PII Redaction Configuration
Use this page when you want to configure the built-in PII redaction plugin
component. The component kind is pii_redaction.
The CLI and primary language bindings register this component. Direct Rust
applications must call
nemo_relay_pii_redaction::component::register_pii_redaction_component()
before they validate or initialize a pii_redaction component.
For plugin file discovery, precedence, merge behavior, editor controls, and gateway conflict rules, refer to Plugin Configuration Files.
NeMo Relay plugin configuration uses the generic plugin document shape, so
field names stay snake_case in every binding and in plugins.toml.
Relation to Raw Middleware
This plugin uses the same sanitize-guardrail middleware family documented in Middleware.
The difference between raw middleware and pii_redaction is the layer of
abstraction:
- Raw middleware asks you to register sanitize callbacks directly in code.
pii_redactiongives you a first-party, config-driven privacy contract on top of those same runtime hooks.
Choose pii_redaction when you want a reusable built-in policy surface.
Choose raw middleware when you need bespoke callback logic that does not fit
the plugin contract.
Plugin Versus Middleware
Use this matrix when deciding whether to use the built-in pii_redaction
plugin or raw sanitize-guardrail middleware directly.
Component Shape
The top-level PII redaction object contains:
At least one managed redaction surface must be enabled.
Backend Support
The following table compares the available PII redaction backends:
Built-in Mode
Use builtin mode when NeMo Relay should sanitize emitted observability
payloads with a deterministic first-party backend.
This is the recommended mode when the privacy behavior is common enough to be described declaratively with built-in actions, detector presets, exact target paths, and supported codecs.
Requirements
To use mode = "builtin":
builtinsettings are required.codecis required wheninputoroutputis enabled.builtin.actionmust beremove,redact,regex_replace,hash, ormask.builtin.patternorbuiltin.detectoris required whenbuiltin.action = "regex_replace"orbuiltin.action = "redact".
plugins.toml Example
You can write this config directly in plugins.toml, or create and edit it
through the CLI with nemo-relay plugins edit. For plugin file discovery,
precedence, merge behavior, and editor controls, refer to
Plugin Configuration Files.
This example configures the built-in backend for:
- LLM request redaction from the normalized request path
/messages/0/content - LLM response redaction from the normalized response path
/message - tool argument redaction at
/api_key - tool result redaction at
/result/secret
CLI Editor Support
The NeMo Relay CLI plugin editor now exposes pii_redaction directly through
nemo-relay plugins edit.
Use the editor when you want to:
- Toggle the component on or off
- Choose
builtinorlocal_model - Set the LLM
codec - Edit
builtinaction settings such asaction,target_paths,pattern,detector,replacement, and masking fields - Edit
local.backendfor a runtime-provided future local-model backend
The editor preserves unknown fields when it rewrites an existing
pii_redaction component, so future or runtime-specific settings are not
discarded by the interactive edit flow.
If your policy needs callback code instead of editor or configuration fields, use raw middleware.
Built-in Settings
The builtin section contains:
Action Semantics
remove
remove is structural.
When a target matches:
- Object fields are removed.
- Array elements become
null. - Targeted scalar or root values become
null.
regex_replace
regex_replace applies the configured regex to matching string leaves and
replaces matches with the configured replacement.
If you set detector instead of pattern, the built-in backend uses the
detector’s stock matcher regex.
redact
redact is the deterministic whole-match replacement lane.
It uses the same pattern or detector matcher flow as regex_replace, but
defaults the replacement token to [REDACTED] and is intended for cases where
you do not want to preserve any matched secret characters.
Use redact when you want:
- credential-style secrets fully replaced
- a consistent redaction token across detectors
- clearer policy intent than a custom
regex_replace
hash
hash replaces matching string leaves with their SHA-256 hex digest.
When pattern or detector is set, hash only replaces the matching
substring instead of hashing the entire string leaf.
mask
mask replaces the middle portion of each matching string leaf with the
configured mask_char.
Use unmasked_prefix and unmasked_suffix when you want to preserve a small
leading or trailing segment for correlation or debugging, such as the last four
characters of a token.
When pattern or detector is set, mask only masks matching substrings
inside the string leaf.
When detector is set and you do not specify unmasked_prefix or
unmasked_suffix, the built-in backend applies detector-aware defaults:
email: Preserves the domain and the first local-part characterphone: Preserves the last four digits while keeping separators intactapi_key: Preserves the vendor-style prefix such assk-and the last four charactersip_address: Preserves the last octetipv6: Preserves the last segmenturl: Preserves the scheme and host, then collapses the path/query tailuuid: Preserves the last four charactersbearer_token: Preserves the auth scheme and the last four charactersjwt: Preserves the header segment and the tail of the signaturecredit_card: Preserves the last four digits while keeping separators intactaws_access_key_id: Preserves the provider prefix and the last four charactersaws_secret_access_key: Preserves the last four charactersgcp_api_key: Preserves theAIza-style prefix and the last four charactersazure_storage_account_key: Preserves the last four characters
Path Semantics
target_paths are exact JSON-pointer matches.
The plugin uses different payload boundaries for tools and LLMs:
- Tools use JSON-native payloads. Paths point into the emitted tool args or tool result shape directly.
- LLMs use the selected built-in codec. Prefer normalized Relay paths such as:
/messages/0/contentfor request message content/messagefor the normalized assistant response text
The current implementation also preserves provider-shaped response-path compatibility for the supported codecs, but normalized LLM paths are the recommended contract for new configuration.
Decision Rule
Use pii_redaction for reusable, config-driven privacy behavior. Use raw
middleware when the policy depends on application-specific runtime state or
custom callback logic. Refer to Plugin Versus Middleware
for the full comparison.
Detector Presets
The built-in detector presets are grouped into three deterministic families:
Common PII
emailphoneip_addressipv6url
Structured Secrets
api_keyuuidbearer_tokenjwtcredit_card
bearer_token is heuristic rather than vendor-specific. It can still match
benign bearer-style values, so prefer a narrower detector when you know the
credential family.
Cloud Credentials
aws_access_key_idaws_secret_access_keygcp_api_keyazure_storage_account_key
They are deterministic regex-backed helpers, not model inference.
If target_paths is empty, the built-in backend sanitizes every matching
string leaf in the selected payload boundary.
Observability Semantics
The built-in plugin uses sanitize guardrails.
That means:
- The real provider response value remains unchanged.
- The plugin sanitizes emitted NeMo Relay start and end event payloads.
- The plugin populates
annotated_responsefrom the sanitized end-event payload when a response codec is available.
Local Model Mode
local_model is reserved for a future in-process local-model backend.
Current Status
The current local-model status is:
- The plugin contract accepts
mode = "local_model". - The
localsection supports:backendmodel_iddetector_profileallow_networkmax_latency_ms
- Actual behavior depends on a runtime-installed local backend provider.
Without a provider, runtimes report the local backend as unavailable during plugin initialization.