openredaction 1.0.10 → 1.1.0

package/dist/server.d.mts

@@ -0,0 +1,1809 @@
+//#region src/types.d.ts
+/**
+ * Core types for OpenRedaction
+ */
+/**
+ * PII pattern definition with validation
+ */
+interface PIIPattern {
+  /** Pattern type identifier (e.g., "EMAIL", "PHONE_UK_MOBILE") */
+  type: string;
+  /** Regular expression for matching */
+  regex: RegExp;
+  /** Priority for detection order (higher = checked first) */
+  priority: number;
+  /** Optional validator function for false positive reduction */
+  validator?: (match: string, context: string) => boolean;
+  /** Placeholder template (e.g., "[EMAIL_{n}]") */
+  placeholder: string;
+  /** Optional description */
+  description?: string;
+  /** Severity level */
+  severity?: 'critical' | 'high' | 'medium' | 'low';
+}
+/**
+ * Detected PII instance
+ */
+interface PIIDetection {
+  /** Type of PII detected */
+  type: string;
+  /** Original detected value */
+  value: string;
+  /** Placeholder used for redaction */
+  placeholder: string;
+  /** Position in text [start, end] */
+  position: [number, number];
+  /** Severity level */
+  severity: 'critical' | 'high' | 'medium' | 'low';
+  /** Confidence score (0-1) based on context analysis */
+  confidence?: number;
+}
+/**
+ * Detection result
+ */
+interface DetectionResult {
+  /** Original text */
+  original: string;
+  /** Redacted text */
+  redacted: string;
+  /** Array of detections */
+  detections: PIIDetection[];
+  /** Map of placeholders to original values for restoration */
+  redactionMap: Record<string, string>;
+  /** Statistics */
+  stats?: {
+    /** Processing time in milliseconds */processingTime?: number; /** Total PII count */
+    piiCount: number;
+  };
+}
+/**
+ * Redaction mode - controls how PII is replaced
+ */
+type RedactionMode = 'placeholder' | 'mask-middle' | 'mask-all' | 'format-preserving' | 'token-replace';
+/**
+ * Configuration options for OpenRedaction
+ */
+type PresetName = 'gdpr' | 'hipaa' | 'ccpa' | 'healthcare' | 'healthcare-provider' | 'healthcare-research' | 'finance' | 'financial-services' | 'education' | 'transport-logistics' | 'transportation' | 'logistics' | 'pci-dss' | 'soc2';
+interface OpenRedactionOptions {
+  /** Include name detection (default: true) */
+  includeNames?: boolean;
+  /** Include address detection (default: true) */
+  includeAddresses?: boolean;
+  /** Include phone detection (default: true) */
+  includePhones?: boolean;
+  /** Include email detection (default: true) */
+  includeEmails?: boolean;
+  /** Pattern categories to include (e.g., ['personal', 'financial']) */
+  categories?: string[];
+  /** Whitelist specific patterns only */
+  patterns?: string[];
+  /** Add custom patterns */
+  customPatterns?: PIIPattern[];
+  /** Whitelist of terms to ignore (e.g., company names) */
+  whitelist?: string[];
+  /** Enable deterministic placeholders (default: true) */
+  deterministic?: boolean;
+  /** Redaction mode (default: 'placeholder') */
+  redactionMode?: RedactionMode;
+  /** Compliance preset */
+  preset?: PresetName;
+  /** Enable context-aware detection (default: true) */
+  enableContextAnalysis?: boolean;
+  /** Minimum confidence threshold for detections (0-1, default: 0.5) */
+  confidenceThreshold?: number;
+  /** Enable false positive filtering (default: false, experimental) */
+  enableFalsePositiveFilter?: boolean;
+  /** False positive confidence threshold (0-1, default: 0.7) */
+  falsePositiveThreshold?: number;
+  /** Enable multi-pass detection for better accuracy (default: false, experimental) */
+  enableMultiPass?: boolean;
+  /** Number of detection passes (2-5, default: 3) */
+  multiPassCount?: number;
+  /** Enable result caching for repeated inputs (default: false) */
+  enableCache?: boolean;
+  /** Maximum cache size (default: 100) */
+  cacheSize?: number;
+  /** Enable debug logging (default: false) */
+  debug?: boolean;
+  /** Enable audit logging (default: false) */
+  enableAuditLog?: boolean;
+  /** Audit logger instance (optional, default: in-memory logger) */
+  auditLogger?: IAuditLogger;
+  /** User context for audit logs */
+  auditUser?: string;
+  /** Session ID for audit logs */
+  auditSessionId?: string;
+  /** Additional metadata for audit logs */
+  auditMetadata?: Record<string, unknown>;
+  /** Enable metrics collection (default: false) */
+  enableMetrics?: boolean;
+  /** Metrics collector instance (optional, default: in-memory collector) */
+  metricsCollector?: IMetricsCollector;
+  /** Enable RBAC (Role-Based Access Control) (default: false) */
+  enableRBAC?: boolean;
+  /** RBAC manager instance (optional, default: admin role) */
+  rbacManager?: IRBACManager;
+  /** Predefined role name (admin, analyst, operator, viewer) */
+  role?: RoleName;
+}
+/**
+ * Audit log entry for tracking redaction operations
+ */
+interface AuditLogEntry {
+  /** Unique identifier for this audit entry */
+  id: string;
+  /** Timestamp of the operation (ISO 8601) */
+  timestamp: string;
+  /** Operation type */
+  operation: 'redact' | 'detect' | 'restore';
+  /** Number of PII items found/processed */
+  piiCount: number;
+  /** Types of PII detected (e.g., ["EMAIL", "SSN", "PHONE"]) */
+  piiTypes: string[];
+  /** Text length processed */
+  textLength: number;
+  /** Processing time in milliseconds */
+  processingTimeMs: number;
+  /** Redaction mode used */
+  redactionMode?: RedactionMode;
+  /** Success status */
+  success: boolean;
+  /** Error message if operation failed */
+  error?: string;
+  /** Optional user context */
+  user?: string;
+  /** Optional session/request identifier */
+  sessionId?: string;
+  /** Optional metadata */
+  metadata?: Record<string, unknown>;
+}
+/**
+ * Audit logger interface
+ */
+interface IAuditLogger {
+  /** Log an audit entry */
+  log(entry: Omit<AuditLogEntry, 'id' | 'timestamp'>): void;
+  /** Get all audit logs */
+  getLogs(): AuditLogEntry[];
+  /** Get audit logs filtered by operation type */
+  getLogsByOperation(operation: AuditLogEntry['operation']): AuditLogEntry[];
+  /** Get audit logs filtered by date range */
+  getLogsByDateRange(startDate: Date, endDate: Date): AuditLogEntry[];
+  /** Export audit logs as JSON */
+  exportAsJson(): string;
+  /** Export audit logs as CSV */
+  exportAsCsv(): string;
+  /** Clear all audit logs */
+  clear(): void;
+  /** Get audit statistics */
+  getStats(): AuditStats;
+}
+/**
+ * Audit statistics
+ */
+interface AuditStats {
+  /** Total number of operations */
+  totalOperations: number;
+  /** Total PII items detected */
+  totalPiiDetected: number;
+  /** Average processing time in milliseconds */
+  averageProcessingTime: number;
+  /** Most common PII types */
+  topPiiTypes: Array<{
+    type: string;
+    count: number;
+  }>;
+  /** Operations by type */
+  operationsByType: Record<string, number>;
+  /** Success rate (0-1) */
+  successRate: number;
+}
+/**
+ * Metrics for monitoring redaction operations
+ */
+interface RedactionMetrics {
+  /** Total number of redaction operations */
+  totalRedactions: number;
+  /** Total number of PII items detected */
+  totalPiiDetected: number;
+  /** Total processing time in milliseconds */
+  totalProcessingTime: number;
+  /** Average processing time in milliseconds */
+  averageProcessingTime: number;
+  /** Total text length processed (characters) */
+  totalTextLength: number;
+  /** PII detection counts by type */
+  piiByType: Record<string, number>;
+  /** Operation counts by redaction mode */
+  byRedactionMode: Record<string, number>;
+  /** Error count */
+  totalErrors: number;
+  /** Timestamp of last update */
+  lastUpdated: string;
+}
+/**
+ * Metrics exporter interface
+ */
+interface IMetricsExporter {
+  /** Export metrics in Prometheus format */
+  exportPrometheus(metrics: RedactionMetrics, prefix?: string): string;
+  /** Export metrics in StatsD format */
+  exportStatsD(metrics: RedactionMetrics, prefix?: string): string[];
+  /** Get current metrics snapshot */
+  getMetrics(): RedactionMetrics;
+  /** Reset all metrics */
+  reset(): void;
+}
+/**
+ * Metrics collector interface
+ */
+interface IMetricsCollector {
+  /** Record a redaction operation */
+  recordRedaction(result: DetectionResult, processingTimeMs: number, redactionMode: RedactionMode): void;
+  /** Record an error */
+  recordError(): void;
+  /** Get metrics exporter */
+  getExporter(): IMetricsExporter;
+}
+/**
+ * RBAC Permission - granular access control
+ */
+type Permission = 'pattern:read' | 'pattern:write' | 'pattern:delete' | 'detection:detect' | 'detection:redact' | 'detection:restore' | 'audit:read' | 'audit:export' | 'audit:delete' | 'metrics:read' | 'metrics:export' | 'metrics:reset' | 'config:read' | 'config:write';
+/**
+ * RBAC Role - collection of permissions
+ */
+interface Role {
+  /** Role identifier */
+  name: string;
+  /** Role description */
+  description?: string;
+  /** Permissions granted to this role */
+  permissions: Permission[];
+}
+/**
+ * Predefined role names
+ */
+type RoleName = 'admin' | 'analyst' | 'operator' | 'viewer' | 'custom';
+/**
+ * RBAC manager interface for access control
+ */
+interface IRBACManager {
+  /** Check if user has specific permission */
+  hasPermission(permission: Permission): boolean;
+  /** Check if user has all specified permissions */
+  hasAllPermissions(permissions: Permission[]): boolean;
+  /** Check if user has any of the specified permissions */
+  hasAnyPermission(permissions: Permission[]): boolean;
+  /** Get current role */
+  getRole(): Role;
+  /** Set role */
+  setRole(role: Role): void;
+  /** Get all permissions for current role */
+  getPermissions(): Permission[];
+  /** Filter patterns based on read permissions */
+  filterPatterns(patterns: PIIPattern[]): PIIPattern[];
+}
+//#endregion
+//#region src/learning/LocalLearningStore.d.ts
+interface WhitelistEntry {
+  pattern: string;
+  confidence: number;
+  occurrences: number;
+  firstSeen: number;
+  lastSeen: number;
+  contexts: string[];
+}
+interface PatternAdjustment {
+  type: string;
+  issue: string;
+  suggestion: string;
+  confidence: number;
+  examples: string[];
+  occurrences: number;
+}
+interface LearningStats {
+  totalDetections: number;
+  falsePositives: number;
+  falseNegatives: number;
+  accuracy: number;
+  lastUpdated: number;
+}
+interface LearningData {
+  version: string;
+  whitelist: WhitelistEntry[];
+  patternAdjustments: PatternAdjustment[];
+  stats: LearningStats;
+}
+declare class LocalLearningStore {
+  private filePath;
+  private data;
+  private autoSave;
+  private confidenceThreshold;
+  constructor(filePath?: string, options?: {
+    autoSave?: boolean;
+    confidenceThreshold?: number;
+  });
+  /**
+   * Load learning data from file
+   */
+  private load;
+  /**
+   * Save learning data to file
+   */
+  private save;
+  /**
+   * Record a false positive detection
+   */
+  recordFalsePositive(text: string, _type: string, context: string): void;
+  /**
+   * Record a false negative (missed detection)
+   */
+  recordFalseNegative(text: string, type: string, _context: string): void;
+  /**
+   * Record a correct detection
+   */
+  recordCorrectDetection(): void;
+  /**
+   * Update accuracy calculation
+   */
+  private updateAccuracy;
+  /**
+   * Get whitelist entries above confidence threshold
+   */
+  getWhitelist(): string[];
+  /**
+   * Get all whitelist entries with metadata
+   */
+  getWhitelistEntries(): WhitelistEntry[];
+  /**
+   * Get pattern adjustments above confidence threshold
+   */
+  getPatternAdjustments(): PatternAdjustment[];
+  /**
+   * Get all pattern adjustments
+   */
+  getAllPatternAdjustments(): PatternAdjustment[];
+  /**
+   * Get learning statistics
+   */
+  getStats(): LearningStats;
+  /**
+   * Get confidence score for a specific pattern
+   */
+  getConfidence(pattern: string): number;
+  /**
+   * Get occurrences count for a specific pattern
+   */
+  getOccurrences(pattern: string): number;
+  /**
+   * Manually add pattern to whitelist
+   */
+  addToWhitelist(pattern: string, confidence?: number): void;
+  /**
+   * Remove pattern from whitelist
+   */
+  removeFromWhitelist(pattern: string): void;
+  /**
+   * Clear all learning data
+   */
+  clear(): void;
+  /**
+   * Export learning data (for sharing)
+   */
+  export(options?: {
+    includeContexts?: boolean;
+    minConfidence?: number;
+  }): LearningData;
+  /**
+   * Import learning data (merge with existing)
+   */
+  import(data: LearningData, merge?: boolean): void;
+  /**
+   * Manually save data
+   */
+  flush(): void;
+}
+//#endregion
+//#region src/optimizer/PriorityOptimizer.d.ts
+interface PatternStats {
+  type: string;
+  totalDetections: number;
+  falsePositives: number;
+  falseNegatives: number;
+  accuracy: number;
+  priority: number;
+  adjustedPriority: number;
+}
+interface OptimizerOptions {
+  learningWeight: number;
+  minSampleSize: number;
+  maxPriorityAdjustment: number;
+}
+/**
+ * Priority Optimizer - Dynamically adjusts pattern priorities based on learning data
+ */
+declare class PriorityOptimizer {
+  private learningStore;
+  private options;
+  constructor(learningStore: LocalLearningStore, options?: Partial<OptimizerOptions>);
+  /**
+   * Optimize pattern priorities based on learning data
+   */
+  optimizePatterns(patterns: PIIPattern[]): PIIPattern[];
+  /**
+   * Get pattern statistics with learning data
+   */
+  getPatternStats(patterns: PIIPattern[]): PatternStats[];
+  /**
+   * Infer pattern type from a whitelisted value
+   * This is a heuristic - in production we'd track this explicitly
+   */
+  private inferPatternType;
+  /**
+   * Reset all priority adjustments
+   */
+  resetPriorities(patterns: PIIPattern[]): PIIPattern[];
+  /**
+   * Get optimizer configuration
+   */
+  getOptions(): OptimizerOptions;
+  /**
+   * Update optimizer configuration
+   */
+  setOptions(options: Partial<OptimizerOptions>): void;
+}
+//#endregion
+//#region src/document/types.d.ts
+/**
+ * Supported document formats
+ */
+type DocumentFormat = 'pdf' | 'docx' | 'txt' | 'image' | 'json' | 'csv' | 'xlsx';
+/**
+ * OCR language codes (Tesseract format)
+ */
+type OCRLanguage = 'eng' | 'spa' | 'fra' | 'deu' | 'por' | 'ita' | 'rus' | 'chi_sim' | 'chi_tra' | 'jpn' | 'kor';
+/**
+ * OCR options
+ */
+interface OCROptions {
+  /** OCR language (default: 'eng' for English) */
+  language?: OCRLanguage | OCRLanguage[];
+  /** OCR engine mode (0-3, default: 3 for best accuracy) */
+  oem?: 0 | 1 | 2 | 3;
+  /** Page segmentation mode (0-13, default: 3 for automatic) */
+  psm?: number;
+}
+/**
+ * Document processing options
+ */
+interface DocumentOptions {
+  /** Document format (auto-detected if not specified) */
+  format?: DocumentFormat;
+  /** Extract text from specific pages (PDF only, 1-indexed) */
+  pages?: number[];
+  /** Password for encrypted PDFs */
+  password?: string;
+  /** Maximum document size in bytes (default: 50MB) */
+  maxSize?: number;
+  /** Enable OCR for image-based content (default: false) */
+  enableOCR?: boolean;
+  /** OCR configuration options */
+  ocrOptions?: OCROptions;
+}
+/**
+ * Document processing result
+ */
+interface DocumentResult {
+  /** Extracted text from document */
+  text: string;
+  /** Document metadata */
+  metadata: DocumentMetadata;
+  /** Detection result with PII findings */
+  detection: DetectionResult;
+  /** Original file size in bytes */
+  fileSize: number;
+  /** Text extraction time in milliseconds */
+  extractionTime: number;
+}
+/**
+ * Document metadata
+ */
+interface DocumentMetadata {
+  /** Document format */
+  format: DocumentFormat;
+  /** Number of pages (if applicable) */
+  pages?: number;
+  /** Document title */
+  title?: string;
+  /** Document author */
+  author?: string;
+  /** Creation date */
+  creationDate?: Date;
+  /** Last modified date */
+  modifiedDate?: Date;
+  /** OCR confidence (0-100) if OCR was used */
+  ocrConfidence?: number;
+  /** Whether OCR was used for extraction */
+  usedOCR?: boolean;
+  /** Additional custom metadata */
+  custom?: Record<string, unknown>;
+}
+//#endregion
+//#region src/context/ContextRules.d.ts
+/**
+ * Proximity rule for context-based confidence adjustment
+ */
+interface ProximityRule {
+  /** Pattern type this rule applies to (e.g., 'EMAIL', 'PHONE', 'SSN') */
+  patternType: string | string[];
+  /** Keywords to look for near the match */
+  keywords: string[];
+  /** Maximum word distance from match (default: 10) */
+  proximityWindow?: number;
+  /** Confidence boost if keyword found (0-1) */
+  confidenceBoost?: number;
+  /** Confidence penalty if keyword found (0-1) */
+  confidencePenalty?: number;
+  /** Whether match must come AFTER keyword (default: both directions) */
+  keywordBefore?: boolean;
+  /** Whether match must come BEFORE keyword (default: both directions) */
+  keywordAfter?: boolean;
+  /** Rule description */
+  description?: string;
+}
+/**
+ * Domain-specific vocabulary for context detection
+ */
+interface DomainVocabulary {
+  /** Domain name */
+  domain: 'medical' | 'legal' | 'financial' | 'technical' | 'hr' | 'custom';
+  /** Domain-specific terms */
+  terms: string[];
+  /** Pattern types to boost in this domain */
+  boostPatterns?: string[];
+  /** Confidence boost amount (default: 0.15) */
+  boostAmount?: number;
+}
+/**
+ * Contextual rules configuration
+ */
+interface ContextRulesConfig {
+  /** Proximity rules */
+  proximityRules?: ProximityRule[];
+  /** Domain vocabularies */
+  domainVocabularies?: DomainVocabulary[];
+  /** Enable default rules (default: true) */
+  useDefaultRules?: boolean;
+}
+//#endregion
+//#region src/context/ContextAnalyzer.d.ts
+/**
+ * Context Analysis for PII Detection
+ * Provides NLP-lite features to reduce false positives
+ */
+interface ContextAnalysis {
+  /** 5 words before detection */
+  beforeWords: string[];
+  /** 5 words after detection */
+  afterWords: string[];
+  /** Full sentence containing detection */
+  sentence: string;
+  /** Inferred document type */
+  documentType: 'email' | 'document' | 'code' | 'chat' | 'unknown';
+  /** Confidence that this is actual PII (0-1) */
+  confidence: number;
+}
+//#endregion
+//#region src/explain/ExplainAPI.d.ts
+/**
+ * Pattern match result for explain
+ */
+interface PatternMatchResult {
+  /** Pattern that was tested */
+  pattern: PIIPattern;
+  /** Whether the pattern matched */
+  matched: boolean;
+  /** Matched value (if matched) */
+  matchedValue?: string;
+  /** Position of match (if matched) */
+  position?: [number, number];
+  /** Why it didn't match or was filtered */
+  reason?: string;
+  /** Validator result (if validator exists) */
+  validatorPassed?: boolean;
+  /** Context analysis (if enabled) */
+  contextAnalysis?: ContextAnalysis;
+  /** False positive check (if enabled) */
+  falsePositiveCheck?: {
+    isFalsePositive: boolean;
+    confidence: number;
+    reason?: string;
+  };
+}
+/**
+ * Explanation for a specific text
+ */
+interface TextExplanation {
+  /** Original text */
+  text: string;
+  /** All pattern match results */
+  patternResults: PatternMatchResult[];
+  /** Patterns that matched */
+  matchedPatterns: PatternMatchResult[];
+  /** Patterns that didn't match */
+  unmatchedPatterns: PatternMatchResult[];
+  /** Patterns that matched but were filtered */
+  filteredPatterns: PatternMatchResult[];
+  /** Final detections */
+  detections: PIIDetection[];
+  /** Summary statistics */
+  summary: {
+    totalPatternsChecked: number;
+    patternsMatched: number;
+    patternsFiltered: number;
+    finalDetections: number;
+  };
+}
+/**
+ * Explain API for debugging
+ */
+declare class ExplainAPI {
+  private detector;
+  private patterns;
+  private options;
+  constructor(detector: OpenRedaction);
+  /**
+   * Explain why text was or wasn't detected as PII
+   */
+  explain(text: string): Promise<TextExplanation>;
+  /**
+   * Explain a specific detection
+   */
+  explainDetection(detection: PIIDetection, text: string): Promise<{
+    detection: PIIDetection;
+    pattern?: PIIPattern;
+    contextAnalysis?: ContextAnalysis;
+    reasoning: string[];
+    suggestions: string[];
+  }>;
+  /**
+   * Suggest why text wasn't detected
+   */
+  suggestWhy(text: string, expectedType: string): Promise<{
+    text: string;
+    expectedType: string;
+    suggestions: string[];
+    similarPatterns: PIIPattern[];
+  }>;
+  /**
+   * Get debugging information for entire detection process
+   */
+  debug(text: string): Promise<{
+    text: string;
+    textLength: number;
+    enabledFeatures: string[];
+    patternCount: number;
+    explanation: TextExplanation;
+    performance: {
+      estimatedTime: string;
+    };
+  }>;
+}
+//#endregion
+//#region src/reports/ReportGenerator.d.ts
+/**
+ * Report format options
+ */
+type ReportFormat = 'html' | 'markdown';
+/**
+ * Report type options
+ */
+type ReportType = 'summary' | 'detailed' | 'compliance';
+/**
+ * Report generation options
+ */
+interface ReportOptions {
+  /** Report format */
+  format: ReportFormat;
+  /** Report type */
+  type?: ReportType;
+  /** Report title */
+  title?: string;
+  /** Include original text (default: false for privacy) */
+  includeOriginalText?: boolean;
+  /** Include redacted text (default: true) */
+  includeRedactedText?: boolean;
+  /** Include detection details (default: true) */
+  includeDetectionDetails?: boolean;
+  /** Include statistics (default: true) */
+  includeStatistics?: boolean;
+  /** Include explanation (requires ExplainAPI, default: false) */
+  includeExplanation?: boolean;
+  /** Company/project name for compliance reports */
+  organizationName?: string;
+  /** Additional metadata */
+  metadata?: Record<string, string>;
+}
+//#endregion
+//#region src/detector.d.ts
+declare class OpenRedaction {
+  private patterns;
+  private compiledPatterns;
+  private options;
+  private multiPassConfig?;
+  private resultCache?;
+  private valueToPlaceholder;
+  private placeholderCounter;
+  private learningStore?;
+  private priorityOptimizer?;
+  private enableLearning;
+  private auditLogger?;
+  private auditUser?;
+  private auditSessionId?;
+  private auditMetadata?;
+  private metricsCollector?;
+  private rbacManager?;
+  private nerDetector?;
+  private contextRulesEngine?;
+  private severityClassifier;
+  constructor(options?: OpenRedactionOptions & {
+    configPath?: string;
+    enableLearning?: boolean;
+    learningStorePath?: string;
+    enablePriorityOptimization?: boolean;
+    optimizerOptions?: Partial<OptimizerOptions>;
+    enableNER?: boolean;
+    enableContextRules?: boolean;
+    contextRulesConfig?: ContextRulesConfig;
+    maxInputSize?: number;
+    regexTimeout?: number;
+  });
+  /**
+   * Create OpenRedaction instance from config file
+   */
+  static fromConfig(configPath?: string): Promise<OpenRedaction>;
+  /**
+   * Build the list of patterns based on options
+   * Supports three filtering modes (in order of priority):
+   * 1. Specific pattern types (patterns option)
+   * 2. Pattern categories (categories option) - NEW!
+   * 3. All patterns with type-specific filters (includeNames, etc.)
+   */
+  private buildPatternList;
+  /**
+   * Validate all patterns to prevent malicious regex injection
+   * ONLY validates custom patterns - built-in patterns are already vetted
+   * Timeout protection in safeExec() is the primary defense against ReDoS
+   */
+  private validatePatterns;
+  /**
+   * Pre-compile all regex patterns for performance
+   * Avoids creating new RegExp objects on every detect() call
+   */
+  private precompilePatterns;
+  /**
+   * Process patterns and detect PII
+   * Used by both single-pass and multi-pass detection
+   */
+  private processPatterns;
+  /**
+   * Detect PII in text
+   * Async API for detection pipeline (NER, multi-pass, etc.)
+   */
+  detect(text: string): Promise<DetectionResult>;
+  /**
+   * Restore redacted text using redaction map
+   */
+  restore(redactedText: string, redactionMap: Record<string, string>): string;
+  /**
+   * Generate placeholder for a detected value
+   */
+  private generatePlaceholder;
+  /**
+   * Check if a range overlaps with existing detections
+   */
+  private overlapsWithExisting;
+  /**
+   * Escape special regex characters
+   */
+  private escapeRegex;
+  /**
+   * Get the list of active patterns
+   */
+  getPatterns(): PIIPattern[];
+  /**
+   * Get severity-based scan results
+   */
+  scan(text: string): Promise<{
+    high: PIIDetection[];
+    medium: PIIDetection[];
+    low: PIIDetection[];
+    total: number;
+  }>;
+  /**
+   * Record a false positive (incorrectly detected as PII)
+   */
+  recordFalsePositive(detection: PIIDetection, context?: string): void;
+  /**
+   * Record a false negative (missed PII that should have been detected)
+   */
+  recordFalseNegative(text: string, expectedType: string, context?: string): void;
+  /**
+   * Record a correct detection (for accuracy tracking)
+   */
+  recordCorrectDetection(): void;
+  /**
+   * Get learning statistics
+   */
+  getLearningStats(): LearningStats | null;
+  /**
+   * Get learned whitelist entries
+   */
+  getLearnedWhitelist(): WhitelistEntry[];
+  /**
+   * Get pattern adjustment suggestions
+   */
+  getPatternAdjustments(): PatternAdjustment[];
+  /**
+   * Export learned patterns for sharing
+   */
+  exportLearnings(options?: {
+    includeContexts?: boolean;
+    minConfidence?: number;
+  }): LearningData | null;
+  /**
+   * Import learned patterns from another source
+   */
+  importLearnings(data: any, merge?: boolean): void;
+  /**
+   * Manually add a term to the whitelist
+   */
+  addToWhitelist(pattern: string, confidence?: number): void;
+  /**
+   * Remove a term from the whitelist
+   */
+  removeFromWhitelist(pattern: string): void;
+  /**
+   * Get the learning store instance
+   */
+  getLearningStore(): LocalLearningStore | undefined;
+  /**
+   * Get the priority optimizer instance
+   */
+  getPriorityOptimizer(): PriorityOptimizer | undefined;
+  /**
+   * Optimize pattern priorities based on learning data
+   * Call this to re-optimize priorities after accumulating new learning data
+   */
+  optimizePriorities(): void;
+  /**
+   * Get pattern statistics with learning data
+   */
+  getPatternStats(): PatternStats[] | null;
+  /**
+   * Clear the result cache (if caching is enabled)
+   */
+  clearCache(): void;
+  /**
+   * Get cache statistics
+   */
+  getCacheStats(): {
+    size: number;
+    maxSize: number;
+    enabled: boolean;
+  };
+  /**
+   * Get the audit logger instance (if audit logging is enabled)
+   */
+  getAuditLogger(): IAuditLogger | undefined;
+  /**
+   * Get the metrics collector instance (if metrics collection is enabled)
+   */
+  getMetricsCollector(): IMetricsCollector | undefined;
+  /**
+   * Get the RBAC manager instance (if RBAC is enabled)
+   */
+  getRBACManager(): IRBACManager | undefined;
+  /**
+   * Create an explain API for debugging detections
+   */
+  explain(): ExplainAPI;
+  /**
+   * Generate a report from detection results
+   */
+  generateReport(result: DetectionResult, options: ReportOptions): string;
+  /**
+   * Export current configuration
+   */
+  exportConfig(metadata?: {
+    description?: string;
+    author?: string;
+    tags?: string[];
+  }): string;
+  /**
+   * Run health check
+   */
+  healthCheck(options?: {
+    testDetection?: boolean;
+    checkPerformance?: boolean;
+    performanceThreshold?: number;
+    memoryThreshold?: number;
+  }): Promise<any>;
+  /**
+   * Quick health check (minimal overhead)
+   */
+  quickHealthCheck(): Promise<{
+    status: 'healthy' | 'unhealthy';
+    message: string;
+  }>;
+  /**
+   * Detect PII in a document (PDF, DOCX, TXT)
+   * Requires optional peer dependencies:
+   * - pdf-parse for PDF support
+   * - mammoth for DOCX support
+   */
+  detectDocument(buffer: Buffer, options?: DocumentOptions): Promise<DocumentResult>;
+  /**
+   * Detect PII in a document file from filesystem
+   * Convenience method that reads file and calls detectDocument
+   */
+  detectDocumentFile(filePath: string, options?: DocumentOptions): Promise<DocumentResult>;
+  /**
+   * Batch detect PII in multiple texts using worker threads (parallel)
+   * Significantly faster for processing many texts
+   */
+  static detectBatch(texts: string[], options?: OpenRedactionOptions & {
+    numWorkers?: number;
+  }): Promise<DetectionResult[]>;
+  /**
+   * Batch process multiple documents using worker threads (parallel)
+   * Efficient for processing many documents at once
+   */
+  static detectDocumentsBatch(buffers: Buffer[], options?: DocumentOptions & {
+    numWorkers?: number;
+  }): Promise<DocumentResult[]>;
+}
+//#endregion
+//#region src/tenancy/TenantManager.d.ts
+/**
+ * Tenant configuration
+ */
+interface TenantConfig {
+  /** Tenant unique identifier */
+  tenantId: string;
+  /** Tenant display name */
+  name: string;
+  /** Tenant-specific OpenRedaction options */
+  options?: OpenRedactionOptions;
+  /** Tenant-specific custom patterns */
+  customPatterns?: PIIPattern[];
+  /** Tenant-specific whitelist */
+  whitelist?: string[];
+  /** Tenant quota limits */
+  quotas?: TenantQuotas;
+  /** Tenant API key (for authentication) */
+  apiKey?: string;
+  /** Tenant metadata */
+  metadata?: Record<string, unknown>;
+  /** Tenant status */
+  status: 'active' | 'suspended' | 'trial';
+  /** Trial expiry date (for trial tenants) */
+  trialExpiresAt?: Date;
+  /** Created timestamp */
+  createdAt: Date;
+  /** Last updated timestamp */
+  updatedAt: Date;
+}
+/**
+ * Tenant quota limits
+ */
+interface TenantQuotas {
+  /** Maximum requests per month (undefined = unlimited) */
+  maxRequestsPerMonth?: number;
+  /** Maximum text length per request (characters) */
+  maxTextLength?: number;
+  /** Maximum patterns allowed */
+  maxPatterns?: number;
+  /** Maximum audit logs to retain */
+  maxAuditLogs?: number;
+  /** Rate limit: requests per minute */
+  rateLimit?: number;
+}
+/**
+ * Tenant usage statistics
+ */
+interface TenantUsage {
+  /** Tenant ID */
+  tenantId: string;
+  /** Total requests this month */
+  requestsThisMonth: number;
+  /** Total text processed this month (characters) */
+  textProcessedThisMonth: number;
+  /** Total PII detected this month */
+  piiDetectedThisMonth: number;
+  /** Last request timestamp */
+  lastRequestAt?: Date;
+  /** Monthly usage reset date */
+  monthlyResetDate: Date;
+}
+/**
+ * Multi-tenant manager for SaaS deployments
+ */
+declare class TenantManager {
+  private tenants;
+  private usage;
+  private detectors;
+  private rateLimitTracking;
+  private auditLoggers;
+  private metricsCollectors;
+  /**
+   * Register a new tenant
+   */
+  registerTenant(config: Omit<TenantConfig, 'createdAt' | 'updatedAt'>): TenantConfig;
+  /**
+   * Update tenant configuration
+   */
+  updateTenant(tenantId: string, updates: Partial<Omit<TenantConfig, 'tenantId' | 'createdAt'>>): TenantConfig;
+  /**
+   * Get tenant configuration
+   */
+  getTenantConfig(tenantId: string): TenantConfig;
+  /**
+   * Get or create tenant-specific detector instance
+   */
+  getDetector(tenantId: string): OpenRedaction;
+  /**
+   * Perform detection with tenant isolation and quota checks
+   */
+  detect(tenantId: string, text: string): Promise<any>;
+  /**
+   * Validate tenant status (active, trial expiry)
+   */
+  private validateTenantStatus;
+  /**
+   * Check tenant quotas before processing
+   */
+  private checkQuotas;
+  /**
+   * Track request for usage and rate limiting
+   */
+  private trackRequest;
+  /**
+   * Get number of requests in last minute
+   */
+  private getRequestsInLastMinute;
+  /**
+   * Reset monthly usage statistics
+   */
+  private resetMonthlyUsage;
+  /**
+   * Get next monthly reset date (1st of next month)
+   */
+  private getNextMonthlyResetDate;
+  /**
+   * Get tenant usage statistics
+   */
+  getTenantUsage(tenantId: string): TenantUsage;
+  /**
+   * Get all tenants
+   */
+  getAllTenants(): TenantConfig[];
+  /**
+   * Get tenants by status
+   */
+  getTenantsByStatus(status: TenantConfig['status']): TenantConfig[];
+  /**
+   * Authenticate tenant by API key
+   */
+  authenticateByApiKey(apiKey: string): TenantConfig | null;
+  /**
+   * Suspend a tenant
+   */
+  suspendTenant(tenantId: string): void;
+  /**
+   * Activate a tenant
+   */
+  activateTenant(tenantId: string): void;
+  /**
+   * Delete a tenant and all associated data
+   */
+  deleteTenant(tenantId: string): void;
+  /**
+   * Set tenant-specific audit logger
+   */
+  setAuditLogger(tenantId: string, logger: IAuditLogger): void;
+  /**
+   * Get tenant-specific audit logger
+   */
+  getAuditLogger(tenantId: string): IAuditLogger | undefined;
+  /**
+   * Set tenant-specific metrics collector
+   */
+  setMetricsCollector(tenantId: string, collector: IMetricsCollector): void;
+  /**
+   * Get tenant-specific metrics collector
+   */
+  getMetricsCollector(tenantId: string): IMetricsCollector | undefined;
+  /**
+   * Get aggregate statistics across all tenants
+   */
+  getAggregateStats(): {
+    totalTenants: number;
+    activeTenants: number;
+    trialTenants: number;
+    suspendedTenants: number;
+    totalRequestsThisMonth: number;
+    totalTextProcessedThisMonth: number;
+    totalPiiDetectedThisMonth: number;
+  };
+  /**
+   * Validate tenant exists
+   */
+  private validateTenantExists;
+  /**
+   * Export tenant configuration as JSON
+   */
+  exportTenantConfig(tenantId: string): string;
+  /**
+   * Import tenant configuration from JSON
+   */
+  importTenantConfig(json: string): TenantConfig;
+}
+//#endregion
+//#region src/webhooks/WebhookManager.d.ts
+/**
+ * Webhook event types
+ */
+type WebhookEventType = 'pii.detected.high_risk' | 'pii.detected.bulk' | 'pii.processing.failed' | 'pii.processing.slow' | 'quota.exceeded' | 'tenant.suspended' | 'audit.tamper_detected' | 'custom';
+/**
+ * Webhook event payload
+ */
+interface WebhookEvent {
+  /** Event unique ID */
+  id: string;
+  /** Event type */
+  type: WebhookEventType;
+  /** Event timestamp (ISO 8601) */
+  timestamp: string;
+  /** Event severity */
+  severity: 'critical' | 'high' | 'medium' | 'low' | 'info';
+  /** Event data */
+  data: Record<string, unknown>;
+  /** Source identifier (e.g., tenant ID) */
+  source?: string;
+  /** Custom metadata */
+  metadata?: Record<string, unknown>;
+}
+/**
+ * Webhook configuration
+ */
+interface WebhookConfig {
+  /** Webhook unique ID */
+  id: string;
+  /** Webhook URL to POST events to */
+  url: string;
+  /** Event types to subscribe to (empty = all events) */
+  events?: WebhookEventType[];
+  /** Minimum severity to trigger webhook */
+  minSeverity?: 'critical' | 'high' | 'medium' | 'low' | 'info';
+  /** Custom headers to include in requests */
+  headers?: Record<string, string>;
+  /** Secret for HMAC signature (optional but recommended) */
+  secret?: string;
+  /** Enable webhook (default: true) */
+  enabled?: boolean;
+  /** Retry configuration */
+  retry?: {
+    /** Maximum retry attempts (default: 3) */maxAttempts?: number; /** Initial delay in ms (default: 1000) */
+    initialDelay?: number; /** Maximum delay in ms (default: 60000) */
+    maxDelay?: number; /** Backoff multiplier (default: 2) */
+    backoffMultiplier?: number;
+  };
+  /** Timeout in ms (default: 5000) */
+  timeout?: number;
+  /** Tenant ID (for multi-tenant setups) */
+  tenantId?: string;
+}
+/**
+ * Webhook delivery status
+ */
+type WebhookDeliveryStatus = 'pending' | 'success' | 'failed' | 'circuit_open';
+/**
+ * Webhook delivery record
+ */
+interface WebhookDelivery {
+  /** Delivery ID */
+  id: string;
+  /** Webhook ID */
+  webhookId: string;
+  /** Event that was delivered */
+  event: WebhookEvent;
+  /** Delivery status */
+  status: WebhookDeliveryStatus;
+  /** HTTP status code */
+  statusCode?: number;
+  /** Delivery timestamp */
+  timestamp: Date;
+  /** Attempt number */
+  attempt: number;
+  /** Error message if failed */
+  error?: string;
+  /** Response body */
+  responseBody?: string;
+  /** Delivery duration in ms */
+  durationMs?: number;
+}
+/**
+ * Webhook statistics
+ */
+interface WebhookStats {
+  /** Webhook ID */
+  webhookId: string;
+  /** Total deliveries */
+  totalDeliveries: number;
+  /** Successful deliveries */
+  successfulDeliveries: number;
+  /** Failed deliveries */
+  failedDeliveries: number;
+  /** Average delivery time in ms */
+  avgDeliveryTimeMs: number;
+  /** Last delivery time */
+  lastDeliveryTime?: Date;
+  /** Circuit breaker state */
+  circuitState: 'closed' | 'open' | 'half_open';
+}
+/**
+ * Webhook Manager
+ * Manages webhook subscriptions, delivery, retries, and circuit breaking
+ */
+declare class WebhookManager {
+  private webhooks;
+  private deliveryHistory;
+  private circuitBreakers;
+  private pendingRetries;
+  private maxHistorySize;
+  private readonly FAILURE_THRESHOLD;
+  private readonly RESET_TIMEOUT_MS;
+  constructor(options?: {
+    maxHistorySize?: number;
+  });
+  /**
+   * Register a webhook
+   */
+  registerWebhook(config: WebhookConfig): void;
+  /**
+   * Update webhook configuration
+   */
+  updateWebhook(id: string, updates: Partial<Omit<WebhookConfig, 'id'>>): void;
+  /**
+   * Delete webhook
+   */
+  deleteWebhook(id: string): void;
+  /**
+   * Get webhook configuration
+   */
+  getWebhook(id: string): WebhookConfig | undefined;
+  /**
+   * Get all webhooks
+   */
+  getAllWebhooks(): WebhookConfig[];
+  /**
+   * Emit an event to all subscribed webhooks
+   */
+  emitEvent(event: Omit<WebhookEvent, 'id' | 'timestamp'>): Promise<void>;
+  /**
+   * Emit high-risk PII detection event
+   */
+  emitHighRiskPII(result: DetectionResult, tenantId?: string): Promise<void>;
+  /**
+   * Emit bulk PII detection event
+   */
+  emitBulkPII(result: DetectionResult, threshold?: number, tenantId?: string): Promise<void>;
+  /**
+   * Emit processing error event
+   */
+  emitProcessingError(error: Error, tenantId?: string): Promise<void>;
+  /**
+   * Emit slow processing event
+   */
+  emitSlowProcessing(durationMs: number, threshold?: number, tenantId?: string): Promise<void>;
+  /**
+   * Find webhooks that match the event
+   */
+  private findMatchingWebhooks;
+  /**
+   * Deliver webhook with retry logic
+   */
+  private deliverWebhook;
+  /**
+   * Make HTTP request to webhook URL
+   */
+  private makeHttpRequest;
+  /**
+   * Calculate HMAC signature for webhook verification
+   */
+  private calculateHmacSignature;
+  /**
+   * Calculate retry delay with exponential backoff
+   */
+  private calculateRetryDelay;
+  /**
+   * Record delivery in history
+   */
+  private recordDelivery;
+  /**
+   * Get delivery history for a webhook
+   */
+  getDeliveryHistory(webhookId: string, limit?: number): WebhookDelivery[];
+  /**
+   * Get webhook statistics
+   */
+  getWebhookStats(webhookId: string): WebhookStats;
+  /**
+   * Get aggregate statistics for all webhooks
+   */
+  getAggregateStats(): {
+    totalWebhooks: number;
+    enabledWebhooks: number;
+    totalDeliveries: number;
+    successfulDeliveries: number;
+    failedDeliveries: number;
+    avgDeliveryTimeMs: number;
+  };
+  /**
+   * Clear delivery history
+   */
+  clearHistory(): void;
+  /**
+   * Generate unique ID
+   */
+  private generateId;
+}
+//#endregion
+//#region src/audit/PersistentAuditLogger.d.ts
+/**
+ * Supported database backends
+ */
+type AuditBackend = 'sqlite' | 'postgresql' | 'mongodb' | 's3' | 'file';
+/**
+ * Database connection configuration
+ */
+interface AuditDatabaseConfig {
+  /** Backend type */
+  backend: AuditBackend;
+  /** Connection string (for PostgreSQL/MongoDB) */
+  connectionString?: string;
+  /** Database file path (for SQLite/file backend) */
+  filePath?: string;
+  /** S3 bucket configuration */
+  s3Config?: {
+    bucket: string;
+    region: string;
+    accessKeyId?: string;
+    secretAccessKey?: string;
+    prefix?: string;
+  };
+  /** Table/collection name (default: 'audit_logs') */
+  tableName?: string;
+  /** Enable compression (default: false) */
+  enableCompression?: boolean;
+  /** Batch size for bulk inserts (default: 100) */
+  batchSize?: number;
+}
+/**
+ * Retention policy configuration
+ */
+interface RetentionPolicy {
+  /** Maximum age of logs in days (default: 90) */
+  maxAgeDays?: number;
+  /** Maximum number of logs to keep (default: unlimited) */
+  maxLogs?: number;
+  /** Enable automatic cleanup (default: false) */
+  autoCleanup?: boolean;
+  /** Cleanup interval in hours (default: 24) */
+  cleanupIntervalHours?: number;
+}
+/**
+ * Persistent audit logger options
+ */
+interface PersistentAuditLoggerOptions {
+  /** Database configuration */
+  database: AuditDatabaseConfig;
+  /** Retention policy */
+  retention?: RetentionPolicy;
+  /** Enable cryptographic hashing for tamper detection (default: true) */
+  enableHashing?: boolean;
+  /** Hash algorithm (default: 'sha256') */
+  hashAlgorithm?: 'sha256' | 'sha512';
+  /** Enable write-ahead logging for crash recovery (default: true) */
+  enableWAL?: boolean;
+  /** Secret key for HMAC hashing (optional, recommended for production) */
+  secretKey?: string;
+}
+/**
+ * Audit log entry with cryptographic hash
+ */
+interface HashedAuditLogEntry extends AuditLogEntry {
+  /** Cryptographic hash of this entry */
+  hash: string;
+  /** Hash of previous entry for chain verification */
+  previousHash?: string;
+  /** Sequence number in the log chain */
+  sequence: number;
+}
+/**
+ * Audit query filter
+ */
+interface AuditQueryFilter {
+  /** Filter by operation type */
+  operation?: AuditLogEntry['operation'];
+  /** Filter by user */
+  user?: string;
+  /** Filter by session ID */
+  sessionId?: string;
+  /** Filter by date range (start) */
+  startDate?: Date;
+  /** Filter by date range (end) */
+  endDate?: Date;
+  /** Filter by success status */
+  success?: boolean;
+  /** Limit results */
+  limit?: number;
+  /** Offset for pagination */
+  offset?: number;
+  /** Sort order */
+  sort?: 'asc' | 'desc';
+}
+/**
+ * Persistent Audit Logger with cryptographic chain verification
+ */
+declare class PersistentAuditLogger implements IAuditLogger {
+  private adapter;
+  private options;
+  private batchBuffer;
+  private lastHash;
+  private sequence;
+  private cleanupTimer?;
+  private initialized;
+  constructor(options: PersistentAuditLoggerOptions);
+  /**
+   * Initialize the logger (must be called before use)
+   */
+  initialize(): Promise<void>;
+  /**
+   * Log an audit entry
+   */
+  log(entry: Omit<AuditLogEntry, 'id' | 'timestamp'>): void;
+  /**
+   * Get all audit logs
+   */
+  getLogs(): AuditLogEntry[];
+  /**
+   * Query logs with filters (async)
+   */
+  queryLogs(filter?: AuditQueryFilter): Promise<HashedAuditLogEntry[]>;
+  /**
+   * Get logs by operation type
+   */
+  getLogsByOperation(_operation: AuditLogEntry['operation']): AuditLogEntry[];
+  /**
+   * Get logs by date range
+   */
+  getLogsByDateRange(_startDate: Date, _endDate: Date): AuditLogEntry[];
+  /**
+   * Export logs as JSON
+   */
+  exportAsJson(): string;
+  /**
+   * Export logs as JSON (async)
+   */
+  exportAsJsonAsync(filter?: AuditQueryFilter): Promise<string>;
+  /**
+   * Export logs as CSV
+   */
+  exportAsCsv(): string;
+  /**
+   * Export logs as CSV (async)
+   */
+  exportAsCsvAsync(filter?: AuditQueryFilter): Promise<string>;
+  /**
+   * Clear all audit logs (dangerous!)
+   */
+  clear(): void;
+  /**
+   * Delete logs older than specified date
+   */
+  deleteOlderThan(date: Date): Promise<number>;
+  /**
+   * Get audit statistics
+   */
+  getStats(): AuditStats;
+  /**
+   * Get audit statistics (async)
+   */
+  getStatsAsync(filter?: AuditQueryFilter): Promise<AuditStats>;
+  /**
+   * Verify log chain integrity
+   */
+  verifyChainIntegrity(startSequence?: number, endSequence?: number): Promise<{
+    valid: boolean;
+    brokenAt?: number;
+    message: string;
+  }>;
+  /**
+   * Flush batch buffer to database
+   */
+  flushBatch(): Promise<void>;
+  /**
+   * Close the logger and flush any pending logs
+   */
+  close(): Promise<void>;
+  /**
+   * Create hashed entry with chain linking
+   */
+  private createHashedEntry;
+  /**
+   * Calculate cryptographic hash of entry
+   */
+  private calculateHash;
+  /**
+   * Generate unique ID
+   */
+  private generateId;
+  /**
+   * Create database adapter based on backend
+   */
+  private createAdapter;
+  /**
+   * Start automatic cleanup schedule
+   */
+  private startCleanupSchedule;
+  /**
+   * Run cleanup based on retention policy
+   */
+  private runCleanup;
+}
+//#endregion
+//#region src/api/APIServer.d.ts
+/**
+ * API Server configuration
+ */
+interface APIServerConfig {
+  /** Server port (default: 3000) */
+  port?: number;
+  /** Server host (default: '0.0.0.0') */
+  host?: string;
+  /** Enable CORS (default: true) */
+  enableCors?: boolean;
+  /** CORS origin (default: '*') */
+  corsOrigin?: string | string[];
+  /** API key for authentication (optional) */
+  apiKey?: string;
+  /** Enable rate limiting (default: true) */
+  enableRateLimit?: boolean;
+  /** Rate limit: requests per minute (default: 60) */
+  rateLimit?: number;
+  /** Request body size limit (default: '10mb') */
+  bodyLimit?: string;
+  /** Enable request logging (default: true) */
+  enableLogging?: boolean;
+  /** Tenant manager (for multi-tenant mode) */
+  tenantManager?: TenantManager;
+  /** Webhook manager */
+  webhookManager?: WebhookManager;
+  /** Persistent audit logger */
+  auditLogger?: PersistentAuditLogger;
+  /** Default OpenRedaction options (for non-tenant mode) */
+  defaultOptions?: OpenRedactionOptions;
+}
+/**
+ * API request with authentication
+ */
+interface APIRequest {
+  /** HTTP method (e.g. GET, POST) */
+  method: string;
+  /** URL pathname (e.g. /api/detect) */
+  pathname: string;
+  /** Request body */
+  body: any;
+  /** Headers */
+  headers: Record<string, string | string[] | undefined>;
+  /** Query parameters */
+  query: Record<string, string | string[] | undefined>;
+  /** Path parameters */
+  params: Record<string, string>;
+  /** Authenticated tenant ID (if multi-tenant) */
+  tenantId?: string;
+  /** Client IP address */
+  ip?: string;
+}
+/**
+ * API response
+ */
+interface APIResponse {
+  /** Status code */
+  status: number;
+  /** Response body */
+  body: any;
+  /** Headers */
+  headers?: Record<string, string>;
+}
+/**
+ * REST API Server
+ * Lightweight HTTP server for OpenRedaction with Express-like interface
+ */
+declare class APIServer {
+  private server?;
+  private config;
+  private detector?;
+  private isRunning;
+  private rateLimitTracking;
+  constructor(config?: APIServerConfig);
+  /**
+   * Start the API server
+   */
+  start(): Promise<void>;
+  /**
+   * Stop the server
+   */
+  stop(): Promise<void>;
+  /**
+   * Handle incoming HTTP requests
+   */
+  private handleRequest;
+  /**
+   * Parse HTTP request
+   */
+  private parseRequest;
+  /**
+   * Parse body size limit (e.g. "10mb", "512kb") to bytes
+   */
+  private parseBodyLimitBytes;
+  /**
+   * Parse request body
+   */
+  private parseBody;
+  /**
+   * Route request to appropriate handler
+   */
+  private routeRequest;
+  /**
+   * Handle POST /api/detect
+   */
+  private handleDetect;
+  /**
+   * Handle POST /api/redact
+   */
+  private handleRedact;
+  /**
+   * Handle POST /api/restore
+   */
+  private handleRestore;
+  /**
+   * Handle GET /api/audit/logs
+   */
+  private handleAuditLogs;
+  /**
+   * Handle GET /api/audit/stats
+   */
+  private handleAuditStats;
+  /**
+   * Handle GET /api/metrics
+   */
+  private handleMetrics;
+  /**
+   * Handle GET /api/patterns
+   */
+  private handleGetPatterns;
+  /**
+   * Handle GET /api/health
+   */
+  private handleHealth;
+  /**
+   * Handle GET /api/docs
+   */
+  private handleDocs;
+  /**
+   * Handle GET /
+   */
+  private handleRoot;
+  /**
+   * Send HTTP response
+   */
+  private sendResponse;
+  /**
+   * Check rate limit
+   */
+  private checkRateLimit;
+}
+/**
+ * Create an API server instance
+ */
+declare function createAPIServer(config?: APIServerConfig): APIServer;
+//#endregion
+//#region src/metrics/PrometheusServer.d.ts
+/**
+ * Prometheus server options
+ */
+interface PrometheusServerOptions {
+  /** Port to listen on (default: 9090) */
+  port?: number;
+  /** Host to bind to (default: '0.0.0.0') */
+  host?: string;
+  /** Metrics path (default: '/metrics') */
+  metricsPath?: string;
+  /** Metrics prefix (default: 'openredaction') */
+  prefix?: string;
+  /** Health check path (default: '/health') */
+  healthPath?: string;
+  /** Enable CORS (default: false) */
+  enableCors?: boolean;
+  /** Basic auth username (optional) */
+  username?: string;
+  /** Basic auth password (optional) */
+  password?: string;
+}
+/**
+ * Prometheus metrics HTTP server
+ * Provides a lightweight HTTP server for exposing metrics to Prometheus
+ */
+declare class PrometheusServer {
+  private server?;
+  private metricsCollector;
+  private options;
+  private isRunning;
+  private requestCount;
+  private lastScrapeTime?;
+  constructor(metricsCollector: IMetricsCollector, options?: PrometheusServerOptions);
+  /**
+   * Start the Prometheus metrics server
+   */
+  start(): Promise<void>;
+  /**
+   * Stop the server
+   */
+  stop(): Promise<void>;
+  /**
+   * Handle incoming HTTP requests
+   */
+  private handleRequest;
+  /**
+   * Handle /metrics endpoint
+   */
+  private handleMetrics;
+  /**
+   * Handle /health endpoint
+   */
+  private handleHealth;
+  /**
+   * Handle / root endpoint
+   */
+  private handleRoot;
+  /**
+   * Validate basic authentication
+   */
+  private validateAuth;
+  /**
+   * Get server-specific metrics in Prometheus format
+   */
+  private getServerMetrics;
+  /**
+   * Get server statistics
+   */
+  getStats(): {
+    isRunning: boolean;
+    requestCount: number;
+    lastScrapeTime?: Date;
+    uptime: number;
+    host: string;
+    port: number;
+    metricsPath: string;
+  };
+}
+/**
+ * Create a Prometheus server instance
+ */
+declare function createPrometheusServer(metricsCollector: IMetricsCollector, options?: PrometheusServerOptions): PrometheusServer;
+//#endregion
+export { type APIRequest, type APIResponse, APIServer, type APIServerConfig, PrometheusServer, type PrometheusServerOptions, createAPIServer, createPrometheusServer };
+//# sourceMappingURL=server.d.mts.map