# Security: Anonymization, Audit, Encryption, Guardrails
Built security-first. Every feature designed to protect your data and your agent.
---
## Anonymization (PII Protection)
**For ICP 3 (Security-Conscious), but valuable to all ICPs handling sensitive data.**
### Three Layers of PII Detection
**1. Regex Detection (always enabled, no setup)**
Detects and replaces:
- EMAIL: `john@company.com` → `[EMAIL:a3f9b2]`
- PHONE: `+1-555-0123` → `[PHONE:c8d1e2]`
- CREDIT_CARD: `4111-1111-1111-1111` → `[CREDIT_CARD:f4g5h6]`
- IBAN: `DE89370400440532013000` → `[IBAN:i7j8k9]`
- SSN: `123-45-6789` → `[SSN:l0m1n2]`
- IP: `192.168.1.1` → `[IP:o3p4q5]`
**2. NER Detection (with `--features ner` build)**
Local ONNX model detects:
- PERSON: `John Smith` → `[PERSON:r6s7t8]`
- ORG: `Acme Corp` → `[ORG:u9v0w1]`
Model is ~65 MB, downloaded once with `pagerunner download-model`. **Never leaves your machine**.
**3. Custom Patterns (in ~/.pagerunner/config.toml)**
Define domain-specific patterns:
```toml
[[anonymization.profiles]]
name = "jira-work"
domains = ["jira.acme.com", "*.atlassian.net"]
mode = "tokenize"
entities = ["EMAIL", "PHONE", "CREDIT_CARD"]
custom_patterns = [
{ name = "JIRA_CODE", pattern = "(?:PROJ|INFRA)-\\d+" },
{ name = "INTERNAL_ID", pattern = "[A-Z]{3}-\\d{6}" }
]
```
Then use:
```javascript
const sessionId = await open_session({
profile: "jira",
anonymization_profile: "jira-work" // Uses config above
});
```
### Two Anonymization Modes
#### Mode 1: Tokenize (Default, Recommended)
PII replaced with tokens. Tokens flow through your entire pipeline safely:
```javascript
const sessionId = await open_session({
profile: "sensitive",
anonymize: true,
anonymization_mode: "tokenize" // Default
});
// Page contains: "john@company.com has 5 unread messages"
const content = await get_content(sessionId, tabId);
// Returns: "[EMAIL:a3f9b2] has 5 unread messages"
// Agent extracts the email token
// Agent decides to reply to [EMAIL:a3f9b2]
// When filling a form, agent passes the token
await fill(sessionId, tabId, "input[name='reply-to']", "[EMAIL:a3f9b2]");
// Pagerunner de-tokenizes automatically
// DOM receives: john@company.com
```
**Token Vault:**
- Tokens are encrypted, stored locally (AES-256-GCM)
- Key in macOS Keychain (never on disk in plaintext)
- De-tokenization happens only in Pagerunner (before writing to DOM)
- Agent never sees the real value
**Use tokenize when:** Agent needs to work with PII (fill forms, send emails, etc.)
#### Mode 2: Redact (One-Way, No De-tokenization)
PII replaced with generic labels. Permanent.
```javascript
const sessionId = await open_session({
profile: "sensitive",
anonymize: true,
anonymization_mode: "redact"
});
// Page contains: "john@company.com"
const content = await get_content(sessionId, tabId);
// Returns: "[EMAIL]"
// No token vault. No de-tokenization possible.
// Agent can't recover the real email.
```
**Use redact when:** Agent only needs to read/analyze PII, never write it.
### ICP 3 Workflow
```javascript
// Setup
const sessionId = await open_session({
profile: "agent-sensitive",
anonymize: true,
anonymization_mode: "tokenize",
allowed_domains: ["hr.company.com"] // Containment + anonymization
});
// Read page with employee data
const content = await get_content(sessionId, tabId);
// Page HTML: | john@company.com | , Jane Smith |
// Returned to agent: "[EMAIL:a3f9b2] | , [PERSON:r6s7t8] | "
// Agent uses NLP to understand structure
// Agent extracts: "Emails: [EMAIL:a3f9b2]"
// Agent fills reply form with token
await fill(sessionId, tabId, "input[name='email']", "[EMAIL:a3f9b2]");
// Pagerunner de-tokenizes: john@company.com
// Audit log (see below) records:
// { event: "get_content", pii_entities: { EMAIL: 1, PERSON: 1 } }
// Real values never logged.
```
### Common Patterns
**PII-aware form submission:**
```javascript
// Get form field labels (no PII)
const labels = await get_content(sessionId, tabId);
// Returns: "[EMAIL]" (no token for read-only fields)
// Extract fields that need filling
const email_field = await evaluate(sessionId, tabId, `
document.querySelector('input[name="email"]').placeholder
`);
// Returns: "Enter your email"
// Get pre-filled PII from previous page
const previousEmail = await get_content(sessionId, tabId);
// Returns: "[EMAIL:abc123]"
// Fill the form with token
await fill(sessionId, tabId, "input[name='email']", "[EMAIL:abc123]");
// De-tokenized automatically before typing
```
---
## Sealed-Secret Trust Boundary (v0.7.0+)
Tokenization protects PII that the agent needs to *handle*. Sealed secrets go further: they protect credentials the agent should **never see** — not even as tokens.
### Threat Model
An agent scraping an admin dashboard stumbles onto a freshly-generated API token. You want the token in your CI secret manager, not in the agent's context window, not in the audit log.
Anonymization can't help here — the agent would need the *real* token to ship it anywhere useful. A traditional "pass it through a variable" approach puts the token in the LLM prompt, risking prompt leaks, training contamination, or logged context.
### How It Works
```
Page DOM Subprocess
"secret_token=sk_abc..." extract stdin
│ ─────────────▶ ┌──────────┐
▼ │ gh CLI │
┌──────────────┐ seal ┌──────────┐ └──────────┘
│ Pagerunner │──────────────▶ Sealed KV │ ▲
│ runtime │ │ (AES-256)│──────────┘
└──────────────┘ └──────────┘ use_secret
│
▼
LLM (Claude)
NEVER SEES RAW
VALUE
```
1. **`extract_secret`** evaluates JS in a tab; the result is written directly into the encrypted sealed table. The tool response is `{ name, stored: true }` — no value.
2. **`use_secret`** runs a subprocess with the sealed value piped to stdin. The child reads it, the buffer is zeroed, and the value never enters Pagerunner's stdout or the audit log.
3. **`list_secrets`** returns names only; **`delete_secret`** removes a sealed entry.
### Example — Rotate an npm Token
```javascript
// 1. Agent navigates to npmjs.com token dashboard and generates a token.
await click(sessionId, tabId, ".generate-token-btn");
await wait_for(sessionId, tabId, { selector: ".token-value", ms: 5000 });
// 2. Seal it. Value never echoed.
await extract_secret(
sessionId, tabId,
`document.querySelector('.token-value').textContent.trim()`,
"npm_token"
);
// 3. Push to GitHub secrets via gh CLI — value flows via stdin only.
// (CLI equivalent; same flow if called via MCP.)
// $ pagerunner use-secret npm_token -- gh secret set NPM_TOKEN --repos owner/repo
// 4. Discard the sealed entry.
await delete_secret("npm_token");
```
At no point does the token appear in:
- The agent's tool-call context.
- `get_content` or `evaluate` responses.
- The audit log.
- Pagerunner logs.
### When to Use Sealed Secrets vs Tokenization
| Data | Use |
|---|---|
| Email / phone / name the agent must *send* | Tokenization (`anonymize: tokenize`) |
| API token the agent must *hand to another system* | Sealed secret |
| Password the user typed that Pagerunner saw | Sealed secret |
| Social security number the agent is *reading for a report* | Redact (`anonymize: redact`) |
### Caveats
- Sealed secrets are one-way for the LLM by design. There is no `get_secret`. Build a helper script and pipe via `use_secret`.
- The sealed table is encrypted with the same per-user key as the main DB (macOS Keychain or equivalent). Lose the key, lose the secrets.
- `extract_secret` stores whatever the JS expression returns. If you point it at the wrong element, you seal the wrong thing — you won't know until `use_secret` pipes garbage to your subprocess.
---
## Credential Scrubbing & Gap Detection (v0.7.0+)
Pagerunner actively scans anonymized output for residual credentials — a *second* anonymization pass that specifically targets developer secrets.
### Scrubbed Patterns
Built-in, always on when `anonymize: true`:
| Provider | Pattern family |
|---|---|
| OpenAI | Classic keys (`sk-...T3BlbkFJ...`), project keys, service-account keys |
| GitLab | Personal access tokens (`glpat-...`) |
| Stripe | Live + test keys (`sk_live_`, `pk_test_`) |
| AWS | Access key IDs (`AKIA...`), secret keys |
| Slack | xapp-1 tokens, bot/user tokens |
| HashiCorp Vault | `hvs.*`, `hvb.*` |
| Linear | Personal tokens |
| HuggingFace | Org tokens |
| PEM | `-----BEGIN ... PRIVATE KEY-----` blocks (RSA, EC, Ed25519) |
These come from a gitleaks gap analysis — they're the patterns most likely to escape generic regex anonymization.
### Gap Detection — Residual Scan
After the main anonymization pass, Pagerunner re-runs every credential pattern against the *output* (what the agent is about to see). If anything matches, the response is **blocked** and an `AnonymizationGap` event is written to the audit log:
```json
{
"timestamp": "2026-04-05T...",
"event": "AnonymizationGap",
"pattern": "aws_access_key",
"position": 420,
"sample": "AKIA████████████████",
"action": "blocked"
}
```
The sample is masked — the real value is never in the log.
### Entropy Heuristic — Catching Unknown Formats
Credential patterns miss novel formats (your internal service-account keys, for example). Pagerunner runs a **Shannon entropy** fallback:
- Any span ≥ 20 characters with entropy ≥ 3.5 bits/char near a context keyword (`token`, `key`, `secret`, `password`, `apikey`) is flagged.
- Flagged spans are replaced with `[ENTROPY_BLOCK]` and emit an `AnonymizationGap` audit event with `pattern: "entropy"`.
This catches most bespoke credential formats without a hand-written regex. False positives (high-entropy non-secrets like base64-encoded images) are rare in text content; if they happen, pin a `custom_patterns` entry in config to whitelist.
### How to Verify Scrubbing Works
```bash
# After a run, look for AnonymizationGap events in the audit log
cat ~/.pagerunner/audit.log | jq 'select(.event == "AnonymizationGap")'
# Count gaps by pattern
cat ~/.pagerunner/audit.log \
| jq -r 'select(.event == "AnonymizationGap") | .pattern' \
| sort | uniq -c
```
A healthy production run has **zero** `AnonymizationGap` events. A non-zero count means *something* pushed a credential through the first pass — investigate which tool call produced it and tighten upstream (maybe the tab was rendering credentials the agent shouldn't have opened at all).
### Compliance Angle
Gap detection gives you a concrete answer to "how do you know no secret leaked to the LLM?" — the audit trail of `AnonymizationGap` events is the evidence. Pair with `AnonymizationGap` alerting in your log pipeline for a hard signal.
---
## Audit Log (Compliance Trail)
Append-only JSON-lines log at `~/.pagerunner/audit.log`. Every browser action recorded.
### Format
```json
{
"timestamp": "2026-03-22T14:35:12.456Z",
"session_id": "sess_abc123",
"profile": "agent-sensitive",
"event": "get_content",
"target_id": "TAB_123",
"url": "https://hr.company.com/employees",
"pii_entities": { "EMAIL": 2, "PERSON": 3 },
"args_summary": "Extracted content from HR page"
}
```
### What Gets Logged
Every event:
- `open_session` — profile, stealth mode, anonymization settings
- `navigate` — URL
- `get_content` — URL, PII entity counts
- `evaluate` — expression (first 100 chars), result type
- `click`, `fill`, `type_text`, `select`, `scroll` — element/selector
- `screenshot` — (recording that it happened)
- `save_snapshot`, `restore_snapshot` — origin
- `kv_set`, `kv_get` — namespace, key (not values)
- `extract_secret`, `use_secret`, `delete_secret` — secret name only (v0.7.0+)
- `AnonymizationGap` — residual credential detected in anonymized output; pattern name + masked sample + action (`blocked` / `masked`) (v0.7.0+)
- `SessionHealthChange` — session transitioned between `Alive`/`Reconnecting`/`Recovering`/`Dead` (v0.7.0+)
### What's NOT Logged
- Real PII values
- Page HTML
- Screenshot contents
- Actual form inputs (just that fill() was called)
- KV store values
### Compliance Use
**ICP 3 use case — prove PII was never exposed:**
```bash
# View audit log
tail -f ~/.pagerunner/audit.log | jq .
# Filter by session
cat ~/.pagerunner/audit.log | jq 'select(.session_id == "sess_abc123")'
# Count PII exposure events
cat ~/.pagerunner/audit.log | jq '.pii_entities | values' | wc -l
# Prove no PII to external systems
cat ~/.pagerunner/audit.log | grep -v "get_content\|evaluate" | jq .
# (These are the only points where PII reaches the agent)
```
**Share with security team:**
- Audit log proves every action
- PII never in raw form
- All anonymization applied
- Compliant with GDPR, HIPAA, etc.
---
## Encrypted State at Rest
All persistent data encrypted with AES-256-GCM.
### What's Encrypted
- **Snapshots** (cookies + localStorage)
- **KV store values** (config, checkpoints, secrets)
- **Session metadata**
### Where's the Key?
- **macOS:** Keychain (system-managed, secure)
- **Linux:** File-based (configurable location)
- **Never:** On-disk in plaintext
### Snapshot Encryption
```javascript
// save_snapshot encrypts to ReDB
await save_snapshot(sessionId, tabId, origin: "https://jira.company.com");
// Stored: encrypted blob in ~/.pagerunner/state.db
// restore_snapshot decrypts transparently
await restore_snapshot(sessionId2, tabId2, origin: "https://jira.company.com");
// Agent never sees key, never sees raw cookies
```
### Why It Matters
**ICP 2 & 3 scenario:**
- Laptop stolen
- Attacker finds `~/.pagerunner/state.db`
- Can't read it (encrypted, no key in plaintext)
- Snapshots are useless without decryption
**On macOS:**
- Keychain requires user password or Face ID
- Encrypted key inaccessible even if user account is compromised
---
## Domain Allowlisting (Per-Session Guardrails)
Restrict where an agent can navigate. Hard boundary, not a suggestion.
### Usage
```javascript
const sessionId = await open_session({
profile: "agent-work",
allowed_domains: ["jira.mycompany.com", "github.com", "slack.com"]
});
// ✅ Allowed
await navigate(sessionId, tabId, "https://jira.mycompany.com/board");
await navigate(sessionId, tabId, "https://github.com/my-repo");
// ❌ Blocked (error)
await navigate(sessionId, tabId, "https://personal-banking.com");
// Error: "Domain not in allowed list"
```
### Wildcard Support
```javascript
await open_session({
profile: "agent",
allowed_domains: [
"*.mycompany.com", // All company subdomains
"github.com", // Exact domain only
"*.github.io" // GitHub Pages
]
});
// ✅ Allowed
await navigate(sessionId, tabId, "https://jira.mycompany.com");
await navigate(sessionId, tabId, "https://wiki.mycompany.com");
await navigate(sessionId, tabId, "https://user.github.io");
// ❌ Blocked
await navigate(sessionId, tabId, "https://example.com"); // Not in list
await navigate(sessionId, tabId, "https://external-site.com");
```
### ICP 2 & 3 Pattern
```javascript
// ICP 2: Agent profile contained to work tools
const sessionId = await open_session({
profile: "agent-work",
stealth: true,
allowed_domains: ["jira.mycompany.com", "github.com", "slack.com"]
});
// ICP 3: Agent profile contained + anonymized
const sessionId = await open_session({
profile: "agent-hr",
anonymize: true,
allowed_domains: ["hr.company.com"]
});
```
### Why Containment Matters
Prevents:
- Accidental navigation to personal sites (banking, email)
- Malicious prompts ("navigate to attacker.com and steal cookies")
- Scope creep (agent stays focused on assigned domains)
---
## SSRF Protection
Blocks navigation to private/internal networks.
### What's Blocked
- **Loopback:** `http://localhost`, `http://127.0.0.1`, `http://[::1]`
- **Private IPs:** `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`
- **Link-local:** `169.254.0.0/16`
- **File protocol:** `file://`, `javascript:`, `data:`
- **Metadata endpoints:** `http://169.254.169.254` (AWS EC2 metadata)
### Example
```javascript
// ❌ Blocked
await navigate(sessionId, tabId, "http://localhost:8000"); // Loopback
await navigate(sessionId, tabId, "http://192.168.1.1:8080"); // Private IP
await navigate(sessionId, tabId, "http://169.254.169.254"); // AWS metadata
await navigate(sessionId, tabId, "file:///etc/passwd"); // File protocol
// ✅ Allowed
await navigate(sessionId, tabId, "https://public-api.example.com");
await navigate(sessionId, tabId, "https://jira.company.com");
```
### Why SSRF Protection
Prevents:
- Agents accessing internal services (databases, admin panels)
- Exfiltrating credentials from metadata endpoints
- Reading local files
---
## Prompt Injection Sanitization
Untrusted web content sanitized before it reaches the agent.
### What Gets Sanitized
**In `get_content` results:**
- Hidden HTML elements (`display: none`, `visibility: hidden`, etc.)
- Zero-width Unicode characters (`\u200b`, `\u200c`, `\u200d`)
- HTML tags (kept as text, not parsed)
- Wrapped in `<<>>` markers
**Example:**
```html
```
**In `get_content`, agent receives:**
```
<<>>
[Hidden content removed]
[Zero-width characters stripped]
Script tags removed
<<>>
```
### In `evaluate`
Results from JavaScript execution are JSON-serialized, so they're safe. HTML from `document.innerHTML` is returned as text, not parsed.
### Defense in Depth
1. **Sanitization** — Hidden elements, injection patterns removed
2. **Wrapping** — Content marked as untrusted
3. **Anonymization** — PII removed before agent sees it
4. **Audit** — Every get_content logged
---
## Security Best Practices
### ICP 1 (Solo Developer)
- Use your personal profile — already trusted
- No special security needed for dev workflows
- Use `anonymize: false` (default)
### ICP 2 (Power User)
- **Separate agent profile** — never mix with personal
- **Domain allowlist** — restrict to work tools
- **Snapshots** — pre-authenticate agent
- Optional `stealth: true` for external sites (flight bookings)
```javascript
await open_session({
profile: "agent-work", // Separate profile
stealth: true, // Hide automation
allowed_domains: [ // Containment
"jira.mycompany.com",
"github.com",
"slack.com"
]
});
```
### ICP 3 (Security-Conscious)
- **Anonymization mandatory** — `anonymize: true`
- **Tokenize mode** — agent uses tokens, real values never visible
- **Domain allowlist** — strict containment
- **Audit log** — compliance proof
- **Custom patterns** — domain-specific PII
```javascript
await open_session({
profile: "agent-sensitive",
anonymize: true, // PII protection
anonymization_mode: "tokenize",
anonymization_profile: "hr-work", // Custom patterns
allowed_domains: ["hr.company.com"]
});
```
### ICP 4 (Server-Side)
- **Daemon mode** — single DB lock, shared state
- **KV store secrets** — never in code
- **Snapshots** — auth handoff between agents
- **Audit log** — compliance for scheduled tasks
```javascript
// ~/.pagerunner/config.toml
[daemon]
enabled = true
bind = "unix:///path/to/daemon.sock"
[[profiles]]
name = "agent-pipeline"
# ... profile config
```
---
## Checklist: Securing Your Pagerunner Setup
- [ ] Create dedicated agent profiles (don't mix human + agent)
- [ ] Enable `anonymize: true` if handling any PII
- [ ] Set `allowed_domains` to restrict agent navigation
- [ ] Review `~/.pagerunner/audit.log` regularly
- [ ] Rotate snapshot credentials periodically
- [ ] Run Pagerunner daemon on private VPS only (not exposed)
- [ ] Back up `~/.pagerunner/state.db` encrypted
- [ ] Monitor unauthorized domain access attempts in audit log
- [ ] Test anonymization with sample data before production
---
## FAQ
**Q: Can Pagerunner read PII from the page?**
A: Yes, but only you can see it. With `anonymize: true`, the agent gets tokens instead.
**Q: Are snapshots safe to backup?**
A: Yes, they're encrypted. But keep the encrypted file and the Keychain key in sync.
**Q: What if the laptop is stolen?**
A: Keychain is locked. Attacker can't decrypt snapshots or KV store without the user's password.
**Q: Can agents access `http://localhost`?**
A: No. SSRF protection blocks private IPs. Use `allowed_domains` for exceptions (not recommended).
**Q: Is audit.log encrypted?**
A: No, but it contains only metadata (PII entity counts, event types). Never real values.
**Q: Can I use anonymization on non-PII sites?**
A: Yes, it's cheap. Won't hurt, might help if PII appears unexpectedly.