npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

anchanto-pii-guard

v1.0.2

Published

Lightweight local AI DLP system for Cursor — detects and prevents PII and secrets from being sent to LLMs

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

nikhil_kumar_anchantonikhil_kumar_anchanto

Keywords

cursorpiidlpsecuritysecretsai-safetyllm-safetydata-loss-prevention

Readme

Anchanto Guard

Lightweight, fully local PII and secret detection for Cursor. Prevents sensitive data from reaching LLMs through Cursor's hook system — no cloud, no telemetry, zero data leaves your machine.

How It Works

Anchanto Guard hooks into Cursor's beforeSubmitPrompt and beforeReadFile events. Before any prompt or file reaches the LLM, it is scanned. If sensitive data is found, the prompt is blocked and Cursor shows a message explaining what was detected and what to do.

Note: Cursor's hook API does not support modifying prompt text — hooks can only allow or deny. This means all detected PII and secrets result in the prompt being blocked. The user must remove or replace the sensitive value before retrying.

What Gets Blocked

Credentials (must be removed)

| Pattern | Example | |---|---| | AWS Access Keys | AKIAIOSFODNN7EXAMPLE | | OpenAI API Keys | sk-abc123... | | Anthropic API Keys | sk-ant-api03-... | | GitHub Tokens | ghp_abc123... | | GCP API Keys | AIza... | | JWTs | eyJhbGci... | | Private Keys | -----BEGIN RSA PRIVATE KEY----- | | DB connection strings | postgres://user:pass@host/db | | Passwords in code | password="hunter2" | | Bearer tokens | Bearer eyJhb... | | npm / Slack / SendGrid / Shopify / Twilio tokens | service-specific formats | | High-entropy secrets | Random base64/hex tokens |

PII (replace with placeholder before retrying)

| Pattern | What to use instead | |---|---| | Email addresses | [email protected] | | Indian phone numbers | a dummy number | | PAN numbers | a dummy PAN | | Aadhaar numbers | a dummy Aadhaar | | Credit card numbers | a test card number |

Allowed through (no action)

| Pattern | Behaviour | |---|---| | Internal/private IP addresses | logged, passes through | | Internal domain URLs | logged, passes through | | UUIDs | logged, passes through |

Installation & Setup

# Install globally
npm install -g anchanto-pii-guard

# Setup hooks in your project (run from project root)
cd /your/project
anchanto-guard init

# Restart Cursor to activate

init creates or updates .cursor/hooks.json with absolute paths to Node and the script. Safe to re-run — merges with existing hooks.

Verify Installation

anchanto-guard check

Output when healthy:

[anchanto-guard] Checking hooks in /your/project

  [ OK ] .cursor/hooks.json exists
  [ OK ] beforeSubmitPrompt hook present
  [ OK ] beforeReadFile hook present
  [ OK ] Node path is current
  [ OK ] Script path exists

[anchanto-guard] All checks passed. Hooks are healthy.

Policy Customization

Create .anchanto-guard.json in your project root or home directory to override defaults:

{
  "rules": [
    { "type": "UUID", "action": "ALLOW" },
    { "type": "EMAIL", "action": "WARN" }
  ],
  "allowlist": {
    "values": ["[email protected]"],
    "patterns": ["@example\\.com$"],
    "types": ["UUID"]
  }
}

Default allowlisted email domains (pass through without blocking)

example.com, example.net, example.org, test.com, foo.com, bar.com, mailinator.com, yopmail.com, sample.com, dummy.com

Use these domains in test/dummy data and they will not be blocked.

Policy file lookup order

  1. <project>/.anchanto-guard.json
  2. <project>/.cursor/anchanto-guard.json
  3. ~/.anchanto-guard.json

Environment Variables

| Variable | Default | Description | |---|---|---| | PII_GUARD_LOG_LEVEL | info | Log level: debug, info, warn, error |

Troubleshooting

Hooks are not triggering at all

  1. Confirm .cursor/hooks.json exists in your project root:
    cat .cursor/hooks.json
  2. Run the health check:
    anchanto-guard check
  3. Restart Cursor — hooks are loaded at startup, not hot-reloaded.
  4. Check your Cursor version supports hooks (requires Cursor ≥ 0.40).

"command not found" or hook silently fails

Cursor runs hooks with a minimal PATH that often does not include your npm global bin. The init command handles this by writing absolute paths for both Node and the script. Re-run init to fix:

anchanto-guard init
# Restart Cursor

Node version changed (nvm / fnm / volta)

init bakes the current Node binary path into hooks.json. After switching Node versions that path goes stale — hooks silently fail.

Fix: after every nvm use or Node upgrade, run:

anchanto-guard init
# Restart Cursor

anchanto-guard check detects a stale Node path and warns you.

Cursor shows "hook timed out"

Default timeout is 10 seconds. Increase in .cursor/hooks.json:

{ "command": "...", "timeout": 30 }

Hook blocks a legitimate prompt (false positive)

Option 1 — use an allowlisted test domain:

Use [email protected] instead of a real email. These domains are allowlisted by default and pass through without blocking.

Option 2 — allowlist a specific value or pattern:

{
  "allowlist": {
    "values": ["[email protected]"],
    "patterns": ["@yourcompany\\.com$"]
  }
}

Save as .anchanto-guard.json in your project root.

Option 3 — change action for a rule:

{
  "rules": [
    { "type": "EMAIL", "action": "WARN" }
  ]
}

Windows

  • After init on Windows, verify the generated hooks.json paths are valid.
  • If hooks fail, set the command manually in .cursor/hooks.json:
    { "command": "C:\\Program Files\\nodejs\\node.exe C:\\path\\to\\anchanto-guard.js hook prompt" }
  • Use where anchanto-guard in PowerShell to find the installed binary location.

Re-running init is safe

init removes existing Anchanto Guard entries and adds fresh ones with current absolute paths. Other hooks in your hooks.json are preserved.

Security

  • Runs entirely locally — no data leaves your machine
  • No network calls of any kind
  • Dependencies: libphonenumber-js, validator only — no heavy frameworks
  • Logs never contain raw secret values (SHA-256 fingerprints only)
  • No background daemon or persistent process

License

MIT