Default Pipeline

GuardPipeline::default_pipeline() is the seven-guard catalog the kernel runs out of the box. The guards are stateless, conjunctively combined, and ordered cheapest first. This page lists them in registration order and walks through the guards that are deliberately not in the default.

Registration Order

From crates/chio-guards/src/pipeline.rs:

crates/chio-guards/src/pipeline.rs

/// Create a default pipeline with all implemented guards using their
/// default configurations.
pub fn default_pipeline() -> Self {
    let mut pipeline = Self::new();
    pipeline.add(Box::new(crate::ForbiddenPathGuard::new()));
    pipeline.add(Box::new(crate::ShellCommandGuard::new()));
    pipeline.add(Box::new(crate::EgressAllowlistGuard::new()));
    pipeline.add(Box::new(crate::PathAllowlistGuard::new()));
    pipeline.add(Box::new(crate::McpToolGuard::new()));
    pipeline.add(Box::new(crate::SecretLeakGuard::new()));
    pipeline.add(Box::new(crate::PatchIntegrityGuard::new()));
    pipeline
}

#	Guard	Purpose
1	`ForbiddenPathGuard`	Glob match against forbidden filesystem patterns. Cheap; runs first so denials short-circuit before more expensive checks.
2	`ShellCommandGuard`	Regex match against forbidden shell-command patterns extracted from the request arguments.
3	`EgressAllowlistGuard`	Domain allowlist for outbound network requests. Wildcard host patterns; default action is block.
4	`PathAllowlistGuard`	Allowlist for filesystem read, write, and patch operations. Empty allowlist means no filesystem access.
5	`McpToolGuard`	Per-tool access control. Allow/block lists for tool names plus a max argument size and a require-confirmation list.
6	`SecretLeakGuard`	Pattern match against tool arguments for known secret formats (AWS keys, GitHub tokens, private keys, generic patterns).
7	`PatchIntegrityGuard`	Validates patches: max additions, max deletions, forbidden content patterns, addition/deletion balance.

default_pipeline() does not include velocity

The current default_pipeline() registers the seven stateless guards above. Velocity, jailbreak, agent-velocity, internal-network, data-flow, response-sanitization, and the external adapters are explicit opt-ins because they have ordering, dependency, or cost characteristics that operators should choose deliberately.

Ordering Rationale

Conjunctive combination means ordering does not change correctness, but it does change cost. Cheap stateless checks are at the top so the common-case denial finishes work before any guard touches a regex compile, an argument-tree walk, or a patch parser.

Forbidden path is first because a glob match on a small list is among the cheapest checks the catalog has.
Tool access (mcp-tool) comes mid-pipeline rather than at the very top because a request that survives path checks but is not in the tool allowlist is rare in practice; the ordering optimizes for the expected denial distribution.
Patch integrity is last because patch parsing is the most expensive check in the default. By the time it runs, the cheap denials are already gone.

What Is Not in the Default

The full chio-guards catalog ships more than the seven stateless guards. The rest are opt-in. Each row is a Guard Platform page.

Guard	Why opt-in
`JailbreakGuard` (heuristic + statistical + ML)	ML inference cost and false-positive risk vary by deployment; operators should review thresholds before enabling.
`PromptInjectionGuard`	Pattern detection on incoming text. Useful but noisy; operators tune the signal set.
`BehavioralProfileGuard`	Reads receipt feed history; needs a configured feed source and baseline windows before it has anything to compare against.
`AgentVelocityGuard`, `DataFlowGuard`, `BehavioralSequenceGuard`	Session-aware: depend on a configured session journal. Not every edge maintains one.
`InternalNetworkGuard`	Requires DNS resolution policy and trusted-resolver configuration; surprises operators if it lands on by default.
`VelocityGuard`	Per-window invocation cap; operators should pick a window and limit, not inherit a default that may not match their workload.
`ResponseSanitizationGuard` / `SanitizerHook`	Post-invocation surface; lives on the PostInvocationPipeline rather than the sync default.
External adapters (Bedrock, Azure, Vertex, Safe Browsing, VirusTotal, Snyk)	Network dependency, credentials, latency cost; only enable per External Guards.
`AdvisoryPipeline` + advisory guards	Non-blocking by default; operators choose which signals to emit and which to promote.
CUA guards (`computer_use`, `browser_automation`, `remote_desktop`, `input_injection`, `spider_sense`)	Only relevant for deployments that mediate computer use; off by default elsewhere.
`code_execution`, `content_review`, `memory_governance`	Domain-specific; operators wire them in only where the corresponding tool surface exists.
WASM custom guards	Loaded from operator-authored modules at start-up; the kernel does not ship with default WASM guards baked in.

Extending the Default

Start from the default and append. Anything you add runs after the default seven, which is the right place for guards that are more expensive or that depend on session state.

rust

use chio_guards::{
    GuardPipeline, AgentVelocityGuard, AgentVelocityConfig,
    DataFlowGuard, DataFlowConfig,
};
use chio_guards::response_sanitization::ResponseSanitizationGuard;

let mut pipeline = GuardPipeline::default_pipeline();

// Session-aware guards depend on a journal handle.
pipeline.add(Box::new(AgentVelocityGuard::new(
    journal.clone(),
    AgentVelocityConfig::default(),
)));
pipeline.add(Box::new(DataFlowGuard::new(
    journal.clone(),
    DataFlowConfig::default(),
)));

// Custom guards last.
pipeline.add(Box::new(BusinessHoursGuard::new(9, 17)));

kernel.add_guard(Box::new(pipeline));

Authoring custom guards is covered in Custom Guards. For the response-side phase, register a PostInvocationPipeline separately on the kernel; see Sanitization.

Opting Out

Build the pipeline by hand if you do not want one of the default seven. The default pipeline is just a convenience; nothing forces you to use it.

rust

use chio_guards::{
    GuardPipeline, ForbiddenPathGuard, PathAllowlistGuard,
    McpToolGuard, SecretLeakGuard, PatchIntegrityGuard,
};

// A pipeline without ShellCommandGuard or EgressAllowlistGuard,
// for a deployment that has no shell or network surface to begin with.
let mut pipeline = GuardPipeline::new();
pipeline.add(Box::new(ForbiddenPathGuard::new()));
pipeline.add(Box::new(PathAllowlistGuard::new()));
pipeline.add(Box::new(McpToolGuard::new()));
pipeline.add(Box::new(SecretLeakGuard::new()));
pipeline.add(Box::new(PatchIntegrityGuard::new()));

kernel.add_guard(Box::new(pipeline));

Removing a guard removes the protection

Each default guard exists because its absence opens a class of attack. Confirm the corresponding surface really is closed at a different layer (network sandbox, immutable filesystem, no shell tool) before omitting the guard.

Catalog Pages by Category

Filesystem · ForbiddenPathGuard, PathAllowlistGuard
Network · EgressAllowlistGuard, InternalNetworkGuard
Shell & Code · ShellCommandGuard, PatchIntegrityGuard, code-execution guards
Rate Limit · VelocityGuard, AgentVelocityGuard
Session-aware Guards · DataFlowGuard, BehavioralSequenceGuard, BehavioralProfileGuard
Jailbreak Detection · JailbreakGuard, PromptInjectionGuard
Sanitization · SanitizerHook, ResponseSanitizationGuard
Computer Use · CUA-mediation guards
Data Layer · SqlQueryGuard and chio-data-guards
External Adapters · cloud guardrails and threat-intel
Advisory Signals · AdvisoryPipeline and PromotionPolicy
WASM Guards · custom guards loaded from .arcguard components

Where to Go Next

The Guard Trait · the contract every guard implements
Pipelines & Composition · the surrounding combination rules
Custom Guards · author your own
Write a Policy · configure the default guards through HushSpec