Every time you run Claude Code, Cursor, or Copilot, your entire codebase context gets shipped to an LLM provider. That includes whatever is in your working directory — config files, .env contents, API keys embedded in source, database connection strings.

Most developers don’t think about this. I didn’t, until I built a proxy to watch the traffic.

What I found

Over one week of normal Claude Code usage on a mid-size project:

  • 47 requests contained at least one string matching an API key pattern
  • 12 requests included database connection strings with credentials
  • 3 requests sent the contents of .env files directly in the prompt
  • 8 tool calls were flagged as potentially destructive (rm -rf, git push --force)

None of this was intentional. The agent was just reading my codebase and including context to be helpful.

The problem is structural

AI coding agents are designed to read everything they can access. That’s what makes them useful — they understand your project by ingesting it. But they have no concept of “this string is a secret” versus “this string is code.”

There are three risk categories:

Secret exfiltration — credentials leave your machine in API requests. Even if the LLM provider doesn’t log them (and you’re trusting their policy on that), they transit the network in plaintext within the TLS session.

Prompt injection — a malicious instruction in a README, code comment, or fetched URL can hijack your agent’s behavior. This isn’t theoretical; it’s been demonstrated repeatedly.

Uncontrolled tool execution — agents execute shell commands, modify files, and interact with git. One wrong tool call — rm -rf, curl | bash, git push --force — and you’re dealing with real damage.

What Bastion does about it

Bastion is a local HTTPS proxy that sits between your agent and the LLM provider. It inspects traffic in both directions:

AI Agent → Bastion → LLM Provider

          DLP scan
          Injection detection
          Tool call monitoring
          Audit logging

It runs entirely on your machine. No cloud, no accounts, no data leaving your network (beyond what passes inspection).

Three commands to start:

curl -fsSL https://raw.githubusercontent.com/aiwatching/bastion/main/install.sh | bash
bastion start
bastion wrap claude

If you use AI coding agents daily, you should know what they’re sending. That’s the baseline.