aa_security/lib.rs
1//! Security primitives for Agent Assembly.
2//!
3//! This crate owns the credential-detection scanner, the redaction primitives,
4//! the audit-normalization types, and the canonical [`policy`] AST relied on by
5//! the trusted enforcement layers (`aa-runtime`, `aa-gateway`, `aa-proxy`, and
6//! the privilege-separated eBPF loader).
7//!
8//! It is deliberately a **leaf** crate: it does *not* depend on `aa-core`, so
9//! security authority comes from *where a primitive runs*, not from the core
10//! domain crate. Because `aa-core` itself depends on `aa-security`, the shared
11//! policy AST is hosted here (not in `aa-core`) so the gateway and the eBPF
12//! layer can depend on the same types without a dependency cycle (AAASM-3606).
13//!
14//! # Feature Flags
15//!
16//! - `serde`: enables `Serialize`/`Deserialize` derives on the public types and
17//! the YAML parsing of the canonical [`policy::PolicyDocument`].
18#![warn(missing_docs)]
19
20pub mod policy;
21pub mod redaction;
22pub mod scanner;
23pub mod sdk_identity;
24
25pub use redaction::Redaction;
26pub use scanner::{CredentialFinding, CredentialKind, CredentialScanner, ScanResult, ScannerConfig};
27pub use sdk_identity::{ObservedSdkIdentity, SdkIdentityVerdict, VerifiedSdkIdentity};