shroud-privacy 2.2.5 → 2.2.7

package/README.md

@@ -2,53 +2,99 @@
   <img src="logo.png" alt="Shroud" width="160" height="160">
 </p>
 
-<h1 align="center">Shroud — Community Edition</h1>
+<h1 align="center">Shroud</h1>
 
 <p align="center">
-  Privacy obfuscation for AI agents. Detects sensitive data (PII, network infrastructure, credentials) and replaces it with deterministic fake values before anything reaches the LLM. Tool calls still work because Shroud deobfuscates on the way back. Works with <a href="https://openclaw.ai">OpenClaw</a> (plugin) or any agent via the Agent Privacy Protocol (APP).
+  <strong>Privacy and infrastructure protection for AI agents.</strong><br>
+  Prevents sensitive data from reaching LLMs — PII, network topology, credentials, OT/SCADA identifiers, and internal infrastructure details are replaced with deterministic fakes before any API call leaves the process. Responses are deobfuscated transparently so users and tools see real values.
 </p>
 
-> **Open-source Community Edition** — free to use under Apache 2.0 license. [Enterprise Edition](#enterprise-edition) available with additional features for teams.
+<p align="center">
+  <a href="#install">Install</a> &middot;
+  <a href="#why-shroud">Why Shroud</a> &middot;
+  <a href="#configure">Configure</a> &middot;
+  <a href="#agent-privacy-protocol-app">APP Protocol</a> &middot;
+  <a href="CHANGELOG.md">Changelog</a>
+</p>
+
+> Apache 2.0 &middot; Zero runtime dependencies &middot; Works with [OpenClaw](https://openclaw.ai) or any agent via [APP](#agent-privacy-protocol-app)
+
+---
+
+## Why Shroud
+
+Frontier LLMs are transformative for infrastructure operations — network troubleshooting, incident response, change planning, compliance audits. But every prompt you send is an API call to a third party. Without protection, you're transmitting:
+
+- **Network topology** — subnets, VLANs, BGP ASNs, OSPF areas, interface descriptions, ACL names, route-maps
+- **Device identities** — hostnames, management IPs, SNMP communities, firmware versions
+- **Credentials** — API keys, connection strings, PSKs, enable secrets, TACACS/RADIUS shared keys
+- **OT/SCADA identifiers** — Modbus addresses, OPC-UA endpoints, IEC 61850 IED names, historian tags, BACnet device IDs
+- **Customer PII** — emails, phone numbers, national IDs, credit cards, physical addresses
+- **Internal URLs** — wiki pages, Jira tickets, admin portals, API endpoints
+
+Shroud sits between your agent and the LLM. It detects all of the above (100+ entity types), replaces each with a deterministic format-preserving fake, and reverses the mapping on the way back. The LLM reasons over realistic-looking data. Your real infrastructure stays private.
+
+### Who needs this
+
+| Sector | What leaks without Shroud |
+|--------|--------------------------|
+| **Telecoms & ISPs** | MPLS topologies, BGP peering, customer CPE configs, circuit IDs |
+| **Energy & utilities** | SCADA/ICS endpoints, substation IPs, OPC-UA tags, DNP3 addresses |
+| **Transport & aviation** | ATC sector IDs, NAV frequencies, signalling network topology |
+| **Banking & finance** | Internal API endpoints, database connection strings, customer PII |
+| **Healthcare** | Patient identifiers, internal system hostnames, API credentials |
+| **Government & defence** | Classified network segments, device inventories, operational IPs |
+| **Any enterprise** | Internal URLs, credentials, employee PII, customer data |
+
+### Regulatory context
+
+If you process personal data of EU residents, **GDPR Article 32** requires "appropriate technical measures" to protect it. Sending unredacted PII to a third-party LLM API is a data transfer — Shroud ensures detected PII never leaves your process. Similar obligations exist under CCPA, HIPAA, PCI-DSS, and sector-specific regulations (NIS2, NERC CIP, IEC 62443).
+
+Shroud does not guarantee compliance — regex-based detection has limitations (see [SECURITY.md](SECURITY.md)). But it is a meaningful technical control that reduces exposure.
+
+---
 
 ## What it does
 
-1. **Detects** 100+ entity types: emails, IPs, phones, API keys, hostnames, SNMP communities, BGP ASNs, credit cards, SSNs, file paths, URLs, person/org/location names, VLANs, route-maps, ACLs, OSPF IDs, IBANs, JWTs, PEM certs, GPS coordinates, ICS/SCADA identifiers, Palo Alto/Check Point/Juniper/Fortinet/F5 config secrets, and custom regex patterns.
+1. **Detects** 100+ entity types: emails, IPs, phones, API keys, hostnames, SNMP communities, BGP ASNs, credit cards, SSNs, file paths, URLs, person/org/location names, VLANs, route-maps, ACLs, OSPF IDs, IBANs, JWTs, PEM certs, GPS coordinates, ICS/SCADA identifiers, vendor-specific secrets (Cisco, Juniper, Palo Alto, Check Point, Fortinet, F5, Arista), and custom regex patterns.
 2. **Replaces** each value with a deterministic fake (same input + key = same fake every time). Fakes are format-preserving: IPv4 stays in CGNAT range (`100.64.0.0/10`), IPv6 uses ULA range (`fd00::/8`), emails keep `@domain` structure, credit cards pass Luhn, etc.
-3. **Deobfuscates** LLM responses and tool parameters so the user sees real values and tools receive real arguments.
-4. **Audit logs** every obfuscation/deobfuscation event with counts, categories, char deltas, and optional proof hashes — never logging raw sensitive values.
+3. **Passes through public URLs** — external URLs (arxiv.org, docs.stripe.com, etc.) are not obfuscated. Shroud resolves FQDNs via DNS: public IPs pass through, RFC 1918 / NXDOMAIN / internal IPs are obfuscated. Well-known platforms (GitHub, YouTube, Wikipedia, etc.) are always passed through.
+4. **Deobfuscates** LLM responses and tool parameters so the user sees real values and tools receive real arguments.
+5. **Audit logs** every event with counts, categories, char deltas, and optional proof hashes — never logging raw sensitive values.
 
 ### Hook lifecycle
 
 | Hook | Direction | What happens |
 |------|-----------|-------------|
-| `before_prompt_build` | User → LLM | Obfuscate user prompt, prepend privacy context |
-| `before_message_write` | Any → History | Obfuscate non-assistant messages; deobfuscate assistant messages |
+| `globalThis.fetch` intercept | User → LLM | Obfuscate all outbound LLM API requests; deobfuscate SSE responses per content block |
+| `before_prompt_build` | User → LLM | Warm DNS cache for URL classification; pre-seed mapping store |
+| `before_message_write` | Any → History | Deobfuscate assistant messages for transcript; re-obfuscate on next turn |
 | `before_tool_call` | LLM → Tool | Deobfuscate tool parameters + track tool chain depth |
 | `tool_result_persist` | Tool → History | Obfuscate tool results before storing |
-| `message_sending` | Agent → User | Deobfuscate outbound messages (all channels) |
+| `message_sending` | Agent → User | Deobfuscate outbound messages (backup — fetch intercept handles primary deob) |
+| `globalThis.__shroudStreamDeobfuscate` | LLM → Agent | Streaming event deobfuscation hook |
 | `globalThis.__shroudDeobfuscate` | Agent → Channel | Global deobfuscation hook — called by OpenClaw before ANY channel send |
 
-> **Privacy guarantee:** Shroud intercepts ALL outbound LLM API calls (Anthropic, OpenAI, Google, any provider) at the `fetch` level and obfuscates detected PII in every message — including assistant history and Slack `<mailto:>` markup — before it leaves the process. Detected PII never reaches the LLM. Detection covers 100+ entity types; see [SECURITY.md](SECURITY.md) for known limitations. On the channel delivery side, Shroud registers `globalThis.__shroudDeobfuscate` — a single function that OpenClaw calls before sending to ANY channel (Slack, WhatsApp, Signal, web, etc.). One hook, all channels, transparent no-op if Shroud isn't loaded.
+> **How it works:** Shroud intercepts ALL outbound LLM API calls (Anthropic, OpenAI, Google, any provider) at the `fetch` level and obfuscates detected entities in every message — including assistant history and Slack `<mailto:>` markup — before it leaves the process. On the response side, SSE streaming is deobfuscated per content block with buffered flushing. Every delivery path (Slack, WhatsApp, TUI, Telegram, Discord, Signal, web) gets real text automatically. Zero host patches required.
+
+> **Requires OpenClaw 2026.3.24 or later.**
 
-> **Requires OpenClaw 2026.3.24 or later** with the channel delivery patch (see [OpenClaw patch](#openclaw-channel-delivery-patch) below).
+---
 
 ## Install
 
 ### OpenClaw (2026.3.24+)
 
 ```bash
-# Ensure you're on OpenClaw 2026.3.24 or later
-openclaw --version
-
-# Install Shroud
+openclaw --version    # ensure 2026.3.24+
 openclaw plugins install shroud-privacy
 ```
 
-Configure in `~/.openclaw/openclaw.json` under `plugins.entries."shroud-privacy".config`. No OpenClaw file modifications needed — Shroud uses runtime prototype patches only.
+Configure in `~/.openclaw/openclaw.json` under `plugins.entries."shroud-privacy".config`. No OpenClaw file modifications needed — Shroud uses runtime interception only.
 
 ### Any agent (via APP)
 
-The **Agent Privacy Protocol** (APP) lets any AI agent add privacy obfuscation — no OpenClaw required. Shroud ships with an APP server and a Python client.
+The **Agent Privacy Protocol** (APP) lets any AI agent add privacy and infrastructure protection — no OpenClaw required. Shroud ships with an APP server and a Python client.
 
 ```bash
 npm install shroud-privacy
@@ -81,19 +127,19 @@ node node_modules/shroud-privacy/app-server.mjs node_modules/shroud-privacy/dist
 
 Handshake (server writes on startup):
 ```json
-{"app":"1.0","engine":"shroud","version":"2.1.0","capabilities":["obfuscate","deobfuscate","batch","stats","health","configure","audit","partitions"]}
+{"app":"1.0","engine":"shroud","version":"2.2.7","capabilities":["obfuscate","deobfuscate","batch","stats","health","configure","audit","partitions"]}
 ```
 
 Obfuscate:
 ```json
-→ {"id":1,"method":"obfuscate","params":{"text":"Contact admin@acme.com"}}
-← {"id":1,"result":{"text":"Contact user@example.net","entityCount":1,"categories":{"email":1},"modified":true}}
+> {"id":1,"method":"obfuscate","params":{"text":"Contact admin@acme.com"}}
+< {"id":1,"result":{"text":"Contact user@example.net","entityCount":1,"categories":{"email":1},"modified":true}}
 ```
 
 Deobfuscate:
 ```json
-→ {"id":2,"method":"deobfuscate","params":{"text":"Contact user@example.net"}}
-← {"id":2,"result":{"text":"Contact admin@acme.com","replacementCount":1,"modified":true}}
+> {"id":2,"method":"deobfuscate","params":{"text":"Contact user@example.net"}}
+< {"id":2,"result":{"text":"Contact admin@acme.com","replacementCount":1,"modified":true}}
 ```
 
 Other methods: `reset`, `stats`, `health`, `configure`, `shutdown`.
@@ -111,12 +157,13 @@ openclaw gateway restart
 ## Updating
 
 ```bash
-# Remove old plugin, reinstall from npm, restart
 openclaw plugins remove shroud-privacy
 openclaw plugins install shroud-privacy
 openclaw gateway restart
 ```
 
+---
+
 ## Configure
 
 Edit `~/.openclaw/openclaw.json` under `plugins.entries."shroud-privacy".config`:
@@ -125,11 +172,7 @@ Edit `~/.openclaw/openclaw.json` under `plugins.entries."shroud-privacy".config`
 "shroud-privacy": {
   "enabled": true,
   "config": {
-    // Recommended: safe defaults for community use
     "auditEnabled": true           // audit log on — see what Shroud is doing
-    // "auditIncludeProofHashes": false  // off by default (opt-in)
-    // "auditMaxFakesSample": 0          // off by default (opt-in)
-    // "auditLogFormat": "human"         // human-readable single lines
     // "minConfidence": 0.0              // catch everything (default)
     // "secretKey": ""                   // auto-generated if empty
     // "persistentSalt": ""              // set for cross-session consistency
@@ -149,29 +192,17 @@ openclaw gateway restart
 Out of the box, Shroud:
 - Auto-generates a secret key (per-session unless you set `secretKey`)
 - Detects all entity categories at confidence >= 0.0
+- Passes through public URLs (DNS-verified) and well-known platforms
 - Logs audit lines (counts + categories) but **not** proof hashes or fake samples
-- Never logs raw values, real→fake mappings, or original text
+- Never logs raw values, real-to-fake mappings, or original text
 
-To enable proof hashes and fake samples for deeper audit:
-
-```jsonc
-"config": {
-  "auditEnabled": true,
-  "auditIncludeProofHashes": true,
-  "auditHashTruncate": 12,
-  "auditMaxFakesSample": 3
-}
-```
-
-## Config reference
-
-### Core settings
+### Config reference
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | `secretKey` | string | auto | HMAC secret for deterministic mapping |
 | `persistentSalt` | string | `""` | Fixed salt for cross-session consistency |
-| `minConfidence` | number | `0.0` | Minimum detector confidence (0.0–1.0) |
+| `minConfidence` | number | `0.0` | Minimum detector confidence (0.0-1.0) |
 | `allowlist` | string[] | `[]` | Values to never obfuscate |
 | `denylist` | string[] | `[]` | Values to always obfuscate |
 | `canaryEnabled` | boolean | `false` | Inject tracking tokens for leak detection |
@@ -204,58 +235,28 @@ Disable or tune individual detection rules by name. Rule names match the built-i
 }
 ```
 
-Rules not listed keep their defaults. Overrides apply to both direct regex detection and code-aware detection.
+---
 
-### Conversational tools
+## URL handling
 
-Shroud registers tools that the LLM can call during conversations:
+Shroud distinguishes between internal and external URLs:
 
-| Tool | What it does |
-|------|-------------|
-| `shroud-stats` | Show all detection rules with status, confidence, hit counts, store size, and config summary |
-| `shroud_status` | Quick stats: entity counts, session info, audit status (JSON) |
-| `shroud_reset` | Clear all mappings and start a fresh privacy session |
-
-You can also run the stats CLI from the terminal:
-
-```bash
-node ~/.openclaw/extensions/shroud-privacy/scripts/shroud-stats.mjs           # live rule table
-node ~/.openclaw/extensions/shroud-privacy/scripts/shroud-stats.mjs --json    # JSON output
-node ~/.openclaw/extensions/shroud-privacy/scripts/shroud-stats.mjs --test "Contact john@acme.com"
-```
-
-Tip: create an alias for convenience:
-```bash
-alias shroud-stats="node ~/.openclaw/extensions/shroud-privacy/scripts/shroud-stats.mjs"
-```
-
-The CLI reads live stats from `/tmp/shroud-stats.json` (override with `SHROUD_STATS_FILE` env var). The stats file is updated by the running gateway on every obfuscation event.
-
-### How privacy works
-
-Shroud uses **one `globalThis.fetch` intercept** for both directions — no OpenClaw file modifications required:
-
-**Outbound (PII → LLM):** The fetch intercept catches all POST requests to LLM API endpoints (`/v1/messages`, `/chat/completions`, `:generateContent`, etc.). Every message in the request body — user, assistant, system, tool results — is obfuscated before the request leaves the process. Slack `<mailto:>` markup is stripped to prevent PII leaking through chat formatting. Assistant messages from previous turns are re-obfuscated to prevent multi-turn PII leaks.
-
-**Inbound (LLM → User):** The same fetch intercept wraps the LLM's SSE streaming response with a per-block flushing `TransformStream`. Text deltas are buffered per content block. When `content_block_stop` arrives, the accumulated text is deobfuscated and flushed — the first delta receives the full real text, subsequent deltas are emptied. Non-PII blocks stream with zero delay. PII blocks delay by ~0.5-1s (time for one content block to complete). JSON (non-streaming) responses are parsed and deobfuscated directly.
+- **External URLs pass through.** When Shroud detects a URL, it checks the FQDN against a DNS cache populated in the `before_prompt_build` hook. If the domain resolves to a public IP, the URL is not obfuscated — the LLM needs to see real URLs for tool calls like `fetch` and `web_search`. Well-known platforms (GitHub, YouTube, Wikipedia, Stack Overflow, npm, PyPI, etc.) always pass through regardless of DNS.
 
-**Result:** OpenClaw receives already-deobfuscated events from the LLM response — it never sees fake text. Every delivery path (Slack, WhatsApp, TUI, Telegram, Discord, Signal, cron, subagents, web) gets real text automatically. Zero OpenClaw patches required. Works with `streaming: "on"` and `streaming: "off"`, and with every LLM provider.
+- **Internal URLs are obfuscated.** Domains that resolve to RFC 1918 addresses (10.x, 172.16-31.x, 192.168.x), CGNAT, link-local, loopback, or that fail DNS resolution (NXDOMAIN, timeout) are treated as internal infrastructure and obfuscated.
 
-**Defense-in-depth layers:**
-1. `EventStream.prototype.push()` patch — deobfuscates content blocks in `message_end` events
-2. `globalThis.__shroudDeobfuscate` — available for on-demand deobfuscation
-3. `message_sending` hook — deobfuscates outbound message content when fired by OpenClaw
-4. `before_message_write` hook — deobfuscates assistant messages in the transcript
+- **DNS cache miss = obfuscate.** If the FQDN hasn't been resolved yet (first message in a session, DNS timeout), the URL is obfuscated as a safe default. The cache warms on each turn, so subsequent mentions of the same domain will pass through if it's public.
 
-### Rule hit counters
+| URL | Resolves to | Action |
+|-----|-------------|--------|
+| `https://arxiv.org/abs/2301.12345` | 151.101.1.42 (public) | Pass through |
+| `https://docs.stripe.com/api` | 52.x.x.x (public) | Pass through |
+| `https://wiki.internal.corp/runbooks` | 10.0.0.50 (RFC 1918) | Obfuscate |
+| `https://jira.mycompany.net/issue/123` | 172.16.1.10 (RFC 1918) | Obfuscate |
+| `https://secret.local/admin` | NXDOMAIN | Obfuscate |
+| `https://github.com/org/repo` | (PUBLIC_DOMAINS list) | Pass through |
 
-Shroud tracks per-rule match counts for the lifetime of the process. Counters appear in three places:
-
-- **`shroud-stats` CLI** — see [Conversational tools](#conversational-tools) above for usage. Shows all rules with status, confidence, and hit counts from the running gateway.
-- **Audit log lines** — `byRule=regex:email:3,regex:ipv4:2,...` alongside the existing `byCat` field.
-- **`getStats()`** — the `ruleHits` object in the stats response, useful for programmatic access.
-
-Counters reset on `reset()` or gateway restart.
+---
 
 ## Redaction levels
 
@@ -269,25 +270,7 @@ Three output modes for different audiences:
 "redactionLevel": "masked"
 ```
 
-## Enterprise Edition
-
-The **Shroud Enterprise Edition** adds features for teams and regulated environments:
-
-- **Multi-tenant isolation** — per-tenant HMAC keying and mapping stores
-- **SIEM integration** — real-time event streaming to webhooks (JSON/CEF)
-- **Key rotation** — rotate secrets without losing existing mappings
-- **Active monitoring** — anomaly detection with alerting pipeline
-- **Policy-as-code** — external JSON policy files with glob/regex rules
-- **Shared store** — cross-agent file-backed mapping synchronization
-- **Compliance mode** — locked category enforcement with audit trail
-- **Exposure tracking** — rate-of-exposure alerting per category
-- **Hot-reload** — live rule updates without restart
-- **Session isolation** — per-session stores and mapping engines
-- **Session handoff** — encrypted export/import for session continuity
-- **Provenance tagging** — invisible audit markers in output
-- **Corpus pre-scanning** — batch obfuscation for RAG pipelines
-
-Contact for licensing: https://github.com/wkeything/shroud
+---
 
 ## Detection intelligence
 
@@ -297,15 +280,17 @@ Shroud includes a `ContextDetector` that wraps the regex engine with post-detect
 - **Proximity clustering**: When a name, email, and phone appear within 200 characters, each gets a confidence boost.
 - **Hostname propagation**: `hostname FCNETR1` in one place → bare `FCNETR1` detected everywhere in the text.
 - **Learned entities**: Hostnames and infra identifiers seen in previous messages are remembered and detected in future messages without requiring config-line context.
-- **Documentation filtering**: RFC 5737 TEST-NET IPs (192.0.2.x, 198.51.100.x, 203.0.113.x), RFC 3849 IPv6 doc prefix (`2001:db8::/32`), IPv6 loopback (`::1`), `example.com` emails, and well-known placeholders are automatically skipped.
-- **Public URL filtering**: URLs pointing to well-known public platforms (YouTube, GitHub, Wikipedia, Google, Reddit, Stack Overflow, npm, PyPI, Docker Hub, etc.) are never obfuscated — they aren't PII. Emails at these domains are still detected.
+- **Documentation filtering**: RFC 3849 IPv6 doc prefix (`2001:db8::/32`), IPv6 loopback (`::1`), `example.com` emails, and well-known placeholders are automatically skipped.
+- **DNS-based URL classification**: External URLs pass through to the LLM; internal URLs are obfuscated. See [URL handling](#url-handling).
 - **Common word decay**: Words like `permit`, `deny`, `default` that happen to match patterns get 50% confidence reduction.
 - **Recursive deobfuscation**: Up to 3 passes for nested structures (fakes inside JSON-encoded strings).
-- **Subnet-aware deobfuscation**: When an LLM derives network/broadcast addresses from fake host IPs (e.g., computing `.0` or `.255`), Shroud reverse-maps them via the SubnetMapper. Works for both CGNAT (IPv4) and ULA (IPv6) fake ranges, including LLM-compressed IPv6 forms.
+- **Subnet-aware deobfuscation**: When an LLM derives network/broadcast addresses from fake host IPs, Shroud reverse-maps them via the SubnetMapper. Works for both CGNAT (IPv4) and ULA (IPv6) fake ranges.
+
+---
 
 ## Verify it works
 
-After restarting OpenClaw, send a message containing PII (e.g. an email or IP). Then check the logs:
+After restarting OpenClaw, send a message containing sensitive data (e.g. an email, IP, or config snippet). Then check the logs:
 
 ```bash
 tail -f ~/.openclaw/logs/openclaw.log \
@@ -326,41 +311,44 @@ With proof hashes enabled:
 [shroud][audit] OBFUSCATE req=a3f1bc9e02d4e7f1 | entities=4 | chars=1200->1218 (delta=+18) | modified=YES | byCat=email:1,ip_address:2,hostname:1 | byRule=regex:email:1,regex:ipv4:2,regex:hostname:1 | proof_in=8a3c1f0e2b4d proof_out=f7d2a1c9e084 | fakes=[jsmith@corp.net|100.64.0.12|SW-LAB-01]
 ```
 
-### Audit field reference
+### Conversational tools
 
-| Field | Meaning |
-|-------|---------|
-| `req` | Random request ID (hex) — correlates obfuscate ↔ deobfuscate |
-| `entities` | Total entities detected and replaced |
-| `chars` | Input → output character count |
-| `delta` | Character count change (fakes may be longer/shorter) |
-| `modified` | `YES` if text was changed, `NO` if pass-through |
-| `byCat` | Entity counts by category |
-| `byRule` | Entity counts by detector rule |
-| `proof_in` | Truncated salted SHA-256 of input text (opt-in) |
-| `proof_out` | Truncated salted SHA-256 of output text (opt-in) |
-| `fakes` | Sample of fake replacement values (opt-in, never real values) |
+| Tool | What it does |
+|------|-------------|
+| `shroud-stats` | Show all detection rules with status, confidence, hit counts, store size, and config summary |
 
-### Note on log duplication
+CLI:
 
-OpenClaw logs each plugin message twice (once under the plugin subsystem logger, once under the parent `openclaw` logger). This is normal OpenClaw behavior. Filter to `"name":"openclaw"` to get one line per event, as shown in the verify command above.
+```bash
+shroud-stats                          # live rule table
+shroud-stats --json                   # JSON output
+shroud-stats --test "Contact john@acme.com"   # test detection
+```
+
+---
+
+## Entity categories
+
+`person_name`, `email`, `phone`, `ip_address`, `api_key`, `url`, `org_name`, `location`, `file_path`, `credit_card`, `ssn`, `mac_address`, `hostname`, `snmp_community`, `bgp_asn`, `network_credential`, `vlan_id`, `interface_desc`, `route_map`, `ospf_id`, `acl_name`, `iban`, `national_id`, `jwt`, `ics_identifier`, `gps_coordinate`, `certificate`, `custom`
+
+---
 
 ## Agent Privacy Protocol (APP)
 
-APP is an open protocol for adding privacy obfuscation to any AI agent. Shroud is the reference implementation.
+APP is an open protocol for adding privacy and infrastructure protection to any AI agent. Shroud is the reference implementation.
 
 ### Overview
 
 ```
-┌─────────────────┐     stdin/stdout     ┌──────────────────┐
-│   Your Agent    │ ◄──── JSON-RPC ────► │  APP Server      │
-│  (any language) │                      │  (app-server.mjs)│
-└─────────────────┘                      └──────────────────┘
-        │                                        │
-        │ 1. obfuscate(user_input)               │ detects PII,
-        │ 2. send to LLM ──────────────►         │ returns fakes
-        │ 3. deobfuscate(llm_response)           │ restores reals
-        │ 4. show to user                        │
++-------------------+     stdin/stdout     +------------------+
+|   Your Agent      | <---- JSON-RPC ----> |  APP Server      |
+|  (any language)   |                      |  (app-server.mjs)|
++-------------------+                      +------------------+
+        |                                        |
+        | 1. obfuscate(user_input)               | detects entities,
+        | 2. send to LLM                         | returns fakes
+        | 3. deobfuscate(llm_response)           | restores reals
+        | 4. show to user                        |
 ```
 
 ### Protocol specification
@@ -369,20 +357,6 @@ APP is an open protocol for adding privacy obfuscation to any AI agent. Shroud i
 - **Encoding**: UTF-8
 - **Process model**: Agent spawns APP server as subprocess, one per agent instance
 
-### Handshake
-
-On startup, the server writes a single JSON line to stdout:
-
-```json
-{"app":"1.0","engine":"shroud","version":"2.1.0","capabilities":["obfuscate","deobfuscate","batch","stats","health","configure","audit","partitions"]}
-```
-
-The agent must read this line before sending requests. Fields:
-- `app` — protocol version (always `"1.0"`)
-- `engine` — implementation name
-- `version` — implementation version
-- `capabilities` — supported methods
-
 ### Methods
 
 | Method | Params | Returns | Description |
@@ -396,38 +370,8 @@ The agent must read this line before sending requests. Fields:
 | `batch` | `{operations: [{direction, text}]}` | `{results: [...]}` | Batch obfuscate/deobfuscate |
 | `shutdown` | `{}` | `{ok}` | Graceful shutdown (flushes stats) |
 
-### Request/response format
-
-```
-→ {"id":1,"method":"obfuscate","params":{"text":"Server 10.1.0.1 is down"}}
-← {"id":1,"result":{"text":"Server 100.64.0.12 is down","entityCount":1,"categories":{"ip_address":1},"modified":true,"audit":{"requestId":"a1b2c3","proofIn":"8a3c1f","proofOut":"f7d2a1"}}}
-```
-
-Errors:
-```
-← {"id":1,"error":{"code":-32602,"message":"Missing required param: text"}}
-```
-
-### Heartbeat
-
-The server writes JSON heartbeats to stderr every 30 seconds:
-```json
-{"heartbeat":true,"pid":12345,"uptime":120,"requests":42,"avgLatencyMs":1.2,"storeSize":15,"memoryMB":28}
-```
-
-### Integration checklist
-
-1. `npm install shroud-privacy`
-2. Spawn: `node node_modules/shroud-privacy/app-server.mjs node_modules/shroud-privacy/dist`
-3. Read handshake line from stdout
-4. Before LLM: send `obfuscate`, use returned `text`
-5. After LLM: send `deobfuscate`, show returned `text` to user
-6. On agent shutdown: send `shutdown`
-
 ### Python client
 
-A ready-made Python client is included at `clients/python/shroud_client.py`:
-
 ```python
 from shroud_client import ShroudClient
 
@@ -446,72 +390,25 @@ print(real.residual_fakes) # any CGNAT/ULA IPs that survived
 client.stop()
 ```
 
-Supports context manager, auto-restart on crash, residual fake detection, and hot-reload via `configure()`.
+---
 
 ## Development
 
 ```bash
 npm install
-npm test          # run vitest (777 tests)
+npm test          # all 3 suites: unit + harness + openclaw
+npm run test:unit      # vitest (819 tests)
+npm run test:integration  # APP harness (359 tests)
+npm run test:openclaw  # OpenClaw sandbox (14 tests)
 npm run build     # compile TypeScript
 npm run lint      # type-check without emitting
 ```
 
-### Deploy after changes
-
-```bash
-npm run build
-openclaw plugins install --path .
-openclaw gateway restart
-```
-
-## Release workflow
-
-### Tagging a release
-
-```bash
-# 1. Update version in package.json and openclaw.plugin.json
-# 2. Update CHANGELOG.md
-# 3. Commit and tag
-git add -A
-git commit -m "release: vX.Y.Z"
-git tag vX.Y.Z
-git push && git push --tags
-```
-
-Then create a GitHub Release from the tag (attach the changelog entry as notes).
-
-### npm publish (maintainers only)
-
-```bash
-# Pre-flight (always run before publishing)
-npm pack --dry-run             # verify only dist/, openclaw.plugin.json, LICENSE are included
-npm run prepublishOnly         # lint + test + build (runs automatically on npm publish)
-
-# One-time setup (when you decide to publish)
-npm login
-npm profile enable-2fa auth-and-writes
-
-# Publish
-npm publish                    # publishConfig.access = "public" is already set
-```
-
-**Security notes:**
-- Enable 2FA for both login and publish (`auth-and-writes`). This prevents token-only takeover.
-- Never commit npm tokens to git. Use `npm login` interactively or set `NPM_TOKEN` as a GitHub Actions secret.
-- Use `npm publish --provenance` in CI to add Sigstore attestation (links the package to the exact source commit).
-
-### CI
-
-The repo includes `.github/workflows/ci.yml` which runs lint + test + build on every push and PR. The publish job is present but only triggers on `v*` tags and requires `NPM_TOKEN` as a repository secret — it will no-op until that secret is configured.
-
-## Entity categories
-
-`person_name`, `email`, `phone`, `ip_address`, `api_key`, `url`, `org_name`, `location`, `file_path`, `credit_card`, `ssn`, `mac_address`, `hostname`, `snmp_community`, `bgp_asn`, `network_credential`, `vlan_id`, `interface_desc`, `route_map`, `ospf_id`, `acl_name`, `iban`, `national_id`, `jwt`, `ics_identifier`, `gps_coordinate`, `certificate`, `custom`
+---
 
 ## Disclaimer
 
-This software is provided "as is", without warranty of any kind, express or implied. Shroud uses regex-based detection which may not catch all sensitive data. It reduces PII exposure but does not eliminate it. See [SECURITY.md](SECURITY.md) for known limitations. The authors assume no responsibility for data leakage, compliance failures, or any damages arising from use of this software.
+This software is provided "as is", without warranty of any kind, express or implied. Shroud uses regex-based detection which may not catch all sensitive data. It reduces exposure but does not eliminate it. See [SECURITY.md](SECURITY.md) for known limitations. The authors assume no responsibility for data leakage, compliance failures, or any damages arising from use of this software.
 
 ## License
 

package/dist/detectors/regex.js

@@ -98,6 +98,15 @@ export function isDocExample(value, category) {
                         return true;
                     }
                 }
+                // DNS-based public URL detection: if the FQDN resolves to a public IP,
+                // the URL is external and should not be obfuscated. The cache is warmed
+                // asynchronously in before_prompt_build; cache miss → obfuscate (safe default).
+                const dnsCache = globalThis.__shroudDnsCache;
+                if (dnsCache) {
+                    const isPublic = dnsCache.isPublic(value);
+                    if (isPublic === true)
+                        return true;
+                }
             }
             return false;
         }
@@ -1208,6 +1217,9 @@ export class RegexDetector {
                         }
                         // Skip documentation/example values (#7)
                         if (isDocExample(grp, pdef.category)) {
+                            // Still register the span to prevent other detectors
+                            // (e.g., file_path) from matching inside a skipped URL
+                            spans.add(grpStart, grpEnd);
                             continue;
                         }
                         spans.add(grpStart, grpEnd);
@@ -1234,6 +1246,9 @@ export class RegexDetector {
                     }
                     // Skip documentation/example values (#7)
                     if (isDocExample(value, pdef.category)) {
+                        // Still register the span to prevent other detectors
+                        // (e.g., file_path) from matching inside a skipped URL
+                        spans.add(start, end);
                         continue;
                     }
                     spans.add(start, end);

package/dist/dns-cache.d.ts

@@ -0,0 +1,61 @@
+/**
+ * DNS resolution cache for URL classification.
+ *
+ * Resolves FQDNs to determine whether they point to public (external) or
+ * private (internal/RFC 1918) addresses. Public URLs are passed through
+ * without obfuscation — the LLM needs to see real URLs to make tool call
+ * decisions (e.g., "fetch this page").
+ *
+ * Design:
+ *   - warmCache() is async — called in the before_prompt_build hook
+ *   - isPublic() is sync — checked in the obfuscation pipeline's isDocExample()
+ *   - Cache miss = null (unknown) → obfuscate (safe default, privacy-first)
+ *   - Uses only Node.js builtins (dns, net). Zero runtime dependencies.
+ */
+/**
+ * RFC 1918 + other private/reserved IPv4 ranges.
+ * Returns true if the IP should be treated as internal.
+ */
+export declare function isPrivateIPv4(ip: string): boolean;
+/**
+ * Check if an IPv6 address is private/reserved.
+ */
+export declare function isPrivateIPv6(ip: string): boolean;
+/**
+ * Extract FQDN from a URL string.
+ * Returns null if the URL is malformed or the host is an IP literal.
+ */
+export declare function extractFqdn(url: string): string | null;
+export declare class DnsCache {
+    private _cache;
+    private _ttlMs;
+    private _pending;
+    constructor(ttlMs?: number);
+    /**
+     * Resolve an array of URLs and warm the cache.
+     * Called from the async before_prompt_build hook.
+     * Resolves all FQDNs in parallel for speed.
+     */
+    warmCache(urls: string[]): Promise<void>;
+    /**
+     * Check if a URL points to a public (external) host.
+     *
+     * Returns:
+     *   true  — resolved to a public IP, safe to pass through
+     *   false — resolved to a private IP, should be obfuscated
+     *   null  — not in cache (DNS not yet resolved), obfuscate as safe default
+     */
+    isPublic(url: string): boolean | null;
+    /**
+     * Get the resolved address for a URL (for logging/audit).
+     */
+    getAddress(url: string): string | null;
+    /** Number of cached entries. */
+    get size(): number;
+    /** Clear the cache. */
+    clear(): void;
+    /** Pre-seed the cache (for testing with /etc/hosts or mocks). */
+    seed(fqdn: string, address: string | null, isPublic: boolean): void;
+    private _isCached;
+    private _resolve;
+}

package/dist/dns-cache.js

@@ -0,0 +1,224 @@
+/**
+ * DNS resolution cache for URL classification.
+ *
+ * Resolves FQDNs to determine whether they point to public (external) or
+ * private (internal/RFC 1918) addresses. Public URLs are passed through
+ * without obfuscation — the LLM needs to see real URLs to make tool call
+ * decisions (e.g., "fetch this page").
+ *
+ * Design:
+ *   - warmCache() is async — called in the before_prompt_build hook
+ *   - isPublic() is sync — checked in the obfuscation pipeline's isDocExample()
+ *   - Cache miss = null (unknown) → obfuscate (safe default, privacy-first)
+ *   - Uses only Node.js builtins (dns, net). Zero runtime dependencies.
+ */
+import { lookup } from "node:dns";
+import { isIPv4, isIPv6 } from "node:net";
+/** Default cache TTL: 1 hour. */
+const DEFAULT_TTL_MS = 60 * 60 * 1000;
+/**
+ * RFC 1918 + other private/reserved IPv4 ranges.
+ * Returns true if the IP should be treated as internal.
+ */
+export function isPrivateIPv4(ip) {
+    const parts = ip.split(".").map(Number);
+    if (parts.length !== 4 || parts.some((p) => isNaN(p)))
+        return true; // malformed → treat as private
+    const [a, b] = parts;
+    // 10.0.0.0/8 — RFC 1918
+    if (a === 10)
+        return true;
+    // 172.16.0.0/12 — RFC 1918 (172.16.0.0 – 172.31.255.255)
+    if (a === 172 && b >= 16 && b <= 31)
+        return true;
+    // 192.168.0.0/16 — RFC 1918
+    if (a === 192 && b === 168)
+        return true;
+    // 127.0.0.0/8 — loopback
+    if (a === 127)
+        return true;
+    // 169.254.0.0/16 — link-local
+    if (a === 169 && b === 254)
+        return true;
+    // 100.64.0.0/10 — CGNAT (Shroud's fake range — definitely private)
+    if (a === 100 && b >= 64 && b <= 127)
+        return true;
+    // 0.0.0.0/8 — "this" network
+    if (a === 0)
+        return true;
+    // 224.0.0.0/4 — multicast
+    if (a >= 224 && a <= 239)
+        return true;
+    // 240.0.0.0/4 — reserved
+    if (a >= 240)
+        return true;
+    return false;
+}
+/**
+ * Check if an IPv6 address is private/reserved.
+ */
+export function isPrivateIPv6(ip) {
+    const lower = ip.toLowerCase();
+    // ::1 — loopback
+    if (lower === "::1")
+        return true;
+    // fc00::/7 — unique local (ULA)
+    if (lower.startsWith("fc") || lower.startsWith("fd"))
+        return true;
+    // fe80::/10 — link-local
+    if (lower.startsWith("fe80"))
+        return true;
+    // :: — unspecified
+    if (lower === "::")
+        return true;
+    return false;
+}
+/**
+ * Extract FQDN from a URL string.
+ * Returns null if the URL is malformed or the host is an IP literal.
+ */
+export function extractFqdn(url) {
+    // Match protocol://host[:port][/path]
+    const match = url.match(/^https?:\/\/([^/:]+)/i);
+    if (!match)
+        return null;
+    const host = match[1].toLowerCase();
+    // Skip IP literals — they're handled by the IP detector, not the URL detector
+    if (isIPv4(host) || isIPv6(host) || host.startsWith("["))
+        return null;
+    // Skip localhost
+    if (host === "localhost")
+        return null;
+    // Must have at least one dot (skip bare hostnames)
+    if (!host.includes("."))
+        return null;
+    return host;
+}
+export class DnsCache {
+    _cache = new Map();
+    _ttlMs;
+    _pending = new Map();
+    constructor(ttlMs = DEFAULT_TTL_MS) {
+        this._ttlMs = ttlMs;
+    }
+    /**
+     * Resolve an array of URLs and warm the cache.
+     * Called from the async before_prompt_build hook.
+     * Resolves all FQDNs in parallel for speed.
+     */
+    async warmCache(urls) {
+        const fqdns = new Set();
+        for (const url of urls) {
+            const fqdn = extractFqdn(url);
+            if (fqdn && !this._isCached(fqdn)) {
+                fqdns.add(fqdn);
+            }
+        }
+        if (fqdns.size === 0)
+            return;
+        const promises = [...fqdns].map((fqdn) => this._resolve(fqdn));
+        await Promise.allSettled(promises);
+    }
+    /**
+     * Check if a URL points to a public (external) host.
+     *
+     * Returns:
+     *   true  — resolved to a public IP, safe to pass through
+     *   false — resolved to a private IP, should be obfuscated
+     *   null  — not in cache (DNS not yet resolved), obfuscate as safe default
+     */
+    isPublic(url) {
+        const fqdn = extractFqdn(url);
+        if (!fqdn)
+            return null;
+        const entry = this._cache.get(fqdn);
+        if (!entry)
+            return null;
+        // Check TTL
+        if (Date.now() - entry.resolvedAt > this._ttlMs) {
+            this._cache.delete(fqdn);
+            return null;
+        }
+        return entry.isPublic;
+    }
+    /**
+     * Get the resolved address for a URL (for logging/audit).
+     */
+    getAddress(url) {
+        const fqdn = extractFqdn(url);
+        if (!fqdn)
+            return null;
+        return this._cache.get(fqdn)?.address ?? null;
+    }
+    /** Number of cached entries. */
+    get size() {
+        return this._cache.size;
+    }
+    /** Clear the cache. */
+    clear() {
+        this._cache.clear();
+        this._pending.clear();
+    }
+    /** Pre-seed the cache (for testing with /etc/hosts or mocks). */
+    seed(fqdn, address, isPublic) {
+        this._cache.set(fqdn.toLowerCase(), {
+            address,
+            isPublic,
+            resolvedAt: Date.now(),
+        });
+    }
+    _isCached(fqdn) {
+        const entry = this._cache.get(fqdn);
+        if (!entry)
+            return false;
+        return Date.now() - entry.resolvedAt <= this._ttlMs;
+    }
+    _resolve(fqdn) {
+        // Deduplicate concurrent lookups for the same FQDN
+        const existing = this._pending.get(fqdn);
+        if (existing)
+            return existing;
+        const promise = new Promise((resolve) => {
+            // 3-second timeout to avoid blocking the hook
+            const timer = setTimeout(() => {
+                const entry = {
+                    address: null,
+                    isPublic: false, // timeout → treat as private (safe default)
+                    resolvedAt: Date.now(),
+                };
+                this._cache.set(fqdn, entry);
+                this._pending.delete(fqdn);
+                resolve(entry);
+            }, 3000);
+            lookup(fqdn, { all: false }, (err, address, family) => {
+                clearTimeout(timer);
+                let entry;
+                if (err || !address) {
+                    // NXDOMAIN, ENOTFOUND, etc. → treat as private
+                    entry = {
+                        address: null,
+                        isPublic: false,
+                        resolvedAt: Date.now(),
+                    };
+                }
+                else {
+                    const isPrivate = family === 4
+                        ? isPrivateIPv4(address)
+                        : family === 6
+                            ? isPrivateIPv6(address)
+                            : true; // unknown family → private
+                    entry = {
+                        address,
+                        isPublic: !isPrivate,
+                        resolvedAt: Date.now(),
+                    };
+                }
+                this._cache.set(fqdn, entry);
+                this._pending.delete(fqdn);
+                resolve(entry);
+            });
+        });
+        this._pending.set(fqdn, promise);
+        return promise;
+    }
+}

package/dist/hooks.js

@@ -24,6 +24,7 @@ import { createHash, randomBytes } from "node:crypto";
 import { writeFileSync } from "node:fs";
 import { BUILTIN_PATTERNS } from "./detectors/regex.js";
 import { STATS_FILE, IS_TEST } from "./config.js";
+import { DnsCache } from "./dns-cache.js";
 function getSharedObfuscator(fallback) {
     return globalThis.__shroudObfuscator || fallback;
 }
@@ -191,6 +192,10 @@ export function registerHooks(api, obfuscator) {
         else {
             g.__shroudObfuscator = obfuscator;
         }
+        // DNS cache for public URL detection — shared across plugin instances
+        if (!g.__shroudDnsCache) {
+            g.__shroudDnsCache = new DnsCache();
+        }
     }
     // All hook closures must use the shared obfuscator, not the local parameter.
     // OpenClaw loads the plugin multiple times; only one instance has the mappings.
@@ -206,6 +211,44 @@ export function registerHooks(api, obfuscator) {
         if (ob().toolDepth > 0) {
             ob().resetToolDepth();
         }
+        // ── DNS cache warming ──
+        // Extract all URLs from the prompt and messages, resolve their FQDNs
+        // to determine public vs private. This runs BEFORE obfuscation so
+        // the sync pipeline's isDocExample() can check the cache.
+        const dnsCache = globalThis.__shroudDnsCache;
+        if (dnsCache) {
+            const urlRe = /https?:\/\/[^\s<>"')\]]+[^\s<>"')\].,;:!?]/g;
+            const allUrls = [];
+            if (typeof event?.prompt === "string") {
+                for (const m of event.prompt.matchAll(urlRe))
+                    allUrls.push(m[0]);
+            }
+            if (Array.isArray(event?.messages)) {
+                for (const msg of event.messages) {
+                    const texts = [];
+                    if (typeof msg.content === "string")
+                        texts.push(msg.content);
+                    else if (Array.isArray(msg.content)) {
+                        for (const b of msg.content) {
+                            if (b?.type === "text" && typeof b.text === "string")
+                                texts.push(b.text);
+                        }
+                    }
+                    for (const text of texts) {
+                        for (const m of text.matchAll(urlRe))
+                            allUrls.push(m[0]);
+                    }
+                }
+            }
+            if (allUrls.length > 0) {
+                try {
+                    await dnsCache.warmCache(allUrls);
+                }
+                catch {
+                    // DNS failure is non-fatal — URLs will be obfuscated (safe default)
+                }
+            }
+        }
         let totalEntities = 0;
         // Obfuscate the system prompt
         const prompt = event?.prompt;

package/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "shroud-privacy",
   "name": "Shroud",
-  "version": "2.2.3",
+  "version": "2.2.7",
   "description": "Privacy obfuscation with deterministic fake values and deobfuscation — PII never reaches the LLM, tool calls still work",
   "configSchema": {
     "type": "object",

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "shroud-privacy",
-  "version": "2.2.5",
-  "description": "Privacy obfuscation for AI agents — detects PII and replaces with deterministic fake values before anything reaches the LLM. Works with OpenClaw (plugin) or any agent (APP protocol).",
+  "version": "2.2.7",
+  "description": "Privacy and infrastructure protection for AI agents — detects sensitive data (PII, network topology, credentials, OT/SCADA) and replaces with deterministic fakes before anything reaches the LLM.",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",