v0.1.0 shipped · mit licensed · local-only

See what your AI tools actually send

When you press Tab in Cursor or paste into Claude, the assumption is “just my prompt goes out.” The reality is messier. upbox is a local proxy and dashboard that records every request your AI assistants make, redacts secrets before forwarding, and shows you what happened: on your machine, with zero cloud calls.

Single Python process · Zero outbound calls · VPN-safe by default · Linux · macOS · Windows
$ pipx install upbox
$ upbox init    # one-time CA install
$ upbox start   # curated capture · VPN-safe
dashboard ready at http://127.0.0.1:8800
CA installed · proxy ready · Python 3.12+
what's leaving your laptop

A day in the life of one developer.

illustrative figures · your real numbers appear in the dashboard · single workstation

captured: 2,847 requests across 6 AI tools. Cursor, Claude, Copilot, ChatGPT, Codeium, Gemini: all logged locally.
redacted: 41 secrets before they shipped. .env vars, AWS / OpenAI / Anthropic / GitHub tokens. All stripped at the proxy layer before forwarding.
blocked: 12 unknown hosts off the allowlist. Tools quietly reaching new domains. You'd never have seen any of these without upbox.
outbound from upbox: 0 bytes (phone-home calls). The auditor itself stays local. Binds 127.0.0.1 only. The whole point.
the problem

“Just my prompt goes out.” Not really.

Vendors aren't necessarily being shady. Their docs just don't match what people think is happening, and there's no built-in way to verify from the outside. So we built one.

  1. The current file. Often neighbor files too.
     Tab-complete in Cursor frequently ships several KB of surrounding context, including files you didn't have open.
  2. The project tree, env vars, sometimes shell history.
     Workspace metadata gets bundled in. None of it is logged anywhere you can read.
  3. Secrets from .env files you never meant to share.
     An AWS_ACCESS_KEY sitting two lines above the function you're editing goes out by default.
  4. 4–8 AI tools running at once.
     A typical developer can't track all of it. Nobody can.
live preview

The dashboard, running locally.

Every request, in real time, grouped by tool. Click any row to inspect the body, headers, redactions, and what was forwarded.

↓ this is rendered with mock data,
but the layout is the real v0.1 dashboard.
http://127.0.0.1:8800/feed · upbox v0.1.0
8 requests · 1 redacted · 1 blocked · 127.0.0.1 bind · live

time | tool | host · path | size | redact | status
-2s | Cs | POST api2.cursor.sh/aiserver.v1/AiService/StreamChat | 12.4 KB | · | forwarded
-7s | Cl | POST claude.ai/v1/messages | 8.9 KB | | forwarded
-14s | Co | POST api.githubcopilot.com/v1/engines/copilot-codex/completions | 3.2 KB | | redacted
-21s | Cs | POST api.cursor.sh/aiserver.v1/AiService/CmdK | 21.7 KB | · | forwarded
-34s | Gp | POST api.openai.com/api/conversation | 4.1 KB | · | forwarded
-41s | Cd | POST server.codeium.com/exa.language_server_pb.LanguageServerService/GetCompletions | 6.3 KB | · | blocked
-58s | Cs | POST api2.cursor.sh/aiserver.v1/AiService/StreamChat | 9.0 KB | | forwarded
-1m 11s | Cl | POST claude.ai/v1/messages | 14.2 KB | · | forwarded

Tool: Cursor
Destination: api2.cursor.sh
SHA-256: 00000000…
Forwarded: yes
Request body (4 KB excerpt)
{
  "model": "gpt-4o-cursor",
  "stream": true,
  "messages": [
    { "role": "system", "content": "You are a coding assistant." },
    { "role": "user", "content": "Fix the type error in this file." }
  ],
  "context": {
    "file": "src/payments.ts",
    "neighbors": ["lib/utils.ts", "types.d.ts"],
    "snippet": "const STRIPE_KEY = 'sk_live_3Hf9...XQpZ';\n  const AWS_ACCESS = 'AKIAXXXXXXXXXXXXXXXX';"
  },
  "metadata": { "endpoint": "cmd-k", "workspace": "monorepo" }
}
what's in v0.1

Six capabilities. One binary. One SQLite file.

new · v0.1.0 · shipped 2026-05-15

Curated capture scope: VPN-safe by default

upbox start now only redirects packets from a curated list of AI-tool processes: Claude, Cursor, ChatGPT, Codex, Ollama, common browsers. VPN clients (Tailscale, WireGuard, OpenVPN, NordVPN, Mullvad, ProtonVPN) and unrelated apps are never touched, so tunnels stay up.

--capture-spec "claude,cursor" | --capture-all (pre-fix behavior)
Cursor · Claude · ChatGPT: capture
Codex · Ollama · browsers: capture
Tailscale · WireGuard · VPNs: skip
01 · capture

Live feed

Every request as it happens, grouped by tool. Tiles for Cursor, Claude desktop, Copilot, ChatGPT, Codeium, plus generic OpenAI / Anthropic / Gemini fallbacks.

12.4 KB
8.9 KB
3.2 KB
02 · inspect

Bodies, headers, the lot

The actual prompt. The actual file content. The actual headers. Content-Type-aware: parses JSON properly so gzipped or nested-field secrets don't slip through.

"model":"claude-sonnet-4-5"
"file":"server/db.ts"
"key":sk_live_3Hf9…XQpZ
03 · redact

Strip secrets before forwarding

Regex rules strip .env blocks, API keys, and PII patterns before the request reaches the cloud. Ships with AWS / OpenAI / Anthropic / GitHub defaults.

AWS_KEY=AKIA… → AWS_KEY=[REDACTED]
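
Why the body has to be parsed rather than pattern-matched as raw bytes, shown as an added example (not upbox's own code): inside a JSON string, newlines are escaped, so a line-anchored dotenv rule never fires on the serialized body, and a gzipped body is opaque to any regex. The two rules, the function names and the sample body are assumptions made for this illustration.

```python
import gzip
import json
import re

# Illustrative rules (assumptions, not upbox's shipped defaults).
# A rule with a capture group keeps that group and redacts the rest.
RULES = [
    ("dotenv_line", re.compile(r"(?m)^([ \t]*(?:export[ \t]+)?[A-Z][A-Z0-9_]*=)\S.*$")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]

# Constructed sample: AWS's documentation example key and a made-up DB password.
SAMPLE = json.dumps({"context": {"file": "src/payments.ts", "snippet": (
    "# .env\nDB_URL=postgres://app:hunter2@db/prod\n"
    "const k = 'AKIAIOSFODNN7EXAMPLE';")}}).encode()

def redact_text(text, hits):
    """Apply every rule to one string, appending fired rule names to hits."""
    for name, rx in RULES:
        def repl(m, name=name):
            hits.append(name)
            return (m.group(1) if m.lastindex else "") + "[REDACTED]"
        text = rx.sub(repl, text)
    return text

def walk(node, hits):
    """Redact the string leaves of a decoded JSON value, keeping its shape."""
    if isinstance(node, str):
        return redact_text(node, hits)
    if isinstance(node, list):
        return [walk(v, hits) for v in node]
    if isinstance(node, dict):
        return {k: walk(v, hits) for k, v in node.items()}
    return node  # numbers, booleans, null

def redact_body(raw, content_type, content_encoding=""):
    """Return (bytes to forward, names of the rules that fired)."""
    hits = []
    gz = content_encoding.lower() == "gzip"
    text = (gzip.decompress(raw) if gz else raw).decode("utf-8", "replace")
    if "json" in content_type.lower():
        try:
            text = json.dumps(walk(json.loads(text), hits))
        except json.JSONDecodeError:
            text = redact_text(text, hits)  # malformed JSON: flat scan
    else:
        text = redact_text(text, hits)
    out = text.encode("utf-8")
    return (gzip.compress(out) if gz else out), hits
```

Calling `redact_text` directly on the serialized `SAMPLE` catches the access key but leaves the `DB_URL` value in place, while `redact_body` catches both. Re-serialising changes the body length, so the forwarded request's Content-Length has to match the new bytes.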
04 · enforce

Domain allowlist per tool

Allow only the destinations you've sanctioned. Warn or block unknown hosts. See the receipts in the audit log when a tool reaches somewhere new. A TLS allowlist (built from tools.yaml) means non-AI HTTPS traffic passes as a CONNECT tunnel without decryption: banking, Teams, pinned-cert apps keep working.

api.anthropic.com: allow
api2.cursor.sh: allow
unknown.host: block
05 · audit

JSONL + CSV export

Article-26-friendly fields. Tamper-evident hash chain lands in v0.2. Filter by tool, time range, status. The compliance team gets a real artifact, not a screenshot.

06 · local-only

Nothing leaves your machine

SQLite on disk. Dashboard binds to 127.0.0.1 only and refuses to start on any other host. Zero outbound calls from upbox itself.

127.0.0.1 · upbox · internet
architecture

One process. Boring stack.

mitmproxy as the TLS interception core, captured at the OS level via the mitmproxy-rs LocalMode redirector. A TLS allowlist routes non-AI traffic through as a CONNECT tunnel without decryption: banking and pinned-cert apps keep working. SQLite as the audit store. FastAPI + HTMX for the dashboard, no build step.

  • mitmproxy · MIT · proxy core
  • FastAPI · MIT · dashboard backend
  • HTMX · BSD-2 · frontend without a build
  • SQLite · public domain · audit log
  • Pico.css · MIT · minimal styles
  curated AI processes                  (VPN clients, banking, OS noise:
  Claude · Cursor · ChatGPT              never redirected · tunnels stay up)
  Codex · Ollama · code · browsers
                     │
                     │  LocalMode redirector · mitmproxy-rs · OS-level capture
  ┌──────────────────────────────────────┐
  │  mitmproxy core + upbox addons       │  ─ AI host (allowlist) ─▶  decrypt · process · forward
  │  ┌────────────────────────────────┐  │                              to cloud LLM
  │  │ 1 fingerprint (tag tool)       │  │
  │  │ 2 enforce     (allow|warn|403) │  │  ─ pinned host (off list) ─▶  CONNECT tunnel
  │  │ 3 redact      (json-aware)     │  │                              (no decryption ·
  │  │ 4 capture     → SQLite         │  │                               Teams · banking
  │  └────────────────────────────────┘  │                               keep working)
  └──────────────────┬───────────────────┘
                     │
         ┌──────────────────┐       ┌──────────────────┐
         │ SQLite · WAL     │ ◀─────┤ dashboard        │
         │ ~/.upbox/        │       │ FastAPI + HTMX   │
         └──────────────────┘       └──────┬───────────┘
                                           │
                                           │
                                   127.0.0.1:8800  ← you
                                   ✗ refuses any other host
install

Five ways. Same binary.

Pick whichever fits your setup. Python 3.12+ required.

Recommended: isolated venv, no system Python conflicts.
# install pipx if you don't have it
$ python3 -m pip install --user pipx
$ python3 -m pipx ensurepath
# install upbox
$ pipx install upbox
# verify
$ upbox --help
then:
$ upbox init
$ upbox start
→ OS-level capture: no per-tool proxy config
(admin/root on first run for WinDivert / iptables / Network Extension)
→ open http://127.0.0.1:8800
eu ai act · gdpr

Endpoint-level evidence, before the deadline.

upbox is a deployer-side tool. It does not certify you compliant on its own, but it produces the evidence and controls that the obligations demand.

2025-02 · AI Act Article 4 (AI literacy): in force
2026-05-15 · upbox v0.1.0 ships: pipx · uv · source
2026-05 → You are here
2026-08-02 · Article 26 + 50 full enforcement
v0.2 (Aug) · tamper-evident chain · team mode · encrypted-at-rest

Obligation · What upbox does to help you comply

AI Act · Art. 4: AI literacy
A visible, inspectable record of what AI tools are doing on your endpoints.
  • Live dashboard groups traffic by tool, host, request size
  • Audit log is queryable and exportable: real artefacts, not policy slides
  • Per-tool allowlist enforces destination policy

AI Act · Art. 26: deployer obligations
Per-request audit log with the fields a deployer needs to evidence logging, monitoring, and human oversight.
  • ts · tool · method · scheme · host · path: every interaction
  • req_bytes · resp_bytes · status: size + outcome
  • headers_json · body_excerpt · body_hash: integrity (SHA-256 of full body)
  • redactions_applied_json · blocked: what the engine intervened on
  • upbox export --format jsonl|csv with --since / --until / --tool filters

AI Act · Art. 50: transparency
Records of every AI-system interaction sufficient to support transparency duties toward affected persons.
  • What was sent, when, where, by which tool, in what size, with what status. All queryable per tool.

AI Act · Art. 99: penalties
Helps demonstrate good-faith effort and concrete technical measures.
  • Auditable open-source proxy + redaction + enforcement + retention
  • Exportable evidence trail rather than verbal policy claims

GDPR · Art. 5: data minimisation
Redaction runs before the request leaves the endpoint, so the cloud provider receives an already-minimised body.
  • Content-aware: JSON bodies parsed + walked + re-serialised
  • Defaults: AWS / OpenAI / Anthropic / GitHub keys + dotenv lines
  • Extendable via ~/.upbox/rules/redact.yaml

GDPR · Art. 32: security of processing
Technical measure providing visibility + control over data leaving the endpoint.
  • Local CA the user installs and can uninstall (upbox init --uninstall)
  • Dashboard binds 127.0.0.1 only: refuses any other host
  • Zero outbound calls from upbox itself
  • Encrypted-at-rest SQLite + tamper-evident hash chain land in v0.2

GDPR · Art. 35: DPIA
Concrete per-tool data flows that feed DPIA templates.
  • Per-tool destinations + data classes + observed volume: straight from the audit log
  • upbox export --format csv produces a spreadsheet your privacy team can hand off
faq

Questions you should be asking.

A closed-source tool that watches your AI traffic is itself a privacy problem. The auditor has to be open.

No. upbox makes zero outbound network calls of its own. The proxy forwards the requests your AI tools were going to make anyway: that's the entire network footprint. The dashboard binds to 127.0.0.1 only and refuses to start on any other host.

Stored locally in ~/.upbox/upbox.db (SQLite, WAL mode). The body_excerpt column holds the first 4 KB; full bodies are not persisted. body_hash (SHA-256) is recorded for integrity.

About 5 KB per request. ~500 requests/day is roughly 2.5 MB/day or ~900 MB/year. Configurable retention lands in v0.2; until then, prune manually with a one-line SQL DELETE.

Negligible. The mitmproxy core handles tens of thousands of requests per second; AI tools peak in the low hundreds per hour. Latency added per request: ~1–5 ms.

A handful of mobile and certain desktop clients ship with hard-coded CA fingerprints. Without modifying the app binary, you can't MITM them. Known-working and known-broken tools are listed in the docs.

Yes. Edit ~/.upbox/rules/tools.yaml (or redact.yaml, or allowlist.yaml), or use the dashboard's /settings page. Restart upbox start to apply.

Not in v0.1: the body_hash column proves each captured body is intact, but the row sequence itself isn't chained. Tamper-evident hash chain lands in v0.2 as part of the compliance lens.
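
The gap described in that answer, as an added example (a generic hash-chain construction, not upbox's v0.2 design): per-row body hashes still verify after a row is deleted, while a chained value over the row sequence does not. The field names ts, tool, host and body_hash follow the audit-log fields listed on this page; the chain field, GENESIS and the sample rows are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed starting value for the chain


def link(prev, row):
    """Chain value: SHA-256 over the previous chain value and the canonical row."""
    canon = json.dumps(row, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + canon).encode()).hexdigest()


def append(log, row):
    """Append a row, binding it to everything logged before it."""
    prev = log[-1]["chain"] if log else GENESIS
    log.append({**row, "chain": link(prev, row)})


def first_break(log):
    """Index of the first entry whose chain value fails to verify, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        row = {k: v for k, v in entry.items() if k != "chain"}
        if link(prev, row) != entry["chain"]:
            return i
        prev = entry["chain"]
    return None


def bodies_intact(log, bodies):
    """Per-row check only: each surviving row's body_hash matches its body."""
    return all(hashlib.sha256(bodies[e["ts"]]).hexdigest() == e["body_hash"] for e in log)


def build_sample():
    """Constructed three-row log; returns (log, bodies keyed by ts)."""
    bodies = {1: b'{"prompt":"a"}', 2: b'{"prompt":"b"}', 3: b'{"prompt":"c"}'}
    hosts = {1: "api2.cursor.sh", 2: "unknown.host", 3: "claude.ai"}
    log = []
    for ts, body in bodies.items():
        append(log, {"ts": ts, "tool": "demo", "host": hosts[ts],
                     "body_hash": hashlib.sha256(body).hexdigest()})
    return log, bodies
```

Deleting the middle row leaves `bodies_intact` true but makes `first_break` return 1. A chain on its own does not reveal removal of the newest rows, so the latest chain value has to be recorded somewhere the log's writer cannot rewrite.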

ship the screenshot

Install once. Run it for a week. The first screenshot is usually a surprise.

v0.1.0 just shipped and is moving fast. The fastest way to help: install it, run it against your daily tools, and report what surprised you.

quick start · ~30s
$ pipx install upbox
$ upbox init && upbox start
★ Star on GitHub · krishnamallam/upbox