1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
//! Field-classification rule sets for the write-boundary sanitizer.
/// Keys whose values are **never** persisted. Stripped recursively at every
/// depth of the event tree before an audit row is constructed.
///
/// This is the union of the spec's "確定不用存" (must NOT store) list
/// (spec lines 7551–7572) and the expanded observability-payload keys called
/// out in AAASM-2397: raw LLM prompt / completion, full tool-call payloads,
/// eBPF packet bodies, and the per-heartbeat sequence counter. A superset is
/// deliberate — defense-in-depth means erring toward dropping.
pub const BANNED_KEYS: & = &;
/// Top-level metadata keys the sanitizer keeps. Mirrors the `audit_events`
/// columns plus the event-routing fields a sender may set (`kind`,
/// `event_type`, `session_id`, `org_id`, `timestamp`, `policy_version`). The
/// `payload` container is kept — its dangerous contents are removed by the
/// recursive [`BANNED_KEYS`] pass, not by dropping the whole object.
///
/// Anything else at the top level is dropped and counted via
/// `aa_audit_dropped_unknown_field_total`, so we notice when a sender starts
/// emitting a field we have not vetted.
pub const ALLOWED_TOP_LEVEL_KEYS: & = &;
/// Returns `true` if `key` is on the recursive banned list.
///
/// AAASM-3136: the comparison is case-insensitive. A sender that emits
/// `Prompt`, `TOOL_PAYLOAD`, or `Tool_Args` must not slip a secret past a
/// case-sensitive `==` match — JSON keys are not case-normalized on the wire,
/// so the banned list has to fold case to be a real control.
pub
/// Returns `true` if `key` is an allowed top-level metadata key.
///
/// AAASM-3136: case-insensitive, for the same reason as [`is_banned`] — an
/// unexpected field must not survive merely because its case differs from the
/// allowlist entry.
pub