pseudonym-mcp 0.4.0 → 0.4.1

package/README.md

@@ -441,6 +441,18 @@ In `hybrid` mode, Ollama runs after the regex pass so the LLM never sees already
 - **No model training.** The local Ollama model operates entirely offline. Your data is not used to train any model.
 - **Strict validation by default.** Invalid SSNs (area 000/666/900+), failed-Luhn credit card numbers, and invalid-checksum PESELs are not masked, preventing false positives from OCR errors or random digit sequences.
 
+## Limitations
+
+pseudonym-mcp is a technical privacy control, not a legal guarantee of compliance.
+
+- Detection is best-effort — false negatives and false positives are possible.
+- Indirect references (e.g. _"the tall guy from accounting"_) are not detected.
+- If plaintext is logged before being passed to `mask_text`, pseudonym-mcp cannot protect it.
+- The mapping store is process-local; restarting the server ends the session.
+- Re-identification is possible for anyone with access to the local mapping store — this is pseudonymization, not anonymization.
+
+> Under GDPR Art. 4(5), pseudonymized data is still personal data in your system. pseudonym-mcp substantially reduces risk but does not eliminate your legal obligations.
+
 ## Development
 
 ```sh
@@ -469,10 +481,6 @@ Contributions are welcome. Please follow [Conventional Commits](https://www.conv
 
 Language pack contributions are especially welcome — German (Personalausweis, Steuer-ID), French (NIR, SIRET), Spanish (DNI/NIE) and others would significantly expand the tool's usefulness.
 
-## Keyword index
-
-> For discoverability: **AI privacy**, **LLM data privacy**, **PII masking**, **PII redaction**, **PII detection**, **data pseudonymization**, **GDPR LLM compliance**, **GDPR AI**, **EU AI Act**, **CCPA compliance**, **HIPAA AI**, **PCI DSS tokenization**, **SOC 2 data handling**, **personal data protection**, **sensitive data scrubbing**, **NER anonymization**, **named entity recognition privacy**, **Claude privacy layer**, **MCP privacy proxy**, **local AI processing**, **on-premise AI**, **zero-trust AI**, **data minimisation**, **privacy by design**, **SSN masking**, **credit card masking**, **Luhn validation**, **PESEL masking**, **Polish PII**, **RODO**, **UODO compliance**, **healthcare AI privacy**, **financial data redaction**, **PSD2 privacy**, **tokenization NLP**, **prompt sanitization**, **context window privacy**, **offline NER**, **Ollama privacy**, **local LLM privacy**, **cross-border data transfer**, **data protection by design**, **PIPEDA**, **LGPD**, **POPIA**.
-
 ## License
 
 MIT — Adrian Wolczuk

package/dist/languages/pl/rules.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rules.d.ts","sourceRoot":"","sources":["../../../src/languages/pl/rules.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAOhD,eAAO,MAAM,WAAW,EAAE,aAEzB,CAAA"}
+{"version":3,"file":"rules.d.ts","sourceRoot":"","sources":["../../../src/languages/pl/rules.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAQhD,eAAO,MAAM,WAAW,EAAE,aAEzB,CAAA"}

package/dist/languages/pl/rules.js

@@ -2,8 +2,9 @@ import { toPatternDef } from '../../patterns/types.js';
 import { peselRule } from '../../patterns/locale/pl/pesel.js';
 import { plIbanRule } from '../../patterns/locale/pl/iban.js';
 import { plPhoneRule } from '../../patterns/locale/pl/phone.js';
+import { nipRule } from '../../patterns/locale/pl/nip.js';
 import { emailRule } from '../../patterns/global/email.js';
 export const PolishRules = {
-    patterns: [peselRule, plIbanRule, emailRule, plPhoneRule].map(toPatternDef),
+    patterns: [peselRule, plIbanRule, emailRule, plPhoneRule, nipRule].map(toPatternDef),
 };
 //# sourceMappingURL=rules.js.map

package/dist/languages/pl/rules.js.map

@@ -1 +1 @@
-{"version":3,"file":"rules.js","sourceRoot":"","sources":["../../../src/languages/pl/rules.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAA;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,mCAAmC,CAAA;AAC7D,OAAO,EAAE,UAAU,EAAE,MAAM,kCAAkC,CAAA;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAA;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAA;AAE1D,MAAM,CAAC,MAAM,WAAW,GAAkB;IACxC,QAAQ,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC;CAC5E,CAAA"}
+{"version":3,"file":"rules.js","sourceRoot":"","sources":["../../../src/languages/pl/rules.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAA;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,mCAAmC,CAAA;AAC7D,OAAO,EAAE,UAAU,EAAE,MAAM,kCAAkC,CAAA;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAA;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,iCAAiC,CAAA;AACzD,OAAO,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAA;AAE1D,MAAM,CAAC,MAAM,WAAW,GAAkB;IACxC,QAAQ,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC;CACrF,CAAA"}

package/dist/patterns/locale/pl/nip.js

@@ -16,8 +16,8 @@ function nipChecksum(raw) {
 export const nipRule = {
     id: 'pl.nip',
     entityType: 'NIP',
-    // 10 digits, optionally separated by spaces or dashes in groups: XXX-XXX-XX-XX or XXX-XX-XX-XXX
-    pattern: /\b\d{3}[\s\-]?\d{3}[\s\-]?\d{2}[\s\-]?\d{2}\b/g,
+    // 10 digits in XXX-XXX-XX-XX format (hyphens required)
+    pattern: /\b\d{3}-\d{3}-\d{2}-\d{2}\b/g,
     locales: ['pl'],
     engines: ['strict', 'paranoid'],
     description: 'Polish tax identification number (NIP) — 10 digits with checksum',

package/dist/patterns/locale/pl/nip.js.map

@@ -1 +1 @@
-{"version":3,"file":"nip.js","sourceRoot":"","sources":["../../../../src/patterns/locale/pl/nip.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;IACzC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAA;IAC1C,MAAM,OAAO,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAA;IAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;IAC5D,MAAM,KAAK,GAAG,GAAG,GAAG,EAAE,CAAA;IACtB,OAAO,KAAK,KAAK,EAAE,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;AACvC,CAAC;AAED,MAAM,CAAC,MAAM,OAAO,GAAgB;IAClC,EAAE,EAAE,QAAQ;IACZ,UAAU,EAAE,KAAK;IACjB,gGAAgG;IAChG,OAAO,EAAE,gDAAgD;IACzD,OAAO,EAAE,CAAC,IAAI,CAAC;IACf,OAAO,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;IAC/B,WAAW,EAAE,kEAAkE;IAC/E,QAAQ,EAAE,WAAW;CACtB,CAAA"}
+{"version":3,"file":"nip.js","sourceRoot":"","sources":["../../../../src/patterns/locale/pl/nip.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;IACzC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAA;IAC1C,MAAM,OAAO,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAA;IAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;IAC5D,MAAM,KAAK,GAAG,GAAG,GAAG,EAAE,CAAA;IACtB,OAAO,KAAK,KAAK,EAAE,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;AACvC,CAAC;AAED,MAAM,CAAC,MAAM,OAAO,GAAgB;IAClC,EAAE,EAAE,QAAQ;IACZ,UAAU,EAAE,KAAK;IACjB,uDAAuD;IACvD,OAAO,EAAE,8BAA8B;IACvC,OAAO,EAAE,CAAC,IAAI,CAAC;IACf,OAAO,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;IAC/B,WAAW,EAAE,kEAAkE;IAC/E,QAAQ,EAAE,WAAW;CACtB,CAAA"}

package/dist/patterns/locale/pl/pesel.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pesel.d.ts","sourceRoot":"","sources":["../../../../src/patterns/locale/pl/pesel.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAgBjD,eAAO,MAAM,SAAS,EAAE,WASvB,CAAA"}
+{"version":3,"file":"pesel.d.ts","sourceRoot":"","sources":["../../../../src/patterns/locale/pl/pesel.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAiBjD,eAAO,MAAM,SAAS,EAAE,WASvB,CAAA"}

package/dist/patterns/locale/pl/pesel.js

@@ -3,20 +3,21 @@
  * Weights: [1, 3, 7, 9, 1, 3, 7, 9, 1, 3]
  * Check digit = (10 - (weighted_sum % 10)) % 10
  */
-function peselChecksum(pesel) {
-    if (!/^\d{11}$/.test(pesel))
+function peselChecksum(input) {
+    const digits = input.replace(/\D/g, '');
+    if (digits.length !== 11)
         return false;
     const weights = [1, 3, 7, 9, 1, 3, 7, 9, 1, 3];
-    const digits = pesel.split('').map(Number);
-    const sum = weights.reduce((acc, w, i) => acc + w * digits[i], 0);
+    const d = digits.split('').map(Number);
+    const sum = weights.reduce((acc, w, i) => acc + w * d[i], 0);
     const check = (10 - (sum % 10)) % 10;
-    return check === digits[10];
+    return check === d[10];
 }
 export const peselRule = {
     id: 'pl.pesel',
     entityType: 'PESEL',
-    // Exactly 11 consecutive digits NOT adjacent to another digit
-    pattern: /(?<!\d)\d{11}(?!\d)/g,
+    // Matches "PESEL XXXXXXXXXXX" (whole phrase) or standalone 11 digits
+    pattern: /(?:PESEL\s+)?(?<!\d)\d{11}(?!\d)/g,
     locales: ['pl'],
     engines: ['balanced', 'strict', 'paranoid'],
     description: 'Polish national identification number (PESEL) — 11 digits with checksum',

package/dist/patterns/locale/pl/pesel.js.map

@@ -1 +1 @@
-{"version":3,"file":"pesel.js","sourceRoot":"","sources":["../../../../src/patterns/locale/pl/pesel.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,SAAS,aAAa,CAAC,KAAa;IAClC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACzC,MAAM,OAAO,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAA;IAC9C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IAC1C,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;IACjE,MAAM,KAAK,GAAG,CAAC,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAA;IACpC,OAAO,KAAK,KAAK,MAAM,CAAC,EAAE,CAAC,CAAA;AAC7B,CAAC;AAED,MAAM,CAAC,MAAM,SAAS,GAAgB;IACpC,EAAE,EAAE,UAAU;IACd,UAAU,EAAE,OAAO;IACnB,8DAA8D;IAC9D,OAAO,EAAE,sBAAsB;IAC/B,OAAO,EAAE,CAAC,IAAI,CAAC;IACf,OAAO,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,UAAU,CAAC;IAC3C,WAAW,EAAE,yEAAyE;IACtF,QAAQ,EAAE,aAAa;CACxB,CAAA"}
+{"version":3,"file":"pesel.js","sourceRoot":"","sources":["../../../../src/patterns/locale/pl/pesel.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;IACvC,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAA;IACtC,MAAM,OAAO,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAA;IAC9C,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;IAC5D,MAAM,KAAK,GAAG,CAAC,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAA;IACpC,OAAO,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC,CAAA;AACxB,CAAC;AAED,MAAM,CAAC,MAAM,SAAS,GAAgB;IACpC,EAAE,EAAE,UAAU;IACd,UAAU,EAAE,OAAO;IACnB,qEAAqE;IACrE,OAAO,EAAE,mCAAmC;IAC5C,OAAO,EAAE,CAAC,IAAI,CAAC;IACf,OAAO,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,UAAU,CAAC;IAC3C,WAAW,EAAE,yEAAyE;IACtF,QAAQ,EAAE,aAAa;CACxB,CAAA"}

package/dist/patterns/locale/pl/phone.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"phone.d.ts","sourceRoot":"","sources":["../../../../src/patterns/locale/pl/phone.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAEjD,eAAO,MAAM,WAAW,EAAE,WAYzB,CAAA"}
+{"version":3,"file":"phone.d.ts","sourceRoot":"","sources":["../../../../src/patterns/locale/pl/phone.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAEjD,eAAO,MAAM,WAAW,EAAE,WAazB,CAAA"}

package/dist/patterns/locale/pl/phone.js

@@ -1,11 +1,12 @@
 export const plPhoneRule = {
     id: 'pl.phone',
     entityType: 'PHONE',
-    // Three alternatives:
+    // Four alternatives:
     // 1. International prefix: +48 or 0048, then 9 digits (with optional spaces/dashes)
     // 2. 9-digit mobile starting with 4–8 (Polish numbering plan)
     // 3. Landline with area code in parens: (XX) XXX-XX-XX
-    pattern: /(?:\+48|0048)[\s\-]?\d{3}[\s\-]?\d{3}[\s\-]?\d{3}|\b[4-8]\d{2}[\s\-]?\d{3}[\s\-]?\d{3}\b|\(\d{2}\)[\s\-]?\d{3}[\s\-]?\d{2}[\s\-]?\d{2}/g,
+    // 4. Landline without prefix: 2-digit area code + 7 digits (XX XXX XX XX or XX XXXXXXX)
+    pattern: /(?:\+48|0048)[\s\-]?\d{3}[\s\-]?\d{3}[\s\-]?\d{3}|\b[4-8]\d{2}[\s\-]?\d{3}[\s\-]?\d{3}\b|\(\d{2}\)[\s\-]?\d{3}[\s\-]?\d{2}[\s\-]?\d{2}|\b[1-9]\d[\s\-]?\d{3}[\s\-]?\d{2}[\s\-]?\d{2}\b/g,
     locales: ['pl'],
     engines: ['balanced', 'strict', 'paranoid'],
     description: 'Polish phone number (+48 / 0048 prefix, 9-digit mobile, landline)',

package/dist/patterns/locale/pl/phone.js.map

@@ -1 +1 @@
-{"version":3,"file":"phone.js","sourceRoot":"","sources":["../../../../src/patterns/locale/pl/phone.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,WAAW,GAAgB;IACtC,EAAE,EAAE,UAAU;IACd,UAAU,EAAE,OAAO;IACnB,sBAAsB;IACtB,oFAAoF;IACpF,8DAA8D;IAC9D,uDAAuD;IACvD,OAAO,EACL,yIAAyI;IAC3I,OAAO,EAAE,CAAC,IAAI,CAAC;IACf,OAAO,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,UAAU,CAAC;IAC3C,WAAW,EAAE,mEAAmE;CACjF,CAAA"}
+{"version":3,"file":"phone.js","sourceRoot":"","sources":["../../../../src/patterns/locale/pl/phone.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,WAAW,GAAgB;IACtC,EAAE,EAAE,UAAU;IACd,UAAU,EAAE,OAAO;IACnB,qBAAqB;IACrB,oFAAoF;IACpF,8DAA8D;IAC9D,uDAAuD;IACvD,wFAAwF;IACxF,OAAO,EACL,yLAAyL;IAC3L,OAAO,EAAE,CAAC,IAAI,CAAC;IACf,OAAO,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,UAAU,CAAC;IAC3C,WAAW,EAAE,mEAAmE;CACjF,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pseudonym-mcp",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "mcpName": "io.github.woladi/pseudonym-mcp",
   "description": "MCP server for privacy-preserving pseudonymization of sensitive data before cloud LLM processing",
   "type": "module",
@@ -109,7 +109,8 @@
     "git": {
       "commitMessage": "chore: release v${version}",
       "tagName": "v${version}",
-      "push": false
+      "push": false,
+      "requireCleanWorkingDir": false
     },
     "npm": {
       "publish": true