# S38-011 Assumptions — PII Redaction Utility

## What was implemented

`PiiRedaction.php` — static utility class that scrubs Malaysian PII patterns from strings and nested arrays.

- `PiiRedaction::scrub(string): string` — redacts IC numbers, email addresses, phone numbers, bank account numbers
- `PiiRedaction::scrubDeep(mixed): mixed` — recursively scrubs arrays (suitable for log context payloads)
- 17 unit tests covering each PII type, multi-type strings, nested arrays, and edge cases

## PII Patterns Covered

| Pattern | Regex trigger | Replacement |
|---|---|---|
| Malaysian IC (MyKad) | `\d{6}-\d{2}-\d{4}` | `[REDACTED-IC]` |
| Email address | Standard RFC-like pattern | `[REDACTED-EMAIL]` |
| Malaysian phone (E.164 / local) | `+60` or `01x` prefix | `[REDACTED-PHONE]` |
| Bank account number | 10–16 consecutive digits | `[REDACTED-BANK]` |

## Assumptions

- **AC mismatch:** PDPA-SYS-01 describes breach detection workflow. This task implements the PII scrubbing utility only — breach detection is out of scope for `files_touched`.
- **Wiring not included:** `PiiRedaction::scrubDeep()` should be called in Sentry's `beforeSend` callback and in audit log payloads. That wiring is in separate tasks (Sentry config = ops task, audit log usage = individual domain models). This class provides the tool; callers will be wired in later sprints.
- **Bank account pattern conservative:** 10–16 digit sequences. This may over-match some reference numbers. A more precise pattern would require knowing the specific bank account format per financial institution — using a broad pattern is the safe default.
- **IC format without hyphens not redacted as IC:** The regex targets `######-##-####` (hyphenated format only). Unhyphenated IC strings (`############`, 12 digits) fall through to the bank account pattern instead, so they are replaced with `[REDACTED-BANK]` rather than `[REDACTED-IC]`. This is documented but acceptable for log scrubbing: the main exposure risk is copy-pasted IC strings, which typically include hyphens.
- **No `// platform-scoped` comment needed:** `PiiRedaction` is a pure static utility class — no model, no tenant scope.
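
The pattern interactions described in the assumptions above (unhyphenated IC falling through to the bank pattern, the broad bank pattern over-matching reference numbers) can be reproduced with a small sketch. This is an added example, not the project's `PiiRedaction.php`: the class name `PiiScrubSketch`, the email and phone regexes, the digit boundaries, the pattern order, the fail-closed placeholder and all sample values are assumptions; only the IC and bank digit patterns and the replacement labels come from the table.

```php
<?php
declare(strict_types=1);

// Added sketch, not the project's PiiRedaction.php. Email/phone regexes,
// digit boundaries and pattern order are assumptions (see lead-in).
final class PiiScrubSketch
{
    // Order matters: the broad bank pattern runs last, otherwise it would
    // swallow digit runs that belong to a more specific type (e.g. phones).
    private const PATTERNS = [
        '/(?<!\d)\d{6}-\d{2}-\d{4}(?!\d)/'                      => '[REDACTED-IC]',
        '/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/'      => '[REDACTED-EMAIL]',
        '/(?<!\d)(?:\+601|01)\d[-\s]?\d{3,4}[-\s]?\d{4}(?!\d)/' => '[REDACTED-PHONE]',
        '/(?<!\d)\d{10,16}(?!\d)/'                              => '[REDACTED-BANK]',
    ];

    public static function scrub(string $text): string
    {
        foreach (self::PATTERNS as $regex => $replacement) {
            // preg_replace() returns null on a PCRE error: fail closed, never
            // emit the raw string. The '[REDACTED]' placeholder is an assumption.
            $text = preg_replace($regex, $replacement, $text) ?? '[REDACTED]';
        }
        return $text;
    }

    public static function scrubDeep(mixed $value): mixed
    {
        if (is_string($value)) {
            return self::scrub($value);
        }
        if (is_array($value)) {
            // array_map() with one array preserves keys; keys are not scrubbed.
            return array_map([self::class, 'scrubDeep'], $value);
        }
        // Non-string scalars pass through: an IC stored as an int is not caught.
        return $value;
    }
}

// Constructed sample log context exercising each assumption.
$context = [
    'msg'  => 'IC 900101-14-5678, unhyphenated 900101145678', // second form hits the bank rule
    'user' => ['email' => 'aminah@example.com', 'phone' => '+60123456789'],
    'note' => 'order ref 2024000123456', // 13-digit reference: bank over-match
];
print_r(PiiScrubSketch::scrubDeep($context));
```

Moving the bank entry to the top of `PATTERNS` and re-running shows why ordering is part of the contract: the local-format phone `0123456789` would then be labelled as a bank account.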
