mask-privacy 3.0.0 → 3.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mask-privacy",
-  "version": "3.0.0",
+  "version": "3.2.0",
   "description": "Enterprise-grade AI Data Loss Prevention (DLP) SDK for TypeScript",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/core/dlp/assessor.ts

@@ -8,40 +8,17 @@
  * Supported language tags:
  *   en — English (default / Latin-only fallback)
  *   es — Spanish
- *   fr — French
- *   de — German
- *   tr — Turkish
- *   ar — Arabic
- *   zh — Chinese
- *   ja — Japanese
  */
 
-export type LanguageTag =
-  | "en" | "es" | "fr" | "de" | "tr" | "ar" | "zh" | "ja";
+export type LanguageTag = "en" | "es";
 
 /**
  * Ordered array of script signatures — more specific blocks are checked first
  * to avoid misclassification (e.g. ş/ğ/ı for Turkish before generic accented-Latin).
  */
 const SCRIPT_SIGNATURES: ReadonlyArray<{ tag: LanguageTag; pattern: RegExp }> = [
-  // CJK / East-Asian — checked first because they are unambiguous
-  { tag: "zh", pattern: /[\u4e00-\u9fff\u3400-\u4dbf]/g },
-  { tag: "ja", pattern: /[\u3040-\u309f\u30a0-\u30ff\u31f0-\u31ff]/g },
-
-  // Arabic script — covers Standard Arabic, Urdu overlap, etc.
-  { tag: "ar", pattern: /[\u0600-\u06ff\u0750-\u077f\u08a0-\u08ff\ufb50-\ufdff\ufe70-\ufeff]/g },
-
-  // Turkish — distinguished by dotless-i (ı), soft-g (ğ), ş, and cedilla ç
-  { tag: "tr", pattern: /[ğıİşŞ]/g },
-
-  // German — umlauts and Eszett
-  { tag: "de", pattern: /[äöüÄÖÜß]/g },
-
   // Spanish — ñ and inverted punctuation
   { tag: "es", pattern: /[ñÑ¡¿]/g },
-
-  // French — cedilla, accented vowels with circumflex / diaeresis
-  { tag: "fr", pattern: /[àâçéèêëïîôùûüÿœæ]/gi },
 ];
 
 export interface LanguageBreakdown {
@@ -57,8 +34,8 @@ export interface LanguageBreakdown {
  * @example
  * ```ts
  * const resolver = new LanguageContextResolver();
- * const tag = resolver.resolve("Merhaba, TC Kimlik Numaram 12345678901");
- * // tag === "tr"
+ * const tag = resolver.resolve("Hola, mi DNI es 12345678Z");
+ * // tag === "es"
  * ```
  */
 export class LanguageContextResolver {

package/src/core/dlp/handlers.ts

@@ -146,44 +146,56 @@ export function checkIpv4Octets(raw: string): boolean {
   return true;
 }
 
-// ── Turkish TCID (11-digit Kimlik No) ──────────────────────────────────────
+// ── Canadian SIN (Luhn-9) ──────────────────────────────────────────────────
 
-export function checkTcidNumber(raw: string): boolean {
-  const digitsStr = raw.replace(/\D/g, "");
-  if (digitsStr.length !== 11) return false;
-  const d = digitsStr.split("").map(Number);
-  if (d[0] === 0) return false;
-  if (d[10] % 2 !== 0) return false;
+export function checkCaSin(raw: string): boolean {
+  const digits = raw.replace(/\D/g, "");
+  if (digits.length !== 9) return false;
+  
+  let total = 0;
+  for (let idx = 0; idx < digits.length; idx++) {
+    let val = parseInt(digits[idx], 10);
+    if (idx % 2 === 1) { // 1st is 0, 2nd is 1...
+      val *= 2;
+      if (val > 9) val -= 9;
+    }
+    total += val;
+  }
+  return total % 10 === 0;
+}
 
-  const oddSum = d[0] + d[2] + d[4] + d[6] + d[8];
-  const evenSum = d[1] + d[3] + d[5] + d[7];
-  const computedD10 = ((oddSum * 7 - evenSum) % 10 + 10) % 10;
-  if (computedD10 !== d[9]) return false;
+// ── UK National Insurance Number (NINO) ────────────────────────────────────
 
-  const firstTenSum = d.slice(0, 10).reduce((a, b) => a + b, 0);
-  if (firstTenSum % 10 !== d[10]) return false;
+const UK_NINO_REGEX = /^(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z]{2}[0-9]{6}[A-D]$/;
 
-  return true;
+export function checkUkNino(raw: string): boolean {
+  const cleaned = raw.replace(/ /g, "").toUpperCase();
+  if (cleaned.length !== 9) return false;
+  return UK_NINO_REGEX.test(cleaned);
 }
 
-// ── Saudi National ID (10-digit, starts with 1) ────────────────────────────
+// ── Spanish DNI/NIE (8 digits + 1 letter) ───────────────────────────────────
 
-export function checkSaudiNid(raw: string): boolean {
-  const digitsStr = raw.replace(/\D/g, "");
-  if (digitsStr.length !== 10) return false;
-  const d = digitsStr.split("").map(Number);
-  if (d[0] !== 1) return false;
+export function checkEsId(raw: string): boolean {
+  const cleaned = raw.replace(/[\s-]/g, "").toUpperCase();
+  if (cleaned.length !== 9) return false;
 
-  let total = 0;
-  for (let idx = 0; idx < 10; idx++) {
-    let val = d[idx];
-    if (idx % 2 === 0) { // 0-indexed odd positions
-      val *= 2;
-      if (val > 9) val -= 9;
-    }
-    total += val;
+  const mapping: Record<string, string> = { X: "0", Y: "1", Z: "2" };
+  const firstChar = cleaned[0];
+  let numStr: string;
+
+  if (firstChar in mapping) {
+    numStr = mapping[firstChar] + cleaned.slice(1, 8);
+  } else if (/^\d$/.test(firstChar)) {
+    numStr = cleaned.slice(0, 8);
+  } else {
+    return false;
   }
-  return total % 10 === 0;
+
+  if (!/^\d+$/.test(numStr)) return false;
+  const num = parseInt(numStr, 10);
+  const validLetters = "TRWAGMYFPDXBNJZSQVHLCKE";
+  return cleaned[8] === validLetters[num % 23];
 }
 
 // ── Dispatcher ─────────────────────────────────────────────────────────────
@@ -198,8 +210,9 @@ const VALIDATOR_DISPATCH: Record<string, ValidatorFn> = {
   vin_format: checkVinFormat,
   btc_format: checkBtcFormat,
   ipv4: checkIpv4Octets,
-  tcid: checkTcidNumber,
-  saudi_nid: checkSaudiNid,
+  ca_sin: checkCaSin,
+  uk_nino: checkUkNino,
+  es_id: checkEsId,
 };
 
 /**

package/src/core/dlp/index.ts

@@ -21,8 +21,6 @@ export {
   checkVinFormat,
   checkBtcFormat,
   checkIpv4Octets,
-  checkTcidNumber,
-  checkSaudiNid,
 } from "./handlers";
 
 export { DLPConfidenceScorer } from "./scorer";

package/src/core/dlp/registry.ts

@@ -33,40 +33,20 @@ export interface PatternDescriptor {
   baseRisk: number;
   category: SensitiveCategory;
   validatorTag: string | null;
+  isHighEntropy: boolean;
+  supportedLocales: string[];
 }
 
 // ── Locale-specific auxiliary patterns ──────────────────────────────────────
 
 export const LOCALE_NAME_RULES: Record<string, RegExp[]> = {
   en: [
-    /\b[A-Z][a-z]+ [A-Z][a-z]+(?:\s+[A-Z][a-z]+)?\b/g,
-    /\b(?:Mr|Mrs|Ms|Dr|Prof)\.?\s+[A-Z][a-z]+\b/g,
+    /\b[A-Z][a-z\-\']+ [A-Z][a-z\-\']+(?:\s+[A-Z][a-z\-\']+)?\b/g,
+    /\b(?:Mr|Mrs|Ms|Dr|Prof)\.?\s+[A-Z][a-z\-\']+\b/g,
   ],
   es: [
-    /\b[A-Z][a-záéíóúñ]+ [A-Z][a-záéíóúñ]+(?:\s+[A-Z][a-záéíóúñ]+)?\b/g,
-    /\b(?:Sr|Sra|Srta)\.?\s+[A-Z][a-záéíóúñ]+\b/g,
-  ],
-  fr: [
-    /\b[A-Z][a-zàâçéèêëïîôùûü]+ [A-Z][a-zàâçéèêëïîôùûü]+\b/g,
-    /\b(?:M|Mme|Mlle)\.?\s+[A-Z][a-zàâçéèêëïîôùûü]+\b/g,
-  ],
-  de: [
-    /\b[A-Z][a-zäöüß]+ [A-Z][a-zäöüß]+\b/g,
-    /\b(?:Herr|Frau)\.?\s+[A-Z][a-zäöüß]+\b/g,
-  ],
-  tr: [
-    /\b[A-ZÇĞİÖŞÜ][a-zçğıöşü]+ [A-ZÇĞİÖŞÜ][a-zçğıöşü]+\b/g,
-    /\b(?:Bay|Bayan|Sayın)\.?\s+[A-ZÇĞİÖŞÜ][a-zçğıöşü]+\b/g,
-  ],
-  ar: [
-    /[\u0621-\u064a][\u0600-\u06ff]+ [\u0621-\u064a][\u0600-\u06ff]+/g,
-    /(?:أبو|أم|ابن|بنت)\s+[\u0621-\u064a][\u0600-\u06ff]+/gi,
-  ],
-  ja: [
-    /\b[A-Z][a-z]+(?:moto|yama|kawa|mura|ta|da|shi|no)\s+[A-Z][a-z]+\b/g,
-  ],
-  zh: [
-    /\b[A-Z][a-z]{1,3}\s+[A-Z][a-z]+\b/g,
+    /\b[A-Z][a-záéíóúñ\-\']+ [A-Z][a-záéíóúñ\-\']+(?:\s+[A-Z][a-záéíóúñ\-\']+)?\b/g,
+    /\b(?:Sr|Sra|Srta)\.?\s+[A-Z][a-záéíóúñ\-\']+\b/g,
   ],
 };
 
@@ -75,26 +55,8 @@ export const LOCALE_ADDRESS_RULES: Record<string, RegExp[]> = {
     /\b\d{1,5}\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*\s+(?:Street|St|Avenue|Ave|Road|Rd|Boulevard|Blvd|Lane|Ln|Drive|Dr|Court|Ct|Way)\b/g,
     /\b[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*,\s*[A-Z]{2}\s+\d{5}(?:-\d{4})?\b/g,
   ],
-  fr: [
-    /\b\d{1,4}\s+(?:rue|avenue|boulevard|place|chemin)\s+[A-ZÀ-ÖØ-Ý][a-zà-öø-ÿ]+\b/gi,
-  ],
-  de: [
-    /\b[A-ZÄÖÜa-zäöüß]+(?:straße|strasse|weg|gasse|platz)\s+\d{1,4}\b/g,
-  ],
-  tr: [
-    /\b[A-ZÇĞİÖŞÜa-zçğıöşü]+\s+(?:Cad|Sok|Mah)\.?\s+/gi,
-    /\b\d{5}\s+[A-ZÇĞİÖŞÜa-zçğıöşü]+\/[A-ZÇĞİÖŞÜa-zçğıöşü]+\b/g,
-  ],
-  ar: [
-    /شارع\s+[\u0600-\u06ff]+/g,
-    /حي\s+[\u0600-\u06ff]+/g,
-    /(?:ص\.ب|P\.?O\.?\s*Box)\s*\d{3,6}/gi,
-  ],
-  uk_postcode: [
-    /\b[A-Z]{1,2}\d{1,2}[A-Z]?\s*\d[A-Z]{2}\b/g,
-  ],
-  ca_postal: [
-    /\b[A-Z]\d[A-Z]\s*\d[A-Z]\d\b/g,
+  es: [
+    /\b(?:Calle|Carrera|Avenida|Paseo|Plaza)\s+[A-ZÀ-ÖØ-Ý][a-zà-öø-ÿ]+\b/gi,
   ],
 };
 
@@ -102,117 +64,106 @@ export const LOCALE_ADDRESS_RULES: Record<string, RegExp[]> = {
 
 type RawEntry = [
   typeName: string,
-  regexStr: string,
-  flags: string,
+  regexSource: string | RegExp,
   terms: string[],
   risk: number,
-  cat: SensitiveCategory,
-  vtag: string | null,
+  category: SensitiveCategory,
+  validatorTag: string | null,
+  isHighEntropy?: boolean,
+  supportedLocales?: string[],
 ];
 
 const RAW_PATTERNS: RawEntry[] = [
   // ── FINANCIAL ──────────────────────────────────────────────────────
-  ["US_SSN", "\\b(?!000|666|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0000)\\d{4}\\b", "g",
+  ["US_SSN", "\\b(?!000|666|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0000)\\d{4}\\b",
     ["ssn", "social security", "tax id", "taxpayer"], 0.95, SensitiveCategory.FINANCIAL, "ssn_area"],
 
-  ["CREDIT_CARD_NUMBER", "\\b(?:4\\d{3}|5[1-5]\\d{2}|3[47]\\d{2}|6(?:011|5\\d{2}))[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}\\b", "g",
+  ["CREDIT_CARD_NUMBER", "\\b(?:4\\d{3}|5[1-5]\\d{2}|3[47]\\d{2}|6(?:011|5\\d{2}))[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}\\b",
     ["card", "credit", "visa", "mastercard", "amex", "payment"], 0.97, SensitiveCategory.FINANCIAL, "luhn"],
 
-  ["INTL_BANK_IBAN", "\\b[A-Z]{2}\\d{2}[A-Z0-9]{4}\\d{7}[A-Z0-9]{0,16}\\b", "g",
+  ["INTL_BANK_IBAN", "\\b[A-Z]{2}\\d{2}[A-Z0-9]{4}\\d{7}[A-Z0-9]{0,16}\\b",
     ["iban", "swift", "sepa", "wire", "bank transfer"], 0.96, SensitiveCategory.FINANCIAL, "iban"],
 
-  ["CRYPTO_BTC", "\\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\\b", "g",
+  ["CRYPTO_BTC", "\\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\\b",
     ["bitcoin", "btc", "wallet", "crypto"], 0.94, SensitiveCategory.FINANCIAL, "btc_format"],
 
-  ["CRYPTO_ETH", "\\b0x[a-fA-F0-9]{40}\\b", "g",
+  ["CRYPTO_ETH", "\\b0x[a-fA-F0-9]{40}\\b",
     ["ethereum", "eth", "wallet", "0x"], 0.93, SensitiveCategory.FINANCIAL, null],
 
-  ["US_ABA_ROUTING", "\\b\\d{9}\\b", "g",
+  ["US_ABA_ROUTING", /(?<!\d)\d{9}(?!\d)/,
     ["routing", "aba", "wire", "bank"], 0.88, SensitiveCategory.FINANCIAL, "aba_check"],
 
-  ["BANK_ACCT_NUM", "\\b\\d{8,17}\\b", "g",
-    ["account", "checking", "savings", "deposit", "bank"], 0.83, SensitiveCategory.FINANCIAL, null],
+  ["BANK_ACCT_NUM", /(?<!\d)\d{8,17}(?!\d)/,
+    ["account", "checking", "savings", "deposit", "bank"], 0.50, SensitiveCategory.FINANCIAL, "luhn_soft"],
 
-  ["SWIFT_BIC", "\\b[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\\b", "gi",
+  ["SWIFT_BIC", "\\b[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\\b",
     ["swift", "bic", "bank code", "transfer"], 0.60, SensitiveCategory.FINANCIAL, null],
 
   // ── CONTACT ────────────────────────────────────────────────────────
-  ["EMAIL_ADDR", "\\b[A-Za-z0-9._%+\\-]+@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}\\b", "g",
+  ["EMAIL_ADDR", "\\b[A-Za-z0-9._%+\\-]+@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}\\b",
     ["email", "mail", "contact", "address"], 0.99, SensitiveCategory.CONTACT, null],
 
-  ["PHONE_NUM", "(?:\\+?[1-9]\\d{0,3}[-.\\s]?)?\\(?\\d{1,4}\\)?[-.\\s]?\\d{1,4}[-.\\s]?\\d{1,4}[-.\\s]?\\d{1,9}", "g",
-    ["phone", "call", "mobile", "tel", "whatsapp", "number"], 0.92, SensitiveCategory.CONTACT, null],
+  ["PHONE_NUM", /(?<!\d)(?:\+?[1-9]\d{0,3}[-.\s]?)?\(?\d{1,4}\)?[-.\s]?\d{1,4}[-.\s]?\d{1,4}[-.\s]?\d{1,9}(?!\d)/,
+    ["phone", "call", "mobile", "tel", "whatsapp", "number"], 0.80, SensitiveCategory.CONTACT, null],
 
-  ["PHONE_NUM_INTL", "\\+(?:44|33|49|90|966|971)[-.\\s]?\\(?\\d{1,5}\\)?(?:[-.\\s]?\\d{2,4}){2,4}", "g",
-    ["phone", "call", "mobile", "tel"], 0.93, SensitiveCategory.CONTACT, null],
+  ["PHONE_NUM_INTL", /(?<!\d)\+(?:[1-9]\d{0,3})[-.\s]?\(?\d{1,5}\)?(?:[-.\s]?\d{2,4}){2,4}(?!\d)/,
+    ["phone", "call", "mobile", "tel"], 0.80, SensitiveCategory.CONTACT, null],
 
-  ["IPV4_ADDR", "\\b(?:(?:25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.){3}(?:25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\b", "g",
+  ["IPV4_ADDR", "\\b(?:(?:25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.){3}(?:25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\b",
     ["ip", "server", "host", "network", "address"], 0.94, SensitiveCategory.CONTACT, "ipv4"],
 
-  ["IPV6_ADDR", "\\b(?:[A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}\\b", "g",
+  ["IPV6_ADDR", "\\b(?:[A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}\\b",
     ["ipv6", "ip", "network", "server"], 0.93, SensitiveCategory.CONTACT, null],
 
-  ["HW_MAC_ADDR", "\\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\\b", "g",
+  ["HW_MAC_ADDR", "\\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\\b",
     ["mac", "hardware", "network", "device"], 0.91, SensitiveCategory.CONTACT, null],
 
   // ── PERSONAL ───────────────────────────────────────────────────────
-  ["BIRTH_DATE", "\\b(?:0[1-9]|1[0-2])[/-](?:0[1-9]|[12]\\d|3[01])[/-](?:19|20)\\d{2}\\b", "g",
+  ["BIRTH_DATE", "\\b(?:0[1-9]|1[0-2])[/-](?:0[1-9]|[12]\\d|3[01])[/-](?:19|20)\\d{2}\\b",
     ["birth", "dob", "born", "birthday", "date of birth"], 0.88, SensitiveCategory.PERSONAL, null],
 
-  ["US_DRIVERS_LIC", "\\b(?:[A-Z]\\d{7,12}|\\d{7,12}[A-Z]?)\\b", "g",
-    ["driver", "license", "licence", "dl", "dmv"], 0.85, SensitiveCategory.PERSONAL, null],
+  ["US_DRIVERS_LIC", "\\b(?:[A-Z]\\d{7,12}|\\d{7,12}[A-Z]?)\\b",
+    ["driver", "license", "licence", "dl", "dmv"], 0.55, SensitiveCategory.PERSONAL, null],
 
-  ["US_PASSPORT_NUM", "\\b[A-Z]\\d{8}\\b", "g",
+  ["US_PASSPORT_NUM", "\\b[A-Z]\\d{8}\\b",
     ["passport", "travel", "visa", "immigration"], 0.87, SensitiveCategory.PERSONAL, null],
 
   // ── VEHICLE ────────────────────────────────────────────────────────
-  ["VEHICLE_VIN", "\\b[A-HJ-NPR-Z0-9]{17}\\b", "g",
+  ["VEHICLE_VIN", "\\b[A-HJ-NPR-Z0-9]{17}\\b",
     ["vin", "vehicle", "chassis", "automobile"], 0.92, SensitiveCategory.VEHICLE, "vin_format"],
 
-  ["VEHICLE_PLATE", "\\b[A-Z0-9]{1,3}[\\-\\s][A-Z0-9]{1,4}[\\-\\s][A-Z0-9]{1,4}\\b", "g",
+  ["VEHICLE_PLATE", "\\b[A-Z0-9]{1,3}[\\-\\s][A-Z0-9]{1,4}[\\-\\s][A-Z0-9]{1,4}\\b",
     ["plate", "registration", "vehicle", "plaka"], 0.45, SensitiveCategory.VEHICLE, null],
 
   // ── HEALTHCARE ─────────────────────────────────────────────────────
-  ["MED_RECORD_ID", "\\b(?:MRN|Patient ID|Medical Record)[:\\s]*[A-Z0-9]{6,10}\\b", "g",
+  ["MED_RECORD_ID", "\\b(?:MRN|Patient ID|Medical Record)[:\\s]*[A-Z0-9]{6,10}\\b",
     ["patient", "medical", "record", "mrn", "hospital"], 0.96, SensitiveCategory.HEALTHCARE, null],
 
-  ["US_MEDICARE_ID", "\\b\\d{3}-\\d{2}-\\d{4}[A-Z]\\b", "g",
+  ["US_MEDICARE_ID", "\\b\\d{3}-\\d{2}-\\d{4}[A-Z]\\b",
     ["medicare", "cms", "beneficiary", "health insurance"], 0.91, SensitiveCategory.HEALTHCARE, null],
 
-  ["US_DEA_NUM", "\\b[A-Z]{2}\\d{7}\\b", "g",
+  ["US_DEA_NUM", "\\b[A-Z]{2}\\d{7}\\b",
     ["dea", "prescriber", "drug", "enforcement"], 0.89, SensitiveCategory.HEALTHCARE, null],
 
-  ["US_NPI_NUM", "\\b\\d{10}\\b", "g",
+  ["US_NPI_NUM", "\\b\\d{10}\\b",
     ["npi", "provider", "national provider", "healthcare"], 0.87, SensitiveCategory.HEALTHCARE, null],
 
   // ── IDENTITY_US ────────────────────────────────────────────────────
-  ["US_EIN_TAX", "\\b\\d{2}-\\d{7}\\b", "g",
+  ["US_EIN_TAX", "\\b\\d{2}-\\d{7}\\b",
     ["ein", "federal", "employer", "tax id"], 0.89, SensitiveCategory.IDENTITY_US, null],
 
   // ── IDENTITY_INTL ──────────────────────────────────────────────────
-  ["UK_NATL_INS", "\\b[A-Z]{2}\\d{6}[A-Z]\\b", "g",
-    ["nino", "national insurance", "ni number", "uk"], 0.90, SensitiveCategory.IDENTITY_INTL, null],
-
-  ["CA_SOCIAL_INS", "\\b\\d{3}[-\\s]?\\d{3}[-\\s]?\\d{3}\\b", "g",
-    ["sin", "social insurance", "canada", "canadian"], 0.89, SensitiveCategory.IDENTITY_INTL, null],
-
-  ["FR_INSEE_NUM", "\\b[12]\\d{2}[01]\\d\\d{8}\\d{2}\\b", "g",
-    ["insee", "sécurité sociale", "france", "numéro"], 0.88, SensitiveCategory.IDENTITY_INTL, null],
+  ["UK_NATL_INS", "\\b[A-Z]{2}\\d{6}[A-Z]\\b",
+    ["nino", "national insurance", "ni number", "uk"], 0.90, SensitiveCategory.IDENTITY_INTL, "uk_nino"],
 
-  ["DE_STEUER_ID", "\\b\\d{2}\\s?\\d{3}\\s?\\d{3}\\s?\\d{3}\\b", "g",
-    ["steuer", "steuernummer", "finanzamt", "deutschland"], 0.87, SensitiveCategory.IDENTITY_INTL, null],
+  ["CA_SOCIAL_INS", "\\b\\d{3}[-\\s]?\\d{3}[-\\s]?\\d{3}\\b",
+    ["sin", "social insurance", "canada", "canadian"], 0.89, SensitiveCategory.IDENTITY_INTL, "ca_sin"],
 
-  ["TR_TCID", "\\b[1-9]\\d{9}[02468]\\b", "g",
-    ["tc", "kimlik", "vatandaşlık", "nüfus", "türkiye"], 0.92, SensitiveCategory.IDENTITY_INTL, "tcid"],
-
-  ["SA_NATIONAL_ID", "\\b1\\d{9}\\b", "g",
-    ["هوية", "رقم الهوية", "saudi", "وطنية", "identity"], 0.91, SensitiveCategory.IDENTITY_INTL, "saudi_nid"],
-
-  ["UAE_EMIRATES_ID", "\\b784-\\d{4}-\\d{7}-\\d\\b", "g",
-    ["emirates", "هوية", "uae", "emirati", "identity"], 0.93, SensitiveCategory.IDENTITY_INTL, "luhn"],
+  ["ES_DNI", "(?:\\d{8}[A-Z]|[XYZ]\\d{7}[A-Z])",
+    ["dni", "nie", "identidad", "nif", "spain"], 0.94, SensitiveCategory.IDENTITY_INTL, "es_id", true, ["*", "es"]],
 
   // ── CORPORATE ──────────────────────────────────────────────────────
-  ["CORP_EMPLOYEE_ID", "\\b(?:EMP|EMPLOYEE|ID)[:\\s]?[A-Z0-9]{5,10}\\b", "gi",
+  ["CORP_EMPLOYEE_ID", "(?:EMP|EMPLOYEE|ID)[:\\s]?[A-Z0-9]{5,10}",
     ["employee", "staff", "personnel", "worker"], 0.55, SensitiveCategory.CORPORATE, null],
 ];
 
@@ -220,18 +171,16 @@ const RAW_PATTERNS: RawEntry[] = [
 
 /**
  * Immutable catalogue of sensitive-data regex signatures.
- *
- * @example
- * ```ts
- * const reg = new DLPPatternRegistry(); // load everything
- * const reg = new DLPPatternRegistry(new Set([SensitiveCategory.FINANCIAL]));
- * ```
  */
 export class DLPPatternRegistry {
   private readonly catalogue: Map<string, PatternDescriptor> = new Map();
+  private readonly localeCategoryRegexMap: Map<string, Map<string, { re: RegExp; typeOrder: string[] }>> = new Map();
 
   constructor(loadGroups?: ReadonlySet<SensitiveCategory>) {
     this.buildCatalogue(loadGroups ?? null);
+    for (const loc of ["*", "en", "es"]) {
+      this.compileForLocale(loc);
+    }
   }
 
   get typeNames(): string[] {
@@ -247,25 +196,88 @@ export class DLPPatternRegistry {
     return this.catalogue.get(typeName);
   }
 
-  /** Return locale-tuned name regexes, falling back to English. */
   namePatternsFor(lang: LanguageTag | string): RegExp[] {
     return LOCALE_NAME_RULES[lang] ?? LOCALE_NAME_RULES["en"];
   }
 
-  /** Return locale-tuned address regexes, falling back to English. */
   addressPatternsFor(lang: LanguageTag | string): RegExp[] {
     return LOCALE_ADDRESS_RULES[lang] ?? LOCALE_ADDRESS_RULES["en"];
   }
 
+  getCategoryRegexesMap(locale: string = "en"): Map<string, { re: RegExp; typeOrder: string[] }> {
+    if (!this.localeCategoryRegexMap.has(locale)) {
+      this.compileForLocale(locale);
+    }
+    return this.localeCategoryRegexMap.get(locale)!;
+  }
+
+  getCategoryTypeMap(categoryName: string, locale: string = "en"): string[] {
+    return this.localeCategoryRegexMap.get(locale)?.get(categoryName)?.typeOrder ?? [];
+  }
+
+  private compileForLocale(locale: string): void {
+    const localePool = new Map<string, [string, PatternDescriptor][]>();
+
+    for (const [typeName, desc] of this.catalogue.entries()) {
+      if (desc.supportedLocales.includes("*") || desc.supportedLocales.includes(locale)) {
+        const catKey = desc.category;
+        if (!localePool.has(catKey)) localePool.set(catKey, []);
+        localePool.get(catKey)!.push([typeName, desc]);
+      }
+    }
+
+    const categoryMap = new Map<string, { re: RegExp; typeOrder: string[] }>();
+
+    for (const [catKey, entries] of localePool.entries()) {
+      entries.sort(([, a], [, b]) => {
+        const aVal = a.validatorTag ? 0 : 1;
+        const bVal = b.validatorTag ? 0 : 1;
+        if (aVal !== bVal) return aVal - bVal;
+        return b.compiledRe.source.length - a.compiledRe.source.length;
+      });
+
+      const parts: string[] = [];
+      const typeOrder: string[] = [];
+      for (const [typeName, desc] of entries) {
+        parts.push(`(?<${typeName}>${desc.compiledRe.source})`);
+        typeOrder.push(typeName);
+      }
+
+      const combinedSource = parts.join('|');
+      const needsI = entries.some(([, d]) => d.compiledRe.flags.includes('i'));
+      const flags = needsI ? 'gi' : 'g';
+
+      try {
+        const re = new RegExp(combinedSource, flags);
+        categoryMap.set(catKey, { re, typeOrder });
+      } catch (err) {
+        console.error(`[DLPPatternRegistry] Locale [${locale}] category [${catKey}] failed:`, err);
+      }
+    }
+
+    this.localeCategoryRegexMap.set(locale, categoryMap);
+  }
+
   private buildCatalogue(restrict: ReadonlySet<SensitiveCategory> | null): void {
-    for (const [typeName, regexStr, flags, terms, risk, cat, vtag] of RAW_PATTERNS) {
+    for (const entry of RAW_PATTERNS) {
+      const [typeName, regexSource, terms, risk, cat, vtag, isHighEntropy, supportedLocales] = entry;
       if (restrict !== null && !restrict.has(cat)) continue;
+
+      let re: RegExp;
+      if (regexSource instanceof RegExp) {
+        re = regexSource;
+      } else {
+        re = new RegExp(regexSource, "g");
+      }
+
       this.catalogue.set(typeName, {
-        compiledRe: new RegExp(regexStr, flags),
+        compiledRe: re,
         proximityTerms: new Set(terms),
         baseRisk: risk,
         category: cat,
         validatorTag: vtag,
+        isHighEntropy: isHighEntropy ?? (vtag !== null),
+        supportedLocales: supportedLocales ?? ["*"],
       });
     }
   }

package/src/core/dlp/scorer.ts

@@ -23,7 +23,7 @@ const DEFAULT_CONFIG: Required<ScorerConfig> = {
   keywordBoost: 0.10,
   validatorOverride: 0.99,
   maxConfidence: 0.99,
-  penaltyFactor: 0.65,
+  penaltyFactor: 0.99, // Renamed functionally to validator failure penalty subtraction
 };
 
 export interface ScoreInput {
@@ -45,8 +45,8 @@ export interface ScoreInput {
  *   baseRisk: 0.92,
  *   matchStart: 10,
  *   matchEnd: 21,
- *   fullText: "TC Kimlik No: 10000000146",
- *   proximityTerms: new Set(["kimlik", "tc"]),
+ *   fullText: "Mi número de DNI es 12345678Z",
+ *   proximityTerms: new Set(["dni", "número"]),
  *   validatorPassed: true,
  * });
  * // score === 0.99 (validator override)
@@ -77,7 +77,7 @@ export class DLPConfidenceScorer {
     // Hard-validator short-circuits
     if (input.validatorPassed === true) return this.valOverride;
     if (input.validatorPassed === false) {
-      return Math.min(this.ceil, input.baseRisk * this.penalty);
+      return Math.max(0.0, input.baseRisk - this.penalty);
     }
 
     // Extract the context window around the match