PurfectShield — Canonical Flow

Slide 4: Tokenize out, rehydrate back — the three-stage transformation pipeline

[Diagram: Developer → PurfectShield Gateway → LLM Provider, with arrows for Forward (tokenize), Return (rehydrate) and Audit trail]

  • Developer: Claude Code / Cursor prompt containing a secret, sent with base_url → localhost:6767
  • PurfectShield Gateway: Go HTTPS egress proxy on port 6767
  • TOKENIZE: filter chain matches pattern AKIAIO...MPLE → {{REDACTED_SECRET_AWS_001}} (stable placeholder, scoped per-session)
  • LLM Provider (Anthropic / OpenAI): sees only the placeholder; the plaintext AKIAIO...MPLE never reaches it
  • Tokenized response: "key {{REDACTED_SECRET_AWS_001}} is malformed"
  • REHYDRATE: stable placeholder → real value; developer receives "key AKIAIO...MPLE is malformed"
  • Audit event logged (hash-chained)

Tokenize

  • Pattern engine detects structured secrets
  • Value swapped for stable placeholder
  • Placeholder scoped per-session, per-developer
  • Streaming-safe: reassembles split tokens

Rehydrate

  • Response returns with placeholder
  • Shield restores original value transparently
  • Developer sees real key — no error, no block
  • Mapping destroyed on session close
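The tokenize and rehydrate stages above, as an added Go example that is not PurfectShield's own code: one session owns the secret-to-placeholder mapping, the same secret always gets the same placeholder, a placeholder the session never issued is passed through untouched, and the mapping is discarded on close. The streaming part is the detail the slide calls "reassembles split tokens": each direction buffers a trailing run of characters that could be the start of a key or placeholder until enough text has arrived to decide. The AWS key pattern (AKIA plus 16 uppercase alphanumerics), the placeholder format and all type and function names are assumptions taken from the slide, and the sample keys are constructed.

```go
// Added example, not PurfectShield's code. Names, placeholder format and the
// hold-back strategy are assumptions; sample keys are constructed.
package main

import (
	"fmt"
	"regexp"
)

var (
	awsKeyRe      = regexp.MustCompile(`AKIA[0-9A-Z]{16}`)                     // the one secret type on the slide
	placeholderRe = regexp.MustCompile(`\{\{REDACTED_SECRET_[A-Z]+_[0-9]{3}\}\}`) // e.g. {{REDACTED_SECRET_AWS_001}}
)

// streamFilter rewrites every complete match in a chunked stream and holds back
// a trailing run of characters that could be the start of a not-yet-complete match.
type streamFilter struct {
	pattern *regexp.Regexp      // complete secret or placeholder
	partial *regexp.Regexp      // trailing run of characters a match may consist of
	maxLen  int                 // longest possible match
	replace func(string) string // mapping applied to each complete match
	pending string              // held-back tail not yet emitted
}

func (f *streamFilter) Feed(chunk string) string {
	f.pending += chunk
	safeEnd := 0 // everything up to the end of the last complete match is safe to emit
	if m := f.pattern.FindAllStringIndex(f.pending, -1); len(m) > 0 {
		safeEnd = m[len(m)-1][1]
	}
	// Past that point, hold back at most maxLen-1 trailing match-characters: a match
	// starting any earlier would already be complete and found above.
	cut := len(f.pending)
	if loc := f.partial.FindStringIndex(f.pending[safeEnd:]); loc != nil {
		if hold := loc[1] - loc[0]; hold < f.maxLen {
			cut = len(f.pending) - hold
		} else {
			cut = len(f.pending) - (f.maxLen - 1)
		}
	}
	out := f.pattern.ReplaceAllStringFunc(f.pending[:cut], f.replace)
	f.pending = f.pending[cut:]
	return out
}

// Flush emits whatever is still held back once the stream has ended.
func (f *streamFilter) Flush() string {
	out := f.pattern.ReplaceAllStringFunc(f.pending, f.replace)
	f.pending = ""
	return out
}

// Session owns the secret<->placeholder mapping for one developer session.
type Session struct {
	toPlaceholder map[string]string
	toSecret      map[string]string
	counter       int
	Outbound      *streamFilter // request path: tokenize
	Inbound       *streamFilter // response path: rehydrate
}

func NewSession() *Session {
	s := &Session{toPlaceholder: map[string]string{}, toSecret: map[string]string{}}
	s.Outbound = &streamFilter{pattern: awsKeyRe, partial: regexp.MustCompile(`[A-Z0-9]+$`),
		maxLen: 20, replace: s.placeholderFor}
	s.Inbound = &streamFilter{pattern: placeholderRe, partial: regexp.MustCompile(`[{}A-Z0-9_]+$`),
		maxLen: len("{{REDACTED_SECRET_AWS_001}}"), replace: s.secretFor}
	return s
}

// placeholderFor returns the same placeholder every time the same secret is seen.
func (s *Session) placeholderFor(secret string) string {
	if p, ok := s.toPlaceholder[secret]; ok {
		return p
	}
	s.counter++
	p := fmt.Sprintf("{{REDACTED_SECRET_AWS_%03d}}", s.counter)
	s.toPlaceholder[secret] = p
	s.toSecret[p] = secret
	return p
}

// secretFor restores a known placeholder; an unknown one (e.g. invented by the model) passes through unchanged.
func (s *Session) secretFor(p string) string {
	if v, ok := s.toSecret[p]; ok {
		return v
	}
	return p
}

// Close destroys the mapping; after this no placeholder can be rehydrated.
func (s *Session) Close() {
	s.toPlaceholder = map[string]string{}
	s.toSecret = map[string]string{}
}

func main() {
	s := NewSession()
	// Constructed request and response, each arriving in two chunks that split the token.
	fmt.Println(s.Outbound.Feed("my key AKIAEXAMPLE0000") + s.Outbound.Feed("00001 looks wrong") + s.Outbound.Flush())
	fmt.Println(s.Inbound.Feed("key {{REDACTED_SEC") + s.Inbound.Feed("RET_AWS_001}} is malformed") + s.Inbound.Flush())
	s.Close()
}
```

The hold-back bound is what makes the streaming path safe without buffering whole responses: a key or placeholder that began more than maxLen-1 characters before the end of the buffer would already be complete, so it is either matched and rewritten or is provably not a match. A production filter chain would carry one pattern and partial-character class per secret type and take the largest maxLen across them.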

Audit

  • Every transformation → append-only JSONL event
  • Hash-chained: each event refs previous hash
  • Categories, counts, timestamps — never raw values
  • Dashboard on :6768 (evidence, not secrets)
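The audit stage above, as an added Go example that is not PurfectShield's own code: an append-only JSONL log whose events carry only category, count and timestamp, with each event's hash computed over its own fields plus the previous event's hash, and a verifier that walks the chain and reports the first edited, missing or reordered event. The field names, the all-zero genesis hash and the category label are assumptions; the timestamps and counts are constructed.

```go
// Added example, not PurfectShield's code. Field names, the genesis value and
// the category label are assumptions; the sample events are constructed.
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// genesis is the prev_hash of the first event (assumed convention).
var genesis = strings.Repeat("0", 64)

type AuditEvent struct {
	Seq       int    `json:"seq"`
	Timestamp string `json:"ts"`
	Category  string `json:"category"` // e.g. "AWS_ACCESS_KEY"; never the matched value
	Count     int    `json:"count"`    // transformations recorded by this event
	PrevHash  string `json:"prev_hash"`
	Hash      string `json:"hash"`
}

// eventHash covers every field except the hash itself, so editing an event or
// the prev_hash that links it backwards changes its hash.
func eventHash(e AuditEvent) string {
	e.Hash = ""
	body, _ := json.Marshal(e) // struct field order is fixed, so the bytes are deterministic
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// AuditLog appends events to a buffer that stands in for an append-only file.
type AuditLog struct {
	out  bytes.Buffer
	seq  int
	last string
}

func NewAuditLog() *AuditLog { return &AuditLog{last: genesis} }

func (l *AuditLog) Append(ts, category string, count int) (string, error) {
	l.seq++
	e := AuditEvent{Seq: l.seq, Timestamp: ts, Category: category, Count: count, PrevHash: l.last}
	e.Hash = eventHash(e)
	line, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	l.out.Write(line)
	l.out.WriteByte('\n')
	l.last = e.Hash
	return e.Hash, nil
}

func (l *AuditLog) JSONL() string { return l.out.String() }

// VerifyChain re-derives every hash and checks the links; it returns the number
// of events verified before the first problem, and that problem.
func VerifyChain(jsonl string) (int, error) {
	prev, n := genesis, 0
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "" {
			continue
		}
		var e AuditEvent
		if err := json.Unmarshal(sc.Bytes(), &e); err != nil {
			return n, fmt.Errorf("line %d: %w", n+1, err)
		}
		switch {
		case e.Seq != n+1:
			return n, fmt.Errorf("line %d: expected seq %d, got %d (event missing or reordered)", n+1, n+1, e.Seq)
		case e.PrevHash != prev:
			return n, fmt.Errorf("line %d: prev_hash does not match previous event (chain broken)", n+1)
		case eventHash(e) != e.Hash:
			return n, fmt.Errorf("line %d: hash mismatch (event modified)", n+1)
		}
		prev, n = e.Hash, n+1
	}
	return n, sc.Err()
}

func main() {
	al := NewAuditLog()
	// Constructed events: what one session might record, categories and counts only.
	al.Append("2024-01-01T00:00:00Z", "AWS_ACCESS_KEY", 1)
	al.Append("2024-01-01T00:00:05Z", "AWS_ACCESS_KEY", 2)
	fmt.Print(al.JSONL())
	n, err := VerifyChain(al.JSONL())
	fmt.Println(n, err)
}
```

The chain only proves that the log has not been altered since the last event whose hash you hold; to detect truncation at the tail, the dashboard or an external store should keep the latest hash (or periodically sign it) so that silently dropping the final events is also visible.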