fleetforge_policy/

pii.rs

use anyhow::Result;
use async_trait::async_trait;
use regex::Regex;
use serde_json::{json, Value};

use crate::{Decision, DecisionEffect, PolicyEngine, PolicyRequest};

/// Determines how the PII guardrail responds when sensitive data is detected.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PiiMode {
    Redact,
    Deny,
    Allow,
}

/// Regex-based PII detector and redactor.
#[derive(Clone)]
pub struct BasicPiiPolicy {
    email: Regex,
    phone: Regex,
    card: Regex,
    mode: PiiMode,
}

impl BasicPiiPolicy {
    pub fn new(mode: PiiMode) -> Self {
        Self {
            // Raw string keeps the literal dot escaped for email domains.
            email: Regex::new(r"(?i)[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}")
                .expect("valid email regex"),
            phone: Regex::new(
                r"(?x)\b(?:\+?\d{1,3}[-. ]?)?(?:\(?\d{3}\)?[-. ]?)?\d{3}[-. ]?\d{4}\b",
            )
            .expect("valid phone regex"),
            card: Regex::new(r"\b(?:\d[ -]?){13,16}\b").expect("valid card regex"),
            mode,
        }
    }

    pub fn with_mode(mut self, mode: PiiMode) -> Self {
        self.mode = mode;
        self
    }
}

impl Default for BasicPiiPolicy {
    fn default() -> Self {
        Self::new(PiiMode::Redact)
    }
}

fn redact_value(regexes: &[(&Regex, &str)], value: &Value, redacted: &mut bool) -> Value {
    match value {
        Value::String(s) => {
            let mut current = s.clone();
            for (regex, replacement) in regexes {
                let next = regex.replace_all(&current, *replacement).to_string();
                if next != current {
                    *redacted = true;
                    current = next;
                }
            }
            Value::String(current)
        }
        Value::Array(items) => {
            let mut changed = false;
            let redacted_items = items
                .iter()
                .map(|item| redact_value(regexes, item, &mut changed))
                .collect();
            if changed {
                *redacted = true;
            }
            Value::Array(redacted_items)
        }
        Value::Object(map) => {
            let mut changed = false;
            let mut new_map = serde_json::Map::with_capacity(map.len());
            for (k, v) in map {
                let next = redact_value(regexes, v, &mut changed);
                new_map.insert(k.clone(), next);
            }
            if changed {
                *redacted = true;
            }
            Value::Object(new_map)
        }
        _ => value.clone(),
    }
}

fn guardrails(request: &PolicyRequest) -> Vec<String> {
    request
        .context()
        .get("policy")
        .and_then(Value::as_object)
        .and_then(|obj| obj.get("guardrails"))
        .and_then(Value::as_array)
        .map(|arr| {
            arr.iter()
                .filter_map(Value::as_str)
                .map(|s| s.to_string())
                .collect()
        })
        .unwrap_or_default()
}

fn payload_inputs(request: &PolicyRequest, payload: &Value) -> Value {
    payload
        .get("inputs")
        .cloned()
        .or_else(|| request.context().get("inputs").cloned())
        .unwrap_or(Value::Null)
}

fn payload_output(payload: &Value) -> Value {
    payload.get("output").cloned().unwrap_or(Value::Null)
}

#[async_trait]
impl PolicyEngine for BasicPiiPolicy {
    async fn evaluate(&self, request: &PolicyRequest) -> Result<Decision> {
        let regexes = [
            (&self.email, "[redacted-email]"),
            (&self.phone, "[redacted-phone]"),
            (&self.card, "[redacted-card]"),
        ];

        let payload = request
            .context()
            .get("payload")
            .cloned()
            .unwrap_or(Value::Null);
        let boundary = request
            .context()
            .get("boundary")
            .and_then(Value::as_str)
            .unwrap_or_default()
            .to_string();

        let (target, patch_path) = match boundary.as_str() {
            "egress_prompt" | "egress_tool" | "egress_memory" => {
                (payload_output(&payload), "/output")
            }
            _ => (payload_inputs(request, &payload), "/inputs"),
        };

        let mut redacted_flag = false;
        let redacted_value = redact_value(&regexes, &target, &mut redacted_flag);

        if !redacted_flag {
            return Ok(Decision {
                effect: DecisionEffect::Allow,
                reason: None,
                patches: Vec::new(),
            });
        }

        let guardrails = guardrails(request);
        let effective_mode = if guardrails.iter().any(|rule| rule == "deny_on_pii") {
            PiiMode::Deny
        } else if guardrails.iter().any(|rule| rule == "skip_redaction") {
            PiiMode::Allow
        } else {
            self.mode
        };

        match effective_mode {
            PiiMode::Allow => Ok(Decision {
                effect: DecisionEffect::Allow,
                reason: Some("PII detected but redaction skipped".into()),
                patches: Vec::new(),
            }),
            PiiMode::Deny => Ok(Decision {
                effect: DecisionEffect::Deny,
                reason: Some("PII detected".into()),
                patches: Vec::new(),
            }),
            PiiMode::Redact => {
                let patch = json!({
                    "op": "replace",
                    "path": patch_path,
                    "value": redacted_value,
                });
                Ok(Decision {
                    effect: DecisionEffect::Redact,
                    reason: Some("PII redacted".into()),
                    patches: vec![patch],
                })
            }
        }
    }
}