The Cloak

Tier 2 Classification ● live

Format-preserving encryption and tokenization. Masks sensitive fields while preserving data utility for analytics.

Tier
Tier 2
Phase
Classification
Pricing
$0.00012 USDC/row
MCP Tool
the_cloak_mask
Dependencies
sentinel-tag
View source on GitHub

What It Does

The Cloak applies format-preserving encryption (AES-FF1) and tokenization to sensitive fields identified by Sentinel Tag. FPE produces output that looks like the original data — a masked credit card number still looks like a credit card number — keeping data analytically useful while protecting sensitive values.

Capabilities

  • Format-preserving encryption (AES-FF1)
  • Deterministic tokenization (HMAC-SHA256)
  • Reversible masking (with key)
  • Irreversible pseudonymization
  • Partial masking (show last 4 digits)
  • Consistent cross-dataset tokenization

Example

the-cloak-example.ts 
const result = await mcp.call('the_cloak_mask', {
  payload: classifiedPayload,
  stream_uuid: streamUUID,
  sensitive_fields: sentinelResult.sensitive_fields,
  mode: 'tokenize',
});
// "4532-1234-5678-9012" → "4532-XXXX-XXXX-9012"

Configuration

the-cloak.yaml 
agent: the-cloak
version: "1.0"
encryption:
  algorithm: AES-FF1
  key_source: vault
  key_id: "${CLOAK_KEY_ID}"
tokenization:
  algorithm: HMAC-SHA256
  deterministic: true

MCP Tool

the_cloak_mask

Try in MCP Explorer →

Pricing

$0.00012 USDC/row

View full pricing →

Related Agents

Sentinel Tag

PII/PCI/PHI classification at ingestion. Automatically identifies and tags sensitive data fields before they enter the lakehouse.

Tier 1 Classification

Ledger Guard

Cryptographic hash verification. Computes SHA-256 hashes of every payload for tamper detection and audit trail integrity.

Tier 1 Classification

Cipher Scribe

Blockchain audit trail anchoring. Anchors Merkle roots to Base L2 for immutable, publicly verifiable audit records.

Tier 2 Classification