoped to a marked block and are reversible
mirage on/offonly toggles env vars for the current shellmirage logsis the easiest way to watch what is being redacted after install
Want to see what mirage catches before committing?
mirage-proxy --service-install --dry-runTraffic passes through unmodified. Detections are logged. You see exactly what would be filtered.
| Type | Example | How |
|---|---|---|
| AWS keys | AKIA... |
Prefix match |
| GitHub tokens | ghp_..., ghs_... |
Prefix match |
| OpenAI keys | sk-proj-... |
Prefix match |
| Google API keys | AIzaSy... |
Prefix match |
| GitLab, Slack, Stripe | Various prefixes | 129 patterns from Gitleaks + secrets-patterns-db |
| Bearer tokens | Authorization: Bearer ... |
Header pattern |
| Private keys | -----BEGIN RSA PRIVATE KEY----- |
Structural |
| Connection strings | postgres://user:pass@host |
URI + credentials |
| Unknown secrets | High-entropy strings | Shannon entropy threshold |
| Type | Original → Fake |
|---|---|
lee.taylor56789@aol.com → drew.wilson@outlook.com |
|
| Phone | +1-501-369-6183 → +1-464-316-6112 |
| SSN | 927-83-6041 → 890-30-5970 |
| Credit card | 4890 1234 5678 9012 → 4789 0123 4567 8901 |
| IP address | 10.0.1.42 → 172.18.3.97 |
Every fake matches the format and length of the original. An AWS key becomes a different valid-format AWS key. A credit card keeps its issuer prefix and passes Luhn. Within a conversation, the same value always maps to the same fake (session consistency).
Your tool → mirage-proxy → Provider API
- Tool sends request to
localhost:8686/anthropic/v1/messages - Mirage parses the JSON body
- Detects secrets via 129 regex patterns + entropy analysis
- Generates format-matching fakes
- Stores original↔fake mapping in session
- Forwards redacted request to
api.anthropic.com
Provider API → mirage-proxy → Your tool
- Provider responds (JSON or SSE stream)
- Mirage scans for fake values
- Replaces fakes with originals (rehydration)
- Returns clean response to your tool
Other tools use visible tokens: [REDACTED], [[PERSON_1]], <PHONE_NUMBER>. The model knows data was removed. It adapts — refusing to write code, generating workarounds, asking for the missing data.
Mirage's fakes are invisible. The model processes the request normally because it looks normal. This is an architectural difference, not a feature toggle.
┌─────────────┐ ┌───────────────────────────────┐ ┌──────────────┐
│ Your tool │────▶│ mirage-proxy │────▶│ Provider │
│ │◀────│ │◀────│ │
└─────────────┘ │ detect → fake → forward │ └──────────────┘
│ detect fakes → rehydrate │
│ │
│ Sessions · Vault · Audit log │
└───────────────────────────────┘
Works with zero config. For fine-tuning, create ~/.config/mirage/mirage.yaml:
sensitivity: medium # low | medium | high | paranoid
dry_run: false
# Skip filtering for specific providers (e.g. TLS fingerprint issues)
bypass:
- "generativelanguage.googleapis.com"
rules:
always_redact: [SSN, CREDIT_CARD, PRIVATE_KEY, AWS_KEY, GITHUB_TOKEN, API_KEY, BEARER_TOKEN]
mask: [EMAIL, PHONE]
warn_only: [IP_ADDRESS]
audit:
enabled: true
path: "./mirage-audit.jsonl"
log_values: false # true = log originals (debugging only)| Sensitivity | What gets filtered |
|---|---|
low |
Secrets & credentials only |
medium |
Secrets + PII (email, phone) — default |
high |
Everything including warn-only categories |
paranoid |
All detected patterns regardless of rules |
Persist fake↔original mappings across restarts:
MIRAGE_VAULT_KEY="my-passphrase" mirage-proxy --service-installAES-256-GCM encryption. Argon2id key derivation. Without the passphrase, the vault file is random bytes.
- No external telemetry pipeline in mirage-proxy itself.
- Runs locally and proxies only to your configured upstream provider endpoints.
- Audit logging is local-file only and configurable (
log_values: falseby default). --dry-runshows detections without modifying traffic.
| mirage-proxy | PasteGuard | LLM Guard | LiteLLM+Presidio | |
|---|---|---|---|---|
| Install | brew install |
Docker + npm | pip + models | pip + Docker + spaCy |
| Size | ~5MB | ~500MB+ | ~2GB+ | ~500MB+ |
| Overhead | <1ms | 10-50ms | 50-200ms | 10-50ms |
| Method | Plausible fakes | [[PERSON_1]] |
[REDACTED] |
<PERSON> |
| LLM knows? | No | Yes | Yes | Yes |
| Session-aware | ✓ | ✗ | ✗ | ✗ |
| Streaming | ✓ | ✓ | ✗ | Partial |
| Encrypted vault | ✓ | ✗ | ✗ | ✗ |
| Auto-setup | ✓ | ✗ | ✗ | ✗ |
- Regex + entropy only — no NLP/NER. Won't catch secrets described in natural language.
- Streaming boundaries — 128-byte overlap buffer handles most cases, but very long fake values split exactly at a chunk boundary can slip through.
- Signed thinking blocks are immutable — Anthropic validates signatures on extended thinking payloads. Mirage intentionally skips modifying signed thinking blocks.
- Compressed responses are handled safely — Mirage now decompresses → rehydrates → recompresses. If decompression/recompression fails, it passes through original bytes to avoid corrupting streams.
- Google bot detection — Google's APIs use TLS fingerprinting. Mirage's
reqwest/rustlsfingerprint can trigger bot checks. Use thebypassconfig for Google providers.
Use latest mirage version. Mirage skips signed Anthropic thinking blocks now. If you still see this:
mirage-proxy --service-uninstall
mirage-proxy --service-install
mirage statusUse latest mirage version. Responses are now decompressed/rehydrated/recompressed safely. If it persists, collect raw logs:
mirage logs
# or full logs:
tail -f ~/.mirage/mirage-proxy.logThose are health checks. Harmless.
mirage-proxy [OPTIONS]
-p, --port <PORT> Listen port [default: 8686]
-b, --bind <ADDR> Bind address [default: 127.0.0.1]
-c, --config <PATH> Config file path
--sensitivity <LEVEL> low | medium | high | paranoid
--dry-run Log detections without modifying traffic
--vault-key <PASSPHRASE> Vault passphrase (or MIRAGE_VAULT_KEY env)
--service-install Install background service + shell integration
--yes Skip interactive confirmation prompts
--service-uninstall Remove service + shell integration
--service-status Show daemon and filter status
--list-providers Show all 28+ built-in provider routes
--no-update-check Skip version check on startup
-h, --help
-V, --version
- 129 secret patterns (Gitleaks + secrets-patterns-db)
- Plausible fake substitution with session consistency
- Encrypted vault (AES-256-GCM, Argon2id)
- SSE streaming with cross-chunk boundary buffer
- Multi-provider routing (28+ providers)
-
mirage on/off— background service + shell toggle - macOS (launchd), Linux (systemd), Windows (Task Scheduler + PowerShell)
- Native OpenClaw integration (ClawdHub skill)
- Provider bypass list
- Signed release artifacts + provenance attestation
- Custom pattern definitions in config
- Optional ONNX NER for name/organization detection
- Route mode (sensitive requests → local model)
MIT
Built by @chandika. Born from watching coding agents send API keys to the cloud.
Detection patterns from Gitleaks (MIT) and secrets-patterns-db (Apache 2.0).