zerodds_security_runtime/lib.rs
1// SPDX-License-Identifier: Apache-2.0
2// Copyright 2026 ZeroDDS Contributors
3
4//! Crate `zerodds-security-runtime`. Safety classification: **SAFE** (reiner Adapter ohne eigene Crypto-Primitiven — delegiert an `security-crypto` + `security-rtps`).
5//!
6//! Security-Runtime: Governance-driven Plugin-Lifecycle, Peer-Capabilities-Cache,
7//! Outbound-/Inbound-Verdict-Engine, Built-in DataTagging, Anti-Squatter,
8//! Heterogeneous-Mesh-Gateway-Bridge. Adapter-Schicht zwischen Governance-XML-Policy
9//! und dem Secure-Submessage-Wrapper.
10//!
11//! ## Schichten-Position
12//!
13//! Layer 4 — Core Services. Konsumiert `zerodds-security` (SPI) +
14//! `zerodds-security-crypto` + `-permissions` + `-pki` + `-rtps` +
15//! `zerodds-rtps` + `zerodds-qos`. Wird vom DCPS-Runtime via
16//! `Box<dyn ...>`-Plugins gefuettert (Feature `security`).
17//!
18//! ## Public API (Stand 1.0.0-rc.1)
19//!
20//! - [`SecurityGate`] — High-Level-Adapter zwischen Governance + Crypto + RTPS-Wrap.
21//! - `engine::*` — `GovernancePolicyEngine`-Default-Impl + `PolicyEngine`-Trait.
22//! - `policy::*` — `PolicyDecision` mit Suite, Receiver-MACs, Topic-Class.
23//! - `caps::*` — `PeerCapabilities` + `PeerCapabilitiesCache`.
24//! - `caps_wire::*` — SPDP-Mapping fuer Peer-Capabilities (Wire-Codec).
25//! - `peer_class::*` — `<peer_class>`-Match (CIDR, Subject-Patterns).
26//! - `endpoint::*` — Endpoint-Slot-Lookup.
27//! - `data_tagging::*` — Built-in DataTaggingPlugin (Spec §8.7).
28//! - `builtin_topics::*` — DCPSParticipantStatelessMessage + DCPSParticipantVolatileMessageSecure.
29//! - `anti_squatter::*` — Spec §8.5.3 Anti-Squatter-Logik.
30//! - `gateway_bridge::*` — Heterogeneous-Mesh-Gateway-Bridge (Edge ↔ Backend).
31//! - `shared::*` — Shared-Inbound/Outbound-Verdict-Types.
32//!
33//! # Beispiel
34//!
35//! ```no_run
36//! use zerodds_security_crypto::AesGcmCryptoPlugin;
37//! use zerodds_security_permissions::parse_governance_xml;
38//! use zerodds_security_runtime::SecurityGate;
39//!
40//! let governance = parse_governance_xml(GOVERNANCE_XML).unwrap();
41//! let mut crypto = AesGcmCryptoPlugin::new();
42//! let mut gate = SecurityGate::new(0, governance, &mut crypto);
43//!
44//! // Outbound:
45//! let wire = gate.encode_outbound("Chatter", b"hello").unwrap();
46//!
47//! // Inbound (am Peer):
48//! let plain = gate.decode_inbound("Chatter", &wire).unwrap();
49//! # const GOVERNANCE_XML: &str = "";
50//! ```
51
52#![cfg_attr(not(feature = "std"), no_std)]
53#![forbid(unsafe_code)]
54#![warn(missing_docs)]
55
56extern crate alloc;
57
58pub mod anti_squatter;
59pub mod builtin_topics;
60pub mod caps;
61pub mod caps_wire;
62pub mod data_tagging;
63pub mod endpoint;
64mod engine;
65mod gate;
66pub mod gateway_bridge;
67pub mod peer_class;
68pub mod policy;
69mod shared;
70
71pub use anti_squatter::{BindingDecision, GuidPrefixBytes, IdentityBindingCache};
72pub use caps::{PeerCache, PeerCapabilities, Validity};
73pub use caps_wire::{advertise_security_caps, parse_peer_caps};
74pub use data_tagging::{BuiltinDataTaggingPlugin, TAG_PROPERTY_PREFIX};
75pub use endpoint::{EndpointMatch, EndpointProtection, MatchRejectReason, match_endpoints};
76pub use engine::GovernancePolicyEngine;
77pub use gate::{SecurityGate, SecurityGateError};
78pub use gateway_bridge::{
79 GatewayBridge, GatewayBridgeConfig, GatewayBridgeError, GatewayBridgeResult,
80};
81pub use peer_class::{
82 interface_accepts_class, peer_matches_class, resolve_peer_class, resolve_protection,
83};
84pub use policy::{
85 InboundCtx, InterfaceConfig, IpRange, NetInterface, OutboundCtx, PolicyDecision, PolicyEngine,
86 ProtectionLevel, SuiteHint, classify_interface,
87};
88pub use shared::{InboundVerdict, PeerKey, SharedSecurityGate};
89
90// Re-exports aus zerodds-security fuer Downstream-Crates, die nur
91// `zerodds-security-runtime` depen (vor allem `dcps` fuer die Security-
92// Logger-Integration).
93pub use zerodds_security::logging::{LogLevel, LoggingPlugin};