Add mask outcome for non-blocking data redaction

New PolicyOutcome "mask" that redacts sensitive data instead of
blocking. Includes masking helpers, presets (maskSensitiveOutput,
maskOutputPattern), and maskedText field on EnforcementDecision.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: scotty595

packages/governance/package.json

@@ -1,6 +1,6 @@
 {
   "name": "governance-sdk",
-  "version": "0.5.2",
+  "version": "0.6.0",
   "description": "AI Agent Governance for TypeScript — policy enforcement, scoring, compliance, and audit for AI agents",
   "type": "module",
   "main": "./dist/index.js",

packages/governance/src/dry-run.ts

@@ -62,6 +62,7 @@ export interface DryRunSummary {
   wouldAllow: number;
   wouldRequireApproval: number;
   wouldWarn: number;
+  wouldMask: number;
   blockRate: number;
   rulesTriggered: string[];
 }
@@ -129,6 +130,7 @@ export async function dryRun(
   let wouldAllow = 0;
   let wouldRequireApproval = 0;
   let wouldWarn = 0;
+  let wouldMask = 0;
 
   for (const action of scenario.actions) {
     const ctx = {
@@ -164,6 +166,8 @@ export async function dryRun(
       wouldBlock++;
     } else if (decision.outcome === "warn") {
       wouldWarn++;
+    } else if (decision.outcome === "mask") {
+      wouldMask++;
     } else {
       wouldAllow++;
     }
@@ -182,6 +186,7 @@ export async function dryRun(
       wouldAllow,
       wouldRequireApproval,
       wouldWarn,
+      wouldMask,
       blockRate: totalActions > 0 ? wouldBlock / totalActions : 0,
       rulesTriggered: [...rulesTriggered],
     },

packages/governance/src/index.ts

@@ -391,6 +391,7 @@ export { RemoteEnforcementError } from "./remote-enforce.js";
 export { composePolicies, securityBaseline, complianceOverlay, platformDefaults } from "./policy-compose.js";
 export type { PolicySet, ConflictStrategy, ComposeConfig, ComposeResult, PolicyConflict } from "./policy-compose.js";
 export { getDefaultStage } from "./policy-stage-defaults.js";
-export { inputBlocklist, inputLength, inputPattern, networkAllowlist, scopeBoundary, costBudget, concurrentLimit, outputLength, outputPattern, sensitiveDataFilter } from "./policy-presets-extended.js";
+export { inputBlocklist, inputLength, inputPattern, networkAllowlist, scopeBoundary, costBudget, concurrentLimit, outputLength, outputPattern, sensitiveDataFilter, maskSensitiveOutput, maskOutputPattern } from "./policy-presets-extended.js";
 export { SENSITIVE_PATTERNS, getSensitivePatterns } from "./conditions/sensitive-patterns.js";
 export type { SensitivePattern } from "./conditions/sensitive-patterns.js";
+export { maskSensitiveData, maskPattern, maskBlocklistTerms } from "./mask.js";

packages/governance/src/mask.ts

@@ -0,0 +1,50 @@
+/**
+ * Masking helpers — redact sensitive data instead of blocking.
+ *
+ * Used by the policy engine when a rule's outcome is "mask".
+ * Applies the same detection patterns as the condition evaluators
+ * but replaces matched content with [REDACTED].
+ */
+
+import { getSensitivePatterns } from "./conditions/sensitive-patterns.js";
+
+const REDACTED = "[REDACTED]";
+
+/**
+ * Mask sensitive data detected by the built-in sensitive_data_filter patterns.
+ * Returns the text with all matches replaced by [REDACTED].
+ */
+export function maskSensitiveData(text: string, patternIds?: string[]): string {
+  const patterns = getSensitivePatterns(patternIds);
+  let result = text;
+  for (const p of patterns) {
+    // Clone with global flag to replace all occurrences
+    const global = new RegExp(p.pattern.source, p.pattern.flags.includes("g") ? p.pattern.flags : p.pattern.flags + "g");
+    result = result.replace(global, REDACTED);
+  }
+  return result;
+}
+
+/**
+ * Mask text matching a custom regex pattern.
+ * Used for output_pattern / input_pattern conditions with mask outcome.
+ */
+export function maskPattern(text: string, pattern: string, flags?: string): string {
+  const f = flags ?? "";
+  const global = new RegExp(pattern, f.includes("g") ? f : f + "g");
+  return text.replace(global, REDACTED);
+}
+
+/**
+ * Mask blocklisted terms in text.
+ * Used for blocklist condition with mask outcome.
+ */
+export function maskBlocklistTerms(text: string, terms: string[]): string {
+  let result = text;
+  for (const term of terms) {
+    const escaped = term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const regex = new RegExp(escaped, "gi");
+    result = result.replace(regex, REDACTED);
+  }
+  return result;
+}

packages/governance/src/policy-presets-extended.ts

@@ -146,3 +146,31 @@ export function sensitiveDataFilter(patterns?: string[], reason?: string): Polic
     stage: "postprocess",
   };
 }
+
+/** Mask (redact) leaked credentials/keys instead of blocking */
+export function maskSensitiveOutput(patterns?: string[], reason?: string): PolicyRule {
+  return {
+    id: `mask-sensitive-data`,
+    name: `Mask sensitive data`,
+    condition: { type: "sensitive_data_filter", params: { patterns } },
+    outcome: "mask",
+    reason: reason ?? `Sensitive data redacted from output`,
+    priority: 95,
+    enabled: true,
+    stage: "postprocess",
+  };
+}
+
+/** Mask (redact) patterns in output instead of blocking */
+export function maskOutputPattern(pattern: string, flags?: string, reason?: string): PolicyRule {
+  return {
+    id: `mask-output-pattern-${pattern.slice(0, 20).replace(/[^a-z0-9]/gi, "")}`,
+    name: `Mask output pattern: /${pattern}/`,
+    condition: { type: "output_pattern", params: { pattern, flags } },
+    outcome: "mask",
+    reason: reason ?? `Output pattern redacted`,
+    priority: 90,
+    enabled: true,
+    stage: "postprocess",
+  };
+}

packages/governance/src/policy.test.ts

@@ -492,3 +492,76 @@ describe("decision metadata", () => {
     assert.equal(d.rulesEvaluated, 2);
   });
 });
+
+describe("mask outcome", () => {
+  test("mask outcome is non-blocking", () => {
+    const engine = createPolicyEngine({
+      rules: [makeRule({ outcome: "mask" })],
+    });
+    const d = engine.evaluate(makeCtx({ tool: "danger" }));
+    assert.equal(d.blocked, false);
+    assert.equal(d.outcome, "mask");
+  });
+
+  test("mask populates maskedText for sensitive_data_filter", () => {
+    const engine = createPolicyEngine({
+      rules: [makeRule({
+        condition: { type: "sensitive_data_filter", params: {} },
+        outcome: "mask",
+        reason: "Sensitive data masked",
+        stage: "postprocess",
+      })],
+    });
+    const d = engine.evaluateStage(
+      makeCtx({ outputText: "Here is your key: sk-proj-abc123def456ghi789jkl" }),
+      "postprocess",
+    );
+    assert.equal(d.outcome, "mask");
+    assert.equal(d.blocked, false);
+    assert.ok(d.maskedText);
+    assert.ok(!d.maskedText!.includes("sk-proj-"), "API key should be redacted");
+    assert.ok(d.maskedText!.includes("[REDACTED]"), "Should contain [REDACTED]");
+  });
+
+  test("mask populates maskedText for output_pattern", () => {
+    const engine = createPolicyEngine({
+      rules: [makeRule({
+        condition: { type: "output_pattern", params: { pattern: "\\b\\d{3}-\\d{2}-\\d{4}\\b" } },
+        outcome: "mask",
+        reason: "SSN masked",
+        stage: "postprocess",
+      })],
+    });
+    const d = engine.evaluateStage(
+      makeCtx({ outputText: "SSN is 123-45-6789 thanks" }),
+      "postprocess",
+    );
+    assert.equal(d.outcome, "mask");
+    assert.ok(d.maskedText);
+    assert.ok(!d.maskedText!.includes("123-45-6789"), "SSN should be redacted");
+  });
+
+  test("mask does not populate maskedText when no text available", () => {
+    const engine = createPolicyEngine({
+      rules: [makeRule({
+        condition: { type: "tool_blocked", params: { tools: ["danger"] } },
+        outcome: "mask",
+      })],
+    });
+    const d = engine.evaluate(makeCtx({ tool: "danger" }));
+    assert.equal(d.outcome, "mask");
+    // maskedText may be undefined when there's no text to mask
+  });
+
+  test("block outcome takes priority over mask at same level", () => {
+    const engine = createPolicyEngine({
+      rules: [
+        makeRule({ id: "block-rule", outcome: "block", priority: 100 }),
+        makeRule({ id: "mask-rule", outcome: "mask", priority: 50 }),
+      ],
+    });
+    const d = engine.evaluate(makeCtx({ tool: "danger" }));
+    assert.equal(d.outcome, "block");
+    assert.equal(d.blocked, true);
+  });
+});

packages/governance/src/policy.ts

@@ -7,6 +7,7 @@
 
 import { getBuiltinConditions } from "./conditions/builtins.js";
 import { getDefaultStage } from "./policy-stage-defaults.js";
+import { maskSensitiveData, maskPattern, maskBlocklistTerms } from "./mask.js";
 
 // ─── Types ──────────────────────────────────────────────────────
 
@@ -20,7 +21,7 @@ export type PolicyAction =
   | "payment"
   | "custom";
 
-export type PolicyOutcome = "allow" | "block" | "warn" | "require_approval";
+export type PolicyOutcome = "allow" | "block" | "warn" | "require_approval" | "mask";
 
 export type PolicyStage = "preprocess" | "process" | "postprocess";
 
@@ -80,6 +81,8 @@ export interface EnforcementDecision {
   outcome: PolicyOutcome;
   evaluatedAt: string;
   rulesEvaluated: number;
+  /** Redacted text when outcome is "mask" — the transformed version with sensitive data replaced */
+  maskedText?: string;
 }
 
 // ─── Condition Registry ─────────────────────────────────────────
@@ -179,19 +182,43 @@ export function createPolicyEngine(config: PolicyEngineConfig = {}): PolicyEngin
   const rules: PolicyRule[] = [...(config.rules ?? [])];
   const defaultOutcome = config.defaultOutcome ?? "allow";
 
+  /** Compute masked text when outcome is "mask" based on the condition type and context. */
+  function computeMaskedText(rule: PolicyRule, ctx: EnforcementContext): string | undefined {
+    const { type, params } = rule.condition;
+    const text = ctx.outputText ?? (ctx.input?.prompt as string | undefined) ?? "";
+    if (!text) return undefined;
+
+    if (type === "sensitive_data_filter") {
+      return maskSensitiveData(text, params.patterns as string[] | undefined);
+    }
+    if (type === "output_pattern" || type === "input_pattern") {
+      return maskPattern(text, params.pattern as string, params.flags as string | undefined);
+    }
+    if (type === "blocklist") {
+      return maskBlocklistTerms(text, params.terms as string[]);
+    }
+    // Fallback: return text unchanged (condition detected something but we don't know how to mask)
+    return text;
+  }
+
+  function buildDecision(rule: PolicyRule, ctx: EnforcementContext, rulesEvaluated: number): EnforcementDecision {
+    return {
+      blocked: rule.outcome === "block" || rule.outcome === "require_approval",
+      reason: rule.reason,
+      ruleId: rule.id,
+      outcome: rule.outcome,
+      evaluatedAt: new Date().toISOString(),
+      rulesEvaluated,
+      ...(rule.outcome === "mask" ? { maskedText: computeMaskedText(rule, ctx) } : {}),
+    };
+  }
+
   function evaluate(ctx: EnforcementContext): EnforcementDecision {
     const active = rules.filter((r) => r.enabled).sort((a, b) => b.priority - a.priority);
 
     for (const rule of active) {
       if (evaluateCondition(rule.condition, ctx)) {
-        return {
-          blocked: rule.outcome === "block" || rule.outcome === "require_approval",
-          reason: rule.reason,
-          ruleId: rule.id,
-          outcome: rule.outcome,
-          evaluatedAt: new Date().toISOString(),
-          rulesEvaluated: active.length,
-        };
+        return buildDecision(rule, ctx, active.length);
       }
     }
 
@@ -223,14 +250,7 @@ export function createPolicyEngine(config: PolicyEngineConfig = {}): PolicyEngin
 
     for (const rule of active) {
       if (evaluateCondition(rule.condition, ctx)) {
-        return {
-          blocked: rule.outcome === "block" || rule.outcome === "require_approval",
-          reason: rule.reason,
-          ruleId: rule.id,
-          outcome: rule.outcome,
-          evaluatedAt: new Date().toISOString(),
-          rulesEvaluated: active.length,
-        };
+        return buildDecision(rule, ctx, active.length);
       }
     }