PII patterns

A PII pattern is a tenant-managed regex that extends Culprit's built-in PII detector. The default detector handles common identifiers (emails, IPs, AWS keys, JWTs, hostnames, credit cards, etc.); patterns let you add domain-specific identifiers — order numbers, customer IDs, internal serial formats — that you want tokenised before any event text reaches storage, logs, notifications, or LLM prompts.

Patterns must compile under RE2

Patterns are run by a re2js engine in the ingest pipeline (no ReDoS risk by construction). Submitting a regex that doesn't parse as RE2 — typically backreferences, lookaround, or non-RE2 character classes — fails the POST / PATCH with pattern_invalid and the pattern is never persisted. The compile gate runs server-side, before the database write, so a raw API caller (curl, Terraform) gets the same validation as the dashboard.

Failure tracking and circuit-breaker

The pipeline records a failure if a pattern raises at runtime. After 3 failures within a 5-minute window a pattern is auto-disabled (disabled_reason: "circuit_breaker") so a misbehaving regex can't keep poisoning the pipeline. Re-enable by PATCH-ing is_active: true once you've fixed the pattern.
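The compile gate and the 3-failures-in-5-minutes breaker described above, as an added example that is not Culprit's own code: re2js is assumed unavailable, so a native RegExp plus a lookaround/backreference check stands in for the RE2 parser, and the in-memory pattern record (name, is_active, disabled_reason, failures) is a hypothetical shape, not the product's schema.

```javascript
const FAILURE_LIMIT = 3;          // failures that trip the breaker
const WINDOW_MS = 5 * 60 * 1000;  // sliding window of 5 minutes
// Stand-in for the re2js compile gate (an assumption, not Culprit's code):
// RE2 has no lookaround or backreferences, so those fail as pattern_invalid.
function compileRe2(source) {
  if (/\(\?<?[=!]/.test(source) || /\\[1-9]/.test(source)) {
    throw new Error("pattern_invalid");
  }
  try {
    return new RegExp(source, "g");
  } catch {
    throw new Error("pattern_invalid");
  }
}

// Hypothetical pattern record mirroring the page's is_active / disabled_reason.
function createPattern(name, source) {
  const re = compileRe2(source); // rejected here, before any DB write
  return { name, re, is_active: true, disabled_reason: null, failures: [] };
}

// Record one runtime failure; auto-disable after FAILURE_LIMIT within WINDOW_MS.
function recordFailure(pattern, now) {
  pattern.failures = pattern.failures.filter((t) => now - t < WINDOW_MS);
  pattern.failures.push(now);
  if (pattern.failures.length >= FAILURE_LIMIT) {
    pattern.is_active = false;
    pattern.disabled_reason = "circuit_breaker";
  }
  return pattern.is_active;
}

// Operator fix: PATCH is_active: true together with the corrected regex.
function reenable(pattern, source) {
  pattern.re = compileRe2(source);
  Object.assign(pattern, { is_active: true, disabled_reason: null, failures: [] });
}
// Tokenise with every active pattern; a throwing pattern hits its breaker, not the event.
function tokenise(text, patterns, now = Date.now()) {
  for (const p of patterns) {
    if (!p.is_active) continue;
    try {
      text = text.replace(p.re, `[${p.name}]`);
    } catch {
      recordFailure(p, now);
    }
  }
  return text;
}
```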

Notes

  • The pipeline caches the active pattern set with a 60-second TTL — expect new and updated patterns to take effect within a minute.
  • Patterns are tenant-scoped; there is no global registry.
  • Capability-gated to owner/admin.

Endpoints