I am very concerned that when using AI agents, sensitive data does not leave my on-premises environment (particularly not to LLMs), yet it is still possible to set up automations within my environment that use common data such as credentials, API keys, bearer tokens and the like, for example in scripts or CLI commands.
To this end, I have developed a runbook/prompt and would appreciate your feedback and suggestions for optimisation.
Operations Runbook: AI Systems Data Privacy, Secret Injection, PII-Guard, and Audit
Classification: STRICT CONFIDENTIAL / ON-PREMISE ONLY
Target Systems: Hermes, AgentZero, OpenClaw
Environment: Local NethServer 8, internal macOS and Linux systems
Purpose
This runbook defines the operational execution for data privacy, secret injection, PII-Guard hardening, system-specific implementation, and auditing. It serves as an executable working document for AI systems to prepare, implement, verify, and document changes.
Scope
This runbook applies to:
- The Hermes agent and associated plugins, specifically `pii_guard`.
- AgentZero workflows and local automations.
- OpenClaw instances and comparable internal agent systems.
- Local scripts, shell commands, Python automations, SSH-based processes, and configuration files.
Operating Principles
- Sensitive data may be used functionally on a local level but must not be unnecessarily exposed externally.
- Secrets must never be hardcoded; they must only be provided via secret injection.
- Whitelist domains and private IPv4 addresses remain functionally operational internally.
- Explicit approval and auditing are mandatory if sensitive data needs to be exposed externally.
- Semantic data privacy complements technical Regex detection.
Security Header
Place this header at the beginning of relevant system prompts:
[CRITICAL SECURITY & DATA PRIVACY POLICY]
You operate in a closed on-premise environment. Your absolute priority is the protection of confidential data (GDPR Art. 6/9 PII, health data, passwords, API keys, private keys).
- Never leak PII and real secrets in plain text to users, external LLMs, or third-party services. Use placeholders.
- Never hardcode secrets in generated scripts or CLI commands. Mandatory use of environment variables is required.
- FQDNs and internal IPs for `domain1.de`, `domain2.de`, `tertilts.de`, `domain4.de`, as well as private IPv4 networks, may be functionally used unmasked internally, but must never be sent externally combined with secrets in an uncontrolled manner.
- If a task requires the external transmission of sensitive data, pause, state the rule conflict, obtain approval, and use an auditable approval mechanism.
Data Classes
Protection Classes
| Class | Examples | Handling |
|---|---|---|
| Classic PII | Email, phone, address, DOB, IBAN | Mask or minimize |
| Art. 9 Data | Health data, political opinions, religion | Strictly protect, semantic anonymization |
| IT Secrets | API key, Bearer token, JWT, password, private key | Never expose externally in plain text |
| Infrastructure | FQDN, hostname, internal IP | Internally allowed, minimize externally |
System Roles
Hermes
- Technically expand the PII-Guard.
- Integrate whitelist logic into `__init__.py`.
- Enforce the audit and approval flow for edge cases.
AgentZero
- Implement secret injection in shell and agent workflows.
- Establish `.env`-based runtime usage.
- Ensure no secrets are hardcoded in prompt or code templates.
OpenClaw
- Apply the same data privacy model.
- Use semantic detection of sensitive content as a supplement.
- Keep internal infrastructure usable while preventing external leakage.
Runbook Execution Flow
Phase 1: Preparation
Goal
Before any change, the system must determine which component is being altered, which sensitive data classes are affected, and whether the change will take effect locally or externally.
Tasks
- Identify the target system.
- Determine the affected files, modules, and runtime paths.
- Check if secrets, whitelist domains, or private IPs are involved.
- Determine whether an approval or audit requirement arises.
Guiding Questions
- Is the work strictly local?
- Are external APIs or external LLMs touched?
- Does the task contain credentials, health data, or other highly sensitive content?
- Must Regex detection, semantic fallback, or both be applied?
Phase 2: PII-Guard Implementation
Goal
The Hermes PII-Guard is expanded so that new secret types are detected and internally permitted infrastructure values are not unnecessarily redacted.
Target File
~/.hermes/plugins/pii_guard/__init__.py
Implementation Task
Add the following logic (`re` must be imported at the top of the module if it is not already):

```python
import re

# Internal domains whose FQDNs, mailboxes and SSH targets stay readable on-premise.
ALLOWED_DOMAINS = (
    "domain1.de",
    "domain2.de",
    "tertilts.de",
    "domain4.de",
)


def is_private_ipv4(value: str) -> bool:
    # RFC 1918 prefixes only (10/8, 172.16/12, 192.168/16). A prefix check is
    # sufficient because this is only called for values the "ipv4" pattern
    # has already matched as a complete dotted-quad address.
    return bool(re.match(
        r'^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)',
        value
    ))


def is_whitelisted(value: str, type_id: str) -> bool:
    val = value.lower().strip()
    if type_id == "ipv4":
        return is_private_ipv4(val)
    if type_id in ("fqdn", "email", "ssh_user_host"):
        # Exact domain, any subdomain (".domain"), or a mailbox / user@host
        # directly on the domain ("@domain"). Look-alikes such as
        # "evil-domain1.de" fail because the "." or "@" separator is required.
        return any(
            val == domain
            or val.endswith("." + domain)
            or val.endswith("@" + domain)
            for domain in ALLOWED_DOMAINS
        )
    return False
```
Regex Expansion
Place these patterns at the beginning of `PII_PATTERNS` (secret patterns first, infrastructure patterns last, so a token embedded in a URL or host string is caught as a secret before the host pattern sees it):

```python
# --- secrets -------------------------------------------------------------
("ssh_private_key_header", "SSH Private Key", re.compile(
    r'-----BEGIN (?:RSA|OPENSSH|DSA|EC|PGP) PRIVATE KEY-----',
    re.IGNORECASE
)),
# Three base64url segments; "eyJ" is the base64 encoding of '{"' that every
# JSON JWT header starts with.
("jwt_token", "Bearer/JWT Token", re.compile(
    r'\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b'
)),
# No trailing \b: a token ending in "=" padding has no word boundary there,
# and the original trailing \b made the match stop short of the padding.
("bearer_token", "Bearer Token", re.compile(
    r'\bBearer\s+[A-Za-z0-9\-._~+/]+=*',
    re.IGNORECASE
)),
("api_key_generic", "API Key", re.compile(
    r'\b(?:api[_-]?key|apikey|secret|client[_-]?secret|access[_-]?token|refresh[_-]?token)["\']?\s*[:=]\s*["\']?[A-Za-z0-9\-._~+/=]{12,}["\']?',
    re.IGNORECASE
)),
# ".{6,}" is deliberately greedy: everything after "password=" up to the end
# of the line is redacted, which errs on the side of over-redaction.
("password_assignment", "Password/Credentials", re.compile(
    r'\b(?:password|passwd|pwd|passwort)["\']?\s*[:=]\s*["\']?.{6,}["\']?',
    re.IGNORECASE
)),
# --- infrastructure (whitelisted via is_whitelisted) ----------------------
# Note: this also matches e-mail addresses, so it fires before any "email"
# pattern that follows it; both types use the same whitelist rule.
("ssh_user_host", "SSH Login", re.compile(
    r'\b[a-z_][a-z0-9._-]{0,31}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b',
    re.IGNORECASE
)),
# Any dotted name with a 2-63 letter last label; file names such as
# "global.env" match too, so test for false positives on paths.
("fqdn", "FQDN/Hostname", re.compile(
    r'\b(?=.{4,253}\b)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+(?:[A-Za-z]{2,63})\b'
)),
("ipv4", "IPv4 Address", re.compile(
    r'\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b'
)),
```
Function Adjustments
In `scan_for_pii()`, where the plugin iterates over the matches of each pattern, skip whitelisted infrastructure values so they are not reported:

```python
matched = match.group(0)
if is_whitelisted(matched, type_id):
    continue  # internal domain or private IP: not a finding
```

In `redact_pii()`, in the replacement callback handed to `pattern.sub()`, return the original text for whitelisted values instead of a placeholder:

```python
if is_whitelisted(matched, type_id):
    return matched  # leave internal infrastructure readable
```
Implementation Rules
- Secret patterns must be placed before general infrastructure patterns.
- Whitelist exceptions apply internally only: consult the whitelist only when the output stays on-premise, never when text is being prepared for an external LLM or API. The whitelist functions themselves do not know the destination, so the caller must enforce this.
- Real secrets must never needlessly enter model contexts, despite internal use.
- Regex detection does not replace semantic evaluation.
Phase 3: Setting up Secret Injection
Goal
Secrets are stored in a local, restrictively protected structure and injected at runtime.
Target Structure
Preferred paths:
- `~/.hermes/.secrets/`
- `/a0/.secrets/`
Mandatory Steps
- Create directory `.secrets/`.
- Set permissions to `700`.
- Use a `global.env` file with permissions set to `600`.
- Only allow runtime inclusion via `source` or `os.getenv()`.
Script Task: add_secret.sh
Requirements:
- Accepts a Key and Value.
- Creates `global.env` if it doesn't exist.
- Updates existing keys idempotently.
- Never outputs secret values into logs or standard output.
Script Task: audit_secrets.sh
Requirements:
- Enforces `chmod 600 global.env`.
- Lists only the existing keys.
- Never outputs secret values.
Example output:
API_TOKEN
DB_PASSWORD
SSH_DEPLOY_KEY
Runtime Rule
Shell commands involving secrets must load the env file beforehand:

```bash
source /path/to/.secrets/global.env
```

Python code must utilize environment variables:

```python
import os

api_token = os.getenv("API_TOKEN")
```
Phase 4: Semantic Data Privacy Fallback
Goal
Even if Regex patterns don’t trigger, the system must recognize when sensitive information is present based on the context.
Mandatory Behavior
- Never replicate Art. 9 data in plain text.
- Treat unstructured credentials as sensitive.
- Anonymize free text containing diagnoses, political statements, or other highly sensitive details.
- Use placeholders, such as `[DIAGNOSE_REDACTED]` or `[SECRET_REDACTED]`.
Example
Not allowed:
- Full reproduction of a diagnosis with identifiable details.
- Repeating an API secret posted by the user in the response.
Allowed:
- Describing the function.
- Abstracted, anonymized, or masked representation.
Phase 5: Testing and Verification
Mandatory Tests for PII-Guard
| Test Case | Expectation |
|---|---|
| `admin@domain1.de` | Remains unredacted internally |
| `ssh root@host.domain1.de` | Remains unredacted internally |
| `hermes.home.domain1.de` | Remains unredacted internally |
| `192.168.3.21` | Remains unredacted internally |
| `Bearer eyJ...` | Is redacted |
| `password=SuperSecret123` | Is redacted |
| `-----BEGIN OPENSSH PRIVATE KEY-----` | Is redacted |
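A stand-alone version of the Phase 2 guard that encodes the test table above, added here as an example; it is not the Hermes plugin's own code. It reproduces the Phase 2 patterns and whitelist in a minimal `scan_for_pii()`/`redact_pii()` pair (the real plugin's surrounding code and its pre-existing patterns, such as an e-mail pattern, are not reproduced) and goes one step beyond the runbook with a `destination` argument: the runbook says whitelist exceptions apply internally only, but the Phase 2 fragments have no way of knowing where the text is going, so here the whitelist is honoured only for `"internal"` output. The `[TYPE_REDACTED]` placeholder format, the constructed sample lines and the `global.env` false-positive case are assumptions of this example.

```python
import re
from typing import List, Tuple

ALLOWED_DOMAINS = ("domain1.de", "domain2.de", "tertilts.de", "domain4.de")


def is_private_ipv4(value: str) -> bool:
    # RFC 1918 prefixes; the "ipv4" pattern guarantees the rest is a full address
    return bool(re.match(r'^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)', value))


def is_whitelisted(value: str, type_id: str) -> bool:
    val = value.lower().strip()
    if type_id == "ipv4":
        return is_private_ipv4(val)
    if type_id in ("fqdn", "email", "ssh_user_host"):
        return any(val == d or val.endswith("." + d) or val.endswith("@" + d)
                   for d in ALLOWED_DOMAINS)
    return False


# Same order as Phase 2: secret patterns first, infrastructure patterns last.
PII_PATTERNS = [
    ("ssh_private_key_header", "SSH Private Key",
     re.compile(r'-----BEGIN (?:RSA|OPENSSH|DSA|EC|PGP) PRIVATE KEY-----', re.IGNORECASE)),
    ("jwt_token", "Bearer/JWT Token",
     re.compile(r'\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b')),
    ("bearer_token", "Bearer Token",
     re.compile(r'\bBearer\s+[A-Za-z0-9\-._~+/]+=*', re.IGNORECASE)),
    ("api_key_generic", "API Key",
     re.compile(r'\b(?:api[_-]?key|apikey|secret|client[_-]?secret|access[_-]?token|refresh[_-]?token)'
                r'["\']?\s*[:=]\s*["\']?[A-Za-z0-9\-._~+/=]{12,}["\']?', re.IGNORECASE)),
    ("password_assignment", "Password/Credentials",
     re.compile(r'\b(?:password|passwd|pwd|passwort)["\']?\s*[:=]\s*["\']?.{6,}["\']?', re.IGNORECASE)),
    ("ssh_user_host", "SSH Login",
     re.compile(r'\b[a-z_][a-z0-9._-]{0,31}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b', re.IGNORECASE)),
    ("fqdn", "FQDN/Hostname",
     re.compile(r'\b(?=.{4,253}\b)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+(?:[A-Za-z]{2,63})\b')),
    ("ipv4", "IPv4 Address",
     re.compile(r'\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b')),
]


def scan_for_pii(text: str, destination: str = "internal") -> List[Tuple[str, str]]:
    """Return (type_id, matched_text) for every hit that is not whitelisted.

    `destination` is this example's addition: the whitelist is consulted only for
    "internal" output; anything bound for an external LLM/API is reported in full.
    """
    hits = []
    for type_id, _label, pattern in PII_PATTERNS:
        for match in pattern.finditer(text):
            matched = match.group(0)
            if destination == "internal" and is_whitelisted(matched, type_id):
                continue
            hits.append((type_id, matched))
    return hits


def redact_pii(text: str, destination: str = "internal") -> str:
    """Replace every non-whitelisted hit with a [TYPE_REDACTED] placeholder (assumed format)."""
    for type_id, _label, pattern in PII_PATTERNS:
        def replace(match, type_id=type_id):
            matched = match.group(0)
            if destination == "internal" and is_whitelisted(matched, type_id):
                return matched
            return "[%s_REDACTED]" % type_id.upper()
        text = pattern.sub(replace, text)
    return text


# Constructed sample lines: the Phase 5 table plus one known false positive.
SAMPLE_LINES = [
    "admin@domain1.de",
    "ssh root@host.domain1.de",
    "hermes.home.domain1.de",
    "192.168.3.21",
    "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abcdefghijklmnopqrstuv'",
    "password=SuperSecret123",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "source ~/.hermes/.secrets/global.env",  # a file name, not a host: trips the fqdn pattern
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("internal:", redact_pii(line))
        print("external:", redact_pii(line, destination="external"))
```

The last sample line shows why the test table needs negative cases as well: `global.env` is a syntactically valid host name, so the FQDN pattern redacts it even internally. Either add common file suffixes to an exclusion list or accept the over-redaction; what matters is that the decision is tested rather than discovered in a broken automation.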
Mandatory Tests for Secret Injection
- `global.env` exists.
- Permissions are correct.
- `audit_secrets.sh` shows only keys.
- Scripts function without hardcoding.
- Logs contain no plain-text secrets.
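The `add_secret.sh` and `audit_secrets.sh` requirements from Phase 3 together with the secret-injection checks above, implemented here in Python so that every example on this page is in one language. This is an added example, not the runbook's own scripts (those remain to be written in shell); it assumes values are stored as single-quoted `KEY='value'` lines so that `source` reproduces them exactly, and `secret_store_demo()`, the temporary directory it uses and the demo values it writes exist only to exercise the store.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

SECRET_DIR_MODE = 0o700  # .secrets/  : owner only
ENV_FILE_MODE = 0o600    # global.env : owner read/write only
KEY_RE = re.compile(r"^[A-Z_][A-Z0-9_]*$")


def _quote(value: str) -> str:
    # Single-quote so that `source global.env` reproduces the value byte for byte.
    return "'" + value.replace("'", "'\\''") + "'"


def _unquote(raw: str) -> str:
    if len(raw) >= 2 and raw[0] == raw[-1] == "'":
        return raw[1:-1].replace("'\\''", "'")
    return raw


def _read_entries(env_path: str) -> Dict[str, str]:
    entries: Dict[str, str] = {}
    if not os.path.exists(env_path):
        return entries
    with open(env_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, raw = line.split("=", 1)
            entries[key] = _unquote(raw)
    return entries


def _write_entries(env_path: str, entries: Dict[str, str]) -> None:
    # Create the directory 0700, write a 0600 temp file beside the target and
    # atomically replace it, so the file is never readable by others, not even briefly.
    secret_dir = os.path.dirname(env_path) or "."
    os.makedirs(secret_dir, mode=SECRET_DIR_MODE, exist_ok=True)
    os.chmod(secret_dir, SECRET_DIR_MODE)
    tmp_path = env_path + ".tmp"
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, ENV_FILE_MODE)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for key, value in entries.items():
            fh.write(f"{key}={_quote(value)}\n")
    os.chmod(tmp_path, ENV_FILE_MODE)  # the O_CREAT mode is subject to umask; enforce it
    os.replace(tmp_path, env_path)


def add_secret(env_path: str, key: str, value: str) -> str:
    """add_secret.sh equivalent: create or update KEY idempotently.
    Returns 'added' or 'updated' so callers can log key and action, never the value."""
    if not KEY_RE.match(key):
        raise ValueError("invalid key name (value deliberately not shown)")
    entries = _read_entries(env_path)
    action = "updated" if key in entries else "added"
    entries[key] = value
    _write_entries(env_path, entries)
    return action


def audit_secrets(env_path: str) -> List[str]:
    """audit_secrets.sh equivalent: enforce 0600 and return key names only."""
    os.chmod(env_path, ENV_FILE_MODE)
    return sorted(_read_entries(env_path))


def load_secrets(env_path: str, environ=None) -> List[str]:
    """The os.getenv() side of the runtime rule. Pass a dict as `environ`
    to inspect the result without touching the real process environment."""
    env = os.environ if environ is None else environ
    entries = _read_entries(env_path)
    env.update(entries)
    return sorted(entries)


def secret_store_demo() -> dict:
    """Exercise the store in a throwaway directory and return only what a Phase 5
    check would verify (modes, key list, idempotence), not the demo values themselves."""
    base = tempfile.mkdtemp(prefix="secrets-demo-")
    env_path = os.path.join(base, ".secrets", "global.env")
    actions = [
        add_secret(env_path, "API_TOKEN", "first-token"),
        add_secret(env_path, "DB_PASSWORD", "hunter'2=x"),   # constructed: quote and '=' exercise the encoding
        add_secret(env_path, "API_TOKEN", "rotated-token"),  # same key again: must update, not duplicate
    ]
    runtime_env: Dict[str, str] = {}
    loaded = load_secrets(env_path, runtime_env)
    with open(env_path, encoding="utf-8") as fh:
        text = fh.read()
    return {
        "actions": actions,
        "keys": audit_secrets(env_path),
        "loaded": loaded,
        "api_token_rotated": runtime_env["API_TOKEN"] == "rotated-token",
        "db_password_roundtrip": runtime_env["DB_PASSWORD"] == "hunter'2=x",
        "file_mode": stat.S_IMODE(os.stat(env_path).st_mode),
        "dir_mode": stat.S_IMODE(os.stat(os.path.dirname(env_path)).st_mode),
        "api_token_lines": text.count("API_TOKEN="),
    }


if __name__ == "__main__":
    print(secret_store_demo())
```

One practical note for the shell side of the runtime rule: `source global.env` defines shell variables but does not export them, so a command started from that shell will not see them unless the file is sourced between `set -a` and `set +a` (or the lines are written with `export`).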
Mandatory Tests for Semantic Fallback
- Health-related free texts are anonymized.
- Political or religious details are not unnecessarily repeated.
- Unstructured secrets are masked rather than paraphrased.
Phase 6: Audit
Goal
A traceable audit is conducted after every change.
Audit Checklist
- Was the correct file modified?
- Was a backup or patch documentation created?
- Are Regex patterns sorted in a logical order?
- Do whitelist domains and private IPs remain functional internally?
- Are secrets reliably detected and redacted?
- Was secret injection implemented instead of hardcoding?
- Are permissions on `.secrets` and `global.env` correct?
- Were only keys logged, not values?
- Does the semantic data privacy apply in non-regular cases?
- Is there any external leakage of sensitive data?
Audit Log Template
## Audit Log
- Date/Time:
- Target System:
- Affected Component:
- Modified File(s):
- Goal of Change:
- Tests Performed:
- Test Results:
- Open Risks:
- Approval Status:
- Next Steps:
Phase 7: Approval and Escalation Logic
Rule
If a task requires the external transmission of sensitive data, the system must pause and obtain explicit approval.
Mandatory Process
- Identify the conflict.
- State the risk.
- Identify the affected data class.
- Obtain user approval.
- Use an auditable approval mechanism.
- Execute only the approved individual case.
Standard Phrasing
This step would transmit sensitive data, credentials, or protected content to an external system. Explicit approval is required for this single action. The process must be audited.
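Phase 7 names the steps but leaves the "auditable approval mechanism" open. The following is an added example of one way to build it and is not code from Hermes, AgentZero or OpenClaw. The design point it shows: an approval is bound to a fingerprint of destination, data class and payload digest, is consumed on first use, and the audit log stores only digests (never the payload) in a hash chain so that after-the-fact edits are detectable. `ExternalGate`, `AuditLog`, `RecordingTransport`, the `https://api.example.com` destination and the demo payload are all assumptions of this example; the standard phrasing is the runbook's own.

```python
import hashlib
import json
import time
from typing import Callable, Dict, List, Set

STANDARD_PHRASING = ("This step would transmit sensitive data, credentials, or protected "
                     "content to an external system. Explicit approval is required for "
                     "this single action. The process must be audited.")


class ApprovalRequired(Exception):
    """Raised instead of transmitting: the agent must pause and ask (Phase 7)."""


def digest(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def action_fingerprint(destination: str, data_class: str, payload: str) -> str:
    # Bind the approval to exactly this destination, data class and payload (by hash),
    # so one approval cannot be replayed for another target or a modified payload.
    return digest(json.dumps([destination, data_class, digest(payload)]))


class AuditLog:
    """Append-only, hash-chained records; holds payload digests, never payloads."""

    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, event: str, **fields) -> Dict:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        record = {"ts": time.time(), "event": event, "prev": prev, **fields}
        record["hash"] = digest(json.dumps(record, sort_keys=True))
        self.records.append(record)
        return record

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or digest(json.dumps(body, sort_keys=True)) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def dump(self) -> str:
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


class ExternalGate:
    """Gate in front of every external transmission of sensitive data."""

    def __init__(self, log: AuditLog) -> None:
        self.log = log
        self.approvals: Set[str] = set()

    def request(self, destination: str, data_class: str, payload: str) -> str:
        fp = action_fingerprint(destination, data_class, payload)
        self.log.append("approval_requested", fingerprint=fp, destination=destination,
                        data_class=data_class, payload_digest=digest(payload),
                        message=STANDARD_PHRASING)
        return fp

    def approve(self, fingerprint: str, approver: str) -> None:
        self.approvals.add(fingerprint)
        self.log.append("approved", fingerprint=fingerprint, approver=approver)

    def send(self, destination: str, data_class: str, payload: str,
             transport: Callable[[str, str], str]) -> str:
        fp = action_fingerprint(destination, data_class, payload)
        if fp not in self.approvals:
            self.log.append("blocked", fingerprint=fp, destination=destination, data_class=data_class)
            raise ApprovalRequired(STANDARD_PHRASING)
        self.approvals.discard(fp)  # single use: only the approved individual case runs
        result = transport(destination, payload)
        self.log.append("executed", fingerprint=fp, destination=destination, data_class=data_class)
        return result


class RecordingTransport:
    """Stand-in for the real HTTP/LLM client; records what would have left the network."""

    def __init__(self) -> None:
        self.sent: List[tuple] = []

    def __call__(self, destination: str, payload: str) -> str:
        self.sent.append((destination, payload))
        return "200 OK"


def attempt(gate: ExternalGate, destination: str, data_class: str,
            payload: str, transport: Callable[[str, str], str]) -> str:
    """send() that reports 'blocked' instead of raising, for scripted checks."""
    try:
        return gate.send(destination, data_class, payload, transport)
    except ApprovalRequired:
        return "blocked"
```

In an agent, `ApprovalRequired` is where the run stops and the standard phrasing is shown to the user; `approve()` is called by the human side of the mechanism, and the "executed" record together with `verify()` is what the Phase 6 audit checks.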
Phase 8: Rollback
Goal
If tests fail or the change produces unwanted side effects, a safe rollback must be possible.
Minimum Requirements
- Backup the original file before changes.
- Cleanly isolate modified Regex and whitelist blocks.
- Document rollback steps.
- Perform a smoke test again after rollback.
Rollback Check
- Original state restored.
- Plugin loads without errors.
- No unintended exposure of sensitive data.
- Internal workflows remain operational.
Phase 9: Sign-off
Approval Criteria
The change is only considered accepted if all the following points are met:
- PII-Guard detects the new secret types.
- Whitelist domains and private IPs remain functional internally.
- Secret injection is configured and usable.
- Hardcoding has been avoided.
- Audit was fully completed.
- There is no uncontrolled external leakage of sensitive data.
Appendix A: Example Work Instruction to an AI System
Analyze the target system and strictly apply this runbook.
1. Identify affected components.
2. Implement necessary changes system-specifically.
3. Use secret injection instead of hardcoding.
4. Patch the PII-Guard according to the defined Regex and Whitelist rules.
5. Perform tests and audits.
6. Document results, risks, and approval status.
7. Mandatory: ask for approval if external exposure of sensitive data is involved.
Appendix B: Impermissible Patterns
Specifically not allowed:
- Secrets in the prompt in plain text.
- Secrets in generated code in plain text.
- External transmission of health data or credentials without approval.
- Bypassing redacted tool outputs.
- Logging of secret values during the audit.
Appendix C: Permissible Patterns
Specifically allowed:
- Local usage of secrets via env variables.
- Internal usage of whitelist FQDNs and private IPs.
- Redacted or anonymized representation of sensitive content.
- Audited approval processes for justified individual cases.
