Selective Redaction

Selective redaction allows you to produce an audit bundle with specific fields replaced by [REDACTED] markers — without modifying the original event log. The redacted bundle carries a redaction proof that cryptographically demonstrates which fields were removed and that the underlying event is otherwise unmodified.

Use cases:

  • Deliver an audit bundle to an external auditor that proves financial transactions occurred, without revealing patient names
  • Provide regulators with evidence of workflow execution, redacting third-party credentials embedded in tool call payloads
  • Share a support bundle with Cosmictron support without exposing customer data

cosmictron-cli audit export \
    --from 2026-01-01 --to 2026-01-31 \
    --redact "patient_records.name,patient_records.ssn,tool_calls.arguments" \
    --output audit-jan-2026-redacted.bundle

The --redact flag accepts a comma-separated list of table.field paths.

Each redacted field is replaced with a Merkle proof stub:

{
  "field": "patient_records.name",
  "value": "[REDACTED]",
  "redaction_proof": {
    "field_hash": "sha256:a3f2...",
    "merkle_path": ["b1c3...", "d4e5...", "..."],
    "redacted_at": "2026-04-01T12:00:00Z",
    "redaction_signature": "ed25519:9f8a..."
  }
}

The proof allows a verifier to confirm:

  1. A value existed in this field (via the field hash)
  2. The event is otherwise unmodified (via the Merkle path to the event root hash)
  3. The redaction was authorized (via the redaction signature from the exporting node’s key)

cosmictron-cli audit verify-bundle audit-jan-2026-redacted.bundle

The verifier treats redacted fields as valid as long as the redaction proof verifies. Output:

✓ Hash chain integrity (12,847 events)
✓ Ed25519 signatures (12,847/12,847 valid)
✓ 847 fields redacted with valid proofs
✓ RFC 3161 timestamps (12,847/12,847 valid)
Result: PASS (with 847 authorized redactions)
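
The field-hash and Merkle-path checks from the proof list above, as an added Python sketch; it is not Cosmictron's code or bundle format. The leaf encoding, per-field salts, padding rule, sorted leaf order and the "index" key are assumptions made for illustration, hashes are bare hex without the "sha256:" prefix, and the Ed25519 signature check is left out.

```python
import hashlib, hmac, os

def h(tag, *parts):
    # Domain-separated SHA-256: tag 0x00 for leaves, 0x01 for inner nodes.
    return hashlib.sha256(tag + b"".join(parts)).digest()

def leaf(path, salt, value):
    # Per-field random salt (assumption): a bare hash of a low-entropy value
    # such as an SSN could be confirmed by hashing guesses.
    return h(b"\x00", path.encode(), b"\x00", salt, value.encode())

def build_levels(leaves):
    # Pad to a power of two with a fixed empty leaf, then hash pairs up to the root.
    size = 1
    while size < len(leaves):
        size *= 2
    level = leaves + [h(b"\x00")] * (size - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [h(b"\x01", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def redact(event, salts, path):
    """Exporter side: build the stub for one field and return it with the event root."""
    paths = sorted(event)  # fixed leaf order (assumption)
    levels = build_levels([leaf(p, salts[p], event[p]) for p in paths])
    idx = i = paths.index(path)
    siblings = []
    for level in levels[:-1]:
        siblings.append(level[i ^ 1].hex())  # sibling of the current node
        i //= 2
    stub = {"field": path, "value": "[REDACTED]", "index": idx,  # "index" is hypothetical
            "redaction_proof": {"field_hash": levels[0][idx].hex(), "merkle_path": siblings}}
    return stub, levels[-1][0]

def verify_stub(stub, event_root):
    """Verifier side: fold the field hash up the path and compare with the event root."""
    proof, i = stub["redaction_proof"], stub["index"]
    node = bytes.fromhex(proof["field_hash"])
    for sib in map(bytes.fromhex, proof["merkle_path"]):
        node = h(b"\x01", sib, node) if i & 1 else h(b"\x01", node, sib)
        i //= 2
    return hmac.compare_digest(node, event_root)

# Constructed sample event; all values are made up.
EVENT = {"patient_records.name": "Jane Example",
         "patient_records.ssn": "000-00-0000",
         "txn.amount": "125.00"}
SALTS = {p: os.urandom(16) for p in EVENT}

if __name__ == "__main__":
    stub, root = redact(EVENT, SALTS, "patient_records.ssn")
    print(stub["value"], "proof ok:", verify_stub(stub, root))
```

The stub verifies only against the root of the event it was cut from: changing any other field changes the root, and the same stub then fails.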

Define standing redaction policies to automatically apply when exporting:

[compliance.redaction_policy.external_auditor]
redact = [
    "patient_records.name",
    "patient_records.ssn",
    "patient_records.date_of_birth",
    "tool_calls.arguments",
]

[compliance.redaction_policy.regulator]
redact = [
    "patient_records.ssn",  # Redact SSN only
]

Apply a named policy:

cosmictron-cli audit export \
    --from 2026-01-01 \
    --policy external_auditor \
    --output audit-redacted.bundle