I built an Open-Source CLI that stops your AI terminal from leaking secrets

Source: Dev.to

I love AI coding tools. I use them every day.

But there’s a thing nobody building them seems to care about: everything you send goes straight to the model, unfiltered.

• Your command history
• Your environment variables
• Credentials, tokens, customer data sitting in error logs

None of it gets redacted. There’s no audit trail. You just have to trust that nothing sensitive slipped into your prompt.

That’s not a great security posture. So I built something.

The quiet risk in AI‑powered dev workflows

AI terminal assistants are incredible for productivity. I use one constantly. Most of them work like this:

Your full prompt → LLM API → response back

No filtering. No redaction. No audit trail.

That means if your prompt context includes:

• credentials from command history
• PII from error logs
• internal hostnames from your environment
• tokens from your clipboard

…it all goes to the model.

For side projects? Who cares. But the moment you’re working with production systems, customer data, or proprietary code, this becomes a real compliance problem—especially in regulated industries or with enterprise clients.

So I built: Bast CLI

Bast is a free, open‑source AI terminal assistant that routes through a security gateway before anything reaches the LLM.

It does everything you’d expect from an AI CLI—natural‑language to shell commands, command explanation, error recovery—plus a security layer that:

• Redacts PII automatically (emails, API keys, credentials, tokens) before it hits the model
• Blocks prompt injection and jailbreak attempts
• Logs everything so you have full observability on what’s being sent and when

It’s written in Go, uses Bubble Tea for the TUI, and is MIT licensed.

See it in action

Walkthrough

Bastio AI Security | BAST CLI Tool — Screen Studio
Created and shared with Screen Studio

Install (macOS / Linux)

curl -fsSL https://raw.githubusercontent.com/bastio-ai/bast/main/scripts/install.sh | sh
bast init

Generate commands from plain English

$ bast run
> find all go files modified in the last week

find . -name "*.go" -mtime -7

[⏎ Run] [e Edit] [c Copy] [? Explain] [Esc Exit]

Understand a command before you run it

$ bast explain "tar -xzvf archive.tar.gz"

Extracts a gzip‑compressed tar archive. The flags:
  x = extract,
  z = decompress gzip,
  v = verbose output,
  f = specify filename.

Fix a failed command

$ git push origin feature/auth
! [rejected] feature/auth -> feature/auth (non‑fast‑forward)

$ bast fix
The remote branch has commits you don't have locally.
Suggested fix:
  git pull --rebase origin feature/auth

Beyond the security layer

Bast isn’t just a security wrapper—it’s a full‑featured AI terminal assistant. Highlights:

Dangerous command detection

Automatically warns before rm -rf, git push --force, dd, and other destructive operations. A full list of protected git operations (force push, hard reset, branch deletion, history rewriting) is included.

Git awareness

Knows your current branch, staged changes, merge/rebase state, and recent commits. When you ask it to “commit my changes with a good message,” it reads your diff to craft a meaningful commit message.

Agentic mode

Type /agent for multi‑step tasks. Bast can execute commands, read files, and iterate to complete complex workflows:

$ bast run
> /agent find all TODO comments in go files and summarize them

Tool Calls:
  run_command {"command": "grep -r 'TODO' --include='*.go' ."}

Found 2 TODO comments in the codebase:
1. internal/ai/anthropic.go — Add streaming support for responses
2. internal/tools/loader.go — Validate script permissions before execution

Shell integration

Add eval "$(bast hook zsh)" to your config and get Ctrl+A to launch Bast and Ctrl+E to explain whatever command you’re currently typing.

Custom plugins

Extend Bast with your own tools using simple YAML manifests in ~/.config/bast/tools/. Great for deployment pipelines, database operations, or any workflow you want to make AI‑aware.

The Gateway (and how to skip it)

The Bastio security gateway is free for 100 000 requests/month—no credit card required. It handles PII redaction, injection blocking, and observability.

If you prefer to connect directly to the Anthropic API:

export ANTHROPIC_API_KEY=sk-ant-...
export BAST_GATEWAY=direct

You lose the security features, but everything else works.

Why Open Source?

If a tool claims to protect your data, you should be able to read the code. A closed‑source security tool is a contradiction.

The entire CLI is on GitHub under MIT. Read it, fork it, break it, improve it.

→ github.com/bastio-ai/bast

What’s Next

This is v0.1.0 — the beginning. Some things I’m working on:

• More LLM provider support beyond Anthropic
• Team dashboards and policy controls
• Expanded PII detection patterns
• IDE integration

I’d Love Your Feedback

This is my first Dev.to post, and bast is a brand‑new project. If you’re using AI coding tools in environments with sensitive data, I’d genuinely like to hear how you’re handling it:

• Are you running AI assistants against production codebases?
• Does your team have any policies around what can be sent to LLMs?
• Would you use something like this, or does it feel like overkill?

Star the repo if it’s interesting to you, open an issue if something breaks, and tell me what I’m missing.

GitHub: github.com/bastio-ai/bast
Website: bastio.com