Security guards for the Chio runtime kernel.
This crate provides policy-driven security guards adapted from ClawdStrike. Each guard implements `chio_kernel::Guard` and can be registered on the kernel via `kernel.add_guard(...)` or composed into a `GuardPipeline`.
## Implemented guards

| Guard | Status | Description |
|---|---|---|
| ForbiddenPathGuard | Full | Blocks access to sensitive filesystem paths |
| ShellCommandGuard | Full | Blocks dangerous shell commands |
| EgressAllowlistGuard | Full | Controls network egress by domain |
| PathAllowlistGuard | Full | Allowlist-based path access control |
| McpToolGuard | Full | Restricts MCP tool invocations |
| SecretLeakGuard | Full | Detects secrets in file writes |
| PatchIntegrityGuard | Full | Validates patch safety |
| InternalNetworkGuard | Full | Blocks SSRF targeting private/reserved addresses |
| AgentVelocityGuard | Full | Per-agent and per-session rate limiting |
| DataFlowGuard | Full | Cumulative bytes-read/written limits via session journal |
| BehavioralSequenceGuard | Full | Tool ordering policies via session journal |
| ResponseSanitizationGuard | Full | PII/PHI pattern detection and redaction |
| AdvisoryPipeline | Full | Non-blocking advisory signals with optional promotion |
| AnomalyAdvisoryGuard | Full | Flags unusual invocation patterns and delegation depth |
| DataTransferAdvisoryGuard | Full | Flags high data transfer volumes |
| JailbreakGuard | Full | Multi-layer jailbreak detection (heuristic + statistical + ML) |
## Guard pipeline

The `GuardPipeline` runs guards in sequence, fail-closed: if any guard denies, the pipeline denies. Register it on the kernel:

```rust
use chio_guards::GuardPipeline;

// `kernel` is the chio_kernel kernel instance the guards are registered on.
let pipeline = GuardPipeline::default_pipeline();
kernel.add_guard(Box::new(pipeline));
```

## Re-exports
```rust
pub use advisory::AdvisoryGuard;
pub use advisory::AdvisoryPipeline;
pub use advisory::AdvisorySeverity;
pub use advisory::AdvisorySignal;
pub use advisory::AnomalyAdvisoryGuard;
pub use advisory::DataTransferAdvisoryGuard;
pub use advisory::GuardOutput;
pub use advisory::PromotionPolicy;
pub use advisory::PromotionRule;
pub use agent_velocity::AgentVelocityConfig;
pub use agent_velocity::AgentVelocityGuard;
pub use behavioral_profile::BehavioralMetric;
pub use behavioral_profile::BehavioralProfileConfig;
pub use behavioral_profile::BehavioralProfileGuard;
pub use behavioral_profile::InMemoryReceiptFeed;
pub use behavioral_profile::ObservationOutcome;
pub use behavioral_profile::ReceiptFeedSource;
pub use behavioral_profile::DEFAULT_BASELINE_MIN_WINDOWS;
pub use behavioral_profile::DEFAULT_EMA_ALPHA;
pub use behavioral_profile::DEFAULT_SIGMA_THRESHOLD;
pub use behavioral_profile::DEFAULT_WINDOW_SECS;
pub use behavioral_sequence::BehavioralSequenceGuard;
pub use behavioral_sequence::SequencePolicy;
pub use data_flow::DataFlowConfig;
pub use data_flow::DataFlowGuard;
pub use internal_network::InternalNetworkGuard;
pub use jailbreak::JailbreakGuard;
pub use jailbreak::JailbreakGuardConfig;
pub use jailbreak::DEFAULT_FINGERPRINT_CAPACITY as JAILBREAK_DEFAULT_FINGERPRINT_CAPACITY;
pub use jailbreak_detector::Detection as JailbreakDetection;
pub use jailbreak_detector::DetectorConfig as JailbreakDetectorConfig;
pub use jailbreak_detector::JailbreakCategory;
pub use jailbreak_detector::JailbreakDetector;
pub use jailbreak_detector::LayerScores as JailbreakLayerScores;
pub use jailbreak_detector::LayerWeights;
pub use jailbreak_detector::LinearModel as JailbreakLinearModel;
pub use jailbreak_detector::Signal as JailbreakSignal;
pub use jailbreak_detector::StatisticalThresholds as JailbreakStatisticalThresholds;
pub use jailbreak_detector::DEFAULT_DENY_THRESHOLD as JAILBREAK_DEFAULT_DENY_THRESHOLD;
pub use mcp_tool::McpToolGuard;
pub use patch_integrity::PatchIntegrityGuard;
pub use path_allowlist::PathAllowlistGuard;
pub use post_invocation::sanitize_json;
pub use post_invocation::SanitizerHook;
pub use prompt_injection::Detection as PromptInjectionDetection;
pub use prompt_injection::PromptInjectionConfig;
pub use prompt_injection::PromptInjectionGuard;
pub use prompt_injection::Signal as PromptInjectionSignal;
pub use response_sanitization::AllowlistConfig;
pub use response_sanitization::CategoryConfig;
pub use response_sanitization::DenylistConfig;
pub use response_sanitization::EntropyConfig;
pub use response_sanitization::OutputSanitizer;
pub use response_sanitization::OutputSanitizerConfig;
pub use response_sanitization::OutputSanitizerConfigError;
pub use response_sanitization::ProcessingStats;
pub use response_sanitization::Redaction;
pub use response_sanitization::RedactionStrategy;
pub use response_sanitization::ResponseSanitizationGuard;
pub use response_sanitization::SanitizationAction;
pub use response_sanitization::SanitizationResult;
pub use response_sanitization::SanitizedValue;
pub use response_sanitization::ScanResult;
pub use response_sanitization::SensitiveCategory;
pub use response_sanitization::SensitiveDataFinding;
pub use response_sanitization::SensitivityLevel;
pub use response_sanitization::Span;
pub use response_sanitization::TokenVault;
pub use secret_leak::SecretLeakGuard;
pub use velocity::VelocityGuard;
pub use action::extract_action;
pub use action::ToolAction;
pub use external::AsyncGuardAdapter;
pub use external::AsyncGuardAdapterBuilder;
pub use external::AsyncGuardAdapterConfig;
pub use external::CircuitBreaker;
pub use external::CircuitBreakerConfig;
pub use external::CircuitOpenVerdict;
pub use external::CircuitState;
pub use external::ExternalGuard;
pub use external::ExternalGuardError;
pub use external::GuardCallContext;
pub use external::RateLimitedVerdict;
pub use external::RetryConfig;
pub use external::TokenBucket;
pub use external::TtlCache;
pub use computer_use::default_allowed_action_types as computer_use_default_allowed_action_types;
pub use computer_use::ComputerUseConfig;
pub use computer_use::ComputerUseGuard;
pub use computer_use::EnforcementMode;
pub use input_injection::default_allowed_input_types;
pub use input_injection::InputInjectionCapabilityConfig;
pub use input_injection::InputInjectionCapabilityGuard;
pub use remote_desktop::RemoteDesktopSideChannelConfig;
pub use remote_desktop::RemoteDesktopSideChannelGuard;
pub use spider_sense::cosine_similarity as spider_sense_cosine_similarity;
pub use spider_sense::extract_embedding;
pub use spider_sense::AmbiguousPolicy;
pub use spider_sense::PatternDb;
pub use spider_sense::PatternEntry;
pub use spider_sense::SpiderSenseConfig;
pub use spider_sense::SpiderSenseError;
pub use spider_sense::SpiderSenseGuard;
pub use spider_sense::DEFAULT_AMBIGUITY_BAND;
pub use spider_sense::DEFAULT_SIMILARITY_THRESHOLD;
pub use spider_sense::DEFAULT_TOP_K;
pub use browser_automation::default_allowed_verbs as browser_automation_default_allowed_verbs;
pub use browser_automation::BrowserAutomationConfig;
pub use browser_automation::BrowserAutomationError;
pub use browser_automation::BrowserAutomationGuard;
pub use code_execution::default_dangerous_modules as code_execution_default_dangerous_modules;
pub use code_execution::CodeExecutionConfig;
pub use code_execution::CodeExecutionError;
pub use code_execution::CodeExecutionGuard;
pub use content_review::ContentReviewConfig;
pub use content_review::ContentReviewError;
pub use content_review::ContentReviewGuard;
pub use content_review::ContentReviewRules;
pub use memory_governance::MemoryGovernanceConfig;
pub use memory_governance::MemoryGovernanceError;
pub use memory_governance::MemoryGovernanceGuard;
```
## Modules

- `action` – Tool action extraction from Chio tool call requests.
- `advisory` – Advisory signal framework – signed, non-blocking evidence observations.
- `agent_velocity` – Agent velocity guard – per-agent and per-session rate limiting.
- `behavioral_profile` – Phase 19.2 – guard-integrated behavioral profiling.
- `behavioral_sequence` – Behavioral sequence guard – enforces tool ordering policies using the session journal.
- `browser_automation` – BrowserAutomationGuard – domain allowlists, action-type restrictions, and credential detection in `Type` actions.
- `code_execution` – CodeExecutionGuard – language allowlist, dangerous-module detection, network gating, and execution-time bounds for sandboxed interpreter actions.
- `computer_use` – ComputerUseGuard – coarse gate for Computer Use Agent (CUA) actions.
- `content_review` – ContentReviewGuard – pre-invocation review of outbound content for SaaS / communication / payment tool calls.
- `data_flow` – Data flow guard – enforces cumulative bytes-read/written limits via session journal.
- `external` – External guard adapter infrastructure.
- `input_injection` – InputInjectionCapabilityGuard – fine-grained control over `input.inject` actions.
- `internal_network` – Internal network guard – blocks SSRF targeting private/reserved addresses.
- `jailbreak` – Jailbreak-detection guard (roadmap phase 3.2).
- `jailbreak_detector` – Multi-layer jailbreak detection engine.
- `mcp_tool` – MCP tool guard – restricts which MCP tools an agent may invoke.
- `memory_governance` – MemoryGovernanceGuard – enforces memory store allowlist, retention TTL ceilings, and per-session memory-entry counts on `ToolAction::MemoryWrite` and `ToolAction::MemoryRead` actions.
- `patch_integrity` – Patch integrity guard – validates patch/diff safety.
- `path_allowlist` – Path allowlist guard – deny by default when enabled.
- `post_invocation` – Post-invocation hook pipeline – inspects tool results before they reach the agent.
- `prompt_injection` – Prompt-injection detection guard (roadmap phase 3.1).
- `remote_desktop` – RemoteDesktopSideChannelGuard – per-channel enable/disable with transfer-size limits for remote desktop / RDP / VNC style sessions.
- `response_sanitization` – Response sanitization guard – scans tool results for secrets, PII/PHI, and other sensitive data, then redacts them before the agent sees them.
- `secret_leak` – Secret leak guard – detects potential secret exposure in file writes.
- `spider_sense` – SpiderSense embedding detector – cosine-similarity anomaly detection.
- `text_utils` – Text canonicalization utilities shared across content-safety guards.
- `velocity` – Velocity guard – synchronous token bucket rate limiting per grant.
## Structs

- `EgressAllowlistGuard` – Guard that controls network egress via domain allowlist.
- `ForbiddenPathGuard` – Guard that blocks access to sensitive filesystem paths.
- `GuardPipeline` – A pipeline of guards evaluated in registration order.
- `PipelineOutcome` – Outcome of running the pipeline.
- `PostInvocationPipeline` – Pipeline of post-invocation hooks evaluated in registration order.
- `ShellCommandGuard` – Guard that blocks dangerous shell commands before execution.

## Enums

- `PostInvocationVerdict` – Verdict from a post-invocation hook.

## Traits

- `PostInvocationHook` – A hook that inspects tool responses after invocation.