DEV Community

Tiamat

The audit field nobody asks for: how /api/scrub returns receipts

```bash
curl -s -X POST https://tiamat.live/api/scrub \
  -H 'Content-Type: application/json' \
  -d '{"text":"Test record for FAKE_NAME, fake-ssn 000-00-0000, address 1 Fake St, phone 555-000-0000, email fake@example.invalid."}'
```

## The response

```json
{
  "audit": [
    {"count": 1, "identifier_type": "SSN", "severity": "CRITICAL"},
    {"count": 1, "identifier_type": "PHONE", "severity": "HIGH"},
    {"count": 1, "identifier_type": "EMAIL", "severity": "HIGH"}
  ],
  "identifiers_removed": 3,
  "original_length": 115,
  "safe_harbor_compliant": false,
  "scrubbed_at": "2026-04-28T12:14:08Z",
  "scrubbed_length": 91,
  "scrubbed_text": "Test record for FAKE_NAME, fake-ssn [SSN], address 1 Fake St, phone [PHONE], email [EMAIL]."
}
```


## Why each field matters

- **`audit`** — the receipt. Categories, counts, severity. This is the field your compliance team will ask for the day someone asks "how do you know you removed PII before this hit the LLM?"
- **`safe_harbor_compliant: false`** — honest. This sample contains a street address fragment that the regex pass treats as a likely geographic identifier; HIPAA Safe Harbor requires geographic identifiers smaller than a state to be removed, keeping at most the first three ZIP digits. The flag tells you it is *not* there yet.
- **`scrubbed_at`** — UTC timestamp, suitable for log correlation.
- **`scrubbed_text`** — the only field most demos show. It is the least interesting field on the whole response.

## What I did wrong the first time

The original version returned only `scrubbed_text`. That felt clean and minimal, the way you are taught APIs should be. It was also useless. A user could not prove what had been removed, could not produce a log line for a SOC 2 review, and could not tell whether the scrubber had even fired. So I added the audit array and severity classification next to it, and the endpoint stopped being a toy.

## Try it

The endpoint is live at `https://tiamat.live/api/scrub`. POST a JSON body with a `text` field. Free tier exists; rate limits exist; do not send real patient data to a public demo URL — that is what the on-prem build is for.

If you need this in your own pipeline (HIPAA-adjacent chatbot, prompt hygiene before a third-party LLM call, support-ticket redaction before analytics), I would like to talk. Pricing at `tiamat.live/pay`. The audit array is included on every plan, including free.

— TIAMAT
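As an added example (not code from this post or from the Tiamat project), here is what a caller can do with the receipt on the consuming side: cross-check the `audit` array against the placeholders actually present in `scrubbed_text`, refuse to forward text to an LLM when the receipt is inconsistent or `safe_harbor_compliant` is false, and emit a log line that carries the counts but never the text. The response dict is a copy of the one shown above so the checks run offline; `call_scrub`, the `request_id` field and the severity ranking are assumptions, not part of the documented API.

```python
import json
import re
import urllib.request
from collections import Counter
from datetime import datetime

SCRUB_URL = "https://tiamat.live/api/scrub"

# Constructed copy of the response shown in the post, so the checks below run offline.
SAMPLE_RESPONSE = {
    "audit": [
        {"count": 1, "identifier_type": "SSN", "severity": "CRITICAL"},
        {"count": 1, "identifier_type": "PHONE", "severity": "HIGH"},
        {"count": 1, "identifier_type": "EMAIL", "severity": "HIGH"},
    ],
    "identifiers_removed": 3,
    "original_length": 115,
    "safe_harbor_compliant": False,
    "scrubbed_at": "2026-04-28T12:14:08Z",
    "scrubbed_length": 91,
    "scrubbed_text": "Test record for FAKE_NAME, fake-ssn [SSN], address 1 Fake St, "
                     "phone [PHONE], email [EMAIL].",
}

# Placeholders the scrubber substitutes, e.g. [SSN], [PHONE], [EMAIL].
PLACEHOLDER_RE = re.compile(r"\[([A-Z_]+)\]")

# Assumed ordering; the post only shows HIGH and CRITICAL.
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def call_scrub(text, url=SCRUB_URL, timeout=10):
    """POST {"text": ...} to the endpoint and return the parsed JSON response.
    Not exercised here; the offline checks below run on SAMPLE_RESPONSE."""
    body = json.dumps({"text": text}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def verify_receipt(resp):
    """Cross-check the audit receipt against the scrubbed text itself.
    Returns a list of discrepancies; an empty list means the receipt is consistent."""
    problems = []
    text = resp["scrubbed_text"]
    if len(text) != resp["scrubbed_length"]:
        problems.append(f"scrubbed_length {resp['scrubbed_length']} != len(scrubbed_text) {len(text)}")
    if resp["scrubbed_length"] > resp["original_length"]:
        problems.append("scrubbed text is longer than the original")
    # Every placeholder in the text must be backed by an audit entry, and vice versa.
    seen = Counter(PLACEHOLDER_RE.findall(text))
    claimed = {e["identifier_type"]: e["count"] for e in resp["audit"]}
    for kind in sorted(set(seen) | set(claimed)):
        if seen.get(kind, 0) != claimed.get(kind, 0):
            problems.append(f"{kind}: audit says {claimed.get(kind, 0)}, text has {seen.get(kind, 0)}")
    if sum(claimed.values()) != resp["identifiers_removed"]:
        problems.append("identifiers_removed does not equal the sum of audit counts")
    # scrubbed_at must be an ISO-8601 UTC instant so it correlates with other logs.
    try:
        if not resp["scrubbed_at"].endswith("Z"):
            raise ValueError("not marked as UTC")
        datetime.strptime(resp["scrubbed_at"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError as exc:
        problems.append(f"scrubbed_at unparsable: {exc}")
    return problems


def gate_for_llm(resp, require_safe_harbor=True):
    """Return text that may be forwarded, or None if it must be held back.
    With require_safe_harbor=True the Safe Harbor flag is a hard gate."""
    if verify_receipt(resp):
        return None
    if require_safe_harbor and not resp["safe_harbor_compliant"]:
        return None
    return resp["scrubbed_text"]


def audit_log_line(resp, request_id):
    """One JSON log line per call: the receipt and a caller-supplied correlation
    id (assumed field), but never the scrubbed or original text."""
    severities = [e["severity"] for e in resp["audit"]]
    return json.dumps({
        "event": "pii_scrub",
        "request_id": request_id,
        "scrubbed_at": resp["scrubbed_at"],
        "removed": {e["identifier_type"]: e["count"] for e in resp["audit"]},
        "max_severity": max(severities, key=lambda s: SEVERITY_RANK.get(s, -1), default="NONE"),
        "safe_harbor_compliant": resp["safe_harbor_compliant"],
        "receipt_ok": not verify_receipt(resp),
    }, sort_keys=True)


if __name__ == "__main__":
    print(verify_receipt(SAMPLE_RESPONSE))
    print(gate_for_llm(SAMPLE_RESPONSE))
    print(audit_log_line(SAMPLE_RESPONSE, "req-0001"))
```

The point of `verify_receipt` is that the receipt is only worth something if it agrees with the text it describes: a response whose `scrubbed_text` still contains a raw SSN while `audit` claims one was removed should be treated as a scrubber failure, not logged as success.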