`ComputerUseGuard` - coarse gate for Computer Use Agent (CUA) actions.
Roadmap phase 5.1. Ported from ClawdStrike’s `guards/computer_use.rs` and adapted to Chio’s synchronous `chio_kernel::Guard` trait.
The guard is a coarse-grained allowlist for CUA action types. It recognises three surfaces that arrive on the kernel:
- Remote-session and side-channel actions - tool names or `action_type`/`custom_type` arguments that start with `remote.` or `input.` (e.g., `remote.clipboard`, `input.inject`). The action-type string is matched against a configurable allowlist.
- `ToolAction::BrowserAction` - browser navigation verbs. The guard denies navigation to configured blocked domains.
- Screenshot actions (subset of `ToolAction::BrowserAction` with a `screenshot`-family verb) - rate-limited via a token bucket so a runaway agent cannot drain the capture channel.
Enforcement modes:
| Mode | Behavior |
|---|---|
| `EnforcementMode::Observe` | Always allow; logs every decision |
| `EnforcementMode::Guardrail` | Allow if in allowlist, warn otherwise (default) |
| `EnforcementMode::FailClosed` | Allow if in allowlist, deny otherwise |
Fail-closed semantics:
- `ToolAction::Unknown` / non-CUA actions → `Verdict::Allow`;
- invalid configuration → best-effort fallback to defaults at build time (never panics);
- token-bucket mutex poisoning → treated as no-tokens (deny).
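The screenshot rate limit and the mutex-poisoning rule above, shown as an added example that is not Chio's or ClawdStrike's code: a minimal token bucket in which a poisoned lock is treated as an empty bucket. `ScreenshotLimiter`, `Bucket`, `try_acquire` and `demo` are hypothetical names, and the capacity and refill rate are constructed values.

```rust
use std::sync::{Arc, Mutex};
use std::time::{Duration, Instant};

// Hypothetical bucket state; not the crate's own types.
struct Bucket { tokens: f64, capacity: f64, refill_per_sec: f64, last: Instant }

pub struct ScreenshotLimiter { inner: Mutex<Bucket> }

impl ScreenshotLimiter {
    pub fn new(capacity: f64, refill_per_sec: f64, now: Instant) -> Self {
        let b = Bucket { tokens: capacity, capacity, refill_per_sec, last: now };
        Self { inner: Mutex::new(b) }
    }

    /// Returns true if one screenshot may proceed at `now`.
    pub fn try_acquire(&self, now: Instant) -> bool {
        // Poisoned lock: a holder panicked mid-update, so the state is
        // untrusted. Treat it as an empty bucket and deny.
        let mut b = match self.inner.lock() {
            Ok(guard) => guard,
            Err(_) => return false,
        };
        // Refill for the elapsed time, capped at capacity.
        let elapsed = now.saturating_duration_since(b.last).as_secs_f64();
        b.tokens = (b.tokens + elapsed * b.refill_per_sec).min(b.capacity);
        b.last = now;
        if b.tokens < 1.0 {
            return false;
        }
        b.tokens -= 1.0;
        true
    }
}

/// Constructed scenario: burst past capacity, refill, then poison the lock.
pub fn demo() -> Vec<bool> {
    let t0 = Instant::now();
    let lim = Arc::new(ScreenshotLimiter::new(2.0, 1.0, t0));
    let mut out: Vec<bool> = (0..3).map(|_| lim.try_acquire(t0)).collect();
    out.push(lim.try_acquire(t0 + Duration::from_secs(1)));
    let l2 = Arc::clone(&lim);
    // Panic while holding the guard on another thread to poison the mutex.
    let _ = std::thread::spawn(move || { let _g = l2.inner.lock().unwrap(); panic!("constructed"); }).join();
    out.push(lim.try_acquire(t0 + Duration::from_secs(60)));
    out
}

fn main() { println!("{:?}", demo()); }
```

After the lock is poisoned, even a request made 60 seconds later is denied, although the bucket would otherwise have refilled.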
Structs
- `ComputerUseConfig` - Configuration for `ComputerUseGuard`.
- `ComputerUseGuard` - Coarse gate for CUA actions.
Enums
- `EnforcementMode` - Enforcement modes for `ComputerUseGuard`.
Functions
- `default_allowed_action_types` - Default allowlist of CUA action-type strings.