Documentation Index
Fetch the complete documentation index at: https://docs.masker.dev/llms.txt
Use this file to discover all available pages before exploring further.
Masker ships two CLI binaries built from the same repository. masker is a general-purpose text and admin CLI that you use for detection testing, policy authoring, session inspection, and compliance report generation. masker-voice is a voice-specific CLI that replays audio files through the full masking pipeline for offline testing and forensics. Neither binary is required for normal proxy operation — that is handled by the API server. The CLIs are for development, CI, and operational workflows.
Installation
Build from source
GitHub Releases
git clone git@github.com:navi25/masker.git
cd masker
cargo build --release
# Binaries land at:
# target/release/masker
# target/release/masker-voice
Download a pre-built binary for your platform from GitHub Releases. Unarchive and place the binary somewhere on your PATH. Authentication
Most commands operate on local files and need no credentials. For commands that talk to a remote Masker server — sessions, report, agents, policy reload — you authenticate with a session cookie.
Sign in via browser
Open your Masker portal at https://masker-voice.fly.dev/portal/login (or your self-hosted URL) and sign in with GitHub.
Copy the session cookie
Open your browser’s developer tools, navigate to the Application → Cookies tab, and copy the value of masker_session.
Export the variable
export MASKER_SESSION=ey...
--session.A scoped, long-lived CLI token is on the May 30 roadmap. Until then, the session cookie is the supported authentication path for remote commands.
Configuration file
The CLI reads masker.toml for defaults like the server URL, policy path, and output format. It looks for the file in this order:
--config <path> flagMASKER_CONFIG environment variable./masker.toml in the current directory~/.config/masker/config.toml
A typical masker.toml:
[server]
url = "https://masker-voice.fly.dev"
[policy]
path = "./configs/mask_policy.yaml"
[output]
format = "json"
color = "auto"
Global flags
These flags apply to every command:
| Flag | Default | Description |
|---|
--config <path> | ~/.config/masker/config.toml | Path to masker.toml |
--server <url> | (none) | Override the remote API URL |
--policy <path> | ./configs/mask_policy.yaml | Override the policy file |
--json | false | Force JSON output |
--quiet | false | Suppress non-essential output |
-v / --verbose | off | More logging; -vv for trace-level |
masker mask
Pipe text through the full masking pipeline — detection and tokenization — and see the masked output along with per-entity events.
masker mask [--input <file>] [--policy <path>] [--scheme vault-deterministic|reversible-aead|synthetic]
echo "Hi, this is Sarah Chen at (415) 555-2671" | masker mask --policy configs/mask_policy.yaml
# {
# "masked": "Hi, this is MSKV1.NAME.K_HEALTHCARE.... at MSKV1.PHONE.K_HEALTHCARE....",
# "events": [...],
# "policy_name": "healthcare-default",
# "policy_version": 1
# }
| Flag | Description |
|---|
--input <file> | Read from a file instead of stdin. |
--scheme <name> | Override the tokenization scheme for this run. |
--passes <list> | Comma-separated passes to run (regex, gemma). Defaults to policy settings. |
--require-match | Exit 2 if no entities were detected. Useful in CI assertions. |
masker detect
Run detection only, without tokenizing. Returns the list of detected spans with confidence scores. Use this when tuning thresholds in your policy.
masker detect [--input <file>] [--policy <path>] [--threshold <float>]
masker detect tests/fixtures/sample-call.json --policy configs/mask_policy.yaml --json
kind, span, text, confidence, and pass fields.
masker policy
Manage and inspect mask policies.
| Subcommand | Description |
|---|
masker policy validate <path> | Validate a policy YAML and report errors before deploying. |
masker policy diff <a> <b> | Show what would change between two policy files. |
masker policy show [--name <name>] | Print the active policy as JSON. |
masker policy reload --server <url> | Trigger an atomic policy reload on a running server. |
masker policy validate configs/mask_policy.yaml
unknown_kid, invalid_pass, and missing_entity errors. Exit code 3 on validation failure.
Diff two policy versions:
masker policy diff configs/mask_policy.yaml configs/mask_policy_v2.yaml
masker sessions
Inspect sessions on a remote server. All subcommands require MASKER_SESSION.
| Subcommand | Description |
|---|
masker sessions list [--agent <id>] [--since <duration>] | List recent sessions. |
masker sessions show <id> | Show full session detail including all redaction events. |
masker sessions tail [--agent <id>] | Stream session-completed events to stdout in real time. |
masker sessions tail --server https://masker-voice.fly.dev
masker report
Generate compliance reports for a session, an agent, or your entire account. Output is a signed PDF.
# Per-session report
masker report \
--server https://masker-voice.fly.dev \
--session-id sess_abc123 \
--output report.pdf
# Per-agent weekly report
masker report \
--server https://masker-voice.fly.dev \
--agent-id agent_xyz \
--since 7d \
--output weekly.pdf
# Account-wide monthly report
masker report \
--server https://masker-voice.fly.dev \
--since 30d \
--output monthly.pdf
| Flag | Description |
|---|
--session-id <id> | Scope report to a single session. |
--agent-id <id> | Scope report to a single agent. |
--since <duration> | Time window: 1h, 7d, 30d. |
--output <file> | PDF output path. Required. |
masker agents
Manage agents on a remote server.
| Subcommand | Description |
|---|
masker agents list | List all agents. |
masker agents create --name <n> --upstream <model> | Create a new agent. |
masker agents show <id> | Show one agent’s configuration. |
masker agents delete <id> | Delete an agent. |
masker-voice replay
Replay a recorded audio file through the full voice pipeline — ASR transcription, detection, and tokenization — and write the masked transcript to a file.
masker-voice replay \
--input recording.wav \
--policy configs/mask_policy.yaml \
--asr-provider deepgram \
--output transcript.json
| Flag | Description |
|---|
--input <file> | WAV or MP3 input file. Required. |
--asr-provider | Which ASR backend to use: deepgram, openai, or whisper-local (default). |
--diarize | Run speaker diarization (Pass 3). Default true. |
--output <file> | Write the masked transcript to this file. |
Use masker-voice replay with whisper-local and --diarize false for the fastest offline test loop — no external API calls required.
Exit codes
| Code | Meaning |
|---|
0 | Success |
1 | Generic error |
2 | Command-specific failure (e.g. --require-match not satisfied) |
3 | Policy validation failure |
4 | Auth failure — missing or invalid MASKER_SESSION |
5 | Server unreachable |
64 | Usage error (bad or missing flags) |
Environment variables read by the CLI
| Variable | Description |
|---|
MASKER_CONFIG | Path to masker.toml. Overrides the default search path. |
MASKER_SERVER | Default --server URL. |
MASKER_SESSION | Session cookie for remote commands. |
MASKER_POLICY_PATH | Default --policy path. |
RUST_LOG | Standard tracing filter (e.g. masker=debug,tower=info). |