Log Purifier

Open a log file or drag & drop here streams up to ~2 GB · zero upload

What gets redacted?

Works across plain text, log files, stack traces, Markdown, JSON, CSV, YAML, transcripts, and email threads — the pipeline is format-agnostic.

🔑 Secrets & API tokens

• JWTs (eyJ…)
• AWS access keys (AKIA / ASIA / AGPA…)
• AWS secret access keys
• GitHub PATs (ghp_/gho_/ghs_…)
• Slack tokens (xoxb/xoxp…)
• OpenAI / Anthropic keys (sk-…)
• Google API keys (AIza…)
• Stripe keys (sk_live_/pk_test_…)
• Authorization: Bearer … headers
• Authorization: Basic … headers
• URLs with embedded credentials
• PEM private keys (RSA / EC / OpenSSH / PGP)
• Generic password/api_key/secret = "…"

🪪 Government / Identity

• US SSN (XXX-XX-XXXX)
• Driver license numbers
• Passport numbers
• Tax ID / EIN / National Insurance
• Date of birth
• Medical record numbers (MRN)
• Insurance / member IDs

💳 Financial

• Credit card numbers (Luhn-validated)
• CVV / CVC security codes
• Card expiration dates
• Bank routing numbers (ABA)
• Bank account numbers
• SWIFT / BIC codes

📞 Contact & device

• Email addresses (replaced with stable hash)
• Phone numbers
• Street addresses (street / ave / blvd …)
• City, State ZIP
• Public IPv4 (private ranges preserved)
• MAC addresses
• IMEI & ICCID / SIM numbers
• UUIDs

👤 Labeled people / opaque IDs

• Labeled names (Customer Name:, Patient:, Agent:, JSON customer_name…)
• Usernames / logins
• Ticket / case / incident / employee / device / tracking IDs
• OTP codes, backup codes, recovery codes, session tokens

Optional AI pass: if your Chrome exposes the built-in LanguageModel / Rewriter APIs and the on-device model is already cached locally, a second pass tries to mask residual PII (free-text names, unusual addresses). The pass is refused if the browser would need to download the model — that would silently send bytes off your machine and break the zero-server guarantee. In every case the deterministic regex pipeline still runs and the status pill tells you exactly which engine (if any) ran.