feat(pii): NER tier engine — privacy-filter.cpp backend + NER-centric PII filter (#10360)

Squashed feat/pii-ner-tier-engine rebased onto master (was 45 commits; see
backup/pii-ner-tier-engine-prerebase). Net change:

- privacy-filter.cpp: standalone GGML engine for the openai-privacy-filter
  PII/NER token classifier, wired as a LocalAI gRPC backend (CPU/CUDA/Vulkan).
  TokenClassify moves off the patched llama.cpp path onto this backend.
- PII filter reworked to be NER-centric (encoder/NER detection tier scanning
  whole conversations as one document), with a recreated bounded restricted-
  regex secret-matching pattern detector tier alongside it (per-model
  pii_detection.builtins / .patterns + core/services/routing/piipattern).
- Detection labelled by source (ner vs pattern); backend trace / confidence /
  debug observability; analyze/redact exposed as a synchronous API.
- Instance-wide default detector policy + per-usecase default-on; request
  filtering extended to completions, embeddings, edits & Ollama.
- React UI: NER-centric PII editor, detector-models table, pattern/builtins
  editor, middleware default-policy UI.
- Gallery: privacy-filter-multilingual token-classify model + NER install
  filter; token_classify known_usecase; batch sized to context for NER models.
  privacy-filter backend registered in the backend gallery (cpu/vulkan/cuda-13
  meta + image entries with a capabilities map) matching its CI matrix jobs,
  and an /import-model auto-detect importer (PrivacyFilterImporter, narrow
  privacy-filter GGUF detection) replacing the prior pref-only registration.

Reconciled against master's independent evolution:

- Dropped master's PIIPatternOverrides feature (global-pattern runtime
  overrides + /api/pii/patterns API + runtime_settings.json persistence). The
  per-model NER + pattern-detector design supersedes it; it was built on the
  global redactor pattern set this branch replaced.
- Reverted the llama.cpp Score carry-patch (0006-server-task-type-score):
  removed the patch and restored master's grpc-server.cpp Score RPC (direct
  llama_decode, slot-loop bypass) and LLAMA_VERSION pin, plus master's
  model_config validation forbidding score + chat/completion/embeddings on
  llama-cpp. token_classify is unaffected (it runs on the privacy-filter
  backend, not llama-cpp).

Assisted-by: Claude:claude-opus-4-8 [Claude Code]

Signed-off-by: Richard Palethorpe <io@richiejp.com>

tests/e2e/cloud_proxy_helpers_test.go

@@ -184,23 +184,11 @@ func nonStreamingOpenAIToolCallScript() (status int, body string, contentType st
 	return 200, `{"id":"chatcmpl-y","choices":[{"index":0,"message":{"role":"assistant","content":"","tool_calls":[{"id":"call_lookup","type":"function","function":{"name":"lookup","arguments":"{\"q\":\"clouds\"}"}}]},"finish_reason":"tool_calls"}],"usage":{"prompt_tokens":12,"completion_tokens":7,"total_tokens":19}}`, "application/json"
 }
 
-// emailLeakOpenAIScript returns a non-streaming response containing an
-// email address. The streaming PII filter doesn't apply to buffered
-// responses, but the response is JSON the client receives unchanged —
-// used to verify the wire path without PII assertions. The streaming
-// PII variant uses an SSE response.
-func emailLeakOpenAIStreamingScript() (status int, body string, contentType string) {
-	frames := []string{
-		`{"choices":[{"index":0,"delta":{"content":"contact alice@"}}]}`,
-		`{"choices":[{"index":0,"delta":{"content":"example.com please"}}]}`,
-		`{"choices":[{"index":0,"delta":{},"finish_reason":"stop"}]}`,
-	}
-	var b strings.Builder
-	for _, f := range frames {
-		b.WriteString("data: ")
-		b.WriteString(f)
-		b.WriteString("\n\n")
-	}
-	b.WriteString("data: [DONE]\n\n")
-	return 200, b.String(), "text/event-stream"
-}
+// leakedAnthropicKey is a synthetic Anthropic API key (sk-ant-… shape) used by
+// the translate-mode PII test: the client sends it inside a user message and
+// the request-side pattern detector (anthropic_api_key builtin, which matches
+// sk-ant-[A-Za-z0-9_-]{20,}) must catch it and block the request before the
+// cloud-proxy forwards anything upstream. An email is deliberately not used —
+// the pattern tier rejects open-ended shapes (that's the NER tier's job, and
+// the NER model can't run in this hermetic suite).
+const leakedAnthropicKey = "sk-ant-api03-ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"

tests/e2e/e2e_cloud_proxy_test.go

@@ -225,36 +225,31 @@ var _ = Describe("Cloud-proxy backend E2E", func() {
 	})
 
 	Context("Translate mode + PII filter", func() {
-		It("applies the streaming PII filter to translate-mode content", func() {
-			// Default PII config redacts email addresses. Split the
-			// email across two SSE deltas so the filter has to buffer
-			// the partial match — proves the streaming filter is wired
-			// up in translate mode, not just passthrough.
+		It("blocks request-side secrets before they reach the upstream", func() {
+			// Our NER/pattern PII tier is request-side by design: it scans
+			// inbound content, not upstream responses. cp-translate-openai
+			// wires the in-process pattern detector (e2e-secret-filter, block
+			// action), so a leaked secret in the user's message must trip the
+			// request-side filter and the request must be rejected before the
+			// cloud-proxy ever forwards it to the provider.
+			var upstreamHit bool
 			cpOpenAIUpstream.SetScript(func([]byte) (int, string, string) {
-				return emailLeakOpenAIStreamingScript()
+				upstreamHit = true
+				return 200, `{"id":"x","choices":[{"index":0,"message":{"role":"assistant","content":"ok"},"finish_reason":"stop"}],"usage":{"prompt_tokens":1,"completion_tokens":1,"total_tokens":2}}`, "application/json"
 			})
 
 			cp := openai.NewClient(option.WithBaseURL(apiURL))
-			stream := cp.Chat.Completions.NewStreaming(context.TODO(), openai.ChatCompletionNewParams{
+			_, err := cp.Chat.Completions.New(context.TODO(), openai.ChatCompletionNewParams{
 				Model: "cp-translate-openai",
 				Messages: []openai.ChatCompletionMessageParamUnion{
-					openai.UserMessage("share contact info"),
+					openai.UserMessage("my key is " + leakedAnthropicKey + " please keep it"),
 				},
 			})
-
-			var assembled strings.Builder
-			for stream.Next() {
-				for _, ch := range stream.Current().Choices {
-					assembled.WriteString(ch.Delta.Content)
-				}
-			}
-			Expect(stream.Err()).NotTo(HaveOccurred())
-			out := assembled.String()
-			// If PII is wired up, the email is redacted before reaching
-			// the client. If not, "alice@example.com" leaks through.
-			// This is the lock-in test for gap #3.
-			Expect(out).NotTo(ContainSubstring("alice@example.com"),
-				"email leaked through translate-mode stream — PII filter not applied")
+			// Lock-in: request-side PII fires in translate mode, the request is
+			// rejected by content policy, and the secret never leaves the box.
+			Expect(err).To(HaveOccurred(), "request carrying a leaked secret must be rejected")
+			Expect(err.Error()).To(ContainSubstring("pii_blocked"))
+			Expect(upstreamHit).To(BeFalse(), "blocked request must not reach the upstream provider")
 		})
 	})
 })

tests/e2e/e2e_suite_test.go

@@ -458,6 +458,27 @@ var _ = BeforeSuite(func() {
 					"upstream_url": cpOpenAIUpstream.URL() + "/v1/chat/completions",
 					"api_key_env":  "CLOUD_PROXY_E2E_OPENAI_KEY",
 				},
+				// Wire the in-process pattern detector so the streaming PII
+				// filter has something to redact in translate mode. The NER
+				// tier needs the privacy-filter model (unavailable in this
+				// hermetic suite); the pattern tier runs in-process with no
+				// backend load, so it's what exercises the streaming plumbing.
+				"pii": map[string]any{
+					"detectors": []string{"e2e-secret-filter"},
+				},
+			},
+			{
+				// In-process pattern detector: backend "pattern" is resolved by
+				// the PII NER resolver directly from this config (no backend is
+				// ever loaded). It matches high-entropy anchored secrets;
+				// cp-translate-openai references it above via pii.detectors.
+				"name":           "e2e-secret-filter",
+				"backend":        "pattern",
+				"known_usecases": []string{"token_classify"},
+				"pii_detection": map[string]any{
+					"default_action": "block",
+					"builtins":       []string{"anthropic_api_key", "openai_api_key"},
+				},
 			},
 			{
 				"name":    "cp-translate-anthropic",