n8n-nodes-redactor 3.0.1

package/dist/nodes/PiiRedactor/audit.js

@@ -0,0 +1,192 @@
+"use strict";
+/**
+ * Persistent Audit Log
+ *
+ * JSONL (JSON Lines) audit logger for compliance recording.
+ * One JSON object per line, append-only, auto-rotating.
+ *
+ * Compliant with:
+ *   - GDPR Article 30 (Records of Processing Activities)
+ *   - HIPAA (6-year retention)
+ *   - SOX (7-year retention)
+ *   - PCI DSS (1-year minimum)
+ *
+ * Format: JSONL (compatible with Splunk, ELK, Datadog, CloudWatch)
+ * Location: ~/.n8n/pii-audit/pii-audit-YYYY-MM-DD.jsonl
+ * Rotation: Daily + 100MB size limit
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.writeAuditLog = writeAuditLog;
+exports.readAuditLog = readAuditLog;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const MAX_FILE_SIZE = 104857600; // 100MB
+const DEFAULT_AUDIT_DIR = path.join(process.env.HOME || '/tmp', '.n8n', 'pii-audit');
+/**
+ * Generate a simple UUID v4.
+ */
+function generateEventId() {
+    const bytes = new Array(16).fill(0).map(() => Math.floor(Math.random() * 256));
+    bytes[6] = (bytes[6] & 0x0f) | 0x40;
+    bytes[8] = (bytes[8] & 0x3f) | 0x80;
+    const hex = bytes.map((b) => b.toString(16).padStart(2, '0')).join('');
+    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+/**
+ * Get today's audit log file path.
+ */
+function getLogFilePath(auditDir) {
+    const today = new Date().toISOString().split('T')[0]; // YYYY-MM-DD
+    return path.join(auditDir, `pii-audit-${today}.jsonl`);
+}
+/**
+ * Determine severity from classification level and hit count.
+ */
+function determineSeverity(classificationLevel, totalHits = 0) {
+    if (classificationLevel === 'RESTRICTED' || totalHits >= 50)
+        return 'CRITICAL';
+    if (classificationLevel === 'CONFIDENTIAL' || totalHits >= 20)
+        return 'HIGH';
+    if (classificationLevel === 'INTERNAL' || totalHits >= 5)
+        return 'MEDIUM';
+    return 'LOW';
+}
+/**
+ * Write an audit log entry.
+ * Creates the audit directory if it doesn't exist.
+ * Handles file rotation (daily + size-based).
+ * Graceful: never throws, never blocks the workflow.
+ */
+function writeAuditLog(action, mode, hits, inputItemCount, processingTimeMs, patternsUsed, presidioEnabled, classification, sessionId, auditDir) {
+    try {
+        const dir = auditDir || DEFAULT_AUDIT_DIR;
+        // Ensure directory exists
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        // Build hit summaries
+        const hitsByCategory = {};
+        const hitsByPattern = {};
+        for (const hit of hits) {
+            hitsByCategory[hit.category] = (hitsByCategory[hit.category] || 0) + 1;
+            hitsByPattern[hit.patternLabel] = (hitsByPattern[hit.patternLabel] || 0) + 1;
+        }
+        const entry = {
+            version: '1.0',
+            timestamp: new Date().toISOString(),
+            eventId: generateEventId(),
+            severity: determineSeverity(classification?.level, hits.length),
+            action,
+            mode,
+            status: 'SUCCESS',
+            totalHits: hits.length,
+            hitsByCategory,
+            hitsByPattern,
+            classificationLevel: classification?.level,
+            inputItemCount,
+            processingTimeMs,
+            patternsUsed,
+            presidioEnabled,
+            sessionId,
+        };
+        // Get log file path
+        let logFile = getLogFilePath(dir);
+        // Size-based rotation
+        try {
+            if (fs.existsSync(logFile)) {
+                const stats = fs.statSync(logFile);
+                if (stats.size >= MAX_FILE_SIZE) {
+                    // Rotate: rename current file with sequence number
+                    let seq = 1;
+                    while (fs.existsSync(`${logFile}.${seq}`))
+                        seq++;
+                    fs.renameSync(logFile, `${logFile}.${seq}`);
+                }
+            }
+        }
+        catch {
+            // Rotation failed, continue writing to current file
+        }
+        // Append entry as JSONL (one JSON object per line)
+        fs.appendFileSync(logFile, JSON.stringify(entry) + '\n', 'utf-8');
+    }
+    catch {
+        // Audit logging should NEVER crash the workflow
+        // Silently fail — the redaction itself already succeeded
+    }
+}
+/**
+ * Read audit log entries for a given date range.
+ * Returns parsed entries. Used by Stats operation for audit review.
+ */
+function readAuditLog(startDate, endDate, auditDir) {
+    try {
+        const dir = auditDir || DEFAULT_AUDIT_DIR;
+        if (!fs.existsSync(dir))
+            return [];
+        const files = fs.readdirSync(dir)
+            .filter((f) => f.startsWith('pii-audit-') && f.endsWith('.jsonl'))
+            .sort();
+        const entries = [];
+        for (const file of files) {
+            // Filter by date range if provided
+            const fileDate = file.replace('pii-audit-', '').replace('.jsonl', '');
+            if (startDate && fileDate < startDate)
+                continue;
+            if (endDate && fileDate > endDate)
+                continue;
+            try {
+                const content = fs.readFileSync(path.join(dir, file), 'utf-8');
+                const lines = content.split('\n').filter((l) => l.trim().length > 0);
+                for (const line of lines) {
+                    try {
+                        entries.push(JSON.parse(line));
+                    }
+                    catch {
+                        // Skip malformed lines
+                    }
+                }
+            }
+            catch {
+                // Skip unreadable files
+            }
+        }
+        return entries;
+    }
+    catch {
+        return [];
+    }
+}

package/dist/nodes/PiiRedactor/classification.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Data Classification Engine
+ *
+ * Assigns sensitivity labels to data based on what PII categories were found.
+ * Modeled on Microsoft Purview and Google Cloud DLP classification taxonomy.
+ *
+ * Levels:
+ *   PUBLIC (0)     - No PII detected
+ *   INTERNAL (1)   - Low-sensitivity PII (network, location, vehicle, temporal)
+ *   CONFIDENTIAL (2) - Personal PII (names, emails, phones, addresses, identity docs)
+ *   RESTRICTED (3) - High-sensitivity PII (financial, medical, biometric, enterprise secrets)
+ *
+ * Escalation rules (based on Purview instance-count thresholds):
+ *   - Any RESTRICTED-category hit -> RESTRICTED
+ *   - 10+ CONFIDENTIAL hits -> escalate to RESTRICTED
+ *   - 5+ INTERNAL hits -> escalate to CONFIDENTIAL
+ */
+import { PiiCategory, RedactionHit } from './types';
+export type SensitivityLevel = 'PUBLIC' | 'INTERNAL' | 'CONFIDENTIAL' | 'RESTRICTED';
+export interface ClassificationLabel {
+    level: SensitivityLevel;
+    numericLevel: 0 | 1 | 2 | 3;
+    reason: string;
+    topCategory: PiiCategory | 'none';
+    hitCountByLevel: Record<SensitivityLevel, number>;
+    escalated: boolean;
+    totalHits: number;
+    averageConfidence: number;
+}
+/**
+ * Classify data sensitivity based on detected PII hits.
+ */
+export declare function classifyData(hits: RedactionHit[]): ClassificationLabel;

package/dist/nodes/PiiRedactor/classification.js

@@ -0,0 +1,118 @@
+"use strict";
+/**
+ * Data Classification Engine
+ *
+ * Assigns sensitivity labels to data based on what PII categories were found.
+ * Modeled on Microsoft Purview and Google Cloud DLP classification taxonomy.
+ *
+ * Levels:
+ *   PUBLIC (0)     - No PII detected
+ *   INTERNAL (1)   - Low-sensitivity PII (network, location, vehicle, temporal)
+ *   CONFIDENTIAL (2) - Personal PII (names, emails, phones, addresses, identity docs)
+ *   RESTRICTED (3) - High-sensitivity PII (financial, medical, biometric, enterprise secrets)
+ *
+ * Escalation rules (based on Purview instance-count thresholds):
+ *   - Any RESTRICTED-category hit -> RESTRICTED
+ *   - 10+ CONFIDENTIAL hits -> escalate to RESTRICTED
+ *   - 5+ INTERNAL hits -> escalate to CONFIDENTIAL
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifyData = classifyData;
+/** Map PII categories to base sensitivity levels */
+const CATEGORY_SENSITIVITY = {
+    // RESTRICTED (3) - highest sensitivity
+    financial: 'RESTRICTED',
+    medical: 'RESTRICTED',
+    biometric: 'RESTRICTED',
+    enterprise: 'RESTRICTED',
+    crypto: 'RESTRICTED',
+    // CONFIDENTIAL (2) - personal data
+    identity: 'CONFIDENTIAL',
+    contact: 'CONFIDENTIAL',
+    // INTERNAL (1) - low sensitivity
+    network: 'INTERNAL',
+    location: 'INTERNAL',
+    vehicle: 'INTERNAL',
+    temporal: 'INTERNAL',
+    other: 'INTERNAL',
+};
+const LEVEL_NUMERIC = {
+    PUBLIC: 0,
+    INTERNAL: 1,
+    CONFIDENTIAL: 2,
+    RESTRICTED: 3,
+};
+/**
+ * Classify data sensitivity based on detected PII hits.
+ */
+function classifyData(hits) {
+    if (hits.length === 0) {
+        return {
+            level: 'PUBLIC',
+            numericLevel: 0,
+            reason: 'No sensitive data detected.',
+            topCategory: 'none',
+            hitCountByLevel: { PUBLIC: 0, INTERNAL: 0, CONFIDENTIAL: 0, RESTRICTED: 0 },
+            escalated: false,
+            totalHits: 0,
+            averageConfidence: 0,
+        };
+    }
+    // Count hits by sensitivity level
+    const hitCountByLevel = {
+        PUBLIC: 0,
+        INTERNAL: 0,
+        CONFIDENTIAL: 0,
+        RESTRICTED: 0,
+    };
+    const categoryCounts = {};
+    let totalConfidence = 0;
+    for (const hit of hits) {
+        const catLevel = CATEGORY_SENSITIVITY[hit.category] || 'INTERNAL';
+        hitCountByLevel[catLevel]++;
+        categoryCounts[hit.category] = (categoryCounts[hit.category] || 0) + 1;
+        totalConfidence += hit.confidence || 0.65;
+    }
+    // Determine base level from highest-sensitivity hit
+    let level = 'PUBLIC';
+    if (hitCountByLevel.RESTRICTED > 0)
+        level = 'RESTRICTED';
+    else if (hitCountByLevel.CONFIDENTIAL > 0)
+        level = 'CONFIDENTIAL';
+    else if (hitCountByLevel.INTERNAL > 0)
+        level = 'INTERNAL';
+    // Escalation rules
+    let escalated = false;
+    // 10+ CONFIDENTIAL hits -> RESTRICTED
+    if (level === 'CONFIDENTIAL' && hitCountByLevel.CONFIDENTIAL >= 10) {
+        level = 'RESTRICTED';
+        escalated = true;
+    }
+    // 5+ INTERNAL hits -> CONFIDENTIAL
+    if (level === 'INTERNAL' && hitCountByLevel.INTERNAL >= 5) {
+        level = 'CONFIDENTIAL';
+        escalated = true;
+    }
+    // Find top category
+    const topCategory = Object.entries(categoryCounts)
+        .sort((a, b) => b[1] - a[1])[0][0];
+    // Build reason string
+    const reasonParts = [];
+    for (const [cat, count] of Object.entries(categoryCounts).sort((a, b) => b[1] - a[1])) {
+        reasonParts.push(`${count} ${cat}`);
+    }
+    let reason = `Contains: ${reasonParts.join(', ')}.`;
+    if (escalated) {
+        reason += ` Escalated due to high volume of detections.`;
+    }
+    return {
+        level,
+        numericLevel: LEVEL_NUMERIC[level],
+        reason,
+        topCategory,
+        hitCountByLevel,
+        escalated,
+        totalHits: hits.length,
+        averageConfidence: Math.round((totalConfidence / hits.length) * 100) / 100,
+    };
+}

package/dist/nodes/PiiRedactor/context.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Context words and confidence scoring for PII patterns.
+ *
+ * Context words are keywords that appear near a PII match and boost confidence.
+ * For example, "SSN" appearing before "123-45-6789" boosts confidence from 0.60 to 0.85.
+ *
+ * Base confidence scores reflect how reliable a pattern is:
+ * - 0.95: Checksum validated (Luhn, IBAN, PESEL, etc.)
+ * - 0.90: Semantic field-name match
+ * - 0.85: Context-aware ambiguous field
+ * - 0.80: Regex match WITH context words nearby
+ * - 0.60: Regex match WITHOUT context words (bare pattern)
+ * - 0.70: Custom pattern match
+ */
+/** Context words by pattern name. Case-insensitive matching. */
+export declare const CONTEXT_WORDS: Record<string, string[]>;
+/**
+ * Base confidence scores by pattern name.
+ * Patterns with checksum validation get higher scores.
+ */
+export declare const BASE_CONFIDENCE: Record<string, number>;
+/**
+ * Default base confidence for patterns not in the BASE_CONFIDENCE map.
+ */
+export declare const DEFAULT_BASE_CONFIDENCE = 0.65;
+/**
+ * Confidence boost when context words are found nearby.
+ */
+export declare const CONTEXT_BOOST = 0.2;
+/**
+ * Confidence score for semantic field-name matches.
+ */
+export declare const SEMANTIC_CONFIDENCE = 0.9;
+/**
+ * Confidence score for context-aware ambiguous field matches.
+ */
+export declare const AMBIGUOUS_FIELD_CONFIDENCE = 0.85;
+/**
+ * Confidence score for custom pattern matches.
+ */
+export declare const CUSTOM_PATTERN_CONFIDENCE = 0.7;
+/**
+ * Confidence score for deny list matches.
+ */
+export declare const DENY_LIST_CONFIDENCE = 1;
+/**
+ * Window size (characters) to search for context words around a match.
+ */
+export declare const CONTEXT_WINDOW = 80;
+/**
+ * Check if any context words appear near a match position in the text.
+ */
+export declare function hasContextWords(text: string, matchStart: number, matchEnd: number, words: string[]): boolean;
+/**
+ * Calculate confidence score for a pattern match.
+ */
+export declare function calculateConfidence(patternName: string, hasValidator: boolean, validatorPassed: boolean, text: string, matchStart: number, matchEnd: number): number;

package/dist/nodes/PiiRedactor/context.js

@@ -0,0 +1,260 @@
+"use strict";
+/**
+ * Context words and confidence scoring for PII patterns.
+ *
+ * Context words are keywords that appear near a PII match and boost confidence.
+ * For example, "SSN" appearing before "123-45-6789" boosts confidence from 0.60 to 0.85.
+ *
+ * Base confidence scores reflect how reliable a pattern is:
+ * - 0.95: Checksum validated (Luhn, IBAN, PESEL, etc.)
+ * - 0.90: Semantic field-name match
+ * - 0.85: Context-aware ambiguous field
+ * - 0.80: Regex match WITH context words nearby
+ * - 0.60: Regex match WITHOUT context words (bare pattern)
+ * - 0.70: Custom pattern match
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CONTEXT_WINDOW = exports.DENY_LIST_CONFIDENCE = exports.CUSTOM_PATTERN_CONFIDENCE = exports.AMBIGUOUS_FIELD_CONFIDENCE = exports.SEMANTIC_CONFIDENCE = exports.CONTEXT_BOOST = exports.DEFAULT_BASE_CONFIDENCE = exports.BASE_CONFIDENCE = exports.CONTEXT_WORDS = void 0;
+exports.hasContextWords = hasContextWords;
+exports.calculateConfidence = calculateConfidence;
+/** Context words by pattern name. Case-insensitive matching. */
+exports.CONTEXT_WORDS = {
+    // Contact
+    email: ['email', 'e-mail', 'mail', 'contact', 'reach', 'send', 'Kontakt', 'correo', 'posta'],
+    phone: ['phone', 'call', 'mobile', 'cell', 'tel', 'telephone', 'dial', 'ring', 'Telefon', 'anrufen', 'Handy', 'appeler', 'llamar'],
+    phoneDE: ['Telefon', 'anrufen', 'Handy', 'Rufnummer', 'Festnetz', 'mobil'],
+    phoneUK: ['phone', 'call', 'mobile', 'ring', 'dial', 'landline'],
+    phoneAT: ['Telefon', 'anrufen', 'Handy'],
+    phoneCH: ['Telefon', 'anrufen', 'Natel', 'Handy'],
+    phoneFR: ['telephone', 'appeler', 'portable', 'fixe', 'numero'],
+    phoneNL: ['telefoon', 'bellen', 'mobiel'],
+    phoneES: ['telefono', 'llamar', 'movil', 'celular'],
+    phoneIT: ['telefono', 'chiamare', 'cellulare'],
+    phoneAU: ['phone', 'call', 'mobile'],
+    phoneIN: ['phone', 'call', 'mobile'],
+    phoneBR: ['telefone', 'ligar', 'celular'],
+    phoneCN: ['phone', 'call', 'mobile'],
+    phoneKR: ['phone', 'call'],
+    phoneRU: ['telefon', 'pozvonit'],
+    phoneMX: ['telefono', 'llamar', 'celular'],
+    phoneZA: ['phone', 'call', 'mobile'],
+    // Identity - person names
+    personName: ['name', 'person', 'contact', 'customer', 'client', 'patient', 'employee', 'user', 'Mr', 'Mrs', 'Ms', 'Dr', 'Herr', 'Frau'],
+    // Identity - government IDs
+    ssn: ['social security', 'SSN', 'social', 'security number', 'Sozialversicherung'],
+    itinUS: ['ITIN', 'taxpayer', 'individual taxpayer'],
+    sinCA: ['SIN', 'social insurance', 'insurance number'],
+    ninoUK: ['national insurance', 'NINO', 'NI number'],
+    nhsNumber: ['NHS', 'national health', 'health service', 'patient'],
+    passportUS: ['passport', 'travel document', 'Reisepass'],
+    passportEU: ['passport', 'travel document', 'Reisepass', 'passeport'],
+    passportDE: ['Reisepass', 'passport', 'Passnummer'],
+    nationalIdDE: ['Personalausweis', 'Ausweis', 'ID card', 'identity card'],
+    taxIdUS: ['EIN', 'employer identification', 'tax ID', 'federal tax'],
+    taxIdDE: ['Steuer', 'Identifikationsnummer', 'Finanzamt'],
+    sozialversicherungDE: ['Sozialversicherung', 'Rentenversicherung', 'SV-Nummer'],
+    ahvCH: ['AHV', 'AVS', 'Sozialversicherung', 'assurance'],
+    nationalIdFR: ['securite sociale', 'NIR', 'numero national'],
+    codiceFiscaleIT: ['codice fiscale', 'fiscal code', 'CF'],
+    dniES: ['DNI', 'documento nacional', 'identidad'],
+    nieES: ['NIE', 'extranjero', 'foreigner'],
+    peselPL: ['PESEL', 'numer identyfikacyjny'],
+    bsnNL: ['BSN', 'burgerservicenummer', 'burger service'],
+    ppsIE: ['PPS', 'personal public service'],
+    tfnAU: ['TFN', 'tax file', 'tax number'],
+    nricSG: ['NRIC', 'identity card', 'IC'],
+    panIN: ['PAN', 'permanent account', 'income tax'],
+    aadhaarIN: ['Aadhaar', 'UID', 'unique identification'],
+    cpfBR: ['CPF', 'cadastro', 'pessoa fisica'],
+    hetuFI: ['HETU', 'henkilotunnus', 'personal identity'],
+    personnummerSE: ['personnummer', 'personal number'],
+    fodselsnummerNO: ['fodselsnummer', 'personal number'],
+    cprDK: ['CPR', 'personnummer'],
+    nifPT: ['NIF', 'numero fiscal', 'contribuinte'],
+    nationalIdCN: ['identity card', 'resident card', 'shenfenzheng'],
+    nationalIdTR: ['TC Kimlik', 'kimlik no', 'identity'],
+    curpMX: ['CURP', 'poblacion'],
+    rfcMX: ['RFC', 'registro federal'],
+    emiratesIdUAE: ['emirates ID', 'UAE ID'],
+    // Financial
+    creditCard: ['card', 'credit', 'debit', 'visa', 'mastercard', 'amex', 'payment', 'Kreditkarte', 'carte', 'tarjeta'],
+    amex: ['amex', 'american express', 'card', 'payment'],
+    iban: ['IBAN', 'bank account', 'Kontonummer', 'compte', 'cuenta', 'conto'],
+    bic: ['BIC', 'SWIFT', 'bank', 'routing'],
+    vatEU: ['VAT', 'MwSt', 'Umsatzsteuer', 'TVA', 'IVA', 'BTW'],
+    abaRouting: ['routing', 'ABA', 'bank', 'transfer'],
+    sortCodeUK: ['sort code', 'bank', 'branch'],
+    cardExpiry: ['expiry', 'expiration', 'valid', 'exp', 'Gultig'],
+    cvvCtx: ['CVV', 'CVC', 'security code', 'verification'],
+    bankAccountCtx: ['account', 'bank', 'checking', 'savings', 'Konto'],
+    insurancePolicyCtx: ['insurance', 'policy', 'Versicherung', 'assurance', 'polizza'],
+    salaryCtx: ['salary', 'compensation', 'pay', 'wage', 'Gehalt', 'salaire'],
+    // Network
+    ipv4: ['IP', 'address', 'server', 'host', 'network'],
+    ipv6: ['IP', 'address', 'server', 'IPv6'],
+    macAddress: ['MAC', 'hardware', 'network', 'device', 'adapter'],
+    url: ['URL', 'link', 'website', 'http', 'visit'],
+    privateIp: ['internal', 'private', 'LAN', 'intranet', 'network'],
+    // Location
+    addressDE: ['Adresse', 'Anschrift', 'wohnt', 'Straße', 'address'],
+    addressLabeledEN: ['address', 'lives', 'located', 'residing'],
+    addressLabeledDE: ['Adresse', 'Anschrift', 'wohnt', 'Wohnort'],
+    gpsCoordinates: ['GPS', 'coordinates', 'location', 'latitude', 'longitude', 'Standort'],
+    // Medical
+    medicalRecordNumber: ['MRN', 'medical record', 'patient', 'chart', 'Krankenakte'],
+    deaNumber: ['DEA', 'drug enforcement', 'prescriber'],
+    npiNumber: ['NPI', 'provider', 'physician', 'doctor'],
+    rxNumber: ['prescription', 'Rx', 'pharmacy', 'medication', 'Rezept'],
+    healthPlanCtx: ['health plan', 'insurance', 'member', 'subscriber', 'beneficiary'],
+    bloodTypeCtx: ['blood', 'type', 'group', 'Blutgruppe'],
+    // Enterprise
+    awsAccessKey: ['AWS', 'amazon', 'access key', 'credential'],
+    gcpApiKey: ['Google', 'GCP', 'API key', 'cloud'],
+    stripeKey: ['Stripe', 'payment', 'API key'],
+    openaiKey: ['OpenAI', 'API key', 'GPT'],
+    githubToken: ['GitHub', 'token', 'personal access'],
+    slackToken: ['Slack', 'token', 'bot'],
+    jwtToken: ['JWT', 'token', 'auth', 'bearer', 'session'],
+    pemPrivateKey: ['private key', 'RSA', 'certificate', 'SSL', 'TLS'],
+    sshPublicKey: ['SSH', 'key', 'public key', 'authorized'],
+    genericSecret: ['password', 'secret', 'credential', 'API key', 'token'],
+    dbConnectionString: ['database', 'connection', 'JDBC', 'mongo', 'postgres', 'mysql'],
+    internalHostname: ['server', 'host', 'internal', 'intranet'],
+    // Vehicle
+    vin: ['VIN', 'vehicle', 'chassis', 'Fahrgestell', 'vehicule'],
+    // Crypto
+    bitcoinAddress: ['bitcoin', 'BTC', 'wallet', 'crypto'],
+    ethereumAddress: ['ethereum', 'ETH', 'wallet', 'crypto', 'contract'],
+};
+/**
+ * Base confidence scores by pattern name.
+ * Patterns with checksum validation get higher scores.
+ */
+exports.BASE_CONFIDENCE = {
+    // Checksum validated = 0.95
+    creditCard: 0.95,
+    amex: 0.95,
+    iban: 0.95,
+    nhsNumber: 0.95,
+    sinCA: 0.95,
+    peselPL: 0.95,
+    bsnNL: 0.95,
+    nifPT: 0.95,
+    tfnAU: 0.95,
+    abaRouting: 0.95,
+    // Strong format (unique structure) = 0.85
+    email: 0.90,
+    codiceFiscaleIT: 0.90,
+    hetuFI: 0.90,
+    ahvCH: 0.90,
+    nricSG: 0.90,
+    panIN: 0.90,
+    passportUS: 0.85,
+    passportEU: 0.85,
+    passportDE: 0.85,
+    ssn: 0.85,
+    ninoUK: 0.85,
+    dniES: 0.85,
+    nieES: 0.85,
+    nationalIdCN: 0.85,
+    nationalIdTH: 0.85,
+    emiratesIdUAE: 0.85,
+    curpMX: 0.85,
+    bitcoinAddress: 0.85,
+    ethereumAddress: 0.85,
+    vin: 0.85,
+    jwtToken: 0.85,
+    awsAccessKey: 0.90,
+    gcpApiKey: 0.90,
+    stripeKey: 0.90,
+    openaiKey: 0.90,
+    githubToken: 0.90,
+    pemPrivateKey: 0.90,
+    sshPublicKey: 0.90,
+    // Medium format = 0.70
+    phone: 0.70,
+    phoneDE: 0.75,
+    phoneUK: 0.75,
+    phoneAT: 0.75,
+    phoneCH: 0.75,
+    phoneFR: 0.75,
+    personName: 0.80,
+    ipv4: 0.70,
+    ipv6: 0.80,
+    macAddress: 0.80,
+    url: 0.75,
+    vatEU: 0.80,
+    bic: 0.65,
+    // Broad patterns (high false positive risk) = 0.50-0.60
+    postalCodeDE: 0.40,
+    postalCodeAT: 0.40,
+    postalCodeCH: 0.40,
+    postalCodeUS: 0.50,
+    postalCodeIT: 0.40,
+    postalCodeES: 0.50,
+    postalCodeIN: 0.40,
+    dateSlash: 0.50,
+    dateDash: 0.50,
+    dateDot: 0.50,
+    sortCodeUK: 0.50,
+    cardExpiry: 0.50,
+    socialHandle: 0.60,
+    licensePlateDE: 0.55,
+    dnaSequence: 0.50,
+};
+/**
+ * Default base confidence for patterns not in the BASE_CONFIDENCE map.
+ */
+exports.DEFAULT_BASE_CONFIDENCE = 0.65;
+/**
+ * Confidence boost when context words are found nearby.
+ */
+exports.CONTEXT_BOOST = 0.20;
+/**
+ * Confidence score for semantic field-name matches.
+ */
+exports.SEMANTIC_CONFIDENCE = 0.90;
+/**
+ * Confidence score for context-aware ambiguous field matches.
+ */
+exports.AMBIGUOUS_FIELD_CONFIDENCE = 0.85;
+/**
+ * Confidence score for custom pattern matches.
+ */
+exports.CUSTOM_PATTERN_CONFIDENCE = 0.70;
+/**
+ * Confidence score for deny list matches.
+ */
+exports.DENY_LIST_CONFIDENCE = 1.0;
+/**
+ * Window size (characters) to search for context words around a match.
+ */
+exports.CONTEXT_WINDOW = 80;
+/**
+ * Check if any context words appear near a match position in the text.
+ */
+function hasContextWords(text, matchStart, matchEnd, words) {
+    if (!words || words.length === 0)
+        return false;
+    const windowStart = Math.max(0, matchStart - exports.CONTEXT_WINDOW);
+    const windowEnd = Math.min(text.length, matchEnd + exports.CONTEXT_WINDOW);
+    const surrounding = text.slice(windowStart, windowEnd).toLowerCase();
+    return words.some((word) => surrounding.includes(word.toLowerCase()));
+}
+/**
+ * Calculate confidence score for a pattern match.
+ */
+function calculateConfidence(patternName, hasValidator, validatorPassed, text, matchStart, matchEnd) {
+    // Start with base confidence
+    let confidence = exports.BASE_CONFIDENCE[patternName] ?? exports.DEFAULT_BASE_CONFIDENCE;
+    // If has validator and passed, boost to at least 0.95
+    if (hasValidator && validatorPassed) {
+        confidence = Math.max(confidence, 0.95);
+    }
+    // Check context words
+    const contextWords = exports.CONTEXT_WORDS[patternName];
+    if (contextWords && hasContextWords(text, matchStart, matchEnd, contextWords)) {
+        confidence = Math.min(1.0, confidence + exports.CONTEXT_BOOST);
+    }
+    return Math.round(confidence * 100) / 100;
+}