Deploy RustVital-AMD to HF Space

.gitignore

@@ -0,0 +1,17 @@
+# Rust build artifacts
+target/
+debug/
+release/
+
+# Environment (contains private key)
+.env
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*~
+
+# OS files
+.DS_Store
+Thumbs.db

Cargo.toml

@@ -0,0 +1,43 @@
+[package]
+name = "rustvital-amd"
+version = "0.1.0"
+edition = "2021"
+description = "Zero-trust medical AI triage gateway – AMD Hackathon 2026"
+
+[dependencies]
+tokio = { version = "1", features = ["full"] }
+axum = { version = "0.7", features = ["macros"] }
+tower = "0.4"
+tower-http = { version = "0.5", features = ["trace", "cors"] }
+
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+
+tracing = "0.1"
+tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
+anyhow = "1.0"
+
+# Candle — CPU only for now
+candle-core = "0.8"
+candle-nn = "0.8"
+candle-transformers = "0.8"
+hf-hub = "0.3"
+
+# PII Shield
+pii = "0.1"
+regex = "1"
+
+# Web3
+cid = "0.11"                        # re-exports multihash, we'll use that
+sha2 = "0.10"                       # manual hashing for CID
+alloy = { version = "0.7", features = ["full"] }
+alloy-provider = "0.7"
+alloy-signer-local = "0.7"
+
+# Environment
+dotenvy = "0.15"
+
+[profile.release]
+lto = true
+codegen-units = 1
+opt-level = 3

Dockerfile

@@ -0,0 +1,15 @@
+# Build stage
+FROM rust:1.78-slim-bookworm as builder
+WORKDIR /app
+COPY Cargo.toml Cargo.lock* ./
+COPY src src
+RUN cargo build --release
+
+# Runtime stage
+FROM debian:bookworm-slim
+RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+COPY --from=builder /app/target/release/rustvital-amd /usr/local/bin/rustvital-amd
+EXPOSE 7860
+ENV RUST_LOG=info
+ENV PRIVATE_KEY=  # Set via HF Space secrets, not here
+CMD ["rustvital-amd"]

README.md

@@ -0,0 +1,19 @@
+---
+title: RustVital-AMD
+emoji: 🏥
+colorFrom: blue
+colorTo: purple
+sdk: docker
+pinned: false
+---
+
+# RustVital-AMD: Zero‑Trust Medical AI Triage Gateway
+
+Pure Rust + AMD ROCm + Web3.
+
+- API endpoint: `/triage` (POST)
+- PII redaction before GPU inference
+- Filecoin CID + Base L2 audit trail
+
+**Currently in MVP stage – mock inference, real blockchain.**  
+Powered by Candle, Axum, Alloy.

src/handlers/mod.rs

@@ -0,0 +1 @@
+pub mod triage;

src/handlers/triage.rs

@@ -0,0 +1,64 @@
+use axum::{response::Json, http::StatusCode};
+use serde::{Deserialize, Serialize};
+use tracing::instrument;
+
+use crate::shield;
+use crate::inference;
+use crate::web3;
+
+#[derive(Debug, Deserialize)]
+pub struct TriageRequest {
+    pub patient_note: String,
+    pub consent_hash: String,
+}
+
+#[derive(Debug, Serialize)]
+pub struct TriageResponse {
+    pub triage_result: String,
+    pub transaction_hash: String,
+    /// Redacted text sent to the model (for audit/demo)
+    pub redacted_prompt: String,
+    /// PII map (only for verification; never in production)
+    pub pii_map: Vec<shield::redact::PiiMatch>,
+}
+
+#[instrument(skip_all)]
+pub async fn handle(
+    Json(payload): Json<TriageRequest>,
+) -> Result<Json<TriageResponse>, (StatusCode, String)> {
+    tracing::info!("Received triage request (consent_hash: {})", payload.consent_hash);
+
+    // 1. Zero‑Trust Shield: strip PII
+    let (redacted_note, pii_matches) = shield::redact::redact_pii(&payload.patient_note);
+
+    // 2. Inference on redacted text (GPU never sees PII)
+    let triage_result = inference::qwen::generate(&redacted_note)
+        .await
+        .map_err(|e| {
+            tracing::error!("Inference failed: {:?}", e);
+            (StatusCode::INTERNAL_SERVER_ERROR, "Inference engine error".into())
+        })?;
+
+    // 3. Filecoin CID (immutable record of redacted prompt + result)
+    let cid_input = format!("{}||{}", redacted_note, triage_result);
+    let cid = web3::filecoin::generate_cid(&cid_input)
+        .map_err(|e| {
+            tracing::error!("CID generation failed: {:?}", e);
+            (StatusCode::INTERNAL_SERVER_ERROR, "CID error".into())
+        })?;
+
+    // 4. Base L2 transaction (posts the CID)
+    let tx_hash = web3::base_tx::commit_cid(&cid)
+        .await
+        .map_err(|e| {
+            tracing::error!("Base L2 transaction failed: {:?}", e);
+            (StatusCode::INTERNAL_SERVER_ERROR, "Blockchain error".into())
+        })?;
+
+    Ok(Json(TriageResponse {
+        triage_result,
+        transaction_hash: tx_hash,
+        redacted_prompt: redacted_note,
+        pii_map: pii_matches,
+    }))
+}

src/inference/mod.rs

@@ -0,0 +1 @@
+pub mod qwen;

src/inference/qwen.rs

@@ -0,0 +1,10 @@
+use anyhow::Result;
+
+/// Mock inference for local testing.
+/// In production (AMD Cloud), this will load the Qwen-72B model via Candle + ROCm.
+pub async fn generate(_redacted_prompt: &str) -> Result<String> {
+    tracing::info!("[MOCK] GPU inference skipped — returning placeholder");
+    // Simulate some processing
+    tokio::time::sleep(std::time::Duration::from_millis(10)).await;
+    Ok("Triage result: non‑urgent (mock)".to_string())
+}

src/lib.rs

@@ -0,0 +1,4 @@
+pub mod handlers;
+pub mod inference;
+pub mod shield;
+pub mod web3;

src/main.rs

@@ -0,0 +1,27 @@
+use axum::{routing::post, Router};
+use tower_http::trace::TraceLayer;
+use tracing_subscriber::EnvFilter;
+
+// Use the library crate to get the handler
+use rustvital_amd::handlers;
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    // Load .env file (ignore if missing)
+    dotenvy::dotenv().ok();
+
+    // Initialise tracing (respects RUST_LOG from env)
+    tracing_subscriber::fmt()
+        .with_env_filter(EnvFilter::from_default_env().add_directive("rustvital_amd=debug".parse()?))
+        .init();
+
+    tracing::info!("Starting RustVital-AMD server");
+
+    let app = Router::new()
+        .route("/triage", post(handlers::triage::handle))
+        .layer(TraceLayer::new_for_http());
+
+    let listener = tokio::net::TcpListener::bind("0.0.0.0:3000").await?;
+    axum::serve(listener, app).await?;
+    Ok(())
+}

src/shield/mod.rs

@@ -0,0 +1 @@
+pub mod redact;

src/shield/redact.rs

@@ -0,0 +1,100 @@
+use tracing::instrument;
+use serde::{Serialize, Deserialize};
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct PiiMatch {
+    pub entity_type: String,
+    pub original: String,
+    pub placeholder: String,
+}
+
+#[instrument(skip_all)]
+pub fn redact_pii(raw_text: &str) -> (String, Vec<PiiMatch>) {
+    let custom_patterns: Vec<(&str, &str)> = vec![
+        (r"\b(?:Dr\.|Dr|Professor|Prof\.)\s+[A-Z][a-z]+\b", "PROVIDER_NAME"),
+        // Match 2+ capitalized words (e.g., "John Smith", "Patient John Smith")
+        (r"\b[A-Z][a-z]+(?: [A-Z][a-z]+)+\b", "PERSON_NAME"),
+        (r"\b\d{1,2}/\d{1,2}/\d{2,4}\b", "DATE"),
+        (r"\b\d{3}-\d{2}-\d{4}\b", "SSN"),
+        (r"\b\d{10}\b", "PHONE"),
+        (r"\b[A-Z]{2}\d{2}\s?\d{2}\s?\d{2}\s?\d\b", "NHS_NUMBER"),
+        (r"\b\d{3}-\d{4}\b", "ZIP"),
+        (r"\b\d{2,3}\s?(?:years?|yo)\b", "AGE"),
+        (r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b", "EMAIL"),
+    ];
+
+    let compiled: Vec<(regex::Regex, &str)> = custom_patterns
+        .iter()
+        .filter_map(|(p, label)| regex::Regex::new(p).ok().map(|re| (re, *label)))
+        .collect();
+
+    let mut pii_matches = Vec::new();
+    let mut redacted = raw_text.to_string();
+    let mut counter: std::collections::HashMap<String, usize> = std::collections::HashMap::new();
+
+    let raw_bytes = raw_text.as_bytes();
+    let mut all_matches: Vec<(usize, usize, &regex::Regex, &str)> = Vec::new();
+    for (re, entity_type) in &compiled {
+        for mat in re.find_iter(raw_text) {
+            all_matches.push((mat.start(), mat.end(), re, *entity_type));
+        }
+    }
+
+    // Sort by start, then longest match first (to prefer "Patient John Smith" over "Patient John")
+    all_matches.sort_by(|a, b| a.0.cmp(&b.0).then_with(|| b.1.cmp(&a.1)));
+
+    // Remove overlapping matches
+    let mut used = vec![false; raw_bytes.len()];
+    let mut filtered = Vec::new();
+    for (start, end, re, entity_type) in all_matches {
+        let range = start..end;
+        if used[range.clone()].iter().any(|&b| b) {
+            continue;
+        }
+        used[range].fill(true);
+        filtered.push((start, end, re, entity_type));
+    }
+
+    // Process in reverse order for safe replacement
+    filtered.sort_by(|a, b| b.0.cmp(&a.0));
+    for (start, end, _re, entity_type) in filtered {
+        let original = &raw_text[start..end];
+        let count = counter.entry(entity_type.to_string()).or_insert(0);
+        *count += 1;
+        let placeholder = format!("[{}_{}]", entity_type, count);
+        pii_matches.push(PiiMatch {
+            entity_type: entity_type.to_string(),
+            original: original.to_string(),
+            placeholder: placeholder.clone(),
+        });
+        redacted.replace_range(start..end, &placeholder);
+    }
+
+    tracing::debug!("Redacted {} PII tokens", pii_matches.len());
+    (redacted, pii_matches)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn redact_pii_basic() {
+        let text = "Patient John Smith, 45 yo, phone 5551234567, SSN 123-45-6789.";
+        let (redacted, matches) = redact_pii(text);
+
+        // All PII tokens must be gone
+        assert!(!redacted.contains("John"));
+        assert!(!redacted.contains("Smith"));
+        assert!(!redacted.contains("5551234567"));
+        assert!(!redacted.contains("123-45-6789"));
+
+        // Placeholders present
+        assert!(redacted.contains("[PERSON_NAME_1]"));
+        assert!(redacted.contains("[PHONE_1]"));
+        assert!(redacted.contains("[SSN_1]"));
+
+        // Verify we captured the full name
+        assert!(matches.iter().any(|m| m.original.contains("John Smith") || m.original.contains("Patient John Smith")));
+    }
+}

src/web3/base_tx.rs

@@ -0,0 +1,66 @@
+use anyhow::Result;
+use alloy::{
+    network::TransactionBuilder,
+    primitives::U256,
+    providers::{Provider, ProviderBuilder},
+    signers::local::PrivateKeySigner,
+    rpc::types::TransactionRequest,
+};
+use std::str::FromStr;
+
+pub async fn commit_cid(cid: &str) -> Result<String> {
+    let rpc_url = "https://sepolia.base.org".parse()?;
+
+    let priv_key = std::env::var("PRIVATE_KEY")
+        .unwrap_or_else(|_| "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80".to_string());
+
+    let signer = PrivateKeySigner::from_str(&priv_key)?;
+    let from = signer.address();
+    let wallet = alloy::network::EthereumWallet::from(signer);
+
+    let provider = ProviderBuilder::new()
+        .wallet(wallet)
+        .on_http(rpc_url);
+
+    let data = cid.as_bytes().to_vec();
+
+    let mut tx = TransactionRequest::default()
+        .with_from(from)
+        .with_to(from)       // self‑transfer
+        .with_value(U256::ZERO)
+        .with_input(data)
+        .with_chain_id(84532);   // <-- Base Sepolia chain ID
+
+    let nonce = provider.get_transaction_count(from).await?;
+    let gas_limit = provider.estimate_gas(&tx).await?;
+    let fee = provider.estimate_eip1559_fees(None).await?;
+
+    tx = tx
+        .with_nonce(nonce)
+        .with_gas_limit(gas_limit)
+        .with_max_fee_per_gas(fee.max_fee_per_gas)
+        .with_max_priority_fee_per_gas(fee.max_priority_fee_per_gas);
+
+    // Retry loop (handles 502 errors)
+    let mut attempts = 0;
+    loop {
+        match provider.send_transaction(tx.clone()).await {
+            Ok(pending) => {
+                let receipt = pending.get_receipt().await?;
+                let tx_hash = receipt.transaction_hash;
+                tracing::info!(
+                    "Committed CID {} to Base Sepolia, tx: {:?}",
+                    cid,
+                    tx_hash
+                );
+                return Ok(format!("{:?}", tx_hash));
+            }
+            Err(e) if attempts < 3 && e.to_string().contains("502") => {
+                attempts += 1;
+                tokio::time::sleep(std::time::Duration::from_secs(2)).await;
+                continue;
+            }
+            Err(e) => return Err(anyhow::Error::new(e).context("send_transaction failed")),
+        }
+    }
+}

src/web3/filecoin.rs

@@ -0,0 +1,35 @@
+use anyhow::Result;
+use cid::Cid;
+use sha2::{Digest, Sha256};
+
+/// Generate a Filecoin-compatible CIDv1 (raw codec, sha2-256)
+pub fn generate_cid(data: &str) -> Result<String> {
+    // Compute SHA-256 hash
+    let mut hasher = Sha256::new();
+    hasher.update(data.as_bytes());
+    let hash_bytes = hasher.finalize();
+
+    // Build multihash (code 0x12 = sha2-256, size 32)
+    let mh = cid::multihash::Multihash::wrap(0x12, &hash_bytes)
+        .map_err(|e| anyhow::anyhow!("Invalid multihash: {:?}", e))?;
+
+    // CIDv1, raw multicodec (0x55)
+    let cid = Cid::new_v1(0x55, mh);
+    Ok(cid.to_string())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn cid_format() {
+        let cid = generate_cid("hello world").unwrap();
+        // CIDv1 in base32 always starts with 'b'
+        assert!(cid.starts_with('b'), "CID should start with 'b': {}", cid);
+        // Must be non-empty and decodable
+        let decoded = Cid::try_from(cid.as_str()).unwrap();
+        assert_eq!(decoded.version(), cid::Version::V1);
+        println!("CID: {}", cid); // e.g., bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi
+    }
+}

src/web3/mod.rs

@@ -0,0 +1,2 @@
+pub mod filecoin;
+pub mod base_tx;