Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates

2026-05-08 19:12:37 +02:00 · 2026-03-23 16:45:40 +10:00 · 2026-03-23 16:45:40 +10:00 · 41cbfd6e0a
commit 41cbfd6e0a
parent 694e32be26
178 changed files with 36008 additions and 399 deletions
--- a/internal/domain/engines/engines.go
+++ b/internal/domain/engines/engines.go
@ -0,0 +1,138 @@
+package engines
+
+import (
+	"context"
+	"time"
+)
+
+// EngineStatus represents the health state of a security engine.
+type EngineStatus string
+
+const (
+	EngineHealthy     EngineStatus = "HEALTHY"
+	EngineDegraded    EngineStatus = "DEGRADED"
+	EngineOffline     EngineStatus = "OFFLINE"
+	EngineInitializing EngineStatus = "INITIALIZING"
+)
+
+// ScanResult is the unified output from any security engine.
+type ScanResult struct {
+	Engine      string        `json:"engine"`
+	ThreatFound bool          `json:"threat_found"`
+	ThreatType  string        `json:"threat_type,omitempty"`
+	Severity    string        `json:"severity"`
+	Confidence  float64       `json:"confidence"`
+	Details     string        `json:"details,omitempty"`
+	Indicators  []string      `json:"indicators,omitempty"`
+	Duration    time.Duration `json:"duration_ns"`
+	Timestamp   time.Time     `json:"timestamp"`
+}
+
+// SentinelCore defines the interface for the Rust-based detection engine (§3).
+// Real implementation: FFI bridge to sentinel-core Rust binary.
+// Stub implementation: used when sentinel-core is not deployed.
+type SentinelCore interface {
+	// Name returns the engine identifier.
+	Name() string
+
+	// Status returns current engine health.
+	Status() EngineStatus
+
+	// ScanPrompt analyzes an LLM prompt for injection/jailbreak patterns.
+	ScanPrompt(ctx context.Context, prompt string) (*ScanResult, error)
+
+	// ScanResponse analyzes an LLM response for data exfiltration or harmful content.
+	ScanResponse(ctx context.Context, response string) (*ScanResult, error)
+
+	// Version returns the engine version.
+	Version() string
+}
+
+// Shield defines the interface for the C++ network protection engine (§4).
+// Real implementation: FFI bridge to shield C++ shared library.
+// Stub implementation: used when shield is not deployed.
+type Shield interface {
+	// Name returns the engine identifier.
+	Name() string
+
+	// Status returns current engine health.
+	Status() EngineStatus
+
+	// InspectTraffic analyzes network traffic for threats.
+	InspectTraffic(ctx context.Context, payload []byte, metadata map[string]string) (*ScanResult, error)
+
+	// BlockIP adds an IP to the block list.
+	BlockIP(ctx context.Context, ip string, reason string, duration time.Duration) error
+
+	// ListBlocked returns currently blocked IPs.
+	ListBlocked(ctx context.Context) ([]BlockedIP, error)
+
+	// Version returns the engine version.
+	Version() string
+}
+
+// BlockedIP represents a blocked IP entry.
+type BlockedIP struct {
+	IP        string    `json:"ip"`
+	Reason    string    `json:"reason"`
+	BlockedAt time.Time `json:"blocked_at"`
+	ExpiresAt time.Time `json:"expires_at"`
+}
+
+// --- Stub implementations for standalone Go deployment ---
+
+// StubSentinelCore is a no-op sentinel-core when Rust engine is not deployed.
+type StubSentinelCore struct{}
+
+func NewStubSentinelCore() *StubSentinelCore { return &StubSentinelCore{} }
+func (s *StubSentinelCore) Name() string     { return "sentinel-core-stub" }
+func (s *StubSentinelCore) Status() EngineStatus { return EngineOffline }
+func (s *StubSentinelCore) Version() string  { return "stub-1.0" }
+
+func (s *StubSentinelCore) ScanPrompt(_ context.Context, _ string) (*ScanResult, error) {
+	return &ScanResult{
+		Engine:      "sentinel-core-stub",
+		ThreatFound: false,
+		Severity:    "NONE",
+		Confidence:  0,
+		Details:     "sentinel-core not deployed, stub mode",
+		Timestamp:   time.Now(),
+	}, nil
+}
+
+func (s *StubSentinelCore) ScanResponse(_ context.Context, _ string) (*ScanResult, error) {
+	return &ScanResult{
+		Engine:      "sentinel-core-stub",
+		ThreatFound: false,
+		Severity:    "NONE",
+		Confidence:  0,
+		Details:     "sentinel-core not deployed, stub mode",
+		Timestamp:   time.Now(),
+	}, nil
+}
+
+// StubShield is a no-op shield when C++ engine is not deployed.
+type StubShield struct{}
+
+func NewStubShield() *StubShield         { return &StubShield{} }
+func (s *StubShield) Name() string       { return "shield-stub" }
+func (s *StubShield) Status() EngineStatus { return EngineOffline }
+func (s *StubShield) Version() string    { return "stub-1.0" }
+
+func (s *StubShield) InspectTraffic(_ context.Context, _ []byte, _ map[string]string) (*ScanResult, error) {
+	return &ScanResult{
+		Engine:      "shield-stub",
+		ThreatFound: false,
+		Severity:    "NONE",
+		Details:     "shield not deployed, stub mode",
+		Timestamp:   time.Now(),
+	}, nil
+}
+
+func (s *StubShield) BlockIP(_ context.Context, _ string, _ string, _ time.Duration) error {
+	return nil
+}
+
+func (s *StubShield) ListBlocked(_ context.Context) ([]BlockedIP, error) {
+	return nil, nil
+}