| Version | Supported |
|---|---|
| 1.0.x | ✅ |
If you discover a security vulnerability within dotmask, please create an issue or contact the maintainer directly.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We ask that you:
- Give us reasonable time to address the issue before making any public disclosure
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption of service
dotmask uses a local MITM (Man-in-the-Middle) HTTPS proxy to intercept and modify traffic. This requires:
- CA Certificate Generation: A custom CA is generated at ~/.dotmask/ca/
- System Trust: The CA must be installed and trusted in macOS Keychain
- Local Traffic Only: Only intercepts traffic to configured AI provider domains
| Property | Implementation |
|---|---|
| Secrets never leave machine | MITM proxy intercepts the request before TLS to the provider and masks secrets before forwarding |
| Format preservation | Fakes maintain same prefix/length/charset as real |
| Secure storage | Real secrets stored in macOS Keychain |
| Memory safety | Secrets cleared from memory after masking |
| Cache TTL | Keychain lookups cached for 30s only |
- Header masking: Currently dotmask only masks secrets in request bodies, not HTTP headers
- Pattern matching: Secrets must match known patterns or have high entropy to be masked
- Local-only: CA certificate must be trusted on the same machine
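As an added illustration of the properties and limitations above (example code written for this page, not dotmask's own implementation; the pattern list, entropy threshold and prefix rule are assumptions): a masker that applies the two detection rules, known pattern or high entropy, and generates fakes with the same prefix, length and character classes, with the fake-to-real dict standing in for the Keychain-backed store.

```python
import math
import re
import secrets
import string

# Constructed examples of "known patterns"; dotmask's real pattern list is not on the page.
KNOWN_PATTERNS = [re.compile(r"sk-[A-Za-z0-9]{20,}"), re.compile(r"AKIA[A-Z0-9]{16}")]
CANDIDATE_RE = re.compile(r"[A-Za-z0-9_\-]{20,}")  # tokens long enough to deserve an entropy check
ENTROPY_THRESHOLD = 4.0  # bits per char; an assumed cut-off, not dotmask's setting

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def is_secret(token: str) -> bool:
    """The page's two masking rules: matches a known pattern, or is high-entropy."""
    return any(p.fullmatch(token) for p in KNOWN_PATTERNS) or shannon_entropy(token) >= ENTROPY_THRESHOLD

def fake_for(real: str) -> str:
    """Fake with the same prefix, length and per-position character class as the real secret."""
    # Assumed prefix rule: keep through the first '-' or '_' in the first 8 chars, else the first 4 chars.
    sep = next((i for i, ch in enumerate(real[:8]) if ch in "-_"), None)
    prefix = real[: sep + 1] if sep is not None else real[:4]
    out = [prefix]
    for ch in real[len(prefix):]:
        pool = (string.ascii_uppercase if ch.isupper() else string.ascii_lowercase if ch.islower()
                else string.digits if ch.isdigit() else ch)  # separators stay in place
        out.append(secrets.choice(pool))
    return "".join(out)

def mask_body(body: str, fake_to_real: dict) -> str:
    """Replace secret-looking tokens in a request body; fake_to_real stands in for the Keychain store."""
    def swap(m: re.Match) -> str:
        token = m.group(0)
        if not is_secret(token):
            return token
        fake = fake_for(token)
        fake_to_real[fake] = token
        return fake
    return CANDIDATE_RE.sub(swap, body)

def unmask_body(body: str, fake_to_real: dict) -> str:
    """Put the real values back into a provider response that echoes a fake."""
    for fake, real in fake_to_real.items():
        body = body.replace(fake, real)
    return body
```

Note that, as the limitations list says, a high-entropy string that is not a secret (a commit hash, a base64 blob) is also masked by the entropy rule, and a low-entropy secret that matches no known pattern passes through.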
dotmask protects against:
- ✅ Accidental secret leaks in AI prompts
- ✅ Secrets being stored in AI provider logs
- ✅ Secrets being used for training data
dotmask does NOT protect against:
- ❌ Malicious Claude Code prompts that exfiltrate secrets
- ❌ Compromised AI providers
- ❌ Secrets in file system (use other tools like git-secrets, Talisman)
Security advisories will be posted to the GitHub repository.