feat: secureprompt: Pre-flight security layer for AI prompts

Author: ravisastryk

Makefile

@@ -0,0 +1,53 @@
+.PHONY: build run test clean fmt vet lint
+
+BINARY  = secureprompt
+CMD     = ./cmd/secureprompt
+
+## build: Compile the binary
+build:
+	go build -o $(BINARY) $(CMD)
+
+## run: Run in development mode
+run:
+	go run $(CMD)
+
+## test: Run all tests
+test:
+	go test ./... -v -count=1
+
+## fmt: Format all Go files
+fmt:
+	gofmt -s -w .
+
+## vet: Run go vet
+vet:
+	go vet ./...
+
+## lint: Format + vet
+lint: fmt vet
+
+## clean: Remove build artifacts
+clean:
+	rm -f $(BINARY)
+
+## health: Check if the API is running
+health:
+	@curl -s http://localhost:8080/health | python3 -m json.tool
+
+## scan: Quick interactive scan (usage: make scan PROMPT="your text")
+scan:
+	@curl -s http://localhost:8080/v1/prescan \
+		-H 'Content-Type: application/json' \
+		-d '{"content":"$(PROMPT)"}' | python3 -m json.tool
+
+## stats: View scan statistics
+stats:
+	@curl -s http://localhost:8080/v1/stats | python3 -m json.tool
+
+## audit: View the audit log
+audit:
+	@curl -s http://localhost:8080/v1/audit | python3 -m json.tool
+
+## help: Show this help
+help:
+	@grep -E '^## ' Makefile | sed 's/## //' | column -t -s ':'

README.md

@@ -0,0 +1,53 @@
+![SecurePrompt](secureprompt-logo-banner.png)
+# SecurePrompt
+
+**Pre-flight security layer for AI prompts.**
+
+Scans every prompt for secrets, PII, prompt injection, risky operations, data exfiltration, and malware intent — before it reaches your LLM.
+
+## Quick Start
+
+```bash
+# Build and run
+make build
+./secureprompt
+
+# Or run directly
+make run
+```
+
+## Test
+
+```bash
+# Safe prompt
+make scan PROMPT="Write hello world in Go"
+
+# Secret detected → BLOCK
+make scan PROMPT="My key is sk-abc123xyz456"
+
+# Injection → REVIEW
+make scan PROMPT="Ignore all previous instructions"
+
+# Run full test suite
+bash scripts/test_examples.sh
+```
+
+### Architecture
+![alt text](secureprompt_architecture.png)
+
+## API
+
+| Method | Path | Description |
+|--------|------|-------------|
+| GET | `/health` | Health check |
+| POST | `/v1/prescan` | Scan a prompt |
+| GET | `/v1/audit` | View audit log |
+| GET | `/v1/stats` | View statistics |
+
+## Zero Dependencies
+
+The entire project uses **only Go's standard library**. No external packages.
+
+## License
+
+MIT

cmd/secureprompt/main.go

@@ -0,0 +1,49 @@
+// SecurePrompt — Pre-flight security layer for AI prompts.
+//
+// Usage:
+//
+//	go run ./cmd/secureprompt
+//	# or
+//	go build -o secureprompt ./cmd/secureprompt && ./secureprompt
+package main
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/ravisastryk/secureprompt/internal/api"
+)
+
+func main() {
+	port := os.Getenv("PORT")
+	if port == "" {
+		port = "8080"
+	}
+
+	hmacSecret := os.Getenv("HMAC_SECRET")
+	if hmacSecret == "" {
+		hmacSecret = "secureprompt-dev-secret"
+	}
+
+	srv := api.NewServer(hmacSecret)
+
+	mux := http.NewServeMux()
+	srv.RegisterRoutes(mux)
+
+	fmt.Println("╔══════════════════════════════════════════════════════════════╗")
+	fmt.Println("║              SecurePrompt API v1.0                           ║")
+	fmt.Println("╠══════════════════════════════════════════════════════════════╣")
+	fmt.Printf("║  Port:    %-49s  ║\n", port)
+	fmt.Println("║  Policy:  strict (default)                                   ║")
+	fmt.Println("╠══════════════════════════════════════════════════════════════╣")
+	fmt.Println("║  Endpoints:                                                  ║")
+	fmt.Println("║    GET  /health      -> Health check                         ║")
+	fmt.Println("║    POST /v1/prescan  -> Scan a prompt                        ║")
+	fmt.Println("║    GET  /v1/audit    -> View audit log                       ║")
+	fmt.Println("║    GET  /v1/stats    -> View statistics                      ║")
+	fmt.Println("╚══════════════════════════════════════════════════════════════╝")
+
+	log.Fatal(http.ListenAndServe(":"+port, mux))
+}

configs/openapi.json

@@ -0,0 +1,58 @@
+{
+  "openapi": "3.1.0",
+  "info": {
+    "title": "SecurePrompt API",
+    "description": "Pre-flight security scanning for AI prompts",
+    "version": "1.0.0"
+  },
+  "servers": [
+    {
+      "url": "YOUR_NGROK_URL_HERE",
+      "description": "SecurePrompt Server"
+    }
+  ],
+  "paths": {
+    "/v1/prescan": {
+      "post": {
+        "operationId": "prescan",
+        "summary": "Scan a prompt for security issues",
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "required": ["content"],
+                "properties": {
+                  "event_id": { "type": "string" },
+                  "content": { "type": "string", "description": "The prompt to scan" },
+                  "policy_profile": { "type": "string", "enum": ["strict", "moderate", "permissive"], "default": "strict" }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Scan result",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "event_id": { "type": "string" },
+                    "risk_level": { "type": "string", "enum": ["SAFE", "REVIEW", "BLOCK"] },
+                    "risk_score": { "type": "integer" },
+                    "findings": { "type": "array" },
+                    "safe_rewrite": { "type": "string" },
+                    "decision_signature": { "type": "string" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

go.mod

@@ -0,0 +1,3 @@
+module github.com/ravisastryk/secureprompt
+
+go 1.22

internal/api/handler.go

@@ -0,0 +1,157 @@
+// Package api wires together the detection engine, policy engine,
+// rewriter, and audit logger behind HTTP endpoints.
+package api
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/ravisastryk/secureprompt/internal/audit"
+	"github.com/ravisastryk/secureprompt/internal/detector"
+	"github.com/ravisastryk/secureprompt/internal/middleware"
+	"github.com/ravisastryk/secureprompt/internal/models"
+	"github.com/ravisastryk/secureprompt/internal/policy"
+	"github.com/ravisastryk/secureprompt/internal/rewriter"
+	"github.com/ravisastryk/secureprompt/internal/util"
+)
+
+// Server holds all dependencies for the API.
+type Server struct {
+	detector *detector.Engine
+	policy   *policy.Engine
+	rewriter *rewriter.Engine
+	audit    *audit.Logger
+
+	mu    sync.RWMutex
+	stats Stats
+}
+
+// Stats tracks scan metrics.
+type Stats struct {
+	TotalScans int            `json:"total_scans"`
+	ByDecision map[string]int `json:"by_decision"`
+}
+
+// NewServer creates a fully-wired API server.
+func NewServer(hmacSecret string) *Server {
+	return &Server{
+		detector: detector.NewEngine(),
+		policy:   policy.NewEngine(),
+		rewriter: rewriter.NewEngine(),
+		audit:    audit.NewLogger(hmacSecret),
+		stats:    Stats{ByDecision: map[string]int{"SAFE": 0, "REVIEW": 0, "BLOCK": 0}},
+	}
+}
+
+// RegisterRoutes mounts all endpoints on the default mux.
+func (s *Server) RegisterRoutes(mux *http.ServeMux) {
+	mux.HandleFunc("/health", middleware.CORS(s.handleHealth))
+	mux.HandleFunc("/v1/prescan", middleware.CORS(s.handlePrescan))
+	mux.HandleFunc("/v1/audit", middleware.CORS(s.handleAudit))
+	mux.HandleFunc("/v1/stats", middleware.CORS(s.handleStats))
+
+	// Serve dashboard from web/static/ (falls back to embedded index if dir missing)
+	fs := http.FileServer(http.Dir("web/static"))
+	mux.Handle("/", fs)
+}
+
+func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
+	util.WriteJSON(w, http.StatusOK, map[string]string{
+		"status":  "ok",
+		"service": "secureprompt",
+		"version": "1.0.0",
+	})
+}
+
+func (s *Server) handlePrescan(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		util.WriteJSON(w, http.StatusMethodNotAllowed, map[string]string{"error": "POST required"})
+		return
+	}
+
+	var req models.PrescanRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		util.WriteJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON"})
+		return
+	}
+	if req.Content == "" {
+		util.WriteJSON(w, http.StatusBadRequest, map[string]string{"error": "content is required"})
+		return
+	}
+
+	// Defaults
+	if req.EventID == "" {
+		req.EventID = "evt_" + util.ShortUUID()
+	}
+	if req.PolicyProfile == "" {
+		req.PolicyProfile = "strict"
+	}
+
+	start := time.Now()
+
+	// 1. Detect
+	findings := s.detector.Scan(req.Content)
+
+	// 2. Policy decision
+	decision := s.policy.Evaluate(req.PolicyProfile, findings)
+
+	// 3. Rewrite (only for REVIEW/BLOCK with findings)
+	safeRewrite := ""
+	if decision.RiskLevel != models.RiskSafe && len(findings) > 0 {
+		safeRewrite = s.rewriter.Rewrite(req.Content, findings)
+	}
+
+	// 4. Audit log
+	sig := s.audit.Log(req.EventID, decision.RiskLevel, decision.RiskScore, len(findings), req.PolicyProfile)
+
+	// 5. Stats
+	s.mu.Lock()
+	s.stats.TotalScans++
+	s.stats.ByDecision[string(decision.RiskLevel)]++
+	s.mu.Unlock()
+
+	elapsed := time.Since(start)
+
+	// If no findings, return a single OK finding for clarity
+	if len(findings) == 0 {
+		findings = []models.Finding{{
+			Category:   models.CategoryOK,
+			Type:       "NONE",
+			Detail:     "No security issues detected",
+			Confidence: 1.0,
+			Severity:   "none",
+		}}
+	}
+
+	resp := models.PrescanResponse{
+		EventID:           req.EventID,
+		TenantID:          req.TenantID,
+		SessionID:         req.SessionID,
+		PolicyProfile:     req.PolicyProfile,
+		RiskLevel:         decision.RiskLevel,
+		RiskScore:         decision.RiskScore,
+		Findings:          findings,
+		SafeRewrite:       safeRewrite,
+		Timestamp:         time.Now().UTC().Format(time.RFC3339),
+		ProcessingTimeMs:  elapsed.Milliseconds(),
+		DecisionSignature: sig,
+	}
+
+	log.Printf("[%s] %s | score=%d | findings=%d | %dms",
+		resp.RiskLevel, req.EventID, resp.RiskScore, len(findings), elapsed.Milliseconds())
+
+	util.WriteJSON(w, http.StatusOK, resp)
+}
+
+func (s *Server) handleAudit(w http.ResponseWriter, r *http.Request) {
+	util.WriteJSON(w, http.StatusOK, map[string]interface{}{"entries": s.audit.Entries()})
+}
+
+func (s *Server) handleStats(w http.ResponseWriter, r *http.Request) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	util.WriteJSON(w, http.StatusOK, s.stats)
+}