Major Feature Upgrade. #42

Merged: zonblade merged 19 commits into main from experimental/ai-security on Mar 8, 2026

Conversation

zonblade (Member) commented Mar 8, 2026

mini-gateway-rs — experimental/ai-security Branch Report

Branch: experimental/ai-security
Date: 2026-03-09
Commits: 18
Scope: 123 files changed, ~8,600 insertions, ~1,500 deletions


Overview

The experimental/ai-security branch introduces AI-driven security capabilities to mini-gateway-rs, along with supporting infrastructure for certificate automation, real-time statistics, and overall code quality improvements. The branch spans 18 commits covering new subsystems in both the API layer (router-api) and the core routing engine (router-core), with corresponding frontend pages in the web GUI (router-gui).

AI Security Subsystem

A new AI security module has been added to router-api, built around XGBoost-based threat inference. The system operates in a thread-isolated environment to keep model loading and prediction off the main request path. Key components include:

  • Model management — Upload, list, update, and delete XGBoost models via REST API, with a dedicated SQLite-backed store for model metadata
  • Thread-isolated inference — Model inference runs in a separate thread with its own state, preventing blocking or panics from affecting the gateway
  • IP blocklist — A blocklist system that blocks flagged IPs with configurable expiry, synced from router-api to router-core every 5 seconds
  • Blocklist cache optimization — The hot-path IP lookup was rewritten from per-request JSON deserialization with O(n) scan to an in-memory HashMap cache with O(1) lookups and an AtomicBool active flag

The frontend includes a new /security/ai page with model table, upload modal, edit/delete modals, and inference statistics overview.
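The blocklist cache described above (O(1) HashMap lookup keyed by IP with an expiry, an AtomicBool active flag on the hot path, and a wholesale replace every sync tick) can be sketched as follows. This is an added illustration, not code from mini-gateway-rs; the `BlockEntry` shape, the `BlocklistCache` type and its method names are assumptions for the example, and the sync payload format is constructed here rather than taken from router-api.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::RwLock;
use std::time::{Duration, Instant};

/// One flagged IP as delivered by the periodic sync (hypothetical shape; the
/// real router-api payload is not shown on the page).
#[derive(Debug, Clone)]
pub struct BlockEntry {
    pub ip: IpAddr,
    pub expires_at: Instant,
}

/// In-memory blocklist cache. `active` lets the hot path skip the lock entirely
/// when the list is empty or disabled; `entries` maps IP -> expiry for O(1) lookup.
pub struct BlocklistCache {
    active: AtomicBool,
    entries: RwLock<HashMap<IpAddr, Instant>>,
}

impl BlocklistCache {
    pub fn new() -> Self {
        BlocklistCache {
            active: AtomicBool::new(false),
            entries: RwLock::new(HashMap::new()),
        }
    }

    /// Whether the hot path currently consults the map at all.
    pub fn is_active(&self) -> bool {
        self.active.load(Ordering::Acquire)
    }

    /// Replace the whole cache from a freshly synced list (the 5-second sync task
    /// would call this). Entries already expired at `now` are dropped on the way in.
    pub fn replace(&self, synced: &[BlockEntry], now: Instant) {
        let mut map = HashMap::with_capacity(synced.len());
        for e in synced {
            if e.expires_at > now {
                map.insert(e.ip, e.expires_at);
            }
        }
        let has_entries = !map.is_empty();
        *self.entries.write().unwrap() = map;
        // Publish the flag after the map so a reader that sees `active` also sees the data.
        self.active.store(has_entries, Ordering::Release);
    }

    /// Hot-path check: one relaxed atomic load, then one HashMap probe under a read lock.
    /// An entry whose expiry has passed is treated as not blocked even before purge runs.
    pub fn is_blocked(&self, ip: IpAddr, now: Instant) -> bool {
        if !self.active.load(Ordering::Acquire) {
            return false;
        }
        match self.entries.read().unwrap().get(&ip) {
            Some(&expires_at) => expires_at > now,
            None => false,
        }
    }

    /// Drop expired entries and turn the flag off when nothing remains.
    /// Returns how many entries were removed.
    pub fn purge_expired(&self, now: Instant) -> usize {
        let mut map = self.entries.write().unwrap();
        let before = map.len();
        map.retain(|_, expires_at| *expires_at > now);
        if map.is_empty() {
            self.active.store(false, Ordering::Release);
        }
        before - map.len()
    }
}

fn main() {
    // Constructed sample: one live block, one that expires immediately.
    let cache = BlocklistCache::new();
    let now = Instant::now();
    let flagged: IpAddr = "203.0.113.7".parse().unwrap();
    cache.replace(
        &[BlockEntry { ip: flagged, expires_at: now + Duration::from_secs(60) }],
        now,
    );
    println!("blocked now: {}", cache.is_blocked(flagged, now));
    println!("blocked after expiry: {}", cache.is_blocked(flagged, now + Duration::from_secs(61)));
}
```

The flag is stored with Release after the map write and loaded with Acquire on the request path, so a request that observes `active == true` is guaranteed to see the map contents that made it true; the write lock is only taken by the sync and purge tasks, never per request.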

Certificate Automation

Automatic SSL certificate management via Let's Encrypt (certbot) has been fully implemented. The system supports both staging and production environments with per-domain email configuration. Notable details:

  • certbot_runner — A Rust wrapper around the certbot CLI supporting standalone and webroot challenges, custom directories for non-root operation, and renewal tracking
  • certificate_automation — Higher-level orchestration that checks certificate expiry, triggers issuance or renewal, and updates proxy domain records
  • Auto-renewal spawner — A background worker that periodically checks domains and renews certificates approaching expiry
  • Backend validation — Email is required when auto-TLS is enabled, validated against RFC 5322 format at the API layer, with defense-in-depth checks in the renewal spawner
  • Frontend support — The proxy domain configuration UI exposes email input, production/staging toggle, and certificate PEM/key fields

Statistics and Monitoring

The statistics system was reworked from separate log-type endpoints into a unified streaming architecture:

  • Unified stats endpoint — Replaces the previous per-type statistics endpoints (log_bytesio, log_default, log_status_code) with a single unified_stream that delivers all metrics over one connection
  • 15-second interval aggregation — Statistics are collected and broadcast at 15-second intervals with richer metrics including status codes, bytes I/O, and request counts
  • Frontend rewrite — The stats page now uses sparkline graphs, stat cards, and status code distribution charts instead of the previous separate manager components
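To make the 15-second aggregation concrete, here is an added example (not code from router-core or router-api) that buckets per-request records into 15-second windows and rolls up request count, bytes in/out and a status-code histogram per window. The `RequestRecord` and `WindowStats` types, the field names and the sample records are constructed for this illustration.

```rust
use std::collections::BTreeMap;

/// Broadcast interval used by the unified stats stream.
pub const INTERVAL_SECS: u64 = 15;

/// One proxied request as it might be reported by the core (hypothetical shape).
#[derive(Debug, Clone)]
pub struct RequestRecord {
    pub ts_secs: u64,
    pub status: u16,
    pub bytes_in: u64,
    pub bytes_out: u64,
}

/// Roll-up for one 15-second window.
#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct WindowStats {
    pub requests: u64,
    pub bytes_in: u64,
    pub bytes_out: u64,
    pub status_codes: BTreeMap<u16, u64>,
}

/// Start of the window a timestamp belongs to (floor to the interval).
pub fn window_start(ts_secs: u64) -> u64 {
    ts_secs - ts_secs % INTERVAL_SECS
}

/// Group records by window and accumulate metrics. Windows with no traffic are
/// simply absent; a consumer drawing sparklines would fill those as zero.
pub fn aggregate(records: &[RequestRecord]) -> BTreeMap<u64, WindowStats> {
    let mut windows: BTreeMap<u64, WindowStats> = BTreeMap::new();
    for r in records {
        let w = windows.entry(window_start(r.ts_secs)).or_default();
        w.requests += 1;
        w.bytes_in += r.bytes_in;
        w.bytes_out += r.bytes_out;
        *w.status_codes.entry(r.status).or_insert(0) += 1;
    }
    windows
}

/// Collapse a status histogram into the 2xx/3xx/4xx/5xx classes a distribution chart shows.
pub fn status_classes(stats: &WindowStats) -> BTreeMap<u16, u64> {
    let mut classes = BTreeMap::new();
    for (code, count) in &stats.status_codes {
        *classes.entry(code / 100 * 100).or_insert(0) += count;
    }
    classes
}

/// Constructed sample traffic spanning two windows (90..105 and 105..120).
pub fn sample_records() -> Vec<RequestRecord> {
    vec![
        RequestRecord { ts_secs: 100, status: 200, bytes_in: 100, bytes_out: 500 },
        RequestRecord { ts_secs: 104, status: 404, bytes_in: 50, bytes_out: 200 },
        RequestRecord { ts_secs: 105, status: 500, bytes_in: 10, bytes_out: 20 },
    ]
}

fn main() {
    for (start, stats) in aggregate(&sample_records()) {
        println!(
            "window {}: {} req, {} B in, {} B out, classes {:?}",
            start, stats.requests, stats.bytes_in, stats.bytes_out, status_classes(&stats)
        );
    }
}
```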

Gateway and Proxy Enhancements

Several improvements were made to the core routing infrastructure:

  • Editable connection list — The connections list in the web GUI is now editable, allowing runtime modification of gateway and proxy node configurations
  • Rich request context — ContextGw in the gateway was extended with TCP metrics (RTT, retransmissions, window sizes), HTTP method/status, TLS version, and client/server IP tracking
  • Proxy node sync — Certificate paths are now included in proxy node synchronization from API to core
  • Broker module — A new broker module was added to router-api for inter-component communication
  • UDP sender — A new UDP-based telemetry sender was added to router-core for shipping metrics externally


Successfully merging this pull request may close these issues:

  • Prepare for huge update
  • Feature : Security : Build-in NIDS (Network Intrusion Detection System)
  • Feature : GUI Live Monitoring