enterprise

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 21, 2026 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Overview

Package enterprise provides enterprise-grade features for OK: SSO, RBAC, audit exports, session persistence, air-gap mode, and metrics.

Index

Constants

This section is empty.

Variables

View Source
var DefaultRoles = map[string]Role{
	"admin":   {Name: "admin", AllowAll: true},
	"dev":     {Name: "dev", AllowReads: true, AllowWrites: true, RequireApproval: true, RequireAudit: true},
	"viewer":  {Name: "viewer", AllowReads: true},
	"auditor": {Name: "auditor", AllowReads: true, RequireAudit: true},
}

DefaultRoles maps role names to their definitions.

Functions

func AirGapMiddleware

func AirGapMiddleware(cfg AirGapConfig) func(http.Handler) http.Handler

AirGapMiddleware enforces air-gap restrictions.

func OIDCMiddleware

func OIDCMiddleware(issuerURL, clientID string) func(http.Handler) http.Handler

OIDCMiddleware validates Bearer tokens via OIDC JWKS.

func ParseRSAPublicKey

func ParseRSAPublicKey(pemData []byte) (*rsa.PublicKey, error)

Types

type AdminServer

type AdminServer struct {
	// contains filtered or unexported fields
}

AdminServer provides management REST API endpoints.

func NewAdminServer

func NewAdminServer(ctrl Controller, exporter *AuditExporter, authorizer *Authorizer, apiKey string) *AdminServer

NewAdminServer creates an admin API server.

func (*AdminServer) RegisterRoutes

func (s *AdminServer) RegisterRoutes(mux *http.ServeMux)

RegisterRoutes adds admin API endpoints to the given mux.

type AirGapConfig

type AirGapConfig struct {
	Enabled    bool     // true when running in air-gapped mode
	AllowedCAs []string // allowed certificate authorities for local PKI
}

AirGapConfig holds configuration for air-gapped (offline) mode.

type AuditEntry

type AuditEntry struct {
	Timestamp time.Time              `json:"timestamp"`
	UserID    string                 `json:"user_id"`
	Action    string                 `json:"action"`
	ToolName  string                 `json:"tool_name"`
	Subject   string                 `json:"subject"`
	Args      map[string]interface{} `json:"args,omitempty"`
	Result    string                 `json:"result"`
	ProofHash string                 `json:"proof_hash"`
}

type AuditExporter

type AuditExporter struct {
	// contains filtered or unexported fields
}

func (*AuditExporter) Add

func (e *AuditExporter) Add(entry AuditEntry)

func (*AuditExporter) ExportJSON

func (e *AuditExporter) ExportJSON() ([]byte, error)

func (*AuditExporter) ExportSplunk

func (e *AuditExporter) ExportSplunk() string

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

Authorizer checks if a user has permission to perform an action.

func NewAuthorizer

func NewAuthorizer(assignments map[string]string) *Authorizer

NewAuthorizer creates an authorizer with the given role assignments.

func (*Authorizer) CanRead

func (a *Authorizer) CanRead(userID string) bool

CanRead checks if a user can read.

func (*Authorizer) CanWrite

func (a *Authorizer) CanWrite(userID string) bool

CanWrite checks if a user can write.

type Controller

type Controller interface {
	SessionCount() int
	TotalToolCalls() int64
	TotalTokens() int64
	ListSessions() []SessionInfo
}

Controller is the minimal interface the admin server needs from control.Controller.

type Role

type Role struct {
	Name            string
	AllowAll        bool
	AllowReads      bool
	AllowWrites     bool
	RequireAudit    bool
	RequireApproval bool
}

Role defines a set of permissions.

type SessionInfo

type SessionInfo struct {
	ID        string    `json:"id"`
	CreatedAt time.Time `json:"created_at"`
	Model     string    `json:"model"`
	Messages  int       `json:"messages"`
}

SessionInfo represents a session in the system.

type SessionStore

type SessionStore struct {
	// contains filtered or unexported fields
}

SessionStore persists sessions for recovery across restarts.

func NewSessionStore

func NewSessionStore() *SessionStore

NewSessionStore creates an in-memory session store.

func (*SessionStore) Delete

func (s *SessionStore) Delete(id string)

func (*SessionStore) List

func (s *SessionStore) List() []string

func (*SessionStore) Load

func (s *SessionStore) Load(id string) ([]byte, error)

func (*SessionStore) Save

func (s *SessionStore) Save(id string, data []byte) error

type UserClaims

type UserClaims struct {
	Sub    string   `json:"sub"`
	Email  string   `json:"email"`
	Name   string   `json:"name"`
	Groups []string `json:"groups"`
	Roles  []string `json:"roles"`
}

UserClaims extracted from a verified OIDC token.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL