@blanklogic/proxy

v0.2.6

Published

Local BYOK proxy — compress context and redact secrets before OpenAI or Anthropic (proof headers).

Readme

@blanklogic/proxy

Your AI agent is leaking money and secrets. BlankLogic Proxy catches both before OpenAI or Claude sees them.

| Product | Link |
|---------|------|
| Homepage | blanklogic.io |
| Refinery web app | blanklogic.io/refinery |
| Refinery CLI | @blanklogic/refinery |
| MCP server | @blanklogic/refinery-mcp |
| VS Code / Cursor | VS Marketplace |

BlankLogic Proxy is a local BYOK proxy for OpenAI and Anthropic-compatible agent traffic. It compresses noisy text context, redacts obvious secrets, forwards the request with your provider key, and returns proof headers that show what changed.

What's new in 0.2.6

  • npx @blanklogic/proxy --demo — one-shot proof loop with stats, no API keys.

What's new in 0.2.5

  • Coordinated release with MCP server and Refinery browser app (@blanklogic/[email protected]).
  • README refresh: 60-second proof loop and marketplace copy alignment.
  • Transform whitelist (Pro+), architecture map (Team) — unchanged from 0.2.x.

Saved tokens or caught a secret?

If BlankLogic saved you tokens or caught a secret before a provider call, a quick review helps others find it:

60-second proof loop

No API key — run a one-shot local demo:

npx @blanklogic/proxy --demo

With your keys — forward real agent traffic:

npx -y @blanklogic/proxy
export OPENAI_API_KEY=sk-...   # or ANTHROPIC_API_KEY
export OPENAI_BASE_URL=http://127.0.0.1:3011/v1
# send one agent/API request through the proxy, then:
curl -s http://127.0.0.1:3011/stats

You should see non-zero bytesIn / tokensSaved after the first forwarded request. Full transcript: blanklogic.io/demo.

Fast Start

Install and run:

npx -y @blanklogic/proxy

This package is a CLI/local service. It does not expose a supported JavaScript library API; the package export map intentionally keeps internals private.

Short alias after install:

npx bl-proxy

Set provider keys in the same shell that runs the proxy:

export OPENAI_API_KEY=sk-...
export ANTHROPIC_API_KEY=sk-ant-...

Point your agent at the local proxy:

export OPENAI_BASE_URL=http://127.0.0.1:3011/v1
export ANTHROPIC_BASE_URL=http://127.0.0.1:3011

Open the local dashboard:

http://127.0.0.1:3011/stats

Proof Demo

Inside this repo:

npm --workspace @blanklogic/proxy run demo

Installed from npm:

node node_modules/@blanklogic/proxy/examples/proof-demo.mjs

Expected proof headers:

X-BlankLogic-Bytes-Saved: ...
X-BlankLogic-Tokens-Saved: ...
X-BlankLogic-Secrets-Redacted: ...
X-BlankLogic-Estimated-Cents-Saved: ...

What It Does

BlankLogic Proxy runs the same local Refinery engine used by the CLI and MCP server:

  1. De-bloats noisy text, code, HTML, logs, and scraped context.
  2. Redacts obvious secrets before the request leaves your machine.
  3. Forwards the compressed request to the provider using your API key.
  4. Adds proof headers to the response.
  5. Records local request stats for /stats and /stats.json.

Community stats (opt-out)

By default, the proxy sends anonymous aggregate metrics to https://blanklogic.io/api/refinery/local-event after each forwarded request: bytes in/out, tokens saved, secrets redacted, and provider label (proxy:openai or proxy:anthropic). No prompts, API keys, or paths are transmitted.

# Disable community telemetry
export BLANKLOGIC_PROXY_TELEMETRY=0

# Point at a staging API during development
export BLANKLOGIC_STATS_URL=http://127.0.0.1:3012/api/refinery/local-event

The v1 transform is conservative. It only rewrites text segments in OpenAI/Anthropic message payloads and preserves images, tool metadata, tool calls, tool results, function metadata, response format settings, and other non-text content.

Endpoints

  • POST /v1/chat/completions: OpenAI-compatible non-streaming proxy.
  • POST /v1/messages: Anthropic-compatible non-streaming proxy.
  • GET /stats: local dashboard.
  • GET /stats.json: machine-readable stats.
  • GET /health: provider and runtime health without API keys.
  • GET /pro/status: local feature-gate status without printing license keys.

Proxy Pro ($29/mo)

Free proxy forwarding stays unlimited and local. Proxy Pro is live on blanklogic.io/#proxy — Stripe checkout issues a blp_pro_* license key.

For server-side Refinery cleanup (not the proxy), see blanklogic.io/refinery/#cloud-credits.

With a Pro or Team license key, the proxy also exposes:

  • GET /exports/summary.json
  • GET /exports/events.json?limit=1000
  • GET /exports/events.csv?limit=1000
  • project labels via X-BlankLogic-Project
  • team labels via X-BlankLogic-Team
  • policy mode per request via X-BlankLogic-Policy
  • secret-caught alerts via local file or webhook
  • history retention controls

Configuration:

export BLANKLOGIC_PROXY_LICENSE_KEY=blp_pro_0123456789abcdef
export BLANKLOGIC_PROXY_POLICY_MODE=conservative # conservative | standard | aggressive
export BLANKLOGIC_PROXY_PROJECT=my-agent
export BLANKLOGIC_PROXY_TEAM=platform
export BLANKLOGIC_PROXY_HISTORY_LIMIT=5000
export BLANKLOGIC_PROXY_RETENTION_DAYS=30
export BLANKLOGIC_PROXY_ALERT_FILE=~/.blanklogic/proxy/alerts.jsonl

Policy modes are intentionally conservative:

  • conservative: current free behavior.
  • standard: transforms shorter suspicious text segments.
  • aggressive: evaluates every non-empty text segment.

Transform whitelist (Pro+)

Skip debloat for segments that match configured paths or regex patterns. Matching runs against paths that appear in the message text, not against the filesystem, so a path only matches if your agent embeds it in the message. Secrets are still sanitized on skipped segments.

export BLANKLOGIC_PROXY_WHITELIST_PATHS=package.json,pnpm-lock.yaml,*.lock
export BLANKLOGIC_PROXY_CONFIG_PATH=./blanklogic.proxy.json

Example blanklogic.proxy.json:

{
  "policyMode": "conservative",
  "transform": {
    "whitelistPaths": ["package.json", "src/generated/**"],
    "skipRegex": ["^\\s*\\{"]
  }
}

Request header bypass (Pro license): x-blanklogic-skip-transform: 1

Architecture map (Team)

Build an offline import graph (never scans the repo on each forward):

npx @blanklogic/proxy graph --cwd . --out .blanklogic/proxy-graph.json

With a Team license and the cache file present, the proxy injects a compact import-edge block into the system context. Disable this per request with x-blanklogic-graph: off.

Privacy And BYOK

Provider keys stay on your machine. BlankLogic does not receive, custody, meter, or resell your OpenAI or Anthropic keys. This package runs locally and sends provider requests directly from your machine to the configured upstream.

BlankLogic does not pay your OpenAI or Anthropic bill. You keep paying providers directly. The proxy shows what it saved before the request hit their API.

Local stats are stored under:

~/.blanklogic/proxy/stats.db

On Node versions without built-in SQLite, the proxy falls back to a local JSONL event file beside the configured DB path. No provider keys are stored in either backend.

Override the stats path:

export BLANKLOGIC_PROXY_DB_PATH=/path/to/stats.db

Stats, dashboard, and export routes are local-only by default. If you bind the proxy to a non-loopback host, remote clients receive 403 for /stats, /stats.json, and /exports/* unless you explicitly opt in:

export BLANKLOGIC_PROXY_ALLOW_REMOTE_STATS=1

Force JSONL stats fallback for testing or older runtimes:

export BLANKLOGIC_PROXY_STATS_BACKEND=jsonl

Limits

  • Non-streaming v1: requests with stream: true return a clear 400.
  • Max request body: 2 MB.
  • Text-only transformation: image blocks, tool calls, tool results, and other non-text payloads pass through unchanged.
  • Provider keys stay local and are never printed by /health.
  • OpenAI endpoint coverage starts with /v1/chat/completions.
  • Anthropic endpoint coverage starts with /v1/messages.

Custom Upstreams

Do not run the proxy with OPENAI_BASE_URL pointed at itself. Agent-facing base URL variables are intentionally separate from BlankLogic upstream variables.

Use these only when the proxy itself should call a custom provider-compatible upstream:

export BLANKLOGIC_OPENAI_BASE_URL=https://api.openai.com
export BLANKLOGIC_ANTHROPIC_BASE_URL=https://api.anthropic.com
export BLANKLOGIC_PROXY_UPSTREAM_TIMEOUT_MS=120000
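
A pre-flight audit of the shell that will start the proxy, covering the upstream, remote-stats and telemetry variables documented above. This is an added example, not part of the package: the function names and finding IDs are hypothetical, and PROXY_ADDR is assumed from the README's 127.0.0.1:3011 examples.

```shell
#!/bin/sh
# Added example (not shipped with @blanklogic/proxy): audit the proxy's environment.
# PROXY_ADDR is an assumption copied from the README examples.
PROXY_ADDR="${PROXY_ADDR:-127.0.0.1:3011}"
DEFAULT_STATS_URL="https://blanklogic.io/api/refinery/local-event"

# Reduce a URL to host[:port]: drop scheme, path, query and userinfo.
url_authority() {
  a=${1#*://}; a=${a%%/*}; a=${a%%\?*}
  printf '%s\n' "${a##*@}"
}

# Exact loopback names only; anything else is treated as off-host.
is_loopback() {
  case "$1" in
    127.0.0.1|127.0.0.1:*|localhost|localhost:*|"[::1]"|"[::1]:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print one finding per line as "<ID> <detail>"; print nothing when clean.
audit_proxy_env() {
  for var in BLANKLOGIC_OPENAI_BASE_URL BLANKLOGIC_ANTHROPIC_BASE_URL; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then continue; fi
    auth=$(url_authority "$val")
    if [ "$auth" = "$PROXY_ADDR" ]; then
      echo "LOOP $var points back at the proxy ($PROXY_ADDR)"
    elif ! is_loopback "$auth"; then
      case "$val" in
        https://*) ;;
        *) echo "CLEARTEXT $var is not https, so the provider key leaves the host unencrypted" ;;
      esac
    fi
  done
  if [ "${BLANKLOGIC_PROXY_ALLOW_REMOTE_STATS:-}" = "1" ]; then
    echo "REMOTE_STATS remote clients may read /stats, /stats.json and /exports/* on a non-loopback bind"
  fi
  # Telemetry is on by default; the README documents only "0" as the off switch.
  if [ "${BLANKLOGIC_PROXY_TELEMETRY:-}" != "0" ]; then
    echo "TELEMETRY aggregate metrics go to ${BLANKLOGIC_STATS_URL:-$DEFAULT_STATS_URL}"
  fi
  return 0
}

audit_proxy_env
```

Run it in the same shell, before `npx -y @blanklogic/proxy`; an empty result means none of the four conditions applies.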

Troubleshooting

  • OPENAI_API_KEY is required: set OPENAI_API_KEY before using /v1/chat/completions.
  • ANTHROPIC_API_KEY is required: set ANTHROPIC_API_KEY before using /v1/messages.
  • Request body must be valid JSON: the proxy only accepts JSON request bodies.
  • stream=true fails: v1 intentionally supports non-streaming requests first.
  • /health reports enabled providers and upstream URLs without printing keys.

Positioning

BlankLogic Proxy is not just cost tracking. It changes the payload before provider egress, then proves the delta.

It is not a hosted gateway. It is local BYOK infrastructure for users who want compression plus secret redaction without giving another hosted service their provider keys.

The paid path is not token resale. Pro features focus on local history, alerts, exports, project labels, and policy rules after usage proves demand.

License

Free to use locally under the included source-available license. Commercial redistribution, resale, embedding, and hosted-service rights require a separate license.