@apart-tech/intelligence-core 1.0.6 → 1.1.0

package/dist/services/pii-encryption-service.js

@@ -0,0 +1,216 @@
+import { encryptAesGcm, decryptAesGcm } from "../lib/crypto.js";
+const PII_TOKEN_REGEX = /\[PII:(\w+):([A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+)\]/g;
+const MAX_METADATA_DEPTH = 5;
+export class PiiEncryptionService {
+    detector;
+    constructor(detector) {
+        this.detector = detector;
+    }
+    /**
+     * Process a text string: detect PII and optionally encrypt matches.
+     */
+    processText(text, options) {
+        const emptyReport = {
+            matchCount: 0,
+            encryptedCount: 0,
+            bypassedCount: 0,
+            types: [],
+            mode: options.mode,
+            bypassed: options.bypass ?? false,
+        };
+        if (options.mode === "disabled") {
+            return { text, report: emptyReport };
+        }
+        const detection = this.detector.detect(text);
+        if (!detection.hasPii) {
+            return { text, report: emptyReport };
+        }
+        const types = [...new Set(detection.matches.map((m) => m.type))];
+        const allowedTypes = new Set(options.allowedPiiTypes ?? []);
+        // Filter out matches whose type is explicitly allowed
+        const matchesToProcess = detection.matches.filter((m) => !allowedTypes.has(m.type));
+        const skippedCount = detection.matches.length - matchesToProcess.length;
+        if (options.mode === "detect-warn" || options.bypass || !options.orgKey) {
+            return {
+                text,
+                report: {
+                    matchCount: detection.matches.length,
+                    encryptedCount: 0,
+                    bypassedCount: detection.matches.length,
+                    types,
+                    mode: options.mode,
+                    bypassed: options.bypass ?? (options.mode === "detect-warn"),
+                },
+            };
+        }
+        // Mode is "encrypt" — replace PII matches with encrypted tokens
+        // Process matches in reverse order to preserve string offsets
+        let result = text;
+        let encryptedCount = 0;
+        const reversedMatches = [...matchesToProcess].reverse();
+        for (const match of reversedMatches) {
+            const encrypted = encryptAesGcm(match.value, options.orgKey);
+            const token = `[PII:${match.type}:${encrypted}]`;
+            result = result.slice(0, match.start) + token + result.slice(match.end);
+            encryptedCount++;
+        }
+        return {
+            text: result,
+            report: {
+                matchCount: detection.matches.length,
+                encryptedCount,
+                bypassedCount: skippedCount,
+                types,
+                mode: options.mode,
+                bypassed: false,
+            },
+        };
+    }
+    /**
+     * Process node fields (title, content, metadata) for PII.
+     */
+    processNodeFields(input, options) {
+        if (options.mode === "disabled") {
+            return {
+                ...input,
+                report: {
+                    matchCount: 0,
+                    encryptedCount: 0,
+                    bypassedCount: 0,
+                    types: [],
+                    mode: "disabled",
+                    bypassed: false,
+                },
+            };
+        }
+        const titleResult = this.processText(input.title, options);
+        const contentResult = this.processText(input.content, options);
+        let processedMetadata = input.metadata;
+        let metadataMatchCount = 0;
+        let metadataEncryptedCount = 0;
+        const metadataTypes = [];
+        if (input.metadata && options.mode === "encrypt" && !options.bypass && options.orgKey) {
+            const { result, matchCount, encryptedCount, types } = this.processMetadata(input.metadata, options, 0);
+            processedMetadata = result;
+            metadataMatchCount = matchCount;
+            metadataEncryptedCount = encryptedCount;
+            metadataTypes.push(...types);
+        }
+        const allTypes = [
+            ...new Set([
+                ...titleResult.report.types,
+                ...contentResult.report.types,
+                ...metadataTypes,
+            ]),
+        ];
+        return {
+            title: titleResult.text,
+            content: contentResult.text,
+            metadata: processedMetadata,
+            report: {
+                matchCount: titleResult.report.matchCount +
+                    contentResult.report.matchCount +
+                    metadataMatchCount,
+                encryptedCount: titleResult.report.encryptedCount +
+                    contentResult.report.encryptedCount +
+                    metadataEncryptedCount,
+                bypassedCount: titleResult.report.bypassedCount +
+                    contentResult.report.bypassedCount,
+                types: allTypes,
+                mode: options.mode,
+                bypassed: options.bypass ?? false,
+            },
+        };
+    }
+    /**
+     * Decrypt all PII tokens in a text string.
+     */
+    decryptText(text, orgKey) {
+        return text.replace(PII_TOKEN_REGEX, (_fullMatch, _type, encrypted) => {
+            try {
+                return decryptAesGcm(encrypted, orgKey);
+            }
+            catch {
+                // If decryption fails (wrong key, corrupted), leave token as-is
+                return _fullMatch;
+            }
+        });
+    }
+    /**
+     * Decrypt PII tokens in node fields.
+     */
+    decryptNodeFields(node, orgKey) {
+        return {
+            ...node,
+            title: this.decryptText(node.title, orgKey),
+            content: this.decryptText(node.content, orgKey),
+            metadata: this.decryptMetadataValues(node.metadata, orgKey, 0),
+        };
+    }
+    processMetadata(value, options, depth) {
+        if (depth > MAX_METADATA_DEPTH) {
+            return { result: value, matchCount: 0, encryptedCount: 0, types: [] };
+        }
+        if (typeof value === "string") {
+            const processed = this.processText(value, options);
+            return {
+                result: processed.text,
+                matchCount: processed.report.matchCount,
+                encryptedCount: processed.report.encryptedCount,
+                types: processed.report.types,
+            };
+        }
+        if (Array.isArray(value)) {
+            let totalMatches = 0;
+            let totalEncrypted = 0;
+            const allTypes = [];
+            const result = value.map((item) => {
+                const processed = this.processMetadata(item, options, depth + 1);
+                totalMatches += processed.matchCount;
+                totalEncrypted += processed.encryptedCount;
+                allTypes.push(...processed.types);
+                return processed.result;
+            });
+            return { result, matchCount: totalMatches, encryptedCount: totalEncrypted, types: allTypes };
+        }
+        if (value !== null && typeof value === "object") {
+            let totalMatches = 0;
+            let totalEncrypted = 0;
+            const allTypes = [];
+            const result = {};
+            for (const [key, val] of Object.entries(value)) {
+                // Skip internal PII report field
+                if (key === "_piiReport") {
+                    result[key] = val;
+                    continue;
+                }
+                const processed = this.processMetadata(val, options, depth + 1);
+                result[key] = processed.result;
+                totalMatches += processed.matchCount;
+                totalEncrypted += processed.encryptedCount;
+                allTypes.push(...processed.types);
+            }
+            return { result, matchCount: totalMatches, encryptedCount: totalEncrypted, types: allTypes };
+        }
+        return { result: value, matchCount: 0, encryptedCount: 0, types: [] };
+    }
+    decryptMetadataValues(value, orgKey, depth) {
+        if (depth > MAX_METADATA_DEPTH)
+            return value;
+        if (typeof value === "string") {
+            return this.decryptText(value, orgKey);
+        }
+        if (Array.isArray(value)) {
+            return value.map((item) => this.decryptMetadataValues(item, orgKey, depth + 1));
+        }
+        if (value !== null && typeof value === "object") {
+            const result = {};
+            for (const [key, val] of Object.entries(value)) {
+                result[key] = this.decryptMetadataValues(val, orgKey, depth + 1);
+            }
+            return result;
+        }
+        return value;
+    }
+}
+//# sourceMappingURL=pii-encryption-service.js.map

package/dist/services/pii-encryption-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-encryption-service.js","sourceRoot":"","sources":["../../src/services/pii-encryption-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAwBhE,MAAM,eAAe,GAAG,kEAAkE,CAAC;AAC3F,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAE7B,MAAM,OAAO,oBAAoB;IACX;IAApB,YAAoB,QAA4B;QAA5B,aAAQ,GAAR,QAAQ,CAAoB;IAAG,CAAC;IAEpD;;OAEG;IACH,WAAW,CAAC,IAAY,EAAE,OAA6B;QACrD,MAAM,WAAW,GAAc;YAC7B,UAAU,EAAE,CAAC;YACb,cAAc,EAAE,CAAC;YACjB,aAAa,EAAE,CAAC;YAChB,KAAK,EAAE,EAAE;YACT,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,QAAQ,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;SAClC,CAAC;QAEF,IAAI,OAAO,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAChC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;QACvC,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;YACtB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;QACvC,CAAC;QAED,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;QAE5D,sDAAsD;QACtD,MAAM,gBAAgB,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACpF,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;QAExE,IAAI,OAAO,CAAC,IAAI,KAAK,aAAa,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACxE,OAAO;gBACL,IAAI;gBACJ,MAAM,EAAE;oBACN,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,MAAM;oBACpC,cAAc,EAAE,CAAC;oBACjB,aAAa,EAAE,SAAS,CAAC,OAAO,CAAC,MAAM;oBACvC,KAAK;oBACL,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,QAAQ,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,aAAa,CAAC;iBAC7D;aACF,CAAC;QACJ,CAAC;QAED,gEAAgE;QAChE,8DAA8D;QAC9D,IAAI,MAAM,GAAG,IAAI,CAAC;QAClB,IAAI,cAAc,GAAG,CAAC,CAAC;QAEvB,MAAM,eAAe,GAAG,CAAC,GAAG,gBAAgB,CAAC,CAAC,OAAO,EAAE,CAAC;QACxD,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;YACpC,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YAC7D,MAAM,KAAK,GAAG,QAAQ,KAAK,CAAC,IAAI,IAAI,SAAS,GAAG,CAAC;YACjD,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACxE,cAAc,EAAE,CAAC;QACnB,CAAC;QAED,OAAO;YACL,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE;gBACN,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,MAAM;gBACpC,cAAc;gBACd,aAAa,EAAE,YAAY;gBAC3B,KAAK;gBACL,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,QAAQ,EAAE,KAAK;aAChB;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,iBAAiB,CACf,KAA6E,EAC7E,OAA6B;QAO7B,IAAI,OAAO,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAChC,OAAO;gBACL,GAAG,KAAK;gBACR,MAAM,EAAE;oBACN,UAAU,EAAE,CAAC;oBACb,cAAc,EAAE,CAAC;oBACjB,aAAa,EAAE,CAAC;oBAChB,KAAK,EAAE,EAAE;oBACT,IAAI,EAAE,UAAU;oBAChB,QAAQ,EAAE,KAAK;iBAChB;aACF,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAE/D,IAAI,iBAAiB,GAAG,KAAK,CAAC,QAAQ,CAAC;QACvC,IAAI,kBAAkB,GAAG,CAAC,CAAC;QAC3B,IAAI,sBAAsB,GAAG,CAAC,CAAC;QAC/B,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,IAAI,KAAK,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACtF,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,cAAc,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,eAAe,CACxE,KAAK,CAAC,QAAQ,EACd,OAAO,EACP,CAAC,CACF,CAAC;YACF,iBAAiB,GAAG,MAAiC,CAAC;YACtD,kBAAkB,GAAG,UAAU,CAAC;YAChC,sBAAsB,GAAG,cAAc,CAAC;YACxC,aAAa,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;QAC/B,CAAC;QAED,MAAM,QAAQ,GAAG;YACf,GAAG,IAAI,GAAG,CAAC;gBACT,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK;gBAC3B,GAAG,aAAa,CAAC,MAAM,CAAC,KAAK;gBAC7B,GAAG,aAAa;aACjB,CAAC;SACH,CAAC;QAEF,OAAO;YACL,KAAK,EAAE,WAAW,CAAC,IAAI;YACvB,OAAO,EAAE,aAAa,CAAC,IAAI;YAC3B,QAAQ,EAAE,iBAAiB;YAC3B,MAAM,EAAE;gBACN,UAAU,EACR,WAAW,CAAC,MAAM,CAAC,UAAU;oBAC7B,aAAa,CAAC,MAAM,CAAC,UAAU;oBAC/B,kBAAkB;gBACpB,cAAc,EACZ,WAAW,CAAC,MAAM,CAAC,cAAc;oBACjC,aAAa,CAAC,MAAM,CAAC,cAAc;oBACnC,sBAAsB;gBACxB,aAAa,EACX,WAAW,CAAC,MAAM,CAAC,aAAa;oBAChC,aAAa,CAAC,MAAM,CAAC,aAAa;gBACpC,KAAK,EAAE,QAAQ;gBACf,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,QAAQ,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;aAClC;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,IAAY,EAAE,MAAc;QACtC,OAAO,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,UAAU,EAAE,KAAa,EAAE,SAAiB,EAAE,EAAE;YACpF,IAAI,CAAC;gBACH,OAAO,aAAa,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,OAAO,UAAU,CAAC;YACpB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,iBAAiB,CACf,IAAO,EACP,MAAc;QAEd,OAAO;YACL,GAAG,IAAI;YACP,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC;YAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC;YAC/C,QAAQ,EAAE,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;SAC/D,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,KAAc,EACd,OAA6B,EAC7B,KAAa;QAEb,IAAI,KAAK,GAAG,kBAAkB,EAAE,CAAC;YAC/B,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACxE,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,SAAS,CAAC,IAAI;gBACtB,UAAU,EAAE,SAAS,CAAC,MAAM,CAAC,UAAU;gBACvC,cAAc,EAAE,SAAS,CAAC,MAAM,CAAC,cAAc;gBAC/C,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,KAAK;aAC9B,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,IAAI,YAAY,GAAG,CAAC,CAAC;YACrB,IAAI,cAAc,GAAG,CAAC,CAAC;YACvB,MAAM,QAAQ,GAAa,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;gBAChC,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;gBACjE,YAAY,IAAI,SAAS,CAAC,UAAU,CAAC;gBACrC,cAAc,IAAI,SAAS,CAAC,cAAc,CAAC;gBAC3C,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;gBAClC,OAAO,SAAS,CAAC,MAAM,CAAC;YAC1B,CAAC,CAAC,CAAC;YACH,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;QAC/F,CAAC;QAED,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAChD,IAAI,YAAY,GAAG,CAAC,CAAC;YACrB,IAAI,cAAc,GAAG,CAAC,CAAC;YACvB,MAAM,QAAQ,GAAa,EAAE,CAAC;YAC9B,MAAM,MAAM,GAA4B,EAAE,CAAC;YAE3C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;gBAC1E,iCAAiC;gBACjC,IAAI,GAAG,KAAK,YAAY,EAAE,CAAC;oBACzB,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;oBAClB,SAAS;gBACX,CAAC;gBACD,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;gBAChE,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC;gBAC/B,YAAY,IAAI,SAAS,CAAC,UAAU,CAAC;gBACrC,cAAc,IAAI,SAAS,CAAC,cAAc,CAAC;gBAC3C,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YACpC,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;QAC/F,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACxE,CAAC;IAEO,qBAAqB,CAAC,KAAc,EAAE,MAAc,EAAE,KAAa;QACzE,IAAI,KAAK,GAAG,kBAAkB;YAAE,OAAO,KAAK,CAAC;QAE7C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;QAClF,CAAC;QAED,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAChD,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;gBAC1E,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YACnE,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@apart-tech/intelligence-core",
-  "version": "1.0.6",
+  "version": "1.1.0",
   "description": "Core library: database, services, and providers for Apart Intelligence",
   "type": "module",
   "main": "dist/index.js",
@@ -19,6 +19,7 @@
     "access": "public"
   },
   "dependencies": {
+    "@cdssnc/sanitize-pii": "^2.1.2",
     "@prisma/client": "^6.6.0",
     "@prisma/extension-accelerate": "^3.0.1",
     "prisma": "^6.6.0",

package/prisma/schema.prisma

@@ -20,6 +20,7 @@ model Organization {
   apiKeys         ApiKey[]
   workspaces      Workspace[]
   embeddingConfig OrgEmbeddingConfig?
+  piiConfig       OrgPiiConfig?
 
   @@map("organizations")
 }
@@ -39,6 +40,21 @@ model OrgEmbeddingConfig {
   @@map("org_embedding_config")
 }
 
+model OrgPiiConfig {
+  id              String   @id @default(uuid()) @db.Uuid
+  organizationId  String   @unique @map("organization_id") @db.Uuid
+  mode            String   @default("encrypt") @db.VarChar(20)
+  piiKeyEncrypted String   @map("pii_key_encrypted") @db.Text
+  allowedPiiTypes Json     @default("[]") @map("allowed_pii_types")
+  allowBypass     Boolean  @default(false) @map("allow_bypass")
+  updatedAt       DateTime @default(now()) @map("updated_at") @db.Timestamptz
+  updatedBy       String   @default("api") @map("updated_by") @db.VarChar(255)
+
+  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  @@map("org_pii_config")
+}
+
 model Domain {
   id             String   @id @default(uuid()) @db.Uuid
   name           String   @db.VarChar(200)
@@ -75,6 +91,7 @@ model Node {
   createdAt      DateTime                    @default(now()) @map("created_at") @db.Timestamptz
   updatedAt      DateTime                    @default(now()) @map("updated_at") @db.Timestamptz
   version        Int                         @default(1)
+  hasPii         Boolean                     @default(false) @map("has_pii")
   domainId       String?                     @map("domain_id") @db.Uuid
   organizationId String                      @map("organization_id") @db.Uuid