
chio_guard_sdk/
lib.rs

1//! Guest-side SDK for writing Chio WASM guards.
2//!
3//! This crate is the primary dependency for guard authors. It provides:
4//!
5//! - **Types** ([`types`]): `GuardRequest`, `GuardVerdict`, `GuestDenyResponse`
6//!   with serde annotations matching the host ABI exactly.
7//! - **Host bindings** ([`host`]): safe wrappers for `chio.log`, `chio.get_config`,
8//!   and `chio.get_time_unix_secs` host imports.
9//! - **ABI glue** ([`glue`]): `read_request` to deserialize from linear memory,
10//!   `encode_verdict` to produce the ABI return code, and the `chio_deny_reason`
11//!   export for structured deny reasons.
12//! - **Allocator** ([`alloc`]): `chio_alloc`/`chio_free` exports that the host
13//!   runtime probes for dynamic memory allocation in guest linear memory.
14//!
15//! The crate compiles to `wasm32-unknown-unknown` for production guards. On
16//! native targets the host imports are replaced by no-op fallbacks, so `cargo test`
17//! runs without a WASM runtime; such tests do not exercise the real host calls.
18//!
19//! The `#[chio_guard]` proc macro (Phase 383) will generate the `evaluate`
20//! export automatically. Until then, guard authors wire the pieces together
21//! manually.
22//!
23//! # Quick start
24//!
25//! ```rust,ignore
26//! use chio_guard_sdk::prelude::*;
27//!
28//! fn evaluate(req: GuardRequest) -> GuardVerdict {
29//!     if req.tool_name == "dangerous_tool" {
30//!         GuardVerdict::deny("tool is blocked by policy")
31//!     } else {
32//!         GuardVerdict::allow() // deny-list: every tool name not matched above is allowed
33//!     }
34//! }
35//! ```
36
37pub mod alloc;
38pub mod glue;
39pub mod host;
40pub mod types;
41
42// Top-level re-exports for convenience.
43pub use glue::{encode_verdict, read_request};
44pub use host::{get_config, get_time, log, log_level};
45pub use types::{GuardRequest, GuardVerdict, GuestDenyResponse, VERDICT_ALLOW, VERDICT_DENY};
46
47/// Prelude module re-exporting the guard-author API for a single glob import.
48///
49/// `use chio_guard_sdk::prelude::*;` brings in the request/verdict types and verdict constants, the
50/// host bindings, and the glue functions. `GuestDenyResponse` is not in the prelude; it is re-exported from the crate root.
51pub mod prelude {
52    pub use crate::glue::{encode_verdict, read_request}; // ABI glue: request decoding and verdict return code
53    pub use crate::host::{get_config, get_time, log, log_level}; // wrappers over the host imports
54    pub use crate::types::{GuardRequest, GuardVerdict, VERDICT_ALLOW, VERDICT_DENY}; // no GuestDenyResponse here
55}