zuplo 6.70.69 → 6.70.71

package/docs/mcp-gateway/observability/logging.mdx

@@ -141,33 +141,40 @@ structured entries described above with their `event` field preserved.
 Registering both plugins is a small addition to `modules/zuplo.runtime.ts`:
 
 ```ts title="modules/zuplo.runtime.ts"
-import { RuntimeExtensions } from "@zuplo/runtime";
+import { OpenTelemetryPlugin } from "@zuplo/otel";
+import { environment, RuntimeExtensions } from "@zuplo/runtime";
 import { McpGatewayPlugin } from "@zuplo/runtime/mcp-gateway";
-import { OpenTelemetryPlugin } from "@zuplo/runtime";
 
 export function runtimeInit(runtime: RuntimeExtensions) {
   runtime.addPlugin(new McpGatewayPlugin());
   runtime.addPlugin(
     new OpenTelemetryPlugin({
-      url: process.env.OTLP_TRACES_ENDPOINT,
-      logUrl: process.env.OTLP_LOGS_ENDPOINT,
-      authorization: process.env.OTLP_AUTHORIZATION,
+      traceUrl: environment.OTLP_TRACES_ENDPOINT,
+      logUrl: environment.OTLP_LOGS_ENDPOINT,
+      headers: {
+        Authorization: environment.OTLP_AUTHORIZATION,
+      },
+      service: {
+        name: "mcp-gateway",
+      },
     }),
   );
 }
 ```
 
-Grafana Cloud is one common destination — define the endpoint and credentials in
-`.env`:
+Logs are only exported when `logUrl` is set alongside `traceUrl` — configuring
+only `exporter.url` exports traces alone. Grafana Cloud is one common
+destination — define the endpoints and credentials as
+[environment variables](../../articles/environment-variables.mdx):
 
 ```bash
-GRAFANA_OTLP_ENDPOINT=https://otlp-gateway-prod-<region>.grafana.net/otlp
-GRAFANA_OTLP_INSTANCE_ID=<instance-id>
-GRAFANA_OTLP_API_TOKEN=glc_<token>
+OTLP_TRACES_ENDPOINT=https://otlp-gateway-prod-<region>.grafana.net/otlp/v1/traces
+OTLP_LOGS_ENDPOINT=https://otlp-gateway-prod-<region>.grafana.net/otlp/v1/logs
+OTLP_AUTHORIZATION=Basic <base64 of instance-id:api-token>
 ```
 
-Use the base OTLP endpoint that ends in `/otlp` — the runtime appends
-`/v1/traces` and `/v1/logs` itself. Other OTLP-compatible destinations
+The plugin sends OTLP data to the configured URLs exactly as given, so include
+the full `/v1/traces` and `/v1/logs` paths. Other OTLP-compatible destinations
 (Honeycomb, Dynatrace, New Relic, Tempo, self-hosted Jaeger) work the same way;
 substitute the endpoint and credential headers.
 

package/docs/mcp-server/resources.mdx

@@ -191,27 +191,36 @@ Response:
   "result": {
     "resources": [
       {
-        "name": "html",
-        "uri": "mcp://resources/html",
-        "title": "html",
-        "description": "Returns the AI applet's HTML",
-        "mimeType": "text/plain"
+        "name": "html_doc",
+        "uri": "ui://html",
+        "title": "html_doc",
+        "description": "The HTML document for the AI applet",
+        "mimeType": "text/html"
       },
       {
-        "name": "css_doc",
-        "uri": "ui://css",
-        "title": "css_doc",
-        "description": "The CSS resource",
-        "mimeType": "text/css"
+        "name": "css",
+        "uri": "mcp://resources/css",
+        "title": "css",
+        "description": "Returns the AI applet's CSS",
+        "mimeType": "text/plain"
       }
     ]
   }
 }
 ```
 
+The `html_doc` resource uses the custom `name`, `uri`, `description`, and
+`mimeType` from the route configuration shown earlier. The `css` resource sets
+only `"mcp": { "type": "resource" }`, so the defaults apply: the name comes from
+the `operationId`, the URI defaults to `mcp://resources/{name}`, the description
+falls back to the operation's `description`, and the MIME type defaults to
+`text/plain`.
+
 ### Read a Resource
 
-Use the MCP `resources/read` method to read a resource by its URI:
+Use the MCP `resources/read` method to read a resource by its URI. Resources
+configured without a custom `uri` use the default `mcp://resources/{name}`
+format:
 
 ```bash
 curl https://my-gateway.zuplo.dev/mcp \
@@ -222,7 +231,7 @@ curl https://my-gateway.zuplo.dev/mcp \
     "id": "0",
     "method": "resources/read",
     "params": {
-      "uri": "mcp://resources/html"
+      "uri": "mcp://resources/css"
     }
   }'
 ```
@@ -236,9 +245,9 @@ Response:
   "result": {
     "contents": [
       {
-        "uri": "mcp://resources/html",
+        "uri": "mcp://resources/css",
         "mimeType": "text/plain",
-        "text": "<div id=\"my-ai-applet\"></div>"
+        "text": "div { color: blue; }"
       }
     ]
   }
@@ -247,6 +256,9 @@ Response:
 
 ### Read a Resource with Custom URI
 
+Resources configured with a custom `uri`, like the `html_doc` resource above,
+are read using that URI:
+
 ```bash
 curl https://my-gateway.zuplo.dev/mcp \
   -X POST \
@@ -256,7 +268,7 @@ curl https://my-gateway.zuplo.dev/mcp \
     "id": "0",
     "method": "resources/read",
     "params": {
-      "uri": "ui://css"
+      "uri": "ui://html"
     }
   }'
 ```

package/docs/mcp-server/testing.mdx

@@ -3,8 +3,6 @@ title: MCP Server Testing
 sidebar_label: Testing
 ---
 
-# Testing Tools
-
 ## Using MCP Inspector
 
 The [MCP Inspector](https://github.com/modelcontextprotocol/inspector) is ideal

package/docs/policies/_index.md

@@ -37,6 +37,8 @@
 | curity-phantom-token-inbound | Curity Phantom Token Auth | Authenticate users using the Curity Phantom Token Pattern. | api-gateway |
 | custom-code-inbound | Custom Code Inbound | Enables a custom code policy written in TypeScript. Change YOUR_MODULE to the name of your module (without .ts extension) | api-gateway |
 | custom-code-outbound | Custom Code Outbound | A custom outbound response policy. | api-gateway |
+| data-loss-prevention-outbound | Data Loss Prevention | Scans the upstream response body for sensitive data — PII, secrets, and financial identifiers — using an extensible catalog of built-in recognizers plus any custom patterns, and takes a configurable action when a match is found.  The action is one of `mask` (redact matches before returning the response), `block` (replace the response with a `422` listing the detected entity names only), or `log` (record a warning and return unchanged). Only text content types are inspected; binary bodies pass through untouched, and the body is read from a clone so the client still receives the original stream. | api-gateway |
+| data-loss-prevention-inbound | Data Loss Prevention | Scans the incoming request body for sensitive data — PII, secrets, and financial identifiers — using an extensible catalog of built-in recognizers plus any custom patterns, and takes a configurable action when a match is found.  The action is one of `mask` (redact matches before forwarding the request), `block` (reject with a `422` listing the detected entity names only), or `log` (record a warning and forward unchanged). Only text content types are inspected; binary bodies pass through untouched, and the body is read from a clone so the upstream still receives the original stream. | api-gateway |
 | firebase-jwt-inbound | Firebase JWT Auth | Authenticate users using Firebase issued JWT tokens. | api-gateway |
 | formdata-to-json-inbound | Form Data to JSON | Converts form data in the incoming request to JSON. | api-gateway |
 | galileo-tracing-inbound | Galileo Tracing | Galileo Tracing Inbound Policy | ai-gateway |

package/docs/policies/archive-request-azure-storage-inbound/doc.md

@@ -20,7 +20,7 @@ can generate one of these on the `Shared access tokens` tab.
 Note, you should minimize the permissions - and select only the `Create`
 permission. Choose a sensible start and expiration time for your token. Note, we
 don't recommend restricting IP addresses because Zuplo runs at the edge in over
-200 data-centers world-wide.
+300 data centers worldwide.
 
 ![Permissions](../../public/media/guides/archiving-requests-to-storage/Untitled_1.png)
 

package/docs/policies/archive-response-azure-storage-outbound/doc.md

@@ -20,7 +20,7 @@ can generate one of these on the `Shared access tokens` tab.
 Note, you should minimize the permissions - and select only the `Create`
 permission. Choose a sensible start and expiration time for your token. Note, we
 don't recommend restricting IP addresses because Zuplo runs at the edge in over
-200 data-centers world-wide.
+300 data centers worldwide.
 
 ![Create permission](../../public/media/guides/archiving-requests-to-storage/Untitled_1.png)
 

package/docs/policies/data-loss-prevention-inbound/doc.md

@@ -0,0 +1,116 @@
+This policy inspects the body of each incoming request for sensitive data and
+applies a configurable action. It is the inbound counterpart to the
+[Data Loss Prevention - Outbound](/docs/policies/data-loss-prevention-outbound)
+policy, which inspects upstream responses.
+
+Detection happens entirely inside the gateway isolate — request bodies are never
+sent to a third-party service.
+
+## Actions
+
+- **`mask`** (default) — every detected value is replaced with the `mask` string
+  and the modified body is forwarded upstream. Overlapping matches are merged
+  and masked once.
+- **`block`** — the request is rejected with a `422 Unprocessable Content`. The
+  problem detail lists only the names of the detected entities, never the
+  matched values, so the policy never leaks the data it caught.
+- **`log`** — a structured warning is written (entity ids and counts only) and
+  the request is forwarded unchanged.
+
+## Built-in recognizers
+
+Enable entities individually or by **group selector** in the `entities`
+option, or omit it to use the full catalog. Entity ids follow a
+`{category}-{scope}-{name}` taxonomy, and any dash-aligned prefix of an id is a
+valid selector: `secret` enables every secret, `id-au` enables Australia's
+identifiers, `secret-aws` enables both AWS entities. Two named groups (`pii`,
+`region-eu`) bundle entities across categories.
+
+| Group         | Entities                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `secret`     | `secret-private-key`, `secret-jwt`, `secret-aws-access-key`, `secret-aws-bedrock`, `secret-github`, `secret-gitlab`, `secret-zuplo`, `secret-openai`, `secret-anthropic`, `secret-google-api-key`, `secret-stripe`, `secret-slack`, `secret-discord-webhook`, `secret-npm`, `secret-pypi`, `secret-sendgrid`, `secret-twilio`, `secret-hugging-face`, `secret-databricks`, `secret-shopify`, `secret-square`, `secret-mailchimp`, `secret-mailgun`, `secret-postman`, `secret-terraform`, `secret-sentry`, `secret-digitalocean`, `secret-heroku`, `secret-perplexity`, `secret-azure-client`, `secret-telegram-bot` |
+| `finance`   | `finance-credit-card` (Luhn), `finance-iban` (per-country length + mod-97), `finance-crypto-wallet`, `finance-us-aba-routing` (checksum), `finance-swift-bic`, `finance-us-bank-account`, `finance-cvv`                                                                                                                                                                                                                                                                                                                                                                              |
+| `id` | `id-us-ssn`, `id-us-itin`, `id-us-passport`, `id-uk-nino`, `id-uk-nhs` (mod-11), `id-ca-sin` (Luhn), `id-au-abn`, `id-au-acn`, `id-au-tfn`, `id-au-medicare` (all checksummed), `id-in-aadhaar` (Verhoeff), `id-in-pan`, `id-sg-nric` (checksum), `id-es-nif` (checksum), `id-it-fiscal-code` (checksum), `id-pl-pesel` (checksum), `id-nl-bsn` (11-proef), `id-br-cpf` (checksum), `id-fr-nir` (mod-97)                                                                                                                                                                            |
+| `contact`     | `contact-email`, `contact-phone`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| `network`     | `network-ipv4`, `network-ipv6`, `network-mac`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| `pii`         | `contact` + `id`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| Prefixes      | `id-us`, `id-uk`, `id-au`, `id-ca`, `id-in`, `id-sg`, `id-es`, `id-it`, `id-pl`, `id-nl`, `id-br`, `id-fr`, `finance-us`, `secret-aws` — everything whose id starts with that prefix                                                                                                                                                                                                                                                                                                  |
+| `region-eu`   | `id-es-nif`, `id-it-fiscal-code`, `id-pl-pesel`, `id-nl-bsn`, `id-fr-nir`, `finance-iban`                                                                                                                                                                                                                                                                                                                                                                                              |
+
+## Context-word scoring
+
+Every match gets a confidence score. Recognizers whose raw pattern is just "a
+run of digits" (bank accounts, routing numbers, NHS numbers, …) carry a low
+base confidence and a list of **context words**; when one of those words
+appears near the match — in prose, or in a JSON key, form field, or header-like
+label (`nhsNumber`, `routing_number`, `cvv:`) — the confidence is boosted above
+the detection threshold.
+
+For example, with the `id-uk-nhs` entity enabled, `{"nhsNumber": "9434765919"}` is
+masked while the same digits in `{"orderId": "9434765919"}` pass through
+untouched.
+
+The threshold is configurable via `minConfidence` (default `0.5`): lower it to
+detect context-dependent entities everywhere, raise it to keep only prefix- and
+checksum-validated matches.
+
+## Custom patterns
+
+Add your own recognizers with `customPatterns`. Each entry has a `name`, a
+JavaScript regular expression `pattern`, and optionally a `confidence` and
+`context` words to participate in context scoring. Invalid patterns are logged
+and skipped rather than failing the request. Remember to escape backslashes for
+JSON (for example `\\d` to match a digit).
+
+## Content types
+
+Only text-based bodies (JSON, XML, form-encoded, and `text/*`) are scanned;
+binary bodies pass through untouched. Override the allow-list with the
+`contentTypes` option if you need to scan a different set of content types.
+
+## Configuration
+
+- `engine`: The detection engine. Only `builtin` is available today. **Default:**
+  `builtin`
+- `entities`: Recognizer ids and/or group selectors (prefixes, `pii`,
+  `region-eu`) to enable. **Default:** all
+  recognizers
+- `customPatterns`: Additional `{ name, pattern, confidence?, context? }` regex
+  recognizers
+- `action`: `mask`, `block`, or `log`. **Default:** `mask`
+- `mask`: Replacement string used when `action` is `mask`. **Default:**
+  `[REDACTED]`
+- `minConfidence`: Detection threshold (0-1). **Default:** `0.5`
+- `contentTypes`: Override the scannable content-type allow-list
+
+## Usage
+
+Apply this policy to inbound requests in your route configuration:
+
+```json
+{
+  "policies": [
+    {
+      "name": "data-loss-prevention-inbound",
+      "policyType": "data-loss-prevention-inbound",
+      "handler": {
+        "export": "DataLossPreventionInboundPolicy",
+        "module": "$import(@zuplo/runtime)",
+        "options": {
+          "action": "mask",
+          "entities": ["secret", "finance", "id-us", "contact-email"],
+          "mask": "[REDACTED]",
+          "customPatterns": [
+            {
+              "name": "employee-id",
+              "pattern": "EMP-\\d{6}",
+              "confidence": 0.3,
+              "context": ["employee"]
+            }
+          ]
+        }
+      }
+    }
+  ]
+}
+```

package/docs/policies/data-loss-prevention-inbound/intro.md

@@ -0,0 +1,15 @@
+The Data Loss Prevention (DLP) policy scans incoming request bodies for
+sensitive data — personally identifiable information (PII), secrets and API
+keys for dozens of vendors, payment and bank identifiers, and national IDs for
+many countries — using a catalog of 60+ built-in recognizers plus any custom
+patterns you add. When a match is found it takes a configurable action: mask
+the matches, block the request, or log a warning and let it through.
+
+Recognizers are selected individually or via entity groups (`secret`,
+`finance`, `pii`, `id-us`, `id-uk`, `region-eu`, …). Detection runs entirely in the
+gateway isolate using regular expressions, checksums (Luhn, mod-97, Verhoeff,
+and friends), and context-word scoring — no request data leaves the gateway.
+
+Pair with the
+[Data Loss Prevention - Outbound](/docs/policies/data-loss-prevention-outbound)
+policy to also scan upstream responses before they're returned to the client.

package/docs/policies/data-loss-prevention-inbound/schema.json

@@ -0,0 +1,220 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "https://cdn.zuplo.com/policies/runtime/schemas/data-loss-prevention-inbound.json",
+  "type": "object",
+  "title": "Data Loss Prevention",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "requiresAI": false,
+  "products": ["api-gateway"],
+  "description": "Scans the incoming request body for sensitive data — PII, secrets, and financial identifiers — using an extensible catalog of built-in recognizers plus any custom patterns, and takes a configurable action when a match is found.\n\nThe action is one of `mask` (redact matches before forwarding the request), `block` (reject with a `422` listing the detected entity names only), or `log` (record a warning and forward unchanged). Only text content types are inspected; binary bodies pass through untouched, and the body is read from a clone so the upstream still receives the original stream.",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "DataLossPreventionInboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/runtime)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "title": "DataLossPreventionInboundPolicyOptions",
+          "type": "object",
+          "description": "The options for the Data Loss Prevention inbound policy. Scans the incoming request body for sensitive data and applies the configured action (mask, block, or log).",
+          "additionalProperties": false,
+          "required": [],
+          "examples": [
+            {
+              "action": "mask",
+              "entities": ["secret", "finance", "contact-email", "id-us-ssn"],
+              "mask": "[REDACTED]"
+            }
+          ],
+          "properties": {
+            "engine": {
+              "type": "string",
+              "enum": ["builtin"],
+              "default": "builtin",
+              "description": "The detection engine. Only `builtin` (in-isolate regex + checksum detection with context-word scoring) is available today. This is the extension point for a future hosted `presidio-service` mode; declaring it now keeps adding that mode an additive, non-breaking change."
+            },
+            "entities": {
+              "type": "array",
+              "description": "Built-in recognizer ids and/or group selectors to enable. Entity ids follow a {category}-{scope}-{name} taxonomy, and any dash-aligned id prefix acts as a selector (for example `secret` is every secret, `id-au` is Australia's identifiers, `secret-aws` is both AWS entities), plus the named groups `pii` and `region-eu`. Available selectors: `contact`, `finance`, `finance-us`, `id`, `id-au`, `id-br`, `id-ca`, `id-es`, `id-fr`, `id-in`, `id-it`, `id-nl`, `id-pl`, `id-sg`, `id-uk`, `id-us`, `network`, `pii`, `region-eu`, `secret`, `secret-aws`. When omitted, the full built-in catalog is used.",
+              "items": {
+                "type": "string",
+                "enum": [
+                  "contact",
+                  "finance",
+                  "finance-us",
+                  "id",
+                  "id-au",
+                  "id-br",
+                  "id-ca",
+                  "id-es",
+                  "id-fr",
+                  "id-in",
+                  "id-it",
+                  "id-nl",
+                  "id-pl",
+                  "id-sg",
+                  "id-uk",
+                  "id-us",
+                  "network",
+                  "pii",
+                  "region-eu",
+                  "secret",
+                  "secret-aws",
+                  "contact-email",
+                  "contact-phone",
+                  "finance-credit-card",
+                  "finance-crypto-wallet",
+                  "finance-cvv",
+                  "finance-iban",
+                  "finance-swift-bic",
+                  "finance-us-aba-routing",
+                  "finance-us-bank-account",
+                  "id-au-abn",
+                  "id-au-acn",
+                  "id-au-medicare",
+                  "id-au-tfn",
+                  "id-br-cpf",
+                  "id-ca-sin",
+                  "id-es-nif",
+                  "id-fr-nir",
+                  "id-in-aadhaar",
+                  "id-in-pan",
+                  "id-it-fiscal-code",
+                  "id-nl-bsn",
+                  "id-pl-pesel",
+                  "id-sg-nric",
+                  "id-uk-nhs",
+                  "id-uk-nino",
+                  "id-us-itin",
+                  "id-us-passport",
+                  "id-us-ssn",
+                  "network-ipv4",
+                  "network-ipv6",
+                  "network-mac",
+                  "secret-anthropic",
+                  "secret-aws-access-key",
+                  "secret-aws-bedrock",
+                  "secret-azure-client",
+                  "secret-databricks",
+                  "secret-digitalocean",
+                  "secret-discord-webhook",
+                  "secret-github",
+                  "secret-gitlab",
+                  "secret-google-api-key",
+                  "secret-heroku",
+                  "secret-hugging-face",
+                  "secret-jwt",
+                  "secret-mailchimp",
+                  "secret-mailgun",
+                  "secret-npm",
+                  "secret-openai",
+                  "secret-perplexity",
+                  "secret-postman",
+                  "secret-private-key",
+                  "secret-pypi",
+                  "secret-sendgrid",
+                  "secret-sentry",
+                  "secret-shopify",
+                  "secret-slack",
+                  "secret-square",
+                  "secret-stripe",
+                  "secret-telegram-bot",
+                  "secret-terraform",
+                  "secret-twilio",
+                  "secret-zuplo"
+                ]
+              }
+            },
+            "customPatterns": {
+              "type": "array",
+              "description": "Additional customer-defined regex recognizers. Invalid patterns are logged and skipped rather than failing the request.",
+              "items": {
+                "type": "object",
+                "title": "DlpCustomPattern",
+                "additionalProperties": false,
+                "required": ["name", "pattern"],
+                "properties": {
+                  "name": {
+                    "type": "string",
+                    "description": "Identifier reported in findings and block details for this pattern."
+                  },
+                  "pattern": {
+                    "type": "string",
+                    "description": "A JavaScript regular expression source string. Remember to escape backslashes for JSON (for example `\\\\d` for a digit)."
+                  },
+                  "confidence": {
+                    "type": "number",
+                    "minimum": 0,
+                    "maximum": 1,
+                    "default": 0.85,
+                    "description": "Base confidence (0-1) for matches of this pattern. The default of 0.85 is above the default detection threshold; combine a low value with `context` words for patterns that are only sensitive in context."
+                  },
+                  "context": {
+                    "type": "array",
+                    "items": {
+                      "type": "string"
+                    },
+                    "description": "Context words that boost a match's confidence by 0.45 when one appears near the match (in the surrounding field, label, or key)."
+                  }
+                }
+              }
+            },
+            "action": {
+              "type": "string",
+              "enum": ["mask", "block", "log"],
+              "default": "mask",
+              "description": "What to do when sensitive data is detected. `mask` redacts matches before forwarding the request, `block` rejects with a 422 listing only the detected entity names, and `log` records a warning and forwards the request unchanged."
+            },
+            "mask": {
+              "type": "string",
+              "default": "[REDACTED]",
+              "examples": ["[REDACTED]"],
+              "description": "The string that replaces detected values when `action` is `mask`."
+            },
+            "minConfidence": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "default": 0.5,
+              "x-show-example": false,
+              "description": "Minimum confidence (0-1) a match must reach to count as a finding. Context-dependent recognizers (for example `finance-us-bank-account` or `finance-us-aba-routing`) sit below the default threshold of 0.5 until a context word near the match boosts them above it. Lower the threshold to surface them everywhere; raise it to keep only prefix- or checksum-validated matches."
+            },
+            "contentTypes": {
+              "type": "array",
+              "description": "Override the set of scannable content-type prefixes. When omitted, the built-in text content-type allow-list (JSON, XML, form-encoded, text/\\*) is used.",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        }
+      },
+      "examples": [
+        {
+          "export": "DataLossPreventionInboundPolicy",
+          "module": "$import(@zuplo/runtime)",
+          "options": {
+            "action": "mask",
+            "entities": ["secret", "finance", "contact-email", "id-us-ssn"],
+            "mask": "[REDACTED]"
+          }
+        }
+      ]
+    }
+  }
+}