Every angle covered

Four ways your secrets stay yours.

Each protection mode runs on the same engine: zero network on the critical path, signed updates, opt-in everything that touches your data.

Outbound · Active

Vibe Coding Mode

For people who paste all day long, remembering a special shortcut isn't realistic. Vibe Mode inverts the bindings so the muscle-memory shortcut becomes the protected one.

  • Toggle from the menu bar — icon turns green when active
  • Per-app rules: enable globally, on selected apps, or everywhere except specific ones
  • Smart blocklist out of the box: 1Password, Xcode, VSCode, IntelliJ, Terminal, iTerm2, Warp
  • Fast path with 10 priority patterns + per-changeCount cache → paste in <60ms when no secret found
  • Hard 250ms timeout with automatic fallback — productivity never blocked
  • Triple-click on status bar icon disables instantly. Safety net for any unexpected scenario.
  • Auto-disable after 3 consecutive failures — protects you from a misbehaving rule

Forgetting to protect stops being possible.


Outbound · Vision

Image & PDF Redaction

Screenshots of terminals, photos of dashboards, PDFs from providers — every visual format you copy gets the same on-device OCR pass that text gets, with surgical black rectangles only over the secrets.

  • Apple Vision framework — world-class accuracy, 30+ languages auto-detected
  • Opaque black rectangles, not blur (blur can be reversed by AI)
  • QR codes and barcodes scanned too — embedded credentials get caught
  • PDFs supported (both text-embedded and scanned)
  • EXIF / GPS / maker notes stripped automatically — photos leak location too
  • ~300ms on a 1080p screenshot — imperceptible in the paste UX
  • Original image with secrets visible is NEVER stored. Privacy by design.

30+ OCR languages. Zero cloud calls.


Outbound · Compromised

Compromised Password Alerts

Even if you remember not to paste your password directly, your tools might. We catch passwords from known leaks before they leave the device — including ones hidden in Basic auth headers or database URLs.

  • 1.5M passwords from real breach datasets (SecLists / rockyou) verified in real time
  • Local bloom filter — database embedded in the app, never sent over the network
  • 0.1% false positive rate, 0% false negative within the dataset
  • Immediate notification: "⚠️ Known leaked password detected"
  • Works for passwords hidden inside Authorization: Basic and database URLs

A 1.5M password list with no network calls. Math, not magic.
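How a local check of this kind can work, as an added example that is not the product's own code: a Bloom filter sized with the standard formulas, queried with passwords pulled out of `Authorization: Basic` headers and database URLs. The SHA-256 double hashing, the two regexes, all function names and the sample data are assumptions made for illustration. For the figures quoted above (1.5M entries, 0.1% false positives), `bloom_params` gives about 21.6 million bits (roughly 2.7 MB) and 10 hash functions.

```python
import base64, binascii, hashlib, math, re
from urllib.parse import unquote, urlsplit

def bloom_params(n, p):
    # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hash functions.
    m = math.ceil(-n * math.log(p) / math.log(2) ** 2)
    return m, max(1, round(m / n * math.log(2)))

class Bloom:
    def __init__(self, n, p):
        self.m, self.k = bloom_params(n, p)
        self.bits = bytearray((self.m + 7) // 8)
    def _positions(self, item):
        # Double hashing: two 64-bit slices of one SHA-256 yield k bit indexes.
        d = hashlib.sha256(item.encode()).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]
    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)
    def __contains__(self, item):
        return all(self.bits[q // 8] >> (q % 8) & 1 for q in self._positions(item))

BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s'\"]+", re.I)

def candidate_passwords(text):
    # Passwords carried inside Basic auth headers and user:pass@host URLs.
    found = []
    for b64 in BASIC_RE.findall(text):
        try:
            creds = base64.b64decode(b64, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64/UTF-8, so not a Basic credential
        found.append(creds.partition(":")[2])
    for url in URL_RE.findall(text):
        try:
            found.append(unquote(urlsplit(url).password or ""))
        except ValueError:
            continue  # malformed URL (e.g. broken IPv6 literal)
    return [pw for pw in found if pw]

def leaked_passwords(text, bloom):
    return [pw for pw in candidate_passwords(text) if pw in bloom]

# Constructed sample data: a tiny stand-in list and made-up credentials.
SAMPLE_LEAKED = ["123456", "password", "iloveyou", "qwerty"]
SAMPLE_TEXT = ("Authorization: Basic " + base64.b64encode(b"admin:iloveyou").decode()
               + "\nDATABASE_URL=postgres://app:qwerty@db.example.test:5432/prod\n")
```

A Bloom filter never misses an item that was added, which is why the false-negative rate within the dataset is zero, while a hit can occasionally be a false positive at roughly the configured rate.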


Inbound · Supply chain

Malicious Dependency Detection

Package compromise on npm/PyPI/pub is now the most common supply chain attack vector. We catch it the moment you copy the install command — before the paste, before the damage.

  • Covers npm + PyPI + pub today; Go, Cargo, Maven, RubyGems, Composer on the roadmap
  • OSV.dev advisory feed synced in background — coverage grows without app release
  • Rich modal: summary, markdown details, severity badge, links to advisory (GHSA, OSV, PyPA)
  • Four trigger modes: copy-time, selected text via Services menu, manifest file (right-click), full folder recursive scan
  • Privacy preserved: nothing from your clipboard, file, or folder goes to our server. Detection is local; advisory details fetched by public ID only.
  • Offline-capable: if internet drops, detection keeps working with the cached catalog

Other tools alert after the package is in your repo. We alert before the install runs.
