@datafog/fogclaw 0.1.0

package/.github/workflows/harness-docs.yml

@@ -0,0 +1,30 @@
+name: Harness Docs
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  docs_lint:
+    name: Docs Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Lint harness docs
+        run: |
+          bash scripts/ci/he-docs-lint.sh
+          bash scripts/ci/he-specs-lint.sh
+          bash scripts/ci/he-plans-lint.sh
+          bash scripts/ci/he-spikes-lint.sh
+
+  docs_drift:
+    name: Docs Drift Gate
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Enforce doc updates on relevant changes
+        run: bash scripts/ci/he-docs-drift.sh

package/AGENTS.md

@@ -0,0 +1,28 @@
+# AGENTS.md
+
+## Start Here
+
+This file is a map, not an encyclopedia.
+
+The system of record is `docs/`. Keep durable knowledge (specs, plans, logs, decisions, checklists) there and link to it from here.
+
+## Golden Principles
+
+- Prove it works: never claim completion without running the most relevant validation (tests, build, or a small end-to-end check) or explicitly recording why it could not be run.
+- Keep AGENTS.md minimal and stable; detailed procedure belongs in `docs/runbooks/`.
+
+## Source Of Truth (Table Of Contents)
+
+- Workflow contract + artifact rules: `docs/PLANS.md`
+- Specs (intent): `docs/specs/`
+- Spikes (investigation findings): `docs/spikes/`
+- Plans (execution + evidence): `docs/plans/`
+- Runbooks (process checklists): `docs/runbooks/`
+- Generated context (scratchpad/reference): `docs/generated/`
+- Architecture (if present): `ARCHITECTURE.md`
+
+## Workflow (Phases)
+
+intake -> spike (optional) -> plan -> implement -> review -> verify-release -> learn
+
+If this file grows beyond a compact index, move detailed guidance into `docs/` and keep links here.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 DataFog
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,208 @@
+# FogClaw
+
+An [OpenClaw](https://github.com/openclaw/openclaw) plugin for PII detection and custom entity redaction, powered by [DataFog](https://github.com/datafog/datafog-python).
+
+FogClaw uses a dual-engine approach: battle-tested regex patterns for structured PII (emails, SSNs, credit cards, etc.) and [GLiNER](https://github.com/urchade/GLiNER) via ONNX for zero-shot named entity recognition — letting you redact not just PII but any custom terms, expressions, or entity types you define.
+
+## Features
+
+- **Automatic guardrail** — intercepts messages before they reach the LLM via OpenClaw's `before_agent_start` hook
+- **On-demand tools** — `fogclaw_scan` and `fogclaw_redact` tools the agent can invoke explicitly
+- **Dual detection engine** — regex for structured PII (<1ms), GLiNER for zero-shot NER (~50-200ms)
+- **Custom entity types** — define any entity label (e.g., "project codename", "competitor name") and GLiNER detects them with zero training
+- **Configurable actions** — per-entity-type behavior: `redact`, `block`, or `warn`
+- **Multiple redaction strategies** — `token`, `mask`, or `hash`
+- **Graceful degradation** — falls back to regex-only mode if GLiNER fails to load
+
+## Installation
+
+```bash
+# From the OpenClaw CLI
+openclaw plugins install @datafog/fogclaw
+
+# Or manually
+git clone https://github.com/DataFog/fogclaw.git ~/.openclaw/extensions/fogclaw
+cd ~/.openclaw/extensions/fogclaw
+npm install
+npm run build
+```
+
+## Quick Start
+
+1. Copy the example config:
+
+```bash
+cp fogclaw.config.example.json fogclaw.config.json
+```
+
+2. Edit `fogclaw.config.json` to your needs:
+
+```json
+{
+  "enabled": true,
+  "guardrail_mode": "redact",
+  "redactStrategy": "token",
+  "model": "onnx-community/gliner_large-v2.1",
+  "confidence_threshold": 0.5,
+  "custom_entities": ["project codename", "competitor name"],
+  "entityActions": {
+    "SSN": "block",
+    "CREDIT_CARD": "block",
+    "EMAIL": "redact",
+    "PHONE": "redact",
+    "PERSON": "warn"
+  }
+}
+```
+
+3. Enable the plugin in your OpenClaw config and restart.
+
+## Submission Readiness Evidence (Recommended)
+
+These commands are the minimum evidence set for PR review:
+
+```bash
+npm test
+npm run build
+npm run test:plugin-smoke
+npm pkg get openclaw
+npm run build
+node - <<'NODE'
+import plugin from './dist/index.js';
+const result = plugin.register ? 'ok' : 'missing-register';
+console.log(result, plugin.id, plugin.name);
+NODE
+```
+
+Expected output:
+
+- All tests pass.
+- `npm run build` exits with `0` and writes `dist/index.js`.
+- `npm run test:plugin-smoke` passes and confirms hook/tool contracts.
+- `npm pkg get openclaw` shows `{"extensions":["./dist/index.js"]}`.
+- The inline node check prints `ok fogclaw FogClaw`.
+
+## How It Works
+
+```
+Incoming message
+       |
+       v
+ +-----------+
+ | Regex Pass |  emails, SSNs, phones, credit cards, IPs, dates, zips
+ |  (<1ms)    |  confidence: 1.0
+ +-----+-----+
+       |
+       v
+ +-----------+
+ | GLiNER    |  persons, orgs, locations + your custom entities
+ |  (ONNX)   |  confidence: 0.0-1.0
+ +-----+-----+
+       |
+       v
+ +-----------+
+ | Merge &   |  deduplicate overlapping spans, prefer higher confidence
+ | Normalize |
+ +-----+-----+
+       |
+       v
+  Apply action per entity type (redact / block / warn)
+```
+
+## Detected Entity Types
+
+### Regex Engine (structured PII)
+
+| Type | Examples |
+|------|----------|
+| `EMAIL` | `john@example.com`, `user+tag@example.co.uk` |
+| `PHONE` | `555-123-4567`, `(555) 123-4567`, `+44 20 7946 0958` |
+| `SSN` | `123-45-6789` |
+| `CREDIT_CARD` | Visa, Mastercard, Amex (with/without separators) |
+| `IP_ADDRESS` | `192.168.1.1`, `10.0.0.1` |
+| `DATE` | `01/15/1990`, `2020-01-15`, `January 15, 2000` |
+| `ZIP_CODE` | `10001`, `10001-1234` |
+
+### GLiNER Engine (zero-shot NER)
+
+Built-in labels: `person`, `organization`, `location`, `address`, `date of birth`, `medical record number`, `account number`, `passport number`
+
+Plus any labels you add via `custom_entities` in the config.
+
+## Redaction Strategies
+
+| Strategy | Input | Output |
+|----------|-------|--------|
+| `token` | `Contact john@example.com` | `Contact [EMAIL_1]` |
+| `mask` | `Contact john@example.com` | `Contact ****************` |
+| `hash` | `Contact john@example.com` | `Contact [EMAIL_a1b2c3d4e5f6]` |
+
+## Configuration
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `enabled` | `boolean` | `true` | Enable/disable the plugin |
+| `guardrail_mode` | `string` | `"redact"` | Default action: `"redact"`, `"block"`, or `"warn"` |
+| `redactStrategy` | `string` | `"token"` | How to redact: `"token"`, `"mask"`, or `"hash"` |
+| `model` | `string` | `"onnx-community/gliner_large-v2.1"` | HuggingFace model path for GLiNER |
+| `confidence_threshold` | `number` | `0.5` | Minimum confidence for GLiNER detections (0-1) |
+| `custom_entities` | `string[]` | `[]` | Custom entity labels for zero-shot detection |
+| `entityActions` | `object` | `{}` | Per-entity-type action overrides |
+
+## OpenClaw Tools
+
+### `fogclaw_scan`
+
+Scan text for PII and custom entities. Returns detected entities with types, positions, and confidence scores.
+
+**Parameters:**
+- `text` (required) — text to scan
+- `custom_labels` (optional) — additional entity labels for zero-shot detection
+
+### `fogclaw_redact`
+
+Scan and redact PII/custom entities from text. Returns sanitized text with entities replaced.
+
+**Parameters:**
+- `text` (required) — text to scan and redact
+- `strategy` (optional) — `"token"`, `"mask"`, or `"hash"` (defaults to config)
+- `custom_labels` (optional) — additional entity labels for zero-shot detection
+
+## Standalone Usage
+
+FogClaw's core can also be used outside of OpenClaw:
+
+```typescript
+import { Scanner, redact, loadConfig, DEFAULT_CONFIG } from "@datafog/fogclaw";
+
+const scanner = new Scanner(DEFAULT_CONFIG);
+await scanner.initialize();
+
+// Scan for entities
+const result = await scanner.scan("Contact john@example.com or call 555-123-4567");
+console.log(result.entities);
+// [
+//   { text: "john@example.com", label: "EMAIL", start: 8, end: 24, confidence: 1, source: "regex" },
+//   { text: "555-123-4567", label: "PHONE", start: 33, end: 45, confidence: 1, source: "regex" }
+// ]
+
+// Redact
+const redacted = redact(result.text, result.entities, "token");
+console.log(redacted.redacted_text);
+// "Contact [EMAIL_1] or call [PHONE_1]"
+```
+
+## Development
+
+```bash
+git clone https://github.com/DataFog/fogclaw.git
+cd fogclaw
+npm install
+npm test          # run tests
+npm run build     # compile TypeScript
+npm run lint      # type-check without emitting
+```
+
+## License
+
+MIT

package/dist/config.d.ts

@@ -0,0 +1,4 @@
+import type { FogClawConfig } from "./types.js";
+export declare const DEFAULT_CONFIG: FogClawConfig;
+export declare function loadConfig(overrides: Partial<FogClawConfig>): FogClawConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAmC,MAAM,YAAY,CAAC;AAKjF,eAAO,MAAM,cAAc,EAAE,aAQ5B,CAAC;AAEF,wBAAgB,UAAU,CAAC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,aAAa,CA8B3E"}

package/dist/config.js

@@ -0,0 +1,30 @@
+const VALID_GUARDRAIL_MODES = ["redact", "block", "warn"];
+const VALID_REDACT_STRATEGIES = ["token", "mask", "hash"];
+export const DEFAULT_CONFIG = {
+    enabled: true,
+    guardrail_mode: "redact",
+    redactStrategy: "token",
+    model: "onnx-community/gliner_large-v2.1",
+    confidence_threshold: 0.5,
+    custom_entities: [],
+    entityActions: {},
+};
+export function loadConfig(overrides) {
+    const config = { ...DEFAULT_CONFIG, ...overrides };
+    if (!VALID_GUARDRAIL_MODES.includes(config.guardrail_mode)) {
+        throw new Error(`Invalid guardrail_mode "${config.guardrail_mode}". Must be one of: ${VALID_GUARDRAIL_MODES.join(", ")}`);
+    }
+    if (!VALID_REDACT_STRATEGIES.includes(config.redactStrategy)) {
+        throw new Error(`Invalid redactStrategy "${config.redactStrategy}". Must be one of: ${VALID_REDACT_STRATEGIES.join(", ")}`);
+    }
+    if (config.confidence_threshold < 0 || config.confidence_threshold > 1) {
+        throw new Error(`confidence_threshold must be between 0 and 1, got ${config.confidence_threshold}`);
+    }
+    for (const [entityType, action] of Object.entries(config.entityActions)) {
+        if (!VALID_GUARDRAIL_MODES.includes(action)) {
+            throw new Error(`Invalid action "${action}" for entity type "${entityType}". Must be one of: ${VALID_GUARDRAIL_MODES.join(", ")}`);
+        }
+    }
+    return config;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAEA,MAAM,qBAAqB,GAAsB,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;AAC7E,MAAM,uBAAuB,GAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAE5E,MAAM,CAAC,MAAM,cAAc,GAAkB;IAC3C,OAAO,EAAE,IAAI;IACb,cAAc,EAAE,QAAQ;IACxB,cAAc,EAAE,OAAO;IACvB,KAAK,EAAE,kCAAkC;IACzC,oBAAoB,EAAE,GAAG;IACzB,eAAe,EAAE,EAAE;IACnB,aAAa,EAAE,EAAE;CAClB,CAAC;AAEF,MAAM,UAAU,UAAU,CAAC,SAAiC;IAC1D,MAAM,MAAM,GAAkB,EAAE,GAAG,cAAc,EAAE,GAAG,SAAS,EAAE,CAAC;IAElE,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,CAAC,cAAc,sBAAsB,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACzG,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,uBAAuB,CAAC,QAAQ,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,CAAC,cAAc,sBAAsB,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3G,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,oBAAoB,GAAG,CAAC,IAAI,MAAM,CAAC,oBAAoB,GAAG,CAAC,EAAE,CAAC;QACvE,MAAM,IAAI,KAAK,CACb,qDAAqD,MAAM,CAAC,oBAAoB,EAAE,CACnF,CAAC;IACJ,CAAC;IAED,KAAK,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;QACxE,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CACb,mBAAmB,MAAM,sBAAsB,UAAU,sBAAsB,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/engines/gliner.d.ts

@@ -0,0 +1,14 @@
+import type { Entity } from "../types.js";
+export declare class GlinerEngine {
+    private model;
+    private modelPath;
+    private threshold;
+    private customLabels;
+    private initialized;
+    constructor(modelPath: string, threshold?: number);
+    initialize(): Promise<void>;
+    setCustomLabels(labels: string[]): void;
+    scan(text: string, extraLabels?: string[]): Promise<Entity[]>;
+    get isInitialized(): boolean;
+}
+//# sourceMappingURL=gliner.d.ts.map

package/dist/engines/gliner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gliner.d.ts","sourceRoot":"","sources":["../../src/engines/gliner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAc1C,qBAAa,YAAY;IACvB,OAAO,CAAC,KAAK,CAAa;IAC1B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,WAAW,CAAS;gBAEhB,SAAS,EAAE,MAAM,EAAE,SAAS,GAAE,MAAY;IAKhD,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAuBjC,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI;IAIjC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IA+BnE,IAAI,aAAa,IAAI,OAAO,CAE3B;CACF"}

package/dist/engines/gliner.js

@@ -0,0 +1,75 @@
+import { canonicalType } from "../types.js";
+const DEFAULT_NER_LABELS = [
+    "person",
+    "organization",
+    "location",
+    "address",
+    "date of birth",
+    "medical record number",
+    "account number",
+    "passport number",
+];
+export class GlinerEngine {
+    model = null;
+    modelPath;
+    threshold;
+    customLabels = [];
+    initialized = false;
+    constructor(modelPath, threshold = 0.5) {
+        this.modelPath = modelPath;
+        this.threshold = threshold;
+    }
+    async initialize() {
+        if (this.initialized)
+            return;
+        try {
+            const { Gliner } = await import("gliner");
+            this.model = new Gliner({
+                tokenizerPath: this.modelPath,
+                onnxSettings: {
+                    modelPath: this.modelPath,
+                    executionProvider: "cpu",
+                },
+                maxWidth: 12,
+                modelType: "gliner",
+            });
+            await this.model.initialize();
+            this.initialized = true;
+        }
+        catch (err) {
+            throw new Error(`Failed to initialize GLiNER model "${this.modelPath}": ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    setCustomLabels(labels) {
+        this.customLabels = labels;
+    }
+    async scan(text, extraLabels) {
+        if (!text)
+            return [];
+        if (!this.model) {
+            throw new Error("GLiNER engine not initialized. Call initialize() first.");
+        }
+        const labels = [
+            ...DEFAULT_NER_LABELS,
+            ...this.customLabels,
+            ...(extraLabels ?? []),
+        ];
+        // Deduplicate labels
+        const uniqueLabels = [...new Set(labels)];
+        const results = await this.model.inference(text, uniqueLabels, {
+            threshold: this.threshold,
+        });
+        return results.map((r) => ({
+            text: r.text,
+            label: canonicalType(r.label),
+            start: r.start,
+            end: r.end,
+            confidence: r.score,
+            source: "gliner",
+        }));
+    }
+    get isInitialized() {
+        return this.initialized;
+    }
+}
+//# sourceMappingURL=gliner.js.map

package/dist/engines/gliner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gliner.js","sourceRoot":"","sources":["../../src/engines/gliner.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,MAAM,kBAAkB,GAAG;IACzB,QAAQ;IACR,cAAc;IACd,UAAU;IACV,SAAS;IACT,eAAe;IACf,uBAAuB;IACvB,gBAAgB;IAChB,iBAAiB;CAClB,CAAC;AAEF,MAAM,OAAO,YAAY;IACf,KAAK,GAAQ,IAAI,CAAC;IAClB,SAAS,CAAS;IAClB,SAAS,CAAS;IAClB,YAAY,GAAa,EAAE,CAAC;IAC5B,WAAW,GAAG,KAAK,CAAC;IAE5B,YAAY,SAAiB,EAAE,YAAoB,GAAG;QACpD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO;QAE7B,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC1C,IAAI,CAAC,KAAK,GAAG,IAAI,MAAM,CAAC;gBACtB,aAAa,EAAE,IAAI,CAAC,SAAS;gBAC7B,YAAY,EAAE;oBACZ,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,iBAAiB,EAAE,KAAK;iBACzB;gBACD,QAAQ,EAAE,EAAE;gBACZ,SAAS,EAAE,QAAQ;aACpB,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YAC9B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QAC1B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,sCAAsC,IAAI,CAAC,SAAS,MAAM,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC7G,CAAC;QACJ,CAAC;IACH,CAAC;IAED,eAAe,CAAC,MAAgB;QAC9B,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAY,EAAE,WAAsB;QAC7C,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC7E,CAAC;QAED,MAAM,MAAM,GAAG;YACb,GAAG,kBAAkB;YACrB,GAAG,IAAI,CAAC,YAAY;YACpB,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;SACvB,CAAC;QAEF,qBAAqB;QACrB,MAAM,YAAY,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QAE1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,YAAY,EAAE;YAC7D,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC,GAAG,CAChB,CAAC,CAA6E,EAAE,EAAE,CAAC,CAAC;YAClF,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC;YAC7B,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,UAAU,EAAE,CAAC,CAAC,KAAK;YACnB,MAAM,EAAE,QAAiB;SAC1B,CAAC,CACH,CAAC;IACJ,CAAC;IAED,IAAI,aAAa;QACf,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;CACF"}

package/dist/engines/regex.d.ts

@@ -0,0 +1,5 @@
+import type { Entity } from "../types.js";
+export declare class RegexEngine {
+    scan(text: string): Entity[];
+}
+//# sourceMappingURL=regex.d.ts.map

package/dist/engines/regex.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex.d.ts","sourceRoot":"","sources":["../../src/engines/regex.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AA4C1C,qBAAa,WAAW;IACtB,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE;CAyB7B"}

package/dist/engines/regex.js

@@ -0,0 +1,54 @@
+const PATTERNS = [
+    {
+        label: "EMAIL",
+        pattern: /(?<![A-Za-z0-9._%+\-@])(?![A-Za-z_]{2,20}=)[A-Za-z0-9!#$%&*+\-/=^_`{|}~][A-Za-z0-9!#$%&'*+\-/=?^_`{|}~.]*@(?:\.?[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?=$|[^A-Za-z])/gi,
+    },
+    {
+        label: "PHONE",
+        pattern: /(?<![A-Za-z0-9])(?:(?:(?:\+?1)[-.\s]?)?(?:\(\d{3}\)|\d{3})[-.\s]?\d{3}[-.\s]?\d{4}|\+\d{1,3}[\s\-.]?\d{1,4}(?:[\s\-.]?\d{2,4}){2,3})(?![-A-Za-z0-9])/gi,
+    },
+    {
+        label: "SSN",
+        pattern: /(?<!\d)(?:(?!000|666)\d{3}-(?!00)\d{2}-(?!0000)\d{4}|(?!000|666)\d{3}(?!00)\d{2}(?!0000)\d{4})(?!\d)/g,
+    },
+    {
+        label: "CREDIT_CARD",
+        pattern: /\b(?:4\d{12}(?:\d{3})?|5[1-5]\d{14}|3[47]\d{13}|(?:(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2})[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4})|(?:3[47]\d{2}[-\s]?\d{6}[-\s]?\d{5}))\b/g,
+    },
+    {
+        label: "IP_ADDRESS",
+        pattern: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.(?:25[0-5]|2[0-4]\d|1?\d?\d)\.(?:25[0-5]|2[0-4]\d|1?\d?\d)\.(?:25[0-5]|2[0-4]\d|1?\d?\d))\b/g,
+    },
+    {
+        label: "DATE",
+        pattern: /\b(?:(?:0?[1-9]|1[0-2])[/-](?:0?[1-9]|[12]\d|3[01])[/-](?:\d{2}|\d{4})|(?:\d{4})-(?:0?[1-9]|1[0-2])-(?:0?[1-9]|[12]\d|3[01])|(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:t(?:ember)?)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:0?[1-9]|[12]\d|3[01]),\s+(?:19|20)\d{2})\b/gi,
+    },
+    {
+        label: "ZIP_CODE",
+        pattern: /\b\d{5}(?:-\d{4})?\b/g,
+    },
+];
+export class RegexEngine {
+    scan(text) {
+        const entities = [];
+        for (const { label, pattern } of PATTERNS) {
+            // Reset lastIndex to avoid stale state from previous calls
+            pattern.lastIndex = 0;
+            let match;
+            while ((match = pattern.exec(text)) !== null) {
+                entities.push({
+                    text: match[0],
+                    label,
+                    start: match.index,
+                    end: match.index + match[0].length,
+                    confidence: 1.0,
+                    source: "regex",
+                });
+            }
+        }
+        // Sort by start position for deterministic output
+        entities.sort((a, b) => a.start - b.start || a.end - b.end);
+        return entities;
+    }
+}
+//# sourceMappingURL=regex.js.map

package/dist/engines/regex.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex.js","sourceRoot":"","sources":["../../src/engines/regex.ts"],"names":[],"mappings":"AAOA,MAAM,QAAQ,GAAiB;IAC7B;QACE,KAAK,EAAE,OAAO;QACd,OAAO,EACL,gKAAgK;KACnK;IACD;QACE,KAAK,EAAE,OAAO;QACd,OAAO,EACL,wJAAwJ;KAC3J;IACD;QACE,KAAK,EAAE,KAAK;QACZ,OAAO,EACL,uGAAuG;KAC1G;IACD;QACE,KAAK,EAAE,aAAa;QACpB,OAAO,EACL,iKAAiK;KACpK;IACD;QACE,KAAK,EAAE,YAAY;QACnB,OAAO,EACL,iIAAiI;KACpI;IACD;QACE,KAAK,EAAE,MAAM;QACb,OAAO,EACL,sUAAsU;KACzU;IACD;QACE,KAAK,EAAE,UAAU;QACjB,OAAO,EAAE,uBAAuB;KACjC;CACF,CAAC;AAEF,MAAM,OAAO,WAAW;IACtB,IAAI,CAAC,IAAY;QACf,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,KAAK,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,QAAQ,EAAE,CAAC;YAC1C,2DAA2D;YAC3D,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAEtB,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC7C,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;oBACd,KAAK;oBACL,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,GAAG,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM;oBAClC,UAAU,EAAE,GAAG;oBACf,MAAM,EAAE,OAAO;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;QAE5D,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,19 @@
+export { Scanner } from "./scanner.js";
+export { redact } from "./redactor.js";
+export { loadConfig, DEFAULT_CONFIG } from "./config.js";
+export type { Entity, FogClawConfig, ScanResult, RedactResult, RedactStrategy, GuardrailAction, } from "./types.js";
+/**
+ * OpenClaw plugin definition.
+ *
+ * Registers:
+ * - `before_agent_start` hook for automatic PII guardrail
+ * - `fogclaw_scan` tool for on-demand entity detection
+ * - `fogclaw_redact` tool for on-demand redaction
+ */
+declare const fogclaw: {
+    id: string;
+    name: string;
+    register(api: any): void;
+};
+export default fogclaw;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACvC,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACzD,YAAY,EACV,MAAM,EACN,aAAa,EACb,UAAU,EACV,YAAY,EACZ,cAAc,EACd,eAAe,GAChB,MAAM,YAAY,CAAC;AAEpB;;;;;;;GAOG;AACH,QAAA,MAAM,OAAO;;;kBAIG,GAAG;CA+LlB,CAAC;AAEF,eAAe,OAAO,CAAC"}