laminae 0.4.2

The missing layer between raw LLMs and production AI — personality, safety, sandboxing, containment
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

//! # Shadow Audit — Red-Teaming AI Output
//!
//! Demonstrates the Shadow engine analyzing AI-generated code for
//! security vulnerabilities. The analysis runs asynchronously and
//! emits findings via an event channel.
//!
//! Run: `cargo run --example shadow_audit`
//!
//! This example uses only static analysis (aggressiveness=1), which
//! requires no Ollama. Set aggressiveness=2 for LLM review.

use laminae::ollama::OllamaClient;
use laminae::shadow::config::ShadowConfig;
use laminae::shadow::{create_report_store, ShadowEngine, ShadowEvent};

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    tracing_subscriber::fmt()
        .with_env_filter("laminae=info")
        .init();

    let store = create_report_store();

    // Static analysis only — no Ollama required
    let config = {
        let mut c = ShadowConfig::default();
        c.enabled = true;
        c.aggressiveness = 1;
        c
    };

    let engine = ShadowEngine::with_config(store.clone(), config, OllamaClient::new());

    // ── Test 1: Vulnerable code ──

    println!("━━━ Scanning vulnerable code ━━━\n");

    let vulnerable_output = r#"
Here's a Python script that processes user input:

```python
import os
import subprocess

def process_input(user_data):
    # Execute the user's command
    result = eval(user_data)

    # Also run it as a shell command
    output = subprocess.call(user_data, shell=True)

    # Store the password
    password = "admin123"
    db_url = "postgresql://user:s3cret@prod-db:5432/main"

    return result
```

```javascript
// API endpoint
app.get('/search', (req, res) => {
    const query = `SELECT * FROM users WHERE name = '${req.query.name}'`;
    db.query(query);

    res.send(`<h1>Results for ${req.query.name}</h1>`);
});
```
"#;

    let mut rx = engine.analyze_async("vuln-test".into(), vulnerable_output.into());

    while let Some(event) = rx.recv().await {
        match event {
            ShadowEvent::Started { session_id } => {
                println!("  Analysis started: {session_id}");
            }
            ShadowEvent::Finding { finding, .. } => {
                println!(
                    "  [{severity}] {category}: {title}",
                    severity = finding.severity,
                    category = finding.category,
                    title = finding.title,
                );
                println!("    Evidence: {}", finding.evidence);
                if !finding.remediation.is_empty() {
                    println!("    Fix: {}", finding.remediation);
                }
                println!();
            }
            ShadowEvent::Done { report, .. } => {
                println!("━━━ Report ━━━");
                println!("  Issues found: {}", report.findings.len());
                println!("  Max severity: {}", report.max_severity);
                println!("  Analysis time: {}ms", report.analysis_duration_ms);
                println!(
                    "  Stages: static={}, llm={}, sandbox={}",
                    report.static_run, report.llm_run, report.sandbox_run
                );
                println!("  Summary: {}\n", report.summary);
            }
            ShadowEvent::AnalyzerError {
                analyzer, error, ..
            } => {
                eprintln!("  Analyzer error ({analyzer}): {error}");
            }
        }
    }

    // ── Test 2: Clean code ──

    println!("━━━ Scanning clean code ━━━\n");

    let clean_output = r#"
Here's a safe Rust function:

```rust
fn greet(name: &str) -> String {
    format!("Hello, {}!", name)
}

fn add(a: i32, b: i32) -> i32 {
    a + b
}
```
"#;

    let mut rx = engine.analyze_async("clean-test".into(), clean_output.into());

    while let Some(event) = rx.recv().await {
        if let ShadowEvent::Done { report, .. } = event {
            println!("  Clean: {}", report.clean);
            println!("  Issues: {}", report.findings.len());
            println!("  Summary: {}\n", report.summary);
        }
    }

    // ── Check report store ──

    let reports = store.read().await;
    println!("━━━ Report Store ━━━");
    println!("  Total reports stored: {}", reports.len());
    for report in reports.iter() {
        println!(
            "  - {} | clean={} | issues={} | {}ms",
            report.session_id,
            report.clean,
            report.findings.len(),
            report.analysis_duration_ms
        );
    }

    Ok(())
}