DocMask
Last verified: 2026-05-02 · 35 claims · 0 disproved

Verify every claim we make in 5 minutes.

Every marketing claim DocMask makes, on landing pages, in white papers and on comparison pages, traces back to a specific file:line in our source code (or to an external authoritative source we cite). This page lets you audit those traces row by row, and run a 5-command self-audit that does not depend on our cooperation.

Verified: 28

Verified with caveat / discrepancy: 6

Resolved this session: 1

Disproved: 0

Why this page exists

Most software vendors hide their evidence behind "trust us" copy and SOC 2 reports. We think that is the wrong trust mechanism for buyers in compliance, legal, healthcare, finance and HR, domains where the cost of a wrong vendor decision is high enough that "trust us" does not clear the bar. So we publish the proof inline. If a marketing claim has no row on this page, it was not approved for publication. If a row's status is anything other than verified, the caveat is disclosed openly. If you find a claim we made that contradicts the source code, please email [email protected]; we will either fix the code or fix the marketing within 24 hours and credit you on this page.

5-command reviewer self-audit

If you only have 5 minutes, run these 5 commands. They cover the highest-value claims (zero outbound HTTP from the sidecar; AES-256-GCM envelope; OS keyring with keyfile fallback; offline ed25519 license; 34 sidecar actions). All paths are relative to a checked-out copy of the DocMask source tree (request access via the contact form below). The line numbers quoted in #2, #3 and #4 are those of the revision current on the "Last verified" date above; they drift between commits, so re-locate the symbol if a count looks off.

#1 Zero outbound HTTP in the shipped sidecar

Greps the whole Python sidecar tree for imports of the 4 standard HTTP client libraries; any such import that ships in the PyInstaller bundle would show up here. Two limits of this check are worth knowing: the anchored pattern only sees imports that start a line (an `import requests` indented inside a function, an `importlib.import_module("httpx")`, or a lower-level `socket` / `http.client` import all pass it), and it inspects the source tree rather than the built artefact. For the bundle itself, list its contents with PyInstaller's pyi-archive_viewer and look for the same module names. git grep has no --include option; restrict it with a pathspec instead:

git grep -E '^(import|from)[[:space:]]+(requests|urllib|httpx|aiohttp)' -- 'python-sidecar/*.py'

Expected: only tests/e2e_worker_flow.py:58-59 (test code, not in the PyInstaller bundle).
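A stronger version of audit #1 walks the Python AST instead of grepping lines, so it reports an import wherever it sits. This is an added reviewer example for this page, not DocMask code; NETWORK_MODULES (deliberately broader than the four libraries in the grep), the sample files and the function names are this example's own assumptions. Run it with a directory argument (for example python-sidecar/) to scan a real tree; without one it compares the grep view and the AST view on the constructed samples.

```python
"""Audit #1 on the AST instead of with an anchored grep.

Added example for this page (reviewer tooling, not DocMask code). It reports
network-library imports wherever they occur: at column 0, indented inside a
function, behind importlib.import_module()/__import__(), or via stdlib
primitives such as socket and http.client. The grep in audit #1 only sees
column-0 imports of four specific libraries. NETWORK_MODULES and the sample
sources are this example's own assumptions.
"""
import ast
import re
from pathlib import Path
from typing import Dict, Optional, Set, Tuple

# Modules a reviewer would treat as "can reach the network" (reviewer's list, not DocMask's).
NETWORK_MODULES = {
    "requests", "urllib", "urllib3", "httpx", "aiohttp", "http", "socket",
    "ssl", "websocket", "websockets", "pycurl",
}

# The pattern audit #1 uses, so both views can be compared on the same input.
ANCHORED = re.compile(r"^(import|from)\s+(requests|urllib|httpx|aiohttp)", re.MULTILINE)


def regex_hits(source: str) -> Set[str]:
    """What the anchored grep reports: only imports that start a line."""
    return {m.group(2) for m in ANCHORED.finditer(source)}


def _root(dotted: str) -> str:
    return dotted.split(".", 1)[0]


def _literal_first_arg(call: ast.Call) -> Optional[str]:
    """The first argument of a call if it is a string literal, else None."""
    if call.args and isinstance(call.args[0], ast.Constant) and isinstance(call.args[0].value, str):
        return call.args[0].value
    return None


def ast_hits(source: str) -> Set[str]:
    """Every network module the file imports, regardless of where or how."""
    found: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            found.update(_root(a.name) for a in node.names if _root(a.name) in NETWORK_MODULES)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            if _root(node.module) in NETWORK_MODULES:        # covers 'from http import client'
                found.add(_root(node.module))
        elif isinstance(node, ast.Call):
            func = node.func
            dynamic = (isinstance(func, ast.Attribute) and func.attr == "import_module") or \
                      (isinstance(func, ast.Name) and func.id == "__import__")
            target = _literal_first_arg(node) if dynamic else None
            if target and _root(target) in NETWORK_MODULES:
                found.add(_root(target))
    return found


def scan_tree(root: Path) -> Dict[str, Set[str]]:
    """ast_hits() over every *.py below root; {relative path: modules found}."""
    report: Dict[str, Set[str]] = {}
    for path in sorted(root.rglob("*.py")):
        hits = ast_hits(path.read_text(encoding="utf-8"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample files: each shows one import the anchored grep cannot see.
SAMPLE_SOURCES = {
    "clean.py": "import json\nimport hashlib\n\ndef digest(b):\n    return hashlib.sha256(b).hexdigest()\n",
    "lazy.py": "def fetch(url):\n    import requests  # indented: invisible to '^import'\n    return requests.get(url)\n",
    "dynamic.py": "import importlib\nclient = importlib.import_module('httpx')\n",
    "stdlib.py": "from http import client\nimport socket\n",
}


def compare(sources: Dict[str, str] = SAMPLE_SOURCES) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per file: (what the grep sees, what the AST sees)."""
    return {name: (regex_hits(src), ast_hits(src)) for name, src in sources.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # e.g. python scan.py python-sidecar/
        for rel, mods in scan_tree(Path(sys.argv[1])).items():
            print(f"{rel}: {sorted(mods)}")
    else:
        for name, (grep, tree) in compare().items():
            print(f"{name:11} grep={sorted(grep)!s:14} ast={sorted(tree)}")
```

Three of the four constructed files import a network module and none of them is visible to the anchored grep; only the AST view reports them. A hit in scan_tree() is not yet proof of a network call (a module can be imported and never used), but a zero-hit result from this pass is a far stronger statement than a zero-hit grep.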

#2 34 sidecar actions (ACTIONS dict count)

Counts the entries in the ACTIONS dispatch table (lines 922-957 of main.py at the verified revision). Cross-reference with the 35 Tauri invoke handlers in src-tauri/src/lib.rs (34 sidecar_* + 1 frontend-only open_redacted_path).

Get-Content python-sidecar/main.py | Select-Object -Skip 921 | Select-Object -First 36 | Select-String -Pattern '^\s+"[a-z_]+":' | Measure-Object | Select-Object Count

Expected: Count = 34. (POSIX equivalent: sed -n '922,957p' python-sidecar/main.py | grep -E '^\s+"[a-z_]+":' | wc -l)

#3 AES-256-GCM envelope layout

Shows the encrypt() call that produces the on-disk vault envelope: [1B version][12B nonce][ciphertext + 16B GCM tag]. The marketing claim "AES-256-GCM encrypted vault" maps to this exact construction. One thing the encrypt line alone does not prove is the "256": AESGCM() also accepts 16- and 24-byte keys, so confirm the key length where the key is created or loaded (crypto.py:69-87, rows C03 and C-CH1-08), not only at the call site.

Get-Content python-sidecar/crypto.py | Select-Object -Skip 104 | Select-Object -First 5

Expected: lines 105-109 of crypto.py: AESGCM(key).encrypt(nonce, plaintext, aad) with a 32-byte (256-bit) key, 12-byte nonce and 16-byte authentication tag. (POSIX equivalent: sed -n '105,109p' python-sidecar/crypto.py)
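The envelope audit #3 describes, as an added example for this page rather than DocMask's crypto.py: it builds and parses the [1B version][12B nonce][ciphertext + 16B tag] layout, insists on a 32-byte key so the "256" in the claim is enforced rather than assumed, binds the ciphertext to the task_id as AAD (row C-CH1-15), and shows that a single flipped tag bit or a different task_id makes decryption fail. The version byte value, the constant names and the sample record are assumptions; AESGCM is the cryptography-package API the audited call uses.

```python
"""Vault envelope from audit #3: [1B version][12B nonce][ciphertext || 16B GCM tag].

Added example for this page, not DocMask's crypto.py. It assumes the layout
above, AAD = the task_id as UTF-8 bytes (row C-CH1-15) and a version byte of
1; the constant and function names are this example's own. AESGCM comes from
the 'cryptography' package, the same API the audited encrypt() call uses.
"""
import os
from typing import Optional, Tuple

try:
    from cryptography.exceptions import InvalidTag
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    HAVE_CRYPTOGRAPHY = True
except ImportError:                 # layout checks below still run without it
    InvalidTag = Exception
    HAVE_CRYPTOGRAPHY = False

VERSION = 1        # assumption: the only envelope version currently written
KEY_LEN = 32       # 32 bytes = AES-256; AESGCM() would silently accept 16 or 24
NONCE_LEN = 12     # 96-bit nonce, GCM's recommended size
TAG_LEN = 16       # 128-bit authentication tag appended by encrypt()
MIN_ENVELOPE = 1 + NONCE_LEN + TAG_LEN   # empty plaintext still produces 29 bytes


def parse_envelope(blob: bytes) -> Tuple[int, bytes, bytes, bytes]:
    """Split an envelope into (version, nonce, ciphertext, tag); reject malformed input."""
    if len(blob) < MIN_ENVELOPE:
        raise ValueError(f"envelope too short: {len(blob)} < {MIN_ENVELOPE}")
    version = blob[0]
    if version != VERSION:
        raise ValueError(f"unsupported envelope version {version}")
    nonce = blob[1:1 + NONCE_LEN]
    body = blob[1 + NONCE_LEN:]
    return version, nonce, body[:-TAG_LEN], body[-TAG_LEN:]


def build_envelope(nonce: bytes, ct_and_tag: bytes) -> bytes:
    """Prefix the version byte and nonce to what AESGCM.encrypt() returned."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 12 bytes")
    if len(ct_and_tag) < TAG_LEN:
        raise ValueError("ciphertext is missing its tag")
    return bytes([VERSION]) + nonce + ct_and_tag


def seal(key: bytes, plaintext: bytes, task_id: str, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt under AES-256-GCM with AAD = task_id (UTF-8) and return the envelope."""
    if len(key) != KEY_LEN:
        raise ValueError("an 'AES-256' claim requires a 32-byte key")
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce   # never reuse a nonce under one key
    return build_envelope(nonce, AESGCM(key).encrypt(nonce, plaintext, task_id.encode("utf-8")))


def open_envelope(key: bytes, blob: bytes, task_id: str) -> bytes:
    """Reverse of seal(); raises InvalidTag on any bit flip or a different task_id."""
    _, nonce, ciphertext, tag = parse_envelope(blob)
    return AESGCM(key).decrypt(nonce, ciphertext + tag, task_id.encode("utf-8"))


def demo() -> dict:
    """Round-trip, then show that a flipped tag bit and a different task_id are both rejected."""
    key = os.urandom(KEY_LEN)
    msg = b"SSN 123-45-6789 -> Person_A"           # constructed mapping line
    blob = seal(key, msg, "task-0001")
    result = {"layout_ok": len(blob) == MIN_ENVELOPE + len(msg),
              "roundtrip_ok": open_envelope(key, blob, "task-0001") == msg}
    flipped = bytearray(blob)
    flipped[-1] ^= 0x01                              # one bit of the tag
    try:
        open_envelope(key, bytes(flipped), "task-0001")
        result["tamper_rejected"] = False
    except InvalidTag:
        result["tamper_rejected"] = True
    try:
        open_envelope(key, blob, "task-0002")        # right key, wrong AAD
        result["wrong_aad_rejected"] = False
    except InvalidTag:
        result["wrong_aad_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo() if HAVE_CRYPTOGRAPHY else "install 'cryptography' to run the round-trip")
```

The AAD binding is the part a reviewer most often overlooks: with AAD = task_id, an envelope copied from one task's vault entry to another's fails authentication even though it decrypts under the same key, so a file-swap inside the vault cannot silently relabel a mapping.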

#4 Fully offline license verification

License verification is a pure ed25519 signature check with no network call. This confirms the claim "100% offline licence verification". -Pattern is a regular expression; do not add -SimpleMatch, which would turn the alternation into one literal string and make the check pass vacuously.

Get-Content python-sidecar/license.py | Select-Object -Skip 201 | Select-Object -First 44 | Select-String -Pattern 'requests|urllib|httpx|aiohttp|http\.client|socket'

Expected: zero matches. The function body (lines 202-245) is a pure base64 decode → ed25519 verify → JSON parse, with no network primitive. (POSIX equivalent: sed -n '202,245p' python-sidecar/license.py | grep -nE 'requests|urllib|httpx|aiohttp|http\.client|socket')
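The base64 decode → ed25519 verify → JSON parse sequence, with the two properties the table attributes to it (a public-key tuple for rotation, row C-CH1-11, and a SHA-256 device fingerprint, row C-CH1-13), as an added example for this page rather than DocMask's license.py. The token layout, payload field names, fingerprint separator and demo keys are this example's assumptions; the page only states what is verified and over which fields. Nothing in it opens a socket, which is the whole point of the claim.

```python
"""Offline licence check from audit #4: base64 decode -> ed25519 verify -> JSON parse.

Added example for this page, not DocMask's license.py. The token layout
(base64url payload '.' base64url signature), the payload fields, the '|'
separator in the fingerprint and the demo keys are this example's assumptions.
The page states only that verification is a pure ed25519 signature check, that
public keys live in a tuple so keys can be rotated, and that the device
fingerprint is SHA-256 over (node, uuid.getnode, machine, system, USERNAME).
Nothing below opens a socket.
"""
import base64
import hashlib
import json
import os
import platform
import time
import uuid
from typing import Optional, Tuple

try:
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
    from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    HAVE_CRYPTOGRAPHY = False


def device_fingerprint(fields: Optional[Tuple[str, ...]] = None) -> str:
    """SHA-256 over the host identity fields (order and '|' separator are assumed)."""
    if fields is None:
        fields = (platform.node(), str(uuid.getnode()), platform.machine(), platform.system(),
                  os.environ.get("USERNAME", os.environ.get("USER", "")))
    return hashlib.sha256("|".join(fields).encode("utf-8")).hexdigest()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def verify_token(token: str, public_keys: Tuple[bytes, ...], fingerprint: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Payload if the token is validly signed, bound to this device and unexpired; else None.

    public_keys is the rotation tuple: a token may be signed by any key in it, so a
    retired key can be dropped later without touching tokens issued by the current one.
    """
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload_bytes, signature = _b64url_decode(payload_b64), _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    for raw in public_keys:
        try:
            Ed25519PublicKey.from_public_bytes(raw).verify(signature, payload_bytes)
            break
        except InvalidSignature:
            continue
    else:
        return None                                  # no trusted key signed this
    payload = json.loads(payload_bytes)              # parse only after the signature holds
    if payload.get("fp") != fingerprint:
        return None                                  # issued for another device
    if "exp" in payload and (time.time() if now is None else now) > payload["exp"]:
        return None
    return payload


def issue_token(private_key: "Ed25519PrivateKey", payload: dict) -> str:
    """Vendor side (also offline): sign the canonical JSON and join the two halves."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return f"{_b64url_encode(body)}.{_b64url_encode(private_key.sign(body))}"


def demo() -> dict:
    """Good token passes; tampered, foreign-key, other-device and expired tokens fail."""
    current, retired, stranger = (Ed25519PrivateKey.generate() for _ in range(3))
    raw = lambda k: k.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    trusted = (raw(current), raw(retired))           # rotation tuple; 'stranger' stands in for a staging key
    fp = device_fingerprint(("host", "1234", "x86_64", "Linux", "alice"))   # constructed host
    good = issue_token(current, {"sub": "order-1", "fp": fp, "exp": 2_000_000_000})
    return {
        "good": verify_token(good, trusted, fp, now=1_700_000_000) is not None,
        "tampered": verify_token("A" + good[1:], trusted, fp) is None,       # first payload byte changed
        "foreign_key": verify_token(issue_token(stranger, {"sub": "order-1", "fp": fp}), trusted, fp) is None,
        "other_device": verify_token(issue_token(current, {"sub": "order-1", "fp": "0" * 64}), trusted, fp) is None,
        "expired": verify_token(issue_token(retired, {"sub": "order-0", "fp": fp, "exp": 1}),
                                trusted, fp, now=1_700_000_000) is None,
    }


if __name__ == "__main__":
    print(demo() if HAVE_CRYPTOGRAPHY else "install 'cryptography' to run the demo")
```

Two details matter for the disprove path in item 3 below: the JSON is parsed only after a trusted key has verified the signature (so a malformed or hostile payload never reaches the parser unsigned), and the staging key is simply absent from the tuple rather than gated by an environment check, which is what "staging key isolation" has to mean for a purely offline verifier.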

#5 Network observation while running DocMask

This is the strongest audit available: actually run DocMask while observing all outbound traffic. The only host that should appear is updater.tauri.app (the Tauri Updater plugin's manifest fetch; opt out via Settings → Updates). Hostnames are visible on the wire in DNS queries and in the TLS ClientHello's SNI field, not in the HTTP request itself, which is encrypted on port 443; a capture that only greps for a Host: header on port 443 will see nothing by construction, so watch port 53 and the SNI as well.

# Windows (PowerShell as admin):
pktmon filter add -p 53
pktmon filter add -p 80
pktmon filter add -p 443
pktmon start --etw
# Run DocMask, redact a sample document, close DocMask
pktmon stop
pktmon format PktMon.etl -o trace.txt   # 'pktmon etl2txt' on newer builds
Select-String trace.txt -Pattern 'docmask\.app|github\.com|cloudflareinsights|updater\.tauri\.app'
pktmon filter remove

# macOS / Linux (DNS queries, then TLS SNI via Wireshark's tshark if installed):
sudo tcpdump -i any -n 'udp port 53'
sudo tshark -i any -Y 'tls.handshake.type == 1' -T fields -e tls.handshake.extensions_server_name

Expected: only updater.tauri.app appears. Zero hits on docmask.app, GitHub, OpenAI, Anthropic or any other LLM provider. Cloudflare Web Analytics fires from this landing page (the one you are reading now), not from the DocMask app; they are entirely different binaries.

All 35 claims, traced

Filter by status or source. Each row links to the proof file on GitHub (request source access via the contact section below). Line numbers refer to the revision current on the "Last verified" date at the top of this page.

Columns: ID · Claim · Source · Proof (file:line) · Note (where applicable) · Status

C01
Claim: "Files never leave your computer (zero outbound HTTP from the bundled sidecar)"
Source: landing/index.html hero + features
Proof: python-sidecar/*.py (whole tree); see audit script #1
Status: verified

C02
Claim: "AES-256-GCM encrypted vault for at-rest data"
Source: landing/index.html security
Proof: python-sidecar/crypto.py:108
Status: verified

C03
Claim: "Master key in OS credential manager (Keychain / Credential Manager / Secret Service)"
Source: landing/index.html security
Proof: python-sidecar/crypto.py:69-87
Note: caveat: <1% of headless/sandboxed installs fall back to a 0o600-permission keyfile
Status: verified w/ caveat

C04
Claim: "OOXML layer rewrite (true content modification, not just visual masking)"
Source: landing/index.html features
Proof: python-sidecar/converters/docx_processor.py
Status: verified

C05
Claim: "PDF text-layer round-trip preserves redacted output as searchable PDF"
Source: landing/index.html features
Proof: python-sidecar/converters/pdf_bridge.py (pikepdf + reportlab)
Status: verified

C06
Claim: "Reversible alias format like 'Person A' / 'Phone A' (space-separated)"
Source: landing/index.html alias preview
Proof: python-sidecar/aliases.py:59
Note: the actual EN format is "Person_A" (underscore); ZH is "Person甲" (no separator). Copy fix scheduled.
Status: verified w/ discrepancy

C07
Claim: "One-click restore: alias → original (round-trip without collision)"
Source: landing/index.html how-it-works
Proof: python-sidecar/restorer.py:1-28
Note: two-stage placeholder algorithm using the BMP private-use area U+E000..U+F8FF
Status: verified

C08
Claim: "Consistent alias across batch processing (same original → same alias across docs)"
Source: landing/index.html features
Proof: python-sidecar/aliases.py:60-79
Status: verified

C09
Claim: "Audit trail: CSV mapping export + ZIP packaging"
Source: landing/index.html features
Proof: python-sidecar/main.py handle_export_mapping
Status: verified

C10
Claim: "Built-in Luhn check for credit-card numbers"
Source: landing/index.html PII rules
Proof: python-sidecar/scanner.py credit_card_luhn rule
Status: verified

C11
Claim: "Built-in US PII rules (SSN, EIN, phone, address)"
Source: landing/index.html PII rules
Proof: python-sidecar/scanner.py US-region rules
Status: verified

C12
Claim: "Built-in EU PII rules (IBAN format)"
Source: landing/index.html PII rules
Proof: python-sidecar/scanner.py:481
Note: caveat: format check only, NOT a full mod-97 checksum
Status: verified w/ caveat

C13
Claim: "CN PII rules (USCC / ID card / mobile etc.) opt-in"
Source: landing/index.html PII rules
Proof: python-sidecar/scanner.py:374-378
Note: EN UI default-OFF (true opt-in); ZH UI default-ON (opt-out). Copy will change to "Configurable per region in Settings → Rules & Keywords"
Status: verified w/ discrepancy

C14
Claim: "Zero client-side telemetry (no analytics in bundled app)"
Source: landing/index.html + privacy.html
Proof: python-sidecar/*.py + src-tauri/src/*.rs
Note: RESOLVED 2026-05-02: CF Web Analytics beacon embedded in 7 landing/*.html (token c4a8d10...) applies to this website only, NOT to the desktop app
Status: verified

C15
Claim: "Auto-detect Office / WPS / LibreOffice for OOXML processing"
Source: landing/index.html features
Proof: python-sidecar/converters/docx_processor.py
Status: verified

C16
Claim: "14-day full-functionality trial; after day 14 scan stays free, redaction needs license"
Source: landing/index.html pricing
Proof: python-sidecar/license.py:50 TRIAL_DAYS = 14
Note: UI-layer "scan stays free post-expiry" pending manual regression
Status: verified w/ discrepancy

C17
Claim: "$39 one-time purchase"
Source: landing/index.html pricing
Proof: infra/worker/src/index.ts:223
Note: RESOLVED 2026-05-02: owner self-purchased 1 unit via Creem live, recorded video, full link verified end-to-end
Status: verified

C18
Claim: "7-day refund window with server-side audit trail"
Source: landing/refund.html + index.html
Proof: infra/worker/src/index.ts:244-263 + creem.ts:136-148
Note: refund.html:197 openly discloses "license check is offline-first; activated app may continue running in current session"; that disclosure is the marketing
Status: verified

C-CH1-01
Claim: "Tauri command surface: 35 invoke handlers + updater plugin is sole outbound HTTP path"
Source: whitepaper Ch1 §1.x
Proof: src-tauri/src/lib.rs:701-737 (34 sidecar_* + 1 open_redacted_path)
Status: verified

C-CH1-02
Claim: "Windows CREATE_NO_WINDOW flag prevents black console window flash"
Source: whitepaper Ch1 sidecar spawn
Proof: src-tauri/src/sidecar.rs:101-110 CREATE_NO_WINDOW: u32 = 0x0800_0000
Status: verified

C-CH1-03
Claim: "Bundled exe primary + dev script fallback for sidecar location"
Source: whitepaper Ch1 sidecar discovery
Proof: src-tauri/src/sidecar.rs:55-91
Status: verified

C-CH1-04
Claim: "Short-lived sidecar process: spawn → write stdin → wait → die per invocation"
Source: whitepaper Ch1 sidecar lifecycle
Proof: src-tauri/src/sidecar.rs:129-165
Status: verified

C-CH1-05
Claim: "Python sidecar exposes 33 action handlers via JSON-RPC"
Source: whitepaper Ch1 §1.x action surface
Proof: python-sidecar/main.py:922-957
Note: actual count is 34 (off-by-one in the original draft, fixed in v1.2)
Status: verified w/ discrepancy

C-CH1-06
Claim: "main() loop: read JSON request → dispatch via ACTIONS dict → write JSON response → exit"
Source: whitepaper Ch1 sidecar entry
Proof: python-sidecar/main.py:972-1017
Status: verified

C-CH1-07
Claim: "Vault root follows platform conventions (APPDATA / Library/App Support / XDG_DATA_HOME)"
Source: whitepaper Ch1 platform paths
Proof: python-sidecar/vault.py:26-37
Status: verified

C-CH1-08
Claim: "Master key fetched from OS keyring; falls back to 0o600 keyfile if keyring unavailable"
Source: whitepaper Ch1 crypto bootstrap
Proof: python-sidecar/crypto.py:69-87
Status: verified

C-CH1-09
Claim: "AES-GCM ciphertext envelope: [1B version][12B nonce][ciphertext+16B tag]"
Source: whitepaper Ch1 crypto envelope
Proof: python-sidecar/crypto.py:105-109
Status: verified

C-CH1-10
Claim: "Honest threat model: deter casual sharing, not defeat a determined reverse engineer"
Source: whitepaper Ch1 license threat model
Proof: python-sidecar/license.py:25-30 module docstring
Status: verified

C-CH1-11
Claim: "Public-key tuple supports rotation + staging key isolation"
Source: whitepaper Ch1 license keys
Proof: python-sidecar/license.py:78-102
Status: verified

C-CH1-12
Claim: "_verify_token is fully offline (ed25519 signature verification only)"
Source: whitepaper Ch1 license verify
Proof: python-sidecar/license.py:202-245; see audit script #4
Status: verified

C-CH1-13
Claim: "Device fingerprint: SHA-256 over (node + uuid.getnode + machine + system + USERNAME)"
Source: whitepaper Ch1 device binding
Proof: python-sidecar/license.py:152-167
Status: verified

C-CH1-GREP
Claim: "git grep for network libs in python-sidecar/ shows only test code"
Source: whitepaper Ch1 §1.8 reviewer self-audit
Proof: git grep -E '^(import|from)\s+(requests|urllib|httpx|aiohttp)'; see audit script #1
Status: verified

C-CH1-14
Claim: "Updater verifies update manifest using minisign (ed25519-based) public key"
Source: whitepaper Ch1 v1.2 §1.3
Proof: src-tauri/tauri.conf.json:62 pubkey field decodes to 'minisign public key: B92B19E4F397543C'
Status: verified

C-CH1-15
Claim: "AES-GCM AAD = task_id UTF-8 bytes (single field), not vault_id:item_id structured"
Source: whitepaper Ch1 v1.2 §1.5
Proof: python-sidecar/mapping_store.py:52
Status: verified

C-CH1-16
Claim: "v1 license key was rotated because operator typo'd private key into 'name' field of wrangler secret put"
Source: whitepaper Ch1 v1.2 §1.6
Proof: python-sidecar/license.py:80-84 verbatim from code comment
Status: verified
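Rows C10 and C12 both concern check digits, and C12's caveat is exactly the difference between a format rule and a checksum. The following is an added example for this page, not DocMask's scanner.py: iban_format_ok() is the weaker check the caveat describes, iban_checksum_ok() is the full ISO 7064 mod-97 test a reviewer would expect, and luhn_ok() is the card check from C10. The IBAN pattern and the sample values are constructed test data, not real accounts.

```python
"""Check-digit validation behind rows C10 and C12: Luhn (cards) and IBAN mod-97.

Added example for this page, not DocMask's scanner.py. Row C12 notes that the
IBAN rule is a format check only; iban_format_ok() is that weaker check and
iban_checksum_ok() is the full ISO 7064 mod-97 test. The sample numbers are
constructed test values, not real accounts.
"""
import re

# Assumed format rule: 2-letter country, 2 check digits, 11-30 alphanumerics (IBANs are 15-34 chars).
IBAN_FORMAT = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")


def luhn_ok(number: str) -> bool:
    """Luhn: double every second digit from the right, sum the digits, total % 10 == 0."""
    compact = number.replace(" ", "").replace("-", "")
    if len(compact) < 2 or not compact.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_format_ok(iban: str) -> bool:
    """The format-only rule (row C12 caveat): shape right, check digits unverified."""
    return IBAN_FORMAT.match(iban.replace(" ", "").upper()) is not None


def iban_checksum_ok(iban: str) -> bool:
    """ISO 7064 mod-97: move the first 4 chars to the end, map A..Z to 10..35, int % 97 == 1."""
    compact = iban.replace(" ", "").upper()
    if not iban_format_ok(compact):
        return False
    rotated = compact[4:] + compact[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rotated)
    return int(numeric) % 97 == 1


def classify(value: str) -> dict:
    """Which rules fire on a value: what a format-only scanner sees versus the checksum."""
    return {"luhn": luhn_ok(value), "iban_format": iban_format_ok(value), "iban_mod97": iban_checksum_ok(value)}


# Constructed samples: the second of each pair differs from the first by one digit.
SAMPLES = [
    "4111111111111111",              # Luhn-valid test PAN
    "4111111111111112",              # one digit off: Luhn rejects it
    "GB82 WEST 1234 5698 7654 32",   # mod-97 valid
    "GB82 WEST 1234 5698 7654 33",   # passes the format rule, fails mod-97
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:30} {classify(s)}")
```

The last sample is the practical consequence of the C12 caveat: a format-only rule redacts it as an IBAN even though it cannot be one, so the format check errs toward over-redaction (false positives), which is the safe direction for a redaction tool but worth knowing when you read the mapping export.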
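Row C07 says restore is collision-free because it goes through private-use-area placeholders in two stages. Why one stage is not enough, and what the two stages buy, as an added example for this page rather than DocMask's restorer.py: the mapping below is constructed so that one original value literally contains another alias and one alias is a prefix of another, the two inputs a single replace pass gets wrong. The underscore alias format follows row C06; the function names are this example's own.

```python
"""Two-stage alias -> original restore with private-use-area placeholders (row C07).

Added example for this page, not DocMask's restorer.py. The page states that
restore uses a two-stage placeholder in U+E000..U+F8FF; the "Person_A" alias
format follows row C06, and the mapping and text below are constructed.
"""
import re
from typing import Dict

PUA_START, PUA_END = 0xE000, 0xF8FF     # BMP private-use area, as cited in row C07


def contains_private_use(text: str) -> bool:
    """True if the input already uses the code points we want as placeholders."""
    return any(PUA_START <= ord(ch) <= PUA_END for ch in text)


def restore_naive(text: str, mapping: Dict[str, str]) -> str:
    """One sequential str.replace per alias: order-dependent, and an original that
    contains another alias is re-expanded on a later pass."""
    for alias, original in mapping.items():
        text = text.replace(alias, original)
    return text


def restore_two_stage(text: str, mapping: Dict[str, str]) -> str:
    """Stage 1: every alias -> its own private-use code point (longest alias first, so
    'Person_A' never matches inside 'Person_AB'). Stage 2: code point -> original.
    Originals are never rescanned, so an alias inside an original cannot collide."""
    if len(mapping) > PUA_END - PUA_START + 1:
        raise ValueError("more aliases than private-use code points")
    if contains_private_use(text):
        raise ValueError("input already contains private-use characters; refuse to use them as placeholders")
    aliases = sorted(mapping, key=len, reverse=True)
    placeholder = {alias: chr(PUA_START + i) for i, alias in enumerate(aliases)}
    pattern = re.compile("|".join(re.escape(a) for a in aliases))
    staged = pattern.sub(lambda m: placeholder[m.group(0)], text)          # stage 1
    original_of = {ph: mapping[alias] for alias, ph in placeholder.items()}
    return "".join(original_of.get(ch, ch) for ch in staged)                # stage 2


# Constructed mapping: "Person_B" restores to a company name that contains "Person_A",
# and "Person_A" is a prefix of "Person_AB".
MAPPING = {
    "Person_A": "Alice Zhang",
    "Person_B": "Person_A Holdings Ltd",
    "Person_AB": "Bob Li",
    "Phone_A": "+1 555 0100",
}
REDACTED = "Person_B hired Person_AB; call Person_A on Phone_A."
EXPECTED = "Person_A Holdings Ltd hired Bob Li; call Alice Zhang on +1 555 0100."

if __name__ == "__main__":
    print("naive:    ", restore_naive(REDACTED, MAPPING))
    print("two-stage:", restore_two_stage(REDACTED, MAPPING))
```

The guard on existing private-use characters is the edge case to test: a document that already contains U+E000..U+F8FF code points (some icon fonts and legacy encodings put glyphs there) would otherwise have those characters rewritten as if they were placeholders, so a correct restorer must detect them and either escape them or refuse.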

How to disprove us

If our marketing copy is dishonest, here are 5 specific paths a reviewer would take. We list them so you do not have to work them out yourself.

1. Find an outbound HTTP call we hid (audit scripts #1, #5)

If audit script #1 hits anything other than tests/e2e_worker_flow.py, or audit script #5 sees outbound traffic to a host other than updater.tauri.app, claim C01 is false.

2. Decrypt a vault without the keyring (claims C02, C03)

Copy %APPDATA%/DocMask/vault/*.bin to a different machine without copying the OS keyring entry (or the 0o600 keyfile, where applicable). If you can recover plaintext, either the key is recoverable from the vault files themselves or the AES-256-GCM construction is broken; either way, C02 and C03 are false.

3. Activate a license while offline (claim C-CH1-12)

Pull the network cable, disable Wi-Fi, or set the firewall to drop all traffic, then paste a valid license token. If the app refuses to activate or contacts a server, C-CH1-12 is false.

4. Find a cited file:line that does not exist (all rows)

Every claim row above lists a file:line. Open the source (request access via the contact section) at the revision current on the "Last verified" date at the top of this page, since line numbers drift between commits, and navigate to that line. If the cited line is empty or does not contain what we say it does, the row is invalid.

5. Catch us using third-party trackers (claim C14)

Open this website in DevTools → Network and filter to third-party requests. You should see only cloudflareinsights.com/beacon.min.js (Cloudflare Web Analytics, cookieless, GDPR-friendly). If you see Google / Meta / TikTok / Mixpanel / anything else, claim C14 as it applies to this site is false. (The desktop app sends nothing; that is what audit script #5 checks.)

For procurement / security review

Need source code access for a private security review? Need a signed copy of this proof sheet for your compliance file? Want to dispute or extend a claim? Contact us; we typically respond within 24 hours.