chio-guards 0.1.0

Security guards for the Chio runtime kernel, adapted from ClawdStrike
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167

//! Security guards for the Chio runtime kernel.
//!
//! This crate provides policy-driven security guards adapted from
//! [ClawdStrike](https://github.com/backbay-labs/clawdstrike).  Each guard
//! implements `chio_kernel::Guard` and can be registered on the kernel via
//! `kernel.add_guard(...)` or composed into a [`GuardPipeline`].
//!
//! # Implemented guards
//!
//! | Guard | Status | Description |
//! |-------|--------|-------------|
//! | [`ForbiddenPathGuard`] | **Full** | Blocks access to sensitive filesystem paths |
//! | [`ShellCommandGuard`] | **Full** | Blocks dangerous shell commands |
//! | [`EgressAllowlistGuard`] | **Full** | Controls network egress by domain |
//! | [`PathAllowlistGuard`] | **Full** | Allowlist-based path access control |
//! | [`McpToolGuard`] | **Full** | Restricts MCP tool invocations |
//! | [`SecretLeakGuard`] | **Full** | Detects secrets in file writes |
//! | [`PatchIntegrityGuard`] | **Full** | Validates patch safety |
//! | [`InternalNetworkGuard`] | **Full** | Blocks SSRF targeting private/reserved addresses |
//! | [`AgentVelocityGuard`] | **Full** | Per-agent and per-session rate limiting |
//! | [`DataFlowGuard`] | **Full** | Cumulative bytes-read/written limits via session journal |
//! | [`BehavioralSequenceGuard`] | **Full** | Tool ordering policies via session journal |
//! | [`ResponseSanitizationGuard`] | **Full** | PII/PHI pattern detection and redaction |
//! | [`AdvisoryPipeline`] | **Full** | Non-blocking advisory signals with optional promotion |
//! | [`AnomalyAdvisoryGuard`] | **Full** | Flags unusual invocation patterns and delegation depth |
//! | [`DataTransferAdvisoryGuard`] | **Full** | Flags high data transfer volumes |
//! | [`JailbreakGuard`] | **Full** | Multi-layer jailbreak detection (heuristic + statistical + ML) |
//!
//! # Guard pipeline
//!
//! The [`GuardPipeline`] runs guards in sequence, fail-closed.  If any guard
//! denies, the pipeline denies.  Register it on the kernel:
//!
//! ```ignore
//! use chio_guards::GuardPipeline;
//!
//! let pipeline = GuardPipeline::default_pipeline();
//! kernel.add_guard(Box::new(pipeline));
//! ```

#![cfg_attr(test, allow(clippy::expect_used, clippy::unwrap_used))]

pub mod action;
mod path_normalization;

pub mod external;

pub mod advisory;
pub mod agent_velocity;
pub mod behavioral_profile;
pub mod behavioral_sequence;
pub mod data_flow;
mod egress_allowlist;
mod forbidden_path;
pub mod internal_network;
pub mod jailbreak;
pub mod jailbreak_detector;
pub mod mcp_tool;
pub mod patch_integrity;
pub mod path_allowlist;
mod pipeline;
pub mod post_invocation;
pub mod prompt_injection;
pub mod response_sanitization;
pub mod secret_leak;
mod shell_command;
pub mod text_utils;
pub mod velocity;

// Phase 5.1-5.4: Computer Use Agent (CUA) and SpiderSense guards.
pub mod computer_use;
pub mod input_injection;
pub mod remote_desktop;
pub mod spider_sense;

// Phase 8.1-8.2, 11.1, 18.1: code execution, browser automation,
// content review, and memory governance guards.
pub mod browser_automation;
pub mod code_execution;
pub mod content_review;
pub mod memory_governance;

pub use advisory::{
    AdvisoryGuard, AdvisoryPipeline, AdvisorySeverity, AdvisorySignal, AnomalyAdvisoryGuard,
    DataTransferAdvisoryGuard, GuardOutput, PromotionPolicy, PromotionRule,
};
pub use agent_velocity::{AgentVelocityConfig, AgentVelocityGuard};
pub use behavioral_profile::{
    BehavioralMetric, BehavioralProfileConfig, BehavioralProfileGuard, InMemoryReceiptFeed,
    ObservationOutcome, ReceiptFeedSource, DEFAULT_BASELINE_MIN_WINDOWS, DEFAULT_EMA_ALPHA,
    DEFAULT_SIGMA_THRESHOLD, DEFAULT_WINDOW_SECS,
};
pub use behavioral_sequence::{BehavioralSequenceGuard, SequencePolicy};
pub use data_flow::{DataFlowConfig, DataFlowGuard};
pub use egress_allowlist::EgressAllowlistGuard;
pub use forbidden_path::ForbiddenPathGuard;
pub use internal_network::InternalNetworkGuard;
pub use jailbreak::{
    JailbreakGuard, JailbreakGuardConfig,
    DEFAULT_FINGERPRINT_CAPACITY as JAILBREAK_DEFAULT_FINGERPRINT_CAPACITY,
};
pub use jailbreak_detector::{
    Detection as JailbreakDetection, DetectorConfig as JailbreakDetectorConfig, JailbreakCategory,
    JailbreakDetector, LayerScores as JailbreakLayerScores, LayerWeights,
    LinearModel as JailbreakLinearModel, Signal as JailbreakSignal,
    StatisticalThresholds as JailbreakStatisticalThresholds,
    DEFAULT_DENY_THRESHOLD as JAILBREAK_DEFAULT_DENY_THRESHOLD,
};
pub use mcp_tool::McpToolGuard;
pub use patch_integrity::PatchIntegrityGuard;
pub use path_allowlist::PathAllowlistGuard;
pub use pipeline::GuardPipeline;
pub use post_invocation::{
    sanitize_json, PipelineOutcome, PostInvocationHook, PostInvocationPipeline,
    PostInvocationVerdict, SanitizerHook,
};
pub use prompt_injection::{
    Detection as PromptInjectionDetection, PromptInjectionConfig, PromptInjectionGuard,
    Signal as PromptInjectionSignal,
};
pub use response_sanitization::{
    AllowlistConfig, CategoryConfig, DenylistConfig, EntropyConfig, OutputSanitizer,
    OutputSanitizerConfig, OutputSanitizerConfigError, ProcessingStats, Redaction,
    RedactionStrategy, ResponseSanitizationGuard, SanitizationAction, SanitizationResult,
    SanitizedValue, ScanResult, SensitiveCategory, SensitiveDataFinding, SensitivityLevel, Span,
    TokenVault,
};
pub use secret_leak::SecretLeakGuard;
pub use shell_command::ShellCommandGuard;
pub use velocity::VelocityGuard;

pub use action::{extract_action, ToolAction};

pub use external::{
    AsyncGuardAdapter, AsyncGuardAdapterBuilder, AsyncGuardAdapterConfig, CircuitBreaker,
    CircuitBreakerConfig, CircuitOpenVerdict, CircuitState, ExternalGuard, ExternalGuardError,
    GuardCallContext, RateLimitedVerdict, RetryConfig, TokenBucket, TtlCache,
};

// Phase 5.1-5.4 re-exports.
pub use computer_use::{
    default_allowed_action_types as computer_use_default_allowed_action_types, ComputerUseConfig,
    ComputerUseGuard, EnforcementMode,
};
pub use input_injection::{
    default_allowed_input_types, InputInjectionCapabilityConfig, InputInjectionCapabilityGuard,
};
pub use remote_desktop::{RemoteDesktopSideChannelConfig, RemoteDesktopSideChannelGuard};
pub use spider_sense::{
    cosine_similarity as spider_sense_cosine_similarity, extract_embedding, AmbiguousPolicy,
    PatternDb, PatternEntry, SpiderSenseConfig, SpiderSenseError, SpiderSenseGuard,
    DEFAULT_AMBIGUITY_BAND, DEFAULT_SIMILARITY_THRESHOLD, DEFAULT_TOP_K,
};

// Phase 8.1-8.2, 11.1, 18.1 re-exports.
pub use browser_automation::{
    default_allowed_verbs as browser_automation_default_allowed_verbs, BrowserAutomationConfig,
    BrowserAutomationError, BrowserAutomationGuard,
};
pub use code_execution::{
    default_dangerous_modules as code_execution_default_dangerous_modules, CodeExecutionConfig,
    CodeExecutionError, CodeExecutionGuard,
};
pub use content_review::{
    ContentReviewConfig, ContentReviewError, ContentReviewGuard, ContentReviewRules,
};
pub use memory_governance::{MemoryGovernanceConfig, MemoryGovernanceError, MemoryGovernanceGuard};