Replace the in-memory token map with self-contained cryptographic tokens.
ggshield-flagged secrets are encrypted with AES-256-GCM under a persistent
256-bit master key; the placeholder carries IV ++ authTag ++ ciphertext as
hex, so the proxy is stateless and resolves tokens across restarts and
replayed chat histories.
The streaming detokenizer now parses SSE content_block_delta events and
reassembles placeholders fragmented across many deltas — a raw byte scan
can't bridge the interleaved event/JSON framing. Plain JSON responses keep
the simpler contiguous byte scan.
The master key is generated 0600 on first run at
~/.config/claude-tokenization-proxy/master.key (override GG_MASTER_KEY_FILE);
deleting it makes existing tokens unrecoverable.
Add templates/claude-tokenization-proxy.service (systemd user unit that runs
the proxy at login, restarts on failure) and README sections covering its
installation, lingering for boot-before-login, and permanently setting
ANTHROPIC_BASE_URL across fish, bash/zsh, and environment.d.
Local DLP proxy between claude-code and the Anthropic API. Scans outgoing
/v1/messages bodies with ggshield, swaps detected secrets for opaque
placeholder tokens, and restores them in the streamed SSE response on the fly.
Licensed under AGPL-3.0-or-later.