@apart-tech/intelligence-core 1.0.7 → 1.2.0

package/dist/services/pii-detector-service.js

@@ -0,0 +1,89 @@
+import { PiiSanitizer, defaultPatterns } from "@cdssnc/sanitize-pii";
+/** Additional patterns not included in @cdssnc/sanitize-pii defaults */
+const extraPatterns = [
+    {
+        name: "email",
+        regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
+        description: "Email address",
+    },
+    {
+        name: "ssn_us",
+        regex: /\b\d{3}-\d{2}-\d{4}\b/g,
+        description: "US Social Security Number",
+    },
+];
+export class PiiDetectorService {
+    sanitizer;
+    constructor(customPatterns) {
+        this.sanitizer = new PiiSanitizer({
+            patterns: [...defaultPatterns, ...extraPatterns, ...(customPatterns ?? [])],
+            useDefaultPatterns: false,
+        });
+    }
+    /**
+     * Detect PII in a text string. Returns matches with their positions.
+     */
+    detect(text) {
+        if (!text)
+            return { hasPii: false, matches: [] };
+        const detections = this.sanitizer.detectPii(text);
+        const matches = [];
+        for (const detection of detections) {
+            // Find all occurrences of this match in the text
+            let searchFrom = 0;
+            while (searchFrom < text.length) {
+                const idx = text.indexOf(detection.match, searchFrom);
+                if (idx === -1)
+                    break;
+                matches.push({
+                    type: detection.pattern,
+                    value: detection.match,
+                    start: idx,
+                    end: idx + detection.match.length,
+                });
+                searchFrom = idx + detection.match.length;
+            }
+        }
+        // Sort by position (start offset) and deduplicate overlapping matches
+        matches.sort((a, b) => a.start - b.start);
+        const deduplicated = deduplicateMatches(matches);
+        return {
+            hasPii: deduplicated.length > 0,
+            matches: deduplicated,
+        };
+    }
+    /**
+     * Detect PII in all string values of an object (shallow — top-level keys only).
+     */
+    detectInObject(obj) {
+        const results = {};
+        for (const [key, value] of Object.entries(obj)) {
+            if (typeof value === "string") {
+                results[key] = this.detect(value);
+            }
+        }
+        return results;
+    }
+}
+/**
+ * Remove overlapping matches, keeping the longer (more specific) one.
+ */
+function deduplicateMatches(sorted) {
+    if (sorted.length <= 1)
+        return sorted;
+    const result = [sorted[0]];
+    for (let i = 1; i < sorted.length; i++) {
+        const prev = result[result.length - 1];
+        const curr = sorted[i];
+        if (curr.start >= prev.end) {
+            result.push(curr);
+        }
+        else if (curr.end - curr.start > prev.end - prev.start) {
+            // Current match is longer — replace previous
+            result[result.length - 1] = curr;
+        }
+        // Otherwise skip (previous match covers this one)
+    }
+    return result;
+}
+//# sourceMappingURL=pii-detector-service.js.map

package/dist/services/pii-detector-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-detector-service.js","sourceRoot":"","sources":["../../src/services/pii-detector-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAerE,wEAAwE;AACxE,MAAM,aAAa,GAAiB;IAClC;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,eAAe;KAC7B;IACD;QACE,IAAI,EAAE,QAAQ;QACd,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,2BAA2B;KACzC;CACF,CAAC;AAEF,MAAM,OAAO,kBAAkB;IACrB,SAAS,CAAe;IAEhC,YAAY,cAA6B;QACvC,IAAI,CAAC,SAAS,GAAG,IAAI,YAAY,CAAC;YAChC,QAAQ,EAAE,CAAC,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC;YAC3E,kBAAkB,EAAE,KAAK;SAC1B,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAY;QACjB,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAEjD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAClD,MAAM,OAAO,GAAe,EAAE,CAAC;QAE/B,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,iDAAiD;YACjD,IAAI,UAAU,GAAG,CAAC,CAAC;YACnB,OAAO,UAAU,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;gBACtD,IAAI,GAAG,KAAK,CAAC,CAAC;oBAAE,MAAM;gBAEtB,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,SAAS,CAAC,OAAO;oBACvB,KAAK,EAAE,SAAS,CAAC,KAAK;oBACtB,KAAK,EAAE,GAAG;oBACV,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,MAAM;iBAClC,CAAC,CAAC;gBACH,UAAU,GAAG,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC;YAC5C,CAAC;QACH,CAAC;QAED,sEAAsE;QACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,YAAY,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAEjD,OAAO;YACL,MAAM,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC;YAC/B,OAAO,EAAE,YAAY;SACtB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,GAA4B;QACzC,MAAM,OAAO,GAAuC,EAAE,CAAC;QACvD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,MAAkB;IAC5C,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IAEtC,MAAM,MAAM,GAAe,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACvC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACvB,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;aAAM,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;YACzD,6CAA6C;YAC7C,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;QACnC,CAAC;QACD,kDAAkD;IACpD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/services/pii-encryption-service.d.ts

@@ -0,0 +1,55 @@
+import type { PiiDetectorService } from "./pii-detector-service.js";
+export interface PiiEncryptionOptions {
+    orgKey?: Buffer;
+    mode: "encrypt" | "detect-warn" | "disabled";
+    allowedPiiTypes?: string[];
+    bypass?: boolean;
+}
+export interface PiiReport {
+    matchCount: number;
+    encryptedCount: number;
+    bypassedCount: number;
+    types: string[];
+    mode: string;
+    bypassed: boolean;
+}
+export interface PiiProcessingResult {
+    text: string;
+    report: PiiReport;
+}
+export declare class PiiEncryptionService {
+    private detector;
+    constructor(detector: PiiDetectorService);
+    /**
+     * Process a text string: detect PII and optionally encrypt matches.
+     */
+    processText(text: string, options: PiiEncryptionOptions): PiiProcessingResult;
+    /**
+     * Process node fields (title, content, metadata) for PII.
+     */
+    processNodeFields(input: {
+        title: string;
+        content: string;
+        metadata?: Record<string, unknown>;
+    }, options: PiiEncryptionOptions): {
+        title: string;
+        content: string;
+        metadata?: Record<string, unknown>;
+        report: PiiReport;
+    };
+    /**
+     * Decrypt all PII tokens in a text string.
+     */
+    decryptText(text: string, orgKey: Buffer): string;
+    /**
+     * Decrypt PII tokens in node fields.
+     */
+    decryptNodeFields<T extends {
+        title: string;
+        content: string;
+        metadata: unknown;
+    }>(node: T, orgKey: Buffer): T;
+    private processMetadata;
+    private decryptMetadataValues;
+}
+//# sourceMappingURL=pii-encryption-service.d.ts.map

package/dist/services/pii-encryption-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-encryption-service.d.ts","sourceRoot":"","sources":["../../src/services/pii-encryption-service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAEpE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,SAAS,GAAG,aAAa,GAAG,UAAU,CAAC;IAC7C,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,SAAS;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,CAAC;CACnB;AAKD,qBAAa,oBAAoB;IACnB,OAAO,CAAC,QAAQ;gBAAR,QAAQ,EAAE,kBAAkB;IAEhD;;OAEG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,oBAAoB,GAAG,mBAAmB;IAkE7E;;OAEG;IACH,iBAAiB,CACf,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,EAC7E,OAAO,EAAE,oBAAoB,GAC5B;QACD,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACnC,MAAM,EAAE,SAAS,CAAC;KACnB;IAkED;;OAEG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM;IAWjD;;OAEG;IACH,iBAAiB,CAAC,CAAC,SAAS;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,EAC/E,IAAI,EAAE,CAAC,EACP,MAAM,EAAE,MAAM,GACb,CAAC;IASJ,OAAO,CAAC,eAAe;IAyDvB,OAAO,CAAC,qBAAqB;CAqB9B"}

package/dist/services/pii-encryption-service.js

@@ -0,0 +1,216 @@
+import { encryptAesGcm, decryptAesGcm } from "../lib/crypto.js";
+const PII_TOKEN_REGEX = /\[PII:(\w+):([A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+)\]/g;
+const MAX_METADATA_DEPTH = 5;
+export class PiiEncryptionService {
+    detector;
+    constructor(detector) {
+        this.detector = detector;
+    }
+    /**
+     * Process a text string: detect PII and optionally encrypt matches.
+     */
+    processText(text, options) {
+        const emptyReport = {
+            matchCount: 0,
+            encryptedCount: 0,
+            bypassedCount: 0,
+            types: [],
+            mode: options.mode,
+            bypassed: options.bypass ?? false,
+        };
+        if (options.mode === "disabled") {
+            return { text, report: emptyReport };
+        }
+        const detection = this.detector.detect(text);
+        if (!detection.hasPii) {
+            return { text, report: emptyReport };
+        }
+        const types = [...new Set(detection.matches.map((m) => m.type))];
+        const allowedTypes = new Set(options.allowedPiiTypes ?? []);
+        // Filter out matches whose type is explicitly allowed
+        const matchesToProcess = detection.matches.filter((m) => !allowedTypes.has(m.type));
+        const skippedCount = detection.matches.length - matchesToProcess.length;
+        if (options.mode === "detect-warn" || options.bypass || !options.orgKey) {
+            return {
+                text,
+                report: {
+                    matchCount: detection.matches.length,
+                    encryptedCount: 0,
+                    bypassedCount: detection.matches.length,
+                    types,
+                    mode: options.mode,
+                    bypassed: options.bypass ?? (options.mode === "detect-warn"),
+                },
+            };
+        }
+        // Mode is "encrypt" — replace PII matches with encrypted tokens
+        // Process matches in reverse order to preserve string offsets
+        let result = text;
+        let encryptedCount = 0;
+        const reversedMatches = [...matchesToProcess].reverse();
+        for (const match of reversedMatches) {
+            const encrypted = encryptAesGcm(match.value, options.orgKey);
+            const token = `[PII:${match.type}:${encrypted}]`;
+            result = result.slice(0, match.start) + token + result.slice(match.end);
+            encryptedCount++;
+        }
+        return {
+            text: result,
+            report: {
+                matchCount: detection.matches.length,
+                encryptedCount,
+                bypassedCount: skippedCount,
+                types,
+                mode: options.mode,
+                bypassed: false,
+            },
+        };
+    }
+    /**
+     * Process node fields (title, content, metadata) for PII.
+     */
+    processNodeFields(input, options) {
+        if (options.mode === "disabled") {
+            return {
+                ...input,
+                report: {
+                    matchCount: 0,
+                    encryptedCount: 0,
+                    bypassedCount: 0,
+                    types: [],
+                    mode: "disabled",
+                    bypassed: false,
+                },
+            };
+        }
+        const titleResult = this.processText(input.title, options);
+        const contentResult = this.processText(input.content, options);
+        let processedMetadata = input.metadata;
+        let metadataMatchCount = 0;
+        let metadataEncryptedCount = 0;
+        const metadataTypes = [];
+        if (input.metadata && options.mode === "encrypt" && !options.bypass && options.orgKey) {
+            const { result, matchCount, encryptedCount, types } = this.processMetadata(input.metadata, options, 0);
+            processedMetadata = result;
+            metadataMatchCount = matchCount;
+            metadataEncryptedCount = encryptedCount;
+            metadataTypes.push(...types);
+        }
+        const allTypes = [
+            ...new Set([
+                ...titleResult.report.types,
+                ...contentResult.report.types,
+                ...metadataTypes,
+            ]),
+        ];
+        return {
+            title: titleResult.text,
+            content: contentResult.text,
+            metadata: processedMetadata,
+            report: {
+                matchCount: titleResult.report.matchCount +
+                    contentResult.report.matchCount +
+                    metadataMatchCount,
+                encryptedCount: titleResult.report.encryptedCount +
+                    contentResult.report.encryptedCount +
+                    metadataEncryptedCount,
+                bypassedCount: titleResult.report.bypassedCount +
+                    contentResult.report.bypassedCount,
+                types: allTypes,
+                mode: options.mode,
+                bypassed: options.bypass ?? false,
+            },
+        };
+    }
+    /**
+     * Decrypt all PII tokens in a text string.
+     */
+    decryptText(text, orgKey) {
+        return text.replace(PII_TOKEN_REGEX, (_fullMatch, _type, encrypted) => {
+            try {
+                return decryptAesGcm(encrypted, orgKey);
+            }
+            catch {
+                // If decryption fails (wrong key, corrupted), leave token as-is
+                return _fullMatch;
+            }
+        });
+    }
+    /**
+     * Decrypt PII tokens in node fields.
+     */
+    decryptNodeFields(node, orgKey) {
+        return {
+            ...node,
+            title: this.decryptText(node.title, orgKey),
+            content: this.decryptText(node.content, orgKey),
+            metadata: this.decryptMetadataValues(node.metadata, orgKey, 0),
+        };
+    }
+    processMetadata(value, options, depth) {
+        if (depth > MAX_METADATA_DEPTH) {
+            return { result: value, matchCount: 0, encryptedCount: 0, types: [] };
+        }
+        if (typeof value === "string") {
+            const processed = this.processText(value, options);
+            return {
+                result: processed.text,
+                matchCount: processed.report.matchCount,
+                encryptedCount: processed.report.encryptedCount,
+                types: processed.report.types,
+            };
+        }
+        if (Array.isArray(value)) {
+            let totalMatches = 0;
+            let totalEncrypted = 0;
+            const allTypes = [];
+            const result = value.map((item) => {
+                const processed = this.processMetadata(item, options, depth + 1);
+                totalMatches += processed.matchCount;
+                totalEncrypted += processed.encryptedCount;
+                allTypes.push(...processed.types);
+                return processed.result;
+            });
+            return { result, matchCount: totalMatches, encryptedCount: totalEncrypted, types: allTypes };
+        }
+        if (value !== null && typeof value === "object") {
+            let totalMatches = 0;
+            let totalEncrypted = 0;
+            const allTypes = [];
+            const result = {};
+            for (const [key, val] of Object.entries(value)) {
+                // Skip internal PII report field
+                if (key === "_piiReport") {
+                    result[key] = val;
+                    continue;
+                }
+                const processed = this.processMetadata(val, options, depth + 1);
+                result[key] = processed.result;
+                totalMatches += processed.matchCount;
+                totalEncrypted += processed.encryptedCount;
+                allTypes.push(...processed.types);
+            }
+            return { result, matchCount: totalMatches, encryptedCount: totalEncrypted, types: allTypes };
+        }
+        return { result: value, matchCount: 0, encryptedCount: 0, types: [] };
+    }
+    decryptMetadataValues(value, orgKey, depth) {
+        if (depth > MAX_METADATA_DEPTH)
+            return value;
+        if (typeof value === "string") {
+            return this.decryptText(value, orgKey);
+        }
+        if (Array.isArray(value)) {
+            return value.map((item) => this.decryptMetadataValues(item, orgKey, depth + 1));
+        }
+        if (value !== null && typeof value === "object") {
+            const result = {};
+            for (const [key, val] of Object.entries(value)) {
+                result[key] = this.decryptMetadataValues(val, orgKey, depth + 1);
+            }
+            return result;
+        }
+        return value;
+    }
+}
+//# sourceMappingURL=pii-encryption-service.js.map

package/dist/services/pii-encryption-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-encryption-service.js","sourceRoot":"","sources":["../../src/services/pii-encryption-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAwBhE,MAAM,eAAe,GAAG,kEAAkE,CAAC;AAC3F,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAE7B,MAAM,OAAO,oBAAoB;IACX;IAApB,YAAoB,QAA4B;QAA5B,aAAQ,GAAR,QAAQ,CAAoB;IAAG,CAAC;IAEpD;;OAEG;IACH,WAAW,CAAC,IAAY,EAAE,OAA6B;QACrD,MAAM,WAAW,GAAc;YAC7B,UAAU,EAAE,CAAC;YACb,cAAc,EAAE,CAAC;YACjB,aAAa,EAAE,CAAC;YAChB,KAAK,EAAE,EAAE;YACT,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,QAAQ,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;SAClC,CAAC;QAEF,IAAI,OAAO,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAChC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;QACvC,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;YACtB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;QACvC,CAAC;QAED,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;QAE5D,sDAAsD;QACtD,MAAM,gBAAgB,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACpF,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;QAExE,IAAI,OAAO,CAAC,IAAI,KAAK,aAAa,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACxE,OAAO;gBACL,IAAI;gBACJ,MAAM,EAAE;oBACN,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,MAAM;oBACpC,cAAc,EAAE,CAAC;oBACjB,aAAa,EAAE,SAAS,CAAC,OAAO,CAAC,MAAM;oBACvC,KAAK;oBACL,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,QAAQ,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,aAAa,CAAC;iBAC7D;aACF,CAAC;QACJ,CAAC;QAED,gEAAgE;QAChE,8DAA8D;QAC9D,IAAI,MAAM,GAAG,IAAI,CAAC;QAClB,IAAI,cAAc,GAAG,CAAC,CAAC;QAEvB,MAAM,eAAe,GAAG,CAAC,GAAG,gBAAgB,CAAC,CAAC,OAAO,EAAE,CAAC;QACxD,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;YACpC,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YAC7D,MAAM,KAAK,GAAG,QAAQ,KAAK,CAAC,IAAI,IAAI,SAAS,GAAG,CAAC;YACjD,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACxE,cAAc,EAAE,CAAC;QACnB,CAAC;QAED,OAAO;YACL,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE;gBACN,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,MAAM;gBACpC,cAAc;gBACd,aAAa,EAAE,YAAY;gBAC3B,KAAK;gBACL,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,QAAQ,EAAE,KAAK;aAChB;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,iBAAiB,CACf,KAA6E,EAC7E,OAA6B;QAO7B,IAAI,OAAO,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAChC,OAAO;gBACL,GAAG,KAAK;gBACR,MAAM,EAAE;oBACN,UAAU,EAAE,CAAC;oBACb,cAAc,EAAE,CAAC;oBACjB,aAAa,EAAE,CAAC;oBAChB,KAAK,EAAE,EAAE;oBACT,IAAI,EAAE,UAAU;oBAChB,QAAQ,EAAE,KAAK;iBAChB;aACF,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAE/D,IAAI,iBAAiB,GAAG,KAAK,CAAC,QAAQ,CAAC;QACvC,IAAI,kBAAkB,GAAG,CAAC,CAAC;QAC3B,IAAI,sBAAsB,GAAG,CAAC,CAAC;QAC/B,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,IAAI,KAAK,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACtF,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,cAAc,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,eAAe,CACxE,KAAK,CAAC,QAAQ,EACd,OAAO,EACP,CAAC,CACF,CAAC;YACF,iBAAiB,GAAG,MAAiC,CAAC;YACtD,kBAAkB,GAAG,UAAU,CAAC;YAChC,sBAAsB,GAAG,cAAc,CAAC;YACxC,aAAa,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;QAC/B,CAAC;QAED,MAAM,QAAQ,GAAG;YACf,GAAG,IAAI,GAAG,CAAC;gBACT,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK;gBAC3B,GAAG,aAAa,CAAC,MAAM,CAAC,KAAK;gBAC7B,GAAG,aAAa;aACjB,CAAC;SACH,CAAC;QAEF,OAAO;YACL,KAAK,EAAE,WAAW,CAAC,IAAI;YACvB,OAAO,EAAE,aAAa,CAAC,IAAI;YAC3B,QAAQ,EAAE,iBAAiB;YAC3B,MAAM,EAAE;gBACN,UAAU,EACR,WAAW,CAAC,MAAM,CAAC,UAAU;oBAC7B,aAAa,CAAC,MAAM,CAAC,UAAU;oBAC/B,kBAAkB;gBACpB,cAAc,EACZ,WAAW,CAAC,MAAM,CAAC,cAAc;oBACjC,aAAa,CAAC,MAAM,CAAC,cAAc;oBACnC,sBAAsB;gBACxB,aAAa,EACX,WAAW,CAAC,MAAM,CAAC,aAAa;oBAChC,aAAa,CAAC,MAAM,CAAC,aAAa;gBACpC,KAAK,EAAE,QAAQ;gBACf,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,QAAQ,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;aAClC;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,IAAY,EAAE,MAAc;QACtC,OAAO,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,UAAU,EAAE,KAAa,EAAE,SAAiB,EAAE,EAAE;YACpF,IAAI,CAAC;gBACH,OAAO,aAAa,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,OAAO,UAAU,CAAC;YACpB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,iBAAiB,CACf,IAAO,EACP,MAAc;QAEd,OAAO;YACL,GAAG,IAAI;YACP,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC;YAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC;YAC/C,QAAQ,EAAE,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;SAC/D,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,KAAc,EACd,OAA6B,EAC7B,KAAa;QAEb,IAAI,KAAK,GAAG,kBAAkB,EAAE,CAAC;YAC/B,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACxE,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,SAAS,CAAC,IAAI;gBACtB,UAAU,EAAE,SAAS,CAAC,MAAM,CAAC,UAAU;gBACvC,cAAc,EAAE,SAAS,CAAC,MAAM,CAAC,cAAc;gBAC/C,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,KAAK;aAC9B,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,IAAI,YAAY,GAAG,CAAC,CAAC;YACrB,IAAI,cAAc,GAAG,CAAC,CAAC;YACvB,MAAM,QAAQ,GAAa,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;gBAChC,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;gBACjE,YAAY,IAAI,SAAS,CAAC,UAAU,CAAC;gBACrC,cAAc,IAAI,SAAS,CAAC,cAAc,CAAC;gBAC3C,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;gBAClC,OAAO,SAAS,CAAC,MAAM,CAAC;YAC1B,CAAC,CAAC,CAAC;YACH,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;QAC/F,CAAC;QAED,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAChD,IAAI,YAAY,GAAG,CAAC,CAAC;YACrB,IAAI,cAAc,GAAG,CAAC,CAAC;YACvB,MAAM,QAAQ,GAAa,EAAE,CAAC;YAC9B,MAAM,MAAM,GAA4B,EAAE,CAAC;YAE3C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;gBAC1E,iCAAiC;gBACjC,IAAI,GAAG,KAAK,YAAY,EAAE,CAAC;oBACzB,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;oBAClB,SAAS;gBACX,CAAC;gBACD,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;gBAChE,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC;gBAC/B,YAAY,IAAI,SAAS,CAAC,UAAU,CAAC;gBACrC,cAAc,IAAI,SAAS,CAAC,cAAc,CAAC;gBAC3C,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YACpC,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;QAC/F,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACxE,CAAC;IAEO,qBAAqB,CAAC,KAAc,EAAE,MAAc,EAAE,KAAa;QACzE,IAAI,KAAK,GAAG,kBAAkB;YAAE,OAAO,KAAK,CAAC;QAE7C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;QAClF,CAAC;QAED,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAChD,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;gBAC1E,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YACnE,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@apart-tech/intelligence-core",
-  "version": "1.0.7",
+  "version": "1.2.0",
   "description": "Core library: database, services, and providers for Apart Intelligence",
   "type": "module",
   "main": "dist/index.js",
@@ -18,7 +18,18 @@
   "publishConfig": {
     "access": "public"
   },
+  "scripts": {
+    "postinstall": "prisma generate --schema ./prisma/schema.prisma 2>/dev/null || true",
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "lint": "tsc --noEmit",
+    "test": "vitest run",
+    "db:generate": "prisma generate",
+    "db:migrate": "prisma migrate dev",
+    "db:push": "prisma db push"
+  },
   "dependencies": {
+    "@cdssnc/sanitize-pii": "^2.1.2",
     "@prisma/client": "^6.6.0",
     "@prisma/extension-accelerate": "^3.0.1",
     "prisma": "^6.6.0",
@@ -29,15 +40,5 @@
     "@types/node": "^25.5.0",
     "typescript": "^5.7.0",
     "vitest": "^3.0.0"
-  },
-  "scripts": {
-    "postinstall": "prisma generate --schema ./prisma/schema.prisma 2>/dev/null || true",
-    "build": "tsc",
-    "dev": "tsc --watch",
-    "lint": "tsc --noEmit",
-    "test": "vitest run",
-    "db:generate": "prisma generate",
-    "db:migrate": "prisma migrate dev",
-    "db:push": "prisma db push"
   }
-}
+}

package/prisma/schema.prisma

@@ -20,6 +20,7 @@ model Organization {
   apiKeys         ApiKey[]
   workspaces      Workspace[]
   embeddingConfig OrgEmbeddingConfig?
+  piiConfig       OrgPiiConfig?
 
   @@map("organizations")
 }
@@ -39,6 +40,21 @@ model OrgEmbeddingConfig {
   @@map("org_embedding_config")
 }
 
+model OrgPiiConfig {
+  id              String   @id @default(uuid()) @db.Uuid
+  organizationId  String   @unique @map("organization_id") @db.Uuid
+  mode            String   @default("encrypt") @db.VarChar(20)
+  piiKeyEncrypted String   @map("pii_key_encrypted") @db.Text
+  allowedPiiTypes Json     @default("[]") @map("allowed_pii_types")
+  allowBypass     Boolean  @default(false) @map("allow_bypass")
+  updatedAt       DateTime @default(now()) @map("updated_at") @db.Timestamptz
+  updatedBy       String   @default("api") @map("updated_by") @db.VarChar(255)
+
+  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  @@map("org_pii_config")
+}
+
 model Domain {
   id             String   @id @default(uuid()) @db.Uuid
   name           String   @db.VarChar(200)
@@ -75,6 +91,7 @@ model Node {
   createdAt      DateTime                    @default(now()) @map("created_at") @db.Timestamptz
   updatedAt      DateTime                    @default(now()) @map("updated_at") @db.Timestamptz
   version        Int                         @default(1)
+  hasPii         Boolean                     @default(false) @map("has_pii")
   domainId       String?                     @map("domain_id") @db.Uuid
   organizationId String                      @map("organization_id") @db.Uuid