Security features.
Secret detection, PII filtering, content redaction, and audit logging.
§Overview
This module provides security features for protecting sensitive content:
- Secret Detection: Identifies API keys, tokens, credentials in content
- PII Detection: Finds personally identifiable information
- Content Redaction: Masks or removes sensitive content before storage
- Audit Logging: SOC2/GDPR-compliant event logging
§Redaction Patterns
§Secret Patterns
| Pattern | Regex | Example |
|---|---|---|
| AWS Access Key | AKIA[0-9A-Z]{16} | AKIAIOSFODNN7EXAMPLE |
| AWS Secret Key | aws_secret_access_key\s*=\s*[A-Za-z0-9/+=]{40} | aws_secret_key = wJalrXUtnFEMI... |
| GitHub Token | gh[pousr]_[A-Za-z0-9_]{36,} | ghp_xxxxxxxxxxxx... |
| GitHub PAT | github_pat_[A-Za-z0-9_]{22,} | github_pat_xxxxx... |
| Generic API Key | api[_-]?key\s*[=:]\s*[A-Za-z0-9_\-]{24,} | api_key = sk-xxxxx... |
| Generic Secret | (?:secret|password)\s*[=:]\s*[^\s]{8,} | password = mypassword |
| Private Key | -----BEGIN (?:RSA )?PRIVATE KEY----- | PEM headers |
| JWT | eyJ[...].eyJ[...].[...] | Base64-encoded JWT |
| Slack Token | xox[baprs]-[0-9]{10,13}-... | xoxb-123456789012-... |
| Slack Webhook | https://hooks.slack.com/services/T.../B.../... | Webhook URLs |
| Google API Key | AIza[0-9A-Za-z_-]{35} | AIzaSyC... |
| Stripe Key | (?:sk|pk)_(?:live|test)_[A-Za-z0-9]{24,} | sk_live_xxxxx... |
| Database URL | (?:postgres|mysql)://user:pass@host | Connection strings |
| Bearer Token | bearer\s+[A-Za-z0-9_\-.]{20,} | Bearer eyJhbGci... |
| OpenAI API Key | sk-[A-Za-z0-9]{48} | sk-xxxxxxxx... |
| Anthropic API Key | sk-ant-api[A-Za-z0-9_-]{90,} | sk-ant-api03-xxx... |
§PII Patterns
| Pattern | Regex | Example |
|---|---|---|
| Email Address | [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,} | user@example.com |
| SSN | \d{3}-\d{2}-\d{4} | 123-45-6789 |
| Phone Number | \(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4} | (555) 123-4567 |
| Credit Card | 4[0-9]{12}(?:[0-9]{3})? (Visa) | 4111111111111111 |
| IP Address | (?:\d{1,3}\.){3}\d{1,3} | 192.168.1.1 |
| Date of Birth | (?:dob|birth\s*date)\s*[:=]?\s*\d{1,2}[/-]\d{1,2}[/-]\d{2,4} | DOB: 01/15/1990 |
| ZIP Code | \d{5}(?:-\d{4})? | 90210 |
| Driver’s License | (?:driver's?\s*license|dl)\s*#?\s*[A-Z0-9]{6,12} | DL: D12345678 |
| Passport | passport\s*#?\s*[A-Z0-9]{6,9} | Passport: AB123456 |
§Redaction Modes
| Mode | Output | Example |
|---|---|---|
| Mask (default) | [REDACTED] | Key: [REDACTED] |
| TypedMask | [REDACTED:TYPE] | Key: [REDACTED:AWS_ACCESS_KEY_ID] |
| Asterisks | ****... | Key: ******************** |
| Remove | (empty) | Key: |
§Usage
```rust
use subcog::security::{ContentRedactor, RedactionConfig, RedactionMode, SecretDetector};

// Basic secret detection
let detector = SecretDetector::new();
assert!(detector.contains_secrets("AKIAIOSFODNN7EXAMPLE"));

// Redact secrets with custom mode
let config = RedactionConfig::new()
    .with_mode(RedactionMode::TypedMask)
    .with_pii(); // Also redact PII
let redactor = ContentRedactor::with_config(config);
let redacted = redactor.redact("Key: AKIAIOSFODNN7EXAMPLE");
assert!(redacted.contains("[REDACTED:AWS_ACCESS_KEY_ID]"));
```
§False Positive Prevention
Generic patterns (API keys, secrets, bearer tokens) include placeholder filtering:
```rust
use subcog::security::SecretDetector;

let detector = SecretDetector::new();
// Placeholders are NOT flagged
assert!(!detector.contains_secrets("api_key = your_api_key_here"));
assert!(!detector.contains_secrets("api_key = example_key_12345678"));
```
Filtered placeholder patterns: example, test, demo, your_, placeholder, changeme, xxx, foo, bar, sample, fake, dummy, mock.
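The redaction modes and the placeholder filter described above, as an added std-only Rust example that is not subcog's own code: it hand-implements two rows of the secret table (AWS access key, generic API key) instead of using the regex crate, and the function names, the match span (key name plus value for the generic pattern) and the label GENERIC_API_KEY are this example's assumptions; only AWS_ACCESS_KEY_ID comes from the page.

```rust
// Added example, not subcog's own code: a std-only sketch of two table rows above
// (AWS access key, generic API key), the placeholder filter, and the four modes.
#[derive(Clone, Copy)] pub enum RedactionMode { Mask, TypedMask, Asterisks, Remove }
/// Placeholder fragments from the page; a generic match whose value contains one is dropped.
const PLACEHOLDERS: [&str; 13] = ["example", "test", "demo", "your_", "placeholder",
    "changeme", "xxx", "foo", "bar", "sample", "fake", "dummy", "mock"];
/// api[_-]?key\s*[=:]\s*[A-Za-z0-9_\-]{24,} anchored at offset i -> Some((value_start, end)).
fn match_generic(b: &[u8], i: usize) -> Option<(usize, usize)> {
    let lower = |k: usize| b.get(k).map(u8::to_ascii_lowercase);
    let skip_ws = |mut k: usize| { while b.get(k).map_or(false, u8::is_ascii_whitespace) { k += 1; } k };
    if (lower(i)?, lower(i + 1)?, lower(i + 2)?) != (b'a', b'p', b'i') { return None; }
    let mut j = if matches!(b.get(i + 3), Some(b'_') | Some(b'-')) { i + 4 } else { i + 3 };
    if (lower(j)?, lower(j + 1)?, lower(j + 2)?) != (b'k', b'e', b'y') { return None; }
    j = skip_ws(j + 3);
    if !matches!(b.get(j), Some(b'=') | Some(b':')) { return None; }
    let start = skip_ws(j + 1); j = start;
    while b.get(j).map_or(false, |c| c.is_ascii_alphanumeric() || *c == b'_' || *c == b'-') { j += 1; }
    (j - start >= 24).then_some((start, j))
}
/// Matches as (start, end, type label); label strings are assumed, not subcog's. AKIA[0-9A-Z]{16}
/// is never placeholder-filtered (AKIAIOSFODNN7EXAMPLE must still hit); the generic pattern is.
pub fn find_secrets(text: &str) -> Vec<(usize, usize, &'static str)> {
    let (b, mut out, mut i) = (text.as_bytes(), Vec::new(), 0);
    while i < b.len() {
        let aws = b.len() - i >= 20 && &b[i..i + 4] == b"AKIA"
            && b[i + 4..i + 20].iter().all(|c| c.is_ascii_digit() || c.is_ascii_uppercase());
        let (end, kind) = if aws { (i + 20, Some("AWS_ACCESS_KEY_ID")) }
            else if let Some((vs, end)) = match_generic(b, i) {
                let v = text[vs..end].to_ascii_lowercase();
                (end, (!PLACEHOLDERS.iter().any(|p| v.contains(*p))).then_some("GENERIC_API_KEY"))
            } else { (i + 1, None) };
        if let Some(kind) = kind { out.push((i, end, kind)); } i = end;
    }
    out
}
/// Applies one of the four redaction modes from the table above to every match.
pub fn redact(text: &str, mode: RedactionMode) -> String {
    let (mut out, mut last) = (String::new(), 0);
    for (start, end, kind) in find_secrets(text) {
        out.push_str(&text[last..start]);
        match mode {
            RedactionMode::Mask => out.push_str("[REDACTED]"),
            RedactionMode::TypedMask => out.push_str(&format!("[REDACTED:{kind}]")),
            RedactionMode::Asterisks => out.push_str(&"*".repeat(end - start)),
            RedactionMode::Remove => {}
        }
        last = end;
    }
    out + &text[last..]
}
```

Because the AWS pattern is a fixed prefix plus 16 uppercase alphanumerics, it is left out of placeholder filtering on purpose; the filter only makes sense for patterns whose value is free text.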
§Graceful Degradation
All detection is performed locally without external dependencies:
- No network calls required
- No LLM fallback needed
- Regex patterns are statically compiled at startup
- Detection completes in <5ms for typical content
Re-exports§
pub use encryption::EncryptionConfig;
pub use encryption::Encryptor;
pub use encryption::is_encrypted;
pub use rbac::AccessControl;
pub use rbac::AccessResult;
pub use rbac::Permission;
pub use rbac::PermissionCategory;
pub use rbac::RbacSummary;
pub use rbac::Role;
pub use rbac::RoleSummary;
Modules§
- audit 🔒 - Audit logging.
- encryption - Encryption at rest for filesystem storage (CRIT-005).
- pii 🔒 - PII detection.
- rbac - Role-Based Access Control (RBAC) Foundation.
- redactor 🔒 - Content redaction.
- secrets 🔒 - Secret detection patterns.
Structs§
- AccessReviewReport - Access review report for SOC2 compliance.
- ActorAccessSummary - Summary of access events for a single actor.
- AuditConfig - Audit logger configuration.
- AuditEntry - Audit log entry.
- AuditLogger - Audit logger for SOC2/GDPR compliance.
- ContentRedactor - Redacts sensitive content from text.
- OutcomeSummary - Summary of outcomes across all events.
- PiiDetector - Detector for personally identifiable information.
- PiiMatch - A detected PII match.
- RedactionConfig - Configuration for content redaction.
- SecretDetector - Detector for secrets in content.
- SecretMatch - A detected secret match.
Enums§
- AuditOutcome - Outcome of an audited action.
- RedactionMode - Redaction mode.
Functions§
- global_logger - Returns the global audit logger, if initialized.
- init_global - Initializes the global audit logger.
- record_event - Records a memory event through the global audit logger.