llm-shield-cloud 0.1.0

Cloud abstraction layer for LLM Shield - unified traits for AWS, GCP, and Azure
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190

# llm-shield-cloud

Cloud abstraction layer for LLM Shield providing unified traits for AWS, GCP, and Azure integrations.

## Overview

This crate provides trait-based abstractions for cloud services, enabling LLM Shield to leverage cloud-native features while maintaining portability across providers.

## Features

- **Secret Management**: Unified `CloudSecretManager` trait for AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault
- **Object Storage**: `CloudStorage` trait for AWS S3, GCP Cloud Storage, and Azure Blob Storage
- **Observability**: `CloudMetrics`, `CloudLogger`, and `CloudTracer` traits for cloud-native monitoring
- **Configuration**: Type-safe configuration structures for all cloud providers
- **Caching**: Built-in secret caching with TTL support
- **Error Handling**: Unified error types across all cloud operations

## Architecture

```
┌────────────────────────────────────┐
│   LLM Shield Application           │
└────────────────────────────────────┘
┌────────────────────────────────────┐
│   llm-shield-cloud (traits)        │
│   - CloudSecretManager             │
│   - CloudStorage                   │
│   - CloudMetrics/Logger/Tracer     │
└────────────────────────────────────┘
      │             │             │
      ▼             ▼             ▼
┌──────────┐  ┌──────────┐  ┌──────────┐
│   AWS    │  │   GCP    │  │  Azure   │
│ Provider │  │ Provider │  │ Provider │
└──────────┘  └──────────┘  └──────────┘
```

## Usage

### Basic Example

```rust
use llm_shield_cloud::{CloudSecretManager, SecretValue, Result};

async fn load_api_keys(
    secret_manager: &dyn CloudSecretManager
) -> Result<Vec<String>> {
    // Fetch API keys from cloud secret manager
    let secret = secret_manager.get_secret("llm-shield/api-keys").await?;

    // Parse the secret value
    let api_keys: Vec<String> = serde_json::from_str(secret.as_string())?;

    Ok(api_keys)
}
```

### Secret Caching

```rust
use llm_shield_cloud::SecretCache;
use std::time::Duration;

let cache = SecretCache::new(300); // 5 minute TTL

// Set a secret in cache
cache.set("my-key".to_string(), secret_value).await;

// Get from cache (returns None if expired)
if let Some(value) = cache.get("my-key").await {
    println!("Cache hit!");
}
```

### Storage Operations

```rust
use llm_shield_cloud::{CloudStorage, PutObjectOptions};

async fn upload_model(storage: &dyn CloudStorage) -> Result<()> {
    let model_data = tokio::fs::read("model.onnx").await?;

    let options = PutObjectOptions {
        content_type: Some("application/octet-stream".to_string()),
        storage_class: Some("STANDARD".to_string()),
        ..Default::default()
    };

    storage.put_object_with_options(
        "models/toxicity.onnx",
        &model_data,
        &options
    ).await?;

    Ok(())
}
```

## Configuration

Cloud integrations are configured via `CloudConfig`:

```yaml
cloud:
  provider: aws  # or gcp, azure, none

  aws:
    region: us-east-1
    secrets_manager:
      enabled: true
      cache_ttl_seconds: 300
    s3:
      bucket: llm-shield-models
      models_prefix: models/
      results_prefix: scan-results/
    cloudwatch:
      enabled: true
      namespace: LLMShield
      log_group: /llm-shield/api
```

## Providers

Concrete implementations are provided by separate crates:

- **`llm-shield-cloud-aws`**: AWS integrations (Secrets Manager, S3, CloudWatch, X-Ray)
- **`llm-shield-cloud-gcp`**: GCP integrations (Secret Manager, Cloud Storage, Cloud Logging, Cloud Trace)
- **`llm-shield-cloud-azure`**: Azure integrations (Key Vault, Blob Storage, Azure Monitor, App Insights)

Enable provider-specific features in your `Cargo.toml`:

```toml
[dependencies]
llm-shield-cloud = "0.1"
llm-shield-cloud-aws = { version = "0.1", optional = true }

[features]
cloud-aws = ["llm-shield-cloud-aws"]
```

## Error Handling

All cloud operations return `Result<T, CloudError>`:

```rust
use llm_shield_cloud::{CloudError, Result};

match secret_manager.get_secret("my-secret").await {
    Ok(value) => println!("Secret: {}", value.as_string()),
    Err(CloudError::SecretNotFound(name)) => {
        eprintln!("Secret not found: {}", name);
    }
    Err(e) => {
        eprintln!("Failed to fetch secret: {}", e);
    }
}
```

## Testing

Run tests:

```bash
cargo test -p llm-shield-cloud
```

Run tests with output:

```bash
cargo test -p llm-shield-cloud -- --nocapture
```

## Performance

- **Caching**: Built-in secret caching reduces API calls by >90%
- **Async**: All operations are fully async with tokio
- **Zero-cost abstractions**: Trait-based design adds <5% overhead

## Security

- Zero plain-text secrets in code or configuration
- Automatic credential rotation support
- Constant-time comparison for sensitive data
- Comprehensive audit logging

## License

MIT OR Apache-2.0