npm - mask-privacy - Versions diffs - 3.0.0 → 3.2.0 - Mend

mask-privacy 3.0.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/README.md +5 -17
package/dist/index.d.mts +58 -27
package/dist/index.d.ts +58 -27
package/dist/index.js +394 -310
package/dist/index.js.map +1 -1
package/dist/index.mjs +394 -310
package/dist/index.mjs.map +1 -1
package/package.json +1 -1
package/src/core/dlp/assessor.ts +3 -26
package/src/core/dlp/handlers.ts +44 -31
package/src/core/dlp/index.ts +0 -2
package/src/core/dlp/registry.ts +119 -107
package/src/core/dlp/scorer.ts +4 -4
package/src/core/fpe.ts +85 -32
package/src/core/fpe_utils.ts +20 -20
package/src/core/scanner.ts +146 -151
package/src/core/span.ts +76 -0
package/src/core/transformers_scanner.ts +2 -2
package/src/core/vault.ts +2 -1
package/tests/async.test.ts +2 -2
package/tests/dlp_hardened.test.ts +21 -0
package/tests/fpe.test.ts +4 -4
package/tests/hooks.test.ts +2 -2
package/tests/langchain.test.ts +2 -2
package/tests/llamaindex.test.ts +1 -1
package/tests/scanner.test.ts +0 -1
package/tests/substring.test.ts +1 -1
package/tests/vault.test.ts +1 -1

package/dist/index.js CHANGED Viewed

@@ -256,10 +256,13 @@ var init_exceptions = __esm({
 function looksLikeToken(value) {
   if (typeof value !== "string") return false;
   const v7 = value.trim();
-  if (v7.startsWith("tkn-") && v7.includes("@email.com")) {
-    return true;
+  if (v7.startsWith("tkn-") && v7.includes("@")) {
+    const parts = v7.split("@");
+    if (parts.length === 2 && parts[0].length >= 12 && parts[1].includes(".")) {
+      return true;
+    }
   }
-  if (v7.startsWith("+1-555-") && v7.length === 14) {
+  if (/^\+[1-9]\d{0,3}-555-\d{7}$/.test(v7)) {
     return true;
   }
   if (v7.startsWith("000-00-") && v7.length === 11) {
@@ -271,16 +274,13 @@ function looksLikeToken(value) {
   if (v7.startsWith("000000") && v7.length === 9) {
     return true;
   }
-  if (v7.startsWith("784-0000-") && v7.length === 18) {
-    return true;
-  }
-  if (v7.length === 11 && v7.startsWith("990000") && /^\d+$/.test(v7) && parseInt(v7[v7.length - 1], 10) % 2 === 0) {
+  if (v7.length === 9 && v7.startsWith("000") && /[A-Z]$/.test(v7)) {
     return true;
   }
-  if (v7.length === 10 && v7.startsWith("100000") && /^\d+$/.test(v7)) {
+  if (/^[A-Z]{2}00[A-F0-9]{4,16}$/.test(v7)) {
     return true;
   }
-  if (/^[A-Z]{2}00[A-F0-9]{4,16}$/.test(v7)) {
+  if (/^<(PER|LOC|ORG):[^>]+>$/.test(v7)) {
     return true;
   }
   if (v7.startsWith("[TKN-") && v7.endsWith("]")) {
@@ -292,7 +292,7 @@ var TOKEN_PATTERN;
 var init_fpe_utils = __esm({
   "src/core/fpe_utils.ts"() {
     TOKEN_PATTERN = new RegExp(
-      "tkn-[a-f0-9]{8,64}@email\\.com|\\+1-555-\\d{7}|000-00-\\d{4}|4000-0000-0000-\\d{4}|000000\\d{3}|990000\\d{4}[02468]|100000\\d{4}|784-0000-\\d{7}-\\d|[A-Z]{2}00[A-F0-9]{4,16}|\\[TKN-[a-f0-9]{8,64}\\]",
+      "tkn-[a-f0-9]{8,64}@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}|\\+[1-9]\\d{0,3}-555-\\d{7}|000-00-\\d{4}|4000-0000-0000-\\d{4}|000000\\d{3}|000\\d{5}[A-Z]|[A-Z]{2}00[A-F0-9]{4,16}|<(?:PER|LOC|ORG):[^>]+>|\\[TKN-[a-f0-9]{8,64}\\]",
       // Opaque
       "g"
     );
@@ -341,42 +341,87 @@ async function _hmacDigits(plaintext, n6, offset = 0) {
   }
   return result.join("");
 }
-async function generateFPEToken(rawText) {
-  const text = rawText.trim();
-  if (_EMAIL_RE.test(text)) {
-    return `tkn-${await _hmacHex(text)}@email.com`;
-  }
-  if (_PHONE_RE.test(text)) {
-    return `+1-555-${await _hmacDigits(text, 7)}`;
+async function _pickFromArray(plaintext, array) {
+  const digits = await _hmacDigits(plaintext, 8);
+  const num = parseInt(digits, 10);
+  return array[num % array.length];
+}
+function _computeLuhnDigit(partialNum) {
+  const digits = partialNum.split("").map(Number);
+  let sum = 0;
+  let shouldDouble = true;
+  for (let i6 = digits.length - 1; i6 >= 0; i6--) {
+    let digit = digits[i6];
+    if (shouldDouble) {
+      digit *= 2;
+      if (digit > 9) digit -= 9;
+    }
+    sum += digit;
+    shouldDouble = !shouldDouble;
   }
-  if (_SSN_RE.test(text)) {
+  return ((10 - sum % 10) % 10).toString();
+}
+function _computeEsIdCheck(num) {
+  return "TRWAGMYFPDXBNJZSQVHLCKE"[num % 23];
+}
+async function generateFPEToken(rawText, entityType = "UNKNOWN") {
+  const text = rawText.trim();
+  let type = (entityType || "UNKNOWN").toUpperCase();
+  if (type === "UNKNOWN") {
+    if (_EMAIL_RE.test(text)) type = "EMAIL_ADDRESS";
+    else if (_SSN_RE.test(text)) type = "US_SSN";
+    else if (_CC_RE.test(text)) type = "CREDIT_CARD";
+    else if (_ROUTING_RE.test(text)) type = "US_ROUTING_NUMBER";
+    else if (_ES_ID_RE.test(text)) type = "ES_DNI";
+    else if (_IBAN_RE.test(text)) type = "INTL_BANK_IBAN";
+    else if (_PHONE_RE.test(text)) type = "PHONE_NUMBER";
+  }
+  if (type === "EMAIL_ADDRESS" || type === "EMAIL_ADDR") {
+    const parts = text.split("@");
+    const domain = parts.length === 2 ? parts[1] : "email.com";
+    return `tkn-${await _hmacHex(text)}@${domain}`;
+  }
+  if (type === "PHONE_NUMBER" || type === "PHONE_NUM" || type === "PHONE_NUM_INTL") {
+    const m6 = text.match(/^\+([1-9]\d{0,3})/);
+    const cc = m6 ? m6[1] : "1";
+    return `+${cc}-555-${await _hmacDigits(text, 7)}`;
+  }
+  if (type === "US_SSN") {
     return `000-00-${await _hmacDigits(text, 4)}`;
   }
-  if (_CC_RE.test(text)) {
-    return `4000-0000-0000-${await _hmacDigits(text, 4)}`;
+  if (type === "CREDIT_CARD" || type === "CREDIT_CARD_NUMBER") {
+    const base = `400000000000${await _hmacDigits(text, 3)}`;
+    const checkDig = _computeLuhnDigit(base);
+    const full = base + checkDig;
+    return `${full.slice(0, 4)}-${full.slice(4, 8)}-${full.slice(8, 12)}-${full.slice(12, 16)}`;
   }
-  if (_ROUTING_RE.test(text)) {
+  if (type === "US_ROUTING_NUMBER" || type === "US_ABA_ROUTING") {
     return `000000${await _hmacDigits(text, 3)}`;
   }
-  if (_TCID_RE.test(text)) {
-    const tail = await _hmacDigits(text, 5);
-    let lastD = parseInt(tail[tail.length - 1], 10);
-    if (lastD % 2 !== 0) lastD = (lastD + 1) % 10;
-    return `990000${tail.slice(0, 4)}${lastD}`;
+  if (type === "INTL_BANK_IBAN" || type === "IBAN_CODE") {
+    const countryCode = text.length >= 2 && /[a-zA-Z]{2}/.test(text.slice(0, 2)) ? text.slice(0, 2).toUpperCase() : "US";
+    return `${countryCode}00${(await _hmacHex(text, 8)).toUpperCase()}`;
+  }
+  if (type === "ES_DNI") {
+    const digits = `000${await _hmacDigits(text, 5)}`;
+    return digits + _computeEsIdCheck(parseInt(digits, 10));
   }
-  if (_SAUDI_NID_RE.test(text)) {
-    return `100000${await _hmacDigits(text, 4)}`;
+  if (type === "PERSON" || type === "PERSON_NAME") {
+    const f6 = await _pickFromArray(text, _FIRST_NAMES);
+    const l6 = await _pickFromArray(text + "last", _LAST_NAMES);
+    return `<PER:${f6}_${l6}>`;
   }
-  if (_UAE_EID_RE.test(text)) {
-    return `784-0000-${await _hmacDigits(text, 7)}-${await _hmacDigits(text, 1, 20)}`;
+  if (type === "LOCATION" || type === "PHYS_ADDRESS") {
+    const c6 = await _pickFromArray(text, _CITIES);
+    return `<LOC:${c6}>`;
   }
-  if (_IBAN_RE.test(text)) {
-    const countryCode = text.slice(0, 2);
-    return `${countryCode}00${(await _hmacHex(text, 8)).toUpperCase()}`;
+  if (type === "ORGANIZATION") {
+    const c6 = await _pickFromArray(text, _LAST_NAMES);
+    return `<ORG:${c6}_Inc>`;
   }
   return `[TKN-${await _hmacHex(text)}]`;
 }
-var _masterKey, _EMAIL_RE, _PHONE_RE, _SSN_RE, _CC_RE, _ROUTING_RE, _TCID_RE, _SAUDI_NID_RE, _UAE_EID_RE, _IBAN_RE;
+var _masterKey, _EMAIL_RE, _PHONE_RE, _SSN_RE, _CC_RE, _ROUTING_RE, _ES_ID_RE, _IBAN_RE, _FIRST_NAMES, _LAST_NAMES, _CITIES;
 var init_fpe = __esm({
   "src/core/fpe.ts"() {
     init_config();
@@ -385,14 +430,15 @@ var init_fpe = __esm({
     init_fpe_utils();
     _masterKey = null;
     _EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
-    _PHONE_RE = /^\+?1?[\s\-.]?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}$|^\d{3}[\s\-.]?\d{4}$/;
+    _PHONE_RE = /(?<!\d)(?:\+?1?[\s\-.]?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}|\d{3}[\s\-.]?\d{4})(?!\d)/;
     _SSN_RE = /^\d{3}-\d{2}-\d{4}$/;
     _CC_RE = /^(?:\d{4}[ \-]?){3}\d{4}$/;
     _ROUTING_RE = /^\d{9}$/;
-    _TCID_RE = /^[1-9]\d{9}[02468]$/;
-    _SAUDI_NID_RE = /^1\d{9}$/;
-    _UAE_EID_RE = /^784-\d{4}-\d{7}-\d$/;
+    _ES_ID_RE = /^(?:\d{8}[A-Z]|[XYZ]\d{7}[A-Z])$/;
     _IBAN_RE = /^[A-Z]{2}\d{2}[A-Z0-9]{4,30}$/;
+    _FIRST_NAMES = ["Taylor", "Jordan", "Casey", "Morgan", "Riley", "Avery", "Rowan", "Quinn", "Charlie", "Peyton", "Blake", "Dakota", "Reese", "Skyler", "Finley", "Eden", "Harley", "Rory", "Emerson", "Remi"];
+    _LAST_NAMES = ["Smith", "Johnson", "Williams", "Brown", "Jones", "Garcia", "Miller", "Davis", "Rodriguez", "Martinez", "Hernandez", "Lopez", "Gonzalez", "Wilson", "Anderson", "Thomas", "Taylor", "Moore", "Jackson", "Martin"];
+    _CITIES = ["London", "Paris", "Berlin", "Tokyo", "Rome", "Madrid", "Vienna", "Sydney", "Toronto", "Chicago", "Seattle", "Austin", "Boston", "Denver", "Dallas", "Miami", "Seoul", "Dubai", "Mumbai", "Cairo"];
   }
 });
@@ -42993,7 +43039,7 @@ async function encode(rawText, options = {}) {
       return existingToken;
     }
   }
-  const token = await generateFPEToken(text);
+  const token = await generateFPEToken(text, options.entityType || "UNKNOWN");
   const ciphertext = cryptoEngine.encrypt(text);
   const ttl = options.ttl || DEFAULT_TTL;
   await vault.store(token, ciphertext, ttl, ptHash);
@@ -43445,19 +43491,8 @@ var SCRIPT_SIGNATURES; exports.LanguageContextResolver = void 0;
 var init_assessor = __esm({
   "src/core/dlp/assessor.ts"() {
     SCRIPT_SIGNATURES = [
-      // CJK / East-Asian — checked first because they are unambiguous
-      { tag: "zh", pattern: /[\u4e00-\u9fff\u3400-\u4dbf]/g },
-      { tag: "ja", pattern: /[\u3040-\u309f\u30a0-\u30ff\u31f0-\u31ff]/g },
-      // Arabic script — covers Standard Arabic, Urdu overlap, etc.
-      { tag: "ar", pattern: /[\u0600-\u06ff\u0750-\u077f\u08a0-\u08ff\ufb50-\ufdff\ufe70-\ufeff]/g },
-      // Turkish — distinguished by dotless-i (ı), soft-g (ğ), ş, and cedilla ç
-      { tag: "tr", pattern: /[ğıİşŞ]/g },
-      // German — umlauts and Eszett
-      { tag: "de", pattern: /[äöüÄÖÜß]/g },
       // Spanish — ñ and inverted punctuation
-      { tag: "es", pattern: /[ñÑ¡¿]/g },
-      // French — cedilla, accented vowels with circumflex / diaeresis
-      { tag: "fr", pattern: /[àâçéèêëïîôùûüÿœæ]/gi }
+      { tag: "es", pattern: /[ñÑ¡¿]/g }
     ];
     exports.LanguageContextResolver = class {
       constructor(charThreshold = 1) {
@@ -43515,34 +43550,12 @@ var init_registry = __esm({
     })(exports.SensitiveCategory || {});
     LOCALE_NAME_RULES = {
       en: [
-        /\b[A-Z][a-z]+ [A-Z][a-z]+(?:\s+[A-Z][a-z]+)?\b/g,
-        /\b(?:Mr|Mrs|Ms|Dr|Prof)\.?\s+[A-Z][a-z]+\b/g
+        /\b[A-Z][a-z\-\']+ [A-Z][a-z\-\']+(?:\s+[A-Z][a-z\-\']+)?\b/g,
+        /\b(?:Mr|Mrs|Ms|Dr|Prof)\.?\s+[A-Z][a-z\-\']+\b/g
       ],
       es: [
-        /\b[A-Z][a-záéíóúñ]+ [A-Z][a-záéíóúñ]+(?:\s+[A-Z][a-záéíóúñ]+)?\b/g,
-        /\b(?:Sr|Sra|Srta)\.?\s+[A-Z][a-záéíóúñ]+\b/g
-      ],
-      fr: [
-        /\b[A-Z][a-zàâçéèêëïîôùûü]+ [A-Z][a-zàâçéèêëïîôùûü]+\b/g,
-        /\b(?:M|Mme|Mlle)\.?\s+[A-Z][a-zàâçéèêëïîôùûü]+\b/g
-      ],
-      de: [
-        /\b[A-Z][a-zäöüß]+ [A-Z][a-zäöüß]+\b/g,
-        /\b(?:Herr|Frau)\.?\s+[A-Z][a-zäöüß]+\b/g
-      ],
-      tr: [
-        /\b[A-ZÇĞİÖŞÜ][a-zçğıöşü]+ [A-ZÇĞİÖŞÜ][a-zçğıöşü]+\b/g,
-        /\b(?:Bay|Bayan|Sayın)\.?\s+[A-ZÇĞİÖŞÜ][a-zçğıöşü]+\b/g
-      ],
-      ar: [
-        /[\u0621-\u064a][\u0600-\u06ff]+ [\u0621-\u064a][\u0600-\u06ff]+/g,
-        /(?:أبو|أم|ابن|بنت)\s+[\u0621-\u064a][\u0600-\u06ff]+/gi
-      ],
-      ja: [
-        /\b[A-Z][a-z]+(?:moto|yama|kawa|mura|ta|da|shi|no)\s+[A-Z][a-z]+\b/g
-      ],
-      zh: [
-        /\b[A-Z][a-z]{1,3}\s+[A-Z][a-z]+\b/g
+        /\b[A-Z][a-záéíóúñ\-\']+ [A-Z][a-záéíóúñ\-\']+(?:\s+[A-Z][a-záéíóúñ\-\']+)?\b/g,
+        /\b(?:Sr|Sra|Srta)\.?\s+[A-Z][a-záéíóúñ\-\']+\b/g
       ]
     };
     LOCALE_ADDRESS_RULES = {
@@ -43550,26 +43563,8 @@ var init_registry = __esm({
         /\b\d{1,5}\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*\s+(?:Street|St|Avenue|Ave|Road|Rd|Boulevard|Blvd|Lane|Ln|Drive|Dr|Court|Ct|Way)\b/g,
         /\b[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*,\s*[A-Z]{2}\s+\d{5}(?:-\d{4})?\b/g
       ],
-      fr: [
-        /\b\d{1,4}\s+(?:rue|avenue|boulevard|place|chemin)\s+[A-ZÀ-ÖØ-Ý][a-zà-öø-ÿ]+\b/gi
-      ],
-      de: [
-        /\b[A-ZÄÖÜa-zäöüß]+(?:straße|strasse|weg|gasse|platz)\s+\d{1,4}\b/g
-      ],
-      tr: [
-        /\b[A-ZÇĞİÖŞÜa-zçğıöşü]+\s+(?:Cad|Sok|Mah)\.?\s+/gi,
-        /\b\d{5}\s+[A-ZÇĞİÖŞÜa-zçğıöşü]+\/[A-ZÇĞİÖŞÜa-zçğıöşü]+\b/g
-      ],
-      ar: [
-        /شارع\s+[\u0600-\u06ff]+/g,
-        /حي\s+[\u0600-\u06ff]+/g,
-        /(?:ص\.ب|P\.?O\.?\s*Box)\s*\d{3,6}/gi
-      ],
-      uk_postcode: [
-        /\b[A-Z]{1,2}\d{1,2}[A-Z]?\s*\d[A-Z]{2}\b/g
-      ],
-      ca_postal: [
-        /\b[A-Z]\d[A-Z]\s*\d[A-Z]\d\b/g
+      es: [
+        /\b(?:Calle|Carrera|Avenida|Paseo|Plaza)\s+[A-ZÀ-ÖØ-Ý][a-zà-öø-ÿ]+\b/gi
       ]
     };
     RAW_PATTERNS = [
@@ -43577,7 +43572,6 @@ var init_registry = __esm({
       [
         "US_SSN",
         "\\b(?!000|666|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0000)\\d{4}\\b",
-        "g",
         ["ssn", "social security", "tax id", "taxpayer"],
         0.95,
         "FINANCIAL" /* FINANCIAL */,
@@ -43586,7 +43580,6 @@ var init_registry = __esm({
       [
         "CREDIT_CARD_NUMBER",
         "\\b(?:4\\d{3}|5[1-5]\\d{2}|3[47]\\d{2}|6(?:011|5\\d{2}))[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}\\b",
-        "g",
         ["card", "credit", "visa", "mastercard", "amex", "payment"],
         0.97,
         "FINANCIAL" /* FINANCIAL */,
@@ -43595,7 +43588,6 @@ var init_registry = __esm({
       [
         "INTL_BANK_IBAN",
         "\\b[A-Z]{2}\\d{2}[A-Z0-9]{4}\\d{7}[A-Z0-9]{0,16}\\b",
-        "g",
         ["iban", "swift", "sepa", "wire", "bank transfer"],
         0.96,
         "FINANCIAL" /* FINANCIAL */,
@@ -43604,7 +43596,6 @@ var init_registry = __esm({
       [
         "CRYPTO_BTC",
         "\\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\\b",
-        "g",
         ["bitcoin", "btc", "wallet", "crypto"],
         0.94,
         "FINANCIAL" /* FINANCIAL */,
@@ -43613,7 +43604,6 @@ var init_registry = __esm({
       [
         "CRYPTO_ETH",
         "\\b0x[a-fA-F0-9]{40}\\b",
-        "g",
         ["ethereum", "eth", "wallet", "0x"],
         0.93,
         "FINANCIAL" /* FINANCIAL */,
@@ -43621,8 +43611,7 @@ var init_registry = __esm({
       ],
       [
         "US_ABA_ROUTING",
-        "\\b\\d{9}\\b",
-        "g",
+        /(?<!\d)\d{9}(?!\d)/,
         ["routing", "aba", "wire", "bank"],
         0.88,
         "FINANCIAL" /* FINANCIAL */,
@@ -43630,17 +43619,15 @@ var init_registry = __esm({
       ],
       [
         "BANK_ACCT_NUM",
-        "\\b\\d{8,17}\\b",
-        "g",
+        /(?<!\d)\d{8,17}(?!\d)/,
         ["account", "checking", "savings", "deposit", "bank"],
-        0.83,
+        0.5,
         "FINANCIAL" /* FINANCIAL */,
-        null
+        "luhn_soft"
       ],
       [
         "SWIFT_BIC",
         "\\b[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\\b",
-        "gi",
         ["swift", "bic", "bank code", "transfer"],
         0.6,
         "FINANCIAL" /* FINANCIAL */,
@@ -43650,7 +43637,6 @@ var init_registry = __esm({
       [
         "EMAIL_ADDR",
         "\\b[A-Za-z0-9._%+\\-]+@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}\\b",
-        "g",
         ["email", "mail", "contact", "address"],
         0.99,
         "CONTACT" /* CONTACT */,
@@ -43658,26 +43644,23 @@ var init_registry = __esm({
       ],
       [
         "PHONE_NUM",
-        "(?:\\+?[1-9]\\d{0,3}[-.\\s]?)?\\(?\\d{1,4}\\)?[-.\\s]?\\d{1,4}[-.\\s]?\\d{1,4}[-.\\s]?\\d{1,9}",
-        "g",
+        /(?<!\d)(?:\+?[1-9]\d{0,3}[-.\s]?)?\(?\d{1,4}\)?[-.\s]?\d{1,4}[-.\s]?\d{1,4}[-.\s]?\d{1,9}(?!\d)/,
         ["phone", "call", "mobile", "tel", "whatsapp", "number"],
-        0.92,
+        0.8,
         "CONTACT" /* CONTACT */,
         null
       ],
       [
         "PHONE_NUM_INTL",
-        "\\+(?:44|33|49|90|966|971)[-.\\s]?\\(?\\d{1,5}\\)?(?:[-.\\s]?\\d{2,4}){2,4}",
-        "g",
+        /(?<!\d)\+(?:[1-9]\d{0,3})[-.\s]?\(?\d{1,5}\)?(?:[-.\s]?\d{2,4}){2,4}(?!\d)/,
         ["phone", "call", "mobile", "tel"],
-        0.93,
+        0.8,
         "CONTACT" /* CONTACT */,
         null
       ],
       [
         "IPV4_ADDR",
         "\\b(?:(?:25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.){3}(?:25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\b",
-        "g",
         ["ip", "server", "host", "network", "address"],
         0.94,
         "CONTACT" /* CONTACT */,
@@ -43686,7 +43669,6 @@ var init_registry = __esm({
       [
         "IPV6_ADDR",
         "\\b(?:[A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}\\b",
-        "g",
         ["ipv6", "ip", "network", "server"],
         0.93,
         "CONTACT" /* CONTACT */,
@@ -43695,7 +43677,6 @@ var init_registry = __esm({
       [
         "HW_MAC_ADDR",
         "\\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\\b",
-        "g",
         ["mac", "hardware", "network", "device"],
         0.91,
         "CONTACT" /* CONTACT */,
@@ -43705,7 +43686,6 @@ var init_registry = __esm({
       [
         "BIRTH_DATE",
         "\\b(?:0[1-9]|1[0-2])[/-](?:0[1-9]|[12]\\d|3[01])[/-](?:19|20)\\d{2}\\b",
-        "g",
         ["birth", "dob", "born", "birthday", "date of birth"],
         0.88,
         "PERSONAL" /* PERSONAL */,
@@ -43714,16 +43694,14 @@ var init_registry = __esm({
       [
         "US_DRIVERS_LIC",
         "\\b(?:[A-Z]\\d{7,12}|\\d{7,12}[A-Z]?)\\b",
-        "g",
         ["driver", "license", "licence", "dl", "dmv"],
-        0.85,
+        0.55,
         "PERSONAL" /* PERSONAL */,
         null
       ],
       [
         "US_PASSPORT_NUM",
         "\\b[A-Z]\\d{8}\\b",
-        "g",
         ["passport", "travel", "visa", "immigration"],
         0.87,
         "PERSONAL" /* PERSONAL */,
@@ -43733,7 +43711,6 @@ var init_registry = __esm({
       [
         "VEHICLE_VIN",
         "\\b[A-HJ-NPR-Z0-9]{17}\\b",
-        "g",
         ["vin", "vehicle", "chassis", "automobile"],
         0.92,
         "VEHICLE" /* VEHICLE */,
@@ -43742,7 +43719,6 @@ var init_registry = __esm({
       [
         "VEHICLE_PLATE",
         "\\b[A-Z0-9]{1,3}[\\-\\s][A-Z0-9]{1,4}[\\-\\s][A-Z0-9]{1,4}\\b",
-        "g",
         ["plate", "registration", "vehicle", "plaka"],
         0.45,
         "VEHICLE" /* VEHICLE */,
@@ -43752,7 +43728,6 @@ var init_registry = __esm({
       [
         "MED_RECORD_ID",
         "\\b(?:MRN|Patient ID|Medical Record)[:\\s]*[A-Z0-9]{6,10}\\b",
-        "g",
         ["patient", "medical", "record", "mrn", "hospital"],
         0.96,
         "HEALTHCARE" /* HEALTHCARE */,
@@ -43761,7 +43736,6 @@ var init_registry = __esm({
       [
         "US_MEDICARE_ID",
         "\\b\\d{3}-\\d{2}-\\d{4}[A-Z]\\b",
-        "g",
         ["medicare", "cms", "beneficiary", "health insurance"],
         0.91,
         "HEALTHCARE" /* HEALTHCARE */,
@@ -43770,7 +43744,6 @@ var init_registry = __esm({
       [
         "US_DEA_NUM",
         "\\b[A-Z]{2}\\d{7}\\b",
-        "g",
         ["dea", "prescriber", "drug", "enforcement"],
         0.89,
         "HEALTHCARE" /* HEALTHCARE */,
@@ -43779,7 +43752,6 @@ var init_registry = __esm({
       [
         "US_NPI_NUM",
         "\\b\\d{10}\\b",
-        "g",
         ["npi", "provider", "national provider", "healthcare"],
         0.87,
         "HEALTHCARE" /* HEALTHCARE */,
@@ -43789,7 +43761,6 @@ var init_registry = __esm({
       [
         "US_EIN_TAX",
         "\\b\\d{2}-\\d{7}\\b",
-        "g",
         ["ein", "federal", "employer", "tax id"],
         0.89,
         "IDENTITY_US" /* IDENTITY_US */,
@@ -43799,71 +43770,33 @@ var init_registry = __esm({
       [
         "UK_NATL_INS",
         "\\b[A-Z]{2}\\d{6}[A-Z]\\b",
-        "g",
         ["nino", "national insurance", "ni number", "uk"],
         0.9,
         "IDENTITY_INTL" /* IDENTITY_INTL */,
-        null
+        "uk_nino"
       ],
       [
         "CA_SOCIAL_INS",
         "\\b\\d{3}[-\\s]?\\d{3}[-\\s]?\\d{3}\\b",
-        "g",
         ["sin", "social insurance", "canada", "canadian"],
         0.89,
         "IDENTITY_INTL" /* IDENTITY_INTL */,
-        null
+        "ca_sin"
       ],
       [
-        "FR_INSEE_NUM",
-        "\\b[12]\\d{2}[01]\\d\\d{8}\\d{2}\\b",
-        "g",
-        ["insee", "s\xE9curit\xE9 sociale", "france", "num\xE9ro"],
-        0.88,
-        "IDENTITY_INTL" /* IDENTITY_INTL */,
-        null
-      ],
-      [
-        "DE_STEUER_ID",
-        "\\b\\d{2}\\s?\\d{3}\\s?\\d{3}\\s?\\d{3}\\b",
-        "g",
-        ["steuer", "steuernummer", "finanzamt", "deutschland"],
-        0.87,
-        "IDENTITY_INTL" /* IDENTITY_INTL */,
-        null
-      ],
-      [
-        "TR_TCID",
-        "\\b[1-9]\\d{9}[02468]\\b",
-        "g",
-        ["tc", "kimlik", "vatanda\u015Fl\u0131k", "n\xFCfus", "t\xFCrkiye"],
-        0.92,
-        "IDENTITY_INTL" /* IDENTITY_INTL */,
-        "tcid"
-      ],
-      [
-        "SA_NATIONAL_ID",
-        "\\b1\\d{9}\\b",
-        "g",
-        ["\u0647\u0648\u064A\u0629", "\u0631\u0642\u0645 \u0627\u0644\u0647\u0648\u064A\u0629", "saudi", "\u0648\u0637\u0646\u064A\u0629", "identity"],
-        0.91,
-        "IDENTITY_INTL" /* IDENTITY_INTL */,
-        "saudi_nid"
-      ],
-      [
-        "UAE_EMIRATES_ID",
-        "\\b784-\\d{4}-\\d{7}-\\d\\b",
-        "g",
-        ["emirates", "\u0647\u0648\u064A\u0629", "uae", "emirati", "identity"],
-        0.93,
+        "ES_DNI",
+        "(?:\\d{8}[A-Z]|[XYZ]\\d{7}[A-Z])",
+        ["dni", "nie", "identidad", "nif", "spain"],
+        0.94,
         "IDENTITY_INTL" /* IDENTITY_INTL */,
-        "luhn"
+        "es_id",
+        true,
+        ["*", "es"]
       ],
       // ── CORPORATE ──────────────────────────────────────────────────────
       [
         "CORP_EMPLOYEE_ID",
-        "\\b(?:EMP|EMPLOYEE|ID)[:\\s]?[A-Z0-9]{5,10}\\b",
-        "gi",
+        "(?:EMP|EMPLOYEE|ID)[:\\s]?[A-Z0-9]{5,10}",
         ["employee", "staff", "personnel", "worker"],
         0.55,
         "CORPORATE" /* CORPORATE */,
@@ -43873,7 +43806,11 @@ var init_registry = __esm({
     exports.DLPPatternRegistry = class {
       constructor(loadGroups) {
         this.catalogue = /* @__PURE__ */ new Map();
+        this.localeCategoryRegexMap = /* @__PURE__ */ new Map();
         this.buildCatalogue(loadGroups ?? null);
+        for (const loc of ["*", "en", "es"]) {
+          this.compileForLocale(loc);
+        }
       }
       get typeNames() {
         return [...this.catalogue.keys()];
@@ -43885,23 +43822,74 @@ var init_registry = __esm({
       descriptorFor(typeName) {
         return this.catalogue.get(typeName);
       }
-      /** Return locale-tuned name regexes, falling back to English. */
       namePatternsFor(lang) {
         return LOCALE_NAME_RULES[lang] ?? LOCALE_NAME_RULES["en"];
       }
-      /** Return locale-tuned address regexes, falling back to English. */
       addressPatternsFor(lang) {
         return LOCALE_ADDRESS_RULES[lang] ?? LOCALE_ADDRESS_RULES["en"];
       }
+      getCategoryRegexesMap(locale = "en") {
+        if (!this.localeCategoryRegexMap.has(locale)) {
+          this.compileForLocale(locale);
+        }
+        return this.localeCategoryRegexMap.get(locale);
+      }
+      getCategoryTypeMap(categoryName, locale = "en") {
+        return this.localeCategoryRegexMap.get(locale)?.get(categoryName)?.typeOrder ?? [];
+      }
+      compileForLocale(locale) {
+        const localePool = /* @__PURE__ */ new Map();
+        for (const [typeName, desc] of this.catalogue.entries()) {
+          if (desc.supportedLocales.includes("*") || desc.supportedLocales.includes(locale)) {
+            const catKey = desc.category;
+            if (!localePool.has(catKey)) localePool.set(catKey, []);
+            localePool.get(catKey).push([typeName, desc]);
+          }
+        }
+        const categoryMap = /* @__PURE__ */ new Map();
+        for (const [catKey, entries] of localePool.entries()) {
+          entries.sort(([, a6], [, b6]) => {
+            const aVal = a6.validatorTag ? 0 : 1;
+            const bVal = b6.validatorTag ? 0 : 1;
+            if (aVal !== bVal) return aVal - bVal;
+            return b6.compiledRe.source.length - a6.compiledRe.source.length;
+          });
+          const parts = [];
+          const typeOrder = [];
+          for (const [typeName, desc] of entries) {
+            parts.push(`(?<${typeName}>${desc.compiledRe.source})`);
+            typeOrder.push(typeName);
+          }
+          const combinedSource = parts.join("|");
+          const needsI = entries.some(([, d6]) => d6.compiledRe.flags.includes("i"));
+          const flags = needsI ? "gi" : "g";
+          try {
+            const re = new RegExp(combinedSource, flags);
+            categoryMap.set(catKey, { re, typeOrder });
+          } catch (err2) {
+            console.error(`[DLPPatternRegistry] Locale [${locale}] category [${catKey}] failed:`, err2);
+          }
+        }
+        this.localeCategoryRegexMap.set(locale, categoryMap);
+      }
       buildCatalogue(restrict) {
-        for (const [typeName, regexStr, flags, terms, risk, cat, vtag] of RAW_PATTERNS) {
+        for (const entry of RAW_PATTERNS) {
+          const [typeName, regexSource, terms, risk, cat, vtag, isHighEntropy, supportedLocales] = entry;
           if (restrict !== null && !restrict.has(cat)) continue;
+          let re;
+          if (regexSource instanceof RegExp) {
+            re = regexSource;
+          } else {
+            re = new RegExp(regexSource, "g");
+          }
           this.catalogue.set(typeName, {
-            compiledRe: new RegExp(regexStr, flags),
+            compiledRe: re,
             proximityTerms: new Set(terms),
             baseRisk: risk,
             category: cat,
-            validatorTag: vtag
+            validatorTag: vtag,
+            isHighEntropy: isHighEntropy ?? vtag !== null,
+            supportedLocales: supportedLocales ?? ["*"]
           });
         }
       }
@@ -43998,29 +43986,13 @@ function checkIpv4Octets(raw) {
   }
   return true;
 }
-function checkTcidNumber(raw) {
-  const digitsStr = raw.replace(/\D/g, "");
-  if (digitsStr.length !== 11) return false;
-  const d6 = digitsStr.split("").map(Number);
-  if (d6[0] === 0) return false;
-  if (d6[10] % 2 !== 0) return false;
-  const oddSum = d6[0] + d6[2] + d6[4] + d6[6] + d6[8];
-  const evenSum = d6[1] + d6[3] + d6[5] + d6[7];
-  const computedD10 = ((oddSum * 7 - evenSum) % 10 + 10) % 10;
-  if (computedD10 !== d6[9]) return false;
-  const firstTenSum = d6.slice(0, 10).reduce((a6, b6) => a6 + b6, 0);
-  if (firstTenSum % 10 !== d6[10]) return false;
-  return true;
-}
-function checkSaudiNid(raw) {
-  const digitsStr = raw.replace(/\D/g, "");
-  if (digitsStr.length !== 10) return false;
-  const d6 = digitsStr.split("").map(Number);
-  if (d6[0] !== 1) return false;
+function checkCaSin(raw) {
+  const digits = raw.replace(/\D/g, "");
+  if (digits.length !== 9) return false;
   let total = 0;
-  for (let idx = 0; idx < 10; idx++) {
-    let val = d6[idx];
-    if (idx % 2 === 0) {
+  for (let idx = 0; idx < digits.length; idx++) {
+    let val = parseInt(digits[idx], 10);
+    if (idx % 2 === 1) {
       val *= 2;
       if (val > 9) val -= 9;
     }
@@ -44028,7 +44000,30 @@ function checkSaudiNid(raw) {
   }
   return total % 10 === 0;
 }
-var IBAN_COUNTRY_LENGTHS, VIN_TRANSLITERATION, VIN_WEIGHTS, VALIDATOR_DISPATCH; exports.DLPValidationEngine = void 0;
+function checkUkNino(raw) {
+  const cleaned = raw.replace(/ /g, "").toUpperCase();
+  if (cleaned.length !== 9) return false;
+  return UK_NINO_REGEX.test(cleaned);
+}
+function checkEsId(raw) {
+  const cleaned = raw.replace(/[\s-]/g, "").toUpperCase();
+  if (cleaned.length !== 9) return false;
+  const mapping = { X: "0", Y: "1", Z: "2" };
+  const firstChar = cleaned[0];
+  let numStr;
+  if (firstChar in mapping) {
+    numStr = mapping[firstChar] + cleaned.slice(1, 8);
+  } else if (/^\d$/.test(firstChar)) {
+    numStr = cleaned.slice(0, 8);
+  } else {
+    return false;
+  }
+  if (!/^\d+$/.test(numStr)) return false;
+  const num = parseInt(numStr, 10);
+  const validLetters = "TRWAGMYFPDXBNJZSQVHLCKE";
+  return cleaned[8] === validLetters[num % 23];
+}
+var IBAN_COUNTRY_LENGTHS, VIN_TRANSLITERATION, VIN_WEIGHTS, UK_NINO_REGEX, VALIDATOR_DISPATCH; exports.DLPValidationEngine = void 0;
 var init_handlers = __esm({
   "src/core/dlp/handlers.ts"() {
     IBAN_COUNTRY_LENGTHS = {
@@ -44131,6 +44126,7 @@ var init_handlers = __esm({
       Z: 9
     };
     VIN_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2];
+    UK_NINO_REGEX = /^(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z]{2}[0-9]{6}[A-D]$/;
     VALIDATOR_DISPATCH = {
       luhn: checkLuhn,
       ssn_area: checkSsnArea,
@@ -44139,8 +44135,9 @@ var init_handlers = __esm({
       vin_format: checkVinFormat,
       btc_format: checkBtcFormat,
       ipv4: checkIpv4Octets,
-      tcid: checkTcidNumber,
-      saudi_nid: checkSaudiNid
+      ca_sin: checkCaSin,
+      uk_nino: checkUkNino,
+      es_id: checkEsId
     };
     exports.DLPValidationEngine = class {
       /**
@@ -44177,7 +44174,8 @@ var init_scorer = __esm({
       keywordBoost: 0.1,
       validatorOverride: 0.99,
       maxConfidence: 0.99,
-      penaltyFactor: 0.65
+      penaltyFactor: 0.99
+      // Renamed functionally to validator failure penalty subtraction
     };
     exports.DLPConfidenceScorer = class {
       constructor(overrides = {}) {
@@ -44196,7 +44194,7 @@ var init_scorer = __esm({
       score(input) {
         if (input.validatorPassed === true) return this.valOverride;
         if (input.validatorPassed === false) {
-          return Math.min(this.ceil, input.baseRisk * this.penalty);
+          return Math.max(0, input.baseRisk - this.penalty);
         }
         const windowLo = Math.max(0, input.matchStart - this.window);
         const windowHi = Math.min(input.fullText.length, input.matchEnd + this.window);
@@ -44222,6 +44220,47 @@ var init_scorer = __esm({
   }
 });
+// src/core/span.ts
+function resolveOverlaps(spans) {
+  if (spans.length === 0) return [];
+  const sorted = [...spans].sort((a6, b6) => {
+    if (a6.start !== b6.start) return a6.start - b6.start;
+    const lenDiff = b6.end - b6.start - (a6.end - a6.start);
+    if (lenDiff !== 0) return lenDiff;
+    return b6.confidence - a6.confidence;
+  });
+  const resolved = [];
+  let occupiedEnd = -1;
+  for (const span of sorted) {
+    if (span.start >= occupiedEnd) {
+      resolved.push(span);
+      occupiedEnd = span.end;
+    } else if (span.end <= occupiedEnd) {
+      continue;
+    } else {
+      const last = resolved[resolved.length - 1];
+      if (span.confidence > last.confidence) {
+        resolved.pop();
+        resolved.push(span);
+        occupiedEnd = span.end;
+      }
+    }
+  }
+  return resolved.sort((a6, b6) => b6.start - a6.start);
+}
+function reconstruct(text, resolvedSpans) {
+  let result = text;
+  for (const span of resolvedSpans) {
+    if (span.maskedValue == null) continue;
+    result = result.slice(0, span.start) + span.maskedValue + result.slice(span.end);
+  }
+  return result;
+}
+var init_span = __esm({
+  "src/core/span.ts"() {
+  }
+});
 // node_modules/delayed-stream/lib/delayed_stream.js
 var require_delayed_stream = __commonJS({
   "node_modules/delayed-stream/lib/delayed_stream.js"(exports2, module) {
@@ -58892,7 +58931,7 @@ var init_transformers_scanner = __esm({
               confidence = Math.min(1, confidence + 0.2);
             }
             if (confidence >= confidenceThreshold && !looksLikeToken(val) && val.length > 1) {
-              const token = await encodeFn(val);
+              const token = await encodeFn(val, { entityType });
               entities.push({
                 type: entityType,
                 value: val,
@@ -58999,17 +59038,18 @@ var init_scanner = __esm({
     init_registry();
     init_handlers();
     init_scorer();
+    init_span();
     _dlpLanguageResolver = new exports.LanguageContextResolver();
     _dlpPatternRegistry = new exports.DLPPatternRegistry();
     _dlpValidationEngine = new exports.DLPValidationEngine();
     _dlpConfidenceScorer = new exports.DLPConfidenceScorer();
     REGEX_PATTERNS = {
       "EMAIL_ADDRESS": /[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+/g,
-      "PHONE_NUMBER": /\+?1?[\s\-.]?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}|\d{3}[\s\-.]?\d{4}/g,
-      "PHONE_NUMBER_INTL": /\+(?:44|33|49)[\s\-.]?\(?\d{1,5}\)?(?:[\s\-.]?\d{2,4}){2,4}/g,
-      "US_SSN": /\d{3}-\d{2}-\d{4}/g,
-      "CREDIT_CARD": /(?:\d{4}[ \-]?){3}\d{4}/g,
-      "US_ROUTING_NUMBER": /\b\d{9}\b/g,
+      "PHONE_NUMBER": /(?<!\d)(?:\+?1?[\s\-.]?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}|\d{3}[\s\-.]?\d{4})(?!\d)/g,
+      "PHONE_NUMBER_INTL": /(?<!\d)\+(?:[1-9]\d{0,3})[-.\s]?\(?\d{1,5}\)?(?:[-.\s]?\d{2,4}){2,4}(?!\d)/g,
+      "US_SSN": /(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)/g,
+      "CREDIT_CARD": /(?<!\d)(?:\d{4}[ \-]?){3}\d{4}(?!\d)/g,
+      "US_ROUTING_NUMBER": /(?<!\d)\d{9}(?!\d)/g,
       "US_PASSPORT": /\b[A-Z]\d{8}\b/g,
       "DATE_OF_BIRTH": /\b(?:0[1-9]|1[0-2])\/(?:0[1-9]|[12]\d|3[01])\/(?:19|20)\d{2}\b|\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b/g
     };
@@ -59064,26 +59104,55 @@ var init_scanner = __esm({
         const checksum = 3 * (d6[0] + d6[3] + d6[6]) + 7 * (d6[1] + d6[4] + d6[7]) + (d6[2] + d6[5] + d6[8]);
         return checksum % 10 === 0;
       }
-      async _tier0Dlp(text, encodeFn, confidenceThreshold) {
+      async _tier0CollectSpans(text, confidenceThreshold) {
         const detectedLanguage = _dlpLanguageResolver.resolve(text);
-        const rawHits = [];
-        for (const [typeTag, descriptor] of _dlpPatternRegistry.iterDescriptors()) {
-          const re = new RegExp(descriptor.compiledRe.source, descriptor.compiledRe.flags);
+        const spans = [];
+        const categoryMap = _dlpPatternRegistry.getCategoryRegexesMap();
+        for (const [catKey, { re, typeOrder }] of categoryMap.entries()) {
+          const megaRe = new RegExp(re.source, re.flags);
           let m6;
-          while ((m6 = re.exec(text)) !== null) {
+          while ((m6 = megaRe.exec(text)) !== null) {
+            const groups = m6.groups ?? {};
+            let typeTag;
+            for (const name of typeOrder) {
+              if (groups[name] !== void 0) {
+                typeTag = name;
+                break;
+              }
+            }
+            if (!typeTag) continue;
             const matchedStr = m6[0];
             if (looksLikeToken(matchedStr)) continue;
+            const descriptor = _dlpPatternRegistry.descriptorFor(typeTag);
+            if (!descriptor) continue;
             const validatorResult = _dlpValidationEngine.run(descriptor.validatorTag, matchedStr);
-            const conf = _dlpConfidenceScorer.score({
-              baseRisk: descriptor.baseRisk,
-              matchStart: m6.index,
-              matchEnd: m6.index + matchedStr.length,
-              fullText: text,
-              proximityTerms: descriptor.proximityTerms,
-              validatorPassed: validatorResult
-            });
+            let conf;
+            if (validatorResult === false) {
+              if (descriptor.isHighEntropy) {
+                conf = 0.85;
+              } else {
+                continue;
+              }
+            } else {
+              conf = _dlpConfidenceScorer.score({
+                baseRisk: descriptor.baseRisk,
+                matchStart: m6.index,
+                matchEnd: m6.index + matchedStr.length,
+                fullText: text,
+                proximityTerms: descriptor.proximityTerms,
+                validatorPassed: validatorResult
+              });
+            }
             if (conf >= confidenceThreshold) {
-              rawHits.push({ start: m6.index, end: m6.index + matchedStr.length, tag: typeTag, val: matchedStr, conf });
+              spans.push({
+                start: m6.index,
+                end: m6.index + matchedStr.length,
+                entityType: typeTag,
+                originalValue: matchedStr,
+                confidence: conf,
+                method: "dlp_heuristic",
+                language: detectedLanguage
+              });
             }
           }
         }
@@ -59102,7 +59171,15 @@ var init_scanner = __esm({
               validatorPassed: null
             });
             if (conf >= confidenceThreshold) {
-              rawHits.push({ start: m6.index, end: m6.index + m6[0].length, tag: "PERSON_NAME", val: m6[0], conf });
+              spans.push({
+                start: m6.index,
+                end: m6.index + m6[0].length,
+                entityType: "PERSON_NAME",
+                originalValue: m6[0],
+                confidence: conf,
+                method: "dlp_heuristic",
+                language: detectedLanguage
+              });
             }
           }
         }
@@ -59111,85 +59188,78 @@ var init_scanner = __esm({
           let m6;
           while ((m6 = re.exec(text)) !== null) {
             if (looksLikeToken(m6[0])) continue;
-            rawHits.push({ start: m6.index, end: m6.index + m6[0].length, tag: "PHYS_ADDRESS", val: m6[0], conf: 0.55 });
-          }
-        }
-        rawHits.sort((a6, b6) => a6.start - b6.start || b6.end - b6.start - (a6.end - a6.start) || b6.conf - a6.conf);
-        const deduped = [];
-        let occupiedEnd = -1;
-        for (const hit of rawHits) {
-          if (hit.start >= occupiedEnd) {
-            deduped.push(hit);
-            occupiedEnd = hit.end;
+            spans.push({
+              start: m6.index,
+              end: m6.index + m6[0].length,
+              entityType: "PHYS_ADDRESS",
+              originalValue: m6[0],
+              confidence: 0.55,
+              method: "dlp_heuristic",
+              language: detectedLanguage
+            });
           }
         }
+        return spans;
+      }
+      /** Backward-compat wrapper — collects spans then single-pass encodes. */
+      async _tier0Dlp(text, encodeFn, confidenceThreshold) {
+        const spans = await this._tier0CollectSpans(text, confidenceThreshold);
+        const resolved = resolveOverlaps(spans);
         const entities = [];
-        let excised = text;
-        for (const hit of [...deduped].reverse()) {
-          const token = await encodeFn(hit.val);
-          excised = excised.slice(0, hit.start) + token + excised.slice(hit.end);
+        await Promise.all(resolved.map(async (span) => {
+          span.maskedValue = await encodeFn(span.originalValue, { entityType: span.entityType });
           entities.push({
-            type: hit.tag,
-            value: hit.val,
-            method: "dlp_heuristic",
-            confidence: hit.conf,
-            masked_value: token,
-            language: detectedLanguage
+            type: span.entityType,
+            value: span.originalValue,
+            method: span.method,
+            confidence: span.confidence,
+            masked_value: span.maskedValue,
+            language: span.language
           });
-        }
-        return [excised, entities];
+        }));
+        return [reconstruct(text, resolved), entities];
       }
-      async _tier1Regex(text, encodeFn, boostEntities, aggressive, confidenceThreshold) {
-        let entities = [];
-        let excised = text;
-        let allMatches = [];
+      async _tier1CollectSpans(text, boostEntities, aggressive, confidenceThreshold) {
+        const spans = [];
         for (const [entityType, pattern] of Object.entries(REGEX_PATTERNS)) {
           const re = new RegExp(pattern.source, pattern.flags);
           let match;
           while ((match = re.exec(text)) !== null) {
-            let confidence = 0.95;
-            if (aggressive || boostEntities.has(entityType.toLowerCase().replace(/_/g, " "))) {
-              confidence = 1;
-            }
-            if (entityType === "CREDIT_CARD" && _BaseScanner._luhnChecksum(match[0])) {
-              confidence = Math.max(confidence, 0.99);
-            }
-            if (entityType === "US_ROUTING_NUMBER" && !_BaseScanner._abaChecksum(match[0])) {
-              continue;
+            const val = match[0];
+            if (looksLikeToken(val)) continue;
+            let confidence = aggressive || boostEntities.has(entityType.toLowerCase().replace(/_/g, " ")) ? 1 : 0.95;
+            if (entityType === "CREDIT_CARD" && _BaseScanner._luhnChecksum(val)) confidence = Math.max(confidence, 0.99);
+            if (entityType === "US_ROUTING_NUMBER" && !_BaseScanner._abaChecksum(val)) continue;
+            if (confidence >= confidenceThreshold) {
+              spans.push({
+                start: match.index,
+                end: match.index + val.length,
+                entityType,
+                originalValue: val,
+                confidence,
+                method: "regex"
+              });
             }
-            allMatches.push({
-              start: match.index,
-              end: match.index + match[0].length,
-              type: entityType,
-              value: match[0],
-              confidence
-            });
-          }
-        }
-        allMatches.sort((a6, b6) => a6.start - b6.start || b6.end - b6.start - (a6.end - a6.start));
-        let filtered = [];
-        let lastEnd = -1;
-        for (const m6 of allMatches) {
-          if (m6.start >= lastEnd) {
-            filtered.push(m6);
-            lastEnd = m6.end;
           }
         }
-        const sortedFiltered = [...filtered].sort((a6, b6) => b6.start - a6.start);
-        for (const m6 of sortedFiltered) {
-          if (m6.confidence >= confidenceThreshold && !looksLikeToken(m6.value)) {
-            const token = await encodeFn(m6.value);
-            excised = excised.slice(0, m6.start) + token + excised.slice(m6.end);
-            entities.push({
-              type: m6.type,
-              value: m6.value,
-              method: "regex",
-              confidence: m6.confidence,
-              masked_value: token
-            });
-          }
-        }
-        return [excised, entities];
+        return spans;
+      }
+      /** Backward-compat wrapper. */
+      async _tier1Regex(text, encodeFn, boostEntities, aggressive, confidenceThreshold) {
+        const spans = await this._tier1CollectSpans(text, boostEntities, aggressive, confidenceThreshold);
+        const resolved = resolveOverlaps(spans);
+        const entities = [];
+        await Promise.all(resolved.map(async (span) => {
+          span.maskedValue = await encodeFn(span.originalValue, { entityType: span.entityType });
+          entities.push({
+            type: span.entityType,
+            value: span.originalValue,
+            method: span.method,
+            confidence: span.confidence,
+            masked_value: span.maskedValue
+          });
+        }));
+        return [reconstruct(text, resolved), entities];
       }
       async _tier2Nlp(text, encodeFn, boostEntities, aggressive, confidenceThreshold) {
         return [text, []];
@@ -59209,13 +59279,18 @@ var init_scanner = __esm({
         const _encode = options.encodeFn || encode;
         const confidenceThreshold = options.confidenceThreshold ?? 0.7;
         const boost = this._resolveBoost(options.context);
-        let currentText = text;
+        const allSpans = [];
         if (pipeline.includes("dlp")) {
-          [currentText] = await this._tier0Dlp(currentText, _encode, confidenceThreshold);
+          allSpans.push(...await this._tier0CollectSpans(text, confidenceThreshold));
         }
         if (pipeline.includes("regex") || pipeline.includes("checksum")) {
-          [currentText] = await this._tier1Regex(currentText, _encode, boost, !!options.aggressive, confidenceThreshold);
+          allSpans.push(...await this._tier1CollectSpans(text, boost, !!options.aggressive, confidenceThreshold));
         }
+        const resolved = resolveOverlaps(allSpans);
+        await Promise.all(resolved.map(async (span) => {
+          span.maskedValue = await _encode(span.originalValue, { entityType: span.entityType });
+        }));
+        let currentText = reconstruct(text, resolved);
         if (pipeline.includes("nlp")) {
           [currentText] = await this._tier2Nlp(currentText, _encode, boost, !!options.aggressive, confidenceThreshold);
         }
@@ -59227,20 +59302,29 @@ var init_scanner = __esm({
         const _encode = options.encodeFn || encode;
         const confidenceThreshold = options.confidenceThreshold ?? 0.7;
         const boost = this._resolveBoost(options.context);
-        let allEntities = [];
-        let remaining = text;
+        const allEntities = [];
+        const allSpans = [];
         if (pipeline.includes("dlp")) {
-          const [newText, tier0] = await this._tier0Dlp(remaining, _encode, confidenceThreshold);
-          remaining = newText;
-          allEntities.push(...tier0);
+          allSpans.push(...await this._tier0CollectSpans(text, confidenceThreshold));
         }
         if (pipeline.includes("regex") || pipeline.includes("checksum")) {
-          const [newText, tier1] = await this._tier1Regex(remaining, _encode, boost, !!options.aggressive, confidenceThreshold);
-          remaining = newText;
-          allEntities.push(...tier1);
-        }
+          allSpans.push(...await this._tier1CollectSpans(text, boost, !!options.aggressive, confidenceThreshold));
+        }
+        const resolved = resolveOverlaps(allSpans);
+        await Promise.all(resolved.map(async (span) => {
+          span.maskedValue = await _encode(span.originalValue, { entityType: span.entityType });
+          allEntities.push({
+            type: span.entityType,
+            value: span.originalValue,
+            method: span.method,
+            confidence: span.confidence,
+            masked_value: span.maskedValue,
+            language: span.language
+          });
+        }));
+        const remaining = reconstruct(text, resolved);
         if (pipeline.includes("nlp")) {
-          const [_newText, tier2] = await this._tier2Nlp(remaining, _encode, boost, !!options.aggressive, confidenceThreshold);
+          const [, tier2] = await this._tier2Nlp(remaining, _encode, boost, !!options.aggressive, confidenceThreshold);
           allEntities.push(...tier2);
         }
         return allEntities;