Skip to content

feat: DataFog API v2 MVP — detection, enforcement, demo#14

Open
sidmohan0 wants to merge 50 commits intodevfrom
v2
Open

feat: DataFog API v2 MVP — detection, enforcement, demo#14
sidmohan0 wants to merge 50 commits intodevfrom
v2

Conversation

@sidmohan0
Copy link
Contributor

@sidmohan0 sidmohan0 commented Feb 24, 2026

Summary

Complete MVP for DataFog API v2, closing all gaps between prototype and shippable product across 4 workstreams:

WS1 — PII Detection Parity (M1–M3)

  • Expanded scanner from 5 to 10+ entity types (email, phone, SSN, credit card, API key, IP address, date, zip code, person, organization, location)
  • Added post-match validation (Luhn for credit cards, range check for IPs)
  • Go-native heuristic NER engine for person/organization/location detection (no Python/cgo deps)
  • 6 anonymization strategies: mask, redact, tokenize, anonymize, replace/pseudonymize, hash (SHA-256)

WS2 — Enforcement Gap Closure (M4–M6)

  • Shim now actually applies transform plans on allow_with_redaction decisions (was previously allow-only)
  • Shared adapter registry (internal/adapters) with claude and codex as recognized adapters
  • Policy rules can target specific adapters via match.adapters field
  • GET /v1/events endpoint with time range, decision, adapter, and limit filters
  • Receipt store rotation with configurable max entries and auto-archive

WS3 — Interactive Demo (M7)

  • Real execution demo server behind --enable-demo flag
  • /demo/exec, /demo/write-file, /demo/read-file endpoints run through actual shim gate
  • Updated docs/demo.html with command execution, file write, and file read panels
  • All operations sandboxed to temp directory

WS4 — Platform Integration (M8)

  • Integrated setup scripts from v2-claude and v2-codex branches
  • Claude Code and OpenAI Codex hook wrappers (scripts/claude-datafog-setup.sh, scripts/codex-datafog-setup.sh)
  • Policy rules for agent-specific enforcement (allow help commands, deny dangerous shell exec)

Test plan

  • go vet ./... passes
  • go test ./... — all 10 packages green
  • gofmt clean
  • Scanner detects all 10+ entity types with correct spans
  • NER identifies person/org/location entities
  • Luhn validation rejects invalid credit card numbers
  • IPv4 validation rejects out-of-range octets
  • Transform applies all 6 modes correctly
  • Shim enforces redaction on allow_with_redaction for both file read and write
  • Adapter registry resolves claude/codex aliases
  • Policy matching respects adapter conditions
  • Events endpoint filters by time/decision/adapter
  • Receipt rotation archives when max entries exceeded
  • CI pipeline (gofmt, go vet, go test, gosec)

🤖 Generated with Claude Code

@sidmohan0
chore: bootstrap harness-engineered workflow structure
113174f
@sidmohan0
docs: add datafog-api go mvp spec
2c27d26
@sidmohan0
feat: add go datafog-api runtime with policy and policy persistence
791d9dd
@sidmohan0
chore: migrate docs, ci, and container to go service
8d14b5c
@sidmohan0
chore: remove legacy python app surface
5d1532c
@sidmohan0
test: add policy validation and scan golden vector coverage
6e506a4
@sidmohan0
fix: normalize policy entity keys in evaluator
77d84d6
@sidmohan0
test(server): add endpoint contracts and validation cases
c762005
@sidmohan0
feat(server): add idempotency-aware decide handling
6a39470
@sidmohan0
feat(server): add idempotency to scan transform anonymize
3517000
@sidmohan0
feat(datafog-api): add decide integrity metadata to receipts
4890a9c
@sidmohan0
fix(server): include action context in decide input hash
a05be51
@sidmohan0
fix(policy): apply precedence after full rule evaluation
a0a5727
@sidmohan0
test(server): lock response content-type and request id contract
a3f7fbc
@sidmohan0
fix(server): return JSON not_found for unmapped routes
dcb673a
@sidmohan0
docs(api): add contract docs and malformed UTF-8 scan safety test
3b86c06
@sidmohan0
feat(api): enforce JSON content-type and request size limits
80b9da2
@sidmohan0
test(api): accept charset on JSON content-type
08c095e
@sidmohan0
feat(policy): tighten policy schema validation and loading checks
68908ed
@sidmohan0
feat(receipts): harden store load and append durability
b7f5fc8
@sidmohan0
fix(policy): normalize required-entity matching keys
9cf7974
@sidmohan0
feat(server): add request-id propagation and transform mode guards
f6e09e2
@sidmohan0
docs(contract): document request-id and transform validation behavior
e37d15c
@sidmohan0
feat(server): add metrics endpoint with request telemetry
165061e
@sidmohan0
chore(server): add configurable HTTP timeouts and header limits
7f9b087
@sidmohan0
chore(production): add graceful shutdown and hardening backlog updates
f242f9f
@sidmohan0
feat: add optional API token enforcement
e56b16a
@sidmohan0
feat: add optional request rate limiting
bc3ffcc
@sidmohan0
chore: document deployment and harden default container runtime settings
f821762
@sidmohan0
docs: restore security and reliability guidance
48d2db1
sidmohan0 and others added 20 commits February 23, 2026 14:11
@sidmohan0
chore: enable hardening checks and secure local artifacts
c6db082
@sidmohan0
chore: enforce strict vuln scanning and bump CI Go toolchain
7286d9f
@sidmohan0
feat: add command-sensitive policy matching and runtime shim gate
08a615a
@sidmohan0
feat(shim): add adapter hooks and enforcement boundary
918adc3
@sidmohan0
feat(shim): add adapter registry with inference and listing
fb9954b
@sidmohan0 @claude
fix(shim): resolve Windows pathLookup test and add Scalar API docs
e90644b 
The TestResolveTargetBinary/pathLookup test failed on Windows because
resolveTargetBinary appends .exe before exec.LookPath, but the test
created the lookup file without the extension. Also adds an OpenAPI 3.1
Scalar reference page for interactive local API exploration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
feat(server): add CORS support for local API docs
cdc5c51 
Reflects request Origin in Access-Control-Allow-Origin and handles
OPTIONS preflight so Scalar UI can reach the API from file:// or
other origins during local development.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
docs(spec): 2026-02-24-feat-interactive-demo-ui draft
140771f 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
docs(spec): 2026-02-24-feat-v2-mvp-complete draft
da03857 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
feat(scan): expand to 8 entity types with Luhn/IP validation
01bf196 
Add ip_address, date, zip_code detection patterns alongside existing
email, phone, ssn, api_key, credit_card. Credit card now validated
with Luhn algorithm; IP addresses validated for 0-255 range per octet.
Introduces EntityPattern struct with optional Validate func for
post-match filtering. Updates policy engine to recognize new types.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
feat(scan): add Go-native NER for person/organization/location
50c5410 
Heuristic-based NER engine using dictionary lookups, title-case
analysis, contextual triggers (Mr./Dr. for person, Inc./Corp for org,
in/at for location), and common first-name matching. Cascaded after
regex engine in ScanText. Toggle via NEREnabled flag. No Python, no
cgo, no external dependencies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
feat(transform): add replace/pseudonymize and hash anonymization modes
bb765a6 
Replace mode generates entity-typed pseudonyms ([PERSON_A1B2C3]).
Hash mode outputs full SHA256 hex digest. Both are deterministic.
Updates policy engine, server validation, and transform engine to
support all 6 modes: mask, tokenize, anonymize, redact, replace, hash.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
feat(shim): enforce transform plans on allow_with_redaction
75dba1c 
WriteFile now applies the transform plan to data before writing when
the decision is allow_with_redaction. ReadFile scans and redacts the
output. applyRedaction method scans content, applies transform steps,
and returns redacted bytes. Closes the critical enforcement gap where
the shim was ignoring transform plans.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
feat(adapters): wire adapter registry into policy with claude/codex
dab2716 
Move adapter registry to internal/adapters for shared access. Add
claude and codex as recognized adapters with aliases. Add Adapters
field to MatchCriteria so policy rules can target specific adapters.
Policy engine resolves aliases to canonical names during matching.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
feat(events): add GET /v1/events endpoint and receipt rotation
8b20f66 
Events endpoint supports time range, decision type, adapter, and limit
query filters. NDJSONDecisionEventSink now implements EventReader with
Query method. Receipt store supports configurable max entries with
auto-rotation (archives old file with timestamp suffix).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
feat(demo): add real execution demo with shim enforcement
c29ae5b 
Demo server exposes /demo/exec, /demo/write-file, /demo/read-file
endpoints that run through the actual shim gate with policy enforcement.
All file operations sandboxed to temp directory. Requires --enable-demo
flag or DATAFOG_ENABLE_DEMO env var. Updated demo.html with command
execution, file write, and file read panels.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
feat(adapters): integrate v2-claude and v2-codex setup scripts
6a0fb8f 
Cherry-pick setup scripts, runbooks, and specs from v2-claude/v2-codex
branches. Add claude/codex adapter rules to policy.json alongside
existing rules. Policy version bumped to v2026-02-24-1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
style: normalize formatting with gofmt
b6e5f31 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
feat(demo): scenario explorer UI with seed endpoint and policy fixes
b021590 
Replaces the old demo panels with a step-by-step scenario explorer.
Users pick a scenario (deny, redact, allow, read-redact) and walk
through each stage of the enforcement pipeline one step at a time.

- Add /demo/seed endpoint that writes directly to sandbox bypassing
  the shim gate, so file-read scenarios show real redaction on output
- Serve demo.html from /demo via the API server (no CORS issues)
- Fix policy: split file.write/read into separate allow_with_redaction
  rules, add allow-shell fallback, remove overly strict AND entity reqs
- Policy version bumped to v2026-02-24-2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sidmohan0 @claude
docs(spec): v2.1 optional NER sidecar with GLiNER2
5191c42 
Adds spec for an optional sidecar NER service that provides
GLiNER2-grade entity detection (person, org, location) without
bloating the Go binary. Shim calls sidecar over HTTP when
DATAFOG_NER_ENDPOINT is set, falls back to heuristic NER otherwise.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sidmohan0