mask-privacy 3.2.0 → 3.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mask-privacy",
-  "version": "3.2.0",
+  "version": "3.4.0",
   "description": "Enterprise-grade AI Data Loss Prevention (DLP) SDK for TypeScript",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/core/dlp/handlers.ts

@@ -198,12 +198,58 @@ export function checkEsId(raw: string): boolean {
   return cleaned[8] === validLetters[num % 23];
 }
 
+// ── Spanish Social Security (NUSS) ──────────────────────────────────────────
+
+export function checkEsNuss(raw: string): boolean {
+  const digits = raw.replace(/\D/g, "");
+  if (digits.length !== 12) return false;
+
+  const a = parseInt(digits.slice(0, 2), 10);   // Province
+  const b = parseInt(digits.slice(2, 10), 10);  // Number
+  const c = parseInt(digits.slice(10), 10);     // Control
+
+  let check: number;
+  if (b < 10000000) {
+    check = (a * 10000000 + b) % 97;
+  } else {
+    check = Number(BigInt(digits.slice(0, 10)) % 97n);
+  }
+
+  return check === c;
+}
+
+// ── Spanish Bank Account (CCC) ──────────────────────────────────────────────
+
+export function checkEsCcc(raw: string): boolean {
+  const digits = raw.replace(/\D/g, "");
+  if (digits.length !== 20) return false;
+
+  const weights = [1, 2, 4, 8, 5, 10, 9, 7, 3, 6];
+
+  const calcDigit = (block: string): number => {
+    let s = 0;
+    for (let i = 0; i < block.length; i++) {
+      s += parseInt(block[i], 10) * weights[i];
+    }
+    let rem = 11 - (s % 11);
+    if (rem === 10) return 1;
+    if (rem === 11) return 0;
+    return rem;
+  };
+
+  const d1 = calcDigit("00" + digits.slice(0, 8));
+  const d2 = calcDigit(digits.slice(10));
+
+  return parseInt(digits[8], 10) === d1 && parseInt(digits[9], 10) === d2;
+}
+
 // ── Dispatcher ─────────────────────────────────────────────────────────────
 
 type ValidatorFn = (raw: string) => boolean;
 
 const VALIDATOR_DISPATCH: Record<string, ValidatorFn> = {
   luhn: checkLuhn,
+  luhn_soft: checkLuhn,
   ssn_area: checkSsnArea,
   iban: checkIbanStructure,
   aba_check: checkAbaRouting,
@@ -213,6 +259,8 @@ const VALIDATOR_DISPATCH: Record<string, ValidatorFn> = {
   ca_sin: checkCaSin,
   uk_nino: checkUkNino,
   es_id: checkEsId,
+  es_nuss: checkEsNuss,
+  es_ccc: checkEsCcc,
 };
 
 /**

package/src/core/dlp/registry.ts

@@ -79,10 +79,10 @@ const RAW_PATTERNS: RawEntry[] = [
     ["ssn", "social security", "tax id", "taxpayer"], 0.95, SensitiveCategory.FINANCIAL, "ssn_area"],
 
   ["CREDIT_CARD_NUMBER", "\\b(?:4\\d{3}|5[1-5]\\d{2}|3[47]\\d{2}|6(?:011|5\\d{2}))[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}\\b",
-    ["card", "credit", "visa", "mastercard", "amex", "payment"], 0.97, SensitiveCategory.FINANCIAL, "luhn"],
+    ["card", "credit", "visa", "mastercard", "amex", "payment", "tarjeta", "credito", "debito", "pago"], 0.97, SensitiveCategory.FINANCIAL, "luhn"],
 
   ["INTL_BANK_IBAN", "\\b[A-Z]{2}\\d{2}[A-Z0-9]{4}\\d{7}[A-Z0-9]{0,16}\\b",
-    ["iban", "swift", "sepa", "wire", "bank transfer"], 0.96, SensitiveCategory.FINANCIAL, "iban"],
+    ["iban", "swift", "sepa", "wire", "bank transfer", "cuenta", "banco", "transferencia"], 0.96, SensitiveCategory.FINANCIAL, "iban"],
 
   ["CRYPTO_BTC", "\\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\\b",
     ["bitcoin", "btc", "wallet", "crypto"], 0.94, SensitiveCategory.FINANCIAL, "btc_format"],
@@ -96,15 +96,18 @@ const RAW_PATTERNS: RawEntry[] = [
   ["BANK_ACCT_NUM", /(?<!\d)\d{8,17}(?!\d)/,
     ["account", "checking", "savings", "deposit", "bank"], 0.50, SensitiveCategory.FINANCIAL, "luhn_soft"],
 
+  ["ES_CCC", "\\b\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{2}[-\\s]?\\d{10}\\b",
+    ["cuenta", "ccc", "banco", "sucursal", "entidad", "codigo cuenta cliente"], 0.90, SensitiveCategory.FINANCIAL, "es_ccc", true, ["*", "es"]],
+
   ["SWIFT_BIC", "\\b[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\\b",
     ["swift", "bic", "bank code", "transfer"], 0.60, SensitiveCategory.FINANCIAL, null],
 
   // ── CONTACT ────────────────────────────────────────────────────────
   ["EMAIL_ADDR", "\\b[A-Za-z0-9._%+\\-]+@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}\\b",
-    ["email", "mail", "contact", "address"], 0.99, SensitiveCategory.CONTACT, null],
+    ["email", "mail", "contact", "address", "correo", "electronico"], 0.99, SensitiveCategory.CONTACT, null],
 
-  ["PHONE_NUM", /(?<!\d)(?:\+?[1-9]\d{0,3}[-.\s]?)?\(?\d{1,4}\)?[-.\s]?\d{1,4}[-.\s]?\d{1,4}[-.\s]?\d{1,9}(?!\d)/,
-    ["phone", "call", "mobile", "tel", "whatsapp", "number"], 0.80, SensitiveCategory.CONTACT, null],
+  ["PHONE_NUM", /(?<!\d)(?:\+?[1-9]\d{0,3}[-.\s]?)?\(?\d{1,4}\)?[-.\s]?\d{1,4}[-.\s]?\d{1,4}[-.\s]?\d{1,4}[-.\s]?\d{1,9}(?!\d)/,
+    ["phone", "call", "mobile", "tel", "whatsapp", "number", "teléfono", "telefono", "movil", "celular", "llamada"], 0.80, SensitiveCategory.CONTACT, null],
 
   ["PHONE_NUM_INTL", /(?<!\d)\+(?:[1-9]\d{0,3})[-.\s]?\(?\d{1,5}\)?(?:[-.\s]?\d{2,4}){2,4}(?!\d)/,
     ["phone", "call", "mobile", "tel"], 0.80, SensitiveCategory.CONTACT, null],
@@ -119,8 +122,8 @@ const RAW_PATTERNS: RawEntry[] = [
     ["mac", "hardware", "network", "device"], 0.91, SensitiveCategory.CONTACT, null],
 
   // ── PERSONAL ───────────────────────────────────────────────────────
-  ["BIRTH_DATE", "\\b(?:0[1-9]|1[0-2])[/-](?:0[1-9]|[12]\\d|3[01])[/-](?:19|20)\\d{2}\\b",
-    ["birth", "dob", "born", "birthday", "date of birth"], 0.88, SensitiveCategory.PERSONAL, null],
+  ["BIRTH_DATE", "\\b(?:(?:0[1-9]|1[0-2])[/-](?:0[1-9]|[12]\\d|3[01])[/-](?:19|20)\\d{2}|(?:19|20)\\d{2}[/-](?:0[1-9]|1[0-2])[/-](?:0[1-9]|[12]\\d|3[01]))\\b",
+    ["birth", "dob", "born", "birthday", "date of birth", "nacimiento", "fecha", "cumpleaños"], 0.88, SensitiveCategory.PERSONAL, null],
 
   ["US_DRIVERS_LIC", "\\b(?:[A-Z]\\d{7,12}|\\d{7,12}[A-Z]?)\\b",
     ["driver", "license", "licence", "dl", "dmv"], 0.55, SensitiveCategory.PERSONAL, null],
@@ -162,6 +165,9 @@ const RAW_PATTERNS: RawEntry[] = [
   ["ES_DNI", "(?:\\d{8}[A-Z]|[XYZ]\\d{7}[A-Z])",
     ["dni", "nie", "identidad", "nif", "spain"], 0.94, SensitiveCategory.IDENTITY_INTL, "es_id", true, ["*", "es"]],
 
+  ["ES_NUSS", "\\b\\d{2}[-\\s]?\\d{8}[-\\s]?\\d{2}\\b",
+    ["seguridad social", "nuss", "naf", "afiliacion"], 0.90, SensitiveCategory.IDENTITY_INTL, "es_nuss", true, ["*", "es"]],
+
   // ── CORPORATE ──────────────────────────────────────────────────────
   ["CORP_EMPLOYEE_ID", "(?:EMP|EMPLOYEE|ID)[:\\s]?[A-Z0-9]{5,10}",
     ["employee", "staff", "personnel", "worker"], 0.55, SensitiveCategory.CORPORATE, null],

package/src/core/scanner.ts

@@ -27,31 +27,12 @@ const _dlpPatternRegistry = new DLPPatternRegistry();
 const _dlpValidationEngine = new DLPValidationEngine();
 const _dlpConfidenceScorer = new DLPConfidenceScorer();
 
-/** Regex patterns for Tier 1 deterministic detection */
-export const REGEX_PATTERNS: Record<string, RegExp> = {
-  "EMAIL_ADDRESS": /[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+/g,
-  "PHONE_NUMBER": /(?<!\d)(?:\+?1?[\s\-.]?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}|\d{3}[\s\-.]?\d{4})(?!\d)/g,
-  "PHONE_NUMBER_INTL": /(?<!\d)\+(?:[1-9]\d{0,3})[-.\s]?\(?\d{1,5}\)?(?:[-.\s]?\d{2,4}){2,4}(?!\d)/g,
-  "US_SSN": /(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)/g,
-  "CREDIT_CARD": /(?<!\d)(?:\d{4}[ \-]?){3}\d{4}(?!\d)/g,
-  "US_ROUTING_NUMBER": /(?<!\d)\d{9}(?!\d)/g,
-  "US_PASSPORT": /\b[A-Z]\d{8}\b/g,
-  "DATE_OF_BIRTH": /\b(?:0[1-9]|1[0-2])\/(?:0[1-9]|[12]\d|3[01])\/(?:19|20)\d{2}\b|\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b/g,
-};
-
-/** Keywords whose presence boosts detection aggressiveness */
-export const CONTEXT_KEYWORDS = new Set([
-  "account number", "ssn", "phone", "credit card",
-  "iban", "bank", "email", "pii", "personal info",
-]);
-
 export class BaseScanner {
   protected _supportedEntities: string[];
 
   constructor() {
     this._supportedEntities = [
-      "EMAIL_ADDRESS", "PHONE_NUMBER", "US_SSN", "CREDIT_CARD",
-      "US_BANK_NUMBER", "CRYPTO", "IBAN_CODE", "IP_ADDRESS", "PERSON",
+      "PERSON", "LOCATION", "ORGANIZATION",
     ];
   }
 
@@ -190,32 +171,17 @@ export class BaseScanner {
     return [reconstruct(text, resolved), entities];
   }
 
+  /** Tier 1 — Deterministic detection (Legacy: Redirected to DLP) */
   protected async _tier1CollectSpans(
     text: string,
     boostEntities: Set<string>,
     aggressive: boolean,
     confidenceThreshold: number,
   ): Promise<Span[]> {
-    const spans: Span[] = [];
-    for (const [entityType, pattern] of Object.entries(REGEX_PATTERNS)) {
-      const re = new RegExp(pattern.source, pattern.flags);
-      let match: RegExpExecArray | null;
-      while ((match = re.exec(text)) !== null) {
-        const val = match[0];
-        if (looksLikeToken(val)) continue;
-        let confidence = (aggressive || boostEntities.has(entityType.toLowerCase().replace(/_/g, ' '))) ? 1.0 : 0.95;
-        if (entityType === 'CREDIT_CARD' && BaseScanner._luhnChecksum(val)) confidence = Math.max(confidence, 0.99);
-        if (entityType === 'US_ROUTING_NUMBER' && !BaseScanner._abaChecksum(val)) continue;
-        if (confidence >= confidenceThreshold) {
-          spans.push({ start: match.index, end: match.index + val.length,
-            entityType, originalValue: val, confidence, method: 'regex' });
-        }
-      }
-    }
-    return spans;
+    return this._tier0CollectSpans(text, confidenceThreshold);
   }
 
-  /** Backward-compat wrapper. */
+  /** Backward-compat wrapper. Redirected to DLP. */
   protected async _tier1Regex(
     text: string,
     encodeFn: (val: string, options?: any) => Promise<string>,
@@ -223,15 +189,7 @@ export class BaseScanner {
     aggressive: boolean,
     confidenceThreshold: number,
   ): Promise<[string, any[]]> {
-    const spans = await this._tier1CollectSpans(text, boostEntities, aggressive, confidenceThreshold);
-    const resolved = resolveOverlaps(spans);
-    const entities: any[] = [];
-    await Promise.all(resolved.map(async (span) => {
-      span.maskedValue = await encodeFn(span.originalValue, { entityType: span.entityType });
-      entities.push({ type: span.entityType, value: span.originalValue,
-        method: span.method, confidence: span.confidence, masked_value: span.maskedValue });
-    }));
-    return [reconstruct(text, resolved), entities];
+    return this._tier0Dlp(text, encodeFn, confidenceThreshold);
   }
 
   protected async _tier2Nlp(
@@ -248,8 +206,14 @@ export class BaseScanner {
     if (!context) return new Set();
     const lowered = context.toLowerCase();
     const boosted = new Set<string>();
-    for (const kw of CONTEXT_KEYWORDS) {
-      if (lowered.includes(kw)) boosted.add(kw);
+    // Scan registry descriptors to see if any proximity terms match the context
+    for (const [, desc] of _dlpPatternRegistry.iterDescriptors()) {
+      for (const term of desc.proximityTerms) {
+        if (lowered.includes(term)) {
+          boosted.add(desc.category.toLowerCase());
+          break;
+        }
+      }
     }
     return boosted;
   }
@@ -266,7 +230,7 @@ export class BaseScanner {
   ): Promise<string> {
     if (!text || typeof text !== 'string') return text;
 
-    const pipeline = options.pipeline || ['dlp', 'regex', 'checksum', 'nlp'];
+    const pipeline = options.pipeline || ['dlp', 'nlp'];
     const _encode = options.encodeFn || encode;
     const confidenceThreshold = options.confidenceThreshold ?? 0.7;
     const boost = this._resolveBoost(options.context);
@@ -274,12 +238,9 @@ export class BaseScanner {
     // ── Span-accumulation phase (no string mutation) ─────────────────────
     const allSpans: Span[] = [];
 
-    if (pipeline.includes('dlp')) {
+    if (pipeline.includes('dlp') || pipeline.includes('regex') || pipeline.includes('checksum')) {
       allSpans.push(...await this._tier0CollectSpans(text, confidenceThreshold));
     }
-    if (pipeline.includes('regex') || pipeline.includes('checksum')) {
-      allSpans.push(...await this._tier1CollectSpans(text, boost, !!options.aggressive, confidenceThreshold));
-    }
 
     // ── Single-pass resolve + reconstruct ────────────────────────────────
     const resolved = resolveOverlaps(allSpans);
@@ -308,7 +269,7 @@ export class BaseScanner {
   ): Promise<any[]> {
     if (!text || typeof text !== 'string') return [];
 
-    const pipeline = options.pipeline || ['dlp', 'regex', 'checksum', 'nlp'];
+    const pipeline = options.pipeline || ['dlp', 'nlp'];
     const _encode = options.encodeFn || encode;
     const confidenceThreshold = options.confidenceThreshold ?? 0.7;
     const boost = this._resolveBoost(options.context);
@@ -316,12 +277,9 @@ export class BaseScanner {
 
     // ── Span-accumulation phase ──────────────────────────────────────────
     const allSpans: Span[] = [];
-    if (pipeline.includes('dlp')) {
+    if (pipeline.includes('dlp') || pipeline.includes('regex') || pipeline.includes('checksum')) {
       allSpans.push(...await this._tier0CollectSpans(text, confidenceThreshold));
     }
-    if (pipeline.includes('regex') || pipeline.includes('checksum')) {
-      allSpans.push(...await this._tier1CollectSpans(text, boost, !!options.aggressive, confidenceThreshold));
-    }
 
     const resolved = resolveOverlaps(allSpans);
     await Promise.all(resolved.map(async (span) => {

package/src/core/transformers_scanner.ts

@@ -129,6 +129,8 @@ export class LocalTransformersScanner extends BaseScanner {
         const val = text.slice(start, end);
 
         const entityType = this._mapEntityType(r.entity);
+        if (!this._supportedEntities.includes(entityType)) continue;
+
         let confidence = r.score || 0.7;
 
         if (aggressive || boostEntities.has(entityType.toLowerCase().replace(/_/g, " "))) {

package/src/index.ts

@@ -6,7 +6,7 @@
  * and framework-agnostic tool interception hooks.
  */
 
-export const VERSION = "2.0.0";
+export const VERSION = "3.4.0";
 
 export {
     getVault,

package/tests/scanner.test.ts

@@ -1,8 +1,16 @@
 import { describe, test, expect } from '@jest/globals';
-import { REGEX_PATTERNS, PresidioScanner } from '../src/core/scanner';
+import { DLPPatternRegistry } from '../src/core/dlp/registry';
+import { checkAbaRouting } from '../src/core/dlp/handlers';
+
+const registry = new DLPPatternRegistry();
+const getPattern = (name: string) => {
+  const desc = registry.descriptorFor(name);
+  if (!desc) throw new Error(`Pattern ${name} not found in registry`);
+  return new RegExp(desc.compiledRe.source, 'g');
+};
 
 describe('TestInternationalPhonePatterns', () => {
-  const pattern = new RegExp(REGEX_PATTERNS["PHONE_NUMBER_INTL"].source, 'g');
+  const pattern = getPattern("PHONE_NUM_INTL");
 
   test.each([
     "+44 20 7946 0958",
@@ -27,7 +35,7 @@ describe('TestInternationalPhonePatterns', () => {
 });
 
 describe('TestUSRoutingNumber', () => {
-  const pattern = new RegExp(REGEX_PATTERNS["US_ROUTING_NUMBER"].source, 'g');
+  const pattern = getPattern("US_ABA_ROUTING");
 
   test('test_regex_matches_9_digit_number', () => {
     pattern.lastIndex = 0;
@@ -40,23 +48,20 @@ describe('TestUSRoutingNumber', () => {
   });
 
   test('test_aba_checksum_valid', () => {
-    // @ts-ignore - accessing protected static for test
-    expect(PresidioScanner._abaChecksum("021000021")).toBe(true);
+    expect(checkAbaRouting("021000021")).toBe(true);
   });
 
   test('test_aba_checksum_invalid', () => {
-    // @ts-ignore
-    expect(PresidioScanner._abaChecksum("123456789")).toBe(false);
+    expect(checkAbaRouting("123456789")).toBe(false);
   });
 
   test('test_aba_checksum_wrong_length', () => {
-    // @ts-ignore
-    expect(PresidioScanner._abaChecksum("12345")).toBe(false);
+    expect(checkAbaRouting("12345")).toBe(false);
   });
 });
 
 describe('TestUSPassport', () => {
-  const pattern = new RegExp(REGEX_PATTERNS["US_PASSPORT"].source, 'g');
+  const pattern = getPattern("US_PASSPORT_NUM");
 
   test.each([
     "C12345678",
@@ -79,7 +84,7 @@ describe('TestUSPassport', () => {
 });
 
 describe('TestDateOfBirth', () => {
-  const pattern = new RegExp(REGEX_PATTERNS["DATE_OF_BIRTH"].source, 'g');
+  const pattern = getPattern("BIRTH_DATE");
 
   test.each([
     "01/15/1990",

package/tests/test_cross.ts

@@ -1,4 +1,4 @@
-import { CryptoEngine } from './src/core/crypto';
+import { CryptoEngine } from '../src/core/crypto';
 import * as process from 'process';
 
 async function test() {

package/tsconfig.json

@@ -17,6 +17,6 @@
     "types": ["node", "jest"],
     "typeRoots": ["./node_modules/@types"]
   },
-  "include": ["src/**/*"],
-  "exclude": ["node_modules", "tests", "dist"]
+  "include": ["src/**/*", "tests/**/*"],
+  "exclude": ["node_modules", "dist"]
 }