Expand description
Data governance — cross-cutting compliance machinery.
Lives at the top level (like messaging/) because its consumers span
every layer: HTTP responses (web), the audit trail (observability),
outbox payloads (data), and dead-lettered messages (messaging).
Modules§
- crypto
- Field-level envelope encryption + crypto-shredding.
- masking
- PII masking — classification-driven redaction at every data sink.
Structs§
- Crypto
Vault - Process-wide encryption service. Provide once via
ctx.provide(CryptoVault::bootstrap(source).await?), resolve anywhere withInject<CryptoVault>/ctx.inject::<CryptoVault>(). - DataKey
- One unwrapped AES-256 DEK version. Material is zeroized on drop
(
secrecy) and never serialized. - Encrypted
Field - Self-describing ciphertext for one field:
enc:v1:<key_id>:<key_version>:<b64(nonce ‖ ciphertext ‖ tag)>. Records the key version so rotation never forces immediate re-encryption. - KeyId
- Identifies one DEK lineage. Conventional scopes:
tenant:<id>(tenant-wide) andsubject:<id>(per-person, shreddable). - Mask
Rule - A field rule: where + how.
- Masker
- Hot-swappable redaction point. Provide via
ctx.provide(Masker::new(…)). - Masking
Policy - Versioned, immutable rule set (hot-swapped whole, like
PolicySet).
Enums§
- Crypto
Error - Mask
Strategy - How a matched field is transformed.
Traits§
- Encrypt
Record - Implemented by
#[EncryptFields(...)]on a DTO. The default methods are the whole write/read contract: - KekSource