Documentation
Index ¶
Constants ¶
const (
	// Context keys are typed with the unexported contextKey type rather than
	// a bare string, so a value stored under them cannot be read or clobbered
	// by another package using a plain string key of the same text.
	RequestIDCtxKey    contextKey = "request_id"
	TraceIDCtxKey      contextKey = "trace_id"
	ATLSExpectedCtxKey contextKey = "atls_expected"

	// HeaderXEventType names the header carrying the audit event type
	// (presumably what ExtractEventType reads — confirm against its body).
	HeaderXEventType = "X-Event-Type"

	// HeaderGuardrailsProcessed and other guardrails detection header names for audit logging.
	// NOTE(review): the Event fields derived from these headers are only as
	// trustworthy as the party that sets them. Confirm they are read from the
	// guardrails/upstream response and are not accepted verbatim from the
	// inbound client request; otherwise the caller could shape its own audit
	// record (e.g. mark itself as guardrails-processed and allowed).
	HeaderGuardrailsProcessed  = "X-Guardrails-Processed"
	HeaderGuardrailsDecision   = "X-Guardrails-Decision"
	HeaderGuardrailsViolations = "X-Guardrails-Violations"
	HeaderInputRailsTriggered  = "X-Input-Rails-Triggered"
	HeaderOutputRailsTriggered = "X-Output-Rails-Triggered"
	HeaderSensitiveDataMasked  = "X-Sensitive-Data-Masked"
	HeaderPromptInjection      = "X-Prompt-Injection-Detected"
	HeaderJailbreakAttempt     = "X-Jailbreak-Attempt-Detected"
	HeaderToxicContent         = "X-Toxic-Content-Detected"
	HeaderOffTopic             = "X-Off-Topic-Detected"
	HeaderHallucinationRisk    = "X-Hallucination-Risk"
	HeaderGuardrailsLatencyMs  = "X-Guardrails-Latency-Ms"
	HeaderGuardrailsError      = "X-Guardrails-Error"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AttestationResult ¶
// AttestationResult holds the results of an aTLS handshake and attestation
// verification as observed by InstrumentedTransport. It is a plain data
// record; every field is exported and JSON-tagged for inclusion in audit
// output.
type AttestationResult struct {
	// Handshake details
	ATLSHandshake     bool          `json:"atls_handshake"`     // always emitted (no omitempty), so false is explicit
	HandshakeDuration time.Duration `json:"handshake_duration"` // encodes as an integer nanosecond count

	// Attestation verification
	// AttestationOK is emitted unconditionally, unlike Event.AttestationOK
	// which carries omitempty; consumers should not assume the two serialize
	// the same way.
	AttestationOK    bool   `json:"attestation_ok"`
	AttestationError string `json:"attestation_error,omitempty"` // verifier error text, if any

	// Platform details
	AttestationType  string `json:"attestation_type,omitempty"` // SNP, TDX, Azure, NoCC
	AttestationNonce string `json:"attestation_nonce,omitempty"`

	// Report details (platform-specific)
	// Report is free-form; its keys depend on the attestation platform and
	// are not fixed by this type.
	Report map[string]any `json:"report,omitempty"`

	// TLS details
	// NOTE(review): TLSVersion and CipherSuite are strings here; how they
	// are rendered (e.g. tls.VersionName) is decided by the populating code.
	TLSVersion     string `json:"tls_version,omitempty"`
	CipherSuite    string `json:"cipher_suite,omitempty"`
	ServerName     string `json:"server_name,omitempty"`
	PeerCertIssuer string `json:"peer_cert_issuer,omitempty"`
	PeerCertSerial string `json:"peer_cert_serial,omitempty"`
}
AttestationResult holds the results of an aTLS handshake and attestation verification.
type Event ¶
// Event represents a complete audit log entry. It is a flat, JSON-tagged
// record; field groups mirror the stages of a proxied request (identity,
// auth, request, response, LLM parameters, security, guardrails, aTLS,
// errors, free-form metadata). Fields tagged omitempty disappear from the
// JSON when zero, so consumers must not rely on their presence.
type Event struct {
	// Core identification
	TraceID   string    `json:"trace_id"`
	RequestID string    `json:"request_id"`
	Timestamp time.Time `json:"timestamp"`
	EventType string    `json:"event_type"`

	// Authentication & Authorization
	// Session uses omitzero (Go 1.24+): the field is dropped only when the
	// whole authn.Session value is its zero value.
	Session         authn.Session `json:"session,omitzero"`
	AuthMethod      string        `json:"auth_method,omitempty"`
	AttestationType string        `json:"attestation_type,omitempty"`
	// AttestationOK carries omitempty, so a false value is omitted and a
	// consumer cannot distinguish "attestation failed" from "no attestation
	// attempted" from this field alone; read it together with ATLSHandshake
	// (always emitted) and AttestationError. AttestationResult.AttestationOK
	// is emitted unconditionally, so the two types serialize differently.
	AttestationOK bool `json:"attestation_ok,omitempty"`

	// Request details
	Method    string `json:"method"`
	Path      string `json:"path"`
	Endpoint  string `json:"endpoint"`
	UserAgent string `json:"user_agent"`
	// ClientIP: whether this is the transport peer address or a value taken
	// from a forwarded header is not visible here — TODO confirm, since
	// forwarded headers are client-controlled and would make this field
	// unreliable for forensics.
	ClientIP string `json:"client_ip"`
	// Headers holds request headers chosen for the audit record. Which ones
	// are captured is decided by the populating code, not by this type.
	// NOTE(review): confirm credential-bearing headers (Authorization,
	// Cookie, Proxy-Authorization and similar) are excluded or redacted
	// before they land here, or the audit log becomes a secret store.
	Headers map[string]string `json:"headers,omitempty"`

	// Response details
	StatusCode   int   `json:"status_code"`
	ResponseSize int64 `json:"response_size"`
	RequestSize  int64 `json:"request_size"`
	// Duration is a time.Duration and therefore encodes as an integer
	// nanosecond count; DurationMs is presumably the same span in
	// milliseconds for human/dashboard use (likewise UpstreamDuration and
	// UpstreamMs).
	Duration         time.Duration `json:"duration"`
	DurationMs       float64       `json:"duration_ms"`
	UpstreamDuration time.Duration `json:"upstream_duration,omitempty"`
	UpstreamMs       float64       `json:"upstream_ms,omitempty"`

	// LLM specific
	// All omitempty: a zero Temperature or MaxTokens is indistinguishable
	// from "not set" in the JSON.
	Model        string  `json:"model,omitempty"`
	InputTokens  int     `json:"input_tokens,omitempty"`
	OutputTokens int     `json:"output_tokens,omitempty"`
	Temperature  float64 `json:"temperature,omitempty"`
	MaxTokens    int     `json:"max_tokens,omitempty"`

	// Security & Compliance
	TLSVersion     string `json:"tls_version,omitempty"`
	CipherSuite    string `json:"cipher_suite,omitempty"`
	PeerCertIssuer string `json:"peer_cert_issuer,omitempty"`
	// ContentFiltered and PIIDetected have no omitempty, so an explicit
	// false is always written — useful for audit consumers that need to
	// tell "checked and clean" from "not recorded".
	ContentFiltered bool     `json:"content_filtered"`
	PIIDetected     bool     `json:"pii_detected"`
	ComplianceTags  []string `json:"compliance_tags,omitempty"`

	// Guardrails Detection & Violations
	GuardrailsProcessed  bool               `json:"guardrails_processed"`
	GuardrailsDecision   string             `json:"guardrails_decision,omitempty"`   // ALLOW, BLOCK, MODIFY
	GuardrailsViolations []GuardrailsResult `json:"guardrails_violations,omitempty"` // List of detected violations
	TriggeredInputRails  []string           `json:"triggered_input_rails,omitempty"`
	TriggeredOutputRails []string           `json:"triggered_output_rails,omitempty"`
	// The detection booleans below are always emitted (no omitempty), so a
	// consumer can distinguish an explicit false from an absent field.
	// NOTE(review): if these are populated from the HeaderGuardrails* /
	// X-*-Detected response headers, their integrity depends on those
	// headers being set only by the trusted guardrails layer — confirm
	// inbound client copies of the same header names are not honored.
	SensitiveDataMasked bool    `json:"sensitive_data_masked"`
	PromptInjection     bool    `json:"prompt_injection"`
	JailbreakAttempt    bool    `json:"jailbreak_attempt"`
	ToxicContent        bool    `json:"toxic_content"`
	OffTopicDetected    bool    `json:"off_topic_detected"`
	HallucinationRisk   bool    `json:"hallucination_risk"`
	GuardrailsLatencyMs float64 `json:"guardrails_latency_ms,omitempty"`
	GuardrailsError     string  `json:"guardrails_error,omitempty"`

	// aTLS & Attestation (extends Auth section above)
	ATLSHandshake     bool           `json:"atls_handshake"` // always emitted
	ATLSHandshakeMs   float64        `json:"atls_handshake_ms,omitempty"`
	AttestationError  string         `json:"attestation_error,omitempty"`
	AttestationNonce  string         `json:"attestation_nonce,omitempty"`
	AttestationReport map[string]any `json:"attestation_report,omitempty"` // platform-specific, free-form; can be large

	// Error handling
	Error     string `json:"error,omitempty"`
	ErrorCode string `json:"error_code,omitempty"`

	// Additional metadata
	// Metadata is an untyped bag; anything placed here is written to the
	// audit log as-is, so callers are responsible for not adding secrets.
	Metadata map[string]any `json:"metadata,omitempty"`
}
Event represents a complete audit log entry.
type GuardrailsResult ¶
// GuardrailsResult represents a single guardrails detection/violation result.
// A list of these is carried in Event.GuardrailsViolations. All fields except
// Type are omitempty, so only Type is guaranteed to appear in the JSON.
//
// NOTE(review): Description and Entity are written to the audit log verbatim.
// Confirm the producing rail does not place the matched text itself (the
// detected e-mail address, card number, etc.) in these fields, otherwise the
// audit record retains the very data the rail was meant to mask.
type GuardrailsResult struct {
	Type        string  `json:"type"`                  // e.g., "pii", "prompt_injection"
	Category    string  `json:"category,omitempty"`    // e.g., "input_validation", "output_validation"
	Severity    string  `json:"severity,omitempty"`    // e.g., "low", "medium", "high", "critical"
	Description string  `json:"description,omitempty"` // Human-readable description
	Entity      string  `json:"entity,omitempty"`      // e.g., "EMAIL_ADDRESS", "CREDIT_CARD" for PII
	Confidence  float64 `json:"confidence,omitempty"`  // Detection confidence score (0.0-1.0); 0.0 is omitted, so "unknown" and "no confidence" look the same
	Action      string  `json:"action,omitempty"`      // e.g., "blocked", "masked", "allowed"
	Rail        string  `json:"rail,omitempty"`        // Name of the rail that triggered
}
GuardrailsResult represents a single guardrails detection/violation result.
type InstrumentedTransport ¶
type InstrumentedTransport struct {
// contains filtered or unexported fields
}
InstrumentedTransport wraps an http.RoundTripper to capture aTLS and attestation details.
func NewInstrumentedTransport ¶
func NewInstrumentedTransport(base http.RoundTripper, attestationType string) *InstrumentedTransport
NewInstrumentedTransport creates a new instrumented transport wrapper.
func (*InstrumentedTransport) GetLastResult ¶
func (it *InstrumentedTransport) GetLastResult() *AttestationResult
GetLastResult returns the last attestation result (thread-safe).
type Middleware ¶
type Middleware struct {
// contains filtered or unexported fields
}
Middleware provides structured audit logging.
func NewMiddleware ¶
func NewMiddleware(logger *slog.Logger, config Config) *Middleware
NewMiddleware creates a new audit middleware instance.
func (*Middleware) ExtractEventType ¶
func (am *Middleware) ExtractEventType(headers http.Header) string
ExtractEventType extracts aTLS/attestation information from response headers.
func (*Middleware) Middleware ¶
func (am *Middleware) Middleware(next http.Handler) http.Handler
Middleware returns the HTTP middleware function.