Cloud-hosted large language models (LLMs) have become the de facto planners in agentic systems, coordinating tools and guiding execution over local environments. In many deployments, however, the environment being planned over is private, containing source code, files, credentials, and metadata that cannot be exposed to the cloud. Existing solutions address adjacent concerns, such as execution isolation, access control, or confidential inference, but they do not control what cloud planners observe during planning: within the permitted scope, \textit{raw environment state is still exposed}. We introduce PlanTwin, a privacy-preserving architecture for cloud-assisted planning without exposing raw local context. The key idea is to project the real environment into a \textit{planning-oriented digital twin}: a schema-constrained and de-identified abstract graph that preserves planning-relevant structure while removing reconstructable details. The cloud planner operates solely on this sanitized twin through a bounded capability interface, while a local gatekeeper enforces safety policies and cumulative disclosure budgets. We further formalize the privacy-utility trade-off as a capability granularity problem, define architectural privacy goals using $(k,\delta)$-anonymity and $\epsilon$-unlinkability, and mitigate compositional leakage through multi-turn disclosure control. We implement PlanTwin as middleware between local agents and cloud planners and evaluate it on 60 agentic tasks across ten domains with four cloud planners. PlanTwin achieves full sensitive-item non-disclosure (SND = 1.0) while maintaining planning quality close to full-context systems: three of four planners achieve PQS $> 0.79$, and the full pipeline incurs less than 2.2\% utility loss.
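As an added illustration of the twin-plus-gatekeeper idea (this is not PlanTwin's own code; the paper's schema, capability set and budget accounting are not specified in the abstract, so the node types, costs and budget below are assumptions), the sketch projects a constructed toy environment into a de-identified graph and gates planner queries behind a cumulative disclosure budget.

```python
import hashlib
import json
import re

# Constructed sample environment (not from the paper): a small project whose
# credential-bearing file must never reach the cloud planner.
SAMPLE_ENV = {
    "src/app.py": "import db\nDB_URL = 'postgres://admin:hunter2@10.0.0.5/prod'\n",
    "src/db.py": "def connect(url):\n    return url\n",
    "README.md": "Internal notes for project falcon\n",
}
SCHEMA_TYPES = {".py": "code", ".md": "doc"}  # assumed schema: only coarse node types survive

def pseudonym(path: str, salt: bytes) -> str:
    """Keyed per-session pseudonym: stable within a session, unlinkable across sessions."""
    return "n_" + hashlib.blake2b(path.encode(), key=salt, digest_size=4).hexdigest()

def build_twin(env: dict, salt: bytes) -> dict:
    """Project the raw environment into a de-identified, schema-constrained graph:
    nodes keep only a type label and a size bucket, edges keep only import structure."""
    ids = {p: pseudonym(p, salt) for p in env}
    nodes = {ids[p]: {"type": SCHEMA_TYPES.get(p[p.rfind("."):], "other"),
                      "size_bucket": min(len(c) // 32, 3)} for p, c in env.items()}
    edges = [(ids[p], ids[f"src/{m}.py"]) for p, c in env.items()
             for m in re.findall(r"^import (\w+)$", c, re.M) if f"src/{m}.py" in ids]
    return {"nodes": nodes, "edges": edges}

class Gatekeeper:
    """Bounded capability interface over the twin with a cumulative disclosure budget."""
    COST = {"inspect": 1, "neighbors": 2}  # assumed per-capability disclosure costs

    def __init__(self, twin: dict, budget: int):
        self.twin, self.budget, self.spent = twin, budget, 0

    def _charge(self, op: str) -> bool:
        # Refuse outright when the budget would be exceeded; never answer partially.
        if self.spent + self.COST[op] > self.budget:
            return False
        self.spent += self.COST[op]
        return True
    def inspect(self, node_id: str):
        return dict(self.twin["nodes"][node_id]) if self._charge("inspect") else None
    def neighbors(self, node_id: str):
        if not self._charge("neighbors"):
            return None
        return sorted(dst for src, dst in self.twin["edges"] if src == node_id)

def leaks_raw_state(twin: dict, env: dict) -> bool:
    """True if any raw path or content line from the environment survives in the twin."""
    blob = json.dumps(twin)
    return any(p in blob or any(ln in blob for ln in c.splitlines()) for p, c in env.items())
```

The cloud side only ever sees pseudonymous node ids, type labels and edges; once the budget is spent, further capability calls return `None` rather than a partial answer.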