NexusShield
Adaptive zero-trust security engine for the Nexus platform.
Protects services from SQL injection, SSRF, command injection, path traversal, and automated attacks through a layered defense architecture:
- SQL Firewall — AST-level SQL parsing (not regex) to detect injection
- SSRF Guard — IP/DNS validation blocking internal network probing
- Rate Governor — Adaptive rate limiting with behavioral escalation
- Request Fingerprinting — Bot detection via header/behavioral analysis
- Data Quarantine — Validates imported data for malicious payloads
- Audit Chain — Hash-chained tamper-evident security event log
- Input Sanitizer — Connection string and path traversal prevention
- Threat Scoring — Multi-signal adaptive threat assessment (0.0–1.0)
Re-exports

pub use audit_chain::AuditChain;
pub use audit_chain::AuditEvent;
pub use audit_chain::SecurityEventType;
pub use config::ShieldConfig;
pub use email_guard::EmailGuardConfig;
pub use email_guard::EmailRateLimiter;
pub use threat_score::ThreatAction;
pub use threat_score::ThreatAssessment;
Modules

- audit_chain - Audit Chain — Tamper-evident, hash-chained security event log.
- auth - Auth — protects sensitive API endpoints with Bearer token authentication.
- compliance_report - Compliance Report — generates HTML security posture reports for auditors, compliance teams, and management.
- config
- credential_vault - Credential Vault
- email_guard - Email Guard — Protects email endpoints from abuse and injection attacks.
- endpoint - Endpoint Protection Engine
- ferrum_integration - Ferrum-Mail Integration — sends formatted HTML security alert emails when critical/high severity events are detected.
- fingerprint - Request Fingerprinting — Behavioral analysis and bot detection.
- journal - Journal — writes security events to the systemd journal with structured fields for filtering via journalctl.
- metrics - Metrics — exposes NexusShield counters in Prometheus text exposition format at the /metrics endpoint.
- nexuspulse_integration - NexusPulse Integration — sends SMS security alerts to configured phone numbers when critical or high-severity events are detected.
- quarantine - Data Quarantine — Validates imported data before it enters the system.
- rate_governor - Rate Governor — Adaptive rate limiting with behavioral escalation.
- sanitizer - Input Sanitizer — Connection string validation, path traversal prevention, and error message sanitization.
- siem_export - SIEM Export — forwards audit chain events to external security information and event management systems in real-time.
- signature_updater - Signature Updater — periodically fetches malware signatures from a remote NDJSON feed and updates the local signature database.
- sql_firewall - SQL Firewall — AST-level SQL injection detection.
- sse_events - SSE Events — streams audit chain events and endpoint detections in real-time via the /events HTTP endpoint using Server-Sent Events (text/event-stream).
- ssrf_guard - SSRF Guard — Server-Side Request Forgery prevention.
- threat_score - Threat Scoring Engine — Adaptive multi-signal threat assessment.
- webhook - Webhook — sends real-time alerts to Slack, Discord, PagerDuty, or any HTTP endpoint when security events exceed a severity threshold.
Structs

- Shield - Core security engine that orchestrates all NexusShield components.

Enums

- ShieldError - Errors raised by the NexusShield security engine.

Functions

- shield_middleware - Axum middleware that performs per-request threat assessment.