Free · Apache-2.0 · Local-only · Audit-ready

@veladon/mcp-pii-redactor

Drop-in MCP server that redacts PII, PHI, credentials, credit cards, and SSNs before they leave your AI agent. Runs in Claude Code, Cursor, Continue, or any MCP-compatible client.

Deterministic. Local. Auditable. Apache-2.0. Zero network calls in the free tier — you can test-drive the same 16 rules in your browser without installing anything.

Try in browser →View on npm →GitHub →

Install

Recommended one-liner — downloads the v0.1.0 tarball, verifies the SHA-256 against the hardcoded expected hash, then runs npm install -g:

curl -sSf https://veladon.grindworks.ai/install.sh | sh

The checksum verification happens before any code executes — the script refuses to run on tarball tampering. Read the script first if you want: /install.sh.

Or install directly from the tarball URL:

# Global install from tarball (16 KB)
npm install -g https://veladon.grindworks.ai/veladon-mcp-pii-redactor-0.1.0.tgz

# Or run ephemerally (recommended inside MCP config)
npx -y https://veladon.grindworks.ai/veladon-mcp-pii-redactor-0.1.0.tgz

# Shortly (once the npm registry name is claimed):
npm install -g @veladon/mcp-pii-redactor

Node 20+ required. Package ships as pure JavaScript (no native dependencies). Built tarball is ~16 KB.

Checksum: sha256:3470a7c27650d9233f00245fd9da09d20665094659edfc63ba30199cb72c6f3b. Verify before installing in a regulated environment: curl -sSf https://veladon.grindworks.ai/veladon-mcp-pii-redactor-0.1.0.tgz | shasum -a 256

Wire into Claude Code

Add to ~/.claude/config.json (global) or .claude/mcp.json (project):

{
  "mcpServers": {
    "veladon-redactor": {
      "command": "npx",
      "args": ["-y", "https://veladon.grindworks.ai/veladon-mcp-pii-redactor-0.1.0.tgz"]
    }
  }
}

Restart Claude Code. The redact_prompt tool will appear in the tool list.

Wire into Cursor

Add to ~/.cursor/mcp.json:

{
  "mcpServers": {
    "veladon-redactor": {
      "command": "npx",
      "args": ["-y", "https://veladon.grindworks.ai/veladon-mcp-pii-redactor-0.1.0.tgz"]
    }
  }
}

Usage

Call redact_prompt(text) before sending user content to any public LLM. You get back the redacted text plus structured spans — never plaintext in the spans, only SHA-256 digests — and an audit log entry is appended to ~/.veladon/audit.jsonl.

// Example agent workflow (pseudocode)
const userPrompt = getUserInput();
const { redactedText, spans } = await mcp.call("redact_prompt", {
  text: userPrompt
});

// Forward the REDACTED text to your LLM
await llm.chat({ prompt: redactedText });

// spans[] contains {ruleId, category, matchDigest} — audit trail

Preview without logging

For UI surfaces that want to show a user what would be redacted before they confirm a send, use preview_redaction(text) — same output, no audit log write.

What it catches

16 built-in rules across 5 categories:

Credentials (high confidence)

  • AWS access keys + secrets (AKIA/ASIA prefixes)
  • OpenAI keys (sk-…)
  • Anthropic keys (sk-ant-…)
  • GitHub PATs (ghp_, gho_, ghu_, ghs_, ghr_)
  • Slack tokens (xoxb-, xoxp-, xoxr-, xoxs-, xoxa-)
  • JSON Web Tokens (eyJ…)
  • PEM private key blocks (RSA, EC, DSA, OPENSSH, ENCRYPTED)

Identity

  • Email addresses
  • US Social Security Numbers (with invalid-range exclusion)
  • US phone numbers (NANP)
  • IPv4 addresses

Financial

  • Credit cards (Visa / MC / Amex / Discover / JCB BIN prefixes)
  • IBAN numbers

Health

  • US Medical Record Number patterns
  • ICD-10 codes (opt-in; off by default)

Location

  • US ZIP+4

Call list_rules() to see exact regex, replacement tokens, category, and confidence for every rule.

Audit log format

Every redact_prompt call appends one JSONL line to ~/.veladon/audit.jsonl:

{"ts":"2026-04-17T09:45:12.345Z","session_id":"a1b2c3d4e5f60708",
 "event":"redact_prompt","input_len":412,"output_len":388,
 "input_digest":"8f2a7c1e9b4d5a62",
 "spans":[{"ruleId":"pii.email","category":"identity",
           "matchDigest":"d7a4f1e09c6b3520"}]}

No plaintext is ever logged. Only lengths and SHA-256 digests (truncated to 16 hex chars). This is intentional: the audit log must not become a new liability for the CISO.

EU AI Act Article 26(1) mapping

Article 26(1) requires “maintained records of AI system use.” This log satisfies that by proving (a) redaction ran on every prompt, (b) which rule fired, and (c) a tamper-evident digest of the original input — without retaining the original input. Rotate on your own schedule; ship to SIEM if required.

ISO 42001 A.6.2.3 mapping

“AI Data Handling” maps directly. Redaction is the handling; the log is evidence. Point your ISO 42001 auditor at ~/.veladon/audit.jsonl.

NIST AI RMF MAP-4.1

MAP-4.1 requires “approaches to enhance data privacy and minimize impacts on individuals are documented.” The rules themselves (readable in src/rules.ts) are the documentation.

Environment variables

VarDefaultPurpose
VELADON_LOG_DIR~/.veladon/Directory where the audit log is written
VELADON_LOG_PATH{LOG_DIR}/audit.jsonlFull audit log path override
VELADON_RULES(unset)Path to custom rules JSON — v0.2 roadmap

What this MCP server does NOT do

Clear-eyed scope statement for v0.1:

  • No browser-side enforcement. If a user pastes PII directly into chat.openai.com, this server doesn’t see it. For browser coverage, see the paid product.
  • No ML classifier. Built-in rules are regex only. Custom classifiers are in the paid product roadmap.
  • No centralized admin console. The audit log lives on each user’s disk. For fleet-wide rollout, see the paid product.
  • No guaranteed zero false positives. Regex is best-effort. Test before trusting. Contribute improvements via GitHub PR.

Upgrade to the hosted product

The open-source MCP server is the start. When you need:

  • Browser-side enforcement across chat.openai.com, claude.ai, and gemini.google.com
  • 500+ rules across 15 industry-specific packs (healthcare, financial services, defense, legal, education)
  • Fleet-wide deployment via Intune / Jamf / Chrome Enterprise managed policy
  • One-click evidence export wizard for EU AI Act Article 26, ISO 42001, NIST AI RMF, SOC 2, HIPAA, PCI-DSS audits
  • Admin console with policy-level rules and exceptions
  • ML-classifier tier for content that doesn’t match a deterministic regex (e.g., customer-identifiable internal project codenames)

Join the design-partner waitlist. Reply with “veladon-mcp user” to seungdo@grindworks.ai for a 15-min design-partner conversation this week.