> ## Documentation Index
> Fetch the complete documentation index at: https://docs.entire.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Privacy and Redaction

> Configure redaction, telemetry, and checkpoint commit signing.

Use this page to configure privacy-related behavior for a repository or for your local machine.

By default, Entire redacts common secrets such as API keys, access tokens, credentialed URLs, database connection strings, and private keys before checkpoint metadata is stored.

For the full data storage and security model, see [Security & Privacy](/security).

## Start here if

Use this page to:

* add PII or custom redaction rules
* opt in or out of anonymous CLI analytics
* change checkpoint commit signing

## PII redaction

PII redaction is disabled by default. Enable it when checkpoint metadata may include personal information such as email addresses, phone numbers, or addresses.

<Tabs>
  <Tab title="Project settings">
    Use project settings when PII redaction should apply to everyone working in the repository.

    ```json .entire/settings.json theme={null}
    {
      "redaction": {
        "pii": {
          "enabled": true,
          "email": true,
          "phone": true,
          "address": false
        }
      }
    }
    ```
  </Tab>

  <Tab title="Local settings">
    Use local settings when PII redaction should apply only to your machine.

    ```json .entire/settings.local.json theme={null}
    {
      "redaction": {
        "pii": {
          "enabled": true
        }
      }
    }
    ```
  </Tab>
</Tabs>

See [PII redaction](/security#pii-redaction-optional) for categories, defaults, and limitations.

## User-defined redaction

User-defined redaction lets you redact project-specific strings that Entire's built-in secret detection may not catch.

<Tabs>
  <Tab title="Inline rules">
    Use inline rules for a small number of patterns.

    ```json .entire/settings.json theme={null}
    {
      "redaction": {
        "custom_redactions": {
          "acme_token": "ACME_TOKEN_[A-Za-z0-9]{20,}",
          "internal_id": "INTERNAL_[a-z]{6}_[0-9]{4}"
        }
      }
    }
    ```

    Put shared rules in `.entire/settings.json`. Put private rules in `.entire/settings.local.json`.
  </Tab>

  <Tab title="Rule packs">
    Use rule packs for larger reusable sets of redaction rules.

    Shared rule packs go in `.entire/redactors/`. Personal rule packs go in `.entire/redactors/local/`.
  </Tab>
</Tabs>

See [User-defined redaction](/security#user-defined-redaction) for rule pack format, supported regex behavior, and validation details.

## Telemetry

Telemetry controls anonymous CLI usage analytics. It does not send prompts, transcripts, source code, file paths, repository names, or flag values.

<Tabs>
  <Tab title="Settings file">
    To opt out in this repository, set:

    ```json .entire/settings.json theme={null}
    {
      "telemetry": false
    }
    ```

    Use `.entire/settings.local.json` instead when the telemetry preference should apply only to your machine.
  </Tab>

  <Tab title="Environment variable">
    To opt out for a single command or shell environment, set:

    ```bash theme={null}
    ENTIRE_TELEMETRY_OPTOUT=1 entire status
    ```
  </Tab>
</Tabs>

See [Telemetry and analytics](/security#telemetry-and-analytics) for what is and is not captured.

## Checkpoint commit signing

Checkpoint commits are signed by default when your Git signing setup is available.

To disable signing for the repository, set:

```json .entire/settings.json theme={null}
{
  "sign_checkpoint_commits": false
}
```

Use `.entire/settings.local.json` instead when the signing preference should apply only to your machine.

See [Checkpoint commit signing](/security#checkpoint-commit-signing) for requirements and best-effort behavior.

## Verify privacy settings

After changing privacy settings, run:

```bash theme={null}
entire status --detailed
```

For redaction changes, run a normal Entire workflow after updating settings. Invalid regexes or malformed rule packs are skipped and written to the logs instead of stopping the CLI.
