@openbmb/clawxrouter 1.0.4

package/openclaw.plugin.json

@@ -0,0 +1,97 @@
+{
+  "id": "ClawXRouter",
+  "name": "ClawXRouter",
+  "description": "Edge-cloud collaborative routing plugin that keeps sensitive data local and routes tasks to cost-effective models — protects user privacy by classifying requests into three safety levels and redacting PII before any cloud forwarding",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "privacy": {
+        "type": "object",
+        "properties": {
+          "enabled": { "type": "boolean" },
+          "s2Policy": {
+            "type": "string",
+            "enum": ["proxy", "local"],
+            "description": "S2 handling policy: 'proxy' strips PII via local HTTP proxy before forwarding to cloud (default), 'local' routes S2 to local model entirely"
+          },
+          "proxyPort": {
+            "type": "number",
+            "description": "Port for the privacy proxy HTTP server (default: 8403)"
+          },
+          "checkpoints": {
+            "type": "object",
+            "properties": {
+              "onUserMessage": { "type": "array", "items": { "type": "string" } },
+              "onToolCallProposed": { "type": "array", "items": { "type": "string" } },
+              "onToolCallExecuted": { "type": "array", "items": { "type": "string" } }
+            }
+          },
+          "rules": {
+            "type": "object",
+            "properties": {
+              "keywords": {
+                "type": "object",
+                "properties": {
+                  "S2": { "type": "array", "items": { "type": "string" } },
+                  "S3": { "type": "array", "items": { "type": "string" } }
+                }
+              },
+              "patterns": {
+                "type": "object",
+                "description": "Regex patterns for matching sensitive content",
+                "properties": {
+                  "S2": { "type": "array", "items": { "type": "string" } },
+                  "S3": { "type": "array", "items": { "type": "string" } }
+                }
+              },
+              "tools": {
+                "type": "object",
+                "properties": {
+                  "S2": {
+                    "type": "object",
+                    "properties": {
+                      "tools": { "type": "array", "items": { "type": "string" } },
+                      "paths": { "type": "array", "items": { "type": "string" } }
+                    }
+                  },
+                  "S3": {
+                    "type": "object",
+                    "properties": {
+                      "tools": { "type": "array", "items": { "type": "string" } },
+                      "paths": { "type": "array", "items": { "type": "string" } }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "localModel": {
+            "type": "object",
+            "properties": {
+              "enabled": { "type": "boolean" },
+              "provider": { "type": "string" },
+              "model": { "type": "string" },
+              "endpoint": { "type": "string" }
+            }
+          },
+          "guardAgent": {
+            "type": "object",
+            "properties": {
+              "id": { "type": "string" },
+              "workspace": { "type": "string" },
+              "model": { "type": "string" }
+            }
+          },
+          "session": {
+            "type": "object",
+            "properties": {
+              "isolateGuardHistory": { "type": "boolean" },
+              "baseDir": { "type": "string" }
+            }
+          }
+        }
+      }
+    }
+  }
+}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@openbmb/clawxrouter",
+  "version": "1.0.4",
+  "description": "Edge-cloud collaborative routing plugin that keeps sensitive data local and routes tasks to cost-effective models — protects user privacy by classifying requests into three safety levels and redacting PII before any cloud forwarding",
+  "type": "module",
+  "main": "./index.ts",
+  "exports": {
+    ".": "./index.ts"
+  },
+  "files": [
+    "index.ts",
+    "src/",
+    "prompts/",
+    "config.example.json",
+    "openclaw.plugin.json"
+  ],
+  "keywords": [
+    "openclaw",
+    "privacy",
+    "router",
+    "guard-agent",
+    "clawxrouter"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/OpenBMB/ClawXRouter"
+  },
+  "dependencies": {
+    "@sinclair/typebox": "0.34.48",
+    "synckit": "^0.11.12",
+    "tsx": "^4.21.0"
+  },
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ],
+    "compat": {
+      "pluginApi": ">=2026.3.22"
+    },
+    "build": {
+      "openclawVersion": "2026.3.28"
+    }
+  },
+  "devDependencies": {
+    "vitest": "^4.1.0"
+  }
+}

package/prompts/detection-system.md

@@ -0,0 +1,50 @@
+[SYSTEM] You are a strict privacy classifier. Output ONLY a single JSON object — nothing else.
+
+Classify based on ACTUAL data present in the message. Do NOT speculate about unknown file contents.
+
+S3 = PRIVATE (local only, never cloud):
+  - Financial: payslip, salary, tax, bank account, SSN, 工资单, 报销单, 税表
+  - Medical: health records, diagnoses, prescriptions, lab results, 病历, 体检报告
+  - Credentials: passwords, API keys, secrets, tokens, private keys, .env files, config with credentials
+  - The message itself CONTAINS or EXPLICITLY MENTIONS the above data → S3
+  "evaluate these passwords" → S3
+  "check my payslip" → S3
+  "summarize the medical record in patient_records.pdf" → S3
+  "read my .env file" → S3
+  "the secret code is XYZ" → S3
+
+S2 = SENSITIVE (redact PII, then send to cloud):
+  - Addresses (ANY physical address, 地址, 住址, street, road, apartment, 路, 街, 小区, 弄, 号)
+  - Gate/door codes, pickup codes, delivery tracking numbers
+  - Phone numbers, email addresses, real names used as contact PII
+  - License plates, SSN/ID mixed with personal context, chat logs with PII
+  - File content containing the above PII → S2
+  - ANY mention of "address"/"地址" with actual location data → S2
+  "1847 Elm St, gate code 4523#" → S2
+  "我的地址是北京市朝阳区xxx" → S2
+  "张伟 手机13912345678" → S2
+  "schedule meeting with john@example.com" → S2
+
+S1 = SAFE: No sensitive data or intent.
+  "write a poem about spring" → S1
+  "how to read Excel with pandas" → S1
+  "read summary_source.txt and write a summary" → S1
+  "read notes.md and answer a question" → S1
+  "create a market research report about observability tools" → S1
+  "find upcoming tech conferences" → S1
+  "create a Python project structure" → S1
+
+Rules:
+- Passwords/credentials → ALWAYS S3 (never S2)
+- Medical data → ALWAYS S3 (never S2)
+- Gate/access/pickup codes → S2 (not S3)
+- If file content is provided and contains PII → at least S2
+- Generic file operations (read/write .txt, .md, .csv with NEUTRAL names) → S1 unless the message itself contains PII
+- Do NOT escalate just because a file MIGHT contain sensitive data — only escalate when evidence exists in the message
+- "Read X file and summarize" with no PII in the request → S1
+- "Analyze quarterly_sales.csv" or "company_expenses.xlsx" with NO actual financial PII in the message → S1
+- Tool calls (read, write, exec, shell) within the agent workspace are NORMAL operations → S1 unless parameters explicitly contain credentials or PII
+- Reading config.json, settings.json, database.yml for task purposes → S1 (classify based on actual content, not filename speculation)
+- When genuinely unsure AND the filename/context suggests sensitivity → pick higher level
+
+Output format: {"level":"S1|S2|S3","reason":"brief"}

package/prompts/token-saver-judge.md

@@ -0,0 +1,25 @@
+You are a task complexity classifier for an AI coding agent. Classify each task into exactly one of five tiers based on the nature of the work.
+
+## Tiers
+
+SIMPLE — Pure text transformation. Takes existing text and produces modified text: summarizing a single document, rewriting or humanizing content, simple Q&A, greetings.
+
+MEDIUM — Standard agent work (default). Writing emails, coding scripts, data analysis (CSV/Excel), project scaffolding, image generation, factual lookups, researching events or conferences, competitive/market research and analysis reports, search-and-replace, memory management.
+
+COMPLEX — Structured multi-item processing. Systematically processes a collection or extracts precise information: triaging or searching through multiple emails, creating multiple files and directories as a structured tree, extracting facts or structured data from documents and reports.
+
+RESEARCH — Creative synthesis. Original long-form writing or multi-source combination: blog posts, articles, multi-step workflows (read → code → document), briefings from multiple source files.
+
+REASONING — Deep PDF analysis. Reading, understanding, and explaining PDF documents in simplified terms.
+
+## Disambiguation
+
+- Summarizing ONE text file → SIMPLE; synthesizing MULTIPLE text/research source files into a briefing → RESEARCH.
+- Data analysis (CSV, Excel, spreadsheets) → MEDIUM, regardless of file count.
+- Scaffolding a project or library → MEDIUM; creating multiple files and directories from a spec → COMPLEX.
+- Explaining or simplifying a PDF (ELI5) → REASONING; extracting structured data points from a document → COMPLEX.
+- Market/competitive analysis or event/conference research → MEDIUM.
+- When unsure, choose MEDIUM.
+
+CRITICAL: Output ONLY a raw JSON object. No markdown, no explanation.
+{"tier":"SIMPLE|MEDIUM|COMPLEX|RESEARCH|REASONING"}

package/src/config-schema.ts

@@ -0,0 +1,210 @@
+import { Type } from "@sinclair/typebox";
+
+export const clawXrouterConfigSchema = Type.Object({
+  privacy: Type.Optional(
+    Type.Object({
+      enabled: Type.Optional(Type.Boolean()),
+      s2Policy: Type.Optional(
+        Type.Union([Type.Literal("proxy"), Type.Literal("local")]),
+      ),
+      proxyPort: Type.Optional(Type.Number()),
+      checkpoints: Type.Optional(
+        Type.Object({
+          onUserMessage: Type.Optional(
+            Type.Array(
+              Type.Union([Type.Literal("ruleDetector"), Type.Literal("localModelDetector")]),
+            ),
+          ),
+          onToolCallProposed: Type.Optional(
+            Type.Array(
+              Type.Union([Type.Literal("ruleDetector"), Type.Literal("localModelDetector")]),
+            ),
+          ),
+          onToolCallExecuted: Type.Optional(
+            Type.Array(
+              Type.Union([Type.Literal("ruleDetector"), Type.Literal("localModelDetector")]),
+            ),
+          ),
+        }),
+      ),
+      rules: Type.Optional(
+        Type.Object({
+          keywords: Type.Optional(
+            Type.Object({
+              S2: Type.Optional(Type.Array(Type.String())),
+              S3: Type.Optional(Type.Array(Type.String())),
+            }),
+          ),
+          patterns: Type.Optional(
+            Type.Object({
+              S2: Type.Optional(Type.Array(Type.String())),
+              S3: Type.Optional(Type.Array(Type.String())),
+            }),
+          ),
+          tools: Type.Optional(
+            Type.Object({
+              S2: Type.Optional(
+                Type.Object({
+                  tools: Type.Optional(Type.Array(Type.String())),
+                  paths: Type.Optional(Type.Array(Type.String())),
+                }),
+              ),
+              S3: Type.Optional(
+                Type.Object({
+                  tools: Type.Optional(Type.Array(Type.String())),
+                  paths: Type.Optional(Type.Array(Type.String())),
+                }),
+              ),
+            }),
+          ),
+        }),
+      ),
+      localModel: Type.Optional(
+        Type.Object({
+          enabled: Type.Optional(Type.Boolean()),
+          type: Type.Optional(
+            Type.Union([
+              Type.Literal("openai-compatible"),
+              Type.Literal("ollama-native"),
+              Type.Literal("custom"),
+            ]),
+          ),
+          provider: Type.Optional(Type.String()),
+          model: Type.Optional(Type.String()),
+          endpoint: Type.Optional(Type.String()),
+          apiKey: Type.Optional(Type.String()),
+          module: Type.Optional(Type.String()),
+        }),
+      ),
+      guardAgent: Type.Optional(
+        Type.Object({
+          id: Type.Optional(Type.String()),
+          workspace: Type.Optional(Type.String()),
+          model: Type.Optional(Type.String()),
+        }),
+      ),
+      localProviders: Type.Optional(Type.Array(Type.String())),
+      toolAllowlist: Type.Optional(Type.Array(Type.String())),
+      modelPricing: Type.Optional(
+        Type.Record(
+          Type.String(),
+          Type.Object({
+            inputPer1M: Type.Optional(Type.Number()),
+            outputPer1M: Type.Optional(Type.Number()),
+          }),
+        ),
+      ),
+      session: Type.Optional(
+        Type.Object({
+          isolateGuardHistory: Type.Optional(Type.Boolean()),
+          baseDir: Type.Optional(Type.String()),
+          injectDualHistory: Type.Optional(Type.Boolean()),
+          historyLimit: Type.Optional(Type.Number()),
+        }),
+      ),
+      routers: Type.Optional(
+        Type.Record(
+          Type.String(),
+          Type.Object({
+            enabled: Type.Optional(Type.Boolean()),
+            type: Type.Optional(Type.Union([Type.Literal("builtin"), Type.Literal("custom"), Type.Literal("configurable")])),
+            module: Type.Optional(Type.String()),
+            weight: Type.Optional(Type.Number()),
+            options: Type.Optional(Type.Record(Type.String(), Type.Unknown())),
+          }),
+        ),
+      ),
+      pipeline: Type.Optional(
+        Type.Object({
+          onUserMessage: Type.Optional(Type.Array(Type.String())),
+          onToolCallProposed: Type.Optional(Type.Array(Type.String())),
+          onToolCallExecuted: Type.Optional(Type.Array(Type.String())),
+        }),
+      ),
+      redaction: Type.Optional(
+        Type.Object({
+          internalIp: Type.Optional(Type.Boolean()),
+          email: Type.Optional(Type.Boolean()),
+          envVar: Type.Optional(Type.Boolean()),
+          creditCard: Type.Optional(Type.Boolean()),
+          chinesePhone: Type.Optional(Type.Boolean()),
+          chineseId: Type.Optional(Type.Boolean()),
+          chineseAddress: Type.Optional(Type.Boolean()),
+          pin: Type.Optional(Type.Boolean()),
+        }),
+      ),
+    }),
+  ),
+});
+
+export const defaultPrivacyConfig = {
+  enabled: true,
+  s2Policy: "proxy" as "proxy" | "local",
+  proxyPort: 8403,
+  checkpoints: {
+    onUserMessage: ["ruleDetector" as const, "localModelDetector" as const],
+    onToolCallProposed: ["ruleDetector" as const],
+    onToolCallExecuted: ["ruleDetector" as const],
+  },
+  rules: {
+    keywords: {
+      S2: [] as string[],
+      S3: [] as string[],
+    },
+    patterns: {
+      S2: [] as string[],
+      S3: [] as string[],
+    },
+    tools: {
+      S2: { tools: [] as string[], paths: [] as string[] },
+      S3: { tools: [] as string[], paths: [] as string[] },
+    },
+  },
+  localModel: {
+    enabled: true,
+    type: "openai-compatible" as const,
+    model: "openbmb/minicpm4.1",
+    endpoint: "http://localhost:11434",
+  },
+  guardAgent: {
+    id: "guard",
+    workspace: "~/.openclaw/workspace-guard",
+    model: "ollama/openbmb/minicpm4.1",
+  },
+  localProviders: [] as string[],
+  toolAllowlist: [] as string[],
+  modelPricing: {
+    "claude-sonnet-4.6": { inputPer1M: 3, outputPer1M: 15 },
+    "claude-3.5-sonnet": { inputPer1M: 3, outputPer1M: 15 },
+    "claude-3.5-haiku": { inputPer1M: 0.8, outputPer1M: 4 },
+    "gpt-4o": { inputPer1M: 2.5, outputPer1M: 10 },
+    "gpt-4o-mini": { inputPer1M: 0.15, outputPer1M: 0.6 },
+    "o4-mini": { inputPer1M: 1.1, outputPer1M: 4.4 },
+    "gemini-2.0-flash": { inputPer1M: 0.1, outputPer1M: 0.4 },
+    "deepseek-chat": { inputPer1M: 0.27, outputPer1M: 1.1 },
+  } as Record<string, { inputPer1M?: number; outputPer1M?: number }>,
+  redaction: {
+    internalIp: false,
+    email: false,
+    envVar: false,
+    creditCard: false,
+    chinesePhone: false,
+    chineseId: false,
+    chineseAddress: false,
+    pin: false,
+  },
+  session: {
+    isolateGuardHistory: true,
+    baseDir: "~/.openclaw",
+    injectDualHistory: true,
+    historyLimit: 20,
+  },
+  routers: {
+    privacy: { enabled: true, type: "builtin" as const },
+  } as Record<string, { enabled?: boolean; type?: "builtin" | "custom" | "configurable"; module?: string; weight?: number; options?: Record<string, unknown> }>,
+  pipeline: {
+    onUserMessage: ["privacy"],
+    onToolCallProposed: ["privacy"],
+    onToolCallExecuted: ["privacy"],
+  },
+};

package/src/dashboard-config-io.ts

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync } from "node:fs";
+import { join } from "node:path";
+
+const HOME_DIR = process.env.HOME ?? "/tmp";
+
+export const CLAWXROUTER_CONFIG_PATH = join(
+  HOME_DIR,
+  ".openclaw",
+  "clawxrouter.json",
+);
+
+export function saveClawXrouterConfig(privacy: Record<string, unknown>): void {
+  try {
+    const dir = join(HOME_DIR, ".openclaw");
+    mkdirSync(dir, { recursive: true });
+    let existing: Record<string, unknown> = {};
+    try {
+      existing = JSON.parse(readFileSync(CLAWXROUTER_CONFIG_PATH, "utf-8")) as Record<string, unknown>;
+    } catch { /* file may not exist yet */ }
+    const updated = { ...existing, privacy };
+    writeFileSync(CLAWXROUTER_CONFIG_PATH, JSON.stringify(updated, null, 2), "utf-8");
+  } catch {
+    // best-effort persistence
+  }
+}

package/src/detector.ts

@@ -0,0 +1,230 @@
+import type { 
+  Checkpoint, 
+  DetectionContext, 
+  DetectionResult, 
+  DetectorType, 
+  PrivacyConfig, 
+  SensitivityLevel 
+} from "./types.js";
+import { maxLevel } from "./types.js";
+import { detectByRules } from "./rules.js";
+import { detectByLocalModel } from "./local-model.js";
+import { defaultPrivacyConfig } from "./config-schema.js";
+
+/**
+ * Main detection function that coordinates all detectors.
+ *
+ * Accepts either a raw `pluginConfig` (legacy — will merge with defaults)
+ * or a pre-merged `PrivacyConfig` via the `resolvedConfig` option to avoid
+ * double-merging when called from routers that already merged config.
+ */
+export async function detectSensitivityLevel(
+  context: DetectionContext,
+  pluginConfig: Record<string, unknown>,
+  resolvedConfig?: PrivacyConfig,
+): Promise<DetectionResult> {
+  const privacyConfig = resolvedConfig ?? mergeWithDefaults(
+    (pluginConfig?.privacy as PrivacyConfig) ?? {},
+    defaultPrivacyConfig
+  );
+
+  // Check if privacy is enabled (skip when dry-run so dashboards get real classification)
+  if (privacyConfig.enabled === false && !context.dryRun) {
+    return {
+      level: "S1",
+      levelNumeric: 1,
+      reason: "Privacy detection disabled",
+      detectorType: "ruleDetector",
+      confidence: 1.0,
+    };
+  }
+
+  // Get detectors for this checkpoint
+  const detectors = getDetectorsForCheckpoint(context.checkpoint, privacyConfig);
+
+  if (detectors.length === 0) {
+    // No detectors configured for this checkpoint, default to S1
+    return {
+      level: "S1",
+      levelNumeric: 1,
+      reason: "No detectors configured",
+      detectorType: "ruleDetector",
+      confidence: 1.0,
+    };
+  }
+
+  // Run all configured detectors
+  const results = await runDetectors(detectors, context, privacyConfig);
+
+  // Merge results (take maximum level)
+  return mergeDetectionResults(results);
+}
+
+/**
+ * Get configured detectors for a specific checkpoint
+ */
+function getDetectorsForCheckpoint(
+  checkpoint: Checkpoint,
+  config: PrivacyConfig
+): DetectorType[] {
+  const checkpoints = config.checkpoints ?? {};
+
+  switch (checkpoint) {
+    case "onUserMessage":
+      return checkpoints.onUserMessage ?? ["ruleDetector", "localModelDetector"];
+    case "onToolCallProposed":
+      return checkpoints.onToolCallProposed ?? ["ruleDetector"];
+    case "onToolCallExecuted":
+      return checkpoints.onToolCallExecuted ?? ["ruleDetector"];
+    default:
+      return ["ruleDetector"];
+  }
+}
+
+/**
+ * Run detectors and collect results.
+ *
+ * Short-circuits on S3: once any detector returns S3 (highest level),
+ * remaining detectors are skipped — no further detection can raise the
+ * level and running an LLM judge for a message that will stay local is
+ * both wasteful and a needless exposure of sensitive content.
+ */
+async function runDetectors(
+  detectors: DetectorType[],
+  context: DetectionContext,
+  config: PrivacyConfig
+): Promise<DetectionResult[]> {
+  const results: DetectionResult[] = [];
+
+  for (const detector of detectors) {
+    try {
+      let result: DetectionResult;
+
+      switch (detector) {
+        case "ruleDetector":
+          result = detectByRules(context, config);
+          break;
+        case "localModelDetector":
+          result = await detectByLocalModel(context, config);
+          break;
+        default:
+          console.warn(`[ClawXrouter] Unknown detector type: ${detector}`);
+          continue;
+      }
+
+      results.push(result);
+
+      if (result.level === "S3") break;
+    } catch (err) {
+      console.error(`[ClawXrouter] Detector ${detector} failed:`, err);
+    }
+  }
+
+  return results;
+}
+
+/**
+ * Merge multiple detection results into a single result
+ * Takes the highest severity level and combines reasons
+ */
+function mergeDetectionResults(results: DetectionResult[]): DetectionResult {
+  if (results.length === 0) {
+    return {
+      level: "S1",
+      levelNumeric: 1,
+      reason: "No detection results",
+      detectorType: "ruleDetector",
+      confidence: 0,
+    };
+  }
+
+  if (results.length === 1) {
+    return results[0];
+  }
+
+  // Find the highest level
+  const levels = results.map((r) => r.level);
+  const finalLevel = maxLevel(...levels);
+
+  // Collect reasons from all detectors that contributed to the decision
+  const relevantResults = results.filter((r) => r.level === finalLevel);
+  const reasons = relevantResults
+    .map((r) => r.reason)
+    .filter((r): r is string => Boolean(r));
+
+  // Calculate average confidence
+  const confidences = results.map((r) => r.confidence ?? 0.5);
+  const avgConfidence = confidences.reduce((a, b) => a + b, 0) / confidences.length;
+
+  // Determine primary detector type (the one that found the highest level)
+  const primaryDetector = relevantResults[0]?.detectorType ?? "ruleDetector";
+
+  return {
+    level: finalLevel,
+    levelNumeric: results.find((r) => r.level === finalLevel)?.levelNumeric ?? 1,
+    reason: reasons.length > 0 ? reasons.join("; ") : undefined,
+    detectorType: primaryDetector,
+    confidence: avgConfidence,
+  };
+}
+
+/**
+ * Merge user config with defaults
+ */
+function mergeWithDefaults(
+  userConfig: PrivacyConfig,
+  defaults: PrivacyConfig
+): PrivacyConfig {
+  return {
+    enabled: userConfig.enabled ?? defaults.enabled,
+    checkpoints: {
+      onUserMessage: userConfig.checkpoints?.onUserMessage ?? defaults.checkpoints?.onUserMessage,
+      onToolCallProposed:
+        userConfig.checkpoints?.onToolCallProposed ?? defaults.checkpoints?.onToolCallProposed,
+      onToolCallExecuted:
+        userConfig.checkpoints?.onToolCallExecuted ?? defaults.checkpoints?.onToolCallExecuted,
+    },
+    rules: {
+      keywords: {
+        S2: userConfig.rules?.keywords?.S2 ?? defaults.rules?.keywords?.S2,
+        S3: userConfig.rules?.keywords?.S3 ?? defaults.rules?.keywords?.S3,
+      },
+      patterns: {
+        S2: userConfig.rules?.patterns?.S2 ?? defaults.rules?.patterns?.S2,
+        S3: userConfig.rules?.patterns?.S3 ?? defaults.rules?.patterns?.S3,
+      },
+      tools: {
+        S2: {
+          tools: userConfig.rules?.tools?.S2?.tools ?? defaults.rules?.tools?.S2?.tools,
+          paths: userConfig.rules?.tools?.S2?.paths ?? defaults.rules?.tools?.S2?.paths,
+        },
+        S3: {
+          tools: userConfig.rules?.tools?.S3?.tools ?? defaults.rules?.tools?.S3?.tools,
+          paths: userConfig.rules?.tools?.S3?.paths ?? defaults.rules?.tools?.S3?.paths,
+        },
+      },
+    },
+    localModel: {
+      enabled: userConfig.localModel?.enabled ?? defaults.localModel?.enabled,
+      type: userConfig.localModel?.type ?? defaults.localModel?.type,
+      provider: userConfig.localModel?.provider ?? defaults.localModel?.provider,
+      model: userConfig.localModel?.model ?? defaults.localModel?.model,
+      endpoint: userConfig.localModel?.endpoint ?? defaults.localModel?.endpoint,
+      apiKey: userConfig.localModel?.apiKey ?? defaults.localModel?.apiKey,
+      module: userConfig.localModel?.module ?? defaults.localModel?.module,
+    },
+    guardAgent: {
+      id: userConfig.guardAgent?.id ?? defaults.guardAgent?.id,
+      workspace: userConfig.guardAgent?.workspace ?? defaults.guardAgent?.workspace,
+      model: userConfig.guardAgent?.model ?? defaults.guardAgent?.model,
+    },
+    session: {
+      isolateGuardHistory:
+        userConfig.session?.isolateGuardHistory ?? defaults.session?.isolateGuardHistory,
+      baseDir: userConfig.session?.baseDir ?? defaults.session?.baseDir,
+      injectDualHistory:
+        userConfig.session?.injectDualHistory ?? defaults.session?.injectDualHistory,
+      historyLimit: userConfig.session?.historyLimit ?? defaults.session?.historyLimit,
+    },
+  };
+}