PromptCloak
A VS Code extension that prevents AI coding assistants from seeing your proprietary code. When AI tools read your files, they get an AST-abstracted "shadow" version — full structure, zero implementation details.
Currently supports Claude Code.
The Problem
AI coding assistants read your entire source files to provide context. That means your secrets, proprietary algorithms, business logic, and internal architecture all get sent to an LLM — even when the AI only needs to understand your code's structure.
The Solution
PromptCloak generates stripped-down versions of your source files using tree-sitter AST parsing. When Claude Code tries to read a file, a hook silently redirects the read to the shadow version.
No secrets leave your machine. No implementation details enter the AI's context. The AI still understands your codebase structure well enough to help.
Before & After
What the AI would normally see:
import { db } from "./database";
import jwt from "jsonwebtoken";
const JWT_SECRET = "sk-prod-9f8a7b6c5d4e3f2a1b0c";
const ENCRYPTION_KEY = "aes-256-key-do-not-share";
interface User {
id: string;
email: string;
role: "admin" | "user";
}
export async function authenticateUser(
email: string,
password: string
): Promise<string | null> {
const user = await db.query("SELECT * FROM users WHERE email = $1", [email]);
if (!user) return null;
const isValid = await bcrypt.compare(password, user.passwordHash);
if (!isValid) return null;
return jwt.sign(
{ sub: user.id, role: user.role },
JWT_SECRET,
{ expiresIn: "24h" }
);
}
export function decryptPayload(encrypted: string): string {
const decipher = crypto.createDecipheriv("aes-256-cbc", ENCRYPTION_KEY, iv);
let decrypted = decipher.update(encrypted, "hex", "utf8");
decrypted += decipher.final("utf8");
return decrypted;
}
What the AI sees with PromptCloak:
import { db } from "./database";
import jwt from "jsonwebtoken";
const JWT_SECRET = "<string>";
const ENCRYPTION_KEY = "<string>";
interface User {
id: string;
email: string;
role: "admin" | "user";
}
export async function authenticateUser(
email: string,
password: string
): Promise<string | null> { /* [implementation hidden] */ }
export function decryptPayload(encrypted: string): string { /* [implementation hidden] */ }
The AI knows authenticateUser exists, takes an email and password, and returns a nullable string. It can reference it, call it, and write code that interacts with it — but it never sees the JWT secret, the SQL query, the bcrypt logic, or the encryption implementation.
What Gets Hidden
| Category |
Examples |
Shadow |
| String literals |
API keys, secrets, URLs, SQL queries, error messages |
"<string>" |
| Number literals |
Pricing margins, thresholds, port numbers, magic numbers |
0 |
| Regex patterns |
Validation rules, parsing patterns |
.* |
| Function bodies |
Algorithms, business logic, data transformations |
/* [implementation hidden] */ |
| Method bodies |
Class method implementations |
/* [implementation hidden] */ |
What the AI Still Sees
| Category |
Why |
| Function & method names |
AI needs to reference and call your code |
| Type signatures & annotations |
AI needs to understand inputs/outputs |
| Interfaces & type aliases |
AI needs to know your data shapes |
| Import/export statements |
AI needs to understand module relationships |
| Class structure & properties |
AI needs to understand your architecture |
| Enum declarations |
AI needs to know valid values |
| Comments & docstrings |
AI needs intent and documentation |
PromptCloak is designed for read-only AI assistance. The AI can understand your codebase, answer questions about it, and give you instructions — but it cannot modify existing files that are shadowed.
This is intentional. Claude Code requires reading a file before writing to it. Since the hook redirects reads to shadow files, Claude never "reads" the real file — so it can't write to it either. This is a feature, not a bug. If the AI could modify files it can't fully see, it could break your code.
What PromptCloak is for:
- Understanding your codebase structure and architecture
- Getting implementation instructions and guidance
- Asking "how should I build X?" and getting answers that reference your existing code
- Code reviews and security audits (the AI sees the surface area without the secrets)
- Onboarding — let AI explain your codebase to new developers without exposing proprietary logic
What PromptCloak is NOT for:
- Having the AI directly edit or implement code in shadowed files
- Debugging logic inside function bodies
- Automated refactoring of existing code
If you need the AI to modify a specific file, use the pause/resume toggle in the VS Code status bar or run PromptCloak: Pause Protection from the command palette. This lets Claude read and write real files temporarily. Resume protection when you're done.
Important: After toggling pause/resume, you must start a new Claude Code session for the change to take effect. Claude caches file reads within a conversation, so it will keep using whatever version it read first — shadow or real — until you start a fresh session.
Use Cases
Individual Developers
- Side projects with proprietary logic — get AI help structuring your code without exposing your secret sauce
- Freelance work — use AI tools on client codebases without sending their code to third-party LLMs
- Open source + private hybrid — shadow only the private modules, let AI read the open source parts freely
Teams & Enterprise
- Vendor and contractor onboarding — external developers can use AI to understand your codebase and get instructions without seeing trade secrets, proprietary algorithms, or internal infrastructure details
- Regulatory compliance — industries like finance, healthcare, and defense where source code cannot be sent to third-party AI services, but developers still need AI-assisted productivity
- IP protection — prevent proprietary algorithms (pricing models, ranking systems, recommendation engines) from entering AI context windows where they could be cached, logged, or used for training
- Security audits — let AI analyze your API surface area, type contracts, and module boundaries for vulnerabilities without exposing the implementation details an attacker would need
- Multi-team organizations — Team A can use AI to understand and integrate with Team B's services through their type signatures and interfaces, without seeing Team B's implementation
- AI governance policies — enforce a company-wide policy of "AI can read structure, not implementation" without relying on individual developer discipline
How It Works
PromptCloak has two parts:
Shadow Generator — A file watcher in VS Code that uses tree-sitter to parse your source files and generate stripped-down shadow versions in a .shadow/ directory. Shadows regenerate automatically every time you save a file.
Claude Code Hook — A PreToolUse hook that intercepts Claude Code's Read tool. When Claude tries to read src/auth.ts, the hook silently redirects it to .shadow/src/auth.ts.
You save src/auth.ts
→ PromptCloak generates .shadow/src/auth.ts (stripped)
Claude Code runs: Read src/auth.ts
→ Hook intercepts, redirects to .shadow/src/auth.ts
→ Claude sees the shadow version
The AI never knows it's reading a shadow file. It operates normally — it just can't see implementation details.
Installation
- Install the extension from the VS Code Marketplace
- Open a workspace and run the command palette (
Cmd+Shift+P):
- PromptCloak: Install Claude Code Hook — adds the hook to your
~/.claude/settings.json
- PromptCloak: Generate Shadows for Workspace — generates initial shadow files
That's it. The file watcher keeps shadows up to date as you work.
Commands
| Command |
Description |
PromptCloak: Install Claude Code Hook |
Install the Claude Code hook for the current project |
PromptCloak: Generate Shadows for Workspace |
Generate shadow files for all supported files in the workspace |
PromptCloak: Generate Shadow for Current File |
Generate a shadow file for the active editor file |
PromptCloak: Pause Protection |
Pause shadowing — Claude reads and writes real files |
PromptCloak: Resume Protection |
Resume shadowing — Claude reads shadow files again |
PromptCloak: Toggle Protection |
Toggle between paused and active (also available in the status bar) |
Configuration
| Setting |
Default |
Description |
promptCloak.enabled |
true |
Enable/disable shadow generation on file save |
promptCloak.languages |
["typescript", "typescriptreact", "javascript", "javascriptreact"] |
Languages to generate shadows for |
promptCloak.shadowDir |
".shadow" |
Directory for shadow files (relative to workspace root) |
promptCloak.exclude |
["**/node_modules/**", "**/dist/**", "**/build/**"] |
Glob patterns for files to exclude |
promptCloak.stripComments |
false |
Strip comments from shadow files. Enable if your comments contain sensitive notes or internal context. |
Supported Languages
- TypeScript (
.ts)
- TypeScript React (
.tsx)
- JavaScript (
.js)
- JavaScript React (
.jsx)
More languages can be added by including additional tree-sitter WASM parsers.
Important Notes
- Add
.shadow/ to your .gitignore — shadow files are generated artifacts
- Both
Read and Bash tools are intercepted. The hook catches Read calls and rewrites common shell commands (cat, head, tail, sed, awk) to serve shadow files instead. The installer also adds a CLAUDE.md instruction reinforcing that Claude should prefer the Read tool.
- Some Bash patterns may still slip through (e.g., piped commands, subshells,
grep with context output). Coverage is ~95%, not 100%.
- Shadow generation is local and deterministic — no data is sent anywhere. Tree-sitter runs entirely on your machine.
- CSS, HTML, JSON, and other non-code files pass through unshadowed — they typically don't contain sensitive logic.
License
MIT
