Use case

PII in logs, sealed at write.

Declare the sensitive fields once. The agent catches anything you missed. The library wraps each one before it hits disk.

Declare it once

Sensitive fields are classified once in the project's configuration. Each classification names a field and the encryption group it belongs to.

Fields without an explicit classification fall under the project's default policy. A project that defaults to private treats unclassified fields as sealed until they receive an explicit group assignment.

The agent catches the rest

When new code is committed, the agent reviews log emission points for fields that may carry sensitive data. Anything that looks like PII and is not already classified is proposed for inclusion in a group.

The output is a configuration change. It arrives as a pull request and gets reviewed alongside the code that introduced the new fields.

Sealed before disk

When a log entry is written, the library encrypts each classified sensitive field to the recipients of its group. Encryption happens in the same process, before the entry is persisted.

The resulting record contains public fields in plaintext and sealed fields as JWE envelopes. Only the readers in a group can decrypt the fields assigned to that group.

Sealing keeps the value

Redaction removes the value. Sealing keeps it, readable by the parties you choose. The auditor reads it. Everyone else sees ciphertext.
