ProvenLog automatically redacts sensitive data before it enters the audit trail. Redaction runs in the processing pipeline in both server and embedded mode.
Built-in patterns
17 patterns are included out of the box:
| Category | Patterns |
|---|---|
| Credentials | Email addresses, AWS keys, GitHub PATs, API keys (sk-*, pk-*), Bearer tokens, JWTs |
| Identity | US SSN, Canadian SIN, UK NINO |
| Financial | Credit cards (Visa, MC, Amex, Discover), IBAN |
| Contact | Phone numbers (E.164, US/Canada) |
| Network | IPv4 addresses |
What gets redacted
Redaction applies to content fields:
- action_input
- action_output
- error_message
- metadata values
- labels values
Structural fields (agent_id, action_name, action_type, etc.) are never touched. Label and metadata keys are never modified — only their values.
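The field scoping described above, sketched as an added example (not ProvenLog's own code); the three regexes are simplified stand-ins rather than the built-in patterns, and the sample event is constructed. The IP-like text in agent_id and the e-mail address used as a label key pass through unchanged, because structural fields and keys are not scanned.

```python
import re

# Constructed, simplified stand-ins (assumption: NOT ProvenLog's actual patterns).
RULES = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("mrn", re.compile(r"MRN-\d{10}")),
]

# Content field names taken from the page.
STRING_FIELDS = ("action_input", "action_output", "error_message")
MAP_FIELDS = ("metadata", "labels")

def redact_string(text):
    """Apply every rule in order; return (clean_text, number_of_replacements)."""
    total = 0
    for name, pattern in RULES:
        text, n = pattern.subn(f"[REDACTED:{name}]", text)
        total += n
    return text, total

def redact_event(event):
    """Return a redacted copy of event and the total replacement count."""
    out = dict(event)
    total = 0
    for field in STRING_FIELDS:
        if isinstance(out.get(field), str):
            out[field], n = redact_string(out[field])
            total += n
    for field in MAP_FIELDS:
        if isinstance(out.get(field), dict):
            clean = {}
            for key, value in out[field].items():
                # Keys are copied verbatim; only string values are scanned.
                if isinstance(value, str):
                    value, n = redact_string(value)
                    total += n
                clean[key] = value
            out[field] = clean
    return out, total

# Constructed sample event.
EVENT = {
    "agent_id": "agent-10.0.0.5",
    "action_input": "Find MRN-1234567890 for jane@example.com",
    "error_message": "timeout contacting 192.168.1.20",
    "labels": {"owner@example.com": "ops@example.com"},
}
```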
Server-side redaction (Go)
Redaction is automatic when using plog serve. Add custom patterns via provenlog.yaml:
```yaml
redaction:
  rules:
    - name: internal_id
      pattern: "INTERNAL-[A-Z0-9]{12}"
      replace: "[REDACTED:internal_id]"
    - name: mrn
      pattern: "MRN-\\d{10}"
      replace: "[REDACTED:mrn]"
```
Custom rules are additive — built-in patterns are always active.
Embedded mode redaction (Python)
In embedded mode, redaction is also automatic. The client loads rules from the config file on startup. Custom rules in provenlog.yaml apply the same way as server-side.
Standalone usage
Use the Redactor class independently for any string processing:
```python
from provenlog import Redactor

redactor = Redactor.default()
clean, count = redactor.redact_string("Contact john@example.com or call 555-123-4567")
# clean = "Contact [REDACTED:email] or call [REDACTED:phone]"
# count = 2
```
Add custom patterns programmatically:
```python
import re
from provenlog import Redactor, RedactionRule

redactor = Redactor.default_with_rules([
    RedactionRule("mrn", re.compile(r"MRN-\d{10}"), "[REDACTED:mrn]"),
    RedactionRule("employee_id", re.compile(r"EMP-[A-Z0-9]{8}"), "[REDACTED:employee_id]"),
])
clean, count = redactor.redact_string("Patient MRN-1234567890")
# clean = "Patient [REDACTED:mrn]"
```
RedactionRule.pattern expects a compiled regex (re.compile(...)), not a raw string.
Configuration file discovery
The redaction config file is resolved in order:
1. PROVENLOG_CONFIG environment variable
2. ./provenlog.yaml (current directory)
3. ~/.provenlog/config.yaml