There's a quiet pattern in everyday dev work: the most convenient tool for a job
is a website you paste sensitive data into.
- Need to read a JWT? → paste a production token into jwt.io.
- Checking a Content-Security-Policy? → paste your security config into an online evaluator.
- Sharing a payload in a bug report? → paste customer PII into an online redactor.
Each is genuinely useful — and each either uploads data you're trying to protect,
or makes you deploy first just to check a config. But none of these jobs needs a
server: they're parsing, checksums, and rule-based analysis that run fine in your
browser. So I rebuilt four of them to run locally and upload nothing.
1. jwtlens — decode, audit & verify JWTs
Decode the claims, run a security lint (alg:none, missing exp, HS↔RS
alg-confusion), and verify the signature client-side with the Web Crypto API —
HS/RS/PS/ES, with your own secret/PEM/JWK.
→ https://didrod205.github.io/jwtlens/ · npx jwtlens scan
2. csp-doctor — find the XSS holes in your CSP
Paste a policy and it flags 'unsafe-inline', wildcards, missing
object-src/base-uri, and the allowlisted CDN hosts that silently bypass CSP
(JSONP / hosted AngularJS) — nonce/strict-dynamic-aware, so a modern policy isn't
flagged for nothing.
→ https://didrod205.github.io/csp-doctor/ · npx csp-doctor scan
3. scrubpii — make a payload safe to share
Paste a JSON payload or log and get a redacted copy: emails, Luhn-valid cards,
JWTs, API keys, IPs. Pseudonyms keep referential integrity — the same value
maps to the same alias everywhere, so the redacted data is still coherent.
→ https://didrod205.github.io/scrubpii/ · cat payload.json | npx scrubpii redact
4. cookie-doctor — lint your Set-Cookie headers
Paste a Set-Cookie (or a curl -I response) and it flags missing
HttpOnly/Secure/SameSite, SameSite=None without Secure, and the
__Host-/__Secure- prefix rules — the violations that make a browser
silently drop your cookie, so logins mysteriously stop sticking.
→ https://didrod205.github.io/cookie-doctor/ · curl -sI url | npx cookie-doctor scan
How they're built (the part that makes "local-first" honest)
Each is a small TypeScript package with a pure, zero-dependency core that powers
both a CLI and the browser playground — same engine, same results. The CLI lets you
gate any of this in CI; the playground is just that core compiled for the web. The
only "server-ish" bit, JWT signature verification, runs on crypto.subtle in the
browser and node:crypto in the CLI (fun detail: JWS ECDSA signatures are raw
P1363, which WebCrypto expects natively but Node has to be told about explicitly).
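As an added example (not code from jwtlens or any of the packages above), here is the CLI-side ES256 verification path described in this paragraph, written against node:crypto with the P1363 detail made explicit. makeEs256Token and verifyEs256 are hypothetical names and the claims are constructed; the dsaEncoding parameter exists only to show what goes wrong when Node is not told the signature is raw r||s.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

type DsaEncoding = "der" | "ieee-p1363";

const b64u = (s: string): string => Buffer.from(s, "utf8").toString("base64url");

// Mint an ES256 JWS over constructed claims with a fresh P-256 key pair.
// JWS mandates the raw r||s signature form (IEEE P1363, 64 bytes for P-256);
// Node's default output is ASN.1 DER, so it has to be told via dsaEncoding.
function makeEs256Token(claims: Record<string, unknown>) {
  const { privateKey, publicKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  const signingInput = `${b64u(JSON.stringify({ alg: "ES256", typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
  const sig = sign("sha256", Buffer.from(signingInput), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return { token: `${signingInput}.${sig.toString("base64url")}`, publicKey, sigLength: sig.length };
}

// Verify a compact ES256 JWS against a public key. A caller that leaves
// dsaEncoding at Node's "der" default will see a perfectly valid token fail.
function verifyEs256(token: string, publicKey: KeyObject, dsaEncoding: DsaEncoding = "ieee-p1363"): boolean {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;
  try {
    const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    if (header.alg !== "ES256") return false; // refuse alg:none and HS/RS substitution outright
    const sig = Buffer.from(s, "base64url");
    if (dsaEncoding === "ieee-p1363" && sig.length !== 64) return false; // r and s, 32 bytes each
    return verify("sha256", Buffer.from(`${h}.${p}`), { key: publicKey, dsaEncoding }, sig);
  } catch {
    return false; // a malformed header or signature is a verification failure, never an exception
  }
}
```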
All MIT, all on npm. If you maintain something similar, the takeaway is simply:
a lot of "paste it into our website" tools don't need to be websites.
Which dev tool do you wish ran locally? I'm collecting ideas.