# Troubleshooting & FAQ ## Do I need an account to try Blekline? No. `@blekline/contracts` works offline with no token — local secret scanning and tool enforcement, no network calls. You need a workspace token for cloud masking (Azure PII), fleet policy, and audit events. Start local, connect cloud when ready. ## What's the difference between mcp-server and mcp-proxy? `mcp-server` is what Cursor, Claude Desktop, and Codex connect to directly. It provides `blekline_mask_prompt`, `blekline_classify_risk`, and `blekline_emit_event` as tools the agent can call. `mcp-proxy` sits between your agent and a downstream MCP server (Daytona, E2B, Modal, Cloudflare, Vercel Sandbox, etc.). It intercepts `tools/call` messages before they reach the downstream server, enforcing tool policy at the proxy layer. Use both together for prompt masking AND tool call governance before L1 sandboxes. ## Is my prompt text stored anywhere? No prompt bodies are stored in default event ingest. Audit events contain metadata only — entity counts, action taken, tool name, model provider. See [Trust boundaries](/docs/security/trust-boundaries) for the complete data handling spec. ## MCP shows red in Cursor settings 1. Run `pnpm build:packages` — dist files must exist for the stdio command. 2. Check `BLEKLINE_WORKSPACE_TOKEN` is exported in your active terminal session. 3. Reload Cursor: `Cmd+Shift+P → Developer: Reload Window`. 4. Still red: try the npm path — command `npx`, args `["-y", "@blekline/mcp-server"]`. ## I see the tools but the agent never calls them Tools are available to the agent; it decides when to invoke them. Add instructions in `.cursorrules` or your system prompt directing the agent to call `blekline_mask_prompt` before sending sensitive content to a model. ## Token returns 401 Regenerate in Admin → API keys with `mask:write` and `events:write` scopes. Tokens do not auto-renew. ## What works without a token? `@blekline/contracts`: `scanTextForSecrets()` and `enforceToolCallLocally()`. These run entirely in-process. Good for CI and local dev without any cloud dependency. ## How do I run Blekline with an L1 sandbox? Set `BLEKLINE_DOWNSTREAM_MCP_COMMAND` to your provider MCP server command and set `BLEKLINE_DOWNSTREAM_SERVER` for telemetry (`daytona`, `modal`, `vercel`, `cloudflare`, or `e2b`). Provide the provider API key or token. Use `BLEKLINE_MCP_PROXY_MOCK=1` for local dev without provider credentials. See [Sandbox providers](/docs/integrations/sandbox-providers). ## How do I run Blekline without sending data to Azure? Set `BLEKLINE_MASK_FAST_PATH=local_only` on the server, or pass the header `x-blekline-mask-fast-path: local_only` per request. This skips the Azure PII call entirely. Secret scanning still runs locally via `@blekline/contracts`. ## How do I connect Continue or GitHub Copilot? See [Agent clients hub](/docs/integrations/agent-clients). Set `BLEKLINE_CLIENT_SURFACE=continue` or `github-copilot` in MCP env. Config paths differ per client — use **Operations → MCP** presets. ## How do I route Azure OpenAI or OpenRouter through Blekline? Use [Ingress proxy](/docs/api/ingress-proxy) with SDK `base_url=https://app.blekline.com/api/ingress/v1` and set server `OPENAI_API_BASE` to your provider. See [Model providers](/docs/integrations/model-providers). ## How does LangSmith fit with Blekline? Blekline governs ingress (allow/block); LangSmith measures quality after. Export metadata-only `/api/events` to LangSmith — not a SIEM. See [LangSmith stack](/docs/integrations/langsmith-stack) and [Trust boundaries](/docs/security/trust-boundaries). --- **Next steps:** [Quick start](/docs/introduction/quick-start) · [Architecture](/docs/introduction/architecture) · [Trust boundaries](/docs/security/trust-boundaries) · [MCP Cursor setup](/docs/mcp/cursor)