pi-privacy-filter

A pi extension that runs every prompt through a local privacy classifier (openai/privacy-filter via @huggingface/transformers) before it is sent to the LLM, and transparently restores the original values in the LLM's response.

user input ──► [redact] ──► LLM
                  │
                  └── placeholder→original mapping (in memory)

LLM response ──► [unredact via mapping] ──► you see the real values

Example:

• you type: My AWS account number is 22922829292
• LLM sees: My AWS account number is [ACCOUNT_NUMBER_1]
• you see: ... My AWS account number is 22922829292 ... (assistant's reply, restored)

The mapping lives in memory for the session only — nothing is written to disk by this extension. Your original message is still stored in the session file (since that's where pi keeps it); only the bytes leaving for the model are redacted.

How it works

• Hooks the context event to mutate the deep-cloned messages pi is about to send to the model. User messages and tool results have their text run through the classifier; matched spans are replaced with stable placeholders like [ACCOUNT_NUMBER_1].
• Hooks the message_end event to swap any placeholders back to their original values in the assistant's finalized message before pi displays / persists it.
• Identical values reuse the same placeholder for the whole session.

Install

cd pi-privacy-filter
npm install   # or: bun install

Then wire it into pi using any one of:

Quick test

pi -e ./index.ts

Project-local

mkdir -p .pi/extensions
ln -s "$PWD" .pi/extensions/pi-privacy-filter

Global

mkdir -p ~/.pi/agent/extensions
ln -s "$PWD" ~/.pi/agent/extensions/pi-privacy-filter

Or via pi settings (~/.pi/settings.json)

{
  "extensions": ["/absolute/path/to/pi-privacy-filter"]
}

Commands

• /privacy-mapping — dump the current placeholder→value mapping (handy for debugging).

Files

• index.ts — the extension
• sample.ts — original standalone POC (bun run sample.ts)