agentid-sdk 0.1.7 → 0.1.8

package/dist/index.js

@@ -82,8 +82,863 @@ var OpenAIAdapter = class {
   }
 };
 
-// src/pii.ts
+// src/pii-national-identifiers.ts
+var MAX_CANDIDATES_PER_RULE = 256;
+var MAX_PREFILTER_HITS = 512;
+var DEFAULT_DEADLINE_MS = 100;
+var DEFAULT_PREFILTER_DEADLINE_MS = 12;
+var ANCHOR_WINDOW_CHARS = 20;
+var ADDRESS_WINDOW_CHARS = 40;
+var symbolHintRegex = /[\/<\-]/;
+var longDigitHintRegex = /\d{8,}/;
+var czBirthNumberRegex = /\b\d{2}(?:0[1-9]|1[0-2]|2[1-9]|3[0-2]|5[1-9]|6[0-2]|7[1-9]|8[0-2])(?:0[1-9]|[12]\d|3[01])\/?\d{3,4}\b/g;
+var czBirthNumberContextRegex = /\b(?:rodne?\s*(?:cislo|c\.)|r\.?\s*c\.?)\b[^0-9]{0,12}\d{6}(?:\/?\d{0,4})?\b/iu;
+var peselRegex = /\b\d{11}\b/g;
+var cnpRegex = /\b[1-9]\d{12}\b/g;
+var deTaxIdRegex = /\b\d{11}\b/g;
+var huTajRegex = /\b\d{9}\b/g;
+var plNipRegex = /\b\d{10}\b/g;
+var ukNinoRegex = /\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b/gi;
+var frInseeRegex = /\b[12]\s?\d{2}\s?(0[1-9]|1[0-2]|[23]\d|4[0-2]|[5-9]\d)\s?(2[AB]|\d{2})\s?\d{3}\s?\d{3}\s?\d{2}\b/gi;
+var esDniRegex = /\b\d{8}[A-Z]\b/gi;
+var esNieRegex = /\b[XYZ]\d{7}[A-Z]\b/gi;
+var itCodiceFiscaleRegex = /\b[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]\b/gi;
+var nlBsnRegex = /\b\d{8,9}\b/g;
+var atSvnrRegex = /\b\d{4}\s?\d{6}\b/g;
+var euVatRegex = /\b[A-Z]{2}[A-Z0-9]{8,12}\b/g;
+var ukDriverRegex = /\b[A-Z9]{5}\d{6}[A-Z9]{2}\d[A-Z]{2}\b/g;
+var genericDriverRegex = /\b[A-Z0-9]{8,18}\b/g;
+var postalCodeRegex = /\b(?:\d{3}\s?\d{2}|\d{4}|\d{5})\b/g;
+var mrzBlockRegex = /(?:^|\r?\n)([A-Z0-9< ]{10,44}(?:\r?\n[A-Z0-9< ]{10,44}){1,5})(?=\r?\n|$)/g;
+var peselChecksumWeights = [1, 3, 7, 9, 1, 3, 7, 9, 1, 3];
+var cnpChecksumWeights = [2, 7, 9, 1, 4, 6, 3, 5, 8, 2, 7, 9];
+var polishNipWeights = [6, 5, 7, 2, 3, 4, 5, 6, 7];
+var atSvnrWeights = [3, 7, 9, 5, 8, 4, 2, 1, 6];
+var mrzWeights = [7, 3, 1];
+var dniNieControlLetters = "TRWAGMYFPDXBNJZSQVHLCKE";
+var italianOddControlMap = {
+  "0": 1,
+  "1": 0,
+  "2": 5,
+  "3": 7,
+  "4": 9,
+  "5": 13,
+  "6": 15,
+  "7": 17,
+  "8": 19,
+  "9": 21,
+  A: 1,
+  B: 0,
+  C: 5,
+  D: 7,
+  E: 9,
+  F: 13,
+  G: 15,
+  H: 17,
+  I: 19,
+  J: 21,
+  K: 2,
+  L: 4,
+  M: 18,
+  N: 20,
+  O: 11,
+  P: 3,
+  Q: 6,
+  R: 8,
+  S: 12,
+  T: 14,
+  U: 16,
+  V: 10,
+  W: 22,
+  X: 25,
+  Y: 24,
+  Z: 23
+};
+var REGION_ANCHORS = {
+  czsk: ["rodne cislo", "rc", "cislo", "birth number", "personal number"],
+  pl: ["pesel", "nip", "dowod", "poland"],
+  ro: ["cnp", "romania"],
+  de: ["steuer id", "steuer-id", "steueridentifikationsnummer", "ust-idnr", "deutschland"],
+  hu: ["taj", "szemelyi", "hungary"],
+  gb: ["nino", "national insurance", "gb", "great britain", "driving licence", "driver licence"],
+  fr: ["insee", "nir", "securite sociale", "france"],
+  es: ["dni", "nie", "nif", "cif", "espana", "spain"],
+  it: ["codice fiscale", "fiscal code", "italia", "italy"],
+  nl: ["bsn", "burgerservicenummer", "nederland", "netherlands"],
+  at: ["svnr", "sozialversicherung", "sozialversicherungsnummer", "austria", "oesterreich"]
+};
+var TAX_ANCHORS = [
+  "vat",
+  "vat number",
+  "tax",
+  "tax id",
+  "tin",
+  "dic",
+  "nip",
+  "nino",
+  "steuernummer",
+  "steuer id",
+  "steuer-id",
+  "ust-idnr",
+  "insee",
+  "nir",
+  "dni",
+  "nie",
+  "nif",
+  "cif",
+  "codice fiscale",
+  "fiscal code",
+  "bsn",
+  "burgerservicenummer",
+  "svnr",
+  "sozialversicherung",
+  "sozialversicherungsnummer",
+  "fiscal"
+];
+var NL_BSN_ANCHORS = ["bsn", "burgerservicenummer"];
+var AT_SVNR_ANCHORS = ["svnr", "sozialversicherung", "sozialversicherungsnummer", "ssn"];
+var DRIVER_ANCHORS = [
+  "driver licence",
+  "driving licence",
+  "drivers license",
+  "driving license",
+  "ridicsky prukaz",
+  "vodicsky preukaz",
+  "prawo jazdy",
+  "fuhrerschein",
+  "fuehrerschein",
+  "permis",
+  "driving permit"
+];
+var ADDRESS_ANCHORS = [
+  "street",
+  "st.",
+  "strasse",
+  "str.",
+  "ulice",
+  "ul.",
+  "ulica",
+  "road",
+  "rd.",
+  "avenue",
+  "ave.",
+  "postcode",
+  "postal code",
+  "zip",
+  "psc",
+  "plz"
+];
+var MRZ_ANCHORS = ["mrz", "machine readable zone", "passport", "id card", "travel document"];
+var ALL_ANCHORS = dedupeAnchors([
+  ...TAX_ANCHORS,
+  ...DRIVER_ANCHORS,
+  ...ADDRESS_ANCHORS,
+  ...MRZ_ANCHORS,
+  ...REGION_ANCHORS.czsk,
+  ...REGION_ANCHORS.pl,
+  ...REGION_ANCHORS.ro,
+  ...REGION_ANCHORS.de,
+  ...REGION_ANCHORS.hu,
+  ...REGION_ANCHORS.gb,
+  ...REGION_ANCHORS.fr,
+  ...REGION_ANCHORS.es,
+  ...REGION_ANCHORS.it,
+  ...REGION_ANCHORS.nl,
+  ...REGION_ANCHORS.at
+]);
+var TAX_ANCHOR_SET = new Set(TAX_ANCHORS.map(normalizeAnchorWord));
+var DRIVER_ANCHOR_SET = new Set(DRIVER_ANCHORS.map(normalizeAnchorWord));
+var ADDRESS_ANCHOR_SET = new Set(ADDRESS_ANCHORS.map(normalizeAnchorWord));
+var MRZ_ANCHOR_SET = new Set(MRZ_ANCHORS.map(normalizeAnchorWord));
+var NL_BSN_ANCHOR_SET = new Set(NL_BSN_ANCHORS.map(normalizeAnchorWord));
+var AT_SVNR_ANCHOR_SET = new Set(AT_SVNR_ANCHORS.map(normalizeAnchorWord));
+var anchorTrie = buildTrie(ALL_ANCHORS);
+function dedupeAnchors(anchors) {
+  const unique = /* @__PURE__ */ new Set();
+  for (const anchor of anchors) {
+    const normalized = normalizeAnchorWord(anchor);
+    if (normalized.length > 0) unique.add(normalized);
+  }
+  return Array.from(unique);
+}
+function foldForMatching(value) {
+  return value.toLowerCase().normalize("NFD").replace(/\p{M}+/gu, "");
+}
+function normalizeAnchorWord(value) {
+  return foldForMatching(value).trim().replace(/\s+/g, " ");
+}
+function createTrieNode() {
+  return { children: /* @__PURE__ */ new Map(), terminalWords: [] };
+}
+function buildTrie(words) {
+  const root = createTrieNode();
+  for (const word of words) {
+    let node = root;
+    for (const char of word) {
+      const next = node.children.get(char);
+      if (next) {
+        node = next;
+      } else {
+        const created = createTrieNode();
+        node.children.set(char, created);
+        node = created;
+      }
+    }
+    node.terminalWords.push(word);
+  }
+  return root;
+}
+function isWordChar(char) {
+  if (!char) return false;
+  return /[a-z0-9]/i.test(char);
+}
+function hasWordBoundaries(text, start, end) {
+  const before = start > 0 ? text[start - 1] : void 0;
+  const after = end < text.length ? text[end] : void 0;
+  return !isWordChar(before) && !isWordChar(after);
+}
+function hasExpired(startTimeMs, deadlineMs) {
+  return Date.now() - startTimeMs > deadlineMs;
+}
+function toInt(value) {
+  return Number.parseInt(value, 10);
+}
 function countDigits(value) {
+  let count = 0;
+  for (const char of value) {
+    if (char >= "0" && char <= "9") count += 1;
+  }
+  return count;
+}
+function countLetters(value) {
+  let count = 0;
+  for (const char of value) {
+    if (char >= "A" && char <= "Z" || char >= "a" && char <= "z") count += 1;
+  }
+  return count;
+}
+function normalizeCompactIdentifier(value) {
+  return foldForMatching(value).toUpperCase().replace(/[^A-Z0-9]/g, "");
+}
+function alphaNumericOrdinalValue(char) {
+  if (char >= "0" && char <= "9") return Number(char);
+  if (char >= "A" && char <= "Z") return char.charCodeAt(0) - 65;
+  return -1;
+}
+function mod97FromDigits(value) {
+  let remainder = 0;
+  for (const char of value) {
+    if (char < "0" || char > "9") return -1;
+    remainder = (remainder * 10 + Number(char)) % 97;
+  }
+  return remainder;
+}
+function daysInMonth(year, month) {
+  return new Date(Date.UTC(year, month, 0)).getUTCDate();
+}
+function isValidDate(year, month, day) {
+  if (!Number.isInteger(year) || year < 1800 || year > 2299) return false;
+  if (!Number.isInteger(month) || month < 1 || month > 12) return false;
+  if (!Number.isInteger(day) || day < 1 || day > 31) return false;
+  return day <= daysInMonth(year, month);
+}
+function isValidDayMonthWithTwoDigitYear(day, month, yearTwoDigits) {
+  return isValidDate(1900 + yearTwoDigits, month, day) || isValidDate(2e3 + yearTwoDigits, month, day);
+}
+function resolveCzechMonth(rawMonth) {
+  if (rawMonth >= 1 && rawMonth <= 12) return rawMonth;
+  if (rawMonth >= 21 && rawMonth <= 32) return rawMonth - 20;
+  if (rawMonth >= 51 && rawMonth <= 62) return rawMonth - 50;
+  if (rawMonth >= 71 && rawMonth <= 82) return rawMonth - 70;
+  return null;
+}
+function resolveCzechYear(twoDigits, length) {
+  if (length === 9) return 1900 + twoDigits;
+  return twoDigits >= 54 ? 1900 + twoDigits : 2e3 + twoDigits;
+}
+function resolveCnpYear(centuryCode, twoDigits) {
+  if (centuryCode === 1 || centuryCode === 2) return 1900 + twoDigits;
+  if (centuryCode === 3 || centuryCode === 4) return 1800 + twoDigits;
+  if (centuryCode === 5 || centuryCode === 6) return 2e3 + twoDigits;
+  if (centuryCode === 7 || centuryCode === 8) return 2e3 + twoDigits;
+  if (centuryCode === 9) return 1900 + twoDigits;
+  return null;
+}
+function pushUnique(items, candidate) {
+  const exists = items.some(
+    (item) => item.start === candidate.start && item.end === candidate.end && item.type === candidate.type
+  );
+  if (!exists) items.push(candidate);
+}
+function scanRegexMatches(regex, text, startTimeMs, deadlineMs, onMatch) {
+  regex.lastIndex = 0;
+  let scanned = 0;
+  let match;
+  while ((match = regex.exec(text)) !== null) {
+    if (hasExpired(startTimeMs, deadlineMs)) return;
+    scanned += 1;
+    if (scanned > MAX_CANDIDATES_PER_RULE) return;
+    const value = match[0] ?? "";
+    const start = match.index;
+    const end = start + value.length;
+    onMatch(value, start, end);
+  }
+}
+function scanAnchorHits(text, startTimeMs, deadlineMs) {
+  const normalized = foldForMatching(text);
+  const hits = [];
+  for (let i = 0; i < normalized.length; i += 1) {
+    if (hasExpired(startTimeMs, deadlineMs) || hits.length >= MAX_PREFILTER_HITS) {
+      break;
+    }
+    let node = anchorTrie.children.get(normalized[i] ?? "");
+    if (!node) continue;
+    let cursor = i;
+    while (node) {
+      if (node.terminalWords.length > 0) {
+        for (const word of node.terminalWords) {
+          const end = i + word.length;
+          if (end > normalized.length) continue;
+          if (normalized.slice(i, end) !== word) continue;
+          if (!hasWordBoundaries(normalized, i, end)) continue;
+          hits.push({ word, start: i, end });
+          if (hits.length >= MAX_PREFILTER_HITS) break;
+        }
+      }
+      cursor += 1;
+      if (cursor >= normalized.length) break;
+      node = node.children.get(normalized[cursor] ?? "");
+    }
+  }
+  return hits;
+}
+function hasAnchorNear(hits, start, end, anchorSet, windowChars = ANCHOR_WINDOW_CHARS) {
+  const left = Math.max(0, start - windowChars);
+  const right = end + windowChars;
+  for (const hit of hits) {
+    if (!anchorSet.has(hit.word)) continue;
+    if (hit.end < left) continue;
+    if (hit.start > right) continue;
+    return true;
+  }
+  return false;
+}
+function hasAnyAnchor(hits) {
+  return hits.length > 0;
+}
+function buildPrefilterState(text, startTimeMs, deadlineMs) {
+  const hits = scanAnchorHits(text, startTimeMs, deadlineMs);
+  return {
+    hits,
+    hasLongDigitHint: longDigitHintRegex.test(text),
+    hasSymbolHint: symbolHintRegex.test(text)
+  };
+}
+function parseLocaleRegion(locale) {
+  if (!locale) return null;
+  const normalized = locale.toLowerCase();
+  if (normalized.startsWith("cs") || normalized.startsWith("sk")) return "czsk";
+  if (normalized.startsWith("pl")) return "pl";
+  if (normalized.startsWith("ro")) return "ro";
+  if (normalized.startsWith("de")) return "de";
+  if (normalized.startsWith("hu")) return "hu";
+  if (normalized === "en" || normalized.startsWith("en-gb") || normalized === "gb" || normalized.startsWith("gb-")) {
+    return "gb";
+  }
+  if (normalized.startsWith("fr")) return "fr";
+  if (normalized.startsWith("es")) return "es";
+  if (normalized.startsWith("it")) return "it";
+  if (normalized.startsWith("nl")) return "nl";
+  if (normalized.startsWith("at")) return "at";
+  return null;
+}
+function inferRegionsFromAnchors(hits) {
+  const regions = /* @__PURE__ */ new Set();
+  const regionEntries = Object.entries(REGION_ANCHORS);
+  for (const hit of hits) {
+    for (const [region, words] of regionEntries) {
+      if (words.includes(hit.word)) {
+        regions.add(region);
+      }
+    }
+  }
+  return Array.from(regions);
+}
+function resolveRegions(text, locale) {
+  const localeRegion = parseLocaleRegion(locale);
+  if (localeRegion) return [localeRegion];
+  const normalizedLocale = locale?.toLowerCase().trim() ?? "";
+  const inferred = inferRegionsFromAnchors(
+    scanAnchorHits(text, Date.now(), DEFAULT_PREFILTER_DEADLINE_MS)
+  );
+  if (inferred.length > 0) return inferred;
+  if (normalizedLocale.startsWith("uk")) {
+    return ["czsk", "pl", "ro", "de", "hu", "fr", "es", "it", "nl", "at"];
+  }
+  return ["czsk", "pl", "ro", "de", "hu", "gb", "fr", "es", "it", "nl", "at"];
+}
+function mrzCharValue(char) {
+  if (char === "<") return 0;
+  if (char >= "0" && char <= "9") return Number(char);
+  if (char >= "A" && char <= "Z") return char.charCodeAt(0) - 55;
+  return -1;
+}
+function computeMrzCheckDigit(payload) {
+  let sum = 0;
+  for (let i = 0; i < payload.length; i += 1) {
+    const value = mrzCharValue(payload[i] ?? "");
+    if (value < 0) return -1;
+    sum += value * mrzWeights[i % mrzWeights.length];
+  }
+  return sum % 10;
+}
+function isValidMrzCheck(payload, checkChar) {
+  if (!/^\d$/.test(checkChar)) return false;
+  const expected = computeMrzCheckDigit(payload);
+  return expected >= 0 && expected === Number(checkChar);
+}
+function isValidOptionalMrzCheck(payload, checkChar) {
+  if (checkChar === "<") {
+    return /^[<]+$/.test(payload);
+  }
+  return isValidMrzCheck(payload, checkChar);
+}
+function validateTd3(lines) {
+  if (lines.length !== 2) return false;
+  const [line1, line2] = lines;
+  if (line1.length !== 44 || line2.length !== 44) return false;
+  if (!/^[A-Z][<A-Z]/.test(line1.slice(0, 2))) return false;
+  const passportNumber = line2.slice(0, 9);
+  const passportCheck = line2[9] ?? "";
+  const birthDate = line2.slice(13, 19);
+  const birthCheck = line2[19] ?? "";
+  const expiryDate = line2.slice(21, 27);
+  const expiryCheck = line2[27] ?? "";
+  const optionalData = line2.slice(28, 42);
+  const optionalCheck = line2[42] ?? "";
+  const finalCheck = line2[43] ?? "";
+  if (!isValidMrzCheck(passportNumber, passportCheck)) return false;
+  if (!isValidMrzCheck(birthDate, birthCheck)) return false;
+  if (!isValidMrzCheck(expiryDate, expiryCheck)) return false;
+  if (!isValidOptionalMrzCheck(optionalData, optionalCheck)) return false;
+  const composite = `${line2.slice(0, 10)}${line2.slice(13, 20)}${line2.slice(21, 43)}`;
+  return isValidMrzCheck(composite, finalCheck);
+}
+function validateTd2(lines) {
+  if (lines.length !== 2) return false;
+  const [line1, line2] = lines;
+  if (line1.length !== 36 || line2.length !== 36) return false;
+  if (!/^[A-Z][<A-Z]/.test(line1.slice(0, 2))) return false;
+  const documentNumber = line2.slice(0, 9);
+  const documentCheck = line2[9] ?? "";
+  const birthDate = line2.slice(13, 19);
+  const birthCheck = line2[19] ?? "";
+  const expiryDate = line2.slice(21, 27);
+  const expiryCheck = line2[27] ?? "";
+  const optionalData = line2.slice(28, 35);
+  const optionalCheck = line2[35] ?? "";
+  if (!isValidMrzCheck(documentNumber, documentCheck)) return false;
+  if (!isValidMrzCheck(birthDate, birthCheck)) return false;
+  if (!isValidMrzCheck(expiryDate, expiryCheck)) return false;
+  return isValidOptionalMrzCheck(optionalData, optionalCheck);
+}
+function validateTd1(lines) {
+  if (lines.length !== 3) return false;
+  const [line1, line2, line3] = lines;
+  if (line1.length !== 30 || line2.length !== 30 || line3.length !== 30) return false;
+  if (!/^[A-Z][<A-Z]/.test(line1.slice(0, 2))) return false;
+  const documentNumber = line1.slice(5, 14);
+  const documentCheck = line1[14] ?? "";
+  const birthDate = line2.slice(0, 6);
+  const birthCheck = line2[6] ?? "";
+  const expiryDate = line2.slice(8, 14);
+  const expiryCheck = line2[14] ?? "";
+  const composite = `${line1.slice(5, 30)}${line2.slice(0, 7)}${line2.slice(8, 15)}${line2.slice(18, 29)}`;
+  const finalCheck = line2[29] ?? "";
+  if (!isValidMrzCheck(documentNumber, documentCheck)) return false;
+  if (!isValidMrzCheck(birthDate, birthCheck)) return false;
+  if (!isValidMrzCheck(expiryDate, expiryCheck)) return false;
+  return isValidMrzCheck(composite, finalCheck);
+}
+function validateMrzLines(lines) {
+  const normalized = lines.map((line) => line.replace(/\s+/g, "").toUpperCase()).filter((line) => line.length > 0);
+  const merged = normalized.join("");
+  const reframed = normalized.length >= 2 && normalized.length <= 3 ? normalized : merged.length === 88 ? [merged.slice(0, 44), merged.slice(44)] : merged.length === 72 ? [merged.slice(0, 36), merged.slice(36)] : merged.length === 90 ? [merged.slice(0, 30), merged.slice(30, 60), merged.slice(60)] : normalized;
+  if (reframed.length === 2 && reframed[0]?.length === 44 && reframed[1]?.length === 44) {
+    return validateTd3(reframed);
+  }
+  if (reframed.length === 2 && reframed[0]?.length === 36 && reframed[1]?.length === 36) {
+    return validateTd2(reframed);
+  }
+  if (reframed.length === 3 && reframed[0]?.length === 30 && reframed[1]?.length === 30 && reframed[2]?.length === 30) {
+    return validateTd1(reframed);
+  }
+  return false;
+}
+function isValidPesel(value) {
+  const digitsOnly = value.replace(/\D/g, "");
+  if (!/^\d{11}$/.test(digitsOnly)) return false;
+  const yy = toInt(digitsOnly.slice(0, 2));
+  const mmRaw = toInt(digitsOnly.slice(2, 4));
+  const dd = toInt(digitsOnly.slice(4, 6));
+  const centuryOffset = Math.floor((mmRaw - 1) / 20);
+  const month = (mmRaw - 1) % 20 + 1;
+  const century = centuryOffset === 0 ? 1900 : centuryOffset === 1 ? 2e3 : centuryOffset === 2 ? 2100 : centuryOffset === 3 ? 2200 : centuryOffset === 4 ? 1800 : null;
+  if (century === null) return false;
+  if (!isValidDate(century + yy, month, dd)) return false;
+  let sum = 0;
+  for (let i = 0; i < 10; i += 1) {
+    sum += toInt(digitsOnly[i] ?? "0") * peselChecksumWeights[i];
+  }
+  const checkDigit = (10 - sum % 10) % 10;
+  return checkDigit === toInt(digitsOnly[10] ?? "0");
+}
+function isValidRomanianCnp(value) {
+  const digitsOnly = value.replace(/\D/g, "");
+  if (!/^\d{13}$/.test(digitsOnly)) return false;
+  const centuryCode = toInt(digitsOnly[0] ?? "0");
+  const yy = toInt(digitsOnly.slice(1, 3));
+  const mm = toInt(digitsOnly.slice(3, 5));
+  const dd = toInt(digitsOnly.slice(5, 7));
+  const year = resolveCnpYear(centuryCode, yy);
+  if (year === null) return false;
+  if (!isValidDate(year, mm, dd)) return false;
+  let sum = 0;
+  for (let i = 0; i < 12; i += 1) {
+    sum += toInt(digitsOnly[i] ?? "0") * cnpChecksumWeights[i];
+  }
+  let checkDigit = sum % 11;
+  if (checkDigit === 10) checkDigit = 1;
+  return checkDigit === toInt(digitsOnly[12] ?? "0");
+}
+function isValidCzechBirthNumber(value) {
+  const digitsOnly = value.replace(/\D/g, "");
+  if (!/^\d{9,10}$/.test(digitsOnly)) return false;
+  const yy = toInt(digitsOnly.slice(0, 2));
+  const mmRaw = toInt(digitsOnly.slice(2, 4));
+  const dd = toInt(digitsOnly.slice(4, 6));
+  const month = resolveCzechMonth(mmRaw);
+  if (month === null) return false;
+  const year = resolveCzechYear(yy, digitsOnly.length);
+  if (!isValidDate(year, month, dd)) return false;
+  if (digitsOnly.length === 10) {
+    const body = toInt(digitsOnly.slice(0, 9));
+    const expected = body % 11 === 10 ? 0 : body % 11;
+    const check = toInt(digitsOnly[9] ?? "0");
+    return expected === check;
+  }
+  return true;
+}
+function isValidGermanTaxId(value) {
+  const digitsOnly = value.replace(/\D/g, "");
+  if (!/^\d{11}$/.test(digitsOnly)) return false;
+  if (/^(\d)\1{10}$/.test(digitsOnly)) return false;
+  let product = 10;
+  for (let i = 0; i < 10; i += 1) {
+    let sum = (toInt(digitsOnly[i] ?? "0") + product) % 10;
+    if (sum === 0) sum = 10;
+    product = 2 * sum % 11;
+  }
+  let check = 11 - product;
+  if (check === 10 || check === 11) check = 0;
+  return check === toInt(digitsOnly[10] ?? "0");
+}
+function isValidHungarianTaj(value) {
+  const digitsOnly = value.replace(/\D/g, "");
+  if (!/^\d{9}$/.test(digitsOnly)) return false;
+  let sum = 0;
+  for (let i = 0; i < 8; i += 1) {
+    const weight = i % 2 === 0 ? 3 : 7;
+    sum += toInt(digitsOnly[i] ?? "0") * weight;
+  }
+  return sum % 10 === toInt(digitsOnly[8] ?? "0");
+}
+function isValidPolishNip(value) {
+  const digitsOnly = value.replace(/\D/g, "");
+  if (!/^\d{10}$/.test(digitsOnly)) return false;
+  let sum = 0;
+  for (let i = 0; i < 9; i += 1) {
+    sum += toInt(digitsOnly[i] ?? "0") * polishNipWeights[i];
+  }
+  const check = sum % 11;
+  if (check === 10) return false;
+  return check === toInt(digitsOnly[9] ?? "0");
+}
+function isLikelyUkNino(value) {
+  const normalized = value.replace(/\s+/g, "").toUpperCase();
+  if (!/^[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]$/.test(normalized)) return false;
+  const prefix = normalized.slice(0, 2);
+  const disallowedPrefixes = /* @__PURE__ */ new Set(["BG", "GB", "NK", "KN", "TN", "NT", "ZZ"]);
+  if (disallowedPrefixes.has(prefix)) return false;
+  if (normalized[0] === "D" || normalized[0] === "F" || normalized[0] === "I" || normalized[0] === "Q" || normalized[0] === "U" || normalized[0] === "V") {
+    return false;
+  }
+  if (normalized[1] === "D" || normalized[1] === "F" || normalized[1] === "I" || normalized[1] === "O" || normalized[1] === "Q" || normalized[1] === "U" || normalized[1] === "V") {
+    return false;
+  }
+  return true;
+}
+function isValidFrenchInsee(value) {
+  const normalized = normalizeCompactIdentifier(value);
+  if (!/^[12]\d{2}(0[1-9]|1[0-2]|[23]\d|4[0-2]|[5-9]\d)(2A|2B|\d{2})\d{3}\d{3}\d{2}$/.test(normalized)) {
+    return false;
+  }
+  const body = normalized.slice(0, 13);
+  const checkDigits = normalized.slice(13);
+  const bodyForChecksum = body.replace("2A", "19").replace("2B", "18");
+  if (!/^\d{13}$/.test(bodyForChecksum)) return false;
+  const remainder = mod97FromDigits(bodyForChecksum);
+  if (remainder < 0) return false;
+  const expectedNumber = 97 - remainder;
+  return expectedNumber === toInt(checkDigits);
+}
+function isValidSpanishDniNie(value) {
+  const normalized = normalizeCompactIdentifier(value);
+  let numberPortion = "";
+  let checkLetter = "";
+  if (/^\d{8}[A-Z]$/.test(normalized)) {
+    numberPortion = normalized.slice(0, 8);
+    checkLetter = normalized[8] ?? "";
+  } else if (/^[XYZ]\d{7}[A-Z]$/.test(normalized)) {
+    const prefixMap = { X: "0", Y: "1", Z: "2" };
+    numberPortion = `${prefixMap[normalized[0] ?? ""] ?? ""}${normalized.slice(1, 8)}`;
+    checkLetter = normalized[8] ?? "";
+  } else {
+    return false;
+  }
+  const expected = dniNieControlLetters[toInt(numberPortion) % 23] ?? "";
+  return checkLetter === expected;
+}
+function isValidItalianCodiceFiscale(value) {
+  const normalized = normalizeCompactIdentifier(value);
+  if (!/^[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]$/.test(normalized)) return false;
+  let sum = 0;
+  for (let i = 0; i < 15; i += 1) {
+    const char = normalized[i] ?? "";
+    const position = i + 1;
+    if (position % 2 === 0) {
+      const evenValue = alphaNumericOrdinalValue(char);
+      if (evenValue < 0) return false;
+      sum += evenValue;
+    } else {
+      const oddValue = italianOddControlMap[char];
+      if (typeof oddValue !== "number") return false;
+      sum += oddValue;
+    }
+  }
+  const expected = String.fromCharCode(65 + sum % 26);
+  return normalized[15] === expected;
+}
+function isValidDutchBsn(value) {
+  const digitsOnly = value.replace(/\D/g, "");
+  if (!/^\d{8,9}$/.test(digitsOnly)) return false;
+  const normalized = digitsOnly.padStart(9, "0");
+  if (normalized === "000000000") return false;
+  let sum = 0;
+  for (let i = 0; i < 8; i += 1) {
+    const weight = 9 - i;
+    sum += toInt(normalized[i] ?? "0") * weight;
+  }
+  sum -= toInt(normalized[8] ?? "0");
+  return sum % 11 === 0;
+}
+function isValidAustrianSvnr(value) {
+  const digitsOnly = value.replace(/\D/g, "");
+  if (!/^\d{10}$/.test(digitsOnly)) return false;
+  const day = toInt(digitsOnly.slice(4, 6));
+  const month = toInt(digitsOnly.slice(6, 8));
+  const yearTwoDigits = toInt(digitsOnly.slice(8, 10));
+  if (!isValidDayMonthWithTwoDigitYear(day, month, yearTwoDigits)) return false;
+  const bodyIndexes = [0, 1, 2, 4, 5, 6, 7, 8, 9];
+  let sum = 0;
+  for (let i = 0; i < bodyIndexes.length; i += 1) {
+    const digit = toInt(digitsOnly[bodyIndexes[i] ?? 0] ?? "0");
+    sum += digit * atSvnrWeights[i];
+  }
+  const expected = sum % 11;
+  if (expected === 10) return false;
+  return expected === toInt(digitsOnly[3] ?? "0");
+}
+function isLikelyEuVat(value) {
+  const normalized = value.replace(/\s+/g, "").toUpperCase();
+  if (!/^[A-Z]{2}[A-Z0-9]{8,12}$/.test(normalized)) return false;
+  const country = normalized.slice(0, 2);
+  return country !== "XX";
+}
+function isLikelyGenericDriverId(value) {
+  const normalized = value.replace(/\s+/g, "").toUpperCase();
+  if (normalized.length < 8 || normalized.length > 18) return false;
+  const letters = countLetters(normalized);
+  const digits = countDigits(normalized);
+  if (letters < 2 || digits < 4) return false;
+  if (!/^[A-Z0-9]+$/.test(normalized)) return false;
+  return true;
+}
+function detectMrzBlocks(text, startTimeMs, deadlineMs, results) {
+  mrzBlockRegex.lastIndex = 0;
+  let scanned = 0;
+  let match;
+  while ((match = mrzBlockRegex.exec(text)) !== null) {
+    if (hasExpired(startTimeMs, deadlineMs)) return;
+    scanned += 1;
+    if (scanned > MAX_CANDIDATES_PER_RULE) return;
+    const rawBlock = match[1] ?? "";
+    const lines = rawBlock.split(/\r?\n/);
+    if (!validateMrzLines(lines)) continue;
+    const wholeMatch = match[0] ?? "";
+    const startsWithCrlf = wholeMatch.startsWith("\r\n");
+    const startsWithLf = !startsWithCrlf && wholeMatch.startsWith("\n");
+    const prefixShift = startsWithCrlf ? 2 : startsWithLf ? 1 : 0;
+    const start = (match.index ?? 0) + prefixShift;
+    const end = start + rawBlock.length;
+    pushUnique(results, {
+      type: "mrz_document",
+      value: rawBlock,
+      start,
+      end
+    });
+  }
+}
+function detectNationalIdentifiers(text, options = {}) {
+  if (!text) return [];
+  const startTimeMs = options.startTimeMs ?? Date.now();
+  const deadlineMs = options.deadlineMs ?? DEFAULT_DEADLINE_MS;
+  const prefilter = buildPrefilterState(text, startTimeMs, deadlineMs);
+  if (!hasAnyAnchor(prefilter.hits) && !prefilter.hasLongDigitHint && !prefilter.hasSymbolHint) {
+    return [];
+  }
+  const results = [];
+  const regions = resolveRegions(text, options.locale ?? null);
+  const hasTaxAnchors = prefilter.hits.some((hit) => TAX_ANCHOR_SET.has(hit.word));
+  const hasNlBsnAnchors = prefilter.hits.some((hit) => NL_BSN_ANCHOR_SET.has(hit.word));
+  const hasAtSvnrAnchors = prefilter.hits.some((hit) => AT_SVNR_ANCHOR_SET.has(hit.word));
+  const hasDriverAnchors = prefilter.hits.some((hit) => DRIVER_ANCHOR_SET.has(hit.word));
+  const hasAddressAnchors = prefilter.hits.some((hit) => ADDRESS_ANCHOR_SET.has(hit.word));
+  const hasMrzAnchors = prefilter.hits.some((hit) => MRZ_ANCHOR_SET.has(hit.word));
+  if (prefilter.hasSymbolHint || hasMrzAnchors) {
+    detectMrzBlocks(text, startTimeMs, deadlineMs, results);
+  }
+  if (regions.includes("czsk")) {
+    scanRegexMatches(czBirthNumberRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!isValidCzechBirthNumber(value)) return;
+      pushUnique(results, { type: "birth_number", value, start, end });
+    });
+  }
+  if (regions.includes("pl")) {
+    scanRegexMatches(peselRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!isValidPesel(value)) return;
+      pushUnique(results, { type: "pl_pesel", value, start, end });
+    });
+  }
+  if (regions.includes("ro")) {
+    scanRegexMatches(cnpRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!isValidRomanianCnp(value)) return;
+      pushUnique(results, { type: "ro_cnp", value, start, end });
+    });
+  }
+  if (regions.includes("de") && hasTaxAnchors) {
+    scanRegexMatches(deTaxIdRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!hasAnchorNear(prefilter.hits, start, end, TAX_ANCHOR_SET)) return;
+      if (!isValidGermanTaxId(value)) return;
+      pushUnique(results, { type: "de_tax_id", value, start, end });
+    });
+  }
+  if (regions.includes("hu")) {
+    scanRegexMatches(huTajRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!isValidHungarianTaj(value)) return;
+      pushUnique(results, { type: "hu_taj", value, start, end });
+    });
+  }
+  if (regions.includes("pl") && hasTaxAnchors) {
+    scanRegexMatches(plNipRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!hasAnchorNear(prefilter.hits, start, end, TAX_ANCHOR_SET)) return;
+      if (!isValidPolishNip(value)) return;
+      pushUnique(results, { type: "pl_nip", value, start, end });
+    });
+  }
+  if (regions.includes("gb")) {
+    scanRegexMatches(ukNinoRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!hasAnchorNear(prefilter.hits, start, end, TAX_ANCHOR_SET)) return;
+      if (!isLikelyUkNino(value)) return;
+      pushUnique(results, { type: "uk_nino", value, start, end });
+    });
+  }
+  if (regions.includes("fr")) {
+    scanRegexMatches(frInseeRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!isValidFrenchInsee(value)) return;
+      pushUnique(results, { type: "fr_insee", value, start, end });
+    });
+  }
+  if (regions.includes("es")) {
+    scanRegexMatches(esDniRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!isValidSpanishDniNie(value)) return;
+      pushUnique(results, { type: "es_dni_nie", value, start, end });
+    });
+    scanRegexMatches(esNieRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!isValidSpanishDniNie(value)) return;
+      pushUnique(results, { type: "es_dni_nie", value, start, end });
+    });
+  }
+  if (regions.includes("it")) {
+    scanRegexMatches(itCodiceFiscaleRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!isValidItalianCodiceFiscale(value)) return;
+      pushUnique(results, { type: "it_codice_fiscale", value, start, end });
+    });
+  }
+  if (regions.includes("nl") && hasNlBsnAnchors) {
+    scanRegexMatches(nlBsnRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!hasAnchorNear(prefilter.hits, start, end, NL_BSN_ANCHOR_SET)) return;
+      if (!isValidDutchBsn(value)) return;
+      pushUnique(results, { type: "nl_bsn", value, start, end });
+    });
+  }
+  if (regions.includes("at") && hasAtSvnrAnchors) {
+    scanRegexMatches(atSvnrRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!hasAnchorNear(prefilter.hits, start, end, AT_SVNR_ANCHOR_SET)) return;
+      if (!isValidAustrianSvnr(value)) return;
+      pushUnique(results, { type: "at_svnr", value, start, end });
+    });
+  }
+  if (hasTaxAnchors) {
+    scanRegexMatches(euVatRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!hasAnchorNear(prefilter.hits, start, end, TAX_ANCHOR_SET)) return;
+      if (!isLikelyEuVat(value)) return;
+      pushUnique(results, { type: "eu_vat", value, start, end });
+    });
+  }
+  if (hasDriverAnchors) {
+    scanRegexMatches(ukDriverRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!hasAnchorNear(prefilter.hits, start, end, DRIVER_ANCHOR_SET)) return;
+      pushUnique(results, { type: "driver_license", value, start, end });
+    });
+    scanRegexMatches(genericDriverRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!hasAnchorNear(prefilter.hits, start, end, DRIVER_ANCHOR_SET)) return;
+      if (!isLikelyGenericDriverId(value)) return;
+      pushUnique(results, { type: "driver_license", value, start, end });
+    });
+  }
+  if (hasAddressAnchors) {
+    scanRegexMatches(postalCodeRegex, text, startTimeMs, deadlineMs, (value, start, end) => {
+      if (!hasAnchorNear(prefilter.hits, start, end, ADDRESS_ANCHOR_SET, ADDRESS_WINDOW_CHARS)) {
+        return;
+      }
+      pushUnique(results, { type: "address_postal", value, start, end });
+    });
+  }
+  if (options.allowContextBirthNumberFallback && !results.some((item) => item.type === "birth_number") && !/\d{6}\/?\d{3,4}/.test(text) && czBirthNumberContextRegex.test(text)) {
+    pushUnique(results, {
+      type: "birth_number",
+      value: "contextual_birth_number",
+      start: 0,
+      end: 0
+    });
+  }
+  return results;
+}
+
+// src/pii.ts
+var defaultScanDeadlineMs = 100;
+function countDigits2(value) {
   let count = 0;
   for (const ch of value) {
     if (ch >= "0" && ch <= "9") count += 1;
@@ -118,111 +973,36 @@ function normalizeDetections(text, detections) {
   return kept;
 }
 var PHONE_CONTEXT_KEYWORDS = [
-  // --- 🌍 GLOBAL / SYMBOLS / TECH ---
   "tel",
   "phone",
   "mobile",
-  "mobil",
   "cell",
   "call",
-  "fax",
-  "sms",
-  "whatsapp",
-  "signal",
-  "telegram",
-  "viber",
-  "skype",
-  "dial",
   "contact",
   "number",
   "hotline",
-  "helpdesk",
   "support",
   "infoline",
   "customer service",
   "client service",
-  "reach me",
-  "text me",
-  // --- 🇨🇿 CS (Czech) / 🇸🇰 SK (Slovak) ---
-  "volat",
-  "vola\u0165",
   "telefon",
-  "telef\xF3n",
-  "\u010D\xEDslo",
-  "cislo",
-  "kontakt",
-  "mobiln\xED",
-  "mobiln\xFD",
-  "ozvi se",
-  "ozvi sa",
-  "napi\u0161",
-  "nap\xED\u0161",
-  "zavolej",
-  "zavolaj",
-  "pevn\xE1 linka",
-  "klapka",
-  "spojovatelka",
-  "z\xE1kaznick\xE1 linka",
-  "podpora",
-  // --- 🇩🇪 DE (German) ---
+  "telefonu",
+  "telefonszam",
   "telefonnummer",
-  "handy",
-  "anruf",
-  "klingeln",
   "rufnummer",
-  "faxnummer",
-  "kontaktieren",
-  "erreichen",
-  "kundenservice",
-  "support",
-  "mobilfunk",
-  "festnetz",
-  "durchwahl",
-  // --- 🇵🇱 PL (Polish) ---
-  "telefon",
-  "telefonu",
-  "kom\xF3rka",
-  "komorkowy",
-  "zadzwo\u0144",
-  "numer",
-  "kontakt",
-  "infolinia",
+  "zadzwon",
+  "hivas",
   "wsparcie",
-  "fax",
-  "smsowa\u0107",
-  "wybierz",
-  // --- 🇭🇺 HU (Hungarian) ---
-  "h\xEDv\xE1s",
-  "telefonsz\xE1m",
-  "sz\xE1m",
-  "mobiltelefon",
-  "mobil",
-  "vezet\xE9kes",
-  "el\xE9rhet\u0151s\xE9g",
-  "\xFCgyf\xE9lszolg\xE1lat",
-  "fax",
-  "t\xE1rcs\xE1zza",
-  "cs\xF6r\xF6gj\xF6n",
-  // --- 🇺🇦 UA (Ukrainian) ---
-  "\u0442\u0435\u043B\u0435\u0444\u043E\u043D",
-  "\u043C\u043E\u0431\u0456\u043B\u044C\u043D\u0438\u0439",
-  "\u0434\u0437\u0432\u043E\u043D\u0438\u0442\u0438",
-  "\u043D\u043E\u043C\u0435\u0440",
-  "\u043A\u043E\u043D\u0442\u0430\u043A\u0442",
-  "\u0437\u0432'\u044F\u0437\u043E\u043A",
-  "\u0433\u0430\u0440\u044F\u0447\u0430 \u043B\u0456\u043D\u0456\u044F",
-  "\u043F\u0456\u0434\u0442\u0440\u0438\u043C\u043A\u0430",
-  "\u0441\u043C\u0441",
-  "\u0444\u0430\u043A\u0441",
-  "\u043F\u043E\u0437\u0432\u043E\u043D\u0438\u0442\u044C",
-  "\u043D\u0430\u0431\u0440\u0430\u0442\u0438"
+  "podpora",
+  "kontakt",
+  "dial"
 ];
 function escapeRegex(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 var PHONE_CONTEXT_RE = new RegExp(
   `(?:^|[^\\p{L}])(?:${PHONE_CONTEXT_KEYWORDS.map(escapeRegex).join("|")})(?:$|[^\\p{L}])`,
-  "u"
+  "iu"
 );
 function hasPhoneContext(text, matchStartIndex, windowSize = 50) {
   const start = Math.max(0, matchStartIndex - windowSize);
@@ -233,62 +1013,79 @@ var PIIManager = class {
   /**
    * Reversible local-first masking using <TYPE_INDEX> placeholders.
    *
-   * Zero-dep (regex-based). Designed for "good enough" privacy first-pass.
+   * Zero-dependency fallback with strict checksum validation for CEE national IDs.
    */
   anonymize(text) {
     if (!text) return { maskedText: text, mapping: {} };
-    const detections = [];
-    const emailRe = /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi;
-    for (const m of text.matchAll(emailRe)) {
-      if (m.index == null) continue;
-      detections.push({ start: m.index, end: m.index + m[0].length, type: "EMAIL", text: m[0] });
-    }
-    const ibanRe = /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/gi;
-    for (const m of text.matchAll(ibanRe)) {
-      if (m.index == null) continue;
-      detections.push({ start: m.index, end: m.index + m[0].length, type: "IBAN", text: m[0] });
-    }
-    const ccRe = /(?:\b\d[\d -]{10,22}\d\b)/g;
-    for (const m of text.matchAll(ccRe)) {
-      if (m.index == null) continue;
-      const digits = countDigits(m[0]);
-      if (digits < 12 || digits > 19) continue;
-      if (!luhnCheck(m[0])) continue;
-      detections.push({ start: m.index, end: m.index + m[0].length, type: "CREDIT_CARD", text: m[0] });
-    }
-    const phoneRe = /(?<!\d)(?:\+?\d[\d\s().-]{7,}\d)(?!\d)/g;
-    for (const m of text.matchAll(phoneRe)) {
-      if (m.index == null) continue;
-      const candidate = m[0];
-      const digits = countDigits(candidate);
-      if (digits < 9 || digits > 15) continue;
-      const isStrongInternational = candidate.startsWith("+") || candidate.startsWith("00");
-      if (!isStrongInternational) {
-        const hasContext = hasPhoneContext(text, m.index);
-        if (!hasContext) continue;
+    try {
+      const detections = [];
+      const emailRe = /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi;
+      for (const m of text.matchAll(emailRe)) {
+        if (m.index == null) continue;
+        detections.push({ start: m.index, end: m.index + m[0].length, type: "EMAIL", text: m[0] });
       }
-      detections.push({ start: m.index, end: m.index + m[0].length, type: "PHONE", text: m[0] });
-    }
-    const personRe = /(?<!\p{L})\p{Lu}\p{Ll}{2,}\s+\p{Lu}\p{Ll}{2,}(?!\p{L})/gu;
-    for (const m of text.matchAll(personRe)) {
-      if (m.index == null) continue;
-      detections.push({ start: m.index, end: m.index + m[0].length, type: "PERSON", text: m[0] });
-    }
-    const kept = normalizeDetections(text, detections);
-    if (!kept.length) return { maskedText: text, mapping: {} };
-    const counters = {};
-    const mapping = {};
-    const replacements = kept.map((d) => {
-      counters[d.type] = (counters[d.type] ?? 0) + 1;
-      const placeholder = `<${d.type}_${counters[d.type]}>`;
-      mapping[placeholder] = d.text;
-      return { ...d, placeholder };
-    });
-    let masked = text;
-    for (const r of replacements.sort((a, b) => b.start - a.start)) {
-      masked = masked.slice(0, r.start) + r.placeholder + masked.slice(r.end);
+      const ibanRe = /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/gi;
+      for (const m of text.matchAll(ibanRe)) {
+        if (m.index == null) continue;
+        detections.push({ start: m.index, end: m.index + m[0].length, type: "IBAN", text: m[0] });
+      }
+      const ccRe = /(?:\b\d[\d -]{10,22}\d\b)/g;
+      for (const m of text.matchAll(ccRe)) {
+        if (m.index == null) continue;
+        const digits = countDigits2(m[0]);
+        if (digits < 12 || digits > 19) continue;
+        if (!luhnCheck(m[0])) continue;
+        detections.push({ start: m.index, end: m.index + m[0].length, type: "CREDIT_CARD", text: m[0] });
+      }
+      const phoneRe = /(?<!\d)(?:\+?\d[\d\s().-]{7,}\d)(?!\d)/g;
+      for (const m of text.matchAll(phoneRe)) {
+        if (m.index == null) continue;
+        const candidate = m[0];
+        const digits = countDigits2(candidate);
+        if (digits < 9 || digits > 15) continue;
+        const isStrongInternational = candidate.startsWith("+") || candidate.startsWith("00");
+        if (!isStrongInternational) {
+          const hasContext = hasPhoneContext(text, m.index);
+          if (!hasContext) continue;
+        }
+        detections.push({ start: m.index, end: m.index + m[0].length, type: "PHONE", text: m[0] });
+      }
+      const personRe = /(?<!\p{L})\p{Lu}\p{Ll}{2,}\s+\p{Lu}\p{Ll}{2,}(?!\p{L})/gu;
+      for (const m of text.matchAll(personRe)) {
+        if (m.index == null) continue;
+        detections.push({ start: m.index, end: m.index + m[0].length, type: "PERSON", text: m[0] });
+      }
+      const nationalIdMatches = detectNationalIdentifiers(text, {
+        deadlineMs: defaultScanDeadlineMs,
+        allowContextBirthNumberFallback: false
+      });
+      for (const match of nationalIdMatches) {
+        if (match.start < 0 || match.end <= match.start) continue;
+        detections.push({
+          start: match.start,
+          end: match.end,
+          type: "NATIONAL_ID",
+          text: text.slice(match.start, match.end)
+        });
+      }
+      const kept = normalizeDetections(text, detections);
+      if (!kept.length) return { maskedText: text, mapping: {} };
+      const counters = {};
+      const mapping = {};
+      const replacements = kept.map((d) => {
+        counters[d.type] = (counters[d.type] ?? 0) + 1;
+        const placeholder = `<${d.type}_${counters[d.type]}>`;
+        mapping[placeholder] = d.text;
+        return { ...d, placeholder };
+      });
+      let masked = text;
+      for (const r of replacements.sort((a, b) => b.start - a.start)) {
+        masked = masked.slice(0, r.start) + r.placeholder + masked.slice(r.end);
+      }
+      return { maskedText: masked, mapping };
+    } catch {
+      return { maskedText: text, mapping: {} };
     }
-    return { maskedText: masked, mapping };
   }
   deanonymize(text, mapping) {
     if (!text || !mapping || !Object.keys(mapping).length) return text;
@@ -307,6 +1104,7 @@ var PIIManager = class {
 
 // src/local-security-enforcer.ts
 var DEFAULT_STRICT_CONFIG = {
+  shadow_mode: false,
   block_pii_leakage: true,
   block_db_access: true,
   block_code_execution: true,
@@ -353,6 +1151,12 @@ var LocalSecurityEnforcer = class {
   }
   enforce(params) {
     const { input, stream, config } = params;
+    if (config.shadow_mode) {
+      return {
+        sanitizedInput: input,
+        events: []
+      };
+    }
     const violationType = detectCapabilityViolation(input, config);
     if (violationType) {
       throw new SecurityPolicyViolationError(
@@ -418,12 +1222,23 @@ function readBooleanField(body, primaryKey, aliasKey) {
   }
   throw new Error(`Missing config field: ${primaryKey}`);
 }
+function readOptionalBooleanField(body, key, fallback) {
+  if (!(key in body)) {
+    return fallback;
+  }
+  const value = body[key];
+  if (typeof value === "boolean") {
+    return value;
+  }
+  throw new Error(`Invalid config field: ${key}`);
+}
 function normalizeCapabilityConfig(payload) {
   if (!payload || typeof payload !== "object") {
     throw new Error("Invalid config payload");
   }
   const body = payload;
   return {
+    shadow_mode: readOptionalBooleanField(body, "shadow_mode", false),
     block_pii_leakage: readBooleanField(body, "block_pii_leakage", "block_pii"),
     block_db_access: readBooleanField(body, "block_db_access", "block_db"),
     block_code_execution: readBooleanField(
@@ -981,9 +1796,9 @@ function getInjectionScanner() {
 
 // src/agentid.ts
 var AGENTID_SDK_VERSION_HEADER2 = "js-1.0.7";
-var DEFAULT_GUARD_TIMEOUT_MS = 6e3;
-var MIN_GUARD_TIMEOUT_MS = 1e3;
-var MAX_GUARD_TIMEOUT_MS = 3e4;
+var DEFAULT_GUARD_TIMEOUT_MS = 800;
+var MIN_GUARD_TIMEOUT_MS = 500;
+var MAX_GUARD_TIMEOUT_MS = 1e4;
 function normalizeBaseUrl3(baseUrl) {
   return baseUrl.replace(/\/+$/, "");
 }
@@ -992,6 +1807,12 @@ function isAbortSignalLike(value) {
   const candidate = value;
   return typeof candidate.aborted === "boolean" && typeof candidate.addEventListener === "function";
 }
+function isAsyncIterable(value) {
+  if (!value || typeof value !== "object" && typeof value !== "function") {
+    return false;
+  }
+  return typeof value[Symbol.asyncIterator] === "function";
+}
 function normalizeOpenAICreateArgs(rawArgs) {
   if (!Array.isArray(rawArgs) || rawArgs.length === 0) {
     return rawArgs;
@@ -1052,6 +1873,70 @@ async function safeReadJson2(response) {
     return null;
   }
 }
+function createCompletionChunkCollector() {
+  if (typeof TransformStream === "function") {
+    const stream = new TransformStream({
+      transform(chunk, controller) {
+        controller.enqueue(chunk);
+      }
+    });
+    const writer = stream.writable.getWriter();
+    const result2 = (async () => {
+      const reader = stream.readable.getReader();
+      let combined = "";
+      try {
+        while (true) {
+          const { value, done: done2 } = await reader.read();
+          if (done2) break;
+          if (typeof value === "string") {
+            combined += value;
+          }
+        }
+        return combined;
+      } finally {
+        reader.releaseLock();
+      }
+    })();
+    return {
+      push: async (chunk) => {
+        if (!chunk) return;
+        await writer.write(chunk);
+      },
+      close: async () => {
+        await writer.close();
+      },
+      abort: async (reason) => {
+        await writer.abort(reason instanceof Error ? reason : new Error(String(reason)));
+      },
+      result: result2
+    };
+  }
+  let done = false;
+  const chunks = [];
+  let resolveResult = null;
+  let rejectResult = null;
+  const result = new Promise((resolve, reject) => {
+    resolveResult = resolve;
+    rejectResult = reject;
+  });
+  return {
+    push: async (chunk) => {
+      if (done || !chunk) return;
+      chunks.push(chunk);
+    },
+    close: async () => {
+      if (done) return;
+      done = true;
+      resolveResult?.(chunks.join(""));
+    },
+    abort: async (reason) => {
+      if (done) return;
+      done = true;
+      rejectResult?.(reason instanceof Error ? reason : new Error(String(reason)));
+    },
+    result
+  };
+}
 var AgentID = class {
   constructor(config) {
     this.injectionScanner = getInjectionScanner();
@@ -1207,6 +2092,26 @@ var AgentID = class {
       }
     }, { apiKey: params.apiKey });
   }
+  logGuardFallback(params) {
+    this.log(
+      {
+        system_id: params.guardParams.system_id,
+        user_id: params.guardParams.user_id,
+        input: params.guardParams.input,
+        output: "",
+        model: params.guardParams.model ?? "unknown",
+        event_type: "security_alert",
+        severity: "warning",
+        metadata: {
+          source: "guard",
+          status: params.status,
+          guard_reason: params.reason,
+          shadow_mode: false
+        }
+      },
+      { apiKey: params.apiKey }
+    );
+  }
   /**
    * GUARD: Checks limits, PII, and security before execution.
    * strictMode=false (default): FAIL-OPEN on connectivity/timeouts.
@@ -1234,10 +2139,16 @@ var AgentID = class {
       const responseBody = await safeReadJson2(res);
       if (responseBody && typeof responseBody.allowed === "boolean") {
         const verdict = responseBody;
-        if (!this.strictMode && verdict.allowed === false && (isInfrastructureGuardReason(verdict.reason) || res.status >= 500)) {
+        if (verdict.allowed === false && (isInfrastructureGuardReason(verdict.reason) || res.status >= 500)) {
           console.warn(
             `[AgentID] Guard API infrastructure fallback in fail-open mode (${verdict.reason ?? `http_${res.status}`}).`
           );
+          this.logGuardFallback({
+            reason: verdict.reason ?? `http_${res.status}`,
+            status: "upstream_error",
+            guardParams: params,
+            apiKey: effectiveApiKey
+          });
           return { allowed: true, reason: "system_failure_fail_open" };
         }
         return verdict;
@@ -1250,55 +2161,159 @@ var AgentID = class {
       const isAbortError2 = error && typeof error === "object" && error.name === "AbortError";
       if (isAbortError2) {
         const timeoutMessage = "AgentID API Warning: Connection timeout exceeded.";
-        if (this.strictMode) {
-          throw new Error(timeoutMessage);
-        }
         console.warn(timeoutMessage);
+        this.logGuardFallback({
+          reason: "timeout_fallback",
+          status: "latency_timeout",
+          guardParams: params,
+          apiKey: effectiveApiKey
+        });
         return { allowed: true, reason: "timeout_fallback" };
       }
-      if (this.strictMode) {
-        if (error instanceof Error) {
-          throw error;
-        }
-        throw new Error("AgentID API Error: Guard request failed.");
-      }
       console.warn("[AgentID] Guard check failed (Fail-Open active):", error);
+      this.logGuardFallback({
+        reason: "guard_unreachable",
+        status: "guard_unreachable",
+        guardParams: params,
+        apiKey: effectiveApiKey
+      });
       return { allowed: true, reason: "guard_unreachable" };
     } finally {
       clearTimeout(timeoutId);
     }
   }
+  extractStreamChunkText(chunk) {
+    if (typeof chunk === "string") {
+      return chunk;
+    }
+    if (!chunk || typeof chunk !== "object") {
+      return "";
+    }
+    const choices = chunk.choices;
+    if (!Array.isArray(choices)) {
+      return "";
+    }
+    let text = "";
+    for (const choice of choices) {
+      if (!choice || typeof choice !== "object") continue;
+      const delta = choice.delta;
+      const message = choice.message;
+      const contentCandidate = delta?.content ?? message?.content;
+      if (typeof contentCandidate === "string") {
+        text += contentCandidate;
+        continue;
+      }
+      if (Array.isArray(contentCandidate)) {
+        for (const part of contentCandidate) {
+          if (!part || typeof part !== "object") continue;
+          const partText = part.text;
+          if (typeof partText === "string") {
+            text += partText;
+          }
+        }
+      }
+    }
+    return text;
+  }
+  wrapCompletion(completion) {
+    if (typeof completion === "string") {
+      const masked = this.pii.anonymize(completion);
+      return {
+        mode: "static",
+        rawOutput: completion,
+        transformedOutput: masked.maskedText,
+        outputMasked: masked.maskedText !== completion
+      };
+    }
+    if (!isAsyncIterable(completion)) {
+      const asText = String(completion ?? "");
+      const masked = this.pii.anonymize(asText);
+      return {
+        mode: "static",
+        rawOutput: asText,
+        transformedOutput: masked.maskedText,
+        outputMasked: masked.maskedText !== asText
+      };
+    }
+    const source = completion;
+    const collector = createCompletionChunkCollector();
+    const self = this;
+    let resolveDone = null;
+    let rejectDone = null;
+    const done = new Promise((resolve, reject) => {
+      resolveDone = resolve;
+      rejectDone = reject;
+    });
+    const wrapped = {
+      [Symbol.asyncIterator]: async function* () {
+        try {
+          for await (const chunk of source) {
+            const chunkText = self.extractStreamChunkText(chunk);
+            if (chunkText) {
+              await collector.push(chunkText);
+            }
+            yield chunk;
+          }
+          await collector.close();
+          const rawOutput = await collector.result;
+          const masked = self.pii.anonymize(rawOutput);
+          resolveDone?.({
+            mode: "static",
+            rawOutput,
+            transformedOutput: masked.maskedText,
+            outputMasked: masked.maskedText !== rawOutput
+          });
+        } catch (error) {
+          await collector.abort(error);
+          rejectDone?.(error instanceof Error ? error : new Error(String(error)));
+          throw error;
+        }
+      }
+    };
+    return {
+      mode: "stream",
+      completion: wrapped,
+      done
+    };
+  }
   /**
    * LOG: Sends telemetry after execution.
    * Non-blocking / Fire-and-forget.
    */
   log(params, options) {
-    const effectiveApiKey = this.resolveApiKey(options?.apiKey);
-    const eventId = params.event_id ?? (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function" ? crypto.randomUUID() : `evt_${Date.now()}_${Math.random().toString(36).slice(2)}`);
-    const timestamp = params.timestamp ?? (/* @__PURE__ */ new Date()).toISOString();
-    void this.getCapabilityConfig(false, { apiKey: effectiveApiKey }).catch(() => void 0);
-    const metadata = {
-      ...params.metadata ?? {}
-    };
-    if (!Object.prototype.hasOwnProperty.call(metadata, "agentid_base_url")) {
-      metadata.agentid_base_url = this.baseUrl;
-    }
-    void fetch(`${this.baseUrl}/ingest`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "x-agentid-api-key": effectiveApiKey,
-        "X-AgentID-SDK-Version": AGENTID_SDK_VERSION_HEADER2
-      },
-      body: JSON.stringify({
-        ...params,
-        event_id: eventId,
-        timestamp,
-        metadata,
-        client_capabilities: params.client_capabilities ?? this.buildClientCapabilities()
-      })
-    }).catch((error) => {
-      console.error("[AgentID] Log failed:", error);
+    queueMicrotask(() => {
+      void (async () => {
+        try {
+          const effectiveApiKey = this.resolveApiKey(options?.apiKey);
+          const eventId = params.event_id ?? (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function" ? crypto.randomUUID() : `evt_${Date.now()}_${Math.random().toString(36).slice(2)}`);
+          const timestamp = params.timestamp ?? (/* @__PURE__ */ new Date()).toISOString();
+          void this.getCapabilityConfig(false, { apiKey: effectiveApiKey }).catch(() => void 0);
+          const metadata = {
+            ...params.metadata ?? {}
+          };
+          if (!Object.prototype.hasOwnProperty.call(metadata, "agentid_base_url")) {
+            metadata.agentid_base_url = this.baseUrl;
+          }
+          await fetch(`${this.baseUrl}/ingest`, {
+            method: "POST",
+            keepalive: true,
+            headers: {
+              "Content-Type": "application/json",
+              "x-agentid-api-key": effectiveApiKey,
+              "X-AgentID-SDK-Version": AGENTID_SDK_VERSION_HEADER2
+            },
+            body: JSON.stringify({
+              ...params,
+              event_id: eventId,
+              timestamp,
+              metadata,
+              client_capabilities: params.client_capabilities ?? this.buildClientCapabilities()
+            })
+          });
+        } catch (error) {
+          console.error("[AgentID] Log failed:", error);
+        }
+      })();
     });
   }
   /**
@@ -1399,6 +2414,7 @@ var AgentID = class {
                 const verdict = await this.guard({
                   input: maskedText,
                   system_id: systemId,
+                  model: adapter.getModelName(maskedReq),
                   user_id: options.user_id,
                   client_capabilities: this.buildClientCapabilities("openai", false)
                 }, requestOptions);
@@ -1407,27 +2423,81 @@ var AgentID = class {
                     `AgentID: Security Blocked (${verdict.reason ?? "guard_denied"})`
                   );
                 }
+                const isShadowMode = verdict.shadow_mode === true;
+                const transformedInput = isShadowMode ? maskedText : typeof verdict.transformed_input === "string" && verdict.transformed_input.length > 0 ? verdict.transformed_input : maskedText;
+                if (transformedInput !== maskedText) {
+                  maskedText = transformedInput;
+                  maskedReq = this.withMaskedOpenAIRequest(
+                    req,
+                    transformedInput
+                  );
+                  const nextCreateArgs = [...normalizedCreateArgs];
+                  nextCreateArgs[0] = maskedReq;
+                  createArgs = nextCreateArgs;
+                }
                 if (stream) {
-                  console.warn(
-                    "AgentID: Automatic logging for streaming responses is not yet supported."
+                  const streamResponse = await originalCreate.apply(compTarget, createArgs);
+                  const wrappedCompletion = this.wrapCompletion(
+                    isAsyncIterable(streamResponse) ? streamResponse : (async function* () {
+                      if (typeof streamResponse !== "undefined") {
+                        yield streamResponse;
+                      }
+                    })()
                   );
-                  return await originalCreate.apply(compTarget, createArgs);
+                  if (maskedText && wrappedCompletion.mode === "stream") {
+                    void wrappedCompletion.done.then((result) => {
+                      const outputForLog = isShadowMode ? result.rawOutput : result.transformedOutput;
+                      this.log({
+                        system_id: systemId,
+                        user_id: options.user_id,
+                        input: maskedText,
+                        output: outputForLog,
+                        model: adapter.getModelName(maskedReq),
+                        usage: void 0,
+                        latency: void 0,
+                        metadata: {
+                          transformed_input: maskedText,
+                          transformed_output: result.transformedOutput,
+                          output_masked: result.outputMasked,
+                          shadow_mode: isShadowMode,
+                          simulated_decision: verdict.simulated_decision ?? null,
+                          simulated_output_decision: isShadowMode && result.outputMasked ? "masked" : "allowed",
+                          response_streamed: true
+                        },
+                        client_capabilities: this.buildClientCapabilities("openai", false)
+                      }, requestOptions);
+                    }).catch((error) => {
+                      console.error("[AgentID] Stream completion wrapping failed:", error);
+                    });
+                  }
+                  return wrappedCompletion.mode === "stream" ? wrappedCompletion.completion : streamResponse;
                 }
                 const start = Date.now();
                 const res = await originalCreate.apply(compTarget, createArgs);
                 const latency = Date.now() - start;
                 if (maskedText) {
                   const output = adapter.extractOutput(res);
+                  const wrappedCompletion = this.wrapCompletion(output);
                   const model = adapter.getModelName(maskedReq, res);
                   const usage = adapter.getTokenUsage(res);
+                  const outputForLog = isShadowMode ? wrappedCompletion.rawOutput : wrappedCompletion.transformedOutput;
                   this.log({
                     system_id: systemId,
                     user_id: options.user_id,
                     input: maskedText,
-                    output,
+                    output: outputForLog,
                     model,
                     usage,
                     latency,
+                    metadata: {
+                      transformed_input: maskedText,
+                      transformed_output: wrappedCompletion.transformedOutput,
+                      output_masked: wrappedCompletion.outputMasked,
+                      shadow_mode: isShadowMode,
+                      simulated_decision: verdict.simulated_decision ?? null,
+                      simulated_output_decision: isShadowMode && wrappedCompletion.outputMasked ? "masked" : "allowed",
+                      response_streamed: false
+                    },
                     client_capabilities: this.buildClientCapabilities("openai", false)
                   }, requestOptions);
                 }
@@ -1638,8 +2708,17 @@ var AgentIDCallbackHandler = class {
     if (!verdict.allowed) {
       throw new Error(`AgentID: Security Blocked (${verdict.reason ?? "guard_denied"})`);
     }
+    const transformedInput = typeof verdict.transformed_input === "string" && verdict.transformed_input.length > 0 ? verdict.transformed_input : sanitizedInput;
+    if (transformedInput !== sanitizedInput) {
+      const mutated = setPromptInPrompts(prompts, transformedInput);
+      if (!mutated) {
+        throw new Error(
+          "AgentID: Guard transformed input could not be applied to LangChain prompt payload."
+        );
+      }
+    }
     this.runs.set(id, {
-      input: sanitizedInput,
+      input: transformedInput,
       startedAtMs: Date.now(),
       model: extractModel(serialized, extraParams)
     });
@@ -1668,8 +2747,17 @@ var AgentIDCallbackHandler = class {
     if (!verdict.allowed) {
       throw new Error(`AgentID: Security Blocked (${verdict.reason ?? "guard_denied"})`);
     }
+    const transformedInput = typeof verdict.transformed_input === "string" && verdict.transformed_input.length > 0 ? verdict.transformed_input : sanitizedInput;
+    if (transformedInput !== sanitizedInput) {
+      const mutated = setPromptInMessages(messages, transformedInput);
+      if (!mutated) {
+        throw new Error(
+          "AgentID: Guard transformed input could not be applied to LangChain message payload."
+        );
+      }
+    }
     this.runs.set(id, {
-      input: sanitizedInput,
+      input: transformedInput,
       startedAtMs: Date.now(),
       model: extractModel(serialized, extraParams)
     });