Skip to main content

Module vector_guard

chio_data_guards

Module vector_guard 

Source
Expand description

Vector database guard (roadmap phase 7.2).

VectorDbGuard inspects tool calls that target a vector database – Pinecone, Weaviate, Qdrant, Chroma, or any database the operator configures as vector-flavored – and enforces four categories of policy that the SQL guard cannot:

  1. Collection allowlist. A query to a collection that is not on the operator’s allowlist is denied.
  2. Namespace scoping. A query whose namespace field disagrees with the grant’s active namespace is denied. Empty/missing namespaces collapse to a single shared bucket.
  3. Operation class. Upsert, delete, or index-mutation verbs are denied when the active grant carries SqlOperationClass::ReadOnly. The reuse of SqlOperationClass is deliberate – see docs/ROADMAP.md phase 7.2 – so a single constraint enum covers every database-shaped grant.
  4. top_k ceiling. A query whose top_k exceeds the grant’s Constraint::MaxRowsReturned is denied. The guard fails closed when top_k is missing from the arguments and a ceiling is configured.

§Fail-closed rules

Like every other guard in this crate, the vector guard is fail-closed:

  • JSON parse errors in the arguments deny.
  • Missing required fields (collection when the allowlist is non-empty, namespace when a namespace is configured, top_k when a ceiling is configured) deny.
  • An empty collection allowlist denies every request (no collection is implicitly allowed). Operators can opt into an open configuration via VectorGuardConfig::allow_all.

§Action detection

chio-guards already categorises some vector flows as ToolAction::MemoryRead/ToolAction::MemoryWrite; this guard primarily drives off ToolAction::DatabaseQuery with a vector-flavored database (or a tool name that matches a configured vendor substring) so it can enforce the same policy against bespoke vendor-adapted SDK tools as well. The memory-read/write actions are handled as a second pass – they carry the store and optional key but no top_k or operation hint, so we lift those from the raw arguments JSON.

§Tool argument schema

The guard extracts four fields from the tool arguments by JSON path:

fielddefault arg keys
collectioncollection, index, class, store
namespacenamespace, tenant, partition
operationoperation, op, action
top_ktop_k, topK, k, limit

All paths are configurable via VectorGuardConfig::field_paths.

Structs§

VectorCall
The parsed view of a vector-database tool call.
VectorDbGuard
Vector database guard (roadmap phase 7.2).
VectorFieldPaths
Configurable JSON field paths for the argument extractor.
VectorGuardConfig
Configuration for VectorDbGuard.

Enums§

VectorGuardDenyReason
Structured reason for a VectorDbGuard denial.