Demonstrates AxonFlow's built-in PII (Personally Identifiable Information) detection capabilities.
AxonFlow detects and redacts requests containing sensitive PII patterns (Issue #891: tiered defaults):
| PII Type | Pattern | Region |
|---|---|---|
| SSN | 123-45-6789 |
US |
| Credit Card | 4111-1111-1111-1111 |
Global |
| PAN | ABCDE1234F |
India |
| Aadhaar | 1234 5678 9012 |
India |
[email protected] |
Global | |
| Phone | +1-555-123-4567 |
Global |
# Start AxonFlow
cd /path/to/axonflow
docker compose up -d
# Verify it's running
curl http://localhost:8080/healthcd go
go run main.gocd python
pip install -r requirements.txt
python main.pycd typescript
npm install
npx ts-node index.tscd java
mvn compile exec:javacd http
# Basic PII detection (default redact mode)
./pii-detection.sh
# PII modes — tests request-side + response-side detection with assertions
./pii-modes.shEach example tests multiple PII patterns:
- Safe query (no PII) - APPROVED
- SSN pattern - REDACTED
- Credit card pattern - REDACTED
- India PAN - REDACTED
- India Aadhaar - REDACTED (with Verhoeff checksum validation)
Note: PII detection defaults to
redactmode. UsePII_ACTIONto control behavior:
| PII_ACTION | Request-side | Response-side | Audit |
|---|---|---|---|
block |
Rejected | Rejected | Yes |
redact (default) |
Approved* | Redacted | Yes |
warn |
Approved | Pass-through | Yes |
log |
Approved | Pass-through | Yes |
* Approved with requires_redaction=true flag.
To change: set PII_ACTION in docker-compose.yml and restart.
PII_ACTION=block docker compose up -d- Client sends query to AxonFlow
- Policy engine scans for PII patterns
- If PII detected, it is redacted before the request reaches the LLM
- Response indicates which PII type was detected and redacted
Tiered Detection (Issue #891): PII is redacted by default to preserve UX. SQLi and dangerous queries are still blocked (high-confidence threats).
PII detection is enabled by default via system policies:
pii_ssn_detectionpii_credit_card_detectionpii_pan_detectionpii_aadhaar_detectionpii_email_detectionpii_phone_detection
To customize, create tenant-level policy overrides.
PII detection behavior is controlled via environment variables:
| Variable | Default | Description |
|---|---|---|
PII_ACTION |
redact |
Controls PII detection action for all modes |
GATEWAY_PII_ACTION |
(inherits PII_ACTION) |
Override for gateway mode only |
Supported values:
| Value | Behavior |
|---|---|
redact |
(Default) PII is detected and flagged for downstream redaction. Requests are approved with requires_redaction=true. |
block |
PII is detected and the request is blocked. Requests are rejected with a block reason. |
log |
PII is detected and logged but passes through unmodified. No blocking or redaction. |
Example:
# Block all requests containing PII
PII_ACTION=block go run main.go
# Log PII but allow requests through
PII_ACTION=log python main.pyEach SDK example includes conditional tests that adapt to the configured PII_ACTION value.
- Policies Example - Create custom policies
- Code Governance - Detect secrets in code
- Gateway Mode - Full LLM integration