Skip to content

Your First Auditor

This tutorial walks you through the complete lifecycle of a Lucid Auditor: development, verification, publishing, and deployment.

🎭 The Scenario: PII Redaction

You need to ensure that no Social Security Numbers (SSN) are sent to your AI model. You will build an auditor that intercepts requests and blocks those containing PII.

Step 1: Implement the Logic (SDK)

Create a file named pii_auditor.py. We'll use the Lucid SDK to define a request-phase hook.

from lucid_sdk import create_auditor, Proceed, Deny

# 1. Initialize the auditor builder
builder = create_auditor(auditor_id="pii-scanner")

# 2. Define the safety logic
@builder.on_request
def scan_pii(data: dict):
    # Logic: deny requests containing SSN patterns
    if "SSN" in str(data):
        return Deny(reason="PII Detected: SSN found in request")
    return Proceed()

# 3. Build the auditor instance
auditor = builder.build()

Step 2: Containerize

Lucid Auditors run as sidecars. Create a Dockerfile:

FROM python:3.12-slim
WORKDIR /app
COPY pii_auditor.py .
RUN pip install lucid-sdk
CMD ["python", "pii_auditor.py"]

Build the image: 

docker build -t my-auditor:v1 .

Step 3: Verify Compliance (CLI)

Before deploying, ensure your container meets the Lucid Auditor Standard (correct labels and health endpoints).

lucid auditor verify my-auditor:v1

Expected Output: 

[+] Basic labels found.
[+] Compliance probe successful!
[*] Verification complete. Auditor is compliant.

Step 4: Sign & Notarize

Register your auditor's cryptographic digest with the Lucid Verifier. This ensures only your authorized code can run in the TEE.

# Publish to the Lucid Registry
lucid auditor publish my-auditor:v1

Step 5: Define the Audit Chain

Create a file named auditors.yaml to define how this auditor fits into your security policy.

chain:
  - name: pii-scanner
    image: my-auditor:v1
    port: 8081

Step 6: Deploy

Apply your policy to an existing Kubernetes workload. Ensure your deployment manifest has the lucid.io/secured: "true" label.

lucid deploy apply --file my-app.yaml --auditors auditors.yaml --mock

✅ Results

  1. Sidecar Injection: The Lucid Operator will automatically inject your pii-scanner into the application Pod.
  2. Enforcement: Every request to your model will now pass through the PII scanner.
  3. AI Passport: Every response will include a cryptographically signed passport proving the PII check was performed.

Next: Learn more about Auditor Development.