|
…
|
||
|---|---|---|
| .. | ||
| files | ||
| Makefile | ||
| README.md | ||
SecuBox AI Gateway
Data Classifier (Sovereignty Engine) for ANSSI CSPN Compliance
The AI Gateway implements intelligent routing of AI requests based on data sensitivity classification, ensuring data sovereignty and GDPR compliance.
Features
- Three-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
- Multi-provider support: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI
- OpenAI-compatible API on port 4050
- PII sanitization for EU provider tier
- ANSSI CSPN audit logging
- Offline mode for airgapped operation
Classification Tiers
| Tier | Content | Destination |
|---|---|---|
LOCAL_ONLY |
IPs, MACs, credentials, keys, logs | LocalAI (on-device) |
SANITIZED |
PII that can be scrubbed | Mistral EU (opt-in) |
CLOUD_DIRECT |
Generic queries | Any provider (opt-in) |
Provider Hierarchy
- LocalAI (Priority 0) - Always on-device, no API key needed
- Mistral (Priority 1) - EU sovereign, GDPR compliant
- Claude (Priority 2) - Anthropic
- OpenAI (Priority 3) - GPT models
- Gemini (Priority 4) - Google
- xAI (Priority 5) - Grok models
All cloud providers are opt-in and require explicit configuration.
CLI Reference
# Status
aigatewayctl status
# Classification testing
aigatewayctl classify "Server IP is 192.168.1.100"
aigatewayctl sanitize "User password=secret on 192.168.1.1"
# Provider management
aigatewayctl provider list
aigatewayctl provider enable mistral
aigatewayctl provider test localai
# Audit
aigatewayctl audit stats
aigatewayctl audit tail
aigatewayctl audit export
# Offline mode (forces LOCAL_ONLY)
aigatewayctl offline-mode on
aigatewayctl offline-mode off
API Usage
The gateway provides an OpenAI-compatible API:
# Chat completion
curl -X POST http://127.0.0.1:4050/v1/chat/completions \
-H "Content-Type: application/json" \
-d '{"messages":[{"role":"user","content":"What is 2+2?"}]}'
# List models
curl http://127.0.0.1:4050/v1/models
# Health check
curl http://127.0.0.1:4050/health
Configuration
UCI Options
# Main configuration
uci set ai-gateway.main.enabled='1'
uci set ai-gateway.main.proxy_port='4050'
uci set ai-gateway.main.offline_mode='0'
# Enable Mistral (EU provider)
uci set ai-gateway.mistral.enabled='1'
uci set ai-gateway.mistral.api_key='your-api-key'
uci commit ai-gateway
Classification Patterns
Edit /etc/config/ai-gateway to customize detection patterns:
config patterns 'local_only_patterns'
list pattern '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
list pattern 'password|secret|token'
list pattern 'BEGIN.*PRIVATE KEY'
Audit Logging
Audit logs are stored in JSONL format for ANSSI CSPN compliance:
/var/log/ai-gateway/audit.jsonl
Each entry includes:
- Timestamp (ISO 8601)
- Request ID
- Classification decision
- Matched pattern
- Provider used
- Sanitization status
Export for compliance review:
aigatewayctl audit export
# Creates: /tmp/ai-gateway-audit-YYYYMMDD-HHMMSS.jsonl.gz
ANSSI CSPN Compliance Points
- Data Sovereignty: LOCAL_ONLY tier never sends data externally
- EU Preference: Mistral (France) prioritized over US providers
- Audit Trail: All classifications logged with timestamps
- Offline Capability: Can operate fully airgapped
- Explicit Consent: All cloud providers require opt-in
File Locations
| Path | Description |
|---|---|
/etc/config/ai-gateway |
UCI configuration |
/usr/sbin/aigatewayctl |
CLI controller |
/usr/lib/ai-gateway/ |
Library scripts |
/var/log/ai-gateway/audit.jsonl |
Audit log |
/tmp/ai-gateway/ |
Runtime state |
Dependencies
jsonfilter(OpenWrt native)wget-ssl(HTTPS support)secubox-app-localai(optional, for local inference)
License
MIT License - Copyright (C) 2026 CyberMind.fr