LUCAIRN SENSITIVE MODEWORK IN PROGRESS

Sensitive Mode —
the privacy layer in front of every desktop AI tool you use.

Most AI privacy tools live on the cloud side. Sensitive Mode lives on your laptop. A small daemon (lucairnd) sits between your browser or desktop AI client and the AI provider's API. Before your prompt leaves the machine, it is sanitized — names, emails, numbers, identifiers redacted into stable placeholders. The redacted prompt is what the AI sees. The response is rehydrated locally before it reaches you. The sanitization is reversible only on your laptop, in an encrypted store you control. This page documents what is shipped today and what is still being built.

As of 9 May 2026

01Why now (regulatory tailwind)

Article 50(2) becomes
effective 2 December 2026.

The EU AI Act's Article 50(2) machine-readable-marking obligation becomes effective 2 December 2026 — the compromise date set by the May 2026 Digital Omnibus. For deployers under Article 50(4) — anyone using AI to generate user-facing or internal-decision content — the regulator's question post-2026 is: show me, for this output, that the marking was present and the data flow is auditable.

Sensitive Mode produces the data-flow leg. Every prompt routed through the Lucairn gateway is sanitized at the laptop, signed by the daemon, and certificate-bound to a per-conversation Decision Certificate when the request reaches the gateway. The on-device redaction record stays on your machine; the gateway-side signed receipt is what your auditor verifies.

The regulation-side mapping (which obligation answers to which artifact) lives at /compliance/synthetic-content-marking.

02How it works

Three steps,
two of them on your laptop.

01

At your laptop.

A small daemon (lucairnd) intercepts the API request your AI client makes. The L1+L2 sanitizer pipeline runs locally — Microsoft Presidio plus 11 custom German recognizers (IBAN, SVNR, Fallnummer, and similar). PII spans get replaced with stable placeholders; the original spans are stored in an encrypted local store keyed off macOS Keychain.

02

At the gateway.

The redacted request reaches the Lucairn gateway, which forwards it to the upstream LLM (BYOK passthrough — gateway never holds your upstream key). The model never sees the raw PII. The signed Decision Certificate is generated on the gateway side at this step.

03

On the way back.

When you re-open the conversation later, the daemon's GET conversation-fetch interceptor relinks user-message placeholders the model saw (e.g., [PERSON_1]) back to the original text from your local encrypted store. You read the rehydrated user-side messages.

Cross-conversation placeholder consistency is per-conversation only (privacy-by-default). [PERSON_1] in chat A may be Maria; [PERSON_1] in chat B may be Bob. There is no global decoder ring.

03What's shipped vs what's coming

Three states:
shipped today, in development, and on the roadmap.

Read the matrix the way an engineer would scope a beta. Every ✅ row maps to a real capability in the lucairn-sensitive-mode-client codebase as of 9 May 2026. Every 🚧 row is being worked on right now. Every 📅 row is planned but not committed to a date.

Shipped (today)

  • macOS menubar app (Tauri-based)

    Native menubar surface for status, settings, and Forget actions. macOS only at this stage.

  • Per-conversation encrypted store (SQLite + AES-GCM)

    Persistent local store with AES-GCM at rest; symmetric key kept in macOS Keychain.

  • User-message placeholder rehydration on conversation re-open

    GET conversation-fetch interceptor relinks placeholders in user-side messages of the retrieved chat history.

  • Configurable retention window

    User-selectable retention default — 7 days / 30 days / 90 days / 365 days / Forever — exposed in the Settings panel.

  • Forget-all action (rotates encryption key in-place)

    Single-click destructive action; existing rows become unreadable; no daemon restart required.

  • 5-state popup status indicator

    ok / off / warn / error / unknown — distinguishes master-toggle-off from per-site-opt-out from daemon-unreachable.

  • Conversation-export warning (passive disclosure in Settings)

    Settings panel discloses that downloaded conversation exports contain rehydrated text; the daemon does not touch the exported blob.

In active development

  • Linux libsecret key storage

    macOS Keychain shipped; Linux libsecret backend in active development.

  • Windows DPAPI key storage

    macOS Keychain shipped; Windows DPAPI backend in active development.

  • Assistant-message rehydration

    Documented v1 limitation. Today the interceptor relinks user inputs only; assistant-side rehydration requires the gateway to expose a per-pmid placeholder map — work in progress.

  • Sidebar search-results placeholder rehydration

    v1 limitation. Sidebar search snippets render with [PERSON_1] placeholders today; full rehydration may revisit per user feedback.

  • Active conversation-export interceptor

    Warning-only today. An active interceptor that rewrites the export download is deferred to a future reverse-engineering pass.

Roadmap (no committed dates)

  • Closed beta access

    Cohort-based opening during 2026. Join the waitlist below.

  • Reproducible-build CI + Sigstore signing for distribution

    Phase 0 / pre-launch is a manual DMG today. Reproducible builds + Sigstore signing arrive before public launch.

  • Per-conversation Decision Certificate visualization in the menubar

    Parity with the /sandbox/app pattern: tap the menubar to inspect the signed receipt for the conversation in front of you.

  • Browser-extension companion for fully-headless web flows

    Today the daemon covers desktop AI clients and the major web flows. A browser-extension companion deepens coverage for headless web automation.

04Threat model in one paragraph

What Sensitive Mode protects against,
and what it does not.

Sensitive Mode protects against: prompts containing PII reaching cloud LLMs, accidental disclosure during retrieval and search-results rendering, and persistent leakage through conversation history sync.

Sensitive Mode does NOT protect against: malicious software running with your user privileges, side-channel attacks against your machine, model memorization of partial or class-level information, or post-rehydration leakage via screen-sharing or accessibility tools.

Sensitive Mode does NOT replace the EU AI Act compliance work — it is one layer in the data-flow defense. Article 50 transparency obligations, Article 12 logging obligations, Article 14 human-oversight obligations, and the rest of the Act remain controller-side responsibilities of your organization.

05How it compares to cloud AI gateways

Four properties move
when the sanitizer runs at your laptop.

Sensitive Mode is not a substitute for an EU-sovereign cloud AI gateway — it is the upstream layer to it. Each row below is a structural property that flips when the redaction step happens locally rather than at the cloud edge.

  • Where the sanitizer runs
    Cloud gatewayAt the cloud edge (after the request leaves your network)
    Sensitive ModeOn your laptop, before the request leaves the machine
  • Where the encrypted store lives
    Cloud gatewayCloud-resident
    Sensitive ModeOn your machine; symmetric key in macOS Keychain
  • When PII first leaves the device
    Cloud gatewayBefore redaction — the cloud-resident gateway sees raw PII to redact it
    Sensitive ModeIt does not — PII is redacted before transit
  • Who owns the rehydration key
    Cloud gatewayCloud vendor
    Sensitive ModeYou do — the key never leaves your machine

For the gateway-side architectural-class comparison (what changed when the cloud lane consolidated under Palo Alto Networks + Portkey), see /security/eu-sovereign-ai-gateway.

06Closed beta

Closed beta —
join the waitlist.

Sensitive Mode is in active development. The closed-beta cohort opens during 2026. Submit your email and a one-line use-case; we'll reach out as cohorts open. macOS today; Linux and Windows backends arrive ahead of public launch.

We respond within 1–2 working days. No spam, no autoresponders that pretend to be human.

07Footer disclaimer

What this page is,
and what it is not.

  • Capabilities listed under shipped are accurate to the current state of the lucairn-sensitive-mode-client codebase as of 9 May 2026.
  • Capabilities listed under in development or roadmap are subject to change. The architecture, schedule, and feature set may evolve.
  • The EU AI Act and its secondary legislation (Digital Omnibus, AI Office guidance, CEN-CENELEC JTC 21 standards) may change the regulatory framing referenced here.
  • This is not a product spec sheet. It is a public statement of where Sensitive Mode is and where it is heading.

REFERENCES

2026-05-09 · /sensitive-mode