u/SteveHaller

How do you protect your code when you're allowed to use an LLM but not to disclose the source?

Curious how others handle this. My situation: the client lets me use LLMs for coding, but explicitly asked that the actual source not be disclosed to a third party. So "just paste it into  a cloud model" is off the table for the sensitive parts, but going fully without an assistant  isn't realistic either.
I first tried keeping everything local. On a laptop the reasoning models were too slow to be usable (minutes per turn), and the smaller ones were unreliable — they'd "answer" without really reading the files. Moving to a server helped the speed a bit but the quality still wasn't there  for real work. Local felt like paying a lot to end up with a weaker assistant.
What I landed on instead: a workflow where the sensitive parts go through an obfuscating proxy before reaching the model — identifiers in code, comment and conf get renamed on the way out and restored on the way back,  so I keep a capable cloud model but the remote side never sees the real names/structure. I'm using promptCape for that piece, and so far it's held up.
 
But I'd like a reality check — how do you handle it?
- Local models good enough for you now, or same slowness/quality wall I hit?
- Obfuscation / proxy layer, and if so which?
- Air-gapped setups, contract clauses, or just not using AI on those parts at all?
 
Genuinely want to hear what's working for people under a "no disclosure" constraint.

reddit.com
u/SteveHaller — 4 days ago

Which products to protect code

What are the products which already there to protect the code when sent to ai considering must continue to be of help to generate code or fix or extend ? We look at presidio in the past but it was mostly to anonymise.

reddit.com
u/SteveHaller — 1 month ago
▲ 2 r/codingProtection+1 crossposts

Just subscribed. CISO at a mid-sized SaaS company. The hardest conversation I have right now isn't *"should we allow AI assistants"* — that battle is lost, devs will use them with or without permission. It's *"how do we give them productive AI without accepting unbounded data egress."*
 
Three things keep me up at night:  

  1. Vendor data-retention policies that change quietly in ToS updates nobody reads.
  2. Devs pasting full files into web UIs, where the API-tier guardrails (zero retention, no training) don't apply.
  3. The "context windows are huge now!" marketing — meaning whole repos get sent in a single prompt, and your IP-leakage surface scales with the model size.

 
We've started looking at proxying outbound prompts through something that strips identifiers, secrets, and proprietary class names before anything reaches the provider. Curious who else here is doing similar.

reddit.com
u/SteveHaller — 2 months ago