Options
| Option | Default | Description |
|---|---|---|
driver | sqlite | Storage backend: sqlite or postgres |
database | ./data/pasteguard.db | SQLite database path (used when driver is sqlite) |
postgres_url | — | Postgres connection string (required when driver is postgres) |
retention_days | 30 | Days to keep logs. 0 = forever |
log_masked_content | true | Store request text in the dashboard after masking |
Database
Both backends share the same schema; the dashboard works identically on either. The schema is created and migrated automatically on startup.SQLite (default)
Postgres
Use Postgres for shared or higher-volume deployments:postgres_url is required when driver is postgres; startup fails with a clear error if it is
missing. The value supports environment-variable substitution, so you can keep credentials out of
the config file.
Existing SQLite databases are not migrated to Postgres automatically — switching driver starts
logging into the new backend. An existing SQLite database created by an older PasteGuard version is
upgraded in place the first time the new version starts.
Retention
Logs older thanretention_days are automatically deleted:
Content Logging
Masked Content
Stores a dashboard preview for text that PasteGuard scanned:scan_roles, after PII and secrets are replaced
with placeholders. System prompts, developer prompts, assistant messages, and agent context do not
appear in the preview.
No Content
Disable content logging:Security
- The dashboard preview stores only scanned spans (
scan_roles) after masking; other roles never appear. - With
secrets_detection.action: route_local, content is not logged when secrets are detected. - Secret logs store secret types only, never the raw secret value.
- Placeholders look like
[[EMAIL_ADDRESS_1]]or[[API_KEY_SK_1]].