
clawdesk-security

Security infrastructure covering access control lists, audit logging, cryptographic operations, DM pairing, group policies, identity management, content scanning, and token management.

Dependencies

Internal: clawdesk-types

External: tokio, serde, tracing, thiserror, chrono, uuid

Modules

| Module | Description |
|---|---|
| `acl` | Access control list evaluation engine |
| `audit` | Audit trail logging for security events |
| `allowlist` | IP/user allowlist management |
| `crypto` | Cryptographic utilities (hashing, encryption, signatures) |
| `dm_pairing` | DM pairing flow with verification codes |
| `group_policy` | Group-level access policies |
| `identity` | User identity management and mapping |
| `scanner` | Content scanner for message filtering |
| `tokens` | JWT/API token generation and validation |

Key Types

/// Access control rule
///
/// One rule ties a principal, a resource and an action to the [`Effect`]
/// recorded for that combination. The usage example on this page builds one
/// from `Principal::User(..)`, `Resource::AdminApi` and `Action::Read`.
// NOTE(review): the rule derives `Deserialize` and every field is `pub`, so
// whoever controls the serialized rule source controls access decisions.
// Where rules are loaded from is not shown here — confirm it is a trusted,
// integrity-protected location.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AclRule {
    /// Subject the rule is written for.
    pub principal: Principal,
    /// Object the rule is written for.
    pub resource: Resource,
    /// Operation the rule is written for.
    pub action: Action,
    /// Decision attached to this rule (`Allow` or `Deny`).
    pub effect: Effect,
}

/// Decision carried by an `AclRule` and returned by `AclEngine::evaluate`.
// NOTE(review): `AclRule` derives `Serialize`/`Deserialize` and has an
// `Effect` field, so `Effect` needs serde implementations as well. This
// listing shows only `Debug, Clone` — confirm against the crate.
#[derive(Debug, Clone)]
pub enum Effect {
    /// Access is granted.
    Allow,
    /// Access is refused.
    Deny,
}

/// ACL evaluation engine
///
/// Owns the ordered list of rules that `evaluate` consults.
pub struct AclEngine {
    // Private, so the rule set cannot be changed through this field from
    // outside the module. Evaluation is described as last-match-wins, which
    // makes the order of this Vec part of the policy, not just its contents.
    rules: Vec<AclRule>,
}

impl AclEngine {
    /// Returns the [`Effect`] for `principal` performing `action` on `resource`.
    ///
    /// The body is elided on this page; only the evaluation strategy is named.
    pub fn evaluate(&self, principal: &Principal, resource: &Resource, action: &Action) -> Effect {
        // Last-match-wins evaluation
        //
        // Under last-match-wins, a later `Allow` overrides an earlier `Deny`
        // for the same request. A broad `Allow` appended after specific
        // `Deny` rules therefore cancels them; review rule order whenever
        // rules are added or merged.
        //
        // NOTE(review): the result when no rule matches is not shown here.
        // Returning `Effect::Deny` in that case (default-deny) is the safe
        // behaviour — confirm against the implementation.
    }
}

/// User identity
///
/// Serializable record holding an internal `id`, the channel and external id
/// it is associated with, an optional display name and a list of permissions.
// NOTE(review): `permissions` is a public field on a `Deserialize` type. If an
// `Identity` is ever built from data a client can supply, the permissions must
// be taken from a trusted store and never from that payload — confirm how
// instances are created.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Identity {
    /// Identifier of this identity record.
    pub id: String,
    /// Channel the identity belongs to.
    pub channel_id: ChannelId,
    /// Identifier used for this user outside the system (presumably on the
    /// channel's platform — confirm).
    pub external_id: String,
    /// Optional human-readable name.
    // NOTE(review): presumably user-chosen text; treat it as untrusted when it
    // is logged or rendered — confirm where it originates.
    pub display_name: Option<String>,
    /// Permissions attached to this identity.
    pub permissions: Vec<Permission>,
}

/// Audit event
///
/// One serializable audit-trail record: when it happened, who acted, what was
/// done to which resource, how it ended, and free-form extra data.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEvent {
    /// Event time, typed as UTC.
    pub timestamp: chrono::DateTime<chrono::Utc>,
    /// Full `Identity` of the actor, embedded by value. Every serialized event
    /// therefore carries the actor's display name and permission list too.
    pub actor: Identity,
    /// Action name as a plain string.
    pub action: String,
    /// Resource name as a plain string.
    pub resource: String,
    /// Result of the action.
    pub outcome: AuditOutcome,
    /// Arbitrary JSON attached to the event.
    // NOTE(review): nothing in this type constrains what goes in here. Keep
    // tokens, secrets and raw message bodies out of `details`, because audit
    // logs are typically retained and read more widely than the data they
    // describe.
    pub details: serde_json::Value,
}

/// Content scanner for message filtering
///
/// Holds the scan patterns and an allowlist; both fields are private.
// NOTE(review): the usage example constructs the scanner from patterns only,
// so how `allowlist` is populated, and whether an allowlisted sender skips
// scanning entirely, is not shown on this page. A full bypass would be worth
// recording in the audit trail — confirm.
pub struct ContentScanner {
    // Patterns that message content is checked against.
    patterns: Vec<ScanPattern>,
    // Allowlist consulted by the scanner (exact role not shown here).
    allowlist: Allowlist,
}

Example Usage

use clawdesk_security::{AclEngine, AclRule, Identity, ContentScanner};

// Evaluate access control
// Rules are passed as an ordered Vec. Evaluation is described as
// last-match-wins, so the position of each rule matters.
let engine = AclEngine::new(vec![
    AclRule {
        principal: Principal::User("admin".into()),
        resource: Resource::AdminApi,
        action: Action::Read,
        effect: Effect::Allow,
    },
]);

// `principal`, `resource` and `action` describe the incoming request; they are
// assumed to be defined by the caller and are not shown in this snippet.
let effect = engine.evaluate(&principal, &resource, &action);
// NOTE(review): this snippet never inspects `effect`. Real callers must branch
// on it and stop on anything other than `Effect::Allow` before touching the
// resource; computing the decision does not enforce it.

// Scan message content
let scanner = ContentScanner::new(scan_patterns);
let result = scanner.scan(&message.content);
if result.blocked {
    // Reject the message and hand the scanner's reason to the caller.
    // NOTE(review): if `reason` names the pattern that matched, echoing it back
    // to the sender discloses the filter rules. Log the detail and return a
    // generic message instead — confirm what `reason` contains.
    return Err(SecurityError::ContentBlocked(result.reason));
}

Configuration

[security]
# ACL evaluation, audit logging and content scanning are all switched on in
# this sample.
enable_acl = true
enable_audit = true
enable_content_scanning = true

[security.tokens]
# Placeholder, not a literal secret: the value is meant to come from the
# JWT_SECRET environment variable (presumably expanded by the config loader;
# confirm). Use a long, randomly generated value.
secret = "${JWT_SECRET}"
# Token lifetime in hours. A stolen token stays usable for up to this long
# unless the deployment also revokes tokens, so keep it as short as is
# practical.
expiry_hours = 24

[security.allowlist]
# Loopback plus the entire 10.0.0.0/8 private range (about 16.7 million
# addresses). Narrow this to the subnets that actually need access.
ips = ["127.0.0.1", "10.0.0.0/8"]
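Warning

Always set `security.tokens.secret` through an environment variable rather than writing the value directly in the config file, so that the secret is not stored in, or committed along with, the configuration.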