sanctum_ai/lib.rs
1//! # sanctum-core
2//!
3//! Pure, synchronous credential vault library for AI agent infrastructure.
4//!
//! `sanctum-core` provides in-process secret management with policy enforcement
//! and tamper-evident audit logging — no daemon, no sockets, no async runtime.
//! The RPC types re-exported from [`protocol`] are intended for an external
//! daemon; that daemon, not this crate, is expected to own the transport.
7//!
//! ## Quick Start
//!
//! The example below requires the `storage-sqlite` feature: [`Vault`] and
//! [`AuditFilter`] are compiled only when it is enabled.
//!
10//! ```no_run
11//! use sanctum_ai::{Vault, VaultError};
12//!
//! // Create a new vault. The path and passphrase are placeholders: keep a real
//! // vault outside world-writable directories such as /tmp, and read the
//! // passphrase from a prompt or secret input rather than a literal in code.
14//! let vault = Vault::init("/tmp/my-vault", b"strong-passphrase")?;
15//!
//! // Store a credential on behalf of agent "my-agent". The trailing `None` is
//! // the optional fourth argument to `Vault::store`; see its docs for what it
//! // controls.
17//! vault.store("OPENAI_API_KEY", b"sk-abc123", "my-agent", None)?;
18//!
//! // Retrieve it, again as "my-agent". Note that the agent name is a plain
//! // string the caller asserts; because the vault runs in-process, the policy
//! // check keyed on it guards against mistakes by cooperating code, not
//! // against code that already controls this process.
20//! let secret = vault.retrieve("OPENAI_API_KEY", "my-agent")?;
21//! assert_eq!(secret, b"sk-abc123");
22//!
23//! // Query the audit log
24//! use sanctum_ai::AuditFilter;
25//! let entries = vault.audit_log(&AuditFilter::new().agent("my-agent"))?;
26//! # Ok::<(), VaultError>(())
27//! ```
28//!
29//! ## Architecture
30//!
//! The [`Vault`] facade composes three subsystems. Policy and Audit are always
//! available; the Store and the facade itself require the `storage-sqlite`
//! feature:
32//!
33//! - **Store** ([`VaultStore`]) — SQLite metadata + [`SealedVault`](sealed::SealedVault) encrypted storage
34//! - **Policy** ([`PolicyEngine`]) — glob-based access control with rate limiting
//! - **Audit** ([`AuditLogger`](audit::AuditLogger)) — hash-chained, tamper-evident logging.
//!   A hash chain detects edits to earlier entries only when the current chain
//!   head is checked against a copy kept outside the log writer's reach; an
//!   attacker able to rewrite the whole log can simply re-chain it, so anchor
//!   (or sign) the head if the log must survive a compromised host.
37#![allow(dead_code)]
// ── Modules (always available — pure Rust) ───────────────────────────
// None of these carry a `cfg` gate, so the policy, audit, baseline/anomaly,
// compliance and crypto logic compiles with every optional feature disabled.
pub mod agent;
pub mod anomaly;
pub mod audit;
pub mod baseline;
pub mod crypto;
pub mod error;
pub mod export;
pub mod policy;
// RPC request/response types for an external daemon (see the `protocol`
// re-export below). The crate docs state the library itself opens no sockets,
// so the transport is expected to live in that daemon, not here.
pub mod protocol;
pub mod compliance;
pub mod use_audit;

// ── Modules (storage-sqlite — require SQLite/C dependencies) ─────────
// The on-disk store, sealed (encrypted) storage, migrations and the `Vault`
// facade all sit behind this feature; without it the crate is the pure-Rust
// logic above only.
#[cfg(feature = "storage-sqlite")]
pub mod migration;
#[cfg(feature = "storage-sqlite")]
pub mod sealed;
#[cfg(feature = "storage-sqlite")]
pub mod store;
#[cfg(feature = "storage-sqlite")]
pub mod vault;
// OS keychain integration is built for macOS only, on top of the SQLite store.
#[cfg(all(feature = "storage-sqlite", target_os = "macos"))]
pub mod keychain;
// Presumably the terminal-driven front end to `env_migration` (name-inferred);
// it needs the store, the `cli` output layer and filesystem access.
#[cfg(all(feature = "storage-sqlite", feature = "cli", feature = "filesystem"))]
pub mod env_migration_cli;

// ── Modules (filesystem — require filesystem dependencies) ───────────
#[cfg(feature = "filesystem")]
pub mod env_migration;
// NOTE(review): `scanner` is gated on all three features; presumably it reads
// the filesystem and reports through `output` — confirm against scanner.rs.
#[cfg(all(feature = "filesystem", feature = "cli", feature = "storage-sqlite"))]
pub mod scanner;

// ── Modules (cli — require terminal output dependencies) ─────────────
#[cfg(feature = "cli")]
pub mod output;

// ── Modules (TLS only) ──────────────────────────────────────────────
#[cfg(feature = "tls")]
pub mod tls;

// ── Primary API ──────────────────────────────────────────────────────
// The facade and its audit query type exist only with `storage-sqlite`; the
// crate-level Quick Start example depends on this feature being enabled.
#[cfg(feature = "storage-sqlite")]
pub use vault::{AuditFilter, Vault};

// ── Core types ───────────────────────────────────────────────────────
// Errors
pub use error::{Result, VaultError};

// Policy (feature-independent: usable without any storage backend)
pub use policy::{Action, Policy, PolicyConditions, PolicyDecision, PolicyEngine};

// Storage (storage-sqlite only)
#[cfg(feature = "storage-sqlite")]
pub use store::{AgentInfo, CredentialMeta, VaultStore};

// Audit (feature-independent)
pub use audit::AuditEntry;

// Compliance
pub use compliance::{ComplianceReport, ReportConfig, ReportGenerator, SecurityPosture};

// Baseline & Anomaly
pub use baseline::{AccessBaseline, BaselineEngine};
pub use anomaly::{AnomalyAlert, AnomalyConfig, AnomalyDetector, AlertKind, Severity};

// Protocol (for daemon integration). As far as this file shows these are
// message types only; the crate docs state that no daemon or sockets live in
// the library, so the transport is expected to be provided by that daemon.
pub use protocol::{RpcError, RpcRequest, RpcResponse};