Documentation
¶
Index ¶
- type MemoryConfig
- type Message
- type PIIMatch
- type PIIType
- type Policy
- func (p *Policy) CheckModel(model string) error
- func (p *Policy) CheckRules(content string) error
- func (p *Policy) CompiledModelRegex() *regexp.Regexp
- func (p *Policy) InjectPrompts(messages []map[string]interface{}) []map[string]interface{}
- func (p *Policy) JSON() string
- func (p *Policy) ProviderNames() []string
- func (p *Policy) ResolveForModel(model string) *ResolvedPolicy
- func (p *Policy) ResolveProvider(providerName string) *ResolvedPolicy
- func (p *Policy) Validate() error
- type ProviderPolicy
- type RateLimitConfig
- type RateLimitRule
- type ResolvedPolicy
- func (rp *ResolvedPolicy) CheckModel(model string) error
- func (rp *ResolvedPolicy) CheckRules(content string, scope string) ([]RuleMatch, error)
- func (rp *ResolvedPolicy) CompiledModelRegex() *regexp.Regexp
- func (rp *ResolvedPolicy) HasOutputRules() bool
- func (rp *ResolvedPolicy) InjectPrompts(messages []map[string]interface{}) []map[string]interface{}
- func (rp *ResolvedPolicy) MaskContent(content string, scope string) string
- type RetryConfig
- type Rule
- type RuleList
- type RuleMatch
- type RuleSet
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type MemoryConfig ¶
type MemoryConfig struct {
Enabled bool `json:"enabled,omitempty"`
FilePath string `json:"file_path,omitempty"` // Directory for per-session files, or single file path when FileName is empty
FileName string `json:"file_name,omitempty"` // Per-session file name pattern, e.g. "{token_hash}.md" or "{date}/{token_hash}.md"
Redis bool `json:"redis,omitempty"` // Push to Redis collection by session
MaxSizeMB int `json:"max_size_mb,omitempty"` // Max file size before rotation (0 = unlimited, default: 100 MB)
CompressOld bool `json:"compress_old,omitempty"` // Gzip compress rotated files (default: true)
}
MemoryConfig controls session memory (conversation logging).
type PIIMatch ¶
type PIIMatch struct {
Type PIIType `json:"type"`
Label string `json:"label"`
Value string `json:"value"`
}
PIIMatch represents a detected PII occurrence.
type PIIType ¶
type PIIType string
PIIType represents a category of personally identifiable information.
const ( PIITypeSSN PIIType = "ssn" PIITypeCreditCard PIIType = "credit_card" PIITypeEmail PIIType = "email" PIITypePhone PIIType = "phone" PIITypeIPAddress PIIType = "ip_address" PIITypeAWSKey PIIType = "aws_key" PIITypeAPIKey PIIType = "api_key" PIITypeJWT PIIType = "jwt" PIITypePrivateKey PIIType = "private_key" PIITypeConnectionString PIIType = "connection_string" PIITypeGitHubToken PIIType = "github_token" )
type Policy ¶
type Policy struct {
// Global policy fields — applied first to every request
BaseKeyEnv string `json:"base_key_env,omitempty"`
UpstreamURL string `json:"upstream_url,omitempty"`
MaxTokens int64 `json:"max_tokens,omitempty"`
Model string `json:"model,omitempty"`
ModelRegex string `json:"model_regex,omitempty"`
Prompts []Message `json:"prompts,omitempty"`
Rules RuleList `json:"rules,omitempty"`
// Per-provider policy arrays keyed by provider name.
// Each provider has an array of policies — one per model or model pattern.
// Example: {"openai": [{model:"gpt-4o",...}, {model_regex:"^gpt-3.*",...}]}
Providers map[string][]*ProviderPolicy `json:"providers,omitempty"`
// DefaultProvider specifies which provider to use when ResolveForModel
// returns a policy with no explicit ProviderName (i.e., when using global settings).
// Used to route requests to the correct provider's upstream URL and auth scheme.
DefaultProvider string `json:"default_provider,omitempty"`
// Session memory configuration
Memory MemoryConfig `json:"memory,omitempty"`
// Rate limiting
RateLimit *RateLimitConfig `json:"rate_limit,omitempty"`
// Retry and fallback
Retry *RetryConfig `json:"retry,omitempty"`
// Per-request timeout in seconds (0 = use default)
Timeout int `json:"timeout,omitempty"`
// Metadata tags for analytics and cost attribution
Metadata map[string]string `json:"metadata,omitempty"`
// contains filtered or unexported fields
}
Policy is the top-level policy for a wrapper token. Global settings apply to all requests. Providers map holds arrays of model-scoped policies per provider. The proxy resolves by matching the request model against provider policies.
func (*Policy) CheckModel ¶
CheckModel verifies the model on the global policy directly (backward compat).
func (*Policy) CheckRules ¶
CheckRules checks rules on the global policy directly (backward compat).
func (*Policy) CompiledModelRegex ¶
func (*Policy) InjectPrompts ¶
InjectPrompts injects prompts from the global policy directly (backward compat).
func (*Policy) ProviderNames ¶
ProviderNames returns all configured provider names.
func (*Policy) ResolveForModel ¶
func (p *Policy) ResolveForModel(model string) *ResolvedPolicy
ResolveForModel finds the best matching provider policy for the given model, applies global policy first, then merges the matching provider policy on top. It searches all providers for a model match.
func (*Policy) ResolveProvider ¶
func (p *Policy) ResolveProvider(providerName string) *ResolvedPolicy
ResolveProvider returns the effective policy for a named provider. If model is empty, returns the first policy for that provider (or global if not found).
type ProviderPolicy ¶
type ProviderPolicy struct {
BaseKeyEnv string `json:"base_key_env"`
UpstreamURL string `json:"upstream_url,omitempty"`
MaxTokens int64 `json:"max_tokens,omitempty"`
Model string `json:"model,omitempty"`
ModelRegex string `json:"model_regex,omitempty"`
Prompts []Message `json:"prompts,omitempty"`
Rules RuleList `json:"rules,omitempty"`
Timeout int `json:"timeout,omitempty"` // Per-request timeout in seconds
// contains filtered or unexported fields
}
ProviderPolicy holds a single model-scoped policy within a provider. Each provider can have multiple policies, each targeting different models.
type RateLimitConfig ¶
type RateLimitConfig struct {
Rules []RateLimitRule `json:"rules,omitempty"`
MaxParallel int `json:"max_parallel,omitempty"` // Max concurrent requests
}
RateLimitConfig controls request and token throughput. Supports multiple rules with different windows and strategies.
type RateLimitRule ¶
type RateLimitRule struct {
Requests int `json:"requests,omitempty"` // Max requests per window (0 = unlimited)
Tokens int `json:"tokens,omitempty"` // Max tokens per window (0 = unlimited)
Window string `json:"window,omitempty"` // Duration: "1s", "1m" (default), "1h", "24h"
Strategy string `json:"strategy,omitempty"` // "sliding" (default) or "fixed"
}
RateLimitRule defines a single rate limit window.
type ResolvedPolicy ¶
type ResolvedPolicy struct {
BaseKeyEnv string
UpstreamURL string
MaxTokens int64
Model string
ModelRegex string
ProviderName string // Which provider was matched (key from Providers map)
Prompts []Message
Rules []Rule
Memory MemoryConfig
RateLimit *RateLimitConfig
Retry *RetryConfig
Timeout int
Metadata map[string]string
// contains filtered or unexported fields
}
ResolvedPolicy is the effective policy after merging global + provider. This is what the proxy handler works with.
func (*ResolvedPolicy) CheckModel ¶
func (rp *ResolvedPolicy) CheckModel(model string) error
CheckModel verifies that the requested model is allowed by the resolved policy.
func (*ResolvedPolicy) CheckRules ¶
func (rp *ResolvedPolicy) CheckRules(content string, scope string) ([]RuleMatch, error)
CheckRules checks content against all rules with the given scope. Returns a list of matches. The caller decides how to handle each action. For backward compatibility, also returns a blocking error if any "fail" rule matches.
func (*ResolvedPolicy) CompiledModelRegex ¶
func (rp *ResolvedPolicy) CompiledModelRegex() *regexp.Regexp
func (*ResolvedPolicy) HasOutputRules ¶
func (rp *ResolvedPolicy) HasOutputRules() bool
HasOutputRules returns true if any rules apply to the "output" scope.
func (*ResolvedPolicy) InjectPrompts ¶
func (rp *ResolvedPolicy) InjectPrompts(messages []map[string]interface{}) []map[string]interface{}
InjectPrompts prepends the policy's system prompts to a messages list.
func (*ResolvedPolicy) MaskContent ¶
func (rp *ResolvedPolicy) MaskContent(content string, scope string) string
MaskContent applies all "mask" rules to the content for the given scope and returns the modified content.
type RetryConfig ¶
type RetryConfig struct {
MaxRetries int `json:"max_retries,omitempty"` // Max retry attempts (default 0)
Fallbacks []string `json:"fallbacks,omitempty"` // Fallback model names to try in order
RetryOn []int `json:"retry_on,omitempty"` // HTTP status codes that trigger retry (default: 429,500,502,503)
}
RetryConfig controls retry and fallback behavior on upstream errors.
type Rule ¶
type Rule struct {
Name string `json:"name,omitempty"` // Human-readable rule name
Type string `json:"type"` // "regex", "keyword", "pii"
Pattern string `json:"pattern,omitempty"` // For regex type
Keywords []string `json:"keywords,omitempty"` // For keyword type
Detect []string `json:"detect,omitempty"` // For pii type
Action string `json:"action"` // "fail", "warn", "log", "mask"
Scope string `json:"scope,omitempty"` // "input" (default), "output", "both"
// contains filtered or unexported fields
}
Rule defines a content inspection rule with a type, match criteria, and action.
Rule types:
- "regex": Match content against a Go regular expression (Pattern field)
- "keyword": Match against a list of case-insensitive keywords (Keywords field)
- "pii": Detect personally identifiable information (Detect field: ssn, credit_card, email, phone, ip_address, aws_key, api_key)
Actions:
- "fail": Block the request with 403 Forbidden (default)
- "warn": Allow the request but log a warning
- "log": Silently log the match
- "mask": Redact matched content before forwarding (replaces with [REDACTED])
Scope:
- "input": Check user messages only (default)
- "output": Check response content only
- "both": Check both input and output
type RuleList ¶
type RuleList []Rule
RuleList supports both old string-array format and new object-array format. Old format: ["regex1", "regex2"] → converted to [{type:"regex", pattern:"regex1", action:"fail"}, ...] New format: [{type:"regex", pattern:"...", action:"fail"}, {type:"pii", detect:["ssn"], action:"mask"}, ...]
func (*RuleList) UnmarshalJSON ¶
UnmarshalJSON handles backward compatibility: accepts both ["string"] and [{...}] formats.