aegis-shield

Integrated security shield for Aegis-DB. Provides SQL injection detection, IP reputation tracking, request fingerprinting, anomaly detection, auto-blocking, and a live threat feed.

Overview

aegis-shield is the runtime security layer the server consults on the login and query paths. It turns raw request signals (failed logins, suspicious SQL, client fingerprints) into reputation scores and, when thresholds are crossed, automatic IP blocks.

Modules

Module Responsibility
sql_injection.rs SQL injection pattern detection
ip_reputation.rs Per-IP reputation scoring
fingerprint.rs Request fingerprinting
anomaly.rs Behavioral anomaly detection
blocker.rs Auto-blocking / ban enforcement
feed.rs Live threat feed
threat.rs Threat classification and events
policy.rs Shield policy configuration
config.rs Shield configuration
error.rs Error types

Integration (v0.3.1)

The server wires Shield into two hot paths:

  • Brute-force detection. Failed logins call record_failed_auth(ip, user), feeding the reputation/auto-ban detector — reputation-based bans the rate limiter alone cannot provide.
  • SQL injection screening. User SQL on the query path is run through the injection detector (detect-and-log; enforcement is deployment-gated so rolling deploys aren’t broken by false positives).

Shield mutations (block/unblock, policy changes) are admin-only — require_admin is enforced on those routes.

Tests

808 tests (workspace total) covering injection detection, reputation scoring, fingerprinting, anomaly detection, and auto-blocking.