shroud-privacy 2.2.5 → 2.2.6

package/README.md

@@ -21,11 +21,13 @@
 
 | Hook | Direction | What happens |
 |------|-----------|-------------|
-| `before_prompt_build` | User → LLM | Obfuscate user prompt, prepend privacy context |
-| `before_message_write` | Any → History | Obfuscate non-assistant messages; deobfuscate assistant messages |
+| `globalThis.fetch` intercept | User → LLM | Obfuscate all outbound LLM API requests; deobfuscate SSE responses per content block |
+| `before_prompt_build` | User → LLM | Pre-seed mapping store so the fetch intercept has mappings ready |
+| `before_message_write` | Any → History | Deobfuscate assistant messages for transcript; re-obfuscate on next turn |
 | `before_tool_call` | LLM → Tool | Deobfuscate tool parameters + track tool chain depth |
 | `tool_result_persist` | Tool → History | Obfuscate tool results before storing |
-| `message_sending` | Agent → User | Deobfuscate outbound messages (all channels) |
+| `message_sending` | Agent → User | Deobfuscate outbound messages (backup — fetch intercept handles primary deob) |
+| `globalThis.__shroudStreamDeobfuscate` | LLM → Agent | Streaming event deobfuscation hook |
 | `globalThis.__shroudDeobfuscate` | Agent → Channel | Global deobfuscation hook — called by OpenClaw before ANY channel send |
 
 > **Privacy guarantee:** Shroud intercepts ALL outbound LLM API calls (Anthropic, OpenAI, Google, any provider) at the `fetch` level and obfuscates detected PII in every message — including assistant history and Slack `<mailto:>` markup — before it leaves the process. Detected PII never reaches the LLM. Detection covers 100+ entity types; see [SECURITY.md](SECURITY.md) for known limitations. On the channel delivery side, Shroud registers `globalThis.__shroudDeobfuscate` — a single function that OpenClaw calls before sending to ANY channel (Slack, WhatsApp, Signal, web, etc.). One hook, all channels, transparent no-op if Shroud isn't loaded.
@@ -81,7 +83,7 @@ node node_modules/shroud-privacy/app-server.mjs node_modules/shroud-privacy/dist
 
 Handshake (server writes on startup):
 ```json
-{"app":"1.0","engine":"shroud","version":"2.1.0","capabilities":["obfuscate","deobfuscate","batch","stats","health","configure","audit","partitions"]}
+{"app":"1.0","engine":"shroud","version":"2.2.5","capabilities":["obfuscate","deobfuscate","batch","stats","health","configure","audit","partitions"]}
 ```
 
 Obfuscate:
@@ -213,8 +215,6 @@ Shroud registers tools that the LLM can call during conversations:
 | Tool | What it does |
 |------|-------------|
 | `shroud-stats` | Show all detection rules with status, confidence, hit counts, store size, and config summary |
-| `shroud_status` | Quick stats: entity counts, session info, audit status (JSON) |
-| `shroud_reset` | Clear all mappings and start a fresh privacy session |
 
 You can also run the stats CLI from the terminal:
 
@@ -297,7 +297,7 @@ Shroud includes a `ContextDetector` that wraps the regex engine with post-detect
 - **Proximity clustering**: When a name, email, and phone appear within 200 characters, each gets a confidence boost.
 - **Hostname propagation**: `hostname FCNETR1` in one place → bare `FCNETR1` detected everywhere in the text.
 - **Learned entities**: Hostnames and infra identifiers seen in previous messages are remembered and detected in future messages without requiring config-line context.
-- **Documentation filtering**: RFC 5737 TEST-NET IPs (192.0.2.x, 198.51.100.x, 203.0.113.x), RFC 3849 IPv6 doc prefix (`2001:db8::/32`), IPv6 loopback (`::1`), `example.com` emails, and well-known placeholders are automatically skipped.
+- **Documentation filtering**: RFC 3849 IPv6 doc prefix (`2001:db8::/32`), IPv6 loopback (`::1`), `example.com` emails, and well-known placeholders are automatically skipped. RFC 5737 TEST-NET IPs (192.0.2.x, 198.51.100.x, 203.0.113.x) are obfuscated because they commonly appear in real configs as stand-in addresses.
 - **Public URL filtering**: URLs pointing to well-known public platforms (YouTube, GitHub, Wikipedia, Google, Reddit, Stack Overflow, npm, PyPI, Docker Hub, etc.) are never obfuscated — they aren't PII. Emails at these domains are still detected.
 - **Common word decay**: Words like `permit`, `deny`, `default` that happen to match patterns get 50% confidence reduction.
 - **Recursive deobfuscation**: Up to 3 passes for nested structures (fakes inside JSON-encoded strings).
@@ -374,7 +374,7 @@ APP is an open protocol for adding privacy obfuscation to any AI agent. Shroud i
 On startup, the server writes a single JSON line to stdout:
 
 ```json
-{"app":"1.0","engine":"shroud","version":"2.1.0","capabilities":["obfuscate","deobfuscate","batch","stats","health","configure","audit","partitions"]}
+{"app":"1.0","engine":"shroud","version":"2.2.5","capabilities":["obfuscate","deobfuscate","batch","stats","health","configure","audit","partitions"]}
 ```
 
 The agent must read this line before sending requests. Fields:

package/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "shroud-privacy",
   "name": "Shroud",
-  "version": "2.2.3",
+  "version": "2.2.5",
   "description": "Privacy obfuscation with deterministic fake values and deobfuscation — PII never reaches the LLM, tool calls still work",
   "configSchema": {
     "type": "object",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shroud-privacy",
-  "version": "2.2.5",
+  "version": "2.2.6",
   "description": "Privacy obfuscation for AI agents — detects PII and replaces with deterministic fake values before anything reaches the LLM. Works with OpenClaw (plugin) or any agent (APP protocol).",
   "type": "module",
   "main": "dist/index.js",