Demeanor for .NET Documentation

Two ways to get started: let Claude handle everything, or configure manually via CLI.

Getting Started with Claude RECOMMENDED

The fastest path. Claude acts as a senior .NET security consultant — it audits your assemblies, identifies every risk, configures maximum-strength protection, and writes your CI/CD build config. You make the decisions; Claude does the work.

1

Install Demeanor (one command)

dotnet tool install -g WiseOwl.Demeanor

One Native AOT global tool package, two binaries on PATH: demeanor and inspect. On first invocation demeanor auto-installs the /obfuscate skill into ~/.claude/skills/obfuscate/ and registers itself as an MCP server in ~/.claude.json. Skip with DEMEANOR_NO_BOOTSTRAP=1 if needed.

2

Set your Enterprise license key

# In your shell profile or CI secrets:
export DEMEANOR_LICENSE="your-enterprise-key"

Enterprise license required for the AI-assisted workflow. Get one here. Community tier (free) works for basic renaming without AI.

3

Open your project in Claude Code and type /obfuscate

Claude follows a 6-phase workflow:

  1. Audit — scans your assemblies for 20 framework patterns that break after obfuscation
  2. Configure — builds exclusion rules from your decisions
  3. Dry Run — full simulation, shows what would change, you approve
  4. Obfuscate — applies all protection: renaming, encryption, CFG, anti-tamper
  5. Verify — compares output, queries the report, helps you test
  6. CI/CD — writes MSBuild config so every Release build is obfuscated automatically

After Phase 6, your CI/CD pipeline runs obfuscation unattended on every Release build. No ongoing AI dependency.

Full AI workflow details →

Getting Started with CLI

For developers who prefer manual control, or if you're using Community (free) tier.

1

Install the CLI tool

dotnet tool install -g WiseOwl.Demeanor

One-time setup. Puts demeanor on your PATH across Windows, Linux, and Mac.

2

Audit your assembly (Enterprise)

demeanor audit bin/Release/net10.0/MyApp.dll

Pre-obfuscation risk analysis. Detects 20 framework patterns and tells you exactly what to exclude and why. Add --json for structured output.

3

Wire MSBuild integration

demeanor init

Finds the nearest .csproj and appends a small MSBuild target that calls demeanor after every Release build. Idempotent — safe to run again. No NuGet package is added.

4

Build

dotnet build -c Release

Your Release output is now obfuscated. Every subsequent Release build is too.

5

Verify and debug

# Check if an assembly is obfuscated
demeanor check bin/Release/net10.0/MyApp.dll

# Inspect the obfuscated output (standalone tool, no license required)
inspect bin/Release/net10.0/MyApp.dll

# Deobfuscate a crash stack trace
demeanor deobfuscate crash.txt --report report.json

How Demeanor responds to risky patterns

When the IL analyzers find a construct that wouldn’t survive renaming, Demeanor takes one of two actions:

1. Auto-suppression (no action required)

For patterns where the exact names that must be preserved can be derived from the IL, Demeanor automatically excludes those symbols from renaming. You don’t need to do anything.

  • ReflectionAnalyzerType.GetType("X"), typeof(T).GetMethod("Name"), JsonSerializer.Serialize<T> (freezes T’s properties), ASP.NET WriteAsJsonAsync<T>, DLR dynamic binders
  • PropertyUsageAnalyzer — JSON DTOs, [JsonSerializable] source-gen, Blazor [Parameter]/[Inject], WPF INotifyPropertyChanged, WCF [DataContract], XML serialization, COM interop
  • ExclusionEngine — entry points (Main), runtime-critical members, serializable fields, public/protected library symbols

These show up in the audit report as auto-detected. The recommendation says “No action needed.”

2. Advisory — Demeanor recommends a source change

For patterns where Demeanor can observe the risk but not safely decide which symbols to freeze, it emits an advisory and does not change rename output. You decide: add an annotation, add an exclusion, or rewrite the construct.

  • MinimalApiScannerMapGet/MapPost handler return types whose properties aren’t protected. Recommendation: add [JsonSerializable(typeof(YourDto))].
  • AotJsonAnalyzer — reflection-path JsonSerializer.Serialize<T> / Deserialize<T> calls and non-generic JsonStringEnumConverter ctor uses. Recommendation: migrate to a source-generated JsonSerializerContext; replace with JsonStringEnumConverter<TEnum>. Surfaces unconditionally even for libraries that never AOT-publish.
  • Audit heuristics — SignalR Hub, MVC Controller, EF Core DbContext, IOptions<T>, MEF, gRPC, WPF/XAML BAML. Recommendation: add the suggested --exclude/--xr rule or [Obfuscation].

Each finding carries a Classification:

  • auto-detected — handled automatically. No action.
  • needs-exclusion — add --exclude, --xr, or [Obfuscation].
  • needs-code-change — modify source (e.g. add [JsonSerializable], switch to source-gen).
  • advisory — informational; may not need action.

Licensing Overview

Per-company licensing. No seat counting, no machine locking, no activation server. License keys are self-validating — they work completely offline.

  • Community — Free. Symbol renaming, alpha naming, single assembly.
  • Enterprise ($2,999/yr) — All encryption, CFG, proxy, AI-assisted workflow, multi-assembly, incremental, reports.

No license key is needed for Community tier. See full licensing details.

Reference

[email protected] · wiseowlsoftware.com