pub struct RedactionRegistry {
confidence_threshold: f32,
}Expand description
Server-side PII verification registry and egress guard.
Under Option A, the client performs primary scrubbing. The registry’s role:
- Verify: Check that text claimed to be scrubbed has no surviving PII.
- Verify manifest: Check consistency between manifest and payload.
- Scrub (redact-only): Fallback for server-originated text where client-side scrubbing wasn’t possible. No vault inserts — permanent redaction.
Fields§
§confidence_threshold: f32Implementations§
Source§impl RedactionRegistry
impl RedactionRegistry
Sourcepub fn with_defaults(confidence_threshold: f32) -> Self
pub fn with_defaults(confidence_threshold: f32) -> Self
Create a registry with default detectors and the given confidence threshold.
Sourcepub fn default_threshold() -> f32
pub fn default_threshold() -> f32
Default confidence threshold (0.8).
Sourcepub fn verify(&self, text: &str, confidence_threshold: f32) -> Vec<PiiViolation>
pub fn verify(&self, text: &str, confidence_threshold: f32) -> Vec<PiiViolation>
VERIFY: Check that text claimed to be scrubbed has no surviving PII.
Returns a list of violations (empty = text is clean).
Sourcepub fn verify_manifest(
&self,
payload: &Value,
manifest: &RedactionManifest,
) -> Result<(), Vec<ManifestViolation>>
pub fn verify_manifest( &self, payload: &Value, manifest: &RedactionManifest, ) -> Result<(), Vec<ManifestViolation>>
VERIFY MANIFEST: Check that a manifest is consistent with a JSON payload.
Checks:
- Every span’s placeholder string exists in the serialized payload.
- Every span whose PII type requires encryption has a matching vault_insert.
Sourcepub fn scrub_redact_only(&self, text: &str, threshold: f32) -> ScrubbedText
pub fn scrub_redact_only(&self, text: &str, threshold: f32) -> ScrubbedText
SCRUB (server-side, redact-only): For server-originated text where client-side scrubbing wasn’t possible.
No vault inserts are produced — these redactions are permanent (no reveal possible). Use this only for server-generated content.
Sourcepub fn mark_verified(
&self,
text: String,
manifest: RedactionManifest,
) -> ScrubbedText
pub fn mark_verified( &self, text: String, manifest: RedactionManifest, ) -> ScrubbedText
Wrap text that has been externally verified as PII-clean into a ScrubbedText.
Use this for text that arrived pre-scrubbed from the client SDK and passed
server-side verification (verify + verify_manifest). The registry reference
acts as a capability token — you can only produce ScrubbedText if you have
access to a registry.
Sourcepub fn mark_static_clean(&self, text: String) -> ScrubbedText
pub fn mark_static_clean(&self, text: String) -> ScrubbedText
Wrap text known to be Cellstate-generated (no user data) as clean.
Use for server-originated text that cannot contain user PII by construction (e.g. error messages, system prompt templates assembled from static strings).
Sourcepub fn scrub_payload_redact_only(
&self,
value: Value,
threshold: f32,
) -> ScrubbedPayload
pub fn scrub_payload_redact_only( &self, value: Value, threshold: f32, ) -> ScrubbedPayload
Scrub all string values in a JSON payload (redact-only, no vault inserts).
Sourcefn scrub_json_value(
&self,
value: Value,
threshold: f32,
spans: &mut Vec<RedactionSpan>,
) -> Value
fn scrub_json_value( &self, value: Value, threshold: f32, spans: &mut Vec<RedactionSpan>, ) -> Value
Recursively scrub string values in a JSON value.