classified // until you ship it

stop showing
your email
on stream.

a live privacy preview for screen sharing. apple vision ocr finds the emails, phone numbers, and secrets on your display, then redacts them before they ever reach the stream.

read the manual ↓ source

macos 14+/ open source/ apple vision ocr/ runs locally

guard preview recording

support
account on file: adam.krupa@gmail.comemail
you
call me back at +1 (312) 847-1928phone after five.
support
case ref customer-4821needle

mode: standard · 8 fps redacted 3

apple vision finds an email, a phone number, and a custom string, then covers each before the frame is shown.

§ 01

the exposure

the stream two hours, one corner your email sits in the corner of the frame for a whole live session. by the end it belongs to everyone watching.

the demo the tab bar tell you screen-share with a client and your personal gmail is right there in the tab bar. the room notices before you do.

the recording fourteen minutes a customer's phone number is visible for fourteen minutes of a tutorial. you find out after it ships.

the handoff the pasted log you share a log with an internal token in it. it is now in three slack channels you do not own.

§ 02

the countermeasure

over-redact is safer than leak.

guard watches your screen, finds what looks like personal data, and covers it on a delayed preview before it ever reaches the stream. capture and detection are decoupled, so the preview never waits on ocr. if anything in the pipeline breaks, the client fails closed with a black frame.

§ 03

the procedure

captureScreenCaptureKit

the main display streams to a pixel buffer continuously. capture never blocks on detection.

throttlebackground queue

frames are downscaled and ocr runs five to ten times a second, off the hot path.

detectVision OCR

email regex and custom needles run against recognized text, producing per-substring boxes.

storePIIBox snapshot

a thread-safe snapshot holds the latest boxes, so the preview never waits on detection.

redactprotected preview

the delayed frame is drawn with boxes or a blackout over anything that matched.

§ 04

operating modes

lockdown most cautious

accurate ocr, a longer delay buffer, and full blackouts while armed. for demos and recordings you cannot re-shoot.

accurate ocrblackoutenhance contrast

standard balanced default

fast ocr, a modest delay, and boxes by default. the one you reach for most days.

fast ocrboxes

low-latency responsive

lower delay and a faster cadence. for live walkthroughs where the preview should track your hands.

lowest delayfaster cadence

§ 05

deployment

localone mac

the same machine captures the screen, runs ocr, and renders the protected preview. no network, no trust surface.

remoteclient + server

a client mac captures frames and sends them to a processing server over a token-authenticated websocket. if the remote path fails, the client fails closed with a black frame.

§ 06

field install

macos only. built with swiftpm, no xcode project. the interactive installer builds the release binary and offers to start any mode.

macOS 14 or newer
SwiftPM from xcode or the command line tools
Screen Recording permission for your terminal

one-line installer

./scripts/setup.sh

build from source

swift build -c release
.build/release/pii-stream watch --mode standard

server + client

pii-stream serve --host 0.0.0.0 --port 8765 \
  --token "a-long-random-token"

pii-stream watch --remote SERVER:8765 \
  --token "a-long-random-token" --mode standard

scan a static image

pii-stream detect-image --image ./shot.png --json

§ 07

the safe default

when in doubt, show nothing.

if anything in the pipeline breaks, you do not get a partial frame with pii in it. you get a black frame. the safe default is no picture.