Context
TextStrategy::Tokenize was removed in alongside Pseudonymize because the existing implementation was a placeholder — it routed through the same string-substitution path as Replace, providing no actual token vault.
What's needed
Re-introduce TextStrategy::Tokenize { vault_id } (and TabularStrategy::Tokenize if scope warrants) backed by:
- Vault integration: pluggable backend (in-memory for dev; external vault for prod) keyed by
vault_id.
- Token format: opaque, non-guessable (UUID, ULID, or vault-specific).
- Reversibility: vault round-trip — given a token +
vault_id, return the original value (with auth).
leak_profile(): LeakProfile::Recoverable.
Acceptance
TextStrategy::Tokenize { vault_id: "ssn-vault" } produces opaque tokens.- Same original always produces the same token within a vault.
- Round-trip test: tokenise → look up → recover original.
- Vault config wired through
RuntimeConfig so operators can swap backends.
Why removed
Same as #241 (Pseudonymize) — placeholder routing was misleading. Removed to keep the strategy surface honest until a real vault integration lands.
Context
TextStrategy::Tokenizewas removed in alongsidePseudonymizebecause the existing implementation was a placeholder — it routed through the same string-substitution path asReplace, providing no actual token vault.What's needed
Re-introduce
TextStrategy::Tokenize { vault_id }(andTabularStrategy::Tokenizeif scope warrants) backed by:vault_id.vault_id, return the original value (with auth).leak_profile():LeakProfile::Recoverable.Acceptance
TextStrategy::Tokenize { vault_id: "ssn-vault" }produces opaque tokens.RuntimeConfigso operators can swap backends.Why removed
Same as #241 (Pseudonymize) — placeholder routing was misleading. Removed to keep the strategy surface honest until a real vault integration lands.