secubox-openwrt/package/secubox/secubox-ai-gateway/README.md
CyberMind-FR f3cea01792 feat(ai-gateway): Add Data Classifier (Sovereignty Engine) for ANSSI CSPN
Implement secubox-ai-gateway package with intelligent AI request routing
based on data sensitivity classification for GDPR/ANSSI compliance.

Features:
- 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
- Provider hierarchy: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI
- PII sanitizer: IPv4/IPv6, MAC, credentials, private keys scrubbing
- OpenAI-compatible API proxy on port 4050
- aigatewayctl CLI: status, classify, sanitize, provider, audit commands
- RPCD backend with 11 ubus methods for LuCI integration
- ANSSI CSPN audit logging in JSONL format

Classification patterns detect:
- IP addresses, MAC addresses, private keys
- Credentials (password, secret, token, api_key)
- System paths, security tool references
- WireGuard configuration data

All cloud providers are opt-in. Default LOCAL_ONLY ensures data
sovereignty - sensitive data never leaves the device.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-28 17:55:22 +01:00

# SecuBox AI Gateway
**Data Classifier (Sovereignty Engine) for ANSSI CSPN Compliance**

The AI Gateway implements intelligent routing of AI requests based on data sensitivity classification, ensuring data sovereignty and GDPR compliance.
## Features
- **Three-tier data classification**: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
- **Multi-provider support**: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI
- **OpenAI-compatible API** on port 4050
- **PII sanitization** for EU provider tier
- **ANSSI CSPN audit logging**
- **Offline mode** for airgapped operation
## Classification Tiers
| Tier | Content | Destination |
|------|---------|-------------|
| `LOCAL_ONLY` | IPs, MACs, credentials, keys, logs | LocalAI (on-device) |
| `SANITIZED` | PII that can be scrubbed | Mistral EU (opt-in) |
| `CLOUD_DIRECT` | Generic queries | Any provider (opt-in) |
## Provider Hierarchy
1. **LocalAI** (Priority 0) - Always on-device, no API key needed
2. **Mistral** (Priority 1) - EU sovereign, GDPR compliant
3. **Claude** (Priority 2) - Anthropic
4. **OpenAI** (Priority 3) - GPT models
5. **Gemini** (Priority 4) - Google
6. **xAI** (Priority 5) - Grok models

All cloud providers are **opt-in** and require explicit configuration.
## CLI Reference
```sh
# Status
aigatewayctl status
# Classification testing
aigatewayctl classify "Server IP is 192.168.1.100"
aigatewayctl sanitize "User password=secret on 192.168.1.1"
# Provider management
aigatewayctl provider list
aigatewayctl provider enable mistral
aigatewayctl provider test localai
# Audit
aigatewayctl audit stats
aigatewayctl audit tail
aigatewayctl audit export
# Offline mode (forces LOCAL_ONLY)
aigatewayctl offline-mode on
aigatewayctl offline-mode off
```
## API Usage
The gateway provides an OpenAI-compatible API:
```sh
# Chat completion
curl -X POST http://127.0.0.1:4050/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{"messages":[{"role":"user","content":"What is 2+2?"}]}'
# List models
curl http://127.0.0.1:4050/v1/models
# Health check
curl http://127.0.0.1:4050/health
```
## Configuration
### UCI Options
```sh
# Main configuration
uci set ai-gateway.main.enabled='1'
uci set ai-gateway.main.proxy_port='4050'
uci set ai-gateway.main.offline_mode='0'
# Enable Mistral (EU provider)
uci set ai-gateway.mistral.enabled='1'
uci set ai-gateway.mistral.api_key='your-api-key'
uci commit ai-gateway
```
### Classification Patterns
Edit `/etc/config/ai-gateway` to customize detection patterns:
```uci
config patterns 'local_only_patterns'
	list pattern '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
	list pattern 'password|secret|token'
	list pattern 'BEGIN.*PRIVATE KEY'
```
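After editing the pattern list, it is worth confirming that content meant to stay on-device still matches at least one `local_only_patterns` entry. The following is an added example, not part of the project's code: it assumes the patterns behave as case-sensitive POSIX extended regexes (`grep -E`), and the function names, sample strings and MAC pattern are constructed for illustration.

```sh
#!/bin/sh
# Added example: regression check for an edited local_only_patterns list.
# Assumption: patterns behave as case-sensitive POSIX EREs (grep -E).

# The three patterns from the config fragment above, one per line.
PAGE_PATTERNS='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
password|secret|token
BEGIN.*PRIVATE KEY'

# Constructed samples that must stay on-device, one per line.
MUST_STAY_LOCAL='Server IP is 192.168.1.100
User password=hunter2
-----BEGIN RSA PRIVATE KEY-----
Lease for aa:bb:cc:dd:ee:ff expired'

# first_match PATTERNS TEXT: print the first pattern matching TEXT; status 1 if none.
first_match() {
    fm_text=$2
    while IFS= read -r fm_pat; do
        [ -n "$fm_pat" ] || continue
        if printf '%s\n' "$fm_text" | grep -Eq -e "$fm_pat"; then
            printf '%s\n' "$fm_pat"
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# coverage_gaps PATTERNS: print every must-stay-local sample that no pattern matches.
coverage_gaps() {
    cg_patterns=$1
    while IFS= read -r cg_sample; do
        first_match "$cg_patterns" "$cg_sample" >/dev/null || printf '%s\n' "$cg_sample"
    done <<EOF
$MUST_STAY_LOCAL
EOF
}

# The fragment above has no MAC pattern, so the MAC sample is reported as a gap.
coverage_gaps "$PAGE_PATTERNS"
# Appending a MAC pattern (hypothetical, not from the page) closes the gap.
MAC_PATTERN='([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}'
coverage_gaps "$PAGE_PATTERNS
$MAC_PATTERN"
```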
## Audit Logging
Audit logs are stored in JSONL format for ANSSI CSPN compliance:
```
/var/log/ai-gateway/audit.jsonl
```
Each entry includes:
- Timestamp (ISO 8601)
- Request ID
- Classification decision
- Matched pattern
- Provider used
- Sanitization status

Export for compliance review:
```sh
aigatewayctl audit export
# Creates: /tmp/ai-gateway-audit-YYYYMMDD-HHMMSS.jsonl.gz
```
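The audit trail can be checked against the tier table: a `LOCAL_ONLY` decision should only ever be paired with the on-device provider, and a `SANITIZED` request that left the device should be marked as scrubbed. This is an added example, not the project's code; the JSON key names (`request_id`, `classification`, `provider`, `sanitized`) and the sample entries are assumptions, since the page lists the fields but not their keys.

```sh
#!/bin/sh
# Added example: scan audit entries for routing that contradicts the tier table.
# Assumed JSON keys (not from the page): request_id, classification, provider, sanitized.

# Constructed sample entries, one JSON object per line.
SAMPLE_AUDIT='{"timestamp":"2026-02-28T17:00:01+01:00","request_id":"r1","classification":"LOCAL_ONLY","provider":"localai","sanitized":false}
{"timestamp":"2026-02-28T17:00:02+01:00","request_id":"r2","classification":"SANITIZED","provider":"mistral","sanitized":true}
{"timestamp":"2026-02-28T17:00:03+01:00","request_id":"r3","classification":"LOCAL_ONLY","provider":"mistral","sanitized":false}
{"timestamp":"2026-02-28T17:00:04+01:00","request_id":"r4","classification":"SANITIZED","provider":"mistral","sanitized":false}
{"timestamp":"2026-02-28T17:00:05+01:00","request_id":"r5","classification":"CLOUD_DIRECT","provider":"claude","sanitized":false}'

# json_field KEY LINE: value of a flat string or boolean field (no nesting, no escapes).
json_field() {
    printf '%s\n' "$2" | sed -n 's/.*"'"$1"'":"\{0,1\}\([^",}]*\).*/\1/p'
}

# audit_violations: read JSONL on stdin, print one line per suspicious entry.
audit_violations() {
    while IFS= read -r av_line; do
        [ -n "$av_line" ] || continue
        av_id=$(json_field request_id "$av_line")
        av_tier=$(json_field classification "$av_line")
        av_prov=$(json_field provider "$av_line")
        av_san=$(json_field sanitized "$av_line")
        if [ -z "$av_tier" ] || [ -z "$av_prov" ]; then
            # Entries that cannot be read are reported, not silently skipped.
            echo "${av_id:-?}: unparsable entry"
        elif [ "$av_tier" = LOCAL_ONLY ] && [ "$av_prov" != localai ]; then
            echo "$av_id: LOCAL_ONLY routed to $av_prov"
        elif [ "$av_tier" = SANITIZED ] && [ "$av_prov" != localai ] && [ "$av_san" != true ]; then
            echo "$av_id: SANITIZED sent to $av_prov without scrubbing"
        fi
    done
}

# Run over the constructed sample; on a device the input would be the audit log file.
printf '%s\n' "$SAMPLE_AUDIT" | audit_violations
```

On a device the same function would read `/var/log/ai-gateway/audit.jsonl` on stdin, after adjusting the key names to those the gateway actually writes.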
## ANSSI CSPN Compliance Points
1. **Data Sovereignty**: LOCAL_ONLY tier never sends data externally
2. **EU Preference**: Mistral (France) prioritized over US providers
3. **Audit Trail**: All classifications logged with timestamps
4. **Offline Capability**: Can operate fully airgapped
5. **Explicit Consent**: All cloud providers require opt-in
## File Locations
| Path | Description |
|------|-------------|
| `/etc/config/ai-gateway` | UCI configuration |
| `/usr/sbin/aigatewayctl` | CLI controller |
| `/usr/lib/ai-gateway/` | Library scripts |
| `/var/log/ai-gateway/audit.jsonl` | Audit log |
| `/tmp/ai-gateway/` | Runtime state |
## Dependencies
- `jsonfilter` (OpenWrt native)
- `wget-ssl` (HTTPS support)
- `secubox-app-localai` (optional, for local inference)
## License
MIT License - Copyright (C) 2026 CyberMind.fr