chio-http-core 0.1.0

Protocol-agnostic HTTP security types for the Chio kernel
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263

//! Phase 1.4 emergency kill-switch HTTP surface.
//!
//! This module is intentionally substrate-agnostic -- `chio-http-core`
//! does not embed an HTTP server. It exposes:
//!
//! - Route constants used by every substrate adapter
//!   (`chio-tower`, `chio-api-protect`, hosted sidecars).
//! - Request/response DTOs that serialize into the wire shapes
//!   documented in `STRUCTURAL-SECURITY-FIXES.md` section 5.4.
//! - Pure handler functions that take parsed inputs and return a
//!   structured response. Each substrate adapter calls the handler
//!   from its own framework route, preserving framework-native
//!   streaming, tracing, and error-mapping behavior.
//!
//! Authentication: the handlers require an `X-Admin-Token` header
//! whose value matches the string configured on [`EmergencyAdmin`].
//! No new middleware layer is introduced. Adapters that already have
//! their own auth middleware can either pass the caller's bearer
//! token through as the admin token (when configured that way) or
//! short-circuit the `expected_admin_token` check.

use std::sync::Arc;

use chio_kernel::{ChioKernel, KernelError};
use serde::{Deserialize, Serialize};

use crate::routes::{
    EMERGENCY_ADMIN_TOKEN_HEADER, EMERGENCY_RESUME_PATH, EMERGENCY_STATUS_PATH, EMERGENCY_STOP_PATH,
};

/// Canonical JSON body for `POST /emergency-stop`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct EmergencyStopRequest {
    /// Operator-supplied rationale for the kill switch. Recorded on
    /// the kernel and surfaced via `/emergency-status` so runbooks
    /// can correlate the halt with an incident.
    pub reason: String,
}

/// Wire response for `POST /emergency-stop`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct EmergencyStopResponse {
    /// Always `true` for a successful stop.
    pub stopped: bool,
}

/// Wire response for `POST /emergency-resume`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct EmergencyResumeResponse {
    /// Always `false` for a successful resume.
    pub stopped: bool,
}

/// Wire response for `GET /emergency-status`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct EmergencyStatusResponse {
    /// Whether the kill switch is currently engaged.
    pub stopped: bool,

    /// RFC 3339 / ISO 8601 timestamp of the stop. `None` when the
    /// kernel has never been stopped or is currently resumed.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub since: Option<String>,

    /// Operator-supplied reason for the current stop. `None` when
    /// the kernel is running normally.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub reason: Option<String>,
}

/// Errors returned by the emergency handlers. Each variant maps
/// cleanly onto an HTTP status code via [`EmergencyHandlerError::status`].
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum EmergencyHandlerError {
    /// `X-Admin-Token` header missing or does not match the configured value.
    /// Returns HTTP 401 and a minimal JSON error body.
    Unauthorized,

    /// Request body could not be parsed as the expected JSON shape. The
    /// operator supplied bad input; returns HTTP 400.
    BadRequest(String),

    /// Kernel-side failure while toggling the kill switch. Fail-closed:
    /// the handler has already engaged the stop (see
    /// [`handle_emergency_stop`]); this error just reports what went wrong
    /// after the flag flipped. Returns HTTP 500.
    Kernel(String),
}

impl EmergencyHandlerError {
    /// HTTP status code for this error.
    #[must_use]
    pub fn status(&self) -> u16 {
        match self {
            Self::Unauthorized => 401,
            Self::BadRequest(_) => 400,
            Self::Kernel(_) => 500,
        }
    }

    /// Stable error code string (snake_case) for machine-readable error
    /// payloads. Adapters serialize `{ "error": "<code>", "message": ... }`.
    #[must_use]
    pub fn code(&self) -> &'static str {
        match self {
            Self::Unauthorized => "unauthorized",
            Self::BadRequest(_) => "bad_request",
            Self::Kernel(_) => "internal_error",
        }
    }

    /// Human-readable message.
    #[must_use]
    pub fn message(&self) -> String {
        match self {
            Self::Unauthorized => "missing or invalid X-Admin-Token header".to_string(),
            Self::BadRequest(reason) | Self::Kernel(reason) => reason.clone(),
        }
    }

    /// Wire body for this error response.
    #[must_use]
    pub fn body(&self) -> serde_json::Value {
        serde_json::json!({
            "error": self.code(),
            "message": self.message(),
        })
    }
}

impl From<KernelError> for EmergencyHandlerError {
    fn from(error: KernelError) -> Self {
        Self::Kernel(error.to_string())
    }
}

/// Admin handle bound to a kernel and a configured admin token.
///
/// The handle is cheap to clone (`Arc<ChioKernel>` + short strings) and
/// safe to share across threads. It holds the only reference to the
/// kernel needed by the emergency endpoints, so substrate adapters can
/// construct one `EmergencyAdmin` at startup and pass it to every
/// route registration.
#[derive(Clone)]
pub struct EmergencyAdmin {
    kernel: Arc<ChioKernel>,
    expected_admin_token: String,
}

impl std::fmt::Debug for EmergencyAdmin {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("EmergencyAdmin")
            .field("admin_token_len", &self.expected_admin_token.len())
            .finish_non_exhaustive()
    }
}

impl EmergencyAdmin {
    /// Create a new admin handle. `expected_admin_token` must match the
    /// value of the `X-Admin-Token` header on every incoming admin call.
    /// The token is compared with `==`; adapters that need constant-time
    /// comparison can wrap the check in their own middleware before
    /// delegating to the handler.
    #[must_use]
    pub fn new(kernel: Arc<ChioKernel>, expected_admin_token: String) -> Self {
        Self {
            kernel,
            expected_admin_token,
        }
    }

    /// Shared kernel reference, primarily for tests and for adapters
    /// that want to re-use the same `Arc<ChioKernel>` for other routes.
    #[must_use]
    pub fn kernel(&self) -> &Arc<ChioKernel> {
        &self.kernel
    }

    fn authorize(&self, admin_token: Option<&str>) -> Result<(), EmergencyHandlerError> {
        match admin_token {
            Some(token) if token == self.expected_admin_token => Ok(()),
            _ => Err(EmergencyHandlerError::Unauthorized),
        }
    }
}

/// Handler for `POST /emergency-stop`.
///
/// Fail-closed: if the token check passes, the kernel's `emergency_stop`
/// is invoked immediately. If it returns an error, the flag has still
/// been set (the kernel flips its atomic before any fallible step) so
/// the system is left in the safer stopped state even when the caller
/// sees a 500.
pub fn handle_emergency_stop(
    admin: &EmergencyAdmin,
    admin_token: Option<&str>,
    body: &[u8],
) -> Result<EmergencyStopResponse, EmergencyHandlerError> {
    admin.authorize(admin_token)?;

    let parsed: EmergencyStopRequest = serde_json::from_slice(body).map_err(|error| {
        EmergencyHandlerError::BadRequest(format!("invalid emergency-stop request body: {error}"))
    })?;

    admin.kernel.emergency_stop(&parsed.reason)?;

    Ok(EmergencyStopResponse { stopped: true })
}

/// Handler for `POST /emergency-resume`.
///
/// Body is ignored (any bytes, including empty, are accepted) so
/// adapters can keep wiring identical to `POST /emergency-stop`.
pub fn handle_emergency_resume(
    admin: &EmergencyAdmin,
    admin_token: Option<&str>,
    _body: &[u8],
) -> Result<EmergencyResumeResponse, EmergencyHandlerError> {
    admin.authorize(admin_token)?;
    admin.kernel.emergency_resume()?;
    Ok(EmergencyResumeResponse { stopped: false })
}

/// Handler for `GET /emergency-status`.
pub fn handle_emergency_status(
    admin: &EmergencyAdmin,
    admin_token: Option<&str>,
) -> Result<EmergencyStatusResponse, EmergencyHandlerError> {
    admin.authorize(admin_token)?;

    let stopped = admin.kernel.is_emergency_stopped();
    let since = admin
        .kernel
        .emergency_stopped_since()
        .and_then(|unix_secs| {
            // i64 is what chrono expects; secs fit comfortably for any
            // realistic operator timestamp.
            let secs = i64::try_from(unix_secs).ok()?;
            chrono::DateTime::<chrono::Utc>::from_timestamp(secs, 0).map(|dt| dt.to_rfc3339())
        });
    let reason = admin.kernel.emergency_stop_reason();

    Ok(EmergencyStatusResponse {
        stopped,
        since,
        reason,
    })
}

// Path constants re-exported at module scope so adapters can write
// `emergency::EMERGENCY_STOP_PATH`.
pub use crate::routes::EMERGENCY_ADMIN_TOKEN_HEADER as ADMIN_TOKEN_HEADER;
pub use crate::routes::EMERGENCY_RESUME_PATH as RESUME_PATH;
pub use crate::routes::EMERGENCY_STATUS_PATH as STATUS_PATH;
pub use crate::routes::EMERGENCY_STOP_PATH as STOP_PATH;

// Internal compile-time sanity: the module-level re-exports above must
// remain in sync with `routes::`. A `const _` guard catches drift if
// someone renames either set.
const _: &str = EMERGENCY_STOP_PATH;
const _: &str = EMERGENCY_RESUME_PATH;
const _: &str = EMERGENCY_STATUS_PATH;
const _: &str = EMERGENCY_ADMIN_TOKEN_HEADER;