Cloak — Masking Engine
Cloak is Sonomos’s real-time masking engine. It automatically intercepts outgoing messages to AI platforms and redacts detected PII before the data leaves your browser.
How Cloak works
When you submit a message to a supported AI platform, Cloak runs as a small in-page interceptor:
- Intercept — Cloak hooks into the platform’s send action just before the network request leaves the page.
- Scan — Dagger evaluates the outgoing payload for PII.
- Replace — detected entities are swapped for typed placeholders (e.g. [NAME], [SSN], [EMAIL_1]).
- Send — the sanitized payload is what the AI platform actually receives.
- Restore — your local view shows the original text in the conversation, so your workflow isn’t disrupted by reading masked content back to yourself.
This all happens transparently — you type and submit as normal, and Cloak handles the rest. Latency is typically under 100 ms on modern hardware.
Placeholder format
Placeholders are stable within a single message: if a name appears twice, both occurrences become [NAME_1], so the model can still reason about coreference. They don’t currently persist across messages — see Limitations below.
Supported platforms
| Platform | Protection | Coverage |
|---|---|---|
| Claude.ai | Automatic masking | Full |
| Gemini | Automatic masking | Full |
| Grok | Automatic masking | Full |
| ChatGPT | Send Guard fallback | Warning only |
| Other sites | Send Guard fallback | Warning only |
ChatGPT and other sites use Send Guard as a fallback — see below.
Send Guard
For sites without automatic Cloak masking, Send Guard provides a safety net so PII never silently leaves your browser:
- Banner mode — a non-blocking warning appears when PII is detected in form fields. You can dismiss the banner and proceed, or edit your text first.
- Modal mode — a blocking modal prevents submission until you review and acknowledge each detected entity, or remove it.
Send Guard activates automatically on any site where Cloak doesn’t have platform-specific support. See the Send Guard reference for the full configuration.
Enabling and configuring Cloak
- Open any supported AI platform (Claude.ai, Gemini, or Grok).
- Click the Sonomos widget on the page (or the toolbar icon).
- Toggle Cloak to on.
- The widget’s shield gains a small lock icon and the border changes to indicate active masking.
- Submit text as normal — Cloak handles interception transparently.
Cloak is per-platform: you can leave it off for a workspace where masking would interfere (e.g. your own internal tooling) and on for public AI tools.
Bidirectional protection
Cloak’s architecture supports both outgoing and incoming content protection. Masked values are restored in your browser view, so you see the original text while the AI platform only ever receives redacted content. If the model echoes a placeholder back to you, Sonomos rewrites it to the original value in the rendered conversation.
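The placeholder behaviour described under Placeholder format and Bidirectional protection, sketched as an added example that is not Sonomos code. The two regexes are constructed stand-ins for the Dagger detector, and the names `maskMessage` and `restore` are hypothetical.

```javascript
// Added illustration, not Sonomos code. DETECTORS is a constructed stand-in
// for Dagger, whose detection logic the page does not describe.
const DETECTORS = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/g },
];

// Mask one outgoing message. Returns the sanitized text and the
// placeholder -> original map. The map is the only thing that can undo the
// masking, so it has to stay in the browser and never go into the request.
function maskMessage(text) {
  const byValue = new Map();   // "TYPE\0value" -> placeholder
  const originals = new Map(); // placeholder -> original value
  const counters = {};         // per-type counter, fresh for every message
  let masked = text;
  for (const { type, re } of DETECTORS) {
    masked = masked.replace(re, (value) => {
      const key = type + "\0" + value;
      if (!byValue.has(key)) {
        counters[type] = (counters[type] || 0) + 1;
        const placeholder = `[${type}_${counters[type]}]`;
        byValue.set(key, placeholder);
        originals.set(placeholder, value);
      }
      // A repeated value reuses its placeholder, preserving coreference.
      return byValue.get(key);
    });
  }
  return { masked, originals };
}

// Rewrite placeholders the model echoed back. A placeholder that is not in
// this message's map is left as-is rather than guessed at.
function restore(text, originals) {
  return text.replace(/\[[A-Z]+_\d+\]/g, (ph) =>
    originals.has(ph) ? originals.get(ph) : ph);
}

// Constructed sample input.
const sample = "Email alice@example.com about SSN 123-45-6789; " +
  "cc bob@example.com and alice@example.com.";
const { masked, originals } = maskMessage(sample);
console.log(masked);
console.log(restore("I will write to [EMAIL_2].", originals));
```

Because the counters and map are created per call, masking a later message that mentions only bob@example.com yields [EMAIL_1] rather than [EMAIL_2], which is the cross-message inconsistency listed under Limitations.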
What Cloak does not do
- It does not change what you’ve already sent. Cloak intercepts at submit time. If a message was sent before Cloak was enabled (or on a page that loaded before the extension initialized), the platform has already seen it. Refresh after install to make sure Cloak is fully active.
- It does not encrypt your traffic. Cloak removes PII; it doesn’t take the place of TLS or any other transport security.
- It is not a substitute for thoughtful prompts. If you describe a patient’s situation in detail without using their name, no PII detector will save you from disclosing case-identifying information. Use Cloak as a safety net, not as your only line of defense.
Limitations
- Cross-message consistency — placeholders are stable within a single message but not yet across an entire conversation. A name redacted in turn 1 may receive a different placeholder in turn 5. We’re working on persistent per-conversation mappings.
- Streaming responses — restoration of incoming content is best-effort during streaming. If the model echoes a placeholder mid-stream, the rewrite may briefly show the placeholder before the original value is restored.
- Platform UI changes — when Claude/Gemini/Grok ship UI changes that move the send action, Cloak may need a hotfix. We typically ship within 24–48 hours; see the changelog.
- Browser-only — Cloak in the extension cannot mask prompts sent from native desktop apps. That’s the primary motivation for Sonomos Desktop.
Pairing Cloak with Send Guard
For maximum safety in the prototype, leave both on:
- Cloak removes PII automatically on platforms it supports.
- Send Guard warns or blocks on every other site, so a forgotten paste into a non-AI form (a CRM, a ticket system, an email draft) doesn’t slip through unnoticed.
This defense-in-depth model is the same approach Sonomos Desktop will take, scaled to the entire OS instead of just the browser.