Documentation
Two commands and a restart — that's the whole install. Everything else on this page is optional depth for when you want it.
What's detected out of the box
- API keys (common provider formats) and bearer tokens / OAuth secrets
- Passwords and connection strings
- Emails and phone numbers (context-boosted)
- Credit cards, IBANs, and SSNs
- Credentials embedded in URLs (always on, any profile)
Two honest edges: SSH/PEM private keys have no reliable regex signature — register them as secrets and they mask unconditionally, on every profile. Bare IPs, URLs, and MAC addresses live in the Network category, which is off in the default (Balanced) profile — enable it if your infrastructure topology is itself sensitive.
Need to mask PII, customer data, or code? Sordino Enterprise supports fully custom rules.
How masking works
Sordino is a hybrid: a reverse proxy is the data plane, and thin Claude Code hooks are the control plane. Your coding tool natively honors ANTHROPIC_BASE_URL, so there's no TLS interception and no certificates to install — the proxy simply re-originates a fresh TLS connection to the provider. When a request is about to leave your machine, Sordino scans its content surfaces — your typed prompt and the tool output the agent gathered — against its detection rules. Matches are replaced with deterministic tokens: the same value always maps to the same token within a project, which keeps multi-turn sessions coherent and the provider's prompt cache stable.
One proxy per project. Each project gets its own proxy on an OS-assigned ephemeral port, with its own key, salt, and token store — two projects can never collide or cross-contaminate a response, and concurrent claude sessions in different projects never interfere with each other.
The token ↔ value mapping is stored locally in an encrypted (AES-256-GCM) session store. When a response references a token, Sordino restores the original value locally before you see it. On the masked wires the proxy is fail-closed: mask or refuse — if masking fails, the request is rejected rather than forwarded unmasked. Sordino itself has no accounts, no cloud component, and no telemetry.
Go further
Configuration, the optional local ML model, building from source, and safe uninstall — expand only what you need.
Limitations
Stated plainly, because they shape what Sordino is for:
- Detection is pattern-based (plus the optional ML model) — recall is not 100%. A value matching no recognizer and no custom rule goes through unmasked. Registered secrets are the exception: they mask unconditionally.
- The scope is the LLM wire. Sordino is not a sandbox — an agent with shell access can still read local files — and it doesn't sit on non-LLM egress like a
curlin a tool call or a git push. - Base64-encoded images/documents and file/batch upload endpoints pass through unscanned (masking would corrupt them).
- Your coding tool's own local transcripts still contain plaintext — masking happens on the wire, not on your disk.
The complete, mechanism-cited version of this list lives in the project's threat model.