openredaction 1.0.8 → 1.0.10

package/dist/index.d.mts

@@ -0,0 +1,3932 @@
+import { NextFunction, Request, Response } from "express";
+
+//#region src/types.d.ts
+/**
+ * Core types for PII Shield
+ */
+/**
+ * PII pattern definition with validation
+ */
+interface PIIPattern {
+  /** Pattern type identifier (e.g., "EMAIL", "PHONE_UK_MOBILE") */
+  type: string;
+  /** Regular expression for matching */
+  regex: RegExp;
+  /** Priority for detection order (higher = checked first) */
+  priority: number;
+  /** Optional validator function for false positive reduction */
+  validator?: (match: string, context: string) => boolean;
+  /** Placeholder template (e.g., "[EMAIL_{n}]") */
+  placeholder: string;
+  /** Optional description */
+  description?: string;
+  /** Severity level */
+  severity?: 'critical' | 'high' | 'medium' | 'low';
+}
+/**
+ * Detected PII instance
+ */
+interface PIIDetection {
+  /** Type of PII detected */
+  type: string;
+  /** Original detected value */
+  value: string;
+  /** Placeholder used for redaction */
+  placeholder: string;
+  /** Position in text [start, end] */
+  position: [number, number];
+  /** Severity level */
+  severity: 'critical' | 'high' | 'medium' | 'low';
+  /** Confidence score (0-1) based on context analysis */
+  confidence?: number;
+}
+/**
+ * PII match (used internally for processing)
+ */
+interface PIIMatch {
+  /** Type of PII */
+  type: string;
+  /** Matched value */
+  value: string;
+  /** Start position */
+  start: number;
+  /** End position */
+  end: number;
+  /** Confidence score (0-1) */
+  confidence: number;
+  /** Context around match */
+  context: {
+    before: string;
+    after: string;
+  };
+}
+/**
+ * Detection result
+ */
+interface DetectionResult {
+  /** Original text */
+  original: string;
+  /** Redacted text */
+  redacted: string;
+  /** Array of detections */
+  detections: PIIDetection[];
+  /** Map of placeholders to original values for restoration */
+  redactionMap: Record<string, string>;
+  /** Statistics */
+  stats?: {
+    /** Processing time in milliseconds */processingTime?: number; /** Total PII count */
+    piiCount: number;
+  };
+}
+/**
+ * Redaction mode - controls how PII is replaced
+ */
+type RedactionMode = 'placeholder' | 'mask-middle' | 'mask-all' | 'format-preserving' | 'token-replace';
+/**
+ * Configuration options for OpenRedaction
+ */
+type PresetName = 'gdpr' | 'hipaa' | 'ccpa' | 'healthcare' | 'healthcare-provider' | 'healthcare-research' | 'finance' | 'financial-services' | 'education' | 'transport-logistics' | 'transportation' | 'logistics';
+interface OpenRedactionOptions {
+  /** Include name detection (default: true) */
+  includeNames?: boolean;
+  /** Include address detection (default: true) */
+  includeAddresses?: boolean;
+  /** Include phone detection (default: true) */
+  includePhones?: boolean;
+  /** Include email detection (default: true) */
+  includeEmails?: boolean;
+  /** Pattern categories to include (e.g., ['personal', 'financial']) */
+  categories?: string[];
+  /** Whitelist specific patterns only */
+  patterns?: string[];
+  /** Add custom patterns */
+  customPatterns?: PIIPattern[];
+  /** Whitelist of terms to ignore (e.g., company names) */
+  whitelist?: string[];
+  /** Enable deterministic placeholders (default: true) */
+  deterministic?: boolean;
+  /** Redaction mode (default: 'placeholder') */
+  redactionMode?: RedactionMode;
+  /** Compliance preset */
+  preset?: PresetName;
+  /** Enable context-aware detection (default: true) */
+  enableContextAnalysis?: boolean;
+  /** Minimum confidence threshold for detections (0-1, default: 0.5) */
+  confidenceThreshold?: number;
+  /** Enable false positive filtering (default: false, experimental) */
+  enableFalsePositiveFilter?: boolean;
+  /** False positive confidence threshold (0-1, default: 0.7) */
+  falsePositiveThreshold?: number;
+  /** Enable multi-pass detection for better accuracy (default: false, experimental) */
+  enableMultiPass?: boolean;
+  /** Number of detection passes (2-5, default: 3) */
+  multiPassCount?: number;
+  /** Enable result caching for repeated inputs (default: false) */
+  enableCache?: boolean;
+  /** Maximum cache size (default: 100) */
+  cacheSize?: number;
+  /** Enable debug logging (default: false) */
+  debug?: boolean;
+  /** Enable audit logging (default: false) */
+  enableAuditLog?: boolean;
+  /** Audit logger instance (optional, default: in-memory logger) */
+  auditLogger?: IAuditLogger;
+  /** User context for audit logs */
+  auditUser?: string;
+  /** Session ID for audit logs */
+  auditSessionId?: string;
+  /** Additional metadata for audit logs */
+  auditMetadata?: Record<string, unknown>;
+  /** Enable metrics collection (default: false) */
+  enableMetrics?: boolean;
+  /** Metrics collector instance (optional, default: in-memory collector) */
+  metricsCollector?: IMetricsCollector;
+  /** Enable RBAC (Role-Based Access Control) (default: false) */
+  enableRBAC?: boolean;
+  /** RBAC manager instance (optional, default: admin role) */
+  rbacManager?: IRBACManager;
+  /** Predefined role name (admin, analyst, operator, viewer) */
+  role?: RoleName;
+  /** Optional AI assist configuration */
+  ai?: AIOptions;
+}
+/**
+ * AI assist configuration options
+ */
+interface AIOptions {
+  /** Enable AI assist mode (default: false) */
+  enabled?: boolean;
+  /** AI endpoint URL (defaults to OPENREDACTION_AI_ENDPOINT env var if available) */
+  endpoint?: string;
+}
+/**
+ * Validator function type
+ */
+type Validator = (value: string, context?: string) => boolean;
+/**
+ * Audit log entry for tracking redaction operations
+ */
+interface AuditLogEntry {
+  /** Unique identifier for this audit entry */
+  id: string;
+  /** Timestamp of the operation (ISO 8601) */
+  timestamp: string;
+  /** Operation type */
+  operation: 'redact' | 'detect' | 'restore';
+  /** Number of PII items found/processed */
+  piiCount: number;
+  /** Types of PII detected (e.g., ["EMAIL", "SSN", "PHONE"]) */
+  piiTypes: string[];
+  /** Text length processed */
+  textLength: number;
+  /** Processing time in milliseconds */
+  processingTimeMs: number;
+  /** Redaction mode used */
+  redactionMode?: RedactionMode;
+  /** Success status */
+  success: boolean;
+  /** Error message if operation failed */
+  error?: string;
+  /** Optional user context */
+  user?: string;
+  /** Optional session/request identifier */
+  sessionId?: string;
+  /** Optional metadata */
+  metadata?: Record<string, unknown>;
+}
+/**
+ * Audit logger interface
+ */
+interface IAuditLogger {
+  /** Log an audit entry */
+  log(entry: Omit<AuditLogEntry, 'id' | 'timestamp'>): void;
+  /** Get all audit logs */
+  getLogs(): AuditLogEntry[];
+  /** Get audit logs filtered by operation type */
+  getLogsByOperation(operation: AuditLogEntry['operation']): AuditLogEntry[];
+  /** Get audit logs filtered by date range */
+  getLogsByDateRange(startDate: Date, endDate: Date): AuditLogEntry[];
+  /** Export audit logs as JSON */
+  exportAsJson(): string;
+  /** Export audit logs as CSV */
+  exportAsCsv(): string;
+  /** Clear all audit logs */
+  clear(): void;
+  /** Get audit statistics */
+  getStats(): AuditStats;
+}
+/**
+ * Audit statistics
+ */
+interface AuditStats {
+  /** Total number of operations */
+  totalOperations: number;
+  /** Total PII items detected */
+  totalPiiDetected: number;
+  /** Average processing time in milliseconds */
+  averageProcessingTime: number;
+  /** Most common PII types */
+  topPiiTypes: Array<{
+    type: string;
+    count: number;
+  }>;
+  /** Operations by type */
+  operationsByType: Record<string, number>;
+  /** Success rate (0-1) */
+  successRate: number;
+}
+/**
+ * Metrics for monitoring redaction operations
+ */
+interface RedactionMetrics {
+  /** Total number of redaction operations */
+  totalRedactions: number;
+  /** Total number of PII items detected */
+  totalPiiDetected: number;
+  /** Total processing time in milliseconds */
+  totalProcessingTime: number;
+  /** Average processing time in milliseconds */
+  averageProcessingTime: number;
+  /** Total text length processed (characters) */
+  totalTextLength: number;
+  /** PII detection counts by type */
+  piiByType: Record<string, number>;
+  /** Operation counts by redaction mode */
+  byRedactionMode: Record<string, number>;
+  /** Error count */
+  totalErrors: number;
+  /** Timestamp of last update */
+  lastUpdated: string;
+}
+/**
+ * Metrics exporter interface
+ */
+interface IMetricsExporter {
+  /** Export metrics in Prometheus format */
+  exportPrometheus(metrics: RedactionMetrics, prefix?: string): string;
+  /** Export metrics in StatsD format */
+  exportStatsD(metrics: RedactionMetrics, prefix?: string): string[];
+  /** Get current metrics snapshot */
+  getMetrics(): RedactionMetrics;
+  /** Reset all metrics */
+  reset(): void;
+}
+/**
+ * Metrics collector interface
+ */
+interface IMetricsCollector {
+  /** Record a redaction operation */
+  recordRedaction(result: DetectionResult, processingTimeMs: number, redactionMode: RedactionMode): void;
+  /** Record an error */
+  recordError(): void;
+  /** Get metrics exporter */
+  getExporter(): IMetricsExporter;
+}
+/**
+ * RBAC Permission - granular access control
+ */
+type Permission = 'pattern:read' | 'pattern:write' | 'pattern:delete' | 'detection:detect' | 'detection:redact' | 'detection:restore' | 'audit:read' | 'audit:export' | 'audit:delete' | 'metrics:read' | 'metrics:export' | 'metrics:reset' | 'config:read' | 'config:write';
+/**
+ * RBAC Role - collection of permissions
+ */
+interface Role {
+  /** Role identifier */
+  name: string;
+  /** Role description */
+  description?: string;
+  /** Permissions granted to this role */
+  permissions: Permission[];
+}
+/**
+ * Predefined role names
+ */
+type RoleName = 'admin' | 'analyst' | 'operator' | 'viewer' | 'custom';
+/**
+ * RBAC manager interface for access control
+ */
+interface IRBACManager {
+  /** Check if user has specific permission */
+  hasPermission(permission: Permission): boolean;
+  /** Check if user has all specified permissions */
+  hasAllPermissions(permissions: Permission[]): boolean;
+  /** Check if user has any of the specified permissions */
+  hasAnyPermission(permissions: Permission[]): boolean;
+  /** Get current role */
+  getRole(): Role;
+  /** Set role */
+  setRole(role: Role): void;
+  /** Get all permissions for current role */
+  getPermissions(): Permission[];
+  /** Filter patterns based on read permissions */
+  filterPatterns(patterns: PIIPattern[]): PIIPattern[];
+}
+//#endregion
+//#region src/document/types.d.ts
+/**
+ * Supported document formats
+ */
+type DocumentFormat = 'pdf' | 'docx' | 'txt' | 'image' | 'json' | 'csv' | 'xlsx';
+/**
+ * Supported image formats for OCR
+ */
+type ImageFormat = 'png' | 'jpg' | 'jpeg' | 'tiff' | 'bmp' | 'webp';
+/**
+ * OCR language codes (Tesseract format)
+ */
+type OCRLanguage = 'eng' | 'spa' | 'fra' | 'deu' | 'por' | 'ita' | 'rus' | 'chi_sim' | 'chi_tra' | 'jpn' | 'kor';
+/**
+ * OCR options
+ */
+interface OCROptions {
+  /** OCR language (default: 'eng' for English) */
+  language?: OCRLanguage | OCRLanguage[];
+  /** OCR engine mode (0-3, default: 3 for best accuracy) */
+  oem?: 0 | 1 | 2 | 3;
+  /** Page segmentation mode (0-13, default: 3 for automatic) */
+  psm?: number;
+}
+/**
+ * Document processing options
+ */
+interface DocumentOptions {
+  /** Document format (auto-detected if not specified) */
+  format?: DocumentFormat;
+  /** Extract text from specific pages (PDF only, 1-indexed) */
+  pages?: number[];
+  /** Password for encrypted PDFs */
+  password?: string;
+  /** Maximum document size in bytes (default: 50MB) */
+  maxSize?: number;
+  /** Enable OCR for image-based content (default: false) */
+  enableOCR?: boolean;
+  /** OCR configuration options */
+  ocrOptions?: OCROptions;
+}
+/**
+ * Document processing result
+ */
+interface DocumentResult {
+  /** Extracted text from document */
+  text: string;
+  /** Document metadata */
+  metadata: DocumentMetadata;
+  /** Detection result with PII findings */
+  detection: DetectionResult;
+  /** Original file size in bytes */
+  fileSize: number;
+  /** Text extraction time in milliseconds */
+  extractionTime: number;
+}
+/**
+ * Document metadata
+ */
+interface DocumentMetadata {
+  /** Document format */
+  format: DocumentFormat;
+  /** Number of pages (if applicable) */
+  pages?: number;
+  /** Document title */
+  title?: string;
+  /** Document author */
+  author?: string;
+  /** Creation date */
+  creationDate?: Date;
+  /** Last modified date */
+  modifiedDate?: Date;
+  /** OCR confidence (0-100) if OCR was used */
+  ocrConfidence?: number;
+  /** Whether OCR was used for extraction */
+  usedOCR?: boolean;
+  /** Additional custom metadata */
+  custom?: Record<string, unknown>;
+}
+/**
+ * OCR processor interface
+ */
+interface IOCRProcessor {
+  /** Extract text from image buffer using OCR */
+  recognizeText(buffer: Buffer, options?: OCROptions): Promise<OCRResult>;
+  /** Check if OCR is available (tesseract.js installed) */
+  isAvailable(): boolean;
+}
+/**
+ * OCR recognition result
+ */
+interface OCRResult {
+  /** Recognized text */
+  text: string;
+  /** Confidence score (0-100) */
+  confidence: number;
+  /** Processing time in milliseconds */
+  processingTime: number;
+}
+/**
+ * Document processor interface
+ */
+interface IDocumentProcessor {
+  /** Extract text from document buffer */
+  extractText(buffer: Buffer, options?: DocumentOptions): Promise<string>;
+  /** Get document metadata */
+  getMetadata(buffer: Buffer, options?: DocumentOptions): Promise<DocumentMetadata>;
+  /** Detect supported format from buffer */
+  detectFormat(buffer: Buffer): DocumentFormat | null;
+  /** Check if format is supported */
+  isFormatSupported(format: DocumentFormat): boolean;
+}
+//#endregion
+//#region src/learning/LocalLearningStore.d.ts
+interface WhitelistEntry {
+  pattern: string;
+  confidence: number;
+  occurrences: number;
+  firstSeen: number;
+  lastSeen: number;
+  contexts: string[];
+}
+interface PatternAdjustment {
+  type: string;
+  issue: string;
+  suggestion: string;
+  confidence: number;
+  examples: string[];
+  occurrences: number;
+}
+interface LearningStats {
+  totalDetections: number;
+  falsePositives: number;
+  falseNegatives: number;
+  accuracy: number;
+  lastUpdated: number;
+}
+interface LearningData {
+  version: string;
+  whitelist: WhitelistEntry[];
+  patternAdjustments: PatternAdjustment[];
+  stats: LearningStats;
+}
+declare class LocalLearningStore {
+  private filePath;
+  private data;
+  private autoSave;
+  private confidenceThreshold;
+  constructor(filePath?: string, options?: {
+    autoSave?: boolean;
+    confidenceThreshold?: number;
+  });
+  /**
+   * Load learning data from file
+   */
+  private load;
+  /**
+   * Save learning data to file
+   */
+  private save;
+  /**
+   * Record a false positive detection
+   */
+  recordFalsePositive(text: string, _type: string, context: string): void;
+  /**
+   * Record a false negative (missed detection)
+   */
+  recordFalseNegative(text: string, type: string, _context: string): void;
+  /**
+   * Record a correct detection
+   */
+  recordCorrectDetection(): void;
+  /**
+   * Update accuracy calculation
+   */
+  private updateAccuracy;
+  /**
+   * Get whitelist entries above confidence threshold
+   */
+  getWhitelist(): string[];
+  /**
+   * Get all whitelist entries with metadata
+   */
+  getWhitelistEntries(): WhitelistEntry[];
+  /**
+   * Get pattern adjustments above confidence threshold
+   */
+  getPatternAdjustments(): PatternAdjustment[];
+  /**
+   * Get all pattern adjustments
+   */
+  getAllPatternAdjustments(): PatternAdjustment[];
+  /**
+   * Get learning statistics
+   */
+  getStats(): LearningStats;
+  /**
+   * Get confidence score for a specific pattern
+   */
+  getConfidence(pattern: string): number;
+  /**
+   * Get occurrences count for a specific pattern
+   */
+  getOccurrences(pattern: string): number;
+  /**
+   * Manually add pattern to whitelist
+   */
+  addToWhitelist(pattern: string, confidence?: number): void;
+  /**
+   * Remove pattern from whitelist
+   */
+  removeFromWhitelist(pattern: string): void;
+  /**
+   * Clear all learning data
+   */
+  clear(): void;
+  /**
+   * Export learning data (for sharing)
+   */
+  export(options?: {
+    includeContexts?: boolean;
+    minConfidence?: number;
+  }): LearningData;
+  /**
+   * Import learning data (merge with existing)
+   */
+  import(data: LearningData, merge?: boolean): void;
+  /**
+   * Manually save data
+   */
+  flush(): void;
+}
+//#endregion
+//#region src/context/ContextRules.d.ts
+/**
+ * Proximity rule for context-based confidence adjustment
+ */
+interface ProximityRule {
+  /** Pattern type this rule applies to (e.g., 'EMAIL', 'PHONE', 'SSN') */
+  patternType: string | string[];
+  /** Keywords to look for near the match */
+  keywords: string[];
+  /** Maximum word distance from match (default: 10) */
+  proximityWindow?: number;
+  /** Confidence boost if keyword found (0-1) */
+  confidenceBoost?: number;
+  /** Confidence penalty if keyword found (0-1) */
+  confidencePenalty?: number;
+  /** Whether match must come AFTER keyword (default: both directions) */
+  keywordBefore?: boolean;
+  /** Whether match must come BEFORE keyword (default: both directions) */
+  keywordAfter?: boolean;
+  /** Rule description */
+  description?: string;
+}
+/**
+ * Domain-specific vocabulary for context detection
+ */
+interface DomainVocabulary {
+  /** Domain name */
+  domain: 'medical' | 'legal' | 'financial' | 'technical' | 'hr' | 'custom';
+  /** Domain-specific terms */
+  terms: string[];
+  /** Pattern types to boost in this domain */
+  boostPatterns?: string[];
+  /** Confidence boost amount (default: 0.15) */
+  boostAmount?: number;
+}
+/**
+ * Contextual rules configuration
+ */
+interface ContextRulesConfig {
+  /** Proximity rules */
+  proximityRules?: ProximityRule[];
+  /** Domain vocabularies */
+  domainVocabularies?: DomainVocabulary[];
+  /** Enable default rules (default: true) */
+  useDefaultRules?: boolean;
+}
+/**
+ * Default proximity rules for common PII patterns
+ */
+declare const DEFAULT_PROXIMITY_RULES: ProximityRule[];
+/**
+ * Default domain vocabularies
+ */
+declare const DEFAULT_DOMAIN_VOCABULARIES: DomainVocabulary[];
+/**
+ * Contextual Rules Engine
+ */
+declare class ContextRulesEngine {
+  private proximityRules;
+  private domainVocabularies;
+  constructor(config?: ContextRulesConfig);
+  /**
+   * Apply proximity rules to adjust confidence
+   */
+  applyProximityRules(match: PIIMatch, text: string): PIIMatch;
+  /**
+   * Apply domain vocabulary boosting
+   */
+  applyDomainBoosting(matches: PIIMatch[], text: string): PIIMatch[];
+  /**
+   * Check if keywords are within proximity window
+   */
+  private checkProximity;
+  /**
+   * Detect which domains the text belongs to
+   */
+  private detectDomains;
+  /**
+   * Add custom proximity rule
+   */
+  addProximityRule(rule: ProximityRule): void;
+  /**
+   * Add custom domain vocabulary
+   */
+  addDomainVocabulary(vocabulary: DomainVocabulary): void;
+  /**
+   * Get all proximity rules
+   */
+  getProximityRules(): ProximityRule[];
+  /**
+   * Get all domain vocabularies
+   */
+  getDomainVocabularies(): DomainVocabulary[];
+}
+/**
+ * Create a context rules engine instance
+ */
+declare function createContextRulesEngine(config?: ContextRulesConfig): ContextRulesEngine;
+//#endregion
+//#region src/context/ContextAnalyzer.d.ts
+/**
+ * Context Analysis for PII Detection
+ * Provides NLP-lite features to reduce false positives
+ */
+interface ContextAnalysis {
+  /** 5 words before detection */
+  beforeWords: string[];
+  /** 5 words after detection */
+  afterWords: string[];
+  /** Full sentence containing detection */
+  sentence: string;
+  /** Inferred document type */
+  documentType: 'email' | 'document' | 'code' | 'chat' | 'unknown';
+  /** Confidence that this is actual PII (0-1) */
+  confidence: number;
+}
+interface ContextFeatures {
+  /** Contains technical terms */
+  hasTechnicalContext: boolean;
+  /** Contains business/corporate terms */
+  hasBusinessContext: boolean;
+  /** Contains medical/healthcare terms */
+  hasMedicalContext: boolean;
+  /** Contains financial terms */
+  hasFinancialContext: boolean;
+  /** Contains example/test indicators */
+  hasExampleContext: boolean;
+  /** Position in document (0-1, 0 = start, 1 = end) */
+  relativePosition: number;
+}
+/**
+ * Extract context around a detection
+ */
+declare function extractContext(text: string, startPos: number, endPos: number, wordsBefore?: number, wordsAfter?: number): {
+  before: string;
+  after: string;
+  beforeWords: string[];
+  afterWords: string[];
+  sentence: string;
+};
+/**
+ * Infer document type from content
+ */
+declare function inferDocumentType(text: string): ContextAnalysis['documentType'];
+/**
+ * Extract context features for classification
+ */
+declare function analyzeContextFeatures(fullContext: string): ContextFeatures;
+/**
+ * Calculate confidence score for a detection based on context
+ */
+declare function calculateContextConfidence(_value: string, patternType: string, context: {
+  before: string;
+  after: string;
+  sentence: string;
+  documentType: ContextAnalysis['documentType'];
+  features: ContextFeatures;
+}): number;
+/**
+ * Perform full context analysis
+ */
+declare function analyzeFullContext(text: string, value: string, patternType: string, startPos: number, endPos: number): ContextAnalysis;
+//#endregion
+//#region src/explain/ExplainAPI.d.ts
+/**
+ * Pattern match result for explain
+ */
+interface PatternMatchResult {
+  /** Pattern that was tested */
+  pattern: PIIPattern;
+  /** Whether the pattern matched */
+  matched: boolean;
+  /** Matched value (if matched) */
+  matchedValue?: string;
+  /** Position of match (if matched) */
+  position?: [number, number];
+  /** Why it didn't match or was filtered */
+  reason?: string;
+  /** Validator result (if validator exists) */
+  validatorPassed?: boolean;
+  /** Context analysis (if enabled) */
+  contextAnalysis?: ContextAnalysis;
+  /** False positive check (if enabled) */
+  falsePositiveCheck?: {
+    isFalsePositive: boolean;
+    confidence: number;
+    reason?: string;
+  };
+}
+/**
+ * Explanation for a specific text
+ */
+interface TextExplanation {
+  /** Original text */
+  text: string;
+  /** All pattern match results */
+  patternResults: PatternMatchResult[];
+  /** Patterns that matched */
+  matchedPatterns: PatternMatchResult[];
+  /** Patterns that didn't match */
+  unmatchedPatterns: PatternMatchResult[];
+  /** Patterns that matched but were filtered */
+  filteredPatterns: PatternMatchResult[];
+  /** Final detections */
+  detections: PIIDetection[];
+  /** Summary statistics */
+  summary: {
+    totalPatternsChecked: number;
+    patternsMatched: number;
+    patternsFiltered: number;
+    finalDetections: number;
+  };
+}
+/**
+ * Explain API for debugging
+ */
+declare class ExplainAPI {
+  private detector;
+  private patterns;
+  private options;
+  constructor(detector: OpenRedaction);
+  /**
+   * Explain why text was or wasn't detected as PII
+   */
+  explain(text: string): Promise<TextExplanation>;
+  /**
+   * Explain a specific detection
+   */
+  explainDetection(detection: PIIDetection, text: string): Promise<{
+    detection: PIIDetection;
+    pattern?: PIIPattern;
+    contextAnalysis?: ContextAnalysis;
+    reasoning: string[];
+    suggestions: string[];
+  }>;
+  /**
+   * Suggest why text wasn't detected
+   */
+  suggestWhy(text: string, expectedType: string): Promise<{
+    text: string;
+    expectedType: string;
+    suggestions: string[];
+    similarPatterns: PIIPattern[];
+  }>;
+  /**
+   * Get debugging information for entire detection process
+   */
+  debug(text: string): Promise<{
+    text: string;
+    textLength: number;
+    enabledFeatures: string[];
+    patternCount: number;
+    explanation: TextExplanation;
+    performance: {
+      estimatedTime: string;
+    };
+  }>;
+}
+/**
+ * Helper to create explain API from detector
+ */
+declare function createExplainAPI(detector: OpenRedaction): ExplainAPI;
+//#endregion
+//#region src/reports/ReportGenerator.d.ts
+/**
+ * Report format options
+ */
+type ReportFormat = 'html' | 'markdown';
+/**
+ * Report type options
+ */
+type ReportType = 'summary' | 'detailed' | 'compliance';
+/**
+ * Report generation options
+ */
+interface ReportOptions {
+  /** Report format */
+  format: ReportFormat;
+  /** Report type */
+  type?: ReportType;
+  /** Report title */
+  title?: string;
+  /** Include original text (default: false for privacy) */
+  includeOriginalText?: boolean;
+  /** Include redacted text (default: true) */
+  includeRedactedText?: boolean;
+  /** Include detection details (default: true) */
+  includeDetectionDetails?: boolean;
+  /** Include statistics (default: true) */
+  includeStatistics?: boolean;
+  /** Include explanation (requires ExplainAPI, default: false) */
+  includeExplanation?: boolean;
+  /** Company/project name for compliance reports */
+  organizationName?: string;
+  /** Additional metadata */
+  metadata?: Record<string, string>;
+}
+/**
+ * Report generator for PII detection results
+ */
+declare class ReportGenerator {
+  constructor(_detector: OpenRedaction);
+  /**
+   * Generate a report from detection results
+   */
+  generate(result: DetectionResult, options: ReportOptions): string;
+  /**
+   * Generate HTML report
+   */
+  private generateHTML;
+  /**
+   * Generate Markdown report
+   */
+  private generateMarkdown;
+  /**
+   * Calculate statistics from detection results
+   */
+  private calculateStatistics;
+  /**
+   * Escape HTML special characters
+   */
+  private escapeHtml;
+}
+/**
+ * Helper to create report generator
+ */
+declare function createReportGenerator(detector: OpenRedaction): ReportGenerator;
+//#endregion
+//#region src/optimizer/PriorityOptimizer.d.ts
+interface PatternStats {
+  type: string;
+  totalDetections: number;
+  falsePositives: number;
+  falseNegatives: number;
+  accuracy: number;
+  priority: number;
+  adjustedPriority: number;
+}
+interface OptimizerOptions {
+  learningWeight: number;
+  minSampleSize: number;
+  maxPriorityAdjustment: number;
+}
+/**
+ * Priority Optimizer - Dynamically adjusts pattern priorities based on learning data
+ */
+declare class PriorityOptimizer {
+  private learningStore;
+  private options;
+  constructor(learningStore: LocalLearningStore, options?: Partial<OptimizerOptions>);
+  /**
+   * Optimize pattern priorities based on learning data
+   */
+  optimizePatterns(patterns: PIIPattern[]): PIIPattern[];
+  /**
+   * Get pattern statistics with learning data
+   */
+  getPatternStats(patterns: PIIPattern[]): PatternStats[];
+  /**
+   * Infer pattern type from a whitelisted value
+   * This is a heuristic - in production we'd track this explicitly
+   */
+  private inferPatternType;
+  /**
+   * Reset all priority adjustments
+   */
+  resetPriorities(patterns: PIIPattern[]): PIIPattern[];
+  /**
+   * Get optimizer configuration
+   */
+  getOptions(): OptimizerOptions;
+  /**
+   * Update optimizer configuration
+   */
+  setOptions(options: Partial<OptimizerOptions>): void;
+}
+/**
+ * Create a priority optimizer instance
+ */
+declare function createPriorityOptimizer(learningStore: LocalLearningStore, options?: Partial<OptimizerOptions>): PriorityOptimizer;
+//#endregion
+//#region src/detector.d.ts
+declare class OpenRedaction {
+  private patterns;
+  private compiledPatterns;
+  private options;
+  private multiPassConfig?;
+  private resultCache?;
+  private valueToPlaceholder;
+  private placeholderCounter;
+  private learningStore?;
+  private priorityOptimizer?;
+  private enableLearning;
+  private auditLogger?;
+  private auditUser?;
+  private auditSessionId?;
+  private auditMetadata?;
+  private metricsCollector?;
+  private rbacManager?;
+  private nerDetector?;
+  private contextRulesEngine?;
+  private severityClassifier;
+  constructor(options?: OpenRedactionOptions & {
+    configPath?: string;
+    enableLearning?: boolean;
+    learningStorePath?: string;
+    enablePriorityOptimization?: boolean;
+    optimizerOptions?: Partial<OptimizerOptions>;
+    enableNER?: boolean;
+    enableContextRules?: boolean;
+    contextRulesConfig?: ContextRulesConfig;
+    maxInputSize?: number;
+    regexTimeout?: number;
+  });
+  /**
+   * Create OpenRedaction instance from config file
+   */
+  static fromConfig(configPath?: string): Promise<OpenRedaction>;
+  /**
+   * Build the list of patterns based on options
+   * Supports three filtering modes (in order of priority):
+   * 1. Specific pattern types (patterns option)
+   * 2. Pattern categories (categories option) - NEW!
+   * 3. All patterns with type-specific filters (includeNames, etc.)
+   */
+  private buildPatternList;
+  /**
+   * Validate all patterns to prevent malicious regex injection
+   * ONLY validates custom patterns - built-in patterns are already vetted
+   * Timeout protection in safeExec() is the primary defense against ReDoS
+   */
+  private validatePatterns;
+  /**
+   * Pre-compile all regex patterns for performance
+   * Avoids creating new RegExp objects on every detect() call
+   */
+  private precompilePatterns;
+  /**
+   * Process patterns and detect PII
+   * Used by both single-pass and multi-pass detection
+   */
+  private processPatterns;
+  /**
+   * Detect PII in text
+   * Now async to support optional AI assist
+   */
+  detect(text: string): Promise<DetectionResult>;
+  /**
+   * Restore redacted text using redaction map
+   */
+  restore(redactedText: string, redactionMap: Record<string, string>): string;
+  /**
+   * Generate placeholder for a detected value
+   */
+  private generatePlaceholder;
+  /**
+   * Check if a range overlaps with existing detections
+   */
+  private overlapsWithExisting;
+  /**
+   * Escape special regex characters
+   */
+  private escapeRegex;
+  /**
+   * Get the list of active patterns
+   */
+  getPatterns(): PIIPattern[];
+  /**
+   * Get severity-based scan results
+   */
+  scan(text: string): Promise<{
+    high: PIIDetection[];
+    medium: PIIDetection[];
+    low: PIIDetection[];
+    total: number;
+  }>;
+  /**
+   * Record a false positive (incorrectly detected as PII)
+   */
+  recordFalsePositive(detection: PIIDetection, context?: string): void;
+  /**
+   * Record a false negative (missed PII that should have been detected)
+   */
+  recordFalseNegative(text: string, expectedType: string, context?: string): void;
+  /**
+   * Record a correct detection (for accuracy tracking)
+   */
+  recordCorrectDetection(): void;
+  /**
+   * Get learning statistics
+   */
+  getLearningStats(): LearningStats | null;
+  /**
+   * Get learned whitelist entries
+   */
+  getLearnedWhitelist(): WhitelistEntry[];
+  /**
+   * Get pattern adjustment suggestions
+   */
+  getPatternAdjustments(): PatternAdjustment[];
+  /**
+   * Export learned patterns for sharing
+   */
+  exportLearnings(options?: {
+    includeContexts?: boolean;
+    minConfidence?: number;
+  }): LearningData | null;
+  /**
+   * Import learned patterns from another source
+   */
+  importLearnings(data: any, merge?: boolean): void;
+  /**
+   * Manually add a term to the whitelist
+   */
+  addToWhitelist(pattern: string, confidence?: number): void;
+  /**
+   * Remove a term from the whitelist
+   */
+  removeFromWhitelist(pattern: string): void;
+  /**
+   * Get the learning store instance
+   */
+  getLearningStore(): LocalLearningStore | undefined;
+  /**
+   * Get the priority optimizer instance
+   */
+  getPriorityOptimizer(): PriorityOptimizer | undefined;
+  /**
+   * Optimize pattern priorities based on learning data
+   * Call this to re-optimize priorities after accumulating new learning data
+   */
+  optimizePriorities(): void;
+  /**
+   * Get pattern statistics with learning data
+   */
+  getPatternStats(): PatternStats[] | null;
+  /**
+   * Clear the result cache (if caching is enabled)
+   */
+  clearCache(): void;
+  /**
+   * Get cache statistics
+   */
+  getCacheStats(): {
+    size: number;
+    maxSize: number;
+    enabled: boolean;
+  };
+  /**
+   * Get the audit logger instance (if audit logging is enabled)
+   */
+  getAuditLogger(): IAuditLogger | undefined;
+  /**
+   * Get the metrics collector instance (if metrics collection is enabled)
+   */
+  getMetricsCollector(): IMetricsCollector | undefined;
+  /**
+   * Get the RBAC manager instance (if RBAC is enabled)
+   */
+  getRBACManager(): IRBACManager | undefined;
+  /**
+   * Create an explain API for debugging detections
+   */
+  explain(): ExplainAPI;
+  /**
+   * Generate a report from detection results
+   */
+  generateReport(result: DetectionResult, options: ReportOptions): string;
+  /**
+   * Export current configuration
+   */
+  exportConfig(metadata?: {
+    description?: string;
+    author?: string;
+    tags?: string[];
+  }): string;
+  /**
+   * Run health check
+   */
+  healthCheck(options?: {
+    testDetection?: boolean;
+    checkPerformance?: boolean;
+    performanceThreshold?: number;
+    memoryThreshold?: number;
+  }): Promise<any>;
+  /**
+   * Quick health check (minimal overhead)
+   */
+  quickHealthCheck(): Promise<{
+    status: 'healthy' | 'unhealthy';
+    message: string;
+  }>;
+  /**
+   * Detect PII in a document (PDF, DOCX, TXT)
+   * Requires optional peer dependencies:
+   * - pdf-parse for PDF support
+   * - mammoth for DOCX support
+   */
+  detectDocument(buffer: Buffer, options?: DocumentOptions): Promise<DocumentResult>;
+  /**
+   * Detect PII in a document file from filesystem
+   * Convenience method that reads file and calls detectDocument
+   */
+  detectDocumentFile(filePath: string, options?: DocumentOptions): Promise<DocumentResult>;
+  /**
+   * Batch detect PII in multiple texts using worker threads (parallel)
+   * Significantly faster for processing many texts
+   */
+  static detectBatch(texts: string[], options?: OpenRedactionOptions & {
+    numWorkers?: number;
+  }): Promise<DetectionResult[]>;
+  /**
+   * Batch process multiple documents using worker threads (parallel)
+   * Efficient for processing many documents at once
+   */
+  static detectDocumentsBatch(buffers: Buffer[], options?: DocumentOptions & {
+    numWorkers?: number;
+  }): Promise<DocumentResult[]>;
+}
+//#endregion
+//#region src/audit/AuditLogger.d.ts
+/**
+ * In-memory audit logger implementation
+ * Stores audit logs in memory with support for filtering, export, and statistics
+ */
+declare class InMemoryAuditLogger implements IAuditLogger {
+  private logs;
+  private maxLogs;
+  constructor(maxLogs?: number);
+  /**
+   * Log an audit entry
+   */
+  log(entry: Omit<AuditLogEntry, 'id' | 'timestamp'>): void;
+  /**
+   * Get all audit logs
+   */
+  getLogs(): AuditLogEntry[];
+  /**
+   * Get audit logs filtered by operation type
+   */
+  getLogsByOperation(operation: AuditLogEntry['operation']): AuditLogEntry[];
+  /**
+   * Get audit logs filtered by date range
+   */
+  getLogsByDateRange(startDate: Date, endDate: Date): AuditLogEntry[];
+  /**
+   * Export audit logs as JSON
+   */
+  exportAsJson(): string;
+  /**
+   * Export audit logs as CSV
+   */
+  exportAsCsv(): string;
+  /**
+   * Clear all audit logs
+   */
+  clear(): void;
+  /**
+   * Get audit statistics
+   */
+  getStats(): AuditStats;
+  /**
+   * Generate a unique ID for audit entries
+   */
+  private generateId;
+  /**
+   * Escape CSV values
+   */
+  private escapeCsv;
+}
+/**
+ * Console audit logger implementation
+ * Outputs audit logs to console (useful for debugging)
+ */
+declare class ConsoleAuditLogger implements IAuditLogger {
+  private delegate;
+  constructor(maxLogs?: number);
+  log(entry: Omit<AuditLogEntry, 'id' | 'timestamp'>): void;
+  getLogs(): AuditLogEntry[];
+  getLogsByOperation(operation: AuditLogEntry['operation']): AuditLogEntry[];
+  getLogsByDateRange(startDate: Date, endDate: Date): AuditLogEntry[];
+  exportAsJson(): string;
+  exportAsCsv(): string;
+  clear(): void;
+  getStats(): AuditStats;
+}
+//#endregion
+//#region src/audit/PersistentAuditLogger.d.ts
+/**
+ * Supported database backends
+ */
+type AuditBackend = 'sqlite' | 'postgresql' | 'mongodb' | 's3' | 'file';
+/**
+ * Database connection configuration
+ */
+interface AuditDatabaseConfig {
+  /** Backend type */
+  backend: AuditBackend;
+  /** Connection string (for PostgreSQL/MongoDB) */
+  connectionString?: string;
+  /** Database file path (for SQLite/file backend) */
+  filePath?: string;
+  /** S3 bucket configuration */
+  s3Config?: {
+    bucket: string;
+    region: string;
+    accessKeyId?: string;
+    secretAccessKey?: string;
+    prefix?: string;
+  };
+  /** Table/collection name (default: 'audit_logs') */
+  tableName?: string;
+  /** Enable compression (default: false) */
+  enableCompression?: boolean;
+  /** Batch size for bulk inserts (default: 100) */
+  batchSize?: number;
+}
+/**
+ * Retention policy configuration
+ */
+interface RetentionPolicy {
+  /** Maximum age of logs in days (default: 90) */
+  maxAgeDays?: number;
+  /** Maximum number of logs to keep (default: unlimited) */
+  maxLogs?: number;
+  /** Enable automatic cleanup (default: false) */
+  autoCleanup?: boolean;
+  /** Cleanup interval in hours (default: 24) */
+  cleanupIntervalHours?: number;
+}
+/**
+ * Persistent audit logger options
+ */
+interface PersistentAuditLoggerOptions {
+  /** Database configuration */
+  database: AuditDatabaseConfig;
+  /** Retention policy */
+  retention?: RetentionPolicy;
+  /** Enable cryptographic hashing for tamper detection (default: true) */
+  enableHashing?: boolean;
+  /** Hash algorithm (default: 'sha256') */
+  hashAlgorithm?: 'sha256' | 'sha512';
+  /** Enable write-ahead logging for crash recovery (default: true) */
+  enableWAL?: boolean;
+  /** Secret key for HMAC hashing (optional, recommended for production) */
+  secretKey?: string;
+}
+/**
+ * Audit log entry with cryptographic hash
+ */
+interface HashedAuditLogEntry extends AuditLogEntry {
+  /** Cryptographic hash of this entry */
+  hash: string;
+  /** Hash of previous entry for chain verification */
+  previousHash?: string;
+  /** Sequence number in the log chain */
+  sequence: number;
+}
+/**
+ * Audit database adapter interface
+ */
+interface IAuditDatabaseAdapter {
+  /** Initialize the database/table/collection */
+  initialize(): Promise<void>;
+  /** Insert a single log entry */
+  insert(entry: HashedAuditLogEntry): Promise<void>;
+  /** Batch insert multiple entries */
+  batchInsert(entries: HashedAuditLogEntry[]): Promise<void>;
+  /** Query logs with filters */
+  query(filter: AuditQueryFilter): Promise<HashedAuditLogEntry[]>;
+  /** Get total count of logs */
+  count(filter?: Partial<AuditQueryFilter>): Promise<number>;
+  /** Delete logs older than date */
+  deleteOlderThan(date: Date): Promise<number>;
+  /** Get the last log entry */
+  getLastEntry(): Promise<HashedAuditLogEntry | null>;
+  /** Verify log chain integrity */
+  verifyChain(startSequence?: number, endSequence?: number): Promise<{
+    valid: boolean;
+    brokenAt?: number;
+  }>;
+  /** Close connection */
+  close(): Promise<void>;
+}
+/**
+ * Audit query filter
+ */
+interface AuditQueryFilter {
+  /** Filter by operation type */
+  operation?: AuditLogEntry['operation'];
+  /** Filter by user */
+  user?: string;
+  /** Filter by session ID */
+  sessionId?: string;
+  /** Filter by date range (start) */
+  startDate?: Date;
+  /** Filter by date range (end) */
+  endDate?: Date;
+  /** Filter by success status */
+  success?: boolean;
+  /** Limit results */
+  limit?: number;
+  /** Offset for pagination */
+  offset?: number;
+  /** Sort order */
+  sort?: 'asc' | 'desc';
+}
+/**
+ * Persistent Audit Logger with cryptographic chain verification
+ */
+declare class PersistentAuditLogger implements IAuditLogger {
+  private adapter;
+  private options;
+  private batchBuffer;
+  private lastHash;
+  private sequence;
+  private cleanupTimer?;
+  private initialized;
+  constructor(options: PersistentAuditLoggerOptions);
+  /**
+   * Initialize the logger (must be called before use)
+   */
+  initialize(): Promise<void>;
+  /**
+   * Log an audit entry
+   */
+  log(entry: Omit<AuditLogEntry, 'id' | 'timestamp'>): void;
+  /**
+   * Get all audit logs
+   */
+  getLogs(): AuditLogEntry[];
+  /**
+   * Query logs with filters (async)
+   */
+  queryLogs(filter?: AuditQueryFilter): Promise<HashedAuditLogEntry[]>;
+  /**
+   * Get logs by operation type
+   */
+  getLogsByOperation(_operation: AuditLogEntry['operation']): AuditLogEntry[];
+  /**
+   * Get logs by date range
+   */
+  getLogsByDateRange(_startDate: Date, _endDate: Date): AuditLogEntry[];
+  /**
+   * Export logs as JSON
+   */
+  exportAsJson(): string;
+  /**
+   * Export logs as JSON (async)
+   */
+  exportAsJsonAsync(filter?: AuditQueryFilter): Promise<string>;
+  /**
+   * Export logs as CSV
+   */
+  exportAsCsv(): string;
+  /**
+   * Export logs as CSV (async)
+   */
+  exportAsCsvAsync(filter?: AuditQueryFilter): Promise<string>;
+  /**
+   * Clear all audit logs (dangerous!)
+   */
+  clear(): void;
+  /**
+   * Delete logs older than specified date
+   */
+  deleteOlderThan(date: Date): Promise<number>;
+  /**
+   * Get audit statistics
+   */
+  getStats(): AuditStats;
+  /**
+   * Get audit statistics (async)
+   */
+  getStatsAsync(filter?: AuditQueryFilter): Promise<AuditStats>;
+  /**
+   * Verify log chain integrity
+   */
+  verifyChainIntegrity(startSequence?: number, endSequence?: number): Promise<{
+    valid: boolean;
+    brokenAt?: number;
+    message: string;
+  }>;
+  /**
+   * Flush batch buffer to database
+   */
+  flushBatch(): Promise<void>;
+  /**
+   * Close the logger and flush any pending logs
+   */
+  close(): Promise<void>;
+  /**
+   * Create hashed entry with chain linking
+   */
+  private createHashedEntry;
+  /**
+   * Calculate cryptographic hash of entry
+   */
+  private calculateHash;
+  /**
+   * Generate unique ID
+   */
+  private generateId;
+  /**
+   * Create database adapter based on backend
+   */
+  private createAdapter;
+  /**
+   * Start automatic cleanup schedule
+   */
+  private startCleanupSchedule;
+  /**
+   * Run cleanup based on retention policy
+   */
+  private runCleanup;
+}
+/**
+ * Create a persistent audit logger
+ */
+declare function createPersistentAuditLogger(options: PersistentAuditLoggerOptions): PersistentAuditLogger;
+//#endregion
+//#region src/metrics/MetricsCollector.d.ts
+/**
+ * In-memory metrics collector and exporter
+ * Collects metrics and provides Prometheus and StatsD export formats
+ */
+declare class InMemoryMetricsCollector implements IMetricsCollector, IMetricsExporter {
+  private metrics;
+  constructor();
+  /**
+   * Create empty metrics object
+   */
+  private createEmptyMetrics;
+  /**
+   * Record a redaction operation
+   */
+  recordRedaction(result: DetectionResult, processingTimeMs: number, redactionMode: RedactionMode): void;
+  /**
+   * Record an error
+   */
+  recordError(): void;
+  /**
+   * Get metrics exporter
+   */
+  getExporter(): IMetricsExporter;
+  /**
+   * Get current metrics snapshot
+   */
+  getMetrics(): RedactionMetrics;
+  /**
+   * Reset all metrics
+   */
+  reset(): void;
+  /**
+   * Export metrics in Prometheus format
+   */
+  exportPrometheus(metrics?: RedactionMetrics, prefix?: string): string;
+  /**
+   * Export metrics in StatsD format
+   */
+  exportStatsD(metrics?: RedactionMetrics, prefix?: string): string[];
+}
+//#endregion
+//#region src/metrics/PrometheusServer.d.ts
+/**
+ * Prometheus server options
+ */
+interface PrometheusServerOptions {
+  /** Port to listen on (default: 9090) */
+  port?: number;
+  /** Host to bind to (default: '0.0.0.0') */
+  host?: string;
+  /** Metrics path (default: '/metrics') */
+  metricsPath?: string;
+  /** Metrics prefix (default: 'openredaction') */
+  prefix?: string;
+  /** Health check path (default: '/health') */
+  healthPath?: string;
+  /** Enable CORS (default: false) */
+  enableCors?: boolean;
+  /** Basic auth username (optional) */
+  username?: string;
+  /** Basic auth password (optional) */
+  password?: string;
+}
+/**
+ * Prometheus metrics HTTP server
+ * Provides a lightweight HTTP server for exposing metrics to Prometheus
+ */
+declare class PrometheusServer {
+  private server?;
+  private metricsCollector;
+  private options;
+  private isRunning;
+  private requestCount;
+  private lastScrapeTime?;
+  constructor(metricsCollector: IMetricsCollector, options?: PrometheusServerOptions);
+  /**
+   * Start the Prometheus metrics server
+   */
+  start(): Promise<void>;
+  /**
+   * Stop the server
+   */
+  stop(): Promise<void>;
+  /**
+   * Handle incoming HTTP requests
+   */
+  private handleRequest;
+  /**
+   * Handle /metrics endpoint
+   */
+  private handleMetrics;
+  /**
+   * Handle /health endpoint
+   */
+  private handleHealth;
+  /**
+   * Handle / root endpoint
+   */
+  private handleRoot;
+  /**
+   * Validate basic authentication
+   */
+  private validateAuth;
+  /**
+   * Get server-specific metrics in Prometheus format
+   */
+  private getServerMetrics;
+  /**
+   * Get server statistics
+   */
+  getStats(): {
+    isRunning: boolean;
+    requestCount: number;
+    lastScrapeTime?: Date;
+    uptime: number;
+    host: string;
+    port: number;
+    metricsPath: string;
+  };
+}
+/**
+ * Create a Prometheus server instance
+ */
+declare function createPrometheusServer(metricsCollector: IMetricsCollector, options?: PrometheusServerOptions): PrometheusServer;
+/**
+ * Example Grafana dashboard JSON for OpenRedaction metrics
+ * Can be imported directly into Grafana
+ */
+declare const GRAFANA_DASHBOARD_TEMPLATE: {
+  dashboard: {
+    title: string;
+    tags: string[];
+    timezone: string;
+    panels: {
+      id: number;
+      title: string;
+      type: string;
+      targets: {
+        expr: string;
+        legendFormat: string;
+      }[];
+    }[];
+  };
+};
+//#endregion
+//#region src/rbac/RBACManager.d.ts
+/**
+ * Default RBAC Manager implementation
+ * Provides role-based permission checking and pattern filtering
+ */
+declare class RBACManager implements IRBACManager {
+  private role;
+  constructor(role?: Role);
+  /**
+   * Check if current role has a specific permission
+   */
+  hasPermission(permission: Permission): boolean;
+  /**
+   * Check if current role has all specified permissions
+   */
+  hasAllPermissions(permissions: Permission[]): boolean;
+  /**
+   * Check if current role has any of the specified permissions
+   */
+  hasAnyPermission(permissions: Permission[]): boolean;
+  /**
+   * Get current role
+   */
+  getRole(): Role;
+  /**
+   * Set role (updates permissions)
+   */
+  setRole(role: Role): void;
+  /**
+   * Get all permissions for current role
+   */
+  getPermissions(): Permission[];
+  /**
+   * Filter patterns based on read permissions
+   * Returns empty array if user lacks pattern:read permission
+   */
+  filterPatterns(patterns: PIIPattern[]): PIIPattern[];
+}
+/**
+ * Create RBAC manager with predefined or custom role
+ */
+declare function createRBACManager(role: Role): RBACManager;
+//#endregion
+//#region src/rbac/roles.d.ts
+/**
+ * All available permissions
+ */
+declare const ALL_PERMISSIONS: Permission[];
+/**
+ * Admin role - full access to all operations
+ */
+declare const ADMIN_ROLE: Role;
+/**
+ * Analyst role - can perform analysis and read audit/metrics
+ */
+declare const ANALYST_ROLE: Role;
+/**
+ * Operator role - can perform detections and basic operations
+ */
+declare const OPERATOR_ROLE: Role;
+/**
+ * Viewer role - read-only access to patterns, audit logs, and metrics
+ */
+declare const VIEWER_ROLE: Role;
+/**
+ * Get predefined role by name
+ */
+declare function getPredefinedRole(roleName: string): Role | undefined;
+/**
+ * Create a custom role with specific permissions
+ */
+declare function createCustomRole(name: string, permissions: Permission[], description?: string): Role;
+//#endregion
+//#region src/document/OCRProcessor.d.ts
+/**
+ * OCR processor with optional Tesseract.js support
+ * Requires peer dependency: tesseract.js
+ */
+declare class OCRProcessor implements IOCRProcessor {
+  private tesseract?;
+  private scheduler?;
+  constructor();
+  /**
+   * Extract text from image buffer using OCR
+   */
+  recognizeText(buffer: Buffer, options?: OCROptions): Promise<OCRResult>;
+  /**
+   * Check if OCR is available (tesseract.js installed)
+   */
+  isAvailable(): boolean;
+  /**
+   * Create a scheduler for batch OCR processing
+   * More efficient for processing multiple images
+   */
+  createScheduler(workerCount?: number): Promise<any>;
+  /**
+   * Batch process multiple images
+   */
+  recognizeBatch(buffers: Buffer[], _options?: OCROptions): Promise<OCRResult[]>;
+  /**
+   * Terminate any running scheduler
+   */
+  cleanup(): Promise<void>;
+}
+/**
+ * Create an OCR processor instance
+ */
+declare function createOCRProcessor(): OCRProcessor;
+//#endregion
+//#region src/document/JsonProcessor.d.ts
+/**
+ * JSON processing options
+ */
+interface JsonProcessorOptions {
+  /** Maximum depth for nested object traversal (default: 100) */
+  maxDepth?: number;
+  /** Whether to scan object keys for PII (default: false) */
+  scanKeys?: boolean;
+  /** Field paths to always redact (e.g., ['user.password', 'auth.token']) */
+  alwaysRedact?: string[];
+  /** Field paths to never scan (e.g., ['metadata.id', 'timestamp']) */
+  skipPaths?: string[];
+  /** Field names that indicate PII (boost confidence) */
+  piiIndicatorKeys?: string[];
+  /** Preserve JSON structure in redacted output (default: true) */
+  preserveStructure?: boolean;
+}
+/**
+ * JSON detection result with path tracking
+ */
+interface JsonDetectionResult extends DetectionResult {
+  /** Paths where PII was detected (e.g., 'user.email', 'contacts[0].phone') */
+  pathsDetected: string[];
+  /** PII matches with path information */
+  matchesByPath: Record<string, PIIDetection[]>;
+}
+/**
+ * Processor for JSON documents
+ */
+declare class JsonProcessor {
+  private readonly defaultOptions;
+  /**
+   * Parse JSON from buffer or string
+   */
+  parse(input: Buffer | string): any;
+  /**
+   * Detect PII in JSON data
+   */
+  detect(data: any, detector: OpenRedaction, options?: JsonProcessorOptions): Promise<JsonDetectionResult>;
+  /**
+   * Redact PII in JSON data
+   */
+  redact(data: any, detectionResult: JsonDetectionResult, options?: JsonProcessorOptions): any;
+  /**
+   * Redact specific paths in JSON while preserving structure
+   */
+  private redactPreservingStructure;
+  /**
+   * Simple text-based redaction (fallback)
+   */
+  private redactText;
+  /**
+   * Traverse JSON structure and call callback for each value
+   */
+  private traverse;
+  /**
+   * Check if value is primitive (string, number, boolean)
+   */
+  private isPrimitive;
+  /**
+   * Check if path should be skipped
+   */
+  private shouldSkip;
+  /**
+   * Check if path should always be redacted
+   */
+  private shouldAlwaysRedact;
+  /**
+   * Boost confidence if key name indicates PII
+   */
+  private boostConfidenceFromKey;
+  /**
+   * Extract all text values from JSON for simple text-based detection
+   */
+  extractText(data: any, options?: JsonProcessorOptions): string;
+  /**
+   * Validate JSON buffer/string
+   */
+  isValid(input: Buffer | string): boolean;
+  /**
+   * Get JSON Lines (JSONL) support - split by newlines and parse each line
+   */
+  parseJsonLines(input: Buffer | string): any[];
+  /**
+   * Detect PII in JSON Lines format
+   */
+  detectJsonLines(input: Buffer | string, detector: OpenRedaction, options?: JsonProcessorOptions): Promise<JsonDetectionResult[]>;
+}
+/**
+ * Create a JSON processor instance
+ */
+declare function createJsonProcessor(): JsonProcessor;
+//#endregion
+//#region src/document/CsvProcessor.d.ts
+/**
+ * CSV processing options
+ */
+interface CsvProcessorOptions {
+  /** CSV delimiter (default: auto-detect from ',', '\t', ';', '|') */
+  delimiter?: string;
+  /** Whether CSV has header row (default: auto-detect) */
+  hasHeader?: boolean;
+  /** Quote character (default: '"') */
+  quote?: string;
+  /** Escape character (default: '"') */
+  escape?: string;
+  /** Skip empty lines (default: true) */
+  skipEmptyLines?: boolean;
+  /** Maximum rows to process (default: unlimited) */
+  maxRows?: number;
+  /** Column indices to always redact (0-indexed) */
+  alwaysRedactColumns?: number[];
+  /** Column names to always redact (requires hasHeader: true) */
+  alwaysRedactColumnNames?: string[];
+  /** Column indices to skip scanning (0-indexed) */
+  skipColumns?: number[];
+  /** Column names that indicate PII (boost confidence) */
+  piiIndicatorNames?: string[];
+  /** Treat first row as header for detection purposes */
+  treatFirstRowAsHeader?: boolean;
+}
+/**
+ * CSV detection result with column tracking
+ */
+interface CsvDetectionResult extends DetectionResult {
+  /** Total rows processed */
+  rowCount: number;
+  /** Column count */
+  columnCount: number;
+  /** Column headers (if detected) */
+  headers?: string[];
+  /** PII statistics by column index */
+  columnStats: Record<number, ColumnStats>;
+  /** PII matches by row and column */
+  matchesByCell: CellMatch[];
+  /** Original text */
+  original: string;
+  /** Redacted text */
+  redacted: string;
+  /** Array of detections */
+  detections: PIIDetection[];
+  /** Redaction map */
+  redactionMap: Record<string, string>;
+  /** Statistics */
+  stats?: {
+    processingTime?: number;
+    piiCount: number;
+  };
+}
+/**
+ * Column PII statistics
+ */
+interface ColumnStats {
+  /** Column index */
+  columnIndex: number;
+  /** Column name (if header available) */
+  columnName?: string;
+  /** Number of PII instances found */
+  piiCount: number;
+  /** Percentage of rows with PII (0-100) */
+  piiPercentage: number;
+  /** PII types found in this column */
+  piiTypes: string[];
+}
+/**
+ * Cell-level PII match
+ */
+interface CellMatch {
+  /** Row index (0-indexed, excluding header if present) */
+  row: number;
+  /** Column index (0-indexed) */
+  column: number;
+  /** Column name (if header available) */
+  columnName?: string;
+  /** Cell value */
+  value: string;
+  /** PII matches in this cell */
+  matches: PIIDetection[];
+}
+/**
+ * Parsed CSV row
+ */
+interface CsvRow {
+  /** Row index */
+  index: number;
+  /** Cell values */
+  values: string[];
+}
+/**
+ * CSV processor for tabular data
+ */
+declare class CsvProcessor {
+  private readonly defaultOptions;
+  /**
+   * Parse CSV from buffer or string
+   */
+  parse(input: Buffer | string, options?: CsvProcessorOptions): CsvRow[];
+  /**
+   * Detect PII in CSV data
+   */
+  detect(input: Buffer | string, detector: OpenRedaction, options?: CsvProcessorOptions): Promise<CsvDetectionResult>;
+  /**
+   * Redact PII in CSV data
+   */
+  redact(input: Buffer | string, detectionResult: CsvDetectionResult, options?: CsvProcessorOptions): string;
+  /**
+   * Parse a single CSV row
+   */
+  private parseRow;
+  /**
+   * Format a row as CSV
+   */
+  private formatRow;
+  /**
+   * Auto-detect CSV delimiter
+   */
+  private detectDelimiter;
+  /**
+   * Detect if first row is likely a header
+   */
+  private detectHeader;
+  /**
+   * Boost confidence if column name indicates PII
+   */
+  private boostConfidenceFromColumnName;
+  /**
+   * Extract all cell values as text
+   */
+  extractText(input: Buffer | string, options?: CsvProcessorOptions): string;
+  /**
+   * Get column statistics without full PII detection
+   */
+  getColumnInfo(input: Buffer | string, options?: CsvProcessorOptions): {
+    columnCount: number;
+    rowCount: number;
+    headers?: string[];
+    sampleRows: string[][];
+  };
+}
+/**
+ * Create a CSV processor instance
+ */
+declare function createCsvProcessor(): CsvProcessor;
+//#endregion
+//#region src/document/XlsxProcessor.d.ts
+/**
+ * XLSX processing options
+ */
+interface XlsxProcessorOptions {
+  /** Sheet names to process (default: all sheets) */
+  sheets?: string[];
+  /** Sheet indices to process (0-indexed, default: all sheets) */
+  sheetIndices?: number[];
+  /** Whether to treat first row as header (default: auto-detect) */
+  hasHeader?: boolean;
+  /** Maximum rows per sheet to process (default: unlimited) */
+  maxRows?: number;
+  /** Column indices to always redact (0-indexed) */
+  alwaysRedactColumns?: number[];
+  /** Column names to always redact (requires hasHeader: true) */
+  alwaysRedactColumnNames?: string[];
+  /** Column indices to skip scanning (0-indexed) */
+  skipColumns?: number[];
+  /** Column names that indicate PII (boost confidence) */
+  piiIndicatorNames?: string[];
+  /** Preserve cell formatting (default: true) */
+  preserveFormatting?: boolean;
+  /** Preserve formulas (default: true, redact values but keep formula) */
+  preserveFormulas?: boolean;
+}
+/**
+ * XLSX detection result with sheet and cell tracking
+ */
+interface XlsxDetectionResult extends DetectionResult {
+  /** Results by sheet */
+  sheetResults: SheetDetectionResult[];
+  /** Total sheets processed */
+  sheetCount: number;
+}
+/**
+ * Sheet-level detection result
+ */
+interface SheetDetectionResult {
+  /** Sheet name */
+  sheetName: string;
+  /** Sheet index */
+  sheetIndex: number;
+  /** Total rows in sheet */
+  rowCount: number;
+  /** Column count */
+  columnCount: number;
+  /** Column headers (if detected) */
+  headers?: string[];
+  /** Column statistics */
+  columnStats: Record<number, ColumnStats$1>;
+  /** Cell matches */
+  matchesByCell: CellMatch$1[];
+}
+/**
+ * Column PII statistics
+ */
+interface ColumnStats$1 {
+  /** Column index */
+  columnIndex: number;
+  /** Column letter (A, B, C, etc.) */
+  columnLetter: string;
+  /** Column name (if header available) */
+  columnName?: string;
+  /** Number of PII instances found */
+  piiCount: number;
+  /** Percentage of rows with PII (0-100) */
+  piiPercentage: number;
+  /** PII types found in this column */
+  piiTypes: string[];
+}
+/**
+ * Cell-level PII match
+ */
+interface CellMatch$1 {
+  /** Cell reference (e.g., 'A1', 'B5') */
+  cell: string;
+  /** Row index (1-indexed, Excel style) */
+  row: number;
+  /** Column index (0-indexed) */
+  column: number;
+  /** Column letter */
+  columnLetter: string;
+  /** Column name (if header available) */
+  columnName?: string;
+  /** Cell value */
+  value: string;
+  /** Cell formula (if any) */
+  formula?: string;
+  /** PII matches in this cell */
+  matches: PIIDetection[];
+}
+/**
+ * XLSX processor for spreadsheet data
+ */
+declare class XlsxProcessor {
+  private xlsx?;
+  private readonly defaultOptions;
+  constructor();
+  /**
+   * Check if XLSX support is available
+   */
+  isAvailable(): boolean;
+  /**
+   * Parse XLSX from buffer
+   */
+  parse(buffer: Buffer): any;
+  /**
+   * Detect PII in XLSX data
+   */
+  detect(buffer: Buffer, detector: OpenRedaction, options?: XlsxProcessorOptions): Promise<XlsxDetectionResult>;
+  /**
+   * Detect PII in a single sheet
+   */
+  private detectSheet;
+  /**
+   * Redact PII in XLSX data
+   */
+  redact(buffer: Buffer, detectionResult: XlsxDetectionResult, options?: XlsxProcessorOptions): Buffer;
+  /**
+   * Get cell value as string
+   */
+  private getCellValue;
+  /**
+   * Get row values
+   */
+  private getRowValues;
+  /**
+   * Detect if first row is likely a header
+   */
+  private detectHeader;
+  /**
+   * Convert column index to letter (0 = A, 25 = Z, 26 = AA)
+   */
+  private columnToLetter;
+  /**
+   * Get sheet names to process based on options
+   */
+  private getSheetNamesToProcess;
+  /**
+   * Boost confidence if column name indicates PII
+   */
+  private boostConfidenceFromColumnName;
+  /**
+   * Extract all cell values as text
+   */
+  extractText(buffer: Buffer, options?: XlsxProcessorOptions): string;
+  /**
+   * Get workbook metadata
+   */
+  getMetadata(buffer: Buffer): {
+    sheetNames: string[];
+    sheetCount: number;
+  };
+}
+/**
+ * Create an XLSX processor instance
+ */
+declare function createXlsxProcessor(): XlsxProcessor;
+//#endregion
+//#region src/document/DocumentProcessor.d.ts
+/**
+ * Document processor with optional PDF, DOCX, OCR, JSON, CSV, and XLSX support
+ * Requires peer dependencies:
+ * - pdf-parse (for PDF)
+ * - mammoth (for DOCX)
+ * - tesseract.js (for OCR/images)
+ * - xlsx (for Excel/XLSX)
+ */
+declare class DocumentProcessor implements IDocumentProcessor {
+  private pdfParse?;
+  private mammoth?;
+  private ocrProcessor;
+  private jsonProcessor;
+  private csvProcessor;
+  private xlsxProcessor;
+  constructor();
+  /**
+   * Extract text from document buffer
+   */
+  extractText(buffer: Buffer, options?: DocumentOptions): Promise<string>;
+  /**
+   * Get document metadata
+   */
+  getMetadata(buffer: Buffer, options?: DocumentOptions): Promise<DocumentMetadata>;
+  /**
+   * Detect document format from buffer
+   */
+  detectFormat(buffer: Buffer): DocumentFormat | null;
+  /**
+   * Check if format is supported
+   */
+  isFormatSupported(format: DocumentFormat): boolean;
+  /**
+   * Extract text from PDF
+   */
+  private extractPdfText;
+  /**
+   * Extract text from DOCX
+   */
+  private extractDocxText;
+  /**
+   * Get PDF metadata
+   */
+  private getPdfMetadata;
+  /**
+   * Get DOCX metadata
+   */
+  private getDocxMetadata;
+  /**
+   * Extract text from image using OCR
+   */
+  private extractImageText;
+  /**
+   * Get image metadata
+   */
+  private getImageMetadata;
+  /**
+   * Extract text from JSON
+   */
+  private extractJsonText;
+  /**
+   * Extract text from CSV
+   */
+  private extractCsvText;
+  /**
+   * Extract text from XLSX
+   */
+  private extractXlsxText;
+  /**
+   * Get JSON metadata
+   */
+  private getJsonMetadata;
+  /**
+   * Get CSV metadata
+   */
+  private getCsvMetadata;
+  /**
+   * Get XLSX metadata
+   */
+  private getXlsxMetadata;
+  /**
+   * Get OCR processor instance
+   */
+  getOCRProcessor(): OCRProcessor;
+  /**
+   * Get JSON processor instance
+   */
+  getJsonProcessor(): JsonProcessor;
+  /**
+   * Get CSV processor instance
+   */
+  getCsvProcessor(): CsvProcessor;
+  /**
+   * Get XLSX processor instance
+   */
+  getXlsxProcessor(): XlsxProcessor;
+}
+/**
+ * Create a document processor instance
+ */
+declare function createDocumentProcessor(): DocumentProcessor;
+//#endregion
+//#region src/patterns/personal.d.ts
+declare const personalPatterns: PIIPattern[];
+//#endregion
+//#region src/patterns/financial.d.ts
+declare const financialPatterns: PIIPattern[];
+//#endregion
+//#region src/patterns/government.d.ts
+declare const governmentPatterns: PIIPattern[];
+//#endregion
+//#region src/patterns/contact.d.ts
+declare const contactPatterns: PIIPattern[];
+//#endregion
+//#region src/patterns/network.d.ts
+declare const networkPatterns: PIIPattern[];
+//#endregion
+//#region src/patterns/index.d.ts
+/**
+ * All default PII patterns
+ */
+declare const allPatterns: PIIPattern[];
+/**
+ * Get patterns by category
+ */
+declare function getPatternsByCategory(category: string): PIIPattern[];
+//#endregion
+//#region src/validators/index.d.ts
+/**
+ * Validators for PII pattern matching
+ */
+/**
+ * Luhn algorithm validator for credit cards
+ * https://en.wikipedia.org/wiki/Luhn_algorithm
+ */
+declare function validateLuhn(cardNumber: string, _context?: string): boolean;
+/**
+ * IBAN validator with checksum verification
+ */
+declare function validateIBAN(iban: string, _context?: string): boolean;
+/**
+ * UK National Insurance Number validator
+ */
+declare function validateNINO(nino: string, _context?: string): boolean;
+/**
+ * UK NHS Number validator with checksum
+ */
+declare function validateNHS(nhs: string, _context?: string): boolean;
+/**
+ * UK Passport validator
+ */
+declare function validateUKPassport(passport: string, _context?: string): boolean;
+/**
+ * US Social Security Number validator (format check only)
+ */
+declare function validateSSN(ssn: string, _context?: string): boolean;
+/**
+ * UK Sort Code validator (format check)
+ */
+declare function validateSortCode(sortCode: string, _context?: string): boolean;
+/**
+ * Context-aware name validator to reduce false positives
+ */
+declare function validateName(name: string, context: string): boolean;
+/**
+ * Email validator with DNS check capability
+ */
+declare function validateEmail(email: string, _context?: string): boolean;
+//#endregion
+//#region src/utils/presets.d.ts
+/**
+ * GDPR compliance preset - European Union data protection
+ */
+declare const gdprPreset: Partial<OpenRedactionOptions>;
+/**
+ * HIPAA compliance preset - US healthcare data protection
+ */
+declare const hipaaPreset: Partial<OpenRedactionOptions>;
+/**
+ * CCPA compliance preset - California consumer privacy
+ */
+declare const ccpaPreset: Partial<OpenRedactionOptions>;
+/**
+ * Healthcare operations preset - provider-centric coverage
+ */
+declare const healthcarePreset: Partial<OpenRedactionOptions>;
+/**
+ * Healthcare research preset - clinical research and trials
+ */
+declare const healthcareResearchPreset: Partial<OpenRedactionOptions>;
+/**
+ * Financial services preset - banking, trading, and payments
+ */
+declare const financePreset: Partial<OpenRedactionOptions>;
+/**
+ * Education preset - FERPA-style coverage for schools and universities
+ */
+declare const educationPreset: Partial<OpenRedactionOptions>;
+/**
+ * Transportation and logistics preset - fleet, shipping, and mobility
+ */
+declare const transportLogisticsPreset: Partial<OpenRedactionOptions>;
+/**
+ * Get preset configuration by name
+ */
+declare function getPreset(name: string): Partial<OpenRedactionOptions>;
+//#endregion
+//#region src/config/ConfigLoader.d.ts
+interface OpenRedactionConfig extends OpenRedactionOptions {
+  extends?: string | string[];
+  learnedPatterns?: string;
+  learningOptions?: {
+    autoSave?: boolean;
+    confidenceThreshold?: number;
+  };
+}
+/**
+ * Load configuration from .openredaction.config.js
+ */
+declare class ConfigLoader {
+  private configPath;
+  private searchPaths;
+  constructor(configPath?: string, cwd?: string);
+  /**
+   * Find config file in search paths
+   */
+  private findConfigFile;
+  /**
+   * Load config file
+   */
+  load(): Promise<OpenRedactionConfig | null>;
+  /**
+   * Resolve presets and extends
+   */
+  resolveConfig(config: OpenRedactionConfig): OpenRedactionOptions;
+  /**
+   * Load built-in preset
+   */
+  private loadPreset;
+  /**
+   * Create a default config file
+   */
+  static createDefaultConfig(outputPath?: string): void;
+}
+//#endregion
+//#region src/ml/NERDetector.d.ts
+/**
+ * NER entity types supported
+ */
+type NEREntityType = 'PERSON' | 'ORGANIZATION' | 'PLACE' | 'DATE' | 'MONEY' | 'PHONE' | 'EMAIL' | 'URL';
+/**
+ * NER detection result
+ */
+interface NERMatch {
+  /** Entity type */
+  type: NEREntityType;
+  /** Matched text */
+  text: string;
+  /** Start position in text */
+  start: number;
+  /** End position in text */
+  end: number;
+  /** Confidence from NER (0-1) */
+  confidence: number;
+  /** Additional context */
+  context?: {
+    sentence?: string;
+    tags?: string[];
+  };
+}
+/**
+ * Hybrid detection result (regex + NER)
+ */
+interface HybridMatch extends PIIMatch {
+  /** Whether this match was confirmed by NER */
+  nerConfirmed: boolean;
+  /** NER confidence if confirmed */
+  nerConfidence?: number;
+}
+/**
+ * NER Detector using compromise.js
+ * Lightweight NLP library (7KB) for English text analysis
+ */
+declare class NERDetector {
+  private nlp?;
+  private available;
+  constructor();
+  /**
+   * Check if NER is available (compromise.js installed)
+   */
+  isAvailable(): boolean;
+  /**
+   * Detect named entities in text
+   */
+  detect(text: string): NERMatch[];
+  /**
+   * Check if a regex match is confirmed by NER
+   */
+  isConfirmedByNER(regexMatch: PIIMatch, nerMatches: NERMatch[]): {
+    confirmed: boolean;
+    confidence?: number;
+  };
+  /**
+   * Boost confidence of regex matches that are confirmed by NER
+   */
+  hybridDetection(regexMatches: PIIMatch[], text: string): HybridMatch[];
+  /**
+   * Calculate overlap between two ranges (0-1)
+   */
+  private calculateOverlap;
+  /**
+   * Remove duplicate NER matches
+   */
+  private deduplicateMatches;
+  /**
+   * Extract sentence containing the match
+   */
+  private getSentence;
+  /**
+   * Find start of sentence
+   */
+  private findSentenceStart;
+  /**
+   * Find end of sentence
+   */
+  private findSentenceEnd;
+  /**
+   * Extract additional NER-only detections (entities not caught by regex)
+   */
+  extractNEROnly(nerMatches: NERMatch[], regexMatches: PIIMatch[]): NERMatch[];
+}
+/**
+ * Create an NER detector instance
+ */
+declare function createNERDetector(): NERDetector;
+//#endregion
+//#region src/severity/SeverityClassifier.d.ts
+/**
+ * Severity level for PII types
+ */
+type SeverityLevel = 'critical' | 'high' | 'medium' | 'low';
+/**
+ * Severity classification with reasoning
+ */
+interface SeverityClassification {
+  /** Severity level */
+  level: SeverityLevel;
+  /** Numeric score (0-10) */
+  score: number;
+  /** Reasoning for classification */
+  reason?: string;
+}
+/**
+ * Risk score calculation result
+ */
+interface RiskScore {
+  /** Overall risk score (0-1) */
+  score: number;
+  /** Risk level */
+  level: 'very-high' | 'high' | 'medium' | 'low' | 'minimal';
+  /** Contributing factors */
+  factors: {
+    piiCount: number;
+    avgSeverity: number;
+    avgConfidence: number;
+    criticalCount: number;
+    highCount: number;
+  };
+}
+/**
+ * Default severity mappings by pattern type
+ */
+declare const DEFAULT_SEVERITY_MAP: Record<string, SeverityLevel>;
+/**
+ * Severity scores (for numeric calculations)
+ */
+declare const SEVERITY_SCORES: Record<SeverityLevel, number>;
+/**
+ * Severity Classifier
+ */
+declare class SeverityClassifier {
+  private severityMap;
+  constructor(customMap?: Record<string, SeverityLevel>);
+  /**
+   * Classify severity for a pattern type
+   */
+  classify(patternType: string): SeverityClassification;
+  /**
+   * Ensure pattern has severity assigned
+   */
+  ensurePatternSeverity(pattern: PIIPattern): PIIPattern;
+  /**
+   * Ensure all patterns have severity
+   */
+  ensureAllSeverity(patterns: PIIPattern[]): PIIPattern[];
+  /**
+   * Calculate risk score for a set of detections
+   */
+  calculateRiskScore(detections: PIIDetection[]): RiskScore;
+  /**
+   * Get severity for a pattern type
+   */
+  getSeverity(patternType: string): SeverityLevel;
+  /**
+   * Get severity score for a pattern type
+   */
+  getSeverityScore(patternType: string): number;
+  /**
+   * Add custom severity mapping
+   */
+  addSeverityMapping(patternType: string, severity: SeverityLevel): void;
+  /**
+   * Get all severity mappings
+   */
+  getSeverityMap(): Record<string, SeverityLevel>;
+  /**
+   * Filter detections by severity threshold
+   */
+  filterBySeverity(detections: PIIDetection[], minSeverity: SeverityLevel): PIIDetection[];
+  /**
+   * Group detections by severity
+   */
+  groupBySeverity(detections: PIIDetection[]): Record<SeverityLevel, PIIDetection[]>;
+}
+/**
+ * Create a severity classifier instance
+ */
+declare function createSeverityClassifier(customMap?: Record<string, SeverityLevel>): SeverityClassifier;
+/**
+ * Quick helper to get severity for a pattern type
+ */
+declare function getSeverity(patternType: string): SeverityLevel;
+/**
+ * Quick helper to calculate risk score
+ */
+declare function calculateRisk(detections: PIIDetection[]): RiskScore;
+//#endregion
+//#region src/filters/FalsePositiveFilter.d.ts
+/**
+ * False Positive Detection and Filtering
+ * Identifies and filters out common false positives
+ */
+interface FalsePositiveRule {
+  /** Pattern type this rule applies to */
+  patternType: string | string[];
+  /** Matching function */
+  matcher: (value: string, context: string) => boolean;
+  /** Description of the false positive */
+  description: string;
+  /** Severity of the false positive (how confident we are it's not PII) */
+  severity: 'high' | 'medium' | 'low';
+}
+/**
+ * Common false positive rules
+ */
+declare const commonFalsePositives: FalsePositiveRule[];
+/**
+ * Check if a detection is a false positive
+ */
+declare function isFalsePositive(value: string, patternType: string, context: string, rules?: FalsePositiveRule[]): {
+  isFalsePositive: boolean;
+  matchedRule?: FalsePositiveRule;
+  confidence: number;
+};
+/**
+ * Filter out false positives from detections
+ */
+declare function filterFalsePositives<T extends {
+  value: string;
+  type: string;
+}>(detections: T[], getText: (detection: T) => {
+  value: string;
+  context: string;
+}, threshold?: number): T[];
+//#endregion
+//#region src/multipass/MultiPassDetector.d.ts
+/**
+ * Detection pass configuration
+ */
+interface DetectionPass {
+  /** Pass name for debugging */
+  name: string;
+  /** Minimum priority for this pass */
+  minPriority: number;
+  /** Maximum priority for this pass */
+  maxPriority: number;
+  /** Pattern types to include (optional filter) */
+  includeTypes?: string[];
+  /** Pattern types to exclude (optional filter) */
+  excludeTypes?: string[];
+  /** Description of what this pass detects */
+  description: string;
+}
+/**
+ * Default multi-pass configuration
+ * Processes patterns in priority order from highest to lowest
+ */
+declare const defaultPasses: DetectionPass[];
+/**
+ * Group patterns into passes based on priority
+ */
+declare function groupPatternsByPass(patterns: PIIPattern[], passes?: DetectionPass[]): Map<string, PIIPattern[]>;
+/**
+ * Statistics for multi-pass detection
+ */
+interface MultiPassStats {
+  /** Total passes executed */
+  totalPasses: number;
+  /** Detections per pass */
+  detectionsPerPass: Map<string, number>;
+  /** Patterns processed per pass */
+  patternsPerPass: Map<string, number>;
+  /** Time spent per pass (ms) */
+  timePerPass: Map<string, number>;
+  /** Total processing time (ms) */
+  totalTime: number;
+}
+/**
+ * Merge detections from multiple passes
+ * Earlier passes (higher priority) take precedence for overlapping ranges
+ */
+declare function mergePassDetections(passDetections: Map<string, PIIDetection[]>, passes: DetectionPass[]): PIIDetection[];
+/**
+ * Create a simple multi-pass configuration for common use cases
+ */
+declare function createSimpleMultiPass(options?: {
+  /** Number of passes (2-5, default: 3) */numPasses?: number; /** Prioritize credentials first */
+  prioritizeCredentials?: boolean;
+}): DetectionPass[];
+//#endregion
+//#region src/streaming/StreamingDetector.d.ts
+/**
+ * Chunk result for streaming detection
+ */
+interface ChunkResult {
+  /** Chunk index */
+  chunkIndex: number;
+  /** Detections found in this chunk */
+  detections: PIIDetection[];
+  /** Redacted chunk text */
+  redactedChunk: string;
+  /** Original chunk text */
+  originalChunk: string;
+  /** Byte offset of this chunk in the original document */
+  byteOffset: number;
+}
+/**
+ * Streaming detection options
+ */
+interface StreamingOptions {
+  /** Chunk size in characters (default: 2048) */
+  chunkSize?: number;
+  /** Overlap between chunks to catch patterns at boundaries (default: 100) */
+  overlap?: number;
+  /** Enable progressive redaction (default: true) */
+  progressiveRedaction?: boolean;
+}
+/**
+ * Streaming detector for large documents
+ */
+declare class StreamingDetector {
+  private detector;
+  private options;
+  constructor(detector: OpenRedaction, options?: StreamingOptions);
+  /**
+   * Process a large text in chunks
+   * Returns an async generator that yields chunk results
+   */
+  processStream(text: string): AsyncGenerator<ChunkResult, void, undefined>;
+  /**
+   * Process entire stream and collect all results
+   */
+  processComplete(text: string): Promise<DetectionResult>;
+  /**
+   * Process a file stream (Node.js only)
+   */
+  processFileStream(readableStream: ReadableStream<Uint8Array> | NodeJS.ReadableStream): AsyncGenerator<ChunkResult, void, undefined>;
+  /**
+   * Get chunk statistics
+   */
+  getChunkStats(textLength: number): {
+    numChunks: number;
+    chunkSize: number;
+    overlap: number;
+    estimatedMemory: number;
+  };
+  private escapeRegex;
+}
+/**
+ * Helper to create a streaming detector from OpenRedaction instance
+ */
+declare function createStreamingDetector(detector: OpenRedaction, options?: StreamingOptions): StreamingDetector;
+//#endregion
+//#region src/workers/types.d.ts
+/**
+ * Worker task for text detection
+ */
+interface DetectTask {
+  type: 'detect';
+  id: string;
+  text: string;
+  options?: OpenRedactionOptions;
+}
+/**
+ * Worker task for document processing
+ */
+interface DocumentTask {
+  type: 'document';
+  id: string;
+  buffer: Buffer;
+  options?: any;
+}
+/**
+ * Worker task union type
+ */
+type WorkerTask = DetectTask | DocumentTask;
+/**
+ * Worker result
+ */
+interface WorkerResult {
+  id: string;
+  result: DetectionResult | any;
+  error?: string;
+  processingTime: number;
+}
+/**
+ * Worker pool configuration
+ */
+interface WorkerPoolConfig {
+  /** Number of worker threads (default: CPU count) */
+  numWorkers?: number;
+  /** Maximum queue size (default: 100) */
+  maxQueueSize?: number;
+  /** Worker idle timeout in ms (default: 30000) */
+  idleTimeout?: number;
+}
+/**
+ * Worker pool statistics
+ */
+interface WorkerPoolStats {
+  /** Number of active workers */
+  activeWorkers: number;
+  /** Number of idle workers */
+  idleWorkers: number;
+  /** Current queue size */
+  queueSize: number;
+  /** Total tasks processed */
+  totalProcessed: number;
+  /** Total errors */
+  totalErrors: number;
+  /** Average processing time */
+  avgProcessingTime: number;
+}
+//#endregion
+//#region src/workers/WorkerPool.d.ts
+/**
+ * Worker pool for parallel text detection and document processing
+ */
+declare class WorkerPool {
+  private workers;
+  private availableWorkers;
+  private taskQueue;
+  private config;
+  private stats;
+  private workerPath;
+  private totalProcessingTime;
+  constructor(config?: WorkerPoolConfig);
+  /**
+   * Initialize worker pool
+   */
+  initialize(): Promise<void>;
+  /**
+   * Create a new worker
+   */
+  private createWorker;
+  /**
+   * Execute a task on the worker pool
+   */
+  execute<T = any>(task: WorkerTask): Promise<T>;
+  /**
+   * Process task queue
+   */
+  private processQueue;
+  /**
+   * Handle worker result
+   */
+  private handleWorkerResult;
+  /**
+   * Remove worker from pool
+   */
+  private removeWorker;
+  /**
+   * Get pool statistics
+   */
+  getStats(): WorkerPoolStats;
+  /**
+   * Terminate all workers
+   */
+  terminate(): Promise<void>;
+}
+/**
+ * Create a worker pool instance
+ */
+declare function createWorkerPool(config?: WorkerPoolConfig): WorkerPool;
+//#endregion
+//#region src/batch/BatchProcessor.d.ts
+/**
+ * Batch processing options
+ */
+interface BatchOptions {
+  /** Enable parallel processing (default: false) */
+  parallel?: boolean;
+  /** Maximum concurrency for parallel processing (default: 4) */
+  maxConcurrency?: number;
+  /** Progress callback */
+  onProgress?: (completed: number, total: number) => void;
+}
+/**
+ * Batch processing result
+ */
+interface BatchResult {
+  /** Individual results for each document */
+  results: DetectionResult[];
+  /** Total processing stats */
+  stats: {
+    /** Total documents processed */totalDocuments: number; /** Total PII detections across all documents */
+    totalDetections: number; /** Total processing time in milliseconds */
+    totalTime: number; /** Average time per document */
+    avgTimePerDocument: number;
+  };
+}
+/**
+ * Batch processor for processing multiple documents
+ */
+declare class BatchProcessor {
+  private detector;
+  constructor(detector: OpenRedaction);
+  /**
+   * Process multiple documents sequentially
+   */
+  processSequential(documents: string[], options?: BatchOptions): Promise<BatchResult>;
+  /**
+   * Process multiple documents in parallel
+   */
+  processParallel(documents: string[], options?: BatchOptions): Promise<BatchResult>;
+  /**
+   * Process multiple documents (automatically chooses sequential or parallel)
+   */
+  process(documents: string[], options?: BatchOptions): Promise<BatchResult>;
+  /**
+   * Process documents with automatic batching
+   * Useful for very large arrays of documents
+   */
+  processStream(documents: string[], batchSize?: number): AsyncGenerator<DetectionResult, void, undefined>;
+  /**
+   * Get aggregated statistics across multiple results
+   */
+  getAggregatedStats(results: DetectionResult[]): {
+    totalDetections: number;
+    detectionsByType: Record<string, number>;
+    detectionsBySeverity: Record<string, number>;
+    avgConfidence: number;
+  };
+}
+/**
+ * Helper to create a batch processor
+ */
+declare function createBatchProcessor(detector: OpenRedaction): BatchProcessor;
+//#endregion
+//#region src/integrations/express.d.ts
+/**
+ * Middleware options
+ */
+interface OpenRedactionMiddlewareOptions extends OpenRedactionOptions {
+  /** Auto-redact request body (default: false) */
+  autoRedact?: boolean;
+  /** Fields to check in request body (default: all) */
+  fields?: string[];
+  /** Skip detection for certain routes (regex patterns) */
+  skipRoutes?: RegExp[];
+  /** Add PII detection results to request object (default: true) */
+  attachResults?: boolean;
+  /** Custom handler for PII detection */
+  onDetection?: (req: Request, result: DetectionResult) => void;
+  /** Fail request if PII detected (default: false) */
+  failOnPII?: boolean;
+  /** Add response headers with PII info (default: false) */
+  addHeaders?: boolean;
+}
+/**
+ * Extended Express Request with PII detection results
+ */
+interface OpenRedactionRequest extends Request {
+  pii?: {
+    detected: boolean;
+    count: number;
+    result: DetectionResult;
+    redacted?: any;
+  };
+}
+/**
+ * Create Express middleware for PII detection
+ */
+declare function openredactionMiddleware(options?: OpenRedactionMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+/**
+ * Express route handler for PII detection
+ */
+declare function detectPII(options?: OpenRedactionOptions): (req: Request, res: Response) => Promise<void>;
+/**
+ * Express route handler for generating reports
+ */
+declare function generateReport(options?: OpenRedactionOptions): (req: Request, res: Response) => Promise<void>;
+//#endregion
+//#region src/errors/OpenRedactionError.d.ts
+/**
+ * Custom error class for OpenRedaction with helpful messages and suggestions
+ */
+interface ErrorSuggestion {
+  message: string;
+  code?: string;
+  docs?: string;
+}
+declare class OpenRedactionError extends Error {
+  code: string;
+  suggestion?: ErrorSuggestion;
+  context?: Record<string, unknown>;
+  constructor(message: string, code?: string, suggestion?: ErrorSuggestion, context?: Record<string, unknown>);
+  /**
+   * Get formatted error message with suggestions
+   */
+  getFormattedMessage(): string;
+}
+/**
+ * Factory functions for common error scenarios
+ */
+declare function createInvalidPatternError(patternType: string, reason: string): OpenRedactionError;
+declare function createValidationError(value: string, patternType: string): OpenRedactionError;
+declare function createHighMemoryError(textSize: number): OpenRedactionError;
+declare function createConfigLoadError(path: string, reason: string): OpenRedactionError;
+declare function createLearningDisabledError(): OpenRedactionError;
+declare function createOptimizationDisabledError(): OpenRedactionError;
+declare function createMultiPassDisabledError(): OpenRedactionError;
+declare function createCacheDisabledError(): OpenRedactionError;
+//#endregion
+//#region src/tenancy/TenantManager.d.ts
+/**
+ * Tenant configuration
+ */
+interface TenantConfig {
+  /** Tenant unique identifier */
+  tenantId: string;
+  /** Tenant display name */
+  name: string;
+  /** Tenant-specific OpenRedaction options */
+  options?: OpenRedactionOptions;
+  /** Tenant-specific custom patterns */
+  customPatterns?: PIIPattern[];
+  /** Tenant-specific whitelist */
+  whitelist?: string[];
+  /** Tenant quota limits */
+  quotas?: TenantQuotas;
+  /** Tenant API key (for authentication) */
+  apiKey?: string;
+  /** Tenant metadata */
+  metadata?: Record<string, unknown>;
+  /** Tenant status */
+  status: 'active' | 'suspended' | 'trial';
+  /** Trial expiry date (for trial tenants) */
+  trialExpiresAt?: Date;
+  /** Created timestamp */
+  createdAt: Date;
+  /** Last updated timestamp */
+  updatedAt: Date;
+}
+/**
+ * Tenant quota limits
+ */
+interface TenantQuotas {
+  /** Maximum requests per month (undefined = unlimited) */
+  maxRequestsPerMonth?: number;
+  /** Maximum text length per request (characters) */
+  maxTextLength?: number;
+  /** Maximum patterns allowed */
+  maxPatterns?: number;
+  /** Maximum audit logs to retain */
+  maxAuditLogs?: number;
+  /** Rate limit: requests per minute */
+  rateLimit?: number;
+}
+/**
+ * Tenant usage statistics
+ */
+interface TenantUsage {
+  /** Tenant ID */
+  tenantId: string;
+  /** Total requests this month */
+  requestsThisMonth: number;
+  /** Total text processed this month (characters) */
+  textProcessedThisMonth: number;
+  /** Total PII detected this month */
+  piiDetectedThisMonth: number;
+  /** Last request timestamp */
+  lastRequestAt?: Date;
+  /** Monthly usage reset date */
+  monthlyResetDate: Date;
+}
+/**
+ * Tenant quota exceeded error
+ */
+declare class TenantQuotaExceededError extends Error {
+  tenantId: string;
+  quota: string;
+  limit: number;
+  current: number;
+  constructor(tenantId: string, quota: string, limit: number, current: number);
+}
+/**
+ * Tenant not found error
+ */
+declare class TenantNotFoundError extends Error {
+  tenantId: string;
+  constructor(tenantId: string);
+}
+/**
+ * Tenant suspended error
+ */
+declare class TenantSuspendedError extends Error {
+  tenantId: string;
+  constructor(tenantId: string);
+}
+/**
+ * Multi-tenant manager for SaaS deployments
+ */
+declare class TenantManager {
+  private tenants;
+  private usage;
+  private detectors;
+  private rateLimitTracking;
+  private auditLoggers;
+  private metricsCollectors;
+  /**
+   * Register a new tenant
+   */
+  registerTenant(config: Omit<TenantConfig, 'createdAt' | 'updatedAt'>): TenantConfig;
+  /**
+   * Update tenant configuration
+   */
+  updateTenant(tenantId: string, updates: Partial<Omit<TenantConfig, 'tenantId' | 'createdAt'>>): TenantConfig;
+  /**
+   * Get tenant configuration
+   */
+  getTenantConfig(tenantId: string): TenantConfig;
+  /**
+   * Get or create tenant-specific detector instance
+   */
+  getDetector(tenantId: string): OpenRedaction;
+  /**
+   * Perform detection with tenant isolation and quota checks
+   */
+  detect(tenantId: string, text: string): Promise<any>;
+  /**
+   * Validate tenant status (active, trial expiry)
+   */
+  private validateTenantStatus;
+  /**
+   * Check tenant quotas before processing
+   */
+  private checkQuotas;
+  /**
+   * Track request for usage and rate limiting
+   */
+  private trackRequest;
+  /**
+   * Get number of requests in last minute
+   */
+  private getRequestsInLastMinute;
+  /**
+   * Reset monthly usage statistics
+   */
+  private resetMonthlyUsage;
+  /**
+   * Get next monthly reset date (1st of next month)
+   */
+  private getNextMonthlyResetDate;
+  /**
+   * Get tenant usage statistics
+   */
+  getTenantUsage(tenantId: string): TenantUsage;
+  /**
+   * Get all tenants
+   */
+  getAllTenants(): TenantConfig[];
+  /**
+   * Get tenants by status
+   */
+  getTenantsByStatus(status: TenantConfig['status']): TenantConfig[];
+  /**
+   * Authenticate tenant by API key
+   */
+  authenticateByApiKey(apiKey: string): TenantConfig | null;
+  /**
+   * Suspend a tenant
+   */
+  suspendTenant(tenantId: string): void;
+  /**
+   * Activate a tenant
+   */
+  activateTenant(tenantId: string): void;
+  /**
+   * Delete a tenant and all associated data
+   */
+  deleteTenant(tenantId: string): void;
+  /**
+   * Set tenant-specific audit logger
+   */
+  setAuditLogger(tenantId: string, logger: IAuditLogger): void;
+  /**
+   * Get tenant-specific audit logger
+   */
+  getAuditLogger(tenantId: string): IAuditLogger | undefined;
+  /**
+   * Set tenant-specific metrics collector
+   */
+  setMetricsCollector(tenantId: string, collector: IMetricsCollector): void;
+  /**
+   * Get tenant-specific metrics collector
+   */
+  getMetricsCollector(tenantId: string): IMetricsCollector | undefined;
+  /**
+   * Get aggregate statistics across all tenants
+   */
+  getAggregateStats(): {
+    totalTenants: number;
+    activeTenants: number;
+    trialTenants: number;
+    suspendedTenants: number;
+    totalRequestsThisMonth: number;
+    totalTextProcessedThisMonth: number;
+    totalPiiDetectedThisMonth: number;
+  };
+  /**
+   * Validate tenant exists
+   */
+  private validateTenantExists;
+  /**
+   * Export tenant configuration as JSON
+   */
+  exportTenantConfig(tenantId: string): string;
+  /**
+   * Import tenant configuration from JSON
+   */
+  importTenantConfig(json: string): TenantConfig;
+}
+/**
+ * Create a tenant manager instance
+ */
+declare function createTenantManager(): TenantManager;
+/**
+ * Default tenant quotas for different tiers
+ */
+declare const DEFAULT_TIER_QUOTAS: {
+  readonly free: {
+    readonly maxRequestsPerMonth: 1000;
+    readonly maxTextLength: 10000;
+    readonly maxPatterns: 10;
+    readonly maxAuditLogs: 100;
+    readonly rateLimit: 10;
+  };
+  readonly starter: {
+    readonly maxRequestsPerMonth: 10000;
+    readonly maxTextLength: 50000;
+    readonly maxPatterns: 50;
+    readonly maxAuditLogs: 1000;
+    readonly rateLimit: 50;
+  };
+  readonly professional: {
+    readonly maxRequestsPerMonth: 100000;
+    readonly maxTextLength: 100000;
+    readonly maxPatterns: 200;
+    readonly maxAuditLogs: 10000;
+    readonly rateLimit: 200;
+  };
+  readonly enterprise: {
+    readonly maxRequestsPerMonth: undefined;
+    readonly maxTextLength: undefined;
+    readonly maxPatterns: undefined;
+    readonly maxAuditLogs: undefined;
+    readonly rateLimit: undefined;
+  };
+};
+//#endregion
+//#region src/webhooks/WebhookManager.d.ts
+/**
+ * Webhook event types
+ */
+type WebhookEventType = 'pii.detected.high_risk' | 'pii.detected.bulk' | 'pii.processing.failed' | 'pii.processing.slow' | 'quota.exceeded' | 'tenant.suspended' | 'audit.tamper_detected' | 'custom';
+/**
+ * Webhook event payload
+ */
+interface WebhookEvent {
+  /** Event unique ID */
+  id: string;
+  /** Event type */
+  type: WebhookEventType;
+  /** Event timestamp (ISO 8601) */
+  timestamp: string;
+  /** Event severity */
+  severity: 'critical' | 'high' | 'medium' | 'low' | 'info';
+  /** Event data */
+  data: Record<string, unknown>;
+  /** Source identifier (e.g., tenant ID) */
+  source?: string;
+  /** Custom metadata */
+  metadata?: Record<string, unknown>;
+}
+/**
+ * Webhook configuration
+ */
+interface WebhookConfig {
+  /** Webhook unique ID */
+  id: string;
+  /** Webhook URL to POST events to */
+  url: string;
+  /** Event types to subscribe to (empty = all events) */
+  events?: WebhookEventType[];
+  /** Minimum severity to trigger webhook */
+  minSeverity?: 'critical' | 'high' | 'medium' | 'low' | 'info';
+  /** Custom headers to include in requests */
+  headers?: Record<string, string>;
+  /** Secret for HMAC signature (optional but recommended) */
+  secret?: string;
+  /** Enable webhook (default: true) */
+  enabled?: boolean;
+  /** Retry configuration */
+  retry?: {
+    /** Maximum retry attempts (default: 3) */maxAttempts?: number; /** Initial delay in ms (default: 1000) */
+    initialDelay?: number; /** Maximum delay in ms (default: 60000) */
+    maxDelay?: number; /** Backoff multiplier (default: 2) */
+    backoffMultiplier?: number;
+  };
+  /** Timeout in ms (default: 5000) */
+  timeout?: number;
+  /** Tenant ID (for multi-tenant setups) */
+  tenantId?: string;
+}
+/**
+ * Webhook delivery status
+ */
+type WebhookDeliveryStatus = 'pending' | 'success' | 'failed' | 'circuit_open';
+/**
+ * Webhook delivery record
+ */
+interface WebhookDelivery {
+  /** Delivery ID */
+  id: string;
+  /** Webhook ID */
+  webhookId: string;
+  /** Event that was delivered */
+  event: WebhookEvent;
+  /** Delivery status */
+  status: WebhookDeliveryStatus;
+  /** HTTP status code */
+  statusCode?: number;
+  /** Delivery timestamp */
+  timestamp: Date;
+  /** Attempt number */
+  attempt: number;
+  /** Error message if failed */
+  error?: string;
+  /** Response body */
+  responseBody?: string;
+  /** Delivery duration in ms */
+  durationMs?: number;
+}
+/**
+ * Webhook statistics
+ */
+interface WebhookStats {
+  /** Webhook ID */
+  webhookId: string;
+  /** Total deliveries */
+  totalDeliveries: number;
+  /** Successful deliveries */
+  successfulDeliveries: number;
+  /** Failed deliveries */
+  failedDeliveries: number;
+  /** Average delivery time in ms */
+  avgDeliveryTimeMs: number;
+  /** Last delivery time */
+  lastDeliveryTime?: Date;
+  /** Circuit breaker state */
+  circuitState: 'closed' | 'open' | 'half_open';
+}
+/**
+ * Webhook Manager
+ * Manages webhook subscriptions, delivery, retries, and circuit breaking
+ */
+declare class WebhookManager {
+  private webhooks;
+  private deliveryHistory;
+  private circuitBreakers;
+  private pendingRetries;
+  private maxHistorySize;
+  private readonly FAILURE_THRESHOLD;
+  private readonly RESET_TIMEOUT_MS;
+  constructor(options?: {
+    maxHistorySize?: number;
+  });
+  /**
+   * Register a webhook
+   */
+  registerWebhook(config: WebhookConfig): void;
+  /**
+   * Update webhook configuration
+   */
+  updateWebhook(id: string, updates: Partial<Omit<WebhookConfig, 'id'>>): void;
+  /**
+   * Delete webhook
+   */
+  deleteWebhook(id: string): void;
+  /**
+   * Get webhook configuration
+   */
+  getWebhook(id: string): WebhookConfig | undefined;
+  /**
+   * Get all webhooks
+   */
+  getAllWebhooks(): WebhookConfig[];
+  /**
+   * Emit an event to all subscribed webhooks
+   */
+  emitEvent(event: Omit<WebhookEvent, 'id' | 'timestamp'>): Promise<void>;
+  /**
+   * Emit high-risk PII detection event
+   */
+  emitHighRiskPII(result: DetectionResult, tenantId?: string): Promise<void>;
+  /**
+   * Emit bulk PII detection event
+   */
+  emitBulkPII(result: DetectionResult, threshold?: number, tenantId?: string): Promise<void>;
+  /**
+   * Emit processing error event
+   */
+  emitProcessingError(error: Error, tenantId?: string): Promise<void>;
+  /**
+   * Emit slow processing event
+   */
+  emitSlowProcessing(durationMs: number, threshold?: number, tenantId?: string): Promise<void>;
+  /**
+   * Find webhooks that match the event
+   */
+  private findMatchingWebhooks;
+  /**
+   * Deliver webhook with retry logic
+   */
+  private deliverWebhook;
+  /**
+   * Make HTTP request to webhook URL
+   */
+  private makeHttpRequest;
+  /**
+   * Calculate HMAC signature for webhook verification
+   */
+  private calculateHmacSignature;
+  /**
+   * Calculate retry delay with exponential backoff
+   */
+  private calculateRetryDelay;
+  /**
+   * Record delivery in history
+   */
+  private recordDelivery;
+  /**
+   * Get delivery history for a webhook
+   */
+  getDeliveryHistory(webhookId: string, limit?: number): WebhookDelivery[];
+  /**
+   * Get webhook statistics
+   */
+  getWebhookStats(webhookId: string): WebhookStats;
+  /**
+   * Get aggregate statistics for all webhooks
+   */
+  getAggregateStats(): {
+    totalWebhooks: number;
+    enabledWebhooks: number;
+    totalDeliveries: number;
+    successfulDeliveries: number;
+    failedDeliveries: number;
+    avgDeliveryTimeMs: number;
+  };
+  /**
+   * Clear delivery history
+   */
+  clearHistory(): void;
+  /**
+   * Generate unique ID
+   */
+  private generateId;
+}
+/**
+ * Create a webhook manager instance
+ */
+declare function createWebhookManager(options?: {
+  maxHistorySize?: number;
+}): WebhookManager;
+/**
+ * Verify webhook HMAC signature
+ */
+declare function verifyWebhookSignature(payload: string, signature: string, secret: string, algorithm?: 'sha256' | 'sha512'): boolean;
+//#endregion
+//#region src/api/APIServer.d.ts
+/**
+ * API Server configuration
+ */
+interface APIServerConfig {
+  /** Server port (default: 3000) */
+  port?: number;
+  /** Server host (default: '0.0.0.0') */
+  host?: string;
+  /** Enable CORS (default: true) */
+  enableCors?: boolean;
+  /** CORS origin (default: '*') */
+  corsOrigin?: string | string[];
+  /** API key for authentication (optional) */
+  apiKey?: string;
+  /** Enable rate limiting (default: true) */
+  enableRateLimit?: boolean;
+  /** Rate limit: requests per minute (default: 60) */
+  rateLimit?: number;
+  /** Request body size limit (default: '10mb') */
+  bodyLimit?: string;
+  /** Enable request logging (default: true) */
+  enableLogging?: boolean;
+  /** Tenant manager (for multi-tenant mode) */
+  tenantManager?: TenantManager;
+  /** Webhook manager */
+  webhookManager?: WebhookManager;
+  /** Persistent audit logger */
+  auditLogger?: PersistentAuditLogger;
+  /** Prometheus server */
+  prometheusServer?: PrometheusServer;
+  /** Default OpenRedaction options (for non-tenant mode) */
+  defaultOptions?: OpenRedactionOptions;
+}
+/**
+ * API request with authentication
+ */
+interface APIRequest {
+  /** Request body */
+  body: any;
+  /** Headers */
+  headers: Record<string, string | string[] | undefined>;
+  /** Query parameters */
+  query: Record<string, string | string[] | undefined>;
+  /** Path parameters */
+  params: Record<string, string>;
+  /** Authenticated tenant ID (if multi-tenant) */
+  tenantId?: string;
+  /** Client IP address */
+  ip?: string;
+}
+/**
+ * API response
+ */
+interface APIResponse {
+  /** Status code */
+  status: number;
+  /** Response body */
+  body: any;
+  /** Headers */
+  headers?: Record<string, string>;
+}
+/**
+ * REST API Server
+ * Lightweight HTTP server for OpenRedaction with Express-like interface
+ */
+declare class APIServer {
+  private server?;
+  private config;
+  private detector?;
+  private isRunning;
+  private rateLimitTracking;
+  constructor(config?: APIServerConfig);
+  /**
+   * Start the API server
+   */
+  start(): Promise<void>;
+  /**
+   * Stop the server
+   */
+  stop(): Promise<void>;
+  /**
+   * Handle incoming HTTP requests
+   */
+  private handleRequest;
+  /**
+   * Parse HTTP request
+   */
+  private parseRequest;
+  /**
+   * Parse request body
+   */
+  private parseBody;
+  /**
+   * Route request to appropriate handler
+   */
+  private routeRequest;
+  /**
+   * Handle POST /api/detect
+   */
+  private handleDetect;
+  /**
+   * Handle POST /api/redact
+   */
+  private handleRedact;
+  /**
+   * Handle POST /api/restore
+   */
+  private handleRestore;
+  /**
+   * Handle GET /api/audit/logs
+   */
+  private handleAuditLogs;
+  /**
+   * Handle GET /api/audit/stats
+   */
+  private handleAuditStats;
+  /**
+   * Handle GET /api/metrics
+   */
+  private handleMetrics;
+  /**
+   * Handle GET /api/patterns
+   */
+  private handleGetPatterns;
+  /**
+   * Handle GET /api/health
+   */
+  private handleHealth;
+  /**
+   * Handle GET /api/docs
+   */
+  private handleDocs;
+  /**
+   * Handle GET /
+   */
+  private handleRoot;
+  /**
+   * Send HTTP response
+   */
+  private sendResponse;
+  /**
+   * Check rate limit
+   */
+  private checkRateLimit;
+}
+/**
+ * Create an API server instance
+ */
+declare function createAPIServer(config?: APIServerConfig): APIServer;
+//#endregion
+//#region src/config/ConfigExporter.d.ts
+interface ExportedConfig {
+  version: string;
+  timestamp: string;
+  options: {
+    includeNames?: boolean;
+    includeAddresses?: boolean;
+    includePhones?: boolean;
+    includeEmails?: boolean;
+    patterns?: string[];
+    categories?: string[];
+    whitelist?: string[];
+    deterministic?: boolean;
+    redactionMode?: string;
+    preset?: string;
+    enableContextAnalysis?: boolean;
+    confidenceThreshold?: number;
+    enableFalsePositiveFilter?: boolean;
+    falsePositiveThreshold?: number;
+    enableMultiPass?: boolean;
+    multiPassCount?: number;
+    enableCache?: boolean;
+    cacheSize?: number;
+    maxInputSize?: number;
+    regexTimeout?: number;
+  };
+  customPatterns?: Array<{
+    type: string;
+    regex: string;
+    flags: string;
+    priority: number;
+    placeholder: string;
+    description?: string;
+    severity?: string;
+  }>;
+  metadata?: {
+    description?: string;
+    author?: string;
+    tags?: string[];
+  };
+}
+declare class ConfigExporter {
+  private static readonly CONFIG_VERSION;
+  /**
+   * Export configuration to JSON
+   */
+  static exportConfig(options: OpenRedactionOptions & {
+    categories?: string[];
+    maxInputSize?: number;
+    regexTimeout?: number;
+  }, metadata?: {
+    description?: string;
+    author?: string;
+    tags?: string[];
+  }): ExportedConfig;
+  /**
+   * Import configuration from JSON
+   */
+  static importConfig(exported: ExportedConfig, _options?: {
+    mergeWithDefaults?: boolean;
+    validatePatterns?: boolean;
+  }): OpenRedactionOptions & {
+    categories?: string[];
+    maxInputSize?: number;
+    regexTimeout?: number;
+  };
+  /**
+   * Export configuration to JSON string
+   */
+  static exportToString(options: OpenRedactionOptions & {
+    categories?: string[];
+    maxInputSize?: number;
+    regexTimeout?: number;
+  }, metadata?: {
+    description?: string;
+    author?: string;
+    tags?: string[];
+  }, pretty?: boolean): string;
+  /**
+   * Import configuration from JSON string
+   */
+  static importFromString(json: string): OpenRedactionOptions & {
+    categories?: string[];
+    maxInputSize?: number;
+    regexTimeout?: number;
+  };
+  /**
+   * Export configuration to file (Node.js only)
+   */
+  static exportToFile(filePath: string, options: OpenRedactionOptions & {
+    categories?: string[];
+    maxInputSize?: number;
+    regexTimeout?: number;
+  }, metadata?: {
+    description?: string;
+    author?: string;
+    tags?: string[];
+  }): Promise<void>;
+  /**
+   * Import configuration from file (Node.js only)
+   */
+  static importFromFile(filePath: string): Promise<OpenRedactionOptions & {
+    categories?: string[];
+    maxInputSize?: number;
+    regexTimeout?: number;
+  }>;
+  /**
+   * Validate exported config structure
+   */
+  static validateConfig(exported: ExportedConfig): {
+    valid: boolean;
+    errors: string[];
+  };
+  /**
+   * Merge two configurations (useful for extending base configs)
+   */
+  static mergeConfigs(base: ExportedConfig, override: ExportedConfig): ExportedConfig;
+}
+/**
+ * Convenience functions for common use cases
+ */
+/**
+ * Create a shareable config preset
+ */
+declare function createConfigPreset(name: string, description: string, options: OpenRedactionOptions & {
+  categories?: string[];
+  maxInputSize?: number;
+  regexTimeout?: number;
+}): string;
+/**
+ * Quick export for version control
+ */
+declare function exportForVersionControl(options: OpenRedactionOptions & {
+  categories?: string[];
+  maxInputSize?: number;
+  regexTimeout?: number;
+}): string;
+//#endregion
+//#region src/health/HealthCheck.d.ts
+interface HealthCheckResult {
+  status: 'healthy' | 'degraded' | 'unhealthy';
+  timestamp: string;
+  checks: {
+    detector: HealthCheckStatus;
+    patterns: HealthCheckStatus;
+    performance: HealthCheckStatus;
+    memory: HealthCheckStatus;
+  };
+  metrics: {
+    totalPatterns: number;
+    compiledPatterns: number;
+    cacheSize?: number;
+    cacheEnabled: boolean;
+    uptime: number;
+  };
+  errors: string[];
+  warnings: string[];
+}
+interface HealthCheckStatus {
+  status: 'pass' | 'warn' | 'fail';
+  message: string;
+  value?: any;
+  threshold?: any;
+}
+interface HealthCheckOptions {
+  testDetection?: boolean;
+  checkPerformance?: boolean;
+  performanceThreshold?: number;
+  memoryThreshold?: number;
+}
+declare class HealthChecker {
+  private detector;
+  private initTime;
+  constructor(detector: OpenRedaction);
+  /**
+   * Run complete health check
+   */
+  check(options?: HealthCheckOptions): Promise<HealthCheckResult>;
+  /**
+   * Check detector functionality
+   */
+  private checkDetector;
+  /**
+   * Check patterns are loaded
+   */
+  private checkPatterns;
+  /**
+   * Check performance
+   */
+  private checkPerformance;
+  /**
+   * Check memory usage
+   */
+  private checkMemory;
+  /**
+   * Collect metrics
+   */
+  private collectMetrics;
+  /**
+   * Determine overall status
+   */
+  private determineOverallStatus;
+  /**
+   * Quick health check (minimal overhead)
+   */
+  quickCheck(): Promise<{
+    status: 'healthy' | 'unhealthy';
+    message: string;
+  }>;
+  /**
+   * Get system info for debugging
+   */
+  getSystemInfo(): {
+    version: string;
+    patterns: {
+      total: number;
+      types: number;
+    };
+    cache: {
+      enabled: boolean;
+      size: number;
+      maxSize: number;
+    };
+    uptime: number;
+    timestamp: string;
+  };
+}
+/**
+ * Create health checker for a detector
+ */
+declare function createHealthChecker(detector: OpenRedaction): HealthChecker;
+/**
+ * Express middleware for health check endpoint
+ */
+declare function healthCheckMiddleware(detector: OpenRedaction): (_req: any, res: any) => Promise<void>;
+//#endregion
+//#region src/utils/safe-regex.d.ts
+/**
+ * Safe regex execution utilities with ReDoS protection
+ * Zero-dependency implementation using time-based checks
+ */
+interface SafeRegexOptions {
+  timeout?: number;
+  maxMatches?: number;
+}
+declare class RegexTimeoutError extends Error {
+  constructor(pattern: string, timeout: number);
+}
+declare class RegexMaxMatchesError extends Error {
+  constructor(pattern: string, maxMatches: number);
+}
+/**
+ * Safely execute regex with timeout protection
+ * Uses periodic time checks to prevent catastrophic backtracking
+ *
+ * Note: Does NOT reset lastIndex - caller is responsible for managing state
+ */
+declare function safeExec(regex: RegExp, text: string, options?: SafeRegexOptions): RegExpExecArray | null;
+/**
+ * Safely execute regex.exec() in a loop with timeout and match limit protection
+ * Returns all matches or throws on timeout/limit exceeded
+ */
+declare function safeExecAll(regex: RegExp, text: string, options?: SafeRegexOptions): RegExpExecArray[];
+/**
+ * Test if a regex pattern is potentially unsafe (basic static analysis)
+ * Detects common ReDoS patterns
+ *
+ * Note: This is a very basic heuristic check. The real protection comes from
+ * the execution timeout in safeExec(). This just catches obvious mistakes.
+ */
+declare function isUnsafePattern(pattern: string): boolean;
+/**
+ * Validate a regex pattern before use
+ * Throws error if pattern is potentially unsafe
+ */
+declare function validatePattern(pattern: string | RegExp): void;
+/**
+ * Compile a regex with validation and return a safe wrapper
+ */
+declare function compileSafeRegex(pattern: string | RegExp, flags?: string): RegExp;
+//#endregion
+//#region src/utils/ai-assist.d.ts
+/**
+ * AI endpoint response entity structure
+ */
+interface AIEntity {
+  type: string;
+  value: string;
+  start: number;
+  end: number;
+  confidence?: number;
+}
+/**
+ * AI endpoint response structure
+ */
+interface AIResponse {
+  entities: AIEntity[];
+  aiUsed: boolean;
+}
+/**
+ * Get the AI endpoint URL from options or environment
+ */
+declare function getAIEndpoint(aiOptions?: {
+  enabled?: boolean;
+  endpoint?: string;
+}): string | null;
+/**
+ * Call the AI endpoint to get additional PII entities
+ * Returns null if AI is disabled, endpoint unavailable, or on error
+ */
+declare function callAIDetect(text: string, endpoint: string, debug?: boolean): Promise<AIEntity[] | null>;
+/**
+ * Validate an AI entity
+ */
+declare function validateAIEntity(entity: AIEntity, textLength: number): boolean;
+/**
+ * Check if two detections overlap significantly
+ * Returns true if they overlap by more than 50% of the shorter detection
+ */
+declare function detectionsOverlap(det1: PIIDetection, det2: PIIDetection): boolean;
+/**
+ * Convert AI entity to PIIDetection format
+ */
+declare function convertAIEntityToDetection(entity: AIEntity, text: string): PIIDetection | null;
+/**
+ * Merge AI entities with regex detections
+ * Prefers regex detections on conflicts
+ */
+declare function mergeAIEntities(regexDetections: PIIDetection[], aiEntities: AIEntity[], text: string): PIIDetection[];
+//#endregion
+export { ADMIN_ROLE, type AIEntity, type AIOptions, type AIResponse, ALL_PERMISSIONS, ANALYST_ROLE, type APIRequest, type APIResponse, APIServer, type APIServerConfig, type AuditBackend, type AuditDatabaseConfig, type AuditLogEntry, type AuditQueryFilter, type AuditStats, type BatchOptions, BatchProcessor, type BatchResult, type CellMatch, type ChunkResult, type ColumnStats, ConfigExporter, ConfigLoader, ConsoleAuditLogger, type ContextAnalysis, type ContextFeatures, type ContextRulesConfig, ContextRulesEngine, type CsvDetectionResult, CsvProcessor, type CsvProcessorOptions, DEFAULT_DOMAIN_VOCABULARIES, DEFAULT_PROXIMITY_RULES, DEFAULT_SEVERITY_MAP, DEFAULT_TIER_QUOTAS, type DetectTask, type DetectionPass, type DetectionResult, type DocumentFormat, type DocumentMetadata, type DocumentOptions, DocumentProcessor, type DocumentResult, type DocumentTask, type DomainVocabulary, type ErrorSuggestion, ExplainAPI, type ExportedConfig, type FalsePositiveRule, GRAFANA_DASHBOARD_TEMPLATE, type HashedAuditLogEntry, type HealthCheckOptions, type HealthCheckResult, type HealthCheckStatus, HealthChecker, type HybridMatch, type IAuditDatabaseAdapter, type IAuditLogger, type IDocumentProcessor, type IMetricsCollector, type IMetricsExporter, type IOCRProcessor, type IRBACManager, type ImageFormat, InMemoryAuditLogger, InMemoryMetricsCollector, type JsonDetectionResult, JsonProcessor, type JsonProcessorOptions, type LearningData, type LearningStats, LocalLearningStore, type MultiPassStats, NERDetector, type NEREntityType, type NERMatch, type OCRLanguage, type OCROptions, OCRProcessor, type OCRResult, OPERATOR_ROLE, OpenRedaction, type OpenRedactionConfig, OpenRedactionError, type OpenRedactionMiddlewareOptions, type OpenRedactionOptions, type OpenRedactionRequest, type OptimizerOptions, type PIIDetection, type PIIMatch, type PIIPattern, type PatternAdjustment, type PatternMatchResult, type PatternStats, type Permission, PersistentAuditLogger, type PersistentAuditLoggerOptions, type PresetName, PriorityOptimizer, PrometheusServer, type PrometheusServerOptions, type ProximityRule, RBACManager, type RedactionMetrics, type RedactionMode, RegexMaxMatchesError, RegexTimeoutError, type ReportFormat, ReportGenerator, type ReportOptions, type ReportType, type RetentionPolicy, type RiskScore, type Role, type RoleName, SEVERITY_SCORES, type SafeRegexOptions, type SeverityClassification, SeverityClassifier, type SeverityLevel, type SheetDetectionResult, StreamingDetector, type StreamingOptions, type TenantConfig, TenantManager, TenantNotFoundError, TenantQuotaExceededError, type TenantQuotas, TenantSuspendedError, type TenantUsage, type TextExplanation, VIEWER_ROLE, type Validator, type WebhookConfig, type WebhookDelivery, type WebhookDeliveryStatus, type WebhookEvent, type WebhookEventType, WebhookManager, type WebhookStats, type WhitelistEntry, WorkerPool, type WorkerPoolConfig, type WorkerPoolStats, type WorkerResult, type WorkerTask, type XlsxDetectionResult, XlsxProcessor, type XlsxProcessorOptions, allPatterns, analyzeContextFeatures, analyzeFullContext, calculateContextConfidence, calculateRisk, callAIDetect, ccpaPreset, commonFalsePositives, compileSafeRegex, contactPatterns, convertAIEntityToDetection, createAPIServer, createBatchProcessor, createCacheDisabledError, createConfigLoadError, createConfigPreset, createContextRulesEngine, createCsvProcessor, createCustomRole, createDocumentProcessor, createExplainAPI, createHealthChecker, createHighMemoryError, createInvalidPatternError, createJsonProcessor, createLearningDisabledError, createMultiPassDisabledError, createNERDetector, createOCRProcessor, createOptimizationDisabledError, createPersistentAuditLogger, createPriorityOptimizer, createPrometheusServer, createRBACManager, createReportGenerator, createSeverityClassifier, createSimpleMultiPass, createStreamingDetector, createTenantManager, createValidationError, createWebhookManager, createWorkerPool, createXlsxProcessor, defaultPasses, detectPII, detectionsOverlap, educationPreset, exportForVersionControl, extractContext, filterFalsePositives, financePreset, financialPatterns, gdprPreset, generateReport, getAIEndpoint, getPatternsByCategory, getPredefinedRole, getPreset, getSeverity, governmentPatterns, groupPatternsByPass, healthCheckMiddleware, healthcarePreset, healthcareResearchPreset, hipaaPreset, inferDocumentType, isFalsePositive, isUnsafePattern, mergeAIEntities, mergePassDetections, networkPatterns, openredactionMiddleware, personalPatterns, safeExec, safeExecAll, transportLogisticsPreset, validateAIEntity, validateEmail, validateIBAN, validateLuhn, validateNHS, validateNINO, validateName, validatePattern, validateSSN, validateSortCode, validateUKPassport, verifyWebhookSignature };
+//# sourceMappingURL=index.d.mts.map