gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f424ec72c1
secubox-openwrt/package/secubox/secubox-ai-gateway/files/etc/config/ai-gateway
CyberMind-FR f3cea01792 feat(ai-gateway): Add Data Classifier (Sovereignty Engine) for ANSSI CSPN 
Implement secubox-ai-gateway package with intelligent AI request routing
based on data sensitivity classification for GDPR/ANSSI compliance.

Features:
- 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
- Provider hierarchy: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI
- PII sanitizer: IPv4/IPv6, MAC, credentials, private keys scrubbing
- OpenAI-compatible API proxy on port 4050
- aigatewayctl CLI: status, classify, sanitize, provider, audit commands
- RPCD backend with 11 ubus methods for LuCI integration
- ANSSI CSPN audit logging in JSONL format

Classification patterns detect:
- IP addresses, MAC addresses, private keys
- Credentials (password, secret, token, api_key)
- System paths, security tool references
- WireGuard configuration data

All cloud providers are opt-in. Default LOCAL_ONLY ensures data
sovereignty - sensitive data never leaves the device.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-28 17:55:22 +01:00

102 lines
2.9 KiB
Plaintext
Raw Blame History

# SecuBox AI Gateway Configuration
# Data Classifier (Sovereignty Engine) for ANSSI CSPN Compliance
config ai-gateway 'main'
option enabled '1'
option proxy_port '4050'
option proxy_host '127.0.0.1'
option default_classification 'local_only'
option offline_mode '0'
config classifier 'classifier'
option enabled '1'
option strict_mode '1'
# LOCAL_ONLY patterns - data that NEVER leaves the device
config patterns 'local_only_patterns'
# IPv4 addresses
list pattern '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
# IPv6 addresses
list pattern '[0-9a-fA-F:]{8,39}'
# MAC addresses
list pattern '[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}'
# Credentials
list pattern 'password|passwd|secret|token|api[_-]?key|private[_-]?key'
# Private keys
list pattern 'BEGIN.*PRIVATE KEY'
# System paths
list pattern '/var/log|/etc/config|/etc/shadow|/etc/passwd'
# Security tools
list pattern 'crowdsec|iptables|nftables|firewall|wireguard'
# WireGuard references
list pattern 'wg[0-9]+|AllowedIPs|Endpoint'
# Patterns that CAN be sanitized for EU providers
config patterns 'sanitizable_patterns'
list pattern '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
list pattern '[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}'
# Provider: LocalAI (on-device, always enabled)
config provider 'localai'
option enabled '1'
option priority '0'
option classification 'local_only'
option endpoint 'http://127.0.0.1:8081'
option model 'tinyllama-1.1b-chat-v1.0.Q4_K_M'
# Provider: Mistral (EU sovereign, GDPR compliant)
config provider 'mistral'
option enabled '0'
option priority '1'
option classification 'sanitized'
option endpoint 'https://api.mistral.ai/v1'
option api_key ''
option model 'mistral-small-latest'
option region 'eu'
# Provider: Claude (Anthropic)
config provider 'claude'
option enabled '0'
option priority '2'
option classification 'cloud_direct'
option endpoint 'https://api.anthropic.com/v1'
option api_key ''
option model 'claude-sonnet-4-20250514'
# Provider: OpenAI
config provider 'openai'
option enabled '0'
option priority '3'
option classification 'cloud_direct'
option endpoint 'https://api.openai.com/v1'
option api_key ''
option model 'gpt-4o'
# Provider: Gemini (Google)
config provider 'gemini'
option enabled '0'
option priority '4'
option classification 'cloud_direct'
option endpoint 'https://generativelanguage.googleapis.com/v1beta'
option api_key ''
option model 'gemini-pro'
# Provider: xAI
config provider 'xai'
option enabled '0'
option priority '5'
option classification 'cloud_direct'
option endpoint 'https://api.x.ai/v1'
option api_key ''
option model 'grok-2'
# Audit configuration
config audit 'audit'
option enabled '1'
option log_requests '1'
option log_responses '0'
option log_classifications '1'
option audit_path '/var/log/ai-gateway/audit.jsonl'
option retention_days '90'
option max_log_size_mb '100'
Reference in New Issue View Git Blame Copy Permalink