Expand description
Public library surface for KeyClaw.
KeyClaw is a local MITM proxy that rewrites secrets out of outbound LLM traffic before it leaves the machine, then resolves placeholders back into inbound responses for the local client.
Re-exports§
pub use config::Config;
Modules§
- allowlist
- Operator-controlled allowlist primitives for suppressing known-safe matches.
- audit
- Persistent audit-log helpers for recording redaction events without raw secrets.
- certgen
- Runtime CA certificate generation and validation. Runtime generation and validation of the local KeyClaw certificate authority.
- config
- Runtime configuration loaded from defaults,
~/.keyclaw/config.toml, and env vars. Runtime configuration loaded from defaults, an optional TOML file, and environment variable overrides. - entropy
- High-entropy token detection used alongside provider-specific rules. Shannon entropy calculation and high-entropy token detection.
- errors
- Error types and deterministic error-code helpers. Error types and deterministic error-code helpers used throughout KeyClaw.
- gitleaks_
rules - Bundled gitleaks rule loading, compilation, and matching. Bundled gitleaks rule loading, compilation, and matching.
- kingfisher
- Second-pass secret scanning backed by Kingfisher.
Second-pass secret scanning via the external
kingfisherbinary. - launcher
- CLI entrypoints and launched-tool integration.
- logging
- Operator-facing runtime logging utilities.
- logscrub
- Log scrubbing utilities for redacting secrets from operator-visible output.
- pipeline
- Request rewrite and placeholder-resolution pipeline. Request rewrite and placeholder-resolution pipeline shared by the proxy and CLI helpers.
- placeholder
- Placeholder generation, parsing, and resolution helpers. Placeholder generation, parsing, and resolution helpers.
- proxy
- Proxy server entrypoint and handler wiring. Proxy server entrypoint and handler wiring.
- redaction
- JSON-walking utilities and redaction-notice injection. JSON-walking utilities and redaction-notice injection.
- stats
- Audit-log backed CLI stats summaries.
- vault
- AES-GCM encrypted local secret storage. AES-GCM encrypted local storage for placeholder-to-secret mappings.