Policy-driven context firewall for AI workflows — scan and redact sensitive data before prompts, logs, or traces leave your environment.
Project description
ContextDuty
The local-first prompt firewall — stop secrets and PII from reaching any AI tool, before the prompt ever leaves your machine.
Try it live: ContextDuty demo on Hugging Face Spaces · Detection brain: Microsoft Presidio
pip install contextduty
contextduty protect # stop all AI tools from indexing your secrets
contextduty install-hooks # block commits that contain secrets
Why
By 2026, 34.8% of data developers paste into AI tools is sensitive (Cyberhaven). A secret leaks the moment it's typed into a prompt — long before it ever reaches a repo. Traditional DLP can't see that flow, and enterprise AI plans don't stop an engineer pasting a key into Cursor.
ContextDuty closes every door a developer leaks through — the IDE, a git commit, live AI-API traffic, and MCP tool calls — with one install, one policy, zero cloud.
What it is (and what it isn't)
ContextDuty is not a new PII detector. Detection is hard and already solved — so the NLP layer is powered by Microsoft Presidio (with a spaCy fallback), plus 60 deterministic regex detectors for secrets.
ContextDuty is the enforcement fabric around that detection: it wires it into the four places developers actually leak, governs everything with a portable block/warn/redact policy, and runs 100% locally — no data leaves your machine, no SaaS, MIT-licensed.
Presidio is the brain. ContextDuty is the firewall.
| Microsoft Presidio | GitGuardian ggshield |
Cloud DLP (Aona/Lasso/Nightfall) | ContextDuty | |
|---|---|---|---|---|
| PII detection | ✅ (we use it) | ❌ | ✅ | ✅ via Presidio |
| Secret detection | partial | ✅ (secrets only) | ✅ | ✅ 60 detectors |
| Git pre-commit hook | ❌ | ✅ | ❌ | ✅ |
IDE indexing block (.cursorignore…) |
❌ | ❌ | ❌ | ✅ |
| Live HTTPS proxy over AI-API traffic | ❌ | ❌ | network/browser | ✅ |
| MCP server | ❌ | ❌ | ❌ | ✅ |
| Portable block/warn/redact policy | operators only | limited | cloud console | ✅ one JSON, all surfaces |
| Local-first — nothing leaves the machine | ✅ | cloud engine | ❌ SaaS | ✅ |
| Open-source | ✅ | ❌ | ❌ | ✅ MIT |
The five enforcement surfaces
flowchart LR
WS["🗂️ Your workspace\n.env · keys/ · config"] --> CD
subgraph CD["ContextDuty — 60 regex detectors + Presidio NLP"]
L1["IDE ignore files"]
L2["git pre-commit hook"]
L3["HTTPS proxy (21 AI APIs)"]
L4["MCP server"]
L5["CI / CD"]
end
CD --> AI["✅ AI tools protected\nCursor · Copilot · Claude · Windsurf · Cody · Amazon Q · …"]
| Surface | What it does | Command |
|---|---|---|
| IDE ignore | Generates ignore files for 6 AI tools so secrets are never indexed | contextduty protect |
| Git hook | Pre-commit scan blocks secrets from entering history | contextduty install-hooks |
| HTTPS proxy | Intercepts 21 AI API hosts, redacts secrets from request bodies in-flight | contextduty proxy start |
| MCP server | Redacts tool-call results before they enter the AI context window | contextduty-mcp |
| CI/CD | Policy-as-code gate — PRs with secrets exit non-zero | contextduty scan src/ |
Quick start
pip install contextduty # core (regex detectors, hooks, CLI)
cd your-project/ # run from your git root
contextduty init # create .contextduty.json policy
contextduty protect # write ignore files for all 6 AI tools
contextduty install-hooks # block secret-bearing commits
# Optional extras
pip install 'contextduty[presidio]' # NLP PII detection (recommended)
pip install 'contextduty[proxy]' # live HTTPS interception
Scan or redact anything:
contextduty scan src/ # JSON findings report
contextduty scan --nlp src/ # add Presidio NLP PII detection
contextduty redact --in raw.txt --out clean.txt
Detection
60 built-in regex detectors across Cloud/Infra, VCS/CI, Payment, Messaging, AI/ML, Databases, Generic secrets, IaC, PII, Healthcare, and Crypto/Web3 — including aws_key, github_pat, stripe_secret, openai_key, postgres_dsn, ssh/pgp keys, credit_card, ssn, jwt_token, and more. See detectors.py for the full list.
Presidio NLP catches unstructured PII regex can't — person names, organizations, locations, dates — running entirely locally:
pip install 'contextduty[presidio]'
python -m spacy download en_core_web_sm
contextduty scan --nlp src/
Deterministic masks: AKIAIOSFODNN7EXAMPLE always becomes <AWS_KEY_1a5d44a2dc> — same value, same mask, everywhere — so audit logs stay correlatable without storing raw secrets.
Custom detectors (no code, no redeploy):
{ "custom_detectors": { "employee_id": "\\bEMP-[0-9]{6}\\b" } }
📊 Benchmarked: 100k prompts, fully local — p99 latency ~13 ms, precision 1.000, F1 0.94 (0.99 at threshold 0.4). See benchmarks/README.md.
Policy
{
"mode": "redact", // redact | warn | block
"detectors": ["email", "aws_key", "openai_key", "postgres_dsn"],
"detector_modes": { "aws_key": "block" }, // per-detector override
"allow_patterns": { "email": ["@example\\.com$"] },// known-safe values
"extends": "../../policies/org-baseline.json" // team baseline + repo override
}
| Mode | Behavior |
|---|---|
redact |
Replace matches with deterministic masks |
warn |
Log findings, don't modify or block |
block |
Exit non-zero — for CI and pre-commit hard stops |
Compliance baselines included: policies/soc2-baseline.json, policies/hipaa-baseline.json.
Notebooks, MCP & dashboard
Jupyter / Colab / Databricks — one import, zero config:
from contextduty.notebook import guard, redact
guard("aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY") # prints a warning
clean = redact("db = postgres://admin:secret@prod:5432/app") # → <POSTGRES_DSN_…>
MCP server — redacts tool-call results before they enter the model's context:
{ "mcpServers": { "contextduty": { "command": "contextduty-mcp" } } }
Audit dashboard — local web UI, all data stays on your machine:
contextduty dashboard --demo # synthetic data
contextduty dashboard # reads ~/.contextduty/audit.jsonl
Commands
| Command | Description |
|---|---|
contextduty protect [watch|status] |
Write/auto-update ignore files for all 6 AI tools |
contextduty install-hooks / uninstall-hooks |
Manage the git pre-commit hook |
contextduty proxy [setup|start|stop|status] |
Manage the HTTPS interception proxy |
contextduty scan <file|dir> [--nlp] |
Scan and print JSON findings |
contextduty redact --in <f> --out <f> |
Write a redacted copy |
contextduty dashboard / report |
Audit dashboard / log summary |
contextduty policy validate |
Validate and resolve a layered policy |
contextduty init |
Create a default .contextduty.json |
contextduty demo |
20-second interactive walkthrough |
Local development
git clone https://github.com/SHUBHAGYTA24/contextduty
cd contextduty
pip install -e ".[dev]"
make check # format + lint + tests
Architecture: engine.py (scan/redact), detectors.py (60 patterns), policy.py (layered policy), nlp/ (Presidio + spaCy), proxy/ (mitmproxy field-walker), adapters/ide.py (AI tool registry), dashboard.py (audit UI). See docs/USER_MANUAL.md.
Roadmap
- 60 detectors · git hook · MCP · HTTPS proxy (21 APIs) · 6 IDE ignore files
- Presidio NLP PII detection · notebook API · audit dashboard · policy layering
- Local 100k-row latency/quality benchmark · hosted demo Space
- VS Code / Cursor extension
- Prometheus metrics endpoint
- International + domain-specific detector packs
License
MIT. Built on Microsoft Presidio. Issues and PRs welcome — open an issue if a detector is missing or misfiring.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file contextduty-1.0.0.tar.gz.
File metadata
- Download URL: contextduty-1.0.0.tar.gz
- Upload date:
- Size: 104.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e295f8f59def1ff7bc0b1f3a7d5814dd1d9998b239c3bc21193133c4af666351
|
|
| MD5 |
27f54f871d7bb5b221c59ebbc53a8044
|
|
| BLAKE2b-256 |
f40248f7a856b8f2bcd6cc9859cd2246f2e782c17403e2a16c8ecc1384acb506
|
File details
Details for the file contextduty-1.0.0-py3-none-any.whl.
File metadata
- Download URL: contextduty-1.0.0-py3-none-any.whl
- Upload date:
- Size: 89.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e7a0e129958176bf366add31c2b4cb14a2c9a2fdb445f9742dcbd9bdd42e09b8
|
|
| MD5 |
108b4be0dfc9e753678d4e2ecc421898
|
|
| BLAKE2b-256 |
c67f4f576b50629b559a7217855224023510a57afe3f513a2e59219e0df71fd6
|