
chio_kernel_core/
lib.rs

1//! Portable Chio kernel core.
2//!
3//! This crate contains the pure-compute subset of Chio evaluation as a
4//! `no_std + alloc` library so the same verdict-producing code can run
5//! inside a browser (wasm32-unknown-unknown), a Cloudflare Worker
6//! (wasm32-wasip1), a mobile app (UniFFI static lib), or the desktop
7//! sidecar (`chio-kernel`). The contract is described in
8//! `docs/protocols/PORTABLE-KERNEL-ARCHITECTURE.md`.
9//!
10//! # What lives here
11//!
12//! - [`Verdict`] -- the three-valued outcome of an evaluation.
13//! - [`Guard`] -- the sync guard trait (identical signature to the legacy
14//!   `chio_kernel::Guard`, except that its `Error` surface is mapped onto [`KernelCoreError`]).
15//! - [`GuardContext`] -- the inputs a guard sees.
16//! - [`evaluate`] -- pure compute that walks a capability + request through
17//!   the sync checks (signature, time, subject binding, scope, guard pipeline)
18//!   and returns `Ok(Verdict::Allow)` or `Ok(Verdict::Deny { reason })`. No
19//!   I/O, no budget mutation, no revocation lookup.
20//! - [`verify_capability`] -- offline capability verification used by tools
21//!   that only need to inspect a token (no scope, no revocation).
22//! - [`sign_receipt`] -- sign a `ChioReceiptBody` with a `SigningBackend`.
23//! - [`Clock`] / [`Rng`] -- abstract trait boundaries for time/entropy so
24//!   adapters on wasm/mobile can inject platform clocks and CSPRNGs.
25//!
26//! # What stays in `chio-kernel`
27//!
28//! The full `chio-kernel` crate keeps every piece that actually touches I/O
29//! or async: `tokio` tasks, `rusqlite` receipt/revocation/budget stores,
30//! `ureq` price-oracle client, `lru` DPoP nonce cache, async session ops,
31//! HTTP/stdio transport, nested-flow bridges, tool-server dispatch. Those
32//! modules depend on `chio-kernel-core` for the pure-compute kernels but
33//! add the IO glue around them.
34//!
35//! # `no_std` status
36//!
37//! The crate is `#![no_std]` with `extern crate alloc;`. At the source level
38//! we never name `std::*`, and the portable proof is scripted in
39//! `scripts/check-portable-kernel.sh`.
40//!
41//! That proof runs both:
42//! - `cargo build -p chio-kernel-core --no-default-features`
43//! - `cargo build -p chio-kernel-core --target wasm32-unknown-unknown --no-default-features`
44//!
45//! The browser and mobile adapter crates perform their own platform-specific
46//! qualification on top of this core.
47
48#![no_std]
49#![cfg_attr(test, allow(clippy::expect_used, clippy::unwrap_used))]
50#![deny(unsafe_code)]
51
52extern crate alloc;
53
54pub mod capability_verify;
55pub mod clock;
56pub mod evaluate;
57pub mod guard;
58pub mod normalized;
59pub mod passport_verify;
60pub mod receipts;
61pub mod rng;
62pub mod scope;
63
64pub use capability_verify::{verify_capability, CapabilityError, VerifiedCapability};
65pub use clock::{Clock, FixedClock};
66pub use evaluate::{evaluate, EvaluateInput, EvaluationVerdict, KernelCoreError};
67pub use guard::{Guard, GuardContext, PortableToolCallRequest};
68pub use normalized::{
69    NormalizationError, NormalizedCapability, NormalizedConstraint, NormalizedEvaluationVerdict,
70    NormalizedMonetaryAmount, NormalizedOperation, NormalizedPromptGrant, NormalizedRequest,
71    NormalizedResourceGrant, NormalizedRuntimeAssuranceTier, NormalizedScope, NormalizedToolGrant,
72    NormalizedVerdict, NormalizedVerifiedCapability,
73};
74pub use passport_verify::{
75    verify_parsed_passport, verify_passport, PortablePassportBody, PortablePassportEnvelope,
76    VerifiedPassport, VerifyError, PORTABLE_PASSPORT_SCHEMA,
77};
78pub use receipts::{sign_receipt, ReceiptSigningError};
79pub use rng::{NullRng, Rng};
80pub use scope::{MatchedGrant, ScopeMatchError};
81
/// Outcome of a single kernel evaluation step; always one of three states.
///
/// Kept identical to the legacy `chio_kernel::runtime::Verdict`. Code inside
/// `chio-kernel-core` never emits `PendingApproval`: that state is introduced
/// by the full `chio-kernel` orchestration shell when it wraps a core verdict
/// with the human-in-the-loop approval path.
///
/// Only `Allow` grants the action. Match on all three variants instead of
/// testing for "not `Deny`", so that `PendingApproval` is never read as
/// permission.
///
/// NOTE(review): the crate-level docs write `Verdict::Deny { reason }`, but
/// `Deny` here is a unit variant; the denial reason presumably travels in
/// `EvaluationVerdict` -- confirm and align the two.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub enum Verdict {
    /// Permit the action.
    ///
    /// The crate-level docs state that core evaluation does no I/O, no budget
    /// mutation and no revocation lookup, so an `Allow` coming from the core
    /// alone does not cover revocation or budget state.
    Allow,
    /// Refuse the action.
    Deny,
    /// Hold the action until a human decides. Produced only by the full
    /// `chio-kernel` shell, never by `chio-kernel-core` directly.
    PendingApproval,
}