Open Source

PromptWard

A Chrome extension that catches PII in your prompts before it reaches ChatGPT, Claude, Gemini, or Perplexity - redaction runs entirely on-device.

Chrome Extension
Manifest V3
ONNX Runtime
On-Device AI
Privacy
PromptWard's review modal showing an original prompt next to its redacted version with PII replaced by placeholder tokens

Project Overview

PromptWard sits in front of ChatGPT, Claude, Gemini, Perplexity, and Mistral's chat composers and intercepts the send action before the request leaves the browser.

A local ONNX token-classification model (Rampart, from National Design Studio) runs entirely inside the extension - layered with deterministic heuristics for SSNs, card numbers, emails, and phone numbers - to find PII with no network call and no server round trip.

When PII is found, a review modal shows the original text next to the redacted version. The redacted version sends automatically after a 5-second idle timer (covering the case where you step away from the keyboard), with an explicit "Send original" opt-out and instant cancellation on any interaction with the modal.

Built Around

100% local detection and redaction - no prompt text ever leaves the device.
Censor-by-default review flow with a 5s auto-confirm and explicit opt-out.
Reversible placeholders: redacted tokens rehydrate back to the original values within the same conversation.
Works across rich-text composers (Lexical/ProseMirror-style editors), not just plain textareas.

Product Capabilities

Local Detection
Named-entity + heuristic PII detection, on-device.
  • - ONNX token-classifier for names and contextual PII
  • - Regex/checksum heuristics for SSNs, card numbers (Luhn), emails, phones
  • - No network calls, no telemetry, no server component
Review & Send Flow
A deliberate checkpoint before anything reaches the AI provider.
  • - Side-by-side original vs. redacted diff
  • - 5-second auto-confirm with cancel-on-interaction
  • - Explicit "Send original" opt-out, never silent
Site Coverage
Built-in support for the major AI chat products.
  • - ChatGPT, Claude, Gemini, Perplexity, Mistral out of the box
  • - Add any other site from the side panel
  • - Fail-closed: blocks the send if it can't confirm redaction landed

Technical Architecture

Extension Runtime
  • - Manifest V3 with an offscreen document hosting a dedicated Worker
  • - Rampart ONNX model + ONNX Runtime Web (WASM) running locally
  • - Content-script interception across textarea, contenteditable, and rich-text composers
  • - Vite + @crxjs/vite-plugin build pipeline
Correctness & Safety
  • - Multi-strategy DOM write-and-verify for rich-text editors, with settle-window polling
  • - Fail-closed guard: never sends unless the redacted text is confirmed applied
  • - Vitest suite covering detection, message routing, and DOM adapters
  • - Full debug/diagnostics log accessible from the side panel for troubleshooting

Project Signals

0
Server Calls
For PII detection
5s
Auto-Confirm
Idle-safe by default
5
AI Sites
Supported out of the box
MIT
Open Source
Source on GitHub

Interested in Learning More?

This private project reflects hands-on product, engineering, and AI workflow development across the full stack.