Transparent privacy filter for the AI era. By drig.ai
Redact intercepts all traffic between your Linux machine and AI services — browser-based and API-based alike — and automatically anonymizes personally identifiable information (PII) before it leaves your device.
Run sudo redact start once. Continue using AI tools exactly as before. Your real names, emails, phone numbers, addresses, and credentials are replaced with consistent tagged substitutes ([NAME-1], [EMAIL-1], etc.) — preserving AI response coherence while ensuring no personal data reaches third-party servers.
Every time you use ChatGPT, Claude, Gemini, or any AI assistant, you share personal context in natural conversation. There is no tool today that sits between you and these services to prevent PII leakage transparently — without requiring you to think about it, configure it per-app, or change your workflow.
Redact fills that gap at the network layer — the only abstraction that works universally across all apps and protocols without per-application integration.
- Zero configuration — no proxy settings, no browser extensions, no per-tool setup
- Transparent interception — works automatically with every AI tool on your machine
- Consistent substitutions — tagged replacements stay consistent across a session (
[NAME-1]always maps to the same original name) - Observation mode — see what would be anonymized before committing to live filtering
- Open source — fully auditable, no black boxes
| Feature | Redact | OpenAI Privacy Filter | LiteLLM PII | Manual Scrubbing |
|---|---|---|---|---|
| Transparent (no config per tool) | Yes | No (requires integration) | No (requires LiteLLM proxy setup) | No |
| Works with browser AI | Yes | No (model only) | No (API only) | Manual |
| Works with API tools | Yes | Yes | Yes | Manual |
| Network-layer (universal) | Yes | No (application-level) | No (proxy-level, per-route) | N/A |
| Multi-signal detection | Yes (regex + NLP + fuzzy + custom rules) | Single model | Single model | Human judgment |
| Runs fully offline | Yes | Yes | Partially (needs LiteLLM) | Yes |
| No vendor lock-in | Yes | OpenAI ecosystem | LiteLLM ecosystem | N/A |
| Consistent tagged substitutes | Yes (project-scoped maps) | Masking only | Masking only | N/A |
OpenAI Privacy Filter is a 1.5B-parameter model for PII token classification. It's a detection model, not a network filter. You must integrate it into your application code to use it. Redact operates below your applications — it protects everything on your machine without touching a single line of application code.
LiteLLM is an API proxy that requires you to route each tool's traffic through it explicitly (environment variables, SDK configuration). It only covers API calls — not browser-based AI usage. Redact intercepts at the network layer: no OPENAI_BASE_URL overrides, no SDK changes, no per-tool setup.
Redact is a transparent proxy — it automatically intercepts AI-bound traffic using nftables without requiring any application or browser to be configured to use a proxy.
┌─────────────────────────────────────────────────────┐
│ Your Machine │
│ │
│ Browser/CLI ──→ nftables REDIRECT ──→ Redact Proxy │
│ │ │ │
│ │ PII Detection Pipeline │ │
│ │ (regex + NLP + fuzzy map) │ │
│ │ │ │
│ │ Anonymize: "Nathan" → [NAME-1] │
│ │ ▼ │
│ └──────────────────────────── AI Service ─────→│
└─────────────────────────────────────────────────────┘
sudo redact startactivates nftables rules that redirect AI-bound traffic to the local proxy- The proxy (built on mitmproxy) terminates TLS, inspects request bodies for PII
- A multi-signal detection pipeline scores text spans for PII confidence
- Confirmed PII is replaced with consistent, tagged substitutes (
[NAME-1],[EMAIL-1], etc.) - The modified request continues to the AI service — your real data never leaves your device
- Non-AI traffic is never touched — no inspection, no modification, no added latency
sudo redact start
│
├─ Phase 1 (root): Create drig-proxy user, configure nftables, install CA cert
├─ Phase 2: Drop privileges to drig-proxy, retain CAP_NET_ADMIN
└─ Phase 3 (drig-proxy): Run proxy, process AI traffic, handle signals
The proxy process runs as a dedicated drig-proxy system user — your personal user's traffic is intercepted, but the proxy's own upstream connections are excluded (preventing infinite loops). This is the mitmproxy-documented approach for same-machine transparent proxying.
Redact is a privacy tool. Its credibility depends on practicing what it preaches:
- No telemetry beyond an optional daily anonymous install-count ping (opt-out via
redact config set heartbeat_enabled false) - No outbound connections during normal operation — all filtering is local
- No data collection — PII substitution maps are encrypted at rest and never transmitted
- No silent behavior changes — version updates never change anonymization behavior without explicit user action
- No cloud dependency — everything runs on your machine
- Open source — read every line of code at github.com/drig-ai/redact
redact status --verify— confirms network rules are active and proxy is healthyredact watch— live feed showing exactly what's being anonymized, when, for which serviceredact watch --diff <event-id>— drill down to see original vs. anonymized content- Wireshark audit — Redact makes zero outbound connections you can't see
- Registry signatures — AI service endpoint updates are cryptographically signed; unsigned updates are rejected
- mitmproxy (MIT licensed) — the industry-standard TLS-intercepting proxy used by security researchers worldwide since 2013
- Presidio (MIT licensed) — Microsoft's open-source PII detection framework
- nftables — the Linux kernel's native packet filtering framework
# Clone the repository
git clone https://github.com/drig-ai/redact.git && cd redact
# Create virtualenv and install (requires uv — https://docs.astral.sh/uv/)
uv sync
# Download the spaCy NLP model (required for NLP-based PII detection)
.venv/bin/python -m spacy download en_core_web_lg# Start the privacy filter (requires root for nftables + privilege drop)
sudo .venv/bin/redact start
# Stop (sudo needed — daemon runs as drig-proxy after privilege drop)
sudo .venv/bin/redact stop
# Check status
.venv/bin/redact status
.venv/bin/redact status --verify # includes network verificationWhy
sudo? The daemon needs root to configure nftables and drop privileges to thedrig-proxyuser. After startup, the proxy runs unprivileged.sudoresetsPATH, so the full virtualenv path is required until Redact is installed system-wide.
# Help
redact --help
redact --version
# Subcommand groups
redact registry --help
redact map --help
redact config --help
# Examples
redact registry list # Show known AI service endpoints
redact map inspect # View your substitution map
redact config get # Show current configuration
# Observation mode (detect PII without modifying traffic)
sudo redact start --observe
# Live activity stream
redact watch # Compact one-line-per-event
redact watch --diff <id> # Drill down into specific event
redact watch --json # Machine-readable output
# File scanning (reuses same detection pipeline)
redact scan ./my-project/ # Scan files for PII
redact scan --staged # Scan git-staged files (pre-commit hook)
redact scan --diff HEAD~1 # Scan files changed in a git range (pre-push hook)- Ubuntu 24.04 LTS (kernel 6.x) — primary development and testing platform
- Google Chrome
- Chromium
- Mozilla Firefox
- Brave
- ChatGPT — browser (chatgpt.com) and API (api.openai.com)
- Claude — browser (claude.ai) and API (api.anthropic.com)
- Gemini — browser (gemini.google.com) and API (generativelanguage.googleapis.com)
- Claude Code (CLI)
- Any tool using OpenAI-compatible APIs
- Linux with kernel 5.x or 6.x (nftables support required)
- Root access at startup (for nftables rules and privilege drop)
- Python 3.12+
- ~500MB disk for spaCy NLP model (
en_core_web_lg) - nftables (
nftbinary) must be installed
| Limitation | Explanation |
|---|---|
| Linux only (for now) | macOS and Windows support planned for future releases |
| First-run CA cert install | Browsers need to trust the proxy's CA certificate. Redact handles this automatically, but it's a one-time system modification. |
| QUIC/HTTP3 forced fallback | Redact blocks QUIC to force HTTP/2 fallback for interception coverage. This adds negligible latency but may appear in browser developer tools. |
| Cannot intercept cert-pinned apps | Applications with certificate pinning (some mobile apps, some Electron apps) cannot be intercepted by any TLS proxy. Phase 2 plans eBPF-based interception for these. |
| English-optimized NLP | The spaCy model is trained primarily on English text. PII detection accuracy may be lower for other languages. |
| Steganographic/adversarial bypass | PII encoded in variable names, base64, Unicode homoglyphs, or deliberately spread across messages may evade detection. |
To reverse everything redact start sets up (nftables rules, CA certificate, local directories):
scripts/uninstall.sh # interactive — choose stop / soft / full
scripts/uninstall.sh stop # stop daemon + flush nftables only
scripts/uninstall.sh soft # stop + remove CA cert + state/data (keeps config)
scripts/uninstall.sh full # remove everything including config + pip packagemake test # Run all unit/integration tests
make check # Lint + typecheck + testsSee CONTRIBUTING.md for testing documentation.
We welcome contributions! See CONTRIBUTING.md for guidelines.
For security vulnerabilities, please see SECURITY.md.
Redact was designed and implemented with the help of:
- Claude by Anthropic — AI-assisted development using Claude Code
- BMAD Method — the AI-native software development methodology that guided architecture, planning, and sprint execution
MIT — see LICENSE for details.
Copyright 2026 drig.ai
Contact: hello@drig.ai Repository: github.com/drig-ai/redact