| title | Ocultar PII Refinery Extension |
|---|---|
| description | Add zero-egress PII detection and redaction to your goose workflows |
| unlisted | true |
import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; import GooseDesktopInstaller from '@site/src/components/GooseDesktopInstaller';
This tutorial will get you started with the Ocultar PII Refinery as a goose extension. Ocultar detects and tokenizes personally identifiable information — names, emails, IBANs, phone numbers, addresses and more — in-place before any text reaches an upstream API. No raw PII ever leaves your infrastructure.
:::info Prerequisites
You need a running Ocultar instance before using this extension. The fastest way:

```sh
docker compose -f docker-compose.community.yml up
```

See the Ocultar repository for full setup instructions.
:::
:::tip Quick Install
Launch the installer

Command

```sh
uvx ocultar-goose-mcp
```
:::

:::info
You need uv installed on your system to run this command, as it uses uvx.
:::
- Choose to add a `Command-line Extension`

```sh
┌ goose-configure
│
◇ What would you like to configure?
│ Add Extension (Connect to a new extension)
│
◆ What type of extension would you like to add?
│ ○ Built-in Extension
// highlight-start
│ ● Command-line Extension (Run a local command or script)
// highlight-end
│ ○ Remote Extension (Streamable HTTP)
└
```

- Give your extension a name

```sh
┌ goose-configure
│
// highlight-start
◆ What would you like to call this extension?
│ ocultar-pii
// highlight-end
└
```

- Enter the command

```sh
┌ goose-configure
│
// highlight-start
◆ What command should be run?
│ uvx ocultar-goose-mcp
// highlight-end
└
```

- Set the timeout (default 300s is fine)

```sh
┌ goose-configure
│
// highlight-start
◆ Please set the timeout for this tool (in secs):
│ 300
// highlight-end
└
```

- Add environment variables if your Ocultar instance is not on `localhost:8080`

```sh
┌ goose-configure
│
// highlight-start
◆ Would you like to add environment variables?
│ Yes
│
◇ Environment variable name:
│ OCULTAR_URL
│
◇ Environment variable value:
│ http://localhost:8080
│
◇ Add another environment variable?
│ No
// highlight-end
└ Added ocultar-pii extension
```

The Ocultar PII Refinery extension exposes a single `refine_text` tool. goose calls it automatically when you ask it to sanitize or redact content before sending it anywhere sensitive.
```
( O)> I need to send this support ticket to our AI summarizer, but it contains customer PII.
Redact it first: "Hi, I'm Jean-Pierre Dumont, my email is jp.dumont@societe-generale.fr
and my IBAN is FR76 3000 6000 0112 3456 7890 189. I have a billing issue."
```

I'll redact the PII from that ticket before it goes anywhere.

```
refine_text
input: "Hi, I'm Jean-Pierre Dumont, my email is jp.dumont@societe-generale.fr
and my IBAN is FR76 3000 6000 0112 3456 7890 189. I have a billing issue."
```

Redacted result:

```
"Hi, I'm [PERSON_181bc039], my email is [EMAIL_b227fb2b] and my IBAN is
[IBAN_72eb0d24]. I have a billing issue."
```

3 PII tokens detected and replaced:

- PERSON_181bc039 → name
- EMAIL_b227fb2b → email address
- IBAN_72eb0d24 → French IBAN

The sanitized text is safe to forward. Tokens are stored encrypted in your
local Ocultar vault and can be re-hydrated by authorized callers only.

Ocultar's community tier runs five detection layers with no external API calls:
| Layer | What it catches |
|---|---|
| Dictionary shield | Named entities from your protected list |
| Pattern + entropy | High-entropy strings, secrets, tokens |
| Regex rules | Email, SSN, phone, credit card, IBAN, passport |
| Phone validator | International numbers via libphonenumber |
| Address heuristics | Street addresses across formats |
Enterprise tier adds a Tier 2 AI scanner (local SLM) for contextual name and entity detection.
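
To make the "Regex rules" layer and the `[TYPE_xxxxxxxx]` token format concrete, here is an added sketch (not Ocultar's code) that tokenizes emails and checksum-valid IBANs in the sample ticket and re-hydrates them from a local mapping. The HMAC-based token derivation, the plain-dict vault and `DEMO_KEY` are assumptions made for illustration; names are left untouched because this sketch has no dictionary or AI layer.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption); a real deployment would use a managed secret.
DEMO_KEY = b"constructed-demo-key"
# Sample ticket text taken from the example session on this page.
TICKET = ("Hi, I'm Jean-Pierre Dumont, my email is jp.dumont@societe-generale.fr "
          "and my IBAN is FR76 3000 6000 0112 3456 7890 189. I have a billing issue.")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# IBAN candidate: country code, two check digits, then optionally spaced groups.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def iban_is_valid(candidate: str) -> bool:
    """Mod-97 check: move the first 4 chars to the end, map A=10..Z=35."""
    compact = candidate.replace(" ", "")
    rearranged = compact[4:] + compact[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1

def make_token(kind: str, value: str, key: bytes = DEMO_KEY) -> str:
    """Keyed, deterministic token (assumed scheme): same value gives same token."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"[{kind}_{digest[:8]}]"

def refine(text: str, vault: dict) -> str:
    """Replace emails and valid IBANs with tokens; record originals in vault."""
    def swap(kind, validator=None):
        def _sub(match):
            value = match.group(0)
            if validator and not validator(value):
                return value  # checksum failed: treat as a false positive
            token = make_token(kind, value.replace(" ", ""))
            vault[token] = value
            return token
        return _sub
    text = EMAIL_RE.sub(swap("EMAIL"), text)
    return IBAN_RE.sub(swap("IBAN", iban_is_valid), text)

def rehydrate(text: str, vault: dict) -> str:
    """Restore originals; only a caller holding the vault can do this."""
    for token, value in vault.items():
        text = text.replace(token, value)
    return text

if __name__ == "__main__":
    demo_vault = {}
    print(refine(TICKET, demo_vault))
```

Validating the IBAN checksum before tokenizing keeps random alphanumeric runs from being redacted as account numbers, and the keyed digest means the token suffix cannot be recomputed from a guessed value without the key.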