Skip to main content

Module compliance

Module compliance 

Source
Expand description

Data governance — cross-cutting compliance machinery.

Lives at the top level (like messaging/) because its consumers span every layer: HTTP responses (web), the audit trail (observability), outbox payloads (data), and dead-lettered messages (messaging).

ModuleResponsibility
maskingPII redaction at every durable sink (#[MaskFields])
cryptoField-level envelope encryption + crypto-shredding (#[EncryptFields])

Modules§

crypto
Field-level envelope encryption + crypto-shredding.
masking
PII masking — classification-driven redaction at every data sink.

Structs§

CryptoVault
Process-wide encryption service. Provide once via ctx.provide(CryptoVault::bootstrap(source).await?), resolve anywhere with Inject<CryptoVault> / ctx.inject::<CryptoVault>().
DataKey
One unwrapped AES-256 DEK version. Material is zeroized on drop (secrecy) and never serialized.
EncryptedField
Self-describing ciphertext for one field: enc:v1:<key_id>:<key_version>:<b64(nonce ‖ ciphertext ‖ tag)>. Records the key version so rotation never forces immediate re-encryption.
KeyId
Identifies one DEK lineage. Conventional scopes: tenant:<id> (tenant-wide) and subject:<id> (per-person, shreddable).
MaskRule
A field rule: where + how.
Masker
Hot-swappable redaction point. Provide via ctx.provide(Masker::new(…)).
MaskingPolicy
Versioned, immutable rule set (hot-swapped whole, like PolicySet).

Enums§

CryptoError
MaskStrategy
How a matched field is transformed.

Traits§

EncryptRecord
Implemented by #[EncryptFields(...)] on a DTO. The default methods are the whole write/read contract:
KekSource