Now available — enterprise preview

Use Claude Code at work.
Keep your IP on-premises.

An on-premises proxy that intercepts Claude Code API traffic, enforces your IP protection policies, and audits every request — without changing how developers work.


One proxy. Zero workflow changes.

SourceVeil sits between your developers and the Anthropic API. Files not covered by any policy rule pass through untouched. Protected files are intercepted, evaluated, and substituted — transparently, on your network.

Developer Machine
┌─────────────────────────────────────────────────┐
│  Claude Code (works exactly as before)          │
│          │                                      │
│          ▼  routed through SourceVeil           │
└──────────┬──────────────────────────────────────┘
           │
On-Premises Proxy Server
┌──────────┴──────────────────────────────────────┐
│  SourceVeil Proxy                               │
│                                                 │
│  For each file in the request:                  │
│                                                 │
│    evaluate policy rules                        │
│      ├─ Allow   → forward unchanged             │
│      ├─ Extract → public API surface only       │
│      └─ Block   → content withheld              │
│                                                 │
│    log event → audit trail                      │
└──────────┬──────────────────────────────────────┘
           │  HTTPS — mutated payload
           ▼
    api.anthropic.com

Policy that lives in your repo

Drop a .sourceveil file anywhere in your project. Rules follow .gitignore conventions — specific files, directories, or patterns. Security teams can set organisation-wide rules; individual teams can refine them in their own directories. Seal any rule if you need it to be non-overridable.

.sourceveil  ← repo root policy

    # Credentials — locked, cannot be overridden
    [sealed block]
    **/*.key
    **/*.pfx
    .env*
    secrets/**

    # Core IP — strip to public API surface
    [api]
    src/Core/**
    src/Algorithms/**

    # Docs are fine to share
    [allow]
    src/Core/README.md

src/Algorithms/.sourceveil  ← team rules policy

    # Algorithm team refines their own rules
    [api]
    Tests/Fixtures/**

    # Benchmark harness is not sensitive
    [allow]
    Benchmarks/**

    # Sealed rules from the repo root
    # still apply — *.key cannot be unlocked

Flexible by default, enforceable when it matters. Most teams simply define which paths are sensitive. The [sealed] keyword is available when a rule must be non-negotiable — credentials, regulated data, contractual obligations.
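
The override behaviour described above, modelled as an added example (this is not SourceVeil's code). The section names and patterns come from the two sample files on this page; the simplified glob matching and the precedence order (deeper directories refine outer rules, a sealed match is final) are assumptions.

```python
from fnmatch import fnmatchcase
import posixpath

# Constructed from the two sample .sourceveil files shown on this page.
ROOT = ("[sealed block]\n**/*.key\n**/*.pfx\n.env*\nsecrets/**\n"
        "[api]\nsrc/Core/**\nsrc/Algorithms/**\n[allow]\nsrc/Core/README.md")
TEAM = "[api]\nTests/Fixtures/**\n[allow]\nBenchmarks/**"
POLICIES = {"": ROOT, "src/Algorithms": TEAM}  # directory -> .sourceveil text

def parse_policy(text):
    """Yield (pattern, action, sealed) in file order; headers look like [sealed block]."""
    action, sealed = None, False
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            words = line[1:-1].split()
            sealed, action = "sealed" in words, words[-1]
            if action not in ("allow", "api", "block"):  # api = "Extract" in the diagram
                raise ValueError(f"unknown action in {line}")
        elif action is None:
            raise ValueError(f"pattern before any section header: {line}")
        else:
            yield line, action, sealed

def matches(pattern, rel):
    """Simplified gitignore matching (assumption): bare names match at any depth."""
    if "/" not in pattern:
        return fnmatchcase(posixpath.basename(rel), pattern)
    return fnmatchcase(rel, pattern) or (
        pattern.startswith("**/") and fnmatchcase(rel, pattern[3:]))

def decide(policies, path):
    """Assumed precedence: later and deeper rules refine, a sealed match is final."""
    verdict = ("allow", "no rule matched")       # uncovered files pass through
    parts = path.split("/")[:-1]
    for depth in range(len(parts) + 1):          # repo root first, then each subdirectory
        d = "/".join(parts[:depth])
        rel = path[len(d):].lstrip("/")          # patterns are relative to their policy file
        for pattern, action, sealed in parse_policy(policies.get(d, "")):
            if matches(pattern, rel):
                verdict = (action, f"{d or '.'}/.sourceveil: {pattern}")
                if sealed:
                    return verdict               # an outer sealed rule cannot be unlocked
    return verdict
```

Calling `decide(POLICIES, "src/Algorithms/Benchmarks/signing.key")` shows the case the team file's closing comment describes: the team's `[allow] Benchmarks/**` never gets a chance to unlock a `*.key` file.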

What's in the box

Policy

Path-based rules

Define which files are protected using glob patterns — by directory, extension, or name. Rules follow familiar .gitignore conventions and are reloadable without restarting the proxy.

Extract

Multi-language API extraction

For protected files, SourceVeil strips implementation details and forwards only public type signatures, interfaces, and documentation. Designed to support multiple languages — C#, Java, Python, TypeScript, and more.

Audit

Audit trail

Every policy-matched event is recorded locally — who sent it, which file, which rule applied, and how much content was withheld. Queryable via CLI. No source content is ever stored.

Auth

Works with your identity stack

Integrates with your existing corporate identity. No new credentials for developers to manage, no additional sign-in steps. Developer identity flows automatically for per-user audit attribution.

Safety

Configurable fail-safe

If a file can't be parsed, SourceVeil applies your configured policy — block, pass an empty stub, or allow through. The behaviour is explicit, audited, and set at the proxy level per deployment.

Deploy

Fully on-premises

Runs entirely within your network. No data leaves except to the Anthropic API endpoint you already use. Audit storage stays on the proxy server. No cloud dependency for the proxy itself.


One tool. Three conversations.

VP Engineering
"Unblock your team without compromising IP policy."
  • Audit trail for Legal and the CISO
  • Policy control without IT tickets per request
  • No disruption to existing developer workflow
Developer
"Use Claude Code at work. We handle the compliance part."
  • Claude Code works exactly as before
  • Non-protected files are completely unaffected
  • No approval process on every file or request
CISO / Security Team
"Complete audit trail. Policy enforcement. No cloud dependency."
  • Full record of what left the building and when
  • On-premises deployment — no SaaS risk surface
  • Sealed rules that teams cannot override
