
Crate chio_data_guards


Data layer guards for the Chio runtime kernel.

This crate houses guards that inspect the semantics of data-store accesses rather than merely the presence of a tool. Phase 7.1 of the Chio roadmap ships the first such guard, SqlQueryGuard, which parses SQL queries submitted to database tools and enforces allowlists on operations, tables, columns, and predicates.

Future phases (7.2, 7.3, 7.4) will add VectorDbGuard, WarehouseCostGuard, and the post-invocation QueryResultGuard in this same crate. The module layout is designed to absorb those additions without breaking the public surface.

§Relationship to chio-guards

chio-data-guards is a sibling of chio-guards. It reuses the chio_kernel::Guard trait and the chio_guards::extract_action dispatcher; it does not redefine either. Pipelines compose the two crates transparently:

use chio_guards::GuardPipeline;
use chio_data_guards::{SqlGuardConfig, SqlQueryGuard};

let mut pipeline = GuardPipeline::default_pipeline();
pipeline.add(Box::new(SqlQueryGuard::new(SqlGuardConfig::default())));

§Fail-closed

Every guard in this crate is fail-closed. Parse errors deny, empty configurations deny, and an invalid user-supplied regex in the configuration either causes policy loading to be rejected or produces a deny-all guard.
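The fail-closed rules above, shown as an added example that is not code from this crate. It uses only the standard library and a deliberately tiny toy grammar in place of the real sqlparser-based analysis, and every name in it (Verdict, ToyConfig, parse, evaluate, demo_config) is hypothetical.

```rust
// Added illustration: std-only stand-in, not chio_data_guards code.
// Every name below (Verdict, ToyConfig, parse, evaluate) is hypothetical.
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
enum Verdict { Allow, Deny(&'static str) }

#[derive(Default)]
struct ToyConfig { operations: HashSet<String>, tables: HashSet<String> }

/// Toy grammar: `SELECT <cols> FROM <table>` or `DELETE FROM <table>`.
/// Anything outside it is a parse error (None), never a best-effort guess.
fn parse(sql: &str) -> Option<(String, String)> {
    // Reject quotes, parentheses, semicolons and comment markers outright.
    if !sql.chars().all(|c| c.is_ascii_alphanumeric() || " _,*".contains(c)) { return None; }
    let words: Vec<String> = sql.split_whitespace().map(str::to_ascii_lowercase).collect();
    let op = words.first()?.clone();
    if op != "select" && op != "delete" { return None; }
    // Exactly one FROM, and the table must be the final token (no JOIN, no WHERE).
    if words.iter().filter(|w| *w == "from").count() != 1 { return None; }
    let from = words.iter().position(|w| w == "from")?;
    if from + 2 != words.len() { return None; }
    Some((op, words[from + 1].clone()))
}

fn evaluate(cfg: &ToyConfig, sql: &str) -> Verdict {
    // An empty allowlist means "deny everything", not "no restrictions".
    if cfg.operations.is_empty() || cfg.tables.is_empty() { return Verdict::Deny("empty configuration"); }
    let Some((op, table)) = parse(sql) else { return Verdict::Deny("parse error") };
    if !cfg.operations.contains(&op) { return Verdict::Deny("operation not allowlisted"); }
    if !cfg.tables.contains(&table) { return Verdict::Deny("table not allowlisted"); }
    Verdict::Allow
}

fn demo_config() -> ToyConfig {
    ToyConfig {
        operations: HashSet::from(["select".to_string()]),
        tables: HashSet::from(["orders".to_string()]),
    }
}

fn main() {
    let cfg = demo_config(); // constructed sample policy; queries below are constructed too
    for q in ["SELECT id FROM orders", "SELECT id FROM orders; DROP TABLE orders", "DELETE FROM orders", "SELECT * FROM users"] {
        println!("{q:?} -> {:?}", evaluate(&cfg, q));
    }
}
```

The order of checks matters: the empty-configuration test runs before parsing, so a policy that failed to populate its allowlists can never reach an Allow branch.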

Re-exports§

pub use config::SqlDialect;
pub use config::SqlGuardConfig;
pub use config::SqlOperation;
pub use error::SqlGuardDenyReason;
pub use result_guard::QueryResultGuard;
pub use result_guard::QueryResultGuardConfig;
pub use result_guard::QueryResultHook;
pub use result_guard::DEFAULT_REDACTION_MARKER;
pub use sql_guard::SqlQueryGuard;
pub use sql_parser::SqlAnalysis;
pub use vector_guard::VectorCall;
pub use vector_guard::VectorDbGuard;
pub use vector_guard::VectorFieldPaths;
pub use vector_guard::VectorGuardConfig;
pub use vector_guard::VectorGuardDenyReason;
pub use warehouse_cost_guard::DryRunEstimate;
pub use warehouse_cost_guard::WarehouseCostDenyReason;
pub use warehouse_cost_guard::WarehouseCostFieldPaths;
pub use warehouse_cost_guard::WarehouseCostGuard;
pub use warehouse_cost_guard::WarehouseCostGuardConfig;

Modules§

config: Configuration types for the SQL query guard.
error: Error types for the Chio data layer guards.
result_guard: Post-invocation query result guard (roadmap phase 7.4).
sql_guard: The SqlQueryGuard implementation.
sql_parser: Thin wrapper over the sqlparser crate that produces a normalized SqlAnalysis for the guard to evaluate.
vector_guard: Vector database guard (roadmap phase 7.2).
warehouse_cost_guard: Warehouse cost guard (roadmap phase 7.3).