PIINERResolver returns the resolver the chat PII middleware uses to turn a configured detector model name into a ready-to-use NERConfig: a token-classifier bound over the shared model loader (lazy — the model loads on first Detect) plus the detection policy read from that model's own pii_detection b
()
| 267 | // model's own pii_detection block. Unknown names resolve to (zero, |
| 268 | // false) so the middleware fails closed. Pass it via pii.WithNERResolver. |
| 269 | func (a *Application) PIINERResolver() pii.NERDetectorResolver { |
| 270 | return func(modelName string) (pii.NERConfig, bool) { |
| 271 | if modelName == "" { |
| 272 | return pii.NERConfig{}, false |
| 273 | } |
| 274 | cfg, ok := a.ModelConfigLoader().GetModelConfig(modelName) |
| 275 | if !ok { |
| 276 | return pii.NERConfig{}, false |
| 277 | } |
| 278 | |
| 279 | // Pattern detectors match secrets with the restricted-regex tier |
| 280 | // in-process (no backend load). Build a pattern matcher instead of the |
| 281 | // gRPC token-classifier; on a compile error fail closed with an error |
| 282 | // detector so the request is blocked, not silently unscanned. |
| 283 | if cfg.IsPatternDetector() { |
| 284 | det, err := piidetector.NewPattern(cfg, a.ApplicationConfig()) |
| 285 | if err != nil { |
| 286 | det = pii.NewErrNERDetector(err.Error()) |
| 287 | } |
| 288 | return pii.NERConfigFromRaw( |
| 289 | det, |
| 290 | 0, // patterns are deterministic — no confidence floor |
| 291 | cfg.PIIDetectionDefaultAction(), |
| 292 | patternEntityActions(cfg), |
| 293 | pii.SourcePattern, |
| 294 | ), true |
| 295 | } |
| 296 | |
| 297 | det := piidetector.New(a.ModelLoader(), cfg, a.ApplicationConfig()) |
| 298 | return pii.NERConfigFromRaw( |
| 299 | det, |
| 300 | cfg.PIIDetectionMinScore(), |
| 301 | cfg.PIIDetectionDefaultAction(), |
| 302 | cfg.PIIDetectionEntityActions(), |
| 303 | pii.SourceNER, |
| 304 | ), true |
| 305 | } |
| 306 | } |
| 307 | |
| 308 | // patternEntityActions merges a pattern detector's per-pattern Action overrides |
| 309 | // into its entity_actions map. A pattern reports matches under its Name, so a |
no test coverage detected