Chio/Docs

Architecture

Chio is a capability-scoped trust kernel. Five components enforce a zero-ambient-authority model where every tool invocation must be explicitly authorized, metered, and recorded.

The Five Components

Five components, each with a defined trust boundary.

Agent (Untrusted)

The agent is any LLM-powered process that wants to use tools. Agents are treated as fully untrusted by the kernel. They cannot invoke tools directly. They must present a valid capability token with every request. Agents never have ambient authority; permissions are always explicit and externally granted.

Kernel (Trusted Compute Base)

The kernel is the central mediator and the smallest trusted component in the system. It sits between agents and tool servers, intercepting every invocation request. The kernel:

  • Validates capability tokens (signature, expiry, scope)
  • Runs the guard pipeline against the request
  • Enforces economic constraints (budgets, metering)
  • Dispatches allowed calls to the appropriate tool server
  • Signs and commits a receipt for every decision

The kernel is the TCB

The kernel is the trusted compute base. If the kernel is compromised, all guarantees are void. Keep it minimal, audited, and isolated. Chio's Rust implementation is designed to minimize this attack surface.

Tool Server (Sandboxed)

Tool servers are the actual implementations that perform work: reading files, querying databases, calling APIs. They can be native Chio tool servers or existing MCP servers wrapped by the Chio proxy. Tool servers are sandboxed: they only receive calls that have already passed the kernel's validation and guard pipeline.

Capability Authority (Trusted)

The Capability Authority (CA) issues and revokes capability tokens. It defines what an agent is permitted to do: which tools, which arguments, for how long, and with what budget. The CA is typically operated by the system owner or orchestrator, not the agent itself.

Receipt Log (Integrity-Verified)

The receipt log is an append-only store of signed receipts. Each receipt records a single kernel decision (allow or deny), including the full request, the guard evaluation results, timing, and a cryptographic signature. Receipts are cryptographically signed, making tampering detectable.

Inside the Kernel

The word “kernel” covers more than one thing. Chio splits it into a tiny pure core that is machine-checked in Lean, a thin shell that adapts that core to the real world, and an operational ring that handles I/O, storage, and transport. The trust story hinges on keeping those layers visibly separate.

The trusted compute base, by layer

Three concentric rings. Moving inward, the surface area shrinks and the guarantees get stronger.

Inside the kernel: verified core vs operational shelloperational shell · chio-kernel runtimekernel shell entry · chio-kernelpure verified core · chio-kernel-corechio_kernel_core::capability_verify — pure issuer-trust, signature, and time-window checks over one in-memory capabilitycapability_verifysig · issuer · timechio_kernel_core::scope::resolve_matching_grants — fail-closed portable scope matching over request arguments onlyresolve_matching_grantsportable scopechio_kernel_core::evaluate::evaluate — pure authorization path composing capability verification, subject binding, scope match, and sync guardsevaluateauth compositionchio_kernel_core::receipts::sign_receipt — pure receipt-signing step over an already-constructed receipt bodysign_receiptcanonical JSON · Ed25519ChioKernel::evaluate_portable_verdict — direct delegation into chio_kernel_core::evaluate with trusted-issuer and portable-guard wiringevaluate_portable_verdictshell delegatorChioKernel::build_and_sign_receipt — direct delegation into chio_kernel_core::sign_receipt once the shell has assembled the receipt bodybuild_and_sign_receiptassembles receipt bodyRuns async guards outside the pure core. Their synchronous portable decisions are passed into evaluate as data.Guard pipeline runnerasync · side-effectingRevocation-store lookups and delegation-store lineage joins — explicitly excluded from the verified-core boundary.Revocation · lineagestore lookupsReceipt persistence, checkpoint publication, and clustered trust-control — outside the verified core; affects availability, not safety.Receipt persistenceSQLite store · checkpointsBudget mutation, payment authorization, and any metering state transition — excluded from the verified-core boundary.Budget · meteringauthorize · commit · reconcileDPoP verification, nonce replay caches, hosted/session admission, tool subprocess and network effects — all operational-shell concerns.Transport · dispatchDPoP · hosted · subprocessdelegatedelegateLean 4 · 5 theorems · P1 has 1 outstanding `sorry`Lean-proven · pure functions · no I/Onot in TCB · affects availability, not safetythin API · wires trusted inputs into the pure corechio-core · chio-core-types — shared types: canonical JSON, capabilities, scopes, grants, receiptsinside out: narrower trust, stronger guaranteesdashed = shell delegates into pure core
The Chio kernel is layered for trust. The innermost ring is the pure, Lean-proven authorization and receipt-signing core. Around it sits a thin shell that delegates into that core, and around that sits the operational shell — transport, persistence, metering, dispatch — which affects availability but is not part of the safety TCB.
  • Pure verified core: the pure symbols in chio-kernel-core shown in the Lean map below (capability verification, grant resolution, evaluation, receipt signing, and scope subset) have no I/O and are covered by Lean proofs.
  • Kernel shell entry: a thin surface on ChioKernel that assembles inputs and delegates into the verified core.
  • Operational shell: everything else, transport, dispatch, persistence, budget mutation, revocation. A fault here can deny service; it cannot silently widen authority.

Why the layers matter

If the verified core is correct and the shell entry preserves its preconditions, no bug in the operational shell can produce a forged allow receipt or an over-broad grant. The shell can crash, refuse, or drop requests, but it cannot manufacture authority.

Where the kernel actually runs

The same kernel code ships in four deployment shapes. The trust model is identical across them; what changes is where the process boundary sits and which wire the agent speaks over.

Where the kernel runs: four deployment modes1 · Embedded library (chio-kernel-core)2 · Native sidecar (chio-kernel)3 · Hosted MCP edge (chio-cli mcp serve-http)4 · Envoy ext_authz (chio-envoy-ext-authz)agent processAgent: host binary that links chio-kernel-core directlyAgenthost binaryKernel: chio-kernel-core, linked in; validates tokens and runs guards in-processKernelchio-kernel-coreTool Server: spawned subprocess, reached over stdio or a unix socketTool Serversubprocagent processkernel processtool processAgentisolatedKernel: chio-kernel running as a local co-processKernelchio-kernelTool Serverisolatedhosted edgeAgent: remote client authenticating to the hosted edgeAgentremote clientKernel: chio-cli mcp serve-http, hosted behind an HTTPS boundaryKernelserve-httpControl plane: trust-control APIs (issue / revoke / attest) attached to the kernelControlissue · revokeTool ServertenantedAgent: any HTTP client; unaware of the kernelAgentHTTP clientEnvoy: proxy on the data path, configured with an ext_authz filterEnvoyext_authz filterKernel: chio-envoy-ext-authz, serving CheckRequest gRPC off the sideKernelauthz svcTool Server: any HTTP API; protected without modificationTool ServerHTTP APIin-proc callsubproc / unix sockframed JSONdispatchHTTPS + DPoPtrust-ctldispatchrequestCheckRequestforwardminimum footprint · agent owns trustagent–kernel isolation · local receiptsremote session lifecycle · tenantedprotect arbitrary HTTP APIs · header mutationssame five trust roles · four physical shapespick per workload · trust model identical across modes
The same five trust roles (agent · kernel · tool server · capability authority · receipt log) realised in four physical shapes. Pick the deployment that fits your workload; the trust model is identical across all of them.
  • Embedded library: link chio-kernel-core directly into the agent. Minimum footprint, but the agent owns the signing key. Good for single-tenant local deployments.
  • Native sidecar: run the kernel as a separate process, agents speak length-prefixed canonical JSON over a Unix socket or TCP. Process-level isolation between agent and kernel.
  • Hosted MCP edge: chio mcp serve-http exposes an MCP-compatible HTTP surface with remote session lifecycle and a control-plane API. Tenanted deployments.
  • Envoy ext_authz: run the kernel as an external authorization service for any HTTP API that Envoy fronts. Protects arbitrary upstream services with header mutations and structured verdicts.

Message Flow

Every tool invocation follows the same deterministic path through the kernel. There are no shortcuts, no bypass mechanisms, and no exceptions.

Chio message flow: agent, kernel, tool serverkernel · internal stagesAgent: any LLM-powered process requesting a tool callAgentuntrustedChio Kernel: the trusted mediatorChio Kerneltrusted compute baseTool Server: the actual tool implementationTool ServersandboxedValidate tokensig · expiry · scopeGuard pipelinestateless + sessionEconomic checkbudget · meteringSign receiptappend-onlyAgentreceives responseChio Kernelreceipt committedTool Serverwork completeToolCallRequest + capability tokendispatch · if all passtool resultToolCallResponse + receiptdeterministic path · no shortcuts · no bypasssolid = cross-lane message · numbered pill = kernel stage
A governed tool call's deterministic path. Four kernel stages (1–4) run between dispatch and return. Time flows top to bottom.

The kernel evaluation stages in detail:

Stage 1: Token Validation

The kernel extracts the capability token from the request and validates:

  • Signature: the token was issued by a recognized Capability Authority
  • Expiry: the token has not expired (time-bounded by design)
  • Scope: the requested tool and arguments fall within the token's declared scope
  • Revocation: the token has not been revoked by the CA

If any check fails, the request is immediately denied. No further processing occurs.

Stage 2: Guard Pipeline

If the token is valid, the request enters the guard pipeline. The pipeline is composed of composable guard families covering filesystem, shell, network egress, tool access, secrets, patch integrity, prompt safety, threat intel, rate limiting, and agent-surface controls (computer use, browser automation, code execution, remote desktop):

GuardEnforcesExample
forbidden-pathBlocks access to specific file patternsDeny **/.env, **/*.pem
path-allowlistRestricts file access to declared rootsOnly allow ./workspace/**
shell-commandValidates or blocks shell command executionBlock rm -rf, allow ls
egress-allowlistControls outbound network accessOnly allow api.example.com:443
mcp-toolLimits which tools can be invokedAllow read_file, deny write_file
secret-leakScans arguments and results for secretsBlock API keys, tokens in args
patch-integrityValidates patch and diff safetyBlock dangerous file modifications
velocityRate-limits invocations per time windowMax 100 calls per 60 seconds
agent-velocitySession-aware rate limiting across agent activityThrottle a runaway agent loop
internal-networkSSRF defense against internal ranges and metadata endpointsBlock 169.254.169.254, RFC 1918 ranges
data-flowTracks data provenance and exfiltration paths across a sessionBlock reading a secret then writing it outbound

Guards are composable and independent. Each guard receives the full request context and returns an allow or deny verdict. The pipeline uses a conjunctive model: all guards must allow for the request to proceed.

Machine-checked proofs in Lean 4

The kernel's core safety properties are not just tested, they are proved in Lean 4 under the scope set by the project claim registry. Five theorem families pin down the guarantees: P1 Capability Monotonicity (bounded Lean mechanization for attenuation over the verified-core model), P2 Revocation Completeness (bounded Lean proofs that revoked tokens and revoked presented ancestors cannot pass), P3 Fail-Closed Guarantee (bounded Lean proofs that the pure evaluator is total and fail-closed), P4 Symbolic receipt and checkpoint properties (symbolic Lean proofs plus runtime receipt-signing checks in Rust), and P5 Bounded delegation-chain structure (bounded structural delegation-chain theorems for the presented-chain model). The P1 bounded-model theorems are fully discharged under the claim-registry scope.

The map below shows which Rust symbols each theorem constrains. The boundary is deliberately narrow: revocation lookups, budget mutation, DPoP verification, and tool dispatch stay in the operational shell until a later formal phase pulls them in.

rendering…
Five Lean theorem families and the Rust symbols they constrain. Everything outside this map is operational shell, not proven.

Merkle-committed receipt log

Receipts are Merkle-committed in batched checkpoints. Inclusion proofs allow any single receipt to be verified without replaying the full log, so auditors can spot-check without materializing the entire history.

Stage 3: Economic Check

After the guard pipeline, the kernel evaluates economic constraints. Each tool call has an associated cost, and the capability token carries a budget. The kernel verifies:

  • The token's remaining budget can cover the estimated cost
  • Any underwriting agreements are valid and solvent
  • The cost is metered and deducted atomically

A tool that prices itself above what the token allows is denied here, before it runs. A tool that misreports its cost gets a signed reconciliation receipt the next time it tries to settle. Finance and security read the same artifact, in the same format, with the same signature.

Stage 4: Receipt Signing

Regardless of outcome, the kernel produces a signed receipt. The receipt includes the original request, the decision (allow/deny), which guards passed or failed, timing information, and economic data. The receipt is signed with the kernel's private key and appended to the receipt log. The receipt outlives the kernel that signed it: a verifier years later needs only the public key and the canonical bytes.

receipt-example.json
{
  "id": "rcpt_a1b2c3d4e5f6",
  "timestamp": 1744537862,
  "capability_id": "cap_7f3a...e91d",
  "tool_server": "srv-files",
  "tool_name": "read_file",
  "action": {
    "parameters": {"path": "./workspace/README.md"},
    "parameter_hash": "sha256:a1b2c3d4..."
  },
  "decision": "allow",
  "content_hash": "sha256:d7e8f9a0...",
  "policy_hash": "sha256:b5c6d7e8...",
  "evidence": [
    {"guard": "forbidden-path", "verdict": "allow"},
    {"guard": "path-allowlist", "verdict": "allow"},
    {"guard": "shell-command", "verdict": "allow"},
    {"guard": "egress-allowlist", "verdict": "allow"},
    {"guard": "mcp-tool", "verdict": "allow"},
    {"guard": "secret-leak", "verdict": "allow"},
    {"guard": "patch-integrity", "verdict": "allow"},
    {"guard": "velocity", "verdict": "allow"}
  ],
  "metadata": {
    "financial": {
      "estimated_cost": {"units": 1, "currency": "USD"},
      "actual_cost": {"units": 1, "currency": "USD"}
    }
  },
  "kernel_key": "ed25519:pub:9c7b3f...",
  "signature": "ed25519:e5f6a7b8..."
}

Signing is only the first event in a receipt’s life. After the kernel emits it, the receipt travels through persistence, batched Merkle commitment, optional external anchoring, and finally export to downstream verifiers and SIEMs.

rendering…
A receipt's lifecycle: sign → persist → checkpoint → anchor → export. Each stage produces evidence that the next stage consumes.

Fail-Closed Semantics

The kernel operates under a strict fail-closed model.

Default deny

If anything goes wrong, invalid token, guard error, budget exhausted, network timeout, or internal exception, the request is denied. There is no fail-open path. Silence is denial.

Every way a tool call can fail converges on the same terminal: a signed deny receipt. The diagram below traces the ten known failure modes from the stage that surfaces them down into the shared sink. There is no edge that bypasses signing, and no edge that leads to an unsigned allow.

Chio fail-closed convergence treekernel stages (fail-closed conjunction)Incoming tool call request from the agentTool callagent → kernelCapability token validation: presence, signature, expiry, revocation, scopeToken validationsig · expiry · scopeGuard pipeline: any guard can short-circuit; guard panics are treated as deniesGuardsstateless → sessionEconomic check: remaining budget, per-call metering, rate accountingEconomicbudget · meteringDispatch stage: hand off to tool server, await result, observe kernel livenessDispatchtool server · resultSigned allow receipt: reached only when every stage passedSigned allow receiptdispatched · committedSigned deny receipt: the single convergence point for every failure modeSigned deny receiptfail-closed · committedrequestpasspasspassall stages passno tokeninvalid signatureexpiredrevokedwrong scopeguard denyguard panicbudget exhaustedtool server timeoutkernel panicfunnel railevery deny → sinkno fail-open path · silence is denialsolid = happy path · dashed = deny branch
Every failure mode in the kernel converges to a single signed deny receipt. There is no fail-open path — silence is denial.

This shape is the whole point. A misconfigured kernel, a crashed guard, a network partition, or a downed tool server all collapse to the same outcome: the caller gets a signed denial, the receipt log gains one more row, and the auditor can replay exactly what happened. An attacker who disrupts the kernel causes a denial of service, never a privilege escalation.

Zero Ambient Authority

Authority is conferred, not inherited. An agent holds no permissions until a Capability Authority issues a signed, time-bounded, attenuable token granting one specific action. The full framing lives in the Trust Model; in the wire format, that token looks like this:

zero-authority-example.yaml
# An agent with this capability can ONLY:
#   - Call read_file on server srv-files
#   - For the next 30 minutes
#   - Up to 50 invocations
#   - With a max cost of $0.10 per invocation

capability:
  id: cap_7f3a...e91d
  issuer: ca-prod-01
  subject: agent-research-bot
  issued_at: 1744536000
  expires_at: 1744537800
  scope:
    grants:
      - server_id: srv-files
        tool_name: read_file
        operations: [invoke]
        max_invocations: 50
        max_cost_per_invocation:
          units: 10
          currency: USD
  delegation_chain: []
  signature: "ed25519:..."

Guard Pipeline Evaluation

The guard pipeline uses a conjunctive model: every enabled guard must allow for the request to proceed. Evaluation runs in a fixed order (cheapest first) and short-circuits on the first deny; a single deny from any guard rejects the entire request. For the per-guard reference, the authoring model, and custom-guard composition, see Guards.

Component Boundaries

The trust model depends on strict boundaries between components:

BoundaryMechanismGuarantee
Agent → KernelCapability tokensAgent cannot act without explicit authorization
Kernel → Tool ServerProcess isolation + sandboxingTool servers only receive pre-validated requests
Kernel → Receipt LogAppend-only + cryptographic signaturesReceipts cannot be modified after commit
CA → KernelSigned tokens + revocation listOnly the CA can grant or revoke authority
Agent → Tool ServerNo direct pathAll communication flows through the kernel

What an adversary would have to do

The boundaries table describes mechanisms; the diagram below describes the cost of crossing each one. Compromise one boundary and guarantees degrade along a specific axis; compromise none and the guarantees hold as stated.

Trust boundaries annotated with required adversary compromiseAgent: the untrusted LLM-driven process holding a capability tokenAgentuntrusted callerKernel: validates the token's signature, expiry, and scope before any dispatchKerneltoken validatorCrossing this boundary requires forging an Ed25519 signature from a trusted issuersig forgerywhat must failKernel: dispatches validated calls into an isolated tool server processKerneldispatcherTool Server: runs in its own OS process with a reduced syscall surfaceTool Serversandboxed workerCrossing this boundary requires breaking sandbox isolation or subverting the kernel's dispatch codesandbox escapewhat must failKernel: signs every decision with its Ed25519 key and appends to the logKernelreceipt signerReceipt Log: a tamper-evident chain; each entry references the previous hashReceipt Logappend-onlyCrossing this boundary requires exfiltrating the kernel's signing keykey theftwhat must failCapability Authority: mints tokens and publishes revocation lists consumed by the kernelCapability Authorityissuer · CAKernel: trusts the CA's public key and periodically syncs the revocation listKerneltoken verifierCrossing this boundary requires stealing the CA signing key or preventing the kernel from seeing the revocation listsync bypasswhat must failAgent: no protocol, port, or channel reaches the tool server directlyAgentuntrusted callerTool Server: addressable only via the kernel's dispatch surfaceTool ServerunreachableCrossing this boundary requires subverting the model itself — a path the kernel does not exposekernel bypasswhat must failcapability tokenprocess isolation · sandboxappend-only · Ed25519 chainsigned tokens · revocation listnone — no direct pathattacker must forge Ed25519 issuer signatureattacker must escape sandbox or subvert dispatchattacker must compromise kernel signing keyattacker must steal CA key or bypass revocation syncattacker must bypass kernel entirelyfive boundaries · five classes of required compromisecompromise one boundary · guarantees degrade; compromise none · guarantees hold
The same five boundaries as the architecture table, reframed adversarially. Each wire shows its mechanism; the caption below states what an attacker would have to break; the right-hand chip names the failure class. Lane 5 is dashed because there is no such wire by construction — crossing it requires subverting the whole model.

Key Hierarchy

Chio’s signed artifacts are only as meaningful as the keys that sign them. Production deployments separate five logically distinct roles, each owning a different artifact class and a different rotation domain.

Key hierarchy and rotation domainslocal dev · one Ed25519 keypairVerifier Trust Bundle — the root input to verification; lists which issuer keys are trusted for which artifact classesVerifier Trust Bundletrust root inputCapability Authority — signs capability tokens and delegated grants; represents authorization, not executionCapability Authorityissues capabilitiesKernel Signer — signs ChioReceipts and session compliance certificates; represents the execution environment that observed and enforced the sessionKernel Signersigns enforcement evidenceCheckpoint Publisher — signs checkpoint manifests and batch-root announcements; represents append-only publicationCheckpoint Publisherbatches · Merkle rootsHosted Control-Plane Identity — authenticates trust-control APIs, ingestion, and operator APIs; NOT the artifact-signing trust rootHosted Control-Planeauthenticates APIsSigned trust bundle consumed by verifiers — aggregates trusted issuer keys + validity intervals + retirement metadataverifier trust bundleCapability tokens — signed, scoped grants presented by agents to the kernelcapability tokensChioReceipts and session compliance certificates — per-decision and per-session signed evidenceChioReceipt + session certsCheckpoint manifests and batch-root announcements — signed append-only publication artifactscheckpoint manifestsAuthentication tokens for trust-control APIs, ingestion, and operator endpoints — transport auth, not artifact signingtrust-control API authsignssignssignsauthenticatesconsumed by verifierincludedincludedincludedrotation: bundle-v2rotation: cap-v3rotation: kernel-v7rotation: ckpt-v4rotation: ctrl-v1dev collapses these three onto one keypair · production keeps them separatekey roles · logically distinct signersartifact classes · signed or authenticated by each rolerotate per domain · retain retired keys for historical verificationhosted customer-controlled signing profile: kernel signer key stays under customer custodysolid = signs / authenticates · dashed = included in trust bundle
Five signing-key roles and the artifact classes each signs. Rotation is per-domain: rotating the kernel signer does not invalidate historical capability tokens or checkpoint manifests. Local dev may collapse the three signer roles onto one Ed25519 keypair; production keeps them separate.

Local development can collapse the three signer roles onto a single Ed25519 keypair, and the examples throughout these docs do. Production and hosted profiles separate them so a compromised kernel signer cannot mint capabilities, a compromised capability authority cannot forge receipts, and a compromised checkpoint publisher cannot do either. Rotation is per-domain: rotating the kernel signer does not invalidate outstanding capabilities, and rotating the capability authority does not invalidate past receipts.

Hosted customer-controlled signing

In hosted deployments, the runtime infrastructure may live with the provider, but the artifact-signing keys stay under customer custody, via HSM, KMS, or a dual-control signing sidecar. The full trust-model document, including rotation semantics, federated trust bundles, and verifier onboarding, lives in the CHIO protocol repository.

Next Steps

  • Capabilities: deep dive into token structure, delegation, and revocation
  • Guards: detailed reference for every guard in the pipeline
  • Receipts: cryptographic receipt format and verification
  • Economics: budgets, metering, settlement, and underwriting
PreviousInstallationNextPortable Kernel