// ============================================================================
// File: config.rs
// Description: Shield security engine configuration for all defense layers
// Author: Andrew Jewell Sr. - AutomataNexus
// Updated: March 24, 2026
//
// DISCLAIMER: This software is provided "as is", without warranty of any kind,
// express or implied. Use at your own risk. AutomataNexus and the author assume
// no liability for any damages arising from the use of this software.
// ============================================================================
11use std::collections::HashSet;
12use crate::email_guard::EmailGuardConfig;
13
/// Complete configuration for the Shield security engine.
///
/// One sub-config per defense layer (SQL firewall, SSRF guard, rate limiter,
/// data quarantine, email guard) plus the engine-wide threat-score thresholds
/// and the audit-chain memory cap. Every field is public and each piece
/// implements `Default`, so a caller can override a single knob with
/// struct-update syntax, e.g. `ShieldConfig { warn_threshold: 0.5, ..Default::default() }`.
///
/// Nothing in this file validates the values (for instance that
/// `warn_threshold` is below `block_threshold`, or that both lie in 0.0–1.0);
/// presumably the engine that consumes the config does — confirm before
/// relying on it.
#[derive(Debug, Clone)]
pub struct ShieldConfig {
    /// Threat score threshold above which requests are blocked (0.0–1.0).
    /// Default: 0.7.
    pub block_threshold: f64,
    /// Threat score threshold for logging warnings (0.0–1.0). Default: 0.4.
    /// Expected to sit below `block_threshold` so the warning tier is
    /// reachable; the defaults satisfy this.
    pub warn_threshold: f64,
    /// SQL firewall configuration (see [`SqlFirewallConfig`]).
    pub sql: SqlFirewallConfig,
    /// SSRF guard configuration (see [`SsrfConfig`]).
    pub ssrf: SsrfConfig,
    /// Rate limiting configuration (see [`RateConfig`]).
    pub rate: RateConfig,
    /// Data quarantine configuration (see [`QuarantineConfig`]).
    pub quarantine: QuarantineConfig,
    /// Maximum audit chain events to keep in memory before pruning.
    /// Default: 100_000. This bounds memory use; presumably older events are
    /// dropped once the cap is reached, so persist the chain elsewhere if a
    /// complete history is required.
    pub audit_max_events: usize,
    /// Email guard configuration (defined in `crate::email_guard`).
    pub email: EmailGuardConfig,
}
34
/// Tunables for the SQL firewall layer.
///
/// The firewall carries its own built-in lists of dangerous functions and
/// system schemas (not defined in this file). Per the field docs, the
/// `blocked_*` vectors here extend those lists rather than replace them, so
/// an operator can tighten the policy but not loosen the built-in baseline
/// through this struct.
#[derive(Debug, Clone)]
pub struct SqlFirewallConfig {
    /// Allow SQL comments (-- and /* */) in queries. Default: false.
    /// `false` is the stricter setting; enabling it is an explicit opt-in.
    pub allow_comments: bool,
    /// Maximum query length in bytes. Default: 10_000.
    /// Measured in bytes, not characters — multi-byte UTF-8 counts toward it.
    pub max_query_length: usize,
    /// Maximum nesting depth for subqueries. Default: 3.
    pub max_subquery_depth: u32,
    /// Additional function names to block (beyond built-in dangerous list).
    /// Default: empty. Whether matching is case-sensitive is decided by the
    /// firewall, not here — check it before relying on mixed-case entries.
    pub blocked_functions: Vec<String>,
    /// Additional schema names to block (beyond built-in system schemas).
    /// Default: empty.
    pub blocked_schemas: Vec<String>,
}
48
/// Tunables for the SSRF (server-side request forgery) guard.
///
/// Defaults are deny-by-default: every internal address class is blocked,
/// only `http`/`https` are accepted, no hosts are pre-allowed, and a set of
/// well-known internal service ports is refused. Per the field docs the
/// evaluation order is blocklist first, then allowlist, then the address /
/// scheme / port checks; the matching logic itself lives in the SSRF guard,
/// not in this file.
#[derive(Debug, Clone)]
pub struct SsrfConfig {
    /// Block requests to private/internal IP ranges. Default: true.
    pub block_private_ips: bool,
    /// Block requests to loopback addresses. Default: true.
    pub block_loopback: bool,
    /// Block requests to link-local addresses (169.254.x.x). Default: true.
    pub block_link_local: bool,
    /// Block requests to cloud metadata endpoints (169.254.169.254). Default: true.
    /// 169.254.169.254 also falls inside the link-local range, so this flag is
    /// the one to keep on if `block_link_local` is ever relaxed. Whether the
    /// guard recognises other provider metadata hosts is not visible here.
    pub block_metadata_endpoints: bool,
    /// Allowed URL schemes. Default: ["http", "https"].
    /// Presumably any scheme not listed is rejected.
    pub allowed_schemes: Vec<String>,
    /// Explicit IP/host allowlist (bypasses all checks).
    /// An entry here skips the private/loopback/link-local/metadata and port
    /// checks above, so keep it minimal and exact; it cannot override `blocklist`.
    pub allowlist: HashSet<String>,
    /// Explicit IP/host blocklist (checked before allowlist).
    pub blocklist: HashSet<String>,
    /// Blocked ports (e.g., 22 SSH, 6379 Redis). Default: common internal service ports.
    /// A plain `Vec`, so membership is a linear scan; fine at the default size.
    pub blocked_ports: Vec<u16>,
}
68
/// Tunables for the per-IP rate limiter.
///
/// Two parts: a token bucket (`requests_per_second` sustained rate,
/// `burst_capacity` bucket size) and a violation counter that escalates
/// through warn → throttle → block → ban as the `*_after` thresholds are
/// crossed. The counter decays every `violation_decay_secs`; a ban lasts
/// `ban_duration_secs`. The enforcement itself is not in this file.
#[derive(Debug, Clone)]
pub struct RateConfig {
    /// Maximum requests per second per IP. Default: 50.
    pub requests_per_second: f64,
    /// Burst allowance (token bucket capacity). Default: 100.
    pub burst_capacity: f64,
    /// Number of violations before escalating to warn. Default: 3.
    pub warn_after: u32,
    /// Number of violations before throttling. Default: 8.
    pub throttle_after: u32,
    /// Number of violations before blocking. Default: 15.
    pub block_after: u32,
    /// Number of violations before temporary ban. Default: 30.
    /// The four `*_after` values are expected to be strictly increasing
    /// (the defaults are); nothing here enforces that ordering.
    pub ban_after: u32,
    /// Ban duration in seconds. Default: 300 (5 minutes).
    pub ban_duration_secs: u64,
    /// Violation decay period in seconds. Default: 60.
    pub violation_decay_secs: u64,
}
88
/// Tunables for the data quarantine applied to imported datasets.
///
/// Size limits (`max_rows`, `max_size_bytes`, `max_columns`) bound resource
/// use on untrusted imports; the two `check_*` flags enable content scans.
/// All defaults are on / conservative.
#[derive(Debug, Clone)]
pub struct QuarantineConfig {
    /// Maximum rows allowed in imported data. Default: 5_000_000.
    pub max_rows: usize,
    /// Maximum total size in bytes. Default: 500 MB (500 * 1024 * 1024).
    pub max_size_bytes: usize,
    /// Maximum columns allowed. Default: 500.
    pub max_columns: usize,
    /// Check for formula injection (=, +, -, @). Default: true.
    /// These are the leading characters spreadsheet applications interpret
    /// as a formula when a CSV cell is opened; leave this on for any data
    /// that may be re-exported to a spreadsheet.
    pub check_formula_injection: bool,
    /// Check for embedded scripts. Default: true.
    pub check_embedded_scripts: bool,
}
102
impl Default for ShieldConfig {
    /// Engine-wide defaults: warn at 0.4, block at 0.7 on the 0.0–1.0 threat
    /// scale, keep 100_000 audit events in memory, and take every layer's own
    /// `Default` for the rest.
    fn default() -> Self {
        // Warn must sit below block for the warning tier to ever be reached.
        const BLOCK_THRESHOLD: f64 = 0.7;
        const WARN_THRESHOLD: f64 = 0.4;
        const AUDIT_MAX_EVENTS: usize = 100_000;

        Self {
            block_threshold: BLOCK_THRESHOLD,
            warn_threshold: WARN_THRESHOLD,
            // Each sub-config's type is inferred from the field.
            sql: Default::default(),
            ssrf: Default::default(),
            rate: Default::default(),
            quarantine: Default::default(),
            audit_max_events: AUDIT_MAX_EVENTS,
            email: Default::default(),
        }
    }
}
117
impl Default for SqlFirewallConfig {
    /// Strict defaults: comments rejected, queries capped at 10_000 bytes,
    /// subqueries at most three deep, and no extra function/schema blocks
    /// beyond the firewall's built-in lists.
    fn default() -> Self {
        const MAX_QUERY_LENGTH: usize = 10_000;
        const MAX_SUBQUERY_DEPTH: u32 = 3;

        Self {
            // Off by default; accepting inline comments is an explicit opt-in.
            allow_comments: false,
            max_query_length: MAX_QUERY_LENGTH,
            max_subquery_depth: MAX_SUBQUERY_DEPTH,
            // Empty: only the built-in lists apply until an operator adds entries.
            blocked_functions: Vec::default(),
            blocked_schemas: Vec::default(),
        }
    }
}
129
impl Default for SsrfConfig {
    /// Deny-by-default posture: every internal address class blocked, only
    /// `http`/`https` accepted, empty allow/block lists, and a fixed set of
    /// well-known internal service ports refused.
    fn default() -> Self {
        // Port → service the default list is meant to keep unreachable.
        const BLOCKED_PORTS: [u16; 21] = [
            22,    // SSH
            23,    // Telnet
            25,    // SMTP
            53,    // DNS
            111,   // rpcbind / portmapper
            135,   // MS-RPC endpoint mapper
            139,   // NetBIOS session
            445,   // SMB
            514,   // syslog / rsh
            873,   // rsync
            2049,  // NFS
            3306,  // MySQL
            5432,  // PostgreSQL
            6379,  // Redis
            6380,  // Redis (commonly a second instance)
            9200,  // Elasticsearch HTTP
            9300,  // Elasticsearch transport
            11211, // memcached
            27017, // MongoDB
            27018, // MongoDB (shard server)
            50070, // Hadoop HDFS NameNode web UI
        ];

        let allowed_schemes = ["http", "https"].iter().map(|s| s.to_string()).collect();

        Self {
            block_private_ips: true,
            block_loopback: true,
            block_link_local: true,
            block_metadata_endpoints: true,
            allowed_schemes,
            // No hosts are pre-allowed or pre-blocked; operators add them.
            allowlist: HashSet::default(),
            blocklist: HashSet::default(),
            blocked_ports: BLOCKED_PORTS.to_vec(),
        }
    }
}
148
impl Default for RateConfig {
    /// Default limiter: 50 req/s sustained with a burst of 100, a four-step
    /// escalation (warn at 3, throttle at 8, block at 15, ban at 30
    /// violations), a 60 s violation decay and 5-minute bans.
    fn default() -> Self {
        const REQUESTS_PER_SECOND: f64 = 50.0;
        const BURST_CAPACITY: f64 = 100.0;
        // Escalation tiers, kept strictly increasing so each step is distinct.
        const WARN_AFTER: u32 = 3;
        const THROTTLE_AFTER: u32 = 8;
        const BLOCK_AFTER: u32 = 15;
        const BAN_AFTER: u32 = 30;
        const BAN_DURATION_SECS: u64 = 5 * 60;
        const VIOLATION_DECAY_SECS: u64 = 60;

        Self {
            requests_per_second: REQUESTS_PER_SECOND,
            burst_capacity: BURST_CAPACITY,
            warn_after: WARN_AFTER,
            throttle_after: THROTTLE_AFTER,
            block_after: BLOCK_AFTER,
            ban_after: BAN_AFTER,
            ban_duration_secs: BAN_DURATION_SECS,
            violation_decay_secs: VIOLATION_DECAY_SECS,
        }
    }
}
163
impl Default for QuarantineConfig {
    /// Conservative import limits (5M rows, 500 MiB, 500 columns) with both
    /// content checks enabled.
    fn default() -> Self {
        const MIB: usize = 1024 * 1024;

        let max_rows = 5_000_000;
        let max_size_bytes = 500 * MIB;
        let max_columns = 500;

        Self {
            max_rows,
            max_size_bytes,
            max_columns,
            // Both scans on: imported data is treated as untrusted.
            check_formula_injection: true,
            check_embedded_scripts: true,
        }
    }
}
174}