Problem / motivation
mech_gov governs the quality and accountability of LLM decisions (hard gates, commit–reveal entropy, I6Q, ambiguity deferral), but it does not govern what data reaches the model. In high-stakes financial decisioning, case material can contain direct identifiers (names, emails, account numbers, national IDs). Sending those to a model is a data-minimization concern under GDPR Art. 5(1)(c) and maps to OWASP LLM06 (Sensitive Information Disclosure).
Proposal
Add a pre-LLM "privacy gate" primitive to the R2 pipeline that:
- reversibly tokenizes direct identifiers before the model is consulted (the model sees
{{EMAIL_1}}, never the raw value);
- mechanically DEFERs a case (fail-closed) when residual identifiers exceed a configurable budget or detection fails — consistent with the existing mechanical-gate model;
- records only counts in
DecisionResult.metadata (the reversible token map is never persisted).
Because R2 decisions are driven by risk_score and regulatory_flags — not identities — tokenization does not change decision quality.
Scope
- Stdlib-only, vendor-neutral, no new dependencies; a pluggable
PiiRecognizer allows an optional NER backend later.
- First of two changes: PR#1 adds the primitive + R2 wiring; a follow-up adds a privacy-leakage metric (alongside CDL/DIU), synthetic narrative data to exercise it end-to-end, and R1/R3 coverage via an
LLMInterface wrapper.
Happy to adjust naming and defaults to fit the project's conventions.
Problem / motivation
mech_govgoverns the quality and accountability of LLM decisions (hard gates, commit–reveal entropy, I6Q, ambiguity deferral), but it does not govern what data reaches the model. In high-stakes financial decisioning, case material can contain direct identifiers (names, emails, account numbers, national IDs). Sending those to a model is a data-minimization concern under GDPR Art. 5(1)(c) and maps to OWASP LLM06 (Sensitive Information Disclosure).Proposal
Add a pre-LLM "privacy gate" primitive to the R2 pipeline that:
{{EMAIL_1}}, never the raw value);DecisionResult.metadata(the reversible token map is never persisted).Because R2 decisions are driven by
risk_scoreandregulatory_flags— not identities — tokenization does not change decision quality.Scope
PiiRecognizerallows an optional NER backend later.LLMInterfacewrapper.Happy to adjust naming and defaults to fit the project's conventions.