shroud-privacy 2.4.0 → 2.5.1

package/README.md

@@ -17,7 +17,7 @@
   <a href="CHANGELOG.md">Changelog</a>
 </p>
 
-> Apache 2.0 &middot; Zero runtime dependencies &middot; Anthropic + OpenAI + Google supported &middot; Prompt-caching friendly &middot; Works with [OpenClaw](https://openclaw.ai) or any agent via [APP](#agent-privacy-protocol-app)
+> Apache 2.0 &middot; Zero runtime dependencies &middot; Anthropic + OpenAI + Google supported &middot; Prompt-caching friendly &middot; Works with [OpenClaw](https://openclaw.ai), [Hermes Agent](https://github.com/nousresearch/hermes-agent), or any agent via [APP](#agent-privacy-protocol-app)
 
 ---
 
@@ -32,7 +32,7 @@ Frontier LLMs are transformative for infrastructure operations — network troub
 - **Customer PII** — emails, phone numbers, national IDs, credit cards, physical addresses
 - **Internal URLs** — wiki pages, Jira tickets, admin portals, API endpoints
 
-Shroud sits between your agent and the LLM. It detects all of the above (100+ entity types), replaces each with a deterministic format-preserving fake, and reverses the mapping on the way back. The LLM reasons over realistic-looking data. Your real infrastructure stays private.
+Shroud sits between your agent and the LLM. It detects all of the above (130+ entity types), replaces each with a deterministic format-preserving fake, and reverses the mapping on the way back. The LLM reasons over realistic-looking data. Your real infrastructure stays private.
 
 ### Who needs this
 
@@ -56,7 +56,7 @@ Shroud does not guarantee compliance — regex-based detection has limitations (
 
 ## What it does
 
-1. **Detects** 100+ entity types: emails, IPs, phones, API keys, hostnames, SNMP communities, BGP ASNs, credit cards, SSNs, file paths, URLs, person/org/location names, VLANs, route-maps, ACLs, OSPF IDs, IBANs, JWTs, PEM certs, GPS coordinates, ICS/SCADA identifiers, vendor-specific secrets (Cisco, Juniper, Palo Alto, Check Point, Fortinet, F5, Arista), and custom regex patterns.
+1. **Detects** 130+ entity types: emails, IPs, phones, API keys, hostnames, SNMP communities, BGP ASNs, credit cards, SSNs, file paths, URLs, person/org/location names, VLANs, route-maps, ACLs, OSPF IDs, IBANs, JWTs, PEM certs, GPS coordinates, ICS/SCADA identifiers, dates of birth, medical record numbers (MRN/NPI/DEA), bank accounts (routing/sort code/SWIFT), tax IDs (EIN/UTR), passport numbers, driver's licenses, court case/docket/patent numbers, cryptocurrency addresses (Ethereum/Bitcoin), AWS ARNs, vendor-specific secrets (Cisco, Juniper, Palo Alto, Check Point, Fortinet, F5, Arista), and custom regex patterns.
 2. **Replaces** each value with a deterministic fake (same input + key = same fake every time). Fakes are format-preserving: IPv4 stays in CGNAT range (`100.64.0.0/10`), IPv6 uses ULA range (`fd00::/8`), emails keep `@domain` structure, credit cards pass Luhn, etc.
 3. **Passes through public URLs** — external URLs (arxiv.org, docs.stripe.com, etc.) are not obfuscated. Shroud resolves FQDNs via DNS: public IPs pass through, RFC 1918 / NXDOMAIN / internal IPs are obfuscated. Well-known platforms (GitHub, YouTube, Wikipedia, etc.) are always passed through.
 4. **Deobfuscates** LLM responses and tool parameters so the user sees real values and tools receive real arguments.
@@ -102,6 +102,44 @@ openclaw plugins install shroud-privacy
 
 Configure in `~/.openclaw/openclaw.json` under `plugins.entries."shroud-privacy".config`. No OpenClaw file modifications needed — Shroud uses runtime interception only.
 
+### Hermes Agent
+
+```bash
+hermes plugins install wkeything/shroud
+```
+
+That's it. The plugin auto-builds on first session start (requires Node.js). All LLM traffic is obfuscated transparently — no Hermes configuration changes needed.
+
+Per-tool field scoping is enabled by default, reducing false positives on structural fields (IDs, hashes, timestamps). Works with all Hermes-supported providers (OpenRouter, Anthropic, OpenAI, z.ai, local models).
+
+**Config-as-code** is supported — edit `~/.shroud/shroud.config.json` to customize detection rules, field scoping, and confidence thresholds. Changes hot-reload within 2 seconds, no restart needed. The config file is shared with OpenClaw — edits apply to both platforms.
+
+Verify after a conversation:
+```bash
+cat ~/.hermes/shroud-stats.json | python3 -m json.tool
+```
+
+### Claude Code
+
+```bash
+npm install shroud-privacy
+```
+
+Add to your project's `.mcp.json` or `~/.claude/.mcp.json`:
+
+```json
+{
+  "mcpServers": {
+    "shroud": {
+      "command": "node",
+      "args": ["node_modules/shroud-privacy/clients/claude-code/shroud-mcp.mjs"]
+    }
+  }
+}
+```
+
+That's it — the MCP server auto-starts the privacy engine. Claude gains six tools: `shroud_obfuscate`, `shroud_deobfuscate`, `shroud_status`, `shroud_scan_tool`, `shroud_configure`, and `shroud_reset`.
+
 ### Any agent (via APP)
 
 The **Agent Privacy Protocol** (APP) lets any AI agent add privacy and infrastructure protection — no OpenClaw required. Shroud ships with an APP server and a Python client.
@@ -230,9 +268,37 @@ Out of the box, Shroud:
 | `redactionLevel` | `"full"` \| `"masked"` \| `"stats"` | `"full"` | Output mode: fake values, partial masking, or category placeholders |
 | `dryRun` | boolean | `false` | Detect entities but don't replace (testing mode) |
 | `maxStoreMappings` | number | `0` | Max mapping store size with LRU eviction (0 = unlimited) |
+| `fieldScoping` | object | — | Per-tool field scoping and per-agent category exemptions (see below) |
 
 > **Env var overrides:** `SHROUD_SECRET_KEY` and `SHROUD_PERSISTENT_SALT` override their respective config keys (priority: env var > plugin config > default).
 
+### Per-tool field scoping
+
+By default Shroud scans every string field in every message. This catches everything but produces false positives — file paths agents need, config values, UUIDs matching credit card patterns.
+
+Field scoping narrows what gets scanned. Add a `fieldScoping` block to `shroud.config.json`:
+
+```jsonc
+{
+  "fieldScoping": {
+    "toolFields": {
+      "Read":     { "scanFields": ["content", "text"] },
+      "Bash":     { "scanFields": ["output", "stdout", "stderr"] },
+      "gmail_*":  { "scanFields": ["subject", "body", "snippet", "from", "to"] },
+      "github_*": { "scanFields": ["title", "body", "description", "comment"] }
+    },
+    "neverScanFields": ["id", "created_at", "updated_at", "sha", "hash", "ref", "type", "status"],
+    "defaultScanFields": []
+  }
+}
+```
+
+**`toolFields`** maps tool name patterns (wildcards `*` `?` supported) to the fields that should be scanned in their results. Unmatched tools fall back to `defaultScanFields` — set it to `[]` to scan everything for unknown tools (safe default).
+
+**`neverScanFields`** lists structural fields that never contain user-generated content. These are skipped regardless of tool.
+
+Hot-reloadable. No config = scan everything (backward compatible).
+
 ### Detection rules as code (hot-reload)
 
 Shroud auto-generates a JSONC config file on first run containing every built-in detection rule:
@@ -409,7 +475,7 @@ shroud-stats --test "Contact john@acme.com"   # test detection
 
 ## Entity categories
 
-`person_name`, `email`, `phone`, `ip_address`, `api_key`, `url`, `org_name`, `location`, `file_path`, `credit_card`, `ssn`, `mac_address`, `hostname`, `snmp_community`, `bgp_asn`, `network_credential`, `vlan_id`, `interface_desc`, `route_map`, `ospf_id`, `acl_name`, `iban`, `national_id`, `jwt`, `ics_identifier`, `gps_coordinate`, `certificate`, `custom`
+`person_name`, `email`, `phone`, `ip_address`, `api_key`, `url`, `org_name`, `location`, `file_path`, `credit_card`, `ssn`, `mac_address`, `hostname`, `snmp_community`, `bgp_asn`, `network_credential`, `vlan_id`, `interface_desc`, `route_map`, `ospf_id`, `acl_name`, `iban`, `national_id`, `jwt`, `ics_identifier`, `gps_coordinate`, `certificate`, `date_of_birth`, `medical_record_number`, `bank_account_number`, `tax_id`, `passport_number`, `drivers_license`, `case_number`, `cryptocurrency_address`, `aws_arn`, `custom`
 
 ---
 

package/dist/config-manager.js

@@ -154,6 +154,19 @@ export class ConfigManager {
             "  // Edit rules here. Changes hot-reload within 2 seconds (no restart needed).",
             "  // Priority: env vars > this file > plugin config > defaults.",
             "  //",
+            "  // Per-tool field scoping — controls which fields get scanned for PII.",
+            "  // Reduces false positives from structural fields (IDs, hashes, timestamps).",
+            '  "fieldScoping": {',
+            '    "toolFields": {',
+            '      "Read":     { "scanFields": ["content", "text"] },',
+            '      "read":     { "scanFields": ["content", "text"] },',
+            '      "Bash":     { "scanFields": ["output", "stdout", "stderr"] },',
+            '      "exec":     { "scanFields": ["output", "stdout", "stderr"] }',
+            "    },",
+            '    "neverScanFields": ["id", "created_at", "updated_at", "sha", "hash", "ref", "type", "status", "state", "mode"],',
+            '    "defaultScanFields": []',
+            "  },",
+            "  //",
             "  // Rule format:",
             '  //   "rule_name": {',
             '  //     "pattern": "regex string",     // override or define the detection regex',

package/dist/config.js

@@ -82,6 +82,31 @@ export function resolveConfig(pluginConfig) {
         dryRun: typeof raw.dryRun === "boolean" ? raw.dryRun : false,
         // LRU store eviction (0 = unlimited)
         maxStoreMappings: typeof raw.maxStoreMappings === "number" ? raw.maxStoreMappings : 0,
+        // Field scoping (optional, backward compatible)
+        fieldScoping: (() => {
+            const fs = raw.fieldScoping;
+            if (!fs || typeof fs !== "object")
+                return undefined;
+            const fsc = fs;
+            const toolFields = {};
+            if (fsc.toolFields && typeof fsc.toolFields === "object") {
+                for (const [pattern, rule] of Object.entries(fsc.toolFields)) {
+                    if (rule && typeof rule === "object" && Array.isArray(rule.scanFields)) {
+                        toolFields[pattern] = { scanFields: rule.scanFields.filter((f) => typeof f === "string") };
+                    }
+                }
+            }
+            return {
+                toolFields,
+                neverScanFields: Array.isArray(fsc.neverScanFields)
+                    ? fsc.neverScanFields.filter((f) => typeof f === "string")
+                    : [],
+                defaultScanFields: Array.isArray(fsc.defaultScanFields)
+                    ? fsc.defaultScanFields.filter((f) => typeof f === "string")
+                    : [],
+                useContractExemptions: typeof fsc.useContractExemptions === "boolean" ? fsc.useContractExemptions : false,
+            };
+        })(),
     };
     return config;
 }

package/dist/field-scope.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Per-tool field scoping and per-agent category exemptions for obfuscation.
+ *
+ * Reduces false positives by only scanning relevant fields per tool and
+ * exempting entity categories that the agent's contract allows.
+ */
+import type { FieldScopingConfig, ScopeDecision } from "./types.js";
+export declare class FieldScopeResolver {
+    private readonly toolPatterns;
+    private readonly neverScanFields;
+    private readonly defaultScanFields;
+    private readonly useContractExemptions;
+    private readonly enabled;
+    constructor(config?: FieldScopingConfig);
+    /** Resolve which fields to scan for a given tool name. */
+    resolveToolScope(toolName: string): ScopeDecision;
+    /**
+     * Resolve which entity categories are exempt from obfuscation for an agent.
+     * Uses the agent contract's allowedDataClasses — those categories are data
+     * the agent is trusted to handle, so obfuscating them is counterproductive.
+     */
+    resolveAgentExemptions(agentLabel: string, role: string): Set<string>;
+    /** Check if a field should be scanned given the resolved scope. */
+    shouldScanField(fieldName: string, scope: ScopeDecision): boolean;
+}

package/dist/field-scope.js

@@ -0,0 +1,92 @@
+/**
+ * Per-tool field scoping and per-agent category exemptions for obfuscation.
+ *
+ * Reduces false positives by only scanning relevant fields per tool and
+ * exempting entity categories that the agent's contract allows.
+ */
+/** Simple wildcard matching (supports * and ?). */
+function wildcardMatch(value, pattern) {
+    const escaped = pattern
+        .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+        .replace(/\*/g, ".*")
+        .replace(/\?/g, ".");
+    return new RegExp(`^${escaped}$`, "i").test(value);
+}
+export class FieldScopeResolver {
+    toolPatterns;
+    neverScanFields;
+    defaultScanFields;
+    useContractExemptions;
+    enabled;
+    constructor(config) {
+        if (!config) {
+            this.enabled = false;
+            this.toolPatterns = [];
+            this.neverScanFields = new Set();
+            this.defaultScanFields = new Set();
+            this.useContractExemptions = false;
+            return;
+        }
+        this.enabled = true;
+        this.neverScanFields = new Set(config.neverScanFields ?? []);
+        this.defaultScanFields = new Set(config.defaultScanFields ?? []);
+        this.useContractExemptions = config.useContractExemptions ?? false;
+        this.toolPatterns = [];
+        for (const [pattern, rule] of Object.entries(config.toolFields ?? {})) {
+            this.toolPatterns.push({ pattern, scanFields: new Set(rule.scanFields) });
+        }
+    }
+    /** Resolve which fields to scan for a given tool name. */
+    resolveToolScope(toolName) {
+        if (!this.enabled) {
+            return { mode: "all", scanFields: new Set(), neverScanFields: new Set() };
+        }
+        // Find first matching tool pattern
+        for (const { pattern, scanFields } of this.toolPatterns) {
+            if (wildcardMatch(toolName, pattern)) {
+                return {
+                    mode: "selected",
+                    scanFields,
+                    neverScanFields: this.neverScanFields,
+                };
+            }
+        }
+        // No match — use default
+        if (this.defaultScanFields.size > 0) {
+            return {
+                mode: "selected",
+                scanFields: this.defaultScanFields,
+                neverScanFields: this.neverScanFields,
+            };
+        }
+        // Empty defaultScanFields = scan everything (backward compatible)
+        return { mode: "all", scanFields: new Set(), neverScanFields: this.neverScanFields };
+    }
+    /**
+     * Resolve which entity categories are exempt from obfuscation for an agent.
+     * Uses the agent contract's allowedDataClasses — those categories are data
+     * the agent is trusted to handle, so obfuscating them is counterproductive.
+     */
+    resolveAgentExemptions(agentLabel, role) {
+        if (!this.enabled || !this.useContractExemptions) {
+            return new Set();
+        }
+        // contracts.ts only exists on feature/transformer — graceful fallback
+        try {
+            const { resolveAgentContract } = require("./contracts.js");
+            const contract = resolveAgentContract(agentLabel, role);
+            return new Set(contract.allowedDataClasses);
+        }
+        catch {
+            return new Set();
+        }
+    }
+    /** Check if a field should be scanned given the resolved scope. */
+    shouldScanField(fieldName, scope) {
+        if (scope.neverScanFields.has(fieldName))
+            return false;
+        if (scope.mode === "all")
+            return true;
+        return scope.scanFields.has(fieldName);
+    }
+}

package/dist/hooks.js

@@ -25,6 +25,7 @@ import { writeFileSync } from "node:fs";
 import { BUILTIN_PATTERNS } from "./detectors/regex.js";
 import { STATS_FILE, IS_TEST } from "./config.js";
 import { DnsCache } from "./dns-cache.js";
+import { FieldScopeResolver } from "./field-scope.js";
 function getSharedObfuscator(fallback) {
     return globalThis.__shroudObfuscator || fallback;
 }
@@ -168,6 +169,36 @@ function walkStrings(value, fn) {
     }
     return value;
 }
+function walkStringsScoped(value, fn, shouldScan, currentField) {
+    if (typeof value === "string") {
+        if (currentField !== undefined && !shouldScan(currentField))
+            return value;
+        return fn(value);
+    }
+    if (Array.isArray(value)) {
+        return value.map((item) => {
+            if (typeof item === "object" && item !== null && "text" in item && typeof item.text === "string") {
+                if (!shouldScan("text"))
+                    return item;
+                return { ...item, text: fn(item.text) };
+            }
+            return walkStringsScoped(item, fn, shouldScan);
+        });
+    }
+    if (typeof value === "object" && value !== null) {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            if (typeof v === "string") {
+                out[k] = shouldScan(k) ? fn(v) : v;
+            }
+            else {
+                out[k] = v;
+            }
+        }
+        return out;
+    }
+    return value;
+}
 // ---------------------------------------------------------------------------
 // Hook registration
 // ---------------------------------------------------------------------------
@@ -227,6 +258,16 @@ export function registerHooks(api, obfuscator) {
     const ob = () => getSharedObfuscator(obfuscator);
     const sessionScope = globalThis;
     const config = ob().config;
+    let _fieldScopeResolver;
+    let _fieldScopeConfigRef;
+    function getFieldScopeResolver() {
+        const liveConfig = ob().config.fieldScoping;
+        if (_fieldScopeResolver && _fieldScopeConfigRef === liveConfig)
+            return _fieldScopeResolver;
+        _fieldScopeResolver = new FieldScopeResolver(liveConfig);
+        _fieldScopeConfigRef = liveConfig;
+        return _fieldScopeResolver;
+    }
     const auditActive = config.auditEnabled || config.verboseLogging;
     // -----------------------------------------------------------------------
     // 1. before_prompt_build (async): obfuscate user prompt
@@ -299,12 +340,18 @@ export function registerHooks(api, obfuscator) {
             }
         }
         let totalEntities = 0;
+        // Resolve per-agent category exemptions from contract
+        const _resolver = getFieldScopeResolver();
+        const _exemptCats = new Set();
+        // Note: main branch has no agent session tracker, so contract exemptions
+        // are resolved when useContractExemptions is enabled via config only.
+        // The full agent-aware path is on feature/transformer.
         // Obfuscate the system prompt
         const prompt = event?.prompt;
         let obfuscatedPrompt;
         if (typeof prompt === "string" && prompt) {
             const cleaned = stripSlackLinksForHook(prompt);
-            const result = ob().obfuscate(cleaned);
+            const result = ob().obfuscate(cleaned, undefined, _exemptCats);
             if (result.entities.length > 0 || cleaned !== prompt) {
                 obfuscatedPrompt = result.entities.length > 0 ? result.obfuscated : cleaned;
                 totalEntities += result.entities.length;
@@ -322,7 +369,7 @@ export function registerHooks(api, obfuscator) {
                 // String content (Anthropic/OpenAI)
                 if (typeof msg.content === "string") {
                     const cleaned = stripSlackLinksForHook(msg.content);
-                    const result = ob().obfuscate(cleaned);
+                    const result = ob().obfuscate(cleaned, undefined, _exemptCats);
                     totalEntities += result.entities.length;
                     if (result.entities.length > 0 || cleaned !== msg.content) {
                         msg.content = result.entities.length > 0 ? result.obfuscated : cleaned;
@@ -333,7 +380,7 @@ export function registerHooks(api, obfuscator) {
                     for (const b of msg.content) {
                         if (b?.type === "text" && typeof b.text === "string") {
                             const cleaned = stripSlackLinksForHook(b.text);
-                            const result = ob().obfuscate(cleaned);
+                            const result = ob().obfuscate(cleaned, undefined, _exemptCats);
                             totalEntities += result.entities.length;
                             if (result.entities.length > 0 || cleaned !== b.text) {
                                 b.text = result.entities.length > 0 ? result.obfuscated : cleaned;
@@ -342,7 +389,7 @@ export function registerHooks(api, obfuscator) {
                         // tool_result blocks with string content
                         if (typeof b?.content === "string") {
                             const cleaned = stripSlackLinksForHook(b.content);
-                            const result = ob().obfuscate(cleaned);
+                            const result = ob().obfuscate(cleaned, undefined, _exemptCats);
                             totalEntities += result.entities.length;
                             if (result.entities.length > 0 || cleaned !== b.content) {
                                 b.content = result.entities.length > 0 ? result.obfuscated : cleaned;
@@ -354,7 +401,7 @@ export function registerHooks(api, obfuscator) {
                 if (Array.isArray(msg.tool_calls)) {
                     for (const tc of msg.tool_calls) {
                         if (typeof tc.function?.arguments === "string") {
-                            const result = ob().obfuscate(tc.function.arguments);
+                            const result = ob().obfuscate(tc.function.arguments, undefined, _exemptCats);
                             totalEntities += result.entities.length;
                             if (result.entities.length > 0)
                                 tc.function.arguments = result.obfuscated;
@@ -575,10 +622,15 @@ export function registerHooks(api, obfuscator) {
             return;
         // Exit tool depth
         ob().exitToolCall();
-        const obfuscated = walkStrings(event.message, (s) => {
+        // Resolve per-tool field scope
+        const toolName = event.toolName ?? "";
+        const resolver = getFieldScopeResolver();
+        const toolScope = resolver.resolveToolScope(toolName);
+        const shouldScan = (field) => resolver.shouldScanField(field, toolScope);
+        const obfuscated = walkStringsScoped(event.message, (s) => {
             const result = ob().obfuscate(s);
             return result.obfuscated;
-        });
+        }, shouldScan);
         dumpStatsFile(obfuscator);
         return { message: obfuscated };
     });

package/dist/obfuscator.d.ts

@@ -55,7 +55,7 @@ export declare class Obfuscator {
      * 6. Map and replace (with redaction level)
      * 7. Inject canary if enabled
      */
-    obfuscate(text: string, context?: string): ObfuscationResult;
+    obfuscate(text: string, context?: string, exemptCategories?: Set<string>): ObfuscationResult;
     /**
      * Reverse-map fake values back to real values in text.
      *

package/dist/obfuscator.js

@@ -303,7 +303,7 @@ export class Obfuscator {
      * 6. Map and replace (with redaction level)
      * 7. Inject canary if enabled
      */
-    obfuscate(text, context) {
+    obfuscate(text, context, exemptCategories) {
         const startTime = Date.now();
         // 0. Strip Slack/chat mrkdwn link formatting so detection sees clean text.
         //    Slack wraps emails as <mailto:X|DISPLAY> and URLs as <URL|DISPLAY>,
@@ -348,11 +348,16 @@ export class Obfuscator {
         let belowThreshold = 0;
         let allowlisted = 0;
         let alreadyObfuscated = 0;
+        let exempted = 0;
         const filtered = entities.filter((e) => {
             if (e.confidence < this.config.minConfidence) {
                 belowThreshold++;
                 return false;
             }
+            if (exemptCategories?.has(e.category)) {
+                exempted++;
+                return false;
+            }
             if (allowExact.has(e.value) || allowWild.some((p) => wildcardMatch(e.value, p))) {
                 allowlisted++;
                 return false;
@@ -453,6 +458,7 @@ export class Obfuscator {
             allowlisted,
             docExamples: 0, // doc examples are filtered inside detectors before reaching here
             alreadyObfuscated,
+            exempted,
         };
         this._obfuscationEvents++;
         this._totalEntitiesObfuscated += filtered.length;

package/dist/types.d.ts

@@ -72,6 +72,32 @@ export interface FilterStats {
     docExamples: number;
     /** Entities skipped because they are already-known fakes. */
     alreadyObfuscated: number;
+    /** Entities skipped because their category is exempt (per-agent contract). */
+    exempted: number;
+}
+/** Per-tool field rule: which fields to scan for obfuscation. */
+export interface ToolFieldRule {
+    scanFields: string[];
+}
+/** Configuration for per-tool and per-agent obfuscation scoping. */
+export interface FieldScopingConfig {
+    /** Per-tool field rules. Keys are tool name patterns (supports * and ? wildcards). */
+    toolFields: Record<string, ToolFieldRule>;
+    /** Fields that are NEVER scanned regardless of tool. */
+    neverScanFields: string[];
+    /** Default fields to scan for tools not matching any pattern. Empty = scan everything. */
+    defaultScanFields: string[];
+    /** When true, use agent contract allowedDataClasses to exempt categories from obfuscation. */
+    useContractExemptions: boolean;
+}
+/** Result of resolving field scope for a tool. */
+export interface ScopeDecision {
+    /** "all" = scan every field; "selected" = only scan scanFields. */
+    mode: "all" | "selected";
+    /** Fields to scan (when mode is "selected"). */
+    scanFields: Set<string>;
+    /** Fields to never scan (always applied). */
+    neverScanFields: Set<string>;
 }
 /** Configuration for the Shroud plugin. */
 export interface ShroudConfig {
@@ -120,4 +146,6 @@ export interface ShroudConfig {
     dryRun: boolean;
     /** Max mapping store size; oldest entries evicted when exceeded. 0 = unlimited. */
     maxStoreMappings: number;
+    /** Per-tool and per-agent obfuscation scoping. Undefined = scan everything (backward compatible). */
+    fieldScoping?: FieldScopingConfig;
 }

package/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "shroud-privacy",
   "name": "Shroud",
-  "version": "2.3.0",
+  "version": "2.5.1",
   "description": "Privacy obfuscation with deterministic fake values and deobfuscation — PII never reaches the LLM, tool calls still work",
   "configSchema": {
     "type": "object",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shroud-privacy",
-  "version": "2.4.0",
+  "version": "2.5.1",
   "description": "Privacy and infrastructure protection for AI agents — detects sensitive data (PII, network topology, credentials, OT/SCADA) and replaces with deterministic fakes before anything reaches the LLM.",
   "type": "module",
   "main": "dist/index.js",