Skip to content
How the system actually works

Signal, not surveillance.

HeimWall catches secrets, PII, and confidential data before they leave your machine. The prompts themselves never do.

The one invariant everything is built around

Raw prompt content never leaves your device. Detection and redaction happen locally, in under 50 milliseconds, before anything is stored or sent. What reaches the cloud is redacted metadata — a category, a severity, a masked snippet — never the words you typed.

System overview

One engine, four surfaces.

The same on-device detection engine powers everything. What differs is who sees the signal and how far it travels.

01 · Individual — free

The personal safety layer

A menu-bar app (Rust + Tauri, ~15 MB). Runs entirely on your Mac — no account, no org, nothing sent anywhere. You type; it catches. This is the free tier, and the whole loop runs offline.

02 · Team

The same agent, enrolled

The individual agent, joined to an organization with one code. It sends redacted signal — counts and masked snippets — so a manager sees patterns. Raw prompts still never leave the device.

03 · Manager dashboard

Patterns, not content

A web dashboard showing a team’s Safety Score, category breakdowns, and per-engineer trends — all from redacted events. A manager sees that a secret was caught, never what it was.

04 · Company control panel

Cross-tenant, de-identified

Internal BI over de-identified aggregates, plus opt-in census. Counts only, k-anonymized — the same guarantee we sell, applied to ourselves.

The trust ladder: content stays on the device → redacted signal reaches a manager (Team, consented) → de-identified counts reach the company (opt-in). Each rung shows strictly less.

The privacy boundary

What crosses the line — and what can’t.

Everything sensitive happens inside a boundary drawn at the edge of your machine. The diagram is the product.

Your machine — on-device

Step 1

Capture

Read the prompt as you write it — before the network.

Step 2

Detect

Scan for secrets, PII, confidential terms in under 50ms.

Step 3

Redact

Mask any match. Drop the raw bytes from memory.

raw prompt classification redacted record

Never leaves

The raw prompt text. Unredacted content. Anything you actually typed into Cursor, Claude Code, or Copilot.

May cross (Team only)

Redacted metadata: tool, category, severity, matched-rule IDs, a masked snippet (≤ 500 chars), and a content hash — over TLS 1.3 with certificate pinning.

Layer 1 — capture

Seeing the prompt before the network does.

Modern AI tools talk directly to their own servers, often over pinned TLS you can’t sit in the middle of. So HeimWall reads the composer itself — three independent, on-device methods, each covering the others’ blind spots.

Method A — Accessibility

Read the editor

macOS Accessibility reads the composer's text straight from the app's UI tree, before a single byte is sent. Network-agnostic: it works even for Cursor's direct-to-cloud traffic a proxy can never see.

Method B — Clipboard

Catch the paste

A zero-permission poll of the pasteboard. The most common way a secret enters a prompt is a paste from a .env file or a terminal. This catches it at the source, with no entitlement required.

Method C — TLS inspection

The proxy path

For browser-based AI and CLI tools, a local TLS proxy inspects outbound requests. Belt-and-suspenders for the tools the first two methods don't reach.

All three run in the same Rust process on your machine. Nothing is captured to disk; a prompt is held only long enough to scan it, then dropped.

Layer 2 — detection

A tiered engine. And no model on your prompts.

Detection is a shared Rust crate, deliberately tiered so the fast, explainable path does the heavy lifting and the expensive path is rare. One thing we do not do: train a model on your prompts. We never collect them, so there is nothing to train on.

1

Deterministic rules

Live · <50ms p95

25+ hand-written regular expressions for the things with hard shapes: AWS access keys, GitHub tokens, private keys, JWTs, database URLs, and PII like SSNs, credit cards, and emails. Every rule ships with at least 5 positive and 5 negative test cases. This tier catches the overwhelming majority — deterministic, auditable, and instant.

+

Confidential terms

Live · per-org

A team can list its confidential terms — unreleased product names, codenames, “Project Titan.” The agent fetches the list and matches it on-device. The term list is org configuration; it is never prompt content.

2

Semantic layer — pretrained, on-device

Architecture shipped · model pending

For leaks with no fixed shape — a paraphrased secret, “here’s our internal roadmap…” — a small pretrained zero-shot classifier runs locally via ONNX. Zero-shot means no training: at inference it scores candidate labels like { confidential, customer data, benign }. It runs only when the rules tier found nothing, so it never slows the hot path.

3

Escalation to a frontier model

Roadmap

The hardest, highest-stakes cases can escalate to a frontier model through a zero-retention endpoint — the provider stores nothing. Reserved for ambiguity the local tiers can't resolve, and only ever on already-redacted signal.

Why this order matters. Regex is free, instant, and explainable — a manager can see exactly which rule fired. The semantic model is a fallback, not the foundation. And because the first tiers run entirely offline, the free individual app needs no network at all.

Layer 3 — redaction

Masked at the source, not in the cloud.

The moment a match is found, the content is replaced before it is written to any record. A structured token keeps everything you need to reason about the event — and nothing you don’t.

The hash, not the secret

A short content hash lets you tell “same secret, seen twice” apart from “two different secrets” — correlation without ever storing the value. Two engineers pasting the same key produce the same hash; nobody can reverse it back to the key.

Benign is dropped entirely

If a prompt is only noise — “write a test for this function” — it is never recorded or sent. Only meaningful detections become events.

Where the metadata goes

Two planes, and a device with no name.

When a Team agent does uplink, the record is split into two planes and the device stays anonymous by design.

Plane 1 — cleartext metadata

Aggregatable signal

Tool, category, severity, matched rules, timestamps, the masked snippet. This is the only input to Safety Scores, counters, and digests. It is deliberately readable so the product can do math on it.

Plane 2 — sealed payload

An opaque blob

A sealed envelope the gateway stores byte-for-byte and never parses. The server is blind to it; only an authorized, audited investigation can ever open it — never for routine analytics.

Employees have no account. An enrolled device gets a synthetic, per-device identity — anonymous by construction. Only managers sign in. An engineer is a fingerprint, not a person on file. And the census plane, if a company opts in, carries de-identified counters only: any cohort under 25 is suppressed, so a leaked row reveals only “some opted-in agent saw N flags of this shape this week.”

Performance budget — enforced, not aspirational

Fast enough to stay out of the way.

<50ms
On-device detection · p95
<200ms
Cloud API · p95
<150MB
Agent RAM · idle
<20MB
macOS bundle size

The prompts stay on the machine.

Start with the free Mac app, or bring the manager dashboard to your team.