
chio_guards/
lib.rs

1//! Security guards for the Chio runtime kernel.
2//!
3//! This crate provides policy-driven security guards adapted from
4//! [ClawdStrike](https://github.com/backbay-labs/clawdstrike).  Each guard
5//! implements `chio_kernel::Guard` and can be registered on the kernel via
6//! `kernel.add_guard(...)` or composed into a [`GuardPipeline`].
7//!
8//! # Implemented guards
9//!
10//! | Guard | Status | Description |
11//! |-------|--------|-------------|
12//! | [`ForbiddenPathGuard`] | **Full** | Blocks access to sensitive filesystem paths |
13//! | [`ShellCommandGuard`] | **Full** | Blocks dangerous shell commands |
14//! | [`EgressAllowlistGuard`] | **Full** | Controls network egress by domain |
15//! | [`PathAllowlistGuard`] | **Full** | Allowlist-based path access control |
16//! | [`McpToolGuard`] | **Full** | Restricts MCP tool invocations |
17//! | [`SecretLeakGuard`] | **Full** | Detects secrets in file writes |
18//! | [`PatchIntegrityGuard`] | **Full** | Validates patch safety |
19//! | [`InternalNetworkGuard`] | **Full** | Blocks SSRF targeting private/reserved addresses |
20//! | [`AgentVelocityGuard`] | **Full** | Per-agent and per-session rate limiting |
21//! | [`DataFlowGuard`] | **Full** | Cumulative bytes-read/written limits via session journal |
22//! | [`BehavioralSequenceGuard`] | **Full** | Tool ordering policies via session journal |
23//! | [`ResponseSanitizationGuard`] | **Full** | PII/PHI pattern detection and redaction |
24//! | [`AdvisoryPipeline`] | **Full** | Non-blocking advisory signals with optional promotion |
25//! | [`AnomalyAdvisoryGuard`] | **Full** | Flags unusual invocation patterns and delegation depth |
26//! | [`DataTransferAdvisoryGuard`] | **Full** | Flags high data transfer volumes |
27//! | [`JailbreakGuard`] | **Full** | Multi-layer jailbreak detection (heuristic + statistical + ML) |
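28//!
//! This table is not exhaustive: the crate root also re-exports guards that
//! have no row here, for example [`PromptInjectionGuard`],
//! [`CodeExecutionGuard`] and [`MemoryGovernanceGuard`].
//!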
29//! # Guard pipeline
30//!
31//! The [`GuardPipeline`] runs its guards in sequence and is fail-closed: if any
32//! guard denies, the pipeline denies.  Register it on the kernel:
33//!
34//! ```ignore
35//! use chio_guards::GuardPipeline;
36//!
37//! let pipeline = GuardPipeline::default_pipeline();
38//! kernel.add_guard(Box::new(pipeline));
39//! ```
40
41#![cfg_attr(test, allow(clippy::expect_used, clippy::unwrap_used))]
42
43pub mod action;
44mod path_normalization;
45
46pub mod external;
47
48pub mod advisory;
49pub mod agent_velocity;
50pub mod behavioral_profile;
51pub mod behavioral_sequence;
52pub mod data_flow;
53mod egress_allowlist;
54mod forbidden_path;
55pub mod internal_network;
56pub mod jailbreak;
57pub mod jailbreak_detector;
58pub mod mcp_tool;
59pub mod patch_integrity;
60pub mod path_allowlist;
61mod pipeline;
62pub mod post_invocation;
63pub mod prompt_injection;
64pub mod response_sanitization;
65pub mod secret_leak;
66mod shell_command;
67pub mod text_utils;
68pub mod velocity;
69
70// Phase 5.1-5.4: Computer Use Agent (CUA) and SpiderSense guards.
71pub mod computer_use;
72pub mod input_injection;
73pub mod remote_desktop;
74pub mod spider_sense;
75
76// Phase 8.1-8.2, 11.1, 18.1: code execution, browser automation,
77// content review, and memory governance guards.
78pub mod browser_automation;
79pub mod code_execution;
80pub mod content_review;
81pub mod memory_governance;
82
83pub use advisory::{
84    AdvisoryGuard, AdvisoryPipeline, AdvisorySeverity, AdvisorySignal, AnomalyAdvisoryGuard,
85    DataTransferAdvisoryGuard, GuardOutput, PromotionPolicy, PromotionRule,
86};
87pub use agent_velocity::{AgentVelocityConfig, AgentVelocityGuard};
88pub use behavioral_profile::{
89    BehavioralMetric, BehavioralProfileConfig, BehavioralProfileGuard, InMemoryReceiptFeed,
90    ObservationOutcome, ReceiptFeedSource, DEFAULT_BASELINE_MIN_WINDOWS, DEFAULT_EMA_ALPHA,
91    DEFAULT_SIGMA_THRESHOLD, DEFAULT_WINDOW_SECS,
92};
93pub use behavioral_sequence::{BehavioralSequenceGuard, SequencePolicy};
94pub use data_flow::{DataFlowConfig, DataFlowGuard};
95pub use egress_allowlist::EgressAllowlistGuard;
96pub use forbidden_path::ForbiddenPathGuard;
97pub use internal_network::InternalNetworkGuard;
98pub use jailbreak::{
99    JailbreakGuard, JailbreakGuardConfig,
100    DEFAULT_FINGERPRINT_CAPACITY as JAILBREAK_DEFAULT_FINGERPRINT_CAPACITY,
101};
102pub use jailbreak_detector::{
103    Detection as JailbreakDetection, DetectorConfig as JailbreakDetectorConfig, JailbreakCategory,
104    JailbreakDetector, LayerScores as JailbreakLayerScores, LayerWeights,
105    LinearModel as JailbreakLinearModel, Signal as JailbreakSignal,
106    StatisticalThresholds as JailbreakStatisticalThresholds,
107    DEFAULT_DENY_THRESHOLD as JAILBREAK_DEFAULT_DENY_THRESHOLD,
108};
109pub use mcp_tool::McpToolGuard;
110pub use patch_integrity::PatchIntegrityGuard;
111pub use path_allowlist::PathAllowlistGuard;
112pub use pipeline::GuardPipeline;
113pub use post_invocation::{
114    sanitize_json, PipelineOutcome, PostInvocationHook, PostInvocationPipeline,
115    PostInvocationVerdict, SanitizerHook,
116};
117pub use prompt_injection::{
118    Detection as PromptInjectionDetection, PromptInjectionConfig, PromptInjectionGuard,
119    Signal as PromptInjectionSignal,
120};
121pub use response_sanitization::{
122    AllowlistConfig, CategoryConfig, DenylistConfig, EntropyConfig, OutputSanitizer,
123    OutputSanitizerConfig, OutputSanitizerConfigError, ProcessingStats, Redaction,
124    RedactionStrategy, ResponseSanitizationGuard, SanitizationAction, SanitizationResult,
125    SanitizedValue, ScanResult, SensitiveCategory, SensitiveDataFinding, SensitivityLevel, Span,
126    TokenVault,
127};
128pub use secret_leak::SecretLeakGuard;
129pub use shell_command::ShellCommandGuard;
130pub use velocity::VelocityGuard;
131
132pub use action::{extract_action, ToolAction};
133
134pub use external::{
135    AsyncGuardAdapter, AsyncGuardAdapterBuilder, AsyncGuardAdapterConfig, CircuitBreaker,
136    CircuitBreakerConfig, CircuitOpenVerdict, CircuitState, ExternalGuard, ExternalGuardError,
137    GuardCallContext, RateLimitedVerdict, RetryConfig, TokenBucket, TtlCache,
138};
139
140// Phase 5.1-5.4 re-exports.
141pub use computer_use::{
142    default_allowed_action_types as computer_use_default_allowed_action_types, ComputerUseConfig,
143    ComputerUseGuard, EnforcementMode,
144};
145pub use input_injection::{
146    default_allowed_input_types, InputInjectionCapabilityConfig, InputInjectionCapabilityGuard,
147};
148pub use remote_desktop::{RemoteDesktopSideChannelConfig, RemoteDesktopSideChannelGuard};
149pub use spider_sense::{
150    cosine_similarity as spider_sense_cosine_similarity, extract_embedding, AmbiguousPolicy,
151    PatternDb, PatternEntry, SpiderSenseConfig, SpiderSenseError, SpiderSenseGuard,
152    DEFAULT_AMBIGUITY_BAND, DEFAULT_SIMILARITY_THRESHOLD, DEFAULT_TOP_K,
153};
154
155// Phase 8.1-8.2, 11.1, 18.1 re-exports.
156pub use browser_automation::{
157    default_allowed_verbs as browser_automation_default_allowed_verbs, BrowserAutomationConfig,
158    BrowserAutomationError, BrowserAutomationGuard,
159};
160pub use code_execution::{
161    default_dangerous_modules as code_execution_default_dangerous_modules, CodeExecutionConfig,
162    CodeExecutionError, CodeExecutionGuard,
163};
164pub use content_review::{
165    ContentReviewConfig, ContentReviewError, ContentReviewGuard, ContentReviewRules,
166};
167pub use memory_governance::{MemoryGovernanceConfig, MemoryGovernanceError, MemoryGovernanceGuard};