|Ben @ Grepture|Product Updates

Introducing the Grepture CLI — A Local AI Gateway

The Grepture CLI is now on npm. Run grepture dev to route AI traffic through a local gateway with full observability, PII redaction, and cost tracking — from your terminal.

Your dev environment is flying blind

Production has observability. Development doesn't. We think that's backwards — development is where you're experimenting, iterating, and most likely to accidentally send something you shouldn't.

Today we're releasing the Grepture CLI on npm. It's a local AI gateway that gives your dev environment the same visibility and protection your production traffic gets.

Install and run

npm install -g @grepture/cli

grepture login
grepture dev

That's it. A local proxy starts on localhost:8787. Point your AI SDK at it:

import OpenAI from "openai";

const openai = new OpenAI({
  baseURL: "http://localhost:8787/proxy",
  apiKey: process.env.OPENAI_API_KEY,
});

Every request now flows through Grepture. Your terminal shows a live traffic tail:

  Grepture Dev Session
  ─────────────────────────────────────────
  Session:    d7150823
  Proxy:      http://localhost:8787
  Dashboard:  https://app.grepture.com/sessions/d7150823...
  ─────────────────────────────────────────

  9:47:30 PM  POST  200  gpt-4o     1,204ms  12,430 tok  /v1/chat/completions
  9:47:45 PM  POST  403  gpt-4o       89ms   BLOCKED     /v1/chat/completions
  9:48:01 PM  POST  200  gpt-4o     2,105ms  45,230 tok  /v1/chat/completions

Model, status, latency, token count — for every request, as it happens. If a rule blocks a request, you see it immediately. No more wondering why your app got a weird response.

Why sessions matter for development

When you run grepture dev, the CLI creates a session — a time-bounded window of AI traffic tied to your development environment. Sessions show up in the Grepture dashboard with their own traffic log, so you can inspect every request and response in detail after the fact.

This solves a real problem. During development you're:

  • Testing prompts and need to see exactly what the model received and returned
  • Debugging unexpected behaviour and need the full request/response body, not just a status code
  • Iterating on rules and need to verify they fire correctly on real requests
  • Tracking costs and want to know how many tokens your feature uses before it ships

Sessions give you all of this without changing your application code. Start a session, do your work, stop the session. Everything is logged and available in the dashboard — model used, token counts, cost estimates, latency, which rules fired, the full request and response bodies.

Sessions auto-disconnect after 15 minutes of inactivity, so you don't have to remember to stop them.

What flows through the gateway

The local proxy isn't just a passthrough. When your request hits localhost:8787, it travels through Grepture Cloud where your team's rules are applied before it reaches the LLM provider. That means during development you get:

PII redaction. The same 50+ detection patterns that protect your production traffic also protect your dev requests. If your test data includes real email addresses, credit card numbers, or phone numbers, they get caught before the model sees them.

Rule enforcement. Your team's rules — blocking rules, redaction rules, custom patterns — are applied in real-time. If you're building a feature that would trigger a rule in production, you'll find out now instead of after deploying.

Prompt management. If you're using managed prompts, they resolve server-side through the gateway. Update a prompt in the dashboard, and your next dev request uses the new version automatically.

Cost tracking. Every request shows token counts in the terminal and cost estimates in the dashboard. See exactly what your feature costs to run before it ships.

Beyond sessions: scanning your codebase

The CLI also includes a standalone security scanner. No cloud connection required — it runs locally with regex-based detection for PII, hardcoded secrets, and unsafe AI SDK patterns.

grepture scan

  src/api/chat.ts:12:21 error [grepture/generic-api-key]
  E API key or secret detected
    12 | const key = "sk-proj-abc123...";
       |              ~~~~~~~~~~~~~~~~~~

  src/prompts/system.txt:5:1 warning [grepture/prompt-injection]
  W Potential prompt injection pattern detected
     5 | Ignore all previous instructions
       | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  2 findings (1 error, 1 warning)

The scanner catches things that shouldn't be in your codebase — API keys committed to a file, PII in test fixtures, prompt injection patterns in templates. It's the static analysis complement to the runtime protection that sessions provide.

Git hooks

Install a pre-commit hook that scans staged files before every commit:

grepture hook install

If a staged file contains a hardcoded API key or PII above your severity threshold, the commit is blocked. Configure the threshold in .grepture.yml:

hook:
  block_on: error

CI/CD integration

The CLI outputs SARIF for GitHub Code Scanning:

- run: grepture ci --format sarif > results.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

In CI mode, it scans only changed files (the PR diff) by default, so it's fast even in large repos.

Team rules sync

If your team has rules configured in the Grepture dashboard, the CLI pulls them automatically during grepture dev sessions. But you can also manage rules explicitly:

grepture rules pull    # Fetch team rules from cloud
grepture rules push    # Push local rules to cloud
grepture rules list    # Show all active rules

This means you can develop rules locally, test them against your codebase with grepture rules test <file>, and push them to your team when they're ready. Every developer on your team gets the same protection without manual configuration.

Open source

The CLI is open source under AGPL-3.0. The scanner, detection patterns, and local rules engine are all available to inspect, audit, and contribute to. The cloud features — sessions, AI-powered detection, team rules sync — require a Grepture account.

We believe the tools that inspect your code and sit between your app and your LLM should be transparent. You shouldn't have to trust a black box.

Get started

npm install -g @grepture/cli
grepture dev

Point your AI SDK at http://localhost:8787 and start building. Your requests are logged, your data is protected, and your costs are tracked — from the first API call.