What it does

The privacy plugin redacts personally identifiable information (PII) on the agent’s data flow. It acts at three hook points:

  • BeforeModelCallback — redacts the outbound prompt before it reaches the model. The model sees redacted tokens, never raw PII.
  • AfterModelCallback — re-redacts the model’s response on the way back. Defends against models leaking memorised training-set PII.
  • Memory writes — when the session writes to long-term memory (via MemoryService), the plugin re-redacts on write to avoid persisting raw PII in stored context.

Pattern catalogue

Patterns ship by jurisdiction. The default catalogue includes UK NINO, EU IBAN, US SSN, NHS Number, dates of birth, email, phone, postcode, credit-card numbers, and a configurable name detector that uses a locale-aware blocklist (deterministic matching, not a model).

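Custom patterns implement PiiPattern:

import java.util.regex.Pattern;

// PiiPattern is the plugin's interface; add its import (package not shown on this page).
public class CustomerIdPattern implements PiiPattern {
  // Compiled once: "CUST-" followed by eight digits.
  private static final Pattern REGEX = Pattern.compile("CUST-\\d{8}");
  @Override public String name() { return "customer_id"; }
  @Override public Pattern regex() { return REGEX; }
  @Override public String replacement() { return "<REDACTED:customer_id>"; }
}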

Register via the Spring Boot starter:

regulus:
  privacy:
    patterns:
      - com.example.privacy.CustomerIdPattern
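
Before registering a custom pattern, it is worth running it over near-miss inputs and re-scanning the output for anything that survived. The harness below is an added example, not Regulus code: its PiiPattern is a local stand-in with the three methods shown above, the RESIDUE audit regex is hypothetical, and the sample strings are constructed.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CustomerIdPatternCheck {
  // Local stand-in with the three methods the page shows; the real interface
  // ships with the plugin (assumption: same method signatures).
  interface PiiPattern { String name(); Pattern regex(); String replacement(); }

  // Same regex and replacement as the page's CustomerIdPattern.
  static final PiiPattern CUSTOMER_ID = new PiiPattern() {
    private final Pattern re = Pattern.compile("CUST-\\d{8}");
    @Override public String name() { return "customer_id"; }
    @Override public Pattern regex() { return re; }
    @Override public String replacement() { return "<REDACTED:customer_id>"; }
  };

  // Hypothetical audit regex, looser than the pattern under test: a "cust"
  // prefix in any case followed by digits, or digits glued to a redaction token.
  static final Pattern RESIDUE = Pattern.compile("(?i)cust[-_ ]?\\d+|(?<=>)\\d+");

  // quoteReplacement keeps '$' or '\' in a replacement from being read as a group reference.
  static String redact(PiiPattern p, String text) {
    return p.regex().matcher(text).replaceAll(Matcher.quoteReplacement(p.replacement()));
  }

  // Returns the first fragment that survived redaction, or "" if the output is clean.
  static String residue(String redacted) {
    Matcher m = RESIDUE.matcher(redacted);
    return m.find() ? m.group() : "";
  }

  public static void main(String[] args) {
    // Constructed sample inputs, not real customer data.
    List<String> samples = List.of(
        "Refund for CUST-12345678 approved",   // exact format
        "refund for cust-12345678 approved",   // lower-case variant
        "Ticket CUST-123456789 reopened",      // one digit too many
        "Order 4471 shipped");                 // no identifier at all
    for (String s : samples) {
      String out = redact(CUSTOMER_ID, s);
      String left = residue(out);
      System.out.printf("%-8s %s%n", left.isEmpty() ? "clean" : "LEAK", out);
      if (!left.isEmpty()) System.out.printf("         survived: %s%n", left);
    }
  }
}
```

The lower-case and nine-digit samples are the ones to watch: the first is not matched at all and the second leaves a trailing digit next to the token, so confirm the real ID format is case-sensitive and fixed-width before relying on the pattern.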

Purpose limitation (GDPR Article 5(1)(b))

The privacy plugin is half the GDPR story. The other half is purpose limitation — what the agent can do with the data once decoded. Purpose limitation is enforced by the policy plugin, which reads the purpose claim on the calling Principal and denies tool calls whose declared purpose doesn’t match the agent’s registered purpose.

The two plugins together provide the round-trip: data-minimisation inbound (privacy), purpose-binding on use (policy).

Configuration

regulus:
  privacy:
    enabled: true
    redaction-policy: token-with-type   # alt: hash, drop, full-mask
    jurisdiction: uk
    patterns-from-profile: true         # uses active profile's catalogue

Regulations this plugin emits evidence for
