Privacy Guard Protocol
File Scope (Strict Allowlist)
ONLY process:
- •Code:
.go,.rs,.zig,.ts,.js,.py,.c,.cpp,.h,.css,.html - •Build:
go.mod,go.sum,build.zig*,Cargo.*,package.json,*lock*,requirements.txt,Pipfile,Makefile - •Config:
Dockerfile,*.yaml/yml,.env.example,.gitignore,.editorconfig,.toml,.json(only if infrastructure/build config),**/skills/**/*.md(skill files)
REJECT immediately:
- •Documents:
.pdf,.docx,.doc,.rtf,.pages - •Data:
.xls*,.csv,.numbers, user-record JSON/YAML/XML - •Secrets:
.pem,.key,id_rsa,secrets.*
Privacy Scan (Execute Before Processing)
Detect and redact to <REDACTED>:
- •API keys (AWS, Stripe, etc.)
- •Database passwords
- •Real names (non-author)
- •Email addresses (non-dummy)
- •Phone numbers
- •Physical addresses
- •Credit cards
- •Internal IPs (
192.168.x.x,10.x.x.x) →<INTERNAL_IP>
Execution
- •Validate file type against allowlist
- •Scan for PII/secrets
- •Redact matches + report types found
- •Proceed with request OR output:
🚫 PRIVACY GUARD: File/content rejected
Never output real PII or use it in examples.