We need the ability to mark resource properties as sensitive during catalog compilation, but we don't have a good way of passing the planned data type all the way through Puppet. There are two issues - we can't serialize catalogs with rich data types to JSON and the Puppet RAL doesn't know how to unpack sensitive data types.
The current PSON catalog serialization format is restricted to basic JSON types. There's no readily available way to attach metadata to values in a JSON document or extend information on some object directly; the structure of the document itself must be changed to incorporate metadata. This means that in order to serialize this sensitive context for properties we need to include this on resources that have sensitive properties.
As an interim solution to this, we can add a per-resource field to contain this information; either an implementation specific sensitive key or a general metadata key that can include such information as sensitive. This information would be serialized for each resource when the catalog is serialized, would be transported within Puppet::Resource objects, and that information would be carried along when a Puppet::Resource object was converted to a Puppet::Type object.