Blekline
v0.3.0GitHub

Introduction

Troubleshooting & FAQ

Common Blekline setup questions, MCP errors, and local vs cloud modes.

View as Markdown

Do I need an account to try Blekline?

No. @blekline/contracts works offline with no token — local secret scanning and tool enforcement, no network calls. You need a workspace token for cloud masking (Azure PII), fleet policy, and audit events. Start local, connect cloud when ready.

What's the difference between mcp-server and mcp-proxy?

mcp-server is what Cursor, Claude Desktop, and Codex connect to directly. It provides blekline_mask_prompt, blekline_classify_risk, and blekline_emit_event as tools the agent can call.

mcp-proxy sits between your agent and a downstream MCP server (Daytona, E2B, Modal, Cloudflare, Vercel Sandbox, etc.). It intercepts tools/call messages before they reach the downstream server, enforcing tool policy at the proxy layer. Use both together for prompt masking AND tool call governance before L1 sandboxes.

Is my prompt text stored anywhere?

No prompt bodies are stored in default event ingest. Audit events contain metadata only — entity counts, action taken, tool name, model provider. See Trust boundaries for the complete data handling spec.

MCP shows red in Cursor settings

  1. Run pnpm build:packages — dist files must exist for the stdio command.
  2. Check BLEKLINE_WORKSPACE_TOKEN is exported in your active terminal session.
  3. Reload Cursor: Cmd+Shift+P → Developer: Reload Window.
  4. Still red: try the npm path — command npx, args ["-y", "@blekline/mcp-server"].

I see the tools but the agent never calls them

Tools are available to the agent; it decides when to invoke them. Add instructions in .cursorrules or your system prompt directing the agent to call blekline_mask_prompt before sending sensitive content to a model.

Token returns 401

Regenerate in Admin → API keys with mask:write and events:write scopes. Tokens do not auto-renew.

What works without a token?

@blekline/contracts: scanTextForSecrets() and enforceToolCallLocally(). These run entirely in-process. Good for CI and local dev without any cloud dependency.

How do I run Blekline with an L1 sandbox?

Set BLEKLINE_DOWNSTREAM_MCP_COMMAND to your provider MCP server command and set BLEKLINE_DOWNSTREAM_SERVER for telemetry (daytona, modal, vercel, cloudflare, or e2b). Provide the provider API key or token. Use BLEKLINE_MCP_PROXY_MOCK=1 for local dev without provider credentials. See Sandbox providers.

How do I run Blekline without sending data to Azure?

Set BLEKLINE_MASK_FAST_PATH=local_only on the server, or pass the header x-blekline-mask-fast-path: local_only per request. This skips the Azure PII call entirely. Secret scanning still runs locally via @blekline/contracts.

How do I connect Continue or GitHub Copilot?

See Agent clients hub. Set BLEKLINE_CLIENT_SURFACE=continue or github-copilot in MCP env. Config paths differ per client — use Operations → MCP presets.

How do I route Azure OpenAI or OpenRouter through Blekline?

Use Ingress proxy with SDK base_url=https://app.blekline.com/api/ingress/v1 and set server OPENAI_API_BASE to your provider. See Model providers.

How does LangSmith fit with Blekline?

Blekline governs ingress (allow/block); LangSmith measures quality after. Export metadata-only /api/events to LangSmith — not a SIEM. See LangSmith stack and Trust boundaries.

Next steps: Quick start · Architecture · Trust boundaries · MCP Cursor setup