PII firewall for LLM calls
Cloak swaps every email, card, and secret for a reversible token before your prompt hits OpenAI or Claude — then restores the real values in the reply.
Why it matters
How it works
Cloak is a boundary, not a rewrite. It redacts on the way out, lets the model reason over stable tokens, and restores the real values on the way back — so the same customer is still the same customer to the model.
Every detected value becomes a stable token. The same email always maps to the same token, so context survives.
Only tokens cross the wire. The model summarises, classifies, and reasons exactly as before — it never sees a real value.
Tokens in the response are swapped back to the real values, in-process. Your app gets a normal answer.
Drop-in, three ways
Dependency-free, ~300 lines of Node. Wrap a function, call it manually, or run it as an OpenAI-compatible proxy and change nothing but the base URL.
// PII redacted out, restored back — automatically const safeChat = cloak.guard(openaiChat); const reply = await safeChat( "refund john@acme.com on card 4242 4242 4242 4242" );
const { redacted, vault } = cloak.redact(text); const out = await llm(redacted); return cloak.restore(out, vault); // vault never leaves the process
$ node examples/proxy.js # /v1/chat/completions on :8787 # then, in your app: new OpenAI({ baseURL: "http://localhost:8787" }) // ← the only change # every message is redacted before it forwards upstream, and the # model's reply is un-redacted on the way back to you.
Out of the box
Regex-plus-validation detectors — credit cards are Luhn-checked, so an order number never gets mistaken for a card. Black chips are PII; red chips are secrets.
Pricing
The core engine is free and self-hosted forever. Pro adds the things an auditor wants to see.