AI Secret Hygiene — MCP server, proxy, and hooks that catch and remediate hardcoded secrets in AI-generated code
Project description
aigate
Secret hygiene for AI-generated code. Catches hardcoded credentials in prompts, tool inputs, generated code, and existing files.
Quick start
```bash
pip install aigate && aigate setup-all
```
That's it. This installs a background proxy (redact mode), a PostToolUse hook for file scanning, and registers the MCP server with Claude Code. Restart your terminal for env vars to take effect.
Requires Python 3.11+ and jq.
What it does
Three layers, one detection engine:
| Layer | Scope | How |
|---|---|---|
| Proxy | Network-level | Intercepts HTTPS requests to AI APIs. Redacts secrets before they leave your machine. |
| Hooks | Claude Code | PostToolUse scans files after Write/Edit. PreToolUse redacts tool inputs. |
| MCP Server | Any agent | Three tools agents call to scan code, store secrets, and audit files. |
setup-all installs all three. Or pick what you need:
```bash
aigate install-hook                  # hooks only (no proxy)
claude mcp add aigate aigate-mcp     # MCP server only
aigate setup && aigate start         # proxy only
```
Scan existing code
```bash
aigate scan-dir .                    # find secrets in a directory
aigate scan-dir . --fix --dry-run    # preview what would change
aigate scan-dir . --fix              # replace with env var refs, save to .env
```
Detection
AWS keys, API tokens (OpenAI, Anthropic, GitHub, GitLab, Slack, SendGrid, Square), database URLs, private keys, GCP service accounts, Tailscale keys, env file secrets, and high-entropy password/token fields.
Detected secrets are mapped to conventional env var names:
| Token | Env var |
|---|---|
| `sk-ant-*` | `ANTHROPIC_API_KEY` |
| `sk-*`, `sk-proj-*` | `OPENAI_API_KEY` |
| `ghp_*`, `github_pat_*` | `GITHUB_TOKEN` |
| `glpat-*` | `GITLAB_TOKEN` |
| `xoxb-*` | `SLACK_BOT_TOKEN` |
| `SG.*` | `SENDGRID_API_KEY` |
| `AKIA*` | `AWS_ACCESS_KEY_ID` |
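A sketch of how prefix-based detection and a `--fix`-style rewrite could work, using the token prefixes from the table above. This is an added example, not aigate's own code; the 16-character length floor, the `os.environ[...]` replacement form, and the names `env_name` and `remediate` are assumptions.

```python
import re

# Prefix -> env var pairs from the table above. Longest prefixes first, so
# "sk-ant-" is not misfiled under the shorter OpenAI "sk-" rule.
PREFIX_TO_ENV = [
    ("github_pat_", "GITHUB_TOKEN"),
    ("sk-proj-", "OPENAI_API_KEY"),
    ("sk-ant-", "ANTHROPIC_API_KEY"),
    ("glpat-", "GITLAB_TOKEN"),
    ("xoxb-", "SLACK_BOT_TOKEN"),
    ("ghp_", "GITHUB_TOKEN"),
    ("AKIA", "AWS_ACCESS_KEY_ID"),
    ("sk-", "OPENAI_API_KEY"),
    ("SG.", "SENDGRID_API_KEY"),
]

# A quoted literal: known prefix plus at least 16 token characters. The length
# floor (an assumption of this sketch) skips short strings such as "sk-learn".
_ALT = "|".join(re.escape(p) for p, _ in PREFIX_TO_ENV)
TOKEN_RE = re.compile(r"""(["'])((?:%s)[A-Za-z0-9_.\-]{16,})\1""" % _ALT)


def env_name(token):
    """Return the env var name for the first (longest) matching prefix."""
    return next(name for prefix, name in PREFIX_TO_ENV if token.startswith(prefix))


def remediate(source):
    """Swap hardcoded tokens for os.environ lookups; return (code, env entries)."""
    env = {}

    def swap(match):
        name = env_name(match.group(2))
        env[name] = match.group(2)  # value that would be written to .env
        return 'os.environ["%s"]' % name

    return TOKEN_RE.sub(swap, source), env


# Constructed sample input; every token value below is fake.
SAMPLE = '''\
anthropic = Client(api_key="sk-ant-CONSTRUCTED0000000000000000")
aws_id = 'AKIAEXAMPLEEXAMPLE00'
pkg = "sk-learn"
'''

if __name__ == "__main__":
    print(*remediate(SAMPLE), sep="\n")
```

Two different secrets that map to the same env var name overwrite each other in this sketch; a real tool has to disambiguate them before writing `.env`.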
Proxy modes
```bash
aigate start -m block     # reject requests (default)
aigate start -m redact    # replace secrets with env var placeholders
aigate start -m warn      # forward + log warning
aigate start -m audit     # forward + silent log
```
Uninstall
```bash
aigate stop-proxy && aigate uninstall-hook && claude mcp remove aigate
pip uninstall aigate && rm -rf ~/.aigate ~/.mitmproxy
```
Remove the lines after `# aigate: proxy env vars` and `# aigate: trust mitmproxy CA` from your shell profile.
CA cert removal:
- macOS: `sudo security delete-certificate -c mitmproxy /Library/Keychains/System.keychain`
- Debian: `sudo rm /usr/local/share/ca-certificates/mitmproxy-aigate.crt && sudo update-ca-certificates --fresh`
- RHEL: `sudo rm /etc/pki/ca-trust/source/anchors/mitmproxy-aigate.pem && sudo update-ca-trust`
File details
Details for the file aigate-0.3.1.tar.gz.
File metadata
- Download URL: aigate-0.3.1.tar.gz
- Upload date:
- Size: 38.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0a5be5a3c2716132d742078228a3ed9b4fd365790501a55695687d8c51013712 |
| MD5 | dfc875f99b548c3a1fc2f8f543222867 |
| BLAKE2b-256 | 27da58b35419ba8c8bfae88a3b6322ec3b8d99533783b3ade356671494af1813 |
File details
Details for the file aigate-0.3.1-py3-none-any.whl.
File metadata
- Download URL: aigate-0.3.1-py3-none-any.whl
- Upload date:
- Size: 27.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 07906235478c23ebb52ba297f71dd9f6d3737b383ff98b0f348fc475e0d0919a |
| MD5 | cd7239881e1ecddfcffd2fd534fd916b |
| BLAKE2b-256 | 1f649fa037b21f5eefad37ae8691f51cbfae0bea7d57cc66f20f37e65b4bbaf2 |