

1// Copyright (c) 2026 CoReason, Inc.
2// All rights reserved.
3
4pub mod ceremony;
5pub mod cost_tracker;
6pub mod crypto;
7pub mod epistemic;
8pub mod init;
9pub mod ledger;
10pub mod nats_registry;
11pub mod routing;
12
13use regex::Regex;
14use std::sync::OnceLock;
15
/// Compiled detector patterns for the DLP scan. Built once through the
/// `SCANNER` cell and reused for every `scan_dlp_violations` call.
struct DlpScanner {
    /// Vault-style service token: `hvs.` followed by 20+ token characters.
    vault_token: Regex,
    /// AWS access key id: `AKIA` followed by 16 upper-case alphanumerics.
    aws_access_key: Regex,
    /// Any run of base64-alphabet characters (`A-Z a-z 0-9 / + =`); `scan`
    /// uses it to look for a run that is exactly 40 characters long.
    base64_seq: Regex,
    /// A secret-ish keyword (secret/key/token/password/credential, case
    /// insensitive) followed by 40 base64-alphabet characters.
    aws_secret_context: Regex,
    /// US SSN shape `ddd-dd-dddd`, word-bounded.
    ssn: Regex,
    /// Visa / MasterCard / American Express card-number shapes, word-bounded.
    /// Shape only — no Luhn validation is performed anywhere in this file.
    credit_card: Regex,
    /// GitHub classic personal access token: `ghp_` plus 36 alphanumerics.
    github_pat: Regex,
    /// `COREASON_ROOT_CA_KEY` / `COREASON_DEV_KEY` followed by 64 hex chars.
    coreason_key: Regex,
}
26
impl DlpScanner {
    /// Compiles every detector pattern. The patterns are fixed literals, so a
    /// compile failure is a programming error rather than a runtime condition.
    fn new() -> Self {
        // Local helper so each field line reads as "label: pattern".
        fn compile(pattern: &str) -> Regex {
            Regex::new(pattern).unwrap()
        }

        Self {
            vault_token: compile(r"hvs\.[a-zA-Z0-9_-]{20,}"),
            aws_access_key: compile(r"AKIA[0-9A-Z]{16}"),
            base64_seq: compile(r"[A-Za-z0-9/+=]+"),
            aws_secret_context: compile(
                r"(?i)(?:secret|key|token|password|credential)[\x22':\s]*[A-Za-z0-9/+=]{40}",
            ),
            ssn: compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            credit_card: compile(
                r"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13})\b",
            ),
            github_pat: compile(r"ghp_[a-zA-Z0-9]{36}"),
            coreason_key: compile(r"COREASON_(?:ROOT_CA|DEV)_KEY[\x22':\s]*[a-fA-F0-9]{64}"),
        }
    }

    /// True when `text` contains a maximal run of base64-alphabet characters
    /// that is exactly 40 characters long (the AWS secret access key length).
    ///
    /// NOTE(review): runs are maximal and `=` as well as the letters of a
    /// preceding `KEY` are in the alphabet, so an env-file style
    /// `..._KEY=<40 chars>` forms a single 44-character run and does not
    /// count, while a quoted or colon-separated value does. Confirm whether
    /// that coverage gap is intended.
    fn has_40_char_base64_run(&self, text: &str) -> bool {
        self.base64_seq
            .find_iter(text)
            .any(|hit| hit.as_str().len() == 40)
    }

    /// Runs every detector over `text` and returns the labels that fired, in
    /// this fixed order: vault_token, aws_access_key, aws_secret_key,
    /// pem_private_key, ssh_private_key, ssn, credit_card, github_pat,
    /// coreason_signing_key. Labels are constants; the matched text is never
    /// included in the result, so it is safe to log.
    fn scan(&self, text: &str) -> Vec<String> {
        let mut hits: Vec<String> = Vec::new();
        let mut record = |fired: bool, label: &str| {
            if fired {
                hits.push(label.to_string());
            }
        };

        record(self.vault_token.is_match(text), "vault_token");
        record(self.aws_access_key.is_match(text), "aws_access_key");
        // Reported only when an isolated 40-char run exists *and* a secret-ish
        // keyword precedes some 40-char run; the two checks are independent
        // and need not refer to the same run.
        record(
            self.has_40_char_base64_run(text) && self.aws_secret_context.is_match(text),
            "aws_secret_key",
        );
        // The OpenSSH header satisfies both substring checks below, so an
        // OpenSSH key is reported under both labels.
        record(
            text.contains("-----BEGIN") && text.contains("PRIVATE KEY-----"),
            "pem_private_key",
        );
        record(
            text.contains("-----BEGIN OPENSSH PRIVATE KEY-----"),
            "ssh_private_key",
        );
        record(self.ssn.is_match(text), "ssn");
        // Shape-only check for Visa / MasterCard / Amex; no Luhn validation.
        record(self.credit_card.is_match(text), "credit_card");
        record(self.github_pat.is_match(text), "github_pat");
        record(self.coreason_key.is_match(text), "coreason_signing_key");

        hits
    }
}
86
/// Process-wide scanner, initialised lazily on first use so the detector
/// regexes are compiled once rather than on every call.
static SCANNER: OnceLock<DlpScanner> = OnceLock::new();
88
/// Scans `text` for secret- and PII-shaped content and returns the label of
/// every detector that fired, in a fixed order (empty when nothing matched).
///
/// Only fixed labels are returned, never the matched text, so the result can
/// be logged without leaking the value that tripped the scan. The detectors
/// are compiled once through `SCANNER` and shared by all callers.
pub fn scan_dlp_violations(text: &str) -> Vec<String> {
    SCANNER.get_or_init(DlpScanner::new).scan(text)
}