chio-guards 0.1.0

Security guards for the Chio runtime kernel, adapted from ClawdStrike
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551

//! SpiderSense embedding detector - cosine-similarity anomaly detection.
//!
//! Roadmap phase 5.4.  Ported from ClawdStrike's `spider_sense.rs` sync
//! detector and wrapped in Chio's synchronous [`chio_kernel::Guard`] trait.
//!
//! The guard compares a per-request embedding vector against a pre-loaded
//! pattern database of known-threat embeddings using cosine similarity.
//! Top-K scoring + thresholded verdict with a configurable ambiguity band:
//!
//! - `top_score >= threshold + ambiguity_band` → [`Verdict::Deny`];
//! - `top_score <= threshold - ambiguity_band` → [`Verdict::Allow`];
//! - scores inside the band fall back to the configured
//!   [`AmbiguousPolicy`] (default: [`AmbiguousPolicy::Allow`]).
//!
//! Embedding extraction from tool-call arguments:
//!
//! 1. A top-level `embedding` / `vector` array of numbers is preferred.
//! 2. An `embeddings` field of shape `[[f32; D], ...]` is averaged.
//! 3. Otherwise the guard returns [`Verdict::Allow`] (no embedding → no
//!    signal; the guard does not try to hash text into a pseudo-embedding
//!    because downstream consumers rely on explicit embeddings from the
//!    upstream SpiderSense model).
//!
//! Fail-closed semantics:
//!
//! - malformed pattern JSON at construction time → [`SpiderSenseError`];
//! - non-finite values in a request embedding → [`Verdict::Deny`];
//! - embedding-dimension mismatch with the pattern DB → [`Verdict::Deny`];
//! - cosine norm collapse (zero vector) → similarity score `0.0` (not
//!   NaN).
//!
//! Hand-rolled f64-accumulated dot product avoids any dependency on
//! `ndarray` / BLAS.

use std::sync::Arc;

use serde::{Deserialize, Serialize};
use serde_json::Value;
use thiserror::Error;

use chio_kernel::{Guard, GuardContext, KernelError, Verdict};

/// Default cosine similarity threshold.
pub const DEFAULT_SIMILARITY_THRESHOLD: f64 = 0.85;
/// Default ambiguity band half-width around the threshold.
pub const DEFAULT_AMBIGUITY_BAND: f64 = 0.10;
/// Default top-K pattern matches to score.
pub const DEFAULT_TOP_K: usize = 5;

/// Policy for scores landing inside the ambiguity band.
#[derive(Clone, Copy, Debug, Default, Deserialize, Serialize, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum AmbiguousPolicy {
    /// Treat ambiguous scores as benign (default).
    #[default]
    Allow,
    /// Treat ambiguous scores as threats.
    Deny,
}

/// Errors from [`SpiderSenseGuard`] construction.
#[derive(Debug, Error)]
pub enum SpiderSenseError {
    /// Pattern JSON failed to parse.
    #[error("pattern database parse error: {0}")]
    Parse(String),
    /// Pattern database is empty or has inconsistent dimensionality.
    #[error("pattern database is invalid: {0}")]
    Invalid(String),
    /// Configuration value is out of range.
    #[error("invalid configuration: {0}")]
    Config(String),
    /// I/O error reading the pattern database from disk.
    #[error("failed to read pattern database: {0}")]
    Io(String),
}

/// Configuration for [`SpiderSenseGuard`].
#[derive(Clone, Debug, Deserialize, Serialize)]
#[serde(deny_unknown_fields)]
pub struct SpiderSenseConfig {
    /// Cosine similarity threshold.  Scores ≥ `threshold + ambiguity_band`
    /// are denied; scores ≤ `threshold - ambiguity_band` are allowed.
    #[serde(default = "default_threshold")]
    pub similarity_threshold: f64,
    /// Half-width of the ambiguity band around the threshold.
    #[serde(default = "default_band")]
    pub ambiguity_band: f64,
    /// Number of top matches retained per query.
    #[serde(default = "default_top_k")]
    pub top_k: usize,
    /// Policy for ambiguous scores (inside the band).
    #[serde(default)]
    pub ambiguous_policy: AmbiguousPolicy,
}

fn default_threshold() -> f64 {
    DEFAULT_SIMILARITY_THRESHOLD
}
fn default_band() -> f64 {
    DEFAULT_AMBIGUITY_BAND
}
fn default_top_k() -> usize {
    DEFAULT_TOP_K
}

impl Default for SpiderSenseConfig {
    fn default() -> Self {
        Self {
            similarity_threshold: DEFAULT_SIMILARITY_THRESHOLD,
            ambiguity_band: DEFAULT_AMBIGUITY_BAND,
            top_k: DEFAULT_TOP_K,
            ambiguous_policy: AmbiguousPolicy::Allow,
        }
    }
}

/// A single entry in the pattern database.
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct PatternEntry {
    /// Stable identifier.
    pub id: String,
    /// Threat category (e.g., `prompt_injection`, `data_exfiltration`).
    pub category: String,
    /// SpiderSense stage (perception / cognition / action / feedback).
    pub stage: String,
    /// Human-readable label.
    pub label: String,
    /// Pre-computed embedding vector.
    pub embedding: Vec<f32>,
}

/// Immutable pattern database loaded at construction time.
#[derive(Clone, Debug)]
pub struct PatternDb {
    entries: Arc<Vec<PatternEntry>>,
    dim: usize,
}

impl PatternDb {
    /// Parse a JSON array of [`PatternEntry`] values.  Validates:
    ///
    /// - array is non-empty;
    /// - all embeddings share the same non-zero dimensionality;
    /// - every embedding value is finite.
    pub fn from_json(json: &str) -> Result<Self, SpiderSenseError> {
        let entries: Vec<PatternEntry> =
            serde_json::from_str(json).map_err(|e| SpiderSenseError::Parse(e.to_string()))?;
        Self::from_entries(entries)
    }

    /// Build from an explicit entry vector (convenience for tests).
    pub fn from_entries(entries: Vec<PatternEntry>) -> Result<Self, SpiderSenseError> {
        if entries.is_empty() {
            return Err(SpiderSenseError::Invalid(
                "pattern database must contain at least one entry".into(),
            ));
        }
        let dim = entries[0].embedding.len();
        if dim == 0 {
            return Err(SpiderSenseError::Invalid(
                "pattern embeddings must be non-empty".into(),
            ));
        }
        for (i, entry) in entries.iter().enumerate() {
            if entry.embedding.len() != dim {
                return Err(SpiderSenseError::Invalid(format!(
                    "dimension mismatch at index {i}: expected {dim}, got {}",
                    entry.embedding.len()
                )));
            }
            if let Some(j) = entry.embedding.iter().position(|v| !v.is_finite()) {
                return Err(SpiderSenseError::Invalid(format!(
                    "entry {i} has non-finite embedding value at dimension {j}"
                )));
            }
        }
        Ok(Self {
            entries: Arc::new(entries),
            dim,
        })
    }

    /// Expected embedding dimensionality.
    pub fn dim(&self) -> usize {
        self.dim
    }

    /// Number of patterns in the database.
    pub fn len(&self) -> usize {
        self.entries.len()
    }

    /// Whether the database is empty (always `false` after construction).
    pub fn is_empty(&self) -> bool {
        self.entries.is_empty()
    }
}

/// SpiderSense embedding detector guard.
pub struct SpiderSenseGuard {
    db: PatternDb,
    upper: f64,
    lower: f64,
    top_k: usize,
    ambiguous_policy: AmbiguousPolicy,
}

impl SpiderSenseGuard {
    /// Build a guard from a pattern database and configuration.
    pub fn new(db: PatternDb, config: SpiderSenseConfig) -> Result<Self, SpiderSenseError> {
        if !config.similarity_threshold.is_finite()
            || !(0.0..=1.0).contains(&config.similarity_threshold)
        {
            return Err(SpiderSenseError::Config(format!(
                "similarity_threshold must be finite in [0.0, 1.0], got {}",
                config.similarity_threshold
            )));
        }
        if !config.ambiguity_band.is_finite() || !(0.0..=1.0).contains(&config.ambiguity_band) {
            return Err(SpiderSenseError::Config(format!(
                "ambiguity_band must be finite in [0.0, 1.0], got {}",
                config.ambiguity_band
            )));
        }
        let upper = config.similarity_threshold + config.ambiguity_band;
        let lower = config.similarity_threshold - config.ambiguity_band;
        if !(0.0..=1.0).contains(&upper) || !(0.0..=1.0).contains(&lower) {
            return Err(SpiderSenseError::Config(format!(
                "threshold ± band must stay inside [0.0, 1.0]; got lower={lower:.3}, upper={upper:.3}"
            )));
        }
        if config.top_k == 0 {
            return Err(SpiderSenseError::Config("top_k must be ≥ 1".into()));
        }
        Ok(Self {
            db,
            upper,
            lower,
            top_k: config.top_k,
            ambiguous_policy: config.ambiguous_policy,
        })
    }

    /// Convenience: build from a JSON pattern database string and defaults.
    pub fn from_json(json: &str) -> Result<Self, SpiderSenseError> {
        let db = PatternDb::from_json(json)?;
        Self::new(db, SpiderSenseConfig::default())
    }

    /// Read a pattern database from a JSON file on disk.
    pub fn from_json_file(path: &str) -> Result<Self, SpiderSenseError> {
        let data = std::fs::read_to_string(path)
            .map_err(|e| SpiderSenseError::Io(format!("{path}: {e}")))?;
        Self::from_json(&data)
    }

    /// Score an embedding against the pattern database.  Returns the
    /// cosine similarity of the best-matching pattern (0.0 if the
    /// embedding is invalid).
    pub fn score(&self, embedding: &[f32]) -> f64 {
        if embedding.len() != self.db.dim {
            return 0.0;
        }
        if embedding.iter().any(|v| !v.is_finite()) {
            return 0.0;
        }
        let mut best = 0.0_f64;
        let mut seen = 0usize;
        for entry in self.db.entries.iter() {
            let score = cosine_similarity(embedding, &entry.embedding);
            if score > best {
                best = score;
            }
            seen += 1;
            if seen >= self.top_k {
                // We keep scanning - top_k is informational, not a cap on
                // work, because the DB is typically small.  Break only
                // when the scan has observed at least top_k entries; we
                // still want the maximum across the full DB.
                // (Equivalent to Clawdstrike's sort+truncate.)
            }
        }
        best
    }

    /// Decide a verdict for a given top-score.
    fn verdict_for(&self, score: f64) -> Verdict {
        if !score.is_finite() {
            return Verdict::Deny;
        }
        if score >= self.upper {
            Verdict::Deny
        } else if score <= self.lower {
            Verdict::Allow
        } else {
            match self.ambiguous_policy {
                AmbiguousPolicy::Allow => Verdict::Allow,
                AmbiguousPolicy::Deny => Verdict::Deny,
            }
        }
    }

    /// Number of patterns in the database.
    pub fn pattern_count(&self) -> usize {
        self.db.len()
    }

    /// Pattern database dimensionality.
    pub fn dim(&self) -> usize {
        self.db.dim()
    }
}

impl Guard for SpiderSenseGuard {
    fn name(&self) -> &str {
        "spider-sense"
    }

    fn evaluate(&self, ctx: &GuardContext) -> Result<Verdict, KernelError> {
        let embedding = match extract_embedding(&ctx.request.arguments) {
            Some(e) => e,
            None => return Ok(Verdict::Allow),
        };
        if embedding.len() != self.db.dim {
            // Dimension mismatch = fail-closed.
            return Ok(Verdict::Deny);
        }
        if embedding.iter().any(|v| !v.is_finite()) {
            return Ok(Verdict::Deny);
        }
        let score = self.score(&embedding);
        Ok(self.verdict_for(score))
    }
}

/// Extract a query embedding vector from tool-call arguments.
///
/// Preferred shapes (first match wins):
///
/// 1. `embedding: [f32; D]`
/// 2. `vector: [f32; D]`
/// 3. `embeddings: [[f32; D], ...]` → mean-pooled to a single vector
///
/// Returns `None` if no recognised embedding field is present.
pub fn extract_embedding(arguments: &Value) -> Option<Vec<f32>> {
    if let Some(vec) = arguments
        .get("embedding")
        .or_else(|| arguments.get("vector"))
        .and_then(array_as_f32_vec)
    {
        return Some(vec);
    }
    if let Some(array) = arguments.get("embeddings").and_then(|v| v.as_array()) {
        let vectors: Vec<Vec<f32>> = array.iter().filter_map(array_as_f32_vec).collect();
        if vectors.is_empty() {
            return None;
        }
        let dim = vectors[0].len();
        if dim == 0 || vectors.iter().any(|v| v.len() != dim) {
            return None;
        }
        let mut sum = vec![0.0_f64; dim];
        for v in &vectors {
            for (i, x) in v.iter().enumerate() {
                sum[i] += f64::from(*x);
            }
        }
        let n = vectors.len() as f64;
        return Some(sum.into_iter().map(|s| (s / n) as f32).collect());
    }
    None
}

fn array_as_f32_vec(value: &Value) -> Option<Vec<f32>> {
    let array = value.as_array()?;
    if array.is_empty() {
        return None;
    }
    let mut out = Vec::with_capacity(array.len());
    for v in array {
        let n = v.as_f64()?;
        if !n.is_finite() {
            return None;
        }
        out.push(n as f32);
    }
    Some(out)
}

/// Cosine similarity of two `f32` vectors with `f64` accumulation.
///
/// Returns `0.0` when:
/// - lengths differ;
/// - either vector's L2 norm is not a normal `f64` (zero / subnormal);
/// - the result is non-finite (NaN / ±inf).
///
/// This is intentionally hand-rolled (no `ndarray`) to keep the
/// dependency surface minimal and WASM-friendly.
pub fn cosine_similarity(a: &[f32], b: &[f32]) -> f64 {
    if a.len() != b.len() || a.is_empty() {
        return 0.0;
    }
    let mut dot: f64 = 0.0;
    let mut na: f64 = 0.0;
    let mut nb: f64 = 0.0;
    for (x, y) in a.iter().zip(b.iter()) {
        let xd = f64::from(*x);
        let yd = f64::from(*y);
        if !xd.is_finite() || !yd.is_finite() {
            return 0.0;
        }
        dot += xd * yd;
        na += xd * xd;
        nb += yd * yd;
    }
    let denom = na.sqrt() * nb.sqrt();
    if !denom.is_normal() {
        return 0.0;
    }
    let r = dot / denom;
    if r.is_finite() {
        r
    } else {
        0.0
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    fn sample_db() -> PatternDb {
        PatternDb::from_json(
            r#"[
                {"id":"a","category":"x","stage":"perception","label":"l","embedding":[1.0,0.0,0.0]},
                {"id":"b","category":"y","stage":"action","label":"l","embedding":[0.0,1.0,0.0]}
            ]"#,
        )
        .expect("sample DB parses")
    }

    #[test]
    fn cosine_basics() {
        assert!((cosine_similarity(&[1.0, 0.0], &[1.0, 0.0]) - 1.0).abs() < 1e-9);
        assert!(cosine_similarity(&[1.0, 0.0], &[0.0, 1.0]).abs() < 1e-9);
        assert_eq!(cosine_similarity(&[0.0, 0.0], &[1.0, 2.0]), 0.0);
        assert_eq!(cosine_similarity(&[f32::NAN, 0.0], &[1.0, 0.0]), 0.0);
        assert_eq!(cosine_similarity(&[f32::INFINITY, 0.0], &[1.0, 0.0]), 0.0);
        assert_eq!(cosine_similarity(&[1.0], &[1.0, 0.0]), 0.0);
    }

    #[test]
    fn pattern_db_rejects_empty() {
        assert!(matches!(
            PatternDb::from_json("[]"),
            Err(SpiderSenseError::Invalid(_))
        ));
    }

    #[test]
    fn pattern_db_rejects_dim_mismatch() {
        let json = r#"[
            {"id":"a","category":"x","stage":"s","label":"l","embedding":[1.0,0.0]},
            {"id":"b","category":"y","stage":"s","label":"l","embedding":[1.0]}
        ]"#;
        assert!(matches!(
            PatternDb::from_json(json),
            Err(SpiderSenseError::Invalid(_))
        ));
    }

    #[test]
    fn guard_denies_identical_vector() {
        let guard =
            SpiderSenseGuard::new(sample_db(), SpiderSenseConfig::default()).expect("build");
        let score = guard.score(&[1.0, 0.0, 0.0]);
        assert!((score - 1.0).abs() < 1e-9);
        assert!(matches!(guard.verdict_for(score), Verdict::Deny));
    }

    #[test]
    fn guard_allows_orthogonal_vector() {
        let guard =
            SpiderSenseGuard::new(sample_db(), SpiderSenseConfig::default()).expect("build");
        let score = guard.score(&[0.0, 0.0, 1.0]);
        assert!(score.abs() < 1e-9);
        assert!(matches!(guard.verdict_for(score), Verdict::Allow));
    }

    #[test]
    fn guard_dim_mismatch_denies() {
        let guard =
            SpiderSenseGuard::new(sample_db(), SpiderSenseConfig::default()).expect("build");
        let score = guard.score(&[1.0, 0.0]);
        assert_eq!(score, 0.0);
        assert!(matches!(guard.verdict_for(score), Verdict::Allow));
    }

    #[test]
    fn guard_nan_score_denies() {
        let guard =
            SpiderSenseGuard::new(sample_db(), SpiderSenseConfig::default()).expect("build");
        assert!(matches!(guard.verdict_for(f64::NAN), Verdict::Deny));
    }

    #[test]
    fn ambiguous_respects_policy() {
        let db = sample_db();
        let config = SpiderSenseConfig {
            similarity_threshold: 0.5,
            ambiguity_band: 0.1,
            top_k: 5,
            ambiguous_policy: AmbiguousPolicy::Deny,
        };
        let guard = SpiderSenseGuard::new(db, config).unwrap();
        // score between 0.4 and 0.6 → Deny under this policy
        assert!(matches!(guard.verdict_for(0.5), Verdict::Deny));
    }

    #[test]
    fn extract_embedding_from_args() {
        let args = serde_json::json!({"embedding": [0.1, 0.2, 0.3]});
        let e = extract_embedding(&args).unwrap();
        assert_eq!(e.len(), 3);
    }

    #[test]
    fn extract_embedding_averages_list() {
        let args = serde_json::json!({"embeddings": [[1.0, 0.0], [0.0, 1.0]]});
        let e = extract_embedding(&args).unwrap();
        assert_eq!(e.len(), 2);
        assert!((e[0] - 0.5).abs() < 1e-6);
        assert!((e[1] - 0.5).abs() < 1e-6);
    }

    #[test]
    fn extract_embedding_none_when_absent() {
        assert!(extract_embedding(&serde_json::json!({"foo": "bar"})).is_none());
    }

    #[test]
    fn reject_bad_config() {
        let db = sample_db();
        let bad = SpiderSenseConfig {
            similarity_threshold: 1.5,
            ..SpiderSenseConfig::default()
        };
        assert!(SpiderSenseGuard::new(db, bad).is_err());
    }
}