The query language for PII operations

PhiSQL

Q: "Is PhiSQL stable?"

"Not yet. v0.1 is a public draft: the grammar and semantics may change before a 1.0 release. The redaction subset works today through the Java reference implementation, but pin a version if you depend on it."

Q: "Does PhiSQL replace Phileas JSON policies?"

"No. PhiSQL is a convenience authoring layer that compiles to the same JSON. The JSON schema remains the canonical execution contract, and you can keep hand-writing JSON wherever you prefer."

Q: "What can PhiSQL express today?"

"The redaction subset: \u003ccode\u003ePOLICY\u003c/code\u003e declarations, \u003ccode\u003eREDACT\u003c/code\u003e and \u003ccode\u003eDEIDENTIFY\u003c/code\u003e statements across entity types and strategies, \u003ccode\u003eWHERE\u003c/code\u003e predicates such as confidence thresholds, and \u003ccode\u003eIGNORE\u003c/code\u003e clauses for allowlisted terms and patterns."

Q: "How do I run the compiler?"

"Clone the repository, then run \u003ccode\u003emvn verify\u003c/code\u003e in the \u003ccode\u003ereference/\u003c/code\u003e directory, or add \u003ccode\u003eai.philterd:phisql\u003c/code\u003e as a Maven dependency. The compiler turns a \u003ccode\u003e.phisql\u003c/code\u003e file into a Phileas JSON policy."

Q: "How does PhiSQL relate to the Redaction Policy Editor?"

"They solve the same problem from two directions. The \u003ca href=\"/redaction-policy-editor/\"\u003eRedaction Policy Editor\u003c/a\u003e is a visual, no-code way to build policies; PhiSQL is a text-first, version-controllable way. Both produce standard Phileas JSON."

PhiSQL is a declarative query language for PII privacy operations across the Philterd toolkit. Write a few readable lines instead of hand-editing JSON, and PhiSQL compiles them to the same Phileas policy schema that Philter and Phileas already run. One language for redaction rules, version-controlled and reviewable like any other code.

Read the specification → View on GitHub

Star

Write the rule. PhiSQL compiles it to a Phileas policy.

-- Redact U.S. Social Security Numbers.
POLICY ssn_only;

REDACT SSN WITH MASK;

-- Compiles to a standard Phileas JSON policy.

GitHub → Read the specification →

Why PhiSQL

Readable by humans

REDACT SSN WITH MASK says exactly what it does. Policies become something a compliance reviewer can read in a pull request, not a wall of nested JSON.

One language across the toolkit

The same policy drives detection and redaction in Philter and Phileas. Author once in PhiSQL; run everywhere the JSON policy runs.

Maps to regulations

Express HIPAA Safe Harbor, PCI DSS scope reduction, or court-filing redaction as a short, auditable policy. The shipped examples mirror the rules auditors cite.

Version-controlled and reviewable

.phisql files diff cleanly in Git. Policy changes go through the same review and CI pipeline as the rest of your code.

No new runtime

PhiSQL compiles to the Phileas JSON your stack already executes. Adopt it for authoring without changing anything downstream.

Open and Apache-2.0

The specification, grammar, reference implementation, and examples are all open source under the permissive Apache 2.0 license.

A specification with a reference implementation

PhiSQL is defined as an open specification, with a Java reference implementation that proves it. Both live in one Apache-2.0 repository.

The specification

Versioned under spec/v0.1/: an ANTLR4 grammar and EBNF, a catalog of entity types, strategies, keywords, and predicates, plus worked examples that pair each .phisql file with the JSON it compiles to.

The reference implementation

A Java parser and compiler published to Maven as ai.philterd:phisql. Build it with mvn verify in the reference/ directory, or pull it in as a dependency.

Phileas JSON leads, PhiSQL follows

PhiSQL never adds capabilities the JSON schema does not already have. Anything you express in PhiSQL maps cleanly to a Phileas policy, so there is no lock-in and no second source of truth.

How PhiSQL works

PhiSQL is an authoring layer, not a new runtime. Your .phisql source compiles to a standard Phileas JSON policy, which Philter, Phileas, and the rest of the toolkit already execute. The JSON schema stays the source of truth: Phileas JSON leads, PhiSQL follows.

PhiSQL source

a .phisql file

PhiSQL compiler ai.philterd:phisql

Parse ANTLR4 grammar (PhiSQL.g4) · POLICY, REDACT, DEIDENTIFY, and IGNORE statements · comments and named arguments
Validate entity-type catalog · strategy catalog · WHERE predicates such as CONFIDENCE thresholds · IGNORE terms and patterns
Emit canonical Phileas JSON policy · one-to-one with hand-written JSON · no proprietary extensions

Phileas JSON policy

run by Philter, Phileas, and the toolkit

Example queries

PhiSQL v0.1 covers the redaction subset: REDACT, DEIDENTIFY, and IGNORE. Each query below is a complete, working policy drawn from the specification's worked examples.

Every example compiles to a standard Phileas JSON policy. The same rules you would otherwise hand-write in JSON, expressed in a few readable lines.

-- Minimal example: redact U.S. Social Security Numbers.
POLICY ssn_only;

REDACT SSN WITH MASK;

-- HIPAA Safe Harbor de-identification (45 CFR 164.514(b)(2)).
POLICY hipaa_safe_harbor
  DESCRIPTION 'HIPAA Safe Harbor de-identification.';

DEIDENTIFY
  PHYSICIAN_NAME  AS RANDOM_REPLACE,
  HOSPITAL        AS RANDOM_REPLACE,
  DATE            AS TRUNCATE,
  AGE             AS REDACT,
  SSN             AS REDACT,
  PHONE_NUMBER    AS REDACT,
  EMAIL_ADDRESS   AS REDACT,
  STREET_ADDRESS  AS REDACT,
  CITY            AS REDACT,
  STATE           AS REDACT,
  ZIP_CODE        AS REDACT;

-- PCI DSS v4.0 Req 3.2-3.4: PAN to last 4 only.
-- A WHERE predicate gates the rule on detection confidence.
POLICY pci_dss_scope_reduction
  DESCRIPTION 'PCI DSS v4.0 scope reduction.';

REDACT CREDIT_CARD WITH LAST_4 WHERE CONFIDENCE > 0.85;

-- Customer support tickets, with an allowlist for company names.
POLICY support_tickets
  DESCRIPTION 'Customer support ticket redaction with allowlist.';

REDACT FIRST_NAME, SURNAME WITH STATIC_REPLACE(value='Customer', scope=document);
REDACT EMAIL_ADDRESS WITH MASK;
REDACT PHONE_NUMBER WITH MASK;

IGNORE TERMS ('Acme', 'AcmeCorp') FOR FIRST_NAME;
IGNORE TERMS ('Corp', 'Support', 'Engineering') FOR SURNAME;

-- Format-preserving encryption keeps the surface format of an
-- identifier while making the value cryptographically opaque.
POLICY fpe_ssn;

REDACT SSN WITH FPE_ENCRYPT;

On the roadmap

The v0.1 draft is focused on redaction. Later versions extend the same language to the rest of the toolkit: discovery, monitoring, and benchmarking. The syntax below illustrates the direction and is not yet implemented.

-- Discovery (planned): inventory where PII lives.
FIND PII IN 's3://patient-records/' WHERE CONFIDENCE > 0.8;

-- Benchmarking (planned): score a policy on precision and recall.
BENCHMARK POLICY hipaa_safe_harbor AGAINST 'gold-standard/';

-- Monitoring (planned): alert on unexpected PII flow.
MONITOR PII ON 'kafka://topic/events' ALERT WHEN VOLUME > 1000;

Grammar and semantics for these statements are still being designed in the open. Follow the repository and its RFCs to weigh in.

Frequently asked questions

If something here isn’t covered, get in touch and we’ll answer.

Is PhiSQL stable?

Not yet. v0.1 is a public draft: the grammar and semantics may change before a 1.0 release. The redaction subset works today through the Java reference implementation, but pin a version if you depend on it.

Does PhiSQL replace Phileas JSON policies?

No. PhiSQL is a convenience authoring layer that compiles to the same JSON. The JSON schema remains the canonical execution contract, and you can keep hand-writing JSON wherever you prefer.

What can PhiSQL express today?

The redaction subset: POLICY declarations, REDACT and DEIDENTIFY statements across entity types and strategies, WHERE predicates such as confidence thresholds, and IGNORE clauses for allowlisted terms and patterns.

How do I run the compiler?

Clone the repository, then run mvn verify in the reference/ directory, or add ai.philterd:phisql as a Maven dependency. The compiler turns a .phisql file into a Phileas JSON policy.

How does PhiSQL relate to the Redaction Policy Editor?

They solve the same problem from two directions. The Redaction Policy Editor is a visual, no-code way to build policies; PhiSQL is a text-first, version-controllable way. Both produce standard Phileas JSON.

Ready to use PhiSQL?

Three ways to get going: deploy the open source yourself, spin it up from a cloud marketplace, or work with our team directly. Pick the path that fits.

See your options