secubox-openwrt/package/secubox/secubox-ai-gateway/README.md
CyberMind-FR f3cea01792 feat(ai-gateway): Add Data Classifier (Sovereignty Engine) for ANSSI CSPN
Implement secubox-ai-gateway package with intelligent AI request routing
based on data sensitivity classification for GDPR/ANSSI compliance.

Features:
- 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
- Provider hierarchy: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI
- PII sanitizer: IPv4/IPv6, MAC, credentials, private keys scrubbing
- OpenAI-compatible API proxy on port 4050
- aigatewayctl CLI: status, classify, sanitize, provider, audit commands
- RPCD backend with 11 ubus methods for LuCI integration
- ANSSI CSPN audit logging in JSONL format

Classification patterns detect:
- IP addresses, MAC addresses, private keys
- Credentials (password, secret, token, api_key)
- System paths, security tool references
- WireGuard configuration data

All cloud providers are opt-in. Default LOCAL_ONLY ensures data
sovereignty - sensitive data never leaves the device.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-28 17:55:22 +01:00


SecuBox AI Gateway

Data Classifier (Sovereignty Engine) for ANSSI CSPN Compliance

The AI Gateway implements intelligent routing of AI requests based on data sensitivity classification, ensuring data sovereignty and GDPR compliance.

Features

  • Three-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
  • Multi-provider support: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI
  • OpenAI-compatible API on port 4050
  • PII sanitization for EU provider tier
  • ANSSI CSPN audit logging
  • Offline mode for airgapped operation

Classification Tiers

| Tier | Content | Destination |
|------|---------|-------------|
| LOCAL_ONLY | IPs, MACs, credentials, keys, logs | LocalAI (on-device) |
| SANITIZED | PII that can be scrubbed | Mistral EU (opt-in) |
| CLOUD_DIRECT | Generic queries | Any provider (opt-in) |

Provider Hierarchy

  1. LocalAI (Priority 0) - Always on-device, no API key needed
  2. Mistral (Priority 1) - EU sovereign, GDPR compliant
  3. Claude (Priority 2) - Anthropic
  4. OpenAI (Priority 3) - GPT models
  5. Gemini (Priority 4) - Google
  6. xAI (Priority 5) - Grok models

All cloud providers are opt-in and require explicit configuration.

CLI Reference

# Status
aigatewayctl status

# Classification testing
aigatewayctl classify "Server IP is 192.168.1.100"
aigatewayctl sanitize "User password=secret on 192.168.1.1"

# Provider management
aigatewayctl provider list
aigatewayctl provider enable mistral
aigatewayctl provider test localai

# Audit
aigatewayctl audit stats
aigatewayctl audit tail
aigatewayctl audit export

# Offline mode (forces LOCAL_ONLY)
aigatewayctl offline-mode on
aigatewayctl offline-mode off

API Usage

The gateway provides an OpenAI-compatible API:

# Chat completion
curl -X POST http://127.0.0.1:4050/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{"messages":[{"role":"user","content":"What is 2+2?"}]}'

# List models
curl http://127.0.0.1:4050/v1/models

# Health check
curl http://127.0.0.1:4050/health

Configuration

UCI Options

# Main configuration
uci set ai-gateway.main.enabled='1'
uci set ai-gateway.main.proxy_port='4050'
uci set ai-gateway.main.offline_mode='0'

# Enable Mistral (EU provider)
uci set ai-gateway.mistral.enabled='1'
uci set ai-gateway.mistral.api_key='your-api-key'
uci commit ai-gateway

Classification Patterns

Edit /etc/config/ai-gateway to customize detection patterns:

config patterns 'local_only_patterns'
    list pattern '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    list pattern 'password|secret|token'
    list pattern 'BEGIN.*PRIVATE KEY'
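
A way to check what a pattern set actually catches before relying on it, as an added example (not the gateway's own code): it runs the three patterns above with `grep -E` over constructed samples and lists the ones that would not be classified LOCAL_ONLY. Assumptions: the function names, the samples, and that patterns are evaluated as case-sensitive POSIX extended regexes; the README does not state the matching engine or its flags.

```shell
#!/bin/sh
# Added example, not the gateway's code. PATTERNS holds the three sample
# patterns from the README; function names and samples are constructed.
PATTERNS='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
password|secret|token
BEGIN.*PRIVATE KEY'

# matched_pattern TEXT [GREP_FLAG]: print the first pattern that matches TEXT
# (empty output if none). GREP_FLAG is optional, e.g. -i (assumed, see lead-in).
matched_pattern() {
    printf '%s\n' "$PATTERNS" | while IFS= read -r pat; do
        if printf '%s\n' "$1" | grep -Eq ${2:+"$2"} -e "$pat"; then
            printf '%s\n' "$pat"
            break
        fi
    done
}

# tier_for TEXT [GREP_FLAG]: LOCAL_ONLY on any match; otherwise NO_MATCH,
# meaning only that none of these three patterns fired.
tier_for() {
    if [ -n "$(matched_pattern "$1" "${2:-}")" ]; then
        echo LOCAL_ONLY
    else
        echo NO_MATCH
    fi
}

# missed_samples [GREP_FLAG]: read must-stay-local samples on stdin, one per
# line, and print those the pattern set fails to catch.
missed_samples() {
    while IFS= read -r sample; do
        [ "$(tier_for "$sample" "${1:-}")" = LOCAL_ONLY ] || printf '%s\n' "$sample"
    done
}

# Constructed samples that should never leave the device.
SAMPLES='Server IP is 192.168.1.100
-----BEGIN OPENSSH PRIVATE KEY-----
PASSWORD=hunter2
api_key=abc123
link-local fe80::1 on eth0
device 00:11:22:33:44:55'

printf '%s\n' "$SAMPLES" | missed_samples      # case-sensitive run
printf '%s\n' "$SAMPLES" | missed_samples -i   # case-insensitive run
```

With only these three sample patterns, the uppercase credential, the `api_key` assignment, the IPv6 address and the MAC address are reported as missed, and `-i` recovers only the first of them. Any sample that must stay on-device and appears in this output needs its own pattern in `local_only_patterns`.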

Audit Logging

Audit logs are stored in JSONL format for ANSSI CSPN compliance:

/var/log/ai-gateway/audit.jsonl

Each entry includes:

  • Timestamp (ISO 8601)
  • Request ID
  • Classification decision
  • Matched pattern
  • Provider used
  • Sanitization status

Export for compliance review:

aigatewayctl audit export
# Creates: /tmp/ai-gateway-audit-YYYYMMDD-HHMMSS.jsonl.gz

ANSSI CSPN Compliance Points

  1. Data Sovereignty: LOCAL_ONLY tier never sends data externally
  2. EU Preference: Mistral (France) prioritized over US providers
  3. Audit Trail: All classifications logged with timestamps
  4. Offline Capability: Can operate fully airgapped
  5. Explicit Consent: All cloud providers require opt-in

File Locations

| Path | Description |
|------|-------------|
| /etc/config/ai-gateway | UCI configuration |
| /usr/sbin/aigatewayctl | CLI controller |
| /usr/lib/ai-gateway/ | Library scripts |
| /var/log/ai-gateway/audit.jsonl | Audit log |
| /tmp/ai-gateway/ | Runtime state |

Dependencies

  • jsonfilter (OpenWrt native)
  • wget-ssl (HTTPS support)
  • secubox-app-localai (optional, for local inference)

License

MIT License - Copyright (C) 2026 CyberMind.fr