
PlanTwin: Privacy-Preserving Planning Abstractions for Cloud-Assisted LLM Agents

Guangsheng Yu, Qin Wang, Rui Lang, Shuai Su, Xu Wang

Abstract

Cloud-hosted large language models (LLMs) have become the de facto planners in agentic systems, coordinating tools and guiding execution over local environments. In many deployments, however, the environment being planned over is private, containing source code, files, credentials, and metadata that cannot be exposed to the cloud. Existing solutions address adjacent concerns, such as execution isolation, access control, or confidential inference, but they do not control what cloud planners observe during planning: within the permitted scope, raw environment state is still exposed. We introduce PlanTwin, a privacy-preserving architecture for cloud-assisted planning without exposing raw local context. The key idea is to project the real environment into a planning-oriented digital twin: a schema-constrained and de-identified abstract graph that preserves planning-relevant structure while removing reconstructable details. The cloud planner operates solely on this sanitized twin through a bounded capability interface, while a local gatekeeper enforces safety policies and cumulative disclosure budgets. We further formalize the privacy-utility trade-off as a capability granularity problem, define architectural privacy goals using $(k,\delta)$-anonymity and $\varepsilon$-unlinkability, and mitigate compositional leakage through multi-turn disclosure control. We implement PlanTwin as middleware between local agents and cloud planners and evaluate it on 60 agentic tasks across ten domains with four cloud planners. PlanTwin achieves full sensitive-item non-disclosure (SND = 1.0) while maintaining planning quality close to full-context systems: three of four planners achieve PQS $> 0.79$, and the full pipeline incurs less than 2.2% utility loss.

Paper Structure

This paper contains 39 sections, 4 theorems, 47 equations, 9 figures, 8 tables, and 2 algorithms.

Key Result

Proposition 1 (Synthetic-population privacy bound)

Let $\operatorname{Synth}: \mathcal{Z} \to \mathcal{S}$ be a (possibly randomized) sandbox generator that takes as input only the sanitized twin $Z_t = \Pi(X_t)$. Let $R_{1:T}$ denote the sequence of tool outputs produced by the planner interacting with the sandbox content $S = \operatorname{Synth}(Z_t)$. By the Markov property (conditional independence): i.e., the sandbox and all interaction transcrip

Figures (9)

  • Figure 1: End-to-end architecture of PlanTwin. The trusted local edge layer (left) transforms raw context $X_t$ through a four-stage privacy projection pipeline into a sanitized digital twin $Z_t$, which crosses the trust boundary to the cloud planner (center-right). The planner reasons over the typed abstract graph and capability catalog to produce a declarative plan $P_t$. The trusted local execution plane (right) validates each step through a gatekeeper, executes on raw data, and sanitizes outputs via $\Pi_{\text{out}}$ before returning results $Y_t$. The cloud never observes raw files, paths, credentials, or code.
  • Figure 2: The 4-stage privacy projection pipeline. Raw local context enters Stage 1 (typed extraction via local small language model (SLM) and heuristics), proceeds through Stage 2 (sensitive entity redaction via deterministic regex patterns with code-specific rules), Stage 3 (value generalization into bounded buckets), and Stage 4 (schema projection into fixed JSON). The output is a planning-sufficient digital twin $Z_t$ that contains no raw text, filenames, paths, or credentials. A companion output sanitizer $\Pi_{\text{out}}$ applies Stages 2--4 to execution results before cloud exposure.
  • Figure 3: Privacy-utility trade-off for 19 configurations over 60 tasks in 10 domains. Only PlanTwin reaches the ideal high-privacy/high-utility region, achieving SND = 1.0 with PQS $> 0.7$. Error bars show per-task standard deviation.
  • Figure 4: Adversarial re-identification accuracy by strategy with $k=15$ candidate files. Error bars show standard deviation, and the dashed line marks the random baseline $1/k$. Full fingerprint matching reaches 94.1% accuracy.
  • Figure 5: Pipeline stage ablation across four variants. All maintain SND = 1.0, while PQS stays within 0.773--0.790, indicating minimal utility loss from privacy hardening. Error bars show per-task standard deviation.
  • ...and 4 more figures
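The abstract and the Figure 2 caption describe a four-stage projection (typed extraction, sensitive-entity redaction, value generalization into bounded buckets, projection into a fixed JSON schema) followed by a gatekeeper that meters what a planner can pull across turns. The following is an added toy implementation of that shape, written for this page; it is not PlanTwin's own code. The sample project context, the credential/e-mail regexes, the bucket boundaries, the schema, the per-session pseudonymization and the capability costs are all assumed for illustration; the paper's actual rules and numbers are not on this page.

```python
import hashlib
import json
import re

# Constructed sample local context (not from the paper): the raw view that must stay local.
SAMPLE_CONTEXT = [
    {"path": "/home/alice/proj/src/auth.py", "size": 4821, "lines": 140,
     "head": "API_KEY = 'sk-live-abc123def456'\nimport requests\n"},
    {"path": "/home/alice/proj/README.md", "size": 310, "lines": 12,
     "head": "# Proj\nContact alice@example.com\n"},
    {"path": "/home/alice/proj/tests/test_auth.py", "size": 1200, "lines": 48,
     "head": "from src.auth import login\n"},
]

# Illustrative detection rules (assumed; the paper's regex rule set is not on the page).
CREDENTIAL_RE = re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*=\s*['\"][^'\"]+['\"]")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
IMPORT_RE = re.compile(r"^(?:import|from)\s", re.M)

# Illustrative Stage 3 bucket boundaries (assumed).
SIZE_BUCKETS = [(0, 1024, "small"), (1024, 16384, "medium"), (16384, float("inf"), "large")]
LINE_BUCKETS = [(0, 50, "short"), (50, 500, "medium"), (500, float("inf"), "long")]

# Stage 4 fixed schema: the only keys (and types) allowed to cross the trust boundary.
SCHEMA = {"id": str, "kind": str, "language": str, "has_credential_literal": bool,
          "has_contact_info": bool, "import_count": int, "size": str, "lines": str}


def stage1_extract(f):
    """Stage 1: typed extraction by heuristics (standing in for the paper's local SLM)."""
    path = f["path"]
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if "/tests/" in path or name.startswith("test_"):
        kind = "test"
    elif ext == "md":
        kind = "doc"
    else:
        kind = "source"
    return {"path": path, "kind": kind,
            "language": {"py": "python", "md": "markdown"}.get(ext, "other"),
            "has_credential_literal": bool(CREDENTIAL_RE.search(f["head"])),
            "has_contact_info": bool(EMAIL_RE.search(f["head"])),
            "import_count": len(IMPORT_RE.findall(f["head"])),
            "size_bytes": f["size"], "line_count": f["lines"]}


def stage2_deidentify(rec, session_salt):
    """Stage 2: drop the raw path; name the node by a per-session pseudonym so sessions do not link."""
    pseudonym = "n" + hashlib.sha256(session_salt + rec["path"].encode()).hexdigest()[:10]
    out = {k: v for k, v in rec.items() if k != "path"}
    out["id"] = pseudonym
    return out


def bucket(value, edges):
    for lo, hi, label in edges:
        if lo <= value < hi:
            return label
    raise ValueError("value outside all buckets")


def stage3_generalize(rec):
    """Stage 3: replace exact counts with coarse labels."""
    out = dict(rec)
    out["size"] = bucket(out.pop("size_bytes"), SIZE_BUCKETS)
    out["lines"] = bucket(out.pop("line_count"), LINE_BUCKETS)
    return out


def stage4_project(rec):
    """Stage 4: keep only schema keys with the right type; anything else never leaves the edge."""
    projected = {}
    for key, typ in SCHEMA.items():
        if not isinstance(rec.get(key), typ):
            raise ValueError(f"field {key!r} missing or mistyped")
        projected[key] = rec[key]
    return projected


def build_twin(context, session_salt):
    nodes = [stage4_project(stage3_generalize(stage2_deidentify(stage1_extract(f), session_salt)))
             for f in context]
    return {"schema": "toy-twin-v1", "nodes": nodes}


def twin_is_clean(twin, context):
    """Non-disclosure check: no raw path or raw content line survives in the serialized twin."""
    blob = json.dumps(twin)
    raw = [f["path"] for f in context] + [ln for f in context for ln in f["head"].splitlines() if ln]
    return not any(s in blob for s in raw)


class Gatekeeper:
    """Bounded capability interface with a cumulative disclosure budget across turns."""
    COSTS = {"list_nodes": 1, "node_detail": 2}   # illustrative costs (assumed)

    def __init__(self, twin, budget):
        self.twin, self.budget, self.spent, self.log = twin, budget, 0, []

    def call(self, capability, node_id=None):
        cost = self.COSTS.get(capability)
        if cost is None:
            return {"error": "capability not in catalog"}
        if self.spent + cost > self.budget:
            return {"error": "disclosure budget exhausted"}
        self.spent += cost
        self.log.append((capability, node_id))
        if capability == "list_nodes":
            return {"nodes": [(n["id"], n["kind"]) for n in self.twin["nodes"]]}
        node = next((n for n in self.twin["nodes"] if n["id"] == node_id), None)
        return {"node": node} if node else {"error": "unknown node"}


if __name__ == "__main__":
    twin = build_twin(SAMPLE_CONTEXT, b"session-A")
    print(json.dumps(twin, indent=1))
    gk = Gatekeeper(twin, budget=4)
    print(gk.call("list_nodes"))
    print(gk.call("node_detail", twin["nodes"][0]["id"]))
    print(gk.call("node_detail", twin["nodes"][1]["id"]))  # refused once the budget is spent
```

Two design points carry over from the page's description: the twin records that a credential literal exists without carrying its value, so the planner can still plan a "rotate the key" step, and the per-session salt in Stage 2 gives the same file a different node id in each session, which is the property the paper's cross-session unlinkability goal is about. `twin_is_clean` is the kind of check a deployment would run before anything crosses the boundary; it is a string-containment test over the serialized twin, which is a floor, not a proof.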

Theorems & Definitions (7)

  • Proposition 1: Synthetic-population privacy bound
  • Theorem 1: Re-identification Bound
  • Proof
  • Theorem 2: Cross-Session Unlinkability
  • Proof
  • Theorem 3: Sequential Composition
  • Proof