Documentation
¶
Index ¶
- func ConfigPath() string
- func DataDir() string
- func GetConfigDir() string
- func GetRulesDir() string
- func ProjectConfigPath() string
- func SanitizeCategory(s string) string
- func SanitizeNERLanguage(s string) string
- func SanitizePatternValue(s string) string
- type AuditDBConfig
- type Config
- type KeywordPattern
- type LogConfig
- type Manager
- type NERConfig
- type PatternsConfig
- type ProxyConfig
- type RegexPattern
- type RuleListConfig
- type SecretFileConfig
- type SessionConfig
- type TargetConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetRulesDir ¶ added in v0.2.2
func GetRulesDir() string
GetRulesDir returns the rules directory path (for local rule lists and subscription cache).
func ProjectConfigPath ¶
func ProjectConfigPath() string
ProjectConfigPath returns the project-level config path
func SanitizeCategory ¶
SanitizeCategory sanitizes and normalizes a category name so placeholders can be reliably recognized and restored. Rules: - keep only [A-Z0-9_] - normalize whitespace and '-' into '_' - uppercase; return empty on empty result (caller should apply a default)
func SanitizeNERLanguage ¶ added in v0.2.2
SanitizeNERLanguage sanitizes and normalizes the NER language parameter (patterns.ner.language). Allowed values: - auto - other BCP47-like tags (e.g. en / zh / zh-cn / fr ...), normalized to lowercase with illegal chars removed
func SanitizePatternValue ¶
SanitizePatternValue sanitizes a user-provided pattern value: - trim leading/trailing whitespace - remove invisible control/format characters (e.g. 0x1F, BOM, zero-width chars)
Goal: avoid "looks the same but doesn't match" issues caused by invisible characters.
Types ¶
type AuditDBConfig ¶ added in v0.2.2
type AuditDBConfig struct {
Enabled bool `yaml:"enabled"`
// Path is the SQLite file path (supports ~).
Path string `yaml:"path"`
// Retention is the retention duration (time.ParseDuration; also supports "7d" for days).
Retention string `yaml:"retention"`
}
AuditDBConfig holds SQLite audit persistence settings. Note: when enabled, audit events are written to disk (by default only preview values are persisted; if privacy mode is disabled, truncated originals may be persisted).
type Config ¶
type Config struct {
Proxy ProxyConfig `yaml:"proxy"`
Patterns PatternsConfig `yaml:"patterns"`
Targets []TargetConfig `yaml:"targets"`
Session SessionConfig `yaml:"session"`
Log LogConfig `yaml:"log"`
// AuditDB controls whether audit events are persisted to SQLite (only available in the "full" build; disabled by default).
AuditDB AuditDBConfig `yaml:"audit_db"`
}
Config represents the main configuration structure
type KeywordPattern ¶
type KeywordPattern struct {
Value string `yaml:"value" json:"value"`
Category string `yaml:"category" json:"category"`
}
KeywordPattern represents a keyword to match
type LogConfig ¶
type LogConfig struct {
Level string `yaml:"level"`
File string `yaml:"file"`
RedactLog bool `yaml:"redact_log"`
}
LogConfig holds logging configuration
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager handles config loading, merging, and hot-reload
func (*Manager) SetPatternEncryptionKey ¶
SetPatternEncryptionKey enables "at-rest encryption" for persisted pattern values. key32 must be 32 bytes (AES-256).
Note: this only configures the encryptor and does not rewrite the config file automatically; callers typically run Load() again afterwards to decrypt an already-loaded config.
type NERConfig ¶ added in v0.2.2
type NERConfig struct {
Enabled bool `yaml:"enabled"`
// PresidioURL is the Presidio Analyzer service URL (e.g. http://127.0.0.1:5001).
// Note: VibeGuard does not bundle Presidio; it only calls an external service.
PresidioURL string `yaml:"presidio_url"`
// Language is passed to Presidio (e.g. en / zh / fr ...).
// Note: Presidio requires a language; for backward compatibility, "auto" is treated as "en".
Language string `yaml:"language"`
// Entities specifies enabled entity types (e.g. PERSON/ORG/LOCATION/DATE...). Empty means the implementation default set.
Entities []string `yaml:"entities"`
// MinScore is the Presidio confidence threshold (0~1; 0 means Presidio default).
MinScore float64 `yaml:"min_score"`
}
NERConfig controls the optional NER-based recognizers (e.g. PERSON/ORG/LOCATION). Note: this config does not contain sensitive data; it only controls enablement and entity types.
type PatternsConfig ¶
type PatternsConfig struct {
Keywords []KeywordPattern `yaml:"keywords"`
Regex []RegexPattern `yaml:"regex"`
Builtin []string `yaml:"builtin"`
Exclude []string `yaml:"exclude"`
SecretFiles []SecretFileConfig `yaml:"secret_files"`
RuleLists []RuleListConfig `yaml:"rule_lists"`
// NER toggles and configures named-entity recognition (external Presidio engine; off by default).
NER NERConfig `yaml:"ner"`
}
PatternsConfig holds pattern matching configuration
type ProxyConfig ¶
type ProxyConfig struct {
Listen string `yaml:"listen"`
PlaceholderPrefix string `yaml:"placeholder_prefix"`
// InterceptMode controls how HTTPS CONNECT is handled:
// - global: MITM for all hosts (default; best for HTTP(S)_PROXY env usage)
// - targets: MITM only for enabled hosts in targets (safer; avoids impacting non-target traffic)
InterceptMode string `yaml:"intercept_mode"`
// WebSocketRedactionBeta enables best-effort WebSocket text-message redaction/restore.
// It is intentionally off by default because some servers/extensions may be incompatible.
WebSocketRedactionBeta bool `yaml:"websocket_redaction_beta"`
}
ProxyConfig holds proxy server settings
type RegexPattern ¶
type RegexPattern struct {
Pattern string `yaml:"pattern" json:"pattern"`
Category string `yaml:"category" json:"category"`
}
RegexPattern represents a regex pattern to match
type RuleListConfig ¶ added in v0.2.0
type RuleListConfig struct {
// ID is a stable identifier (generated by the admin UI); may be empty.
ID string `yaml:"id" json:"id"`
// Name is a display name (editable in the admin UI); may be empty.
Name string `yaml:"name" json:"name"`
// Path is the local rule file path (supports ~); mutually exclusive with URL.
Path string `yaml:"path" json:"path"`
// URL is the remote subscription URL (http/https); mutually exclusive with Path.
URL string `yaml:"url" json:"url"`
// UpdateInterval is the subscription update interval (e.g. 24h/6h); applies to URL mode only. Default is 24h.
UpdateInterval string `yaml:"update_interval" json:"update_interval"`
// AllowHTTP allows http:// subscriptions when true (unsafe; default only allows https://).
AllowHTTP bool `yaml:"allow_http" json:"allow_http"`
// Enabled controls whether this rule list participates in matching.
Enabled bool `yaml:"enabled" json:"enabled"`
// Priority controls priority (1~99); higher wins on overlaps.
Priority int `yaml:"priority" json:"priority"`
}
RuleListConfig describes a rule list file (line-based rules).
type SecretFileConfig ¶ added in v0.2.3
type SecretFileConfig struct {
// Path is a local file path (supports ~). Relative paths are resolved relative to the config file that defined it.
Path string `yaml:"path" json:"path"`
// Format controls how the file is parsed:
// - dotenv: parse KEY=VALUE lines and import VALUEs as keywords (recommended for .env)
// - lines: treat each non-empty non-comment line as a keyword
Format string `yaml:"format" json:"format"`
// Category is the match category used in audit/logging. Defaults to DOTENV/SECRET_FILE based on format.
Category string `yaml:"category" json:"category"`
// MinValueLen filters out short values to reduce false positives. Default is 8.
MinValueLen int `yaml:"min_value_len" json:"min_value_len"`
// Enabled defaults to true when omitted.
Enabled *bool `yaml:"enabled" json:"enabled"`
}
SecretFileConfig describes a local file whose contents should be treated as secrets and redacted if they appear in prompts. Note: this does not prevent the client from reading files; it only prevents accidental exfiltration to upstream LLM APIs.
type SessionConfig ¶
type SessionConfig struct {
TTL string `yaml:"ttl"`
MaxMappings int `yaml:"max_mappings"`
WALEnabled bool `yaml:"wal_enabled"`
WALPath string `yaml:"wal_path"`
DeterministicPlaceholders bool `yaml:"deterministic_placeholders"`
}
SessionConfig holds session management settings
type TargetConfig ¶
TargetConfig represents a target host configuration