HTTP Substrate

The HTTP substrate enables Chio to protect arbitrary HTTP APIs by evaluating requests against policy, signing receipts, and returning structured verdicts. It is the foundation that all HTTP-layer SDKs, middleware crates, and sidecar deployments consume.

When to use this page

Use this page when: you are building or auditing an HTTP-layer SDK, framework middleware, or sidecar deployment and need the typed ChioHttpRequest, HttpReceipt, verdict enum, default policy, and the deterministic HttpReceipt → ChioReceipt mapping. Don't use this if: you want the agent-protocol wire format (see Wire Protocol) or the cross-surface capability and receipt contract (see Protocol Reference).

Source

This page normatively reflects spec/HTTP-SUBSTRATE.md in the chio repository. Status: Normative. Version 1.0. The keywords MUST, SHOULD, and MAY are normative per RFC 2119.

Overview

The HTTP substrate uses a sidecar evaluation model: a Chio kernel runs as a local process and exposes an HTTP API on localhost. Language-specific middleware (Express, Actix, Axum, etc.) intercepts incoming HTTP requests, constructs a ChioHttpRequest, sends it to the sidecar, and enforces the returned verdict.

The substrate defines:

A sidecar evaluation protocol (three HTTP endpoints)
A typed request model (ChioHttpRequest) for policy evaluation
A typed receipt model (HttpReceipt) for signed proof of evaluation
Supporting types for caller identity, authentication, sessions, and verdicts
A deterministic mapping from HttpReceipt to the core ChioReceipt type

Sidecar Evaluation Protocol

Transport

The sidecar MUST listen on 127.0.0.1:9090 by default. Implementations MAY override the sidecar URL via:

An explicit configuration value (sidecarUrl in SDK config, or equivalent)
The CHIO_SIDECAR_URL environment variable

If both are set, the explicit configuration value takes precedence. If neither is set, the default http://127.0.0.1:9090 MUST be used. All request and response bodies MUST use Content-Type: application/json.

Endpoints

Endpoint	Method	Purpose
`/chio/evaluate`	POST	Evaluate an HTTP request against policy
`/chio/verify`	POST	Verify a receipt signature
`/chio/health`	GET	Sidecar health check

POST /chio/evaluate

Evaluates an HTTP request against the loaded policy and returns a signed receipt.

Request body: ChioHttpRequest.

Response body: EvaluateResponse.

Field	Type	Required	Description
`verdict`	Verdict	MUST	The evaluation verdict
`receipt`	HttpReceipt	MUST	Signed receipt proving the evaluation
`evidence`	GuardEvidence[]	MUST	Per-guard evidence collected during evaluation

Status codes:

200 OK. Evaluation completed (regardless of verdict). The verdict field indicates whether the request was allowed or denied.
400 Bad Request. The request body is malformed or missing required fields.
500 Internal Server Error. The sidecar encountered an internal error during evaluation.

200 means evaluated, not allowed

Implementations MUST return 200 for both allow and deny verdicts. The HTTP status code reflects the health of the evaluation pipeline, not the policy outcome. The policy outcome is encoded in the verdict field.

POST /chio/verify

Verifies the Ed25519 signature on a previously issued HttpReceipt.

Request body: HttpReceipt.

Response body:

Field	Type	Required	Description
`valid`	boolean	MUST	Whether the receipt signature is valid

A receipt with a valid signature but an expired timestamp is still valid: true from the verification endpoint's perspective. Temporal validity is the caller's responsibility.

GET /chio/health

Field	Type	Required	Description
`status`	string	MUST	One of `"healthy"`, `"degraded"`, or `"unhealthy"`
`version`	string	MUST	Sidecar version string

Status codes: 200 OK if healthy or degraded; 503 Service Unavailable if unhealthy.

Timeout and Failure Behavior

SDKs MUST implement a configurable timeout for sidecar calls. The default timeout SHOULD be 5000 milliseconds.

Fail-closed by default

When the sidecar is unreachable or times out, SDKs MUST default to fail-closed behavior (deny the request). SDKs MAY expose a configuration option to override this to fail-open, but fail-closed MUST be the default.

ChioHttpRequest

The protocol-agnostic HTTP request that Chio evaluates. This is the shared input type for all HTTP substrate adapters (reverse proxy, framework middleware, and sidecar alike).

Field	Type	Required	Default	Description
`request_id`	string	MUST		Unique request identifier. UUIDv7 recommended.
`method`	HttpMethod	MUST		HTTP method of the request
`route_pattern`	string	MUST		Matched route pattern (e.g., `"/pets/{petId}"`)
`path`	string	MUST		Actual request path (e.g., `"/pets/42"`)
`query`	map<string, string>	MAY	`{}`	Query parameters
`headers`	map<string, string>	MAY	`{}`	Selected headers. Adapters MUST NOT include raw auth credential headers.
`caller`	CallerIdentity	MUST		Extracted caller identity
`body_hash`	string or null	MAY	`null`	SHA-256 hex hash of the request body. `null` for bodyless requests (GET, HEAD, OPTIONS).
`body_length`	integer	MAY	`0`	Content-Length of the request body in bytes
`session_id`	string or null	MAY	`null`	Session ID this request belongs to
`capability_id`	string or null	MAY	`null`	Capability token ID presented with this request
`timestamp`	integer	MUST		Unix timestamp (seconds) when the request was received

Content Hash Computation

The content hash that binds a request to its receipt is computed as the SHA-256 hex digest of the canonical JSON (RFC 8785) of the following binding object:

json

{
  "body_hash": "<body_hash or null>",
  "method": "<HTTP method>",
  "path": "<actual path>",
  "query": { "<sorted query params>" },
  "route_pattern": "<route pattern>"
}

CallerIdentity

The identity of the caller as extracted from the HTTP request.

Field	Type	Required	Default	Description
`subject`	string	MUST		Stable identifier for the caller
`auth_method`	AuthMethod	MUST		How the caller authenticated
`verified`	boolean	MUST	`false`	Whether this identity has been cryptographically verified
`tenant`	string or null	MAY	`null`	Tenant or organization the caller belongs to
`agent_id`	string or null	MAY	`null`	Agent identifier when the caller is an AI agent

Identity hash: the caller_identity_hash in receipts is the SHA-256 hex digest of the canonical JSON representation of the full CallerIdentity object. The same identity MUST always produce the same hash.

AuthMethod

A tagged union representing how the caller authenticated. The discriminator field is method. Variant names use snake_case.

Variant	Tag value	Fields	Description
Bearer	`"bearer"`	`token_hash: string`	Bearer token (JWT or opaque). Implementations MUST NOT store or transmit raw tokens.
ApiKey	`"api_key"`	`key_name, key_hash`	API key. SHA-256 hex hash of the key value.
Cookie	`"cookie"`	`cookie_name, cookie_hash`	Session cookie. SHA-256 hex hash of the cookie value.
MtlsCertificate	`"mtls_certificate"`	`subject_dn, fingerprint`	mTLS client certificate. SHA-256 fingerprint.
Anonymous	`"anonymous"`	(none)	No authentication was presented.

json

{ "method": "bearer", "token_hash": "a1b2c3d4e5f6..." }

SessionContext

Per-session context carried through the Chio HTTP pipeline. A session groups related requests from the same caller over a bounded time window.

Field	Type	Required	Default	Description
`session_id`	string	MUST		Unique session identifier
`caller`	CallerIdentity	MUST		Authenticated caller for this session
`created_at`	integer	MUST		Unix timestamp (seconds) when the session was created
`expires_at`	integer or null	MAY	`null`	Unix timestamp (seconds) when the session expires
`request_count`	integer	MAY	`0`	Number of requests evaluated in this session
`bytes_read`	integer	MAY	`0`	Cumulative bytes read by this session
`bytes_written`	integer	MAY	`0`	Cumulative bytes written by this session
`delegation_depth`	integer	MAY	`0`	Current delegation depth. `0` means direct caller.
`metadata`	object or null	MAY	`null`	Extensibility metadata

Verdict

Internally tagged with "verdict" as the tag key and snake_case variant names.

Variant	Tag value	Fields	Description
Allow	`"allow"`	(none)	Request is allowed. Proceed to upstream.
Deny	`"deny"`	`reason, guard, http_status`	Request is denied. Default `http_status` is 403.
Cancel	`"cancel"`	`reason`	Evaluation was cancelled (e.g., timeout, circuit breaker).
Incomplete	`"incomplete"`	`reason`	Evaluation did not reach a terminal state.

Fail-closed semantics

When the verdict is cancel or incomplete, middleware MUST treat the request as denied. Only an explicit allow verdict permits forwarding to the upstream API.

When deserializing a deny verdict without an explicit http_status field, implementations MUST default to 403.

HttpMethod

Serialized as uppercase strings.

Value	Safe	Requires Capability
`"GET"`	Yes	No
`"HEAD"`	Yes	No
`"OPTIONS"`	Yes	No
`"POST"`	No	Yes
`"PUT"`	No	Yes
`"PATCH"`	No	Yes
`"DELETE"`	No	Yes

Safe methods (GET, HEAD, OPTIONS) are considered side-effect-free by default and receive session-scoped allow verdicts. Unsafe methods (POST, PUT, PATCH, DELETE) require an explicit capability grant.

GuardEvidence

Field	Type	Required	Description
`guard_name`	string	MUST	Name of the guard
`verdict`	boolean	MUST	Whether the guard passed (`true`) or denied (`false`)
`details`	string or null	MAY	Human-readable details about the guard's decision

HttpReceipt

A signed receipt proving that an HTTP request was evaluated by the Chio kernel. The receipt binds the request identity, route, method, verdict, and guard evidence under an Ed25519 signature from the kernel.

Field	Type	Required	Default	Signed	Description
`id`	string	MUST		Yes	Unique receipt ID. UUIDv7 recommended.
`request_id`	string	MUST		Yes	Unique request ID this receipt covers
`route_pattern`	string	MUST		Yes	Matched route pattern
`method`	HttpMethod	MUST		Yes	HTTP method of the evaluated request
`caller_identity_hash`	string	MUST		Yes	SHA-256 hex hash of the caller identity
`session_id`	string or null	MAY	`null`	Yes	Session ID the request belonged to
`verdict`	Verdict	MUST		Yes	The kernel's verdict
`evidence`	GuardEvidence[]	MAY	`[]`	Yes	Per-guard evidence collected during evaluation
`response_status`	integer	MUST		Yes	HTTP status Chio associated with the evaluation outcome at receipt-signing time.
`timestamp`	integer	MUST		Yes	Unix timestamp (seconds) when the receipt was created
`content_hash`	string	MUST		Yes	SHA-256 hex hash binding the request content to this receipt
`policy_hash`	string	MUST		Yes	SHA-256 hex hash of the policy that was applied
`capability_id`	string or null	MAY	`null`	Yes	Capability ID that was exercised, if any
`metadata`	object or null	MAY	`null`	Yes	Extensibility metadata
`kernel_key`	string	MUST		Yes	Kernel's Ed25519 public key (64-character hex)
`signature`	string	MUST		No	Ed25519 signature over canonical JSON of the body fields (128-character hex)

Signing

To produce a signed receipt:

Construct an HttpReceiptBody containing all fields from the table above except signature.
Serialize the body to canonical JSON (RFC 8785).
Sign the canonical bytes with the kernel's Ed25519 private key.
Attach the resulting signature to the receipt.

Verification

Extract the body (all fields except signature).
Serialize the body to canonical JSON (RFC 8785).
Verify the signature against the canonical bytes using the kernel_key embedded in the receipt.

Implementations SHOULD verify the receipt signature before treating receipt content as authoritative.

Cryptographic Representations

kernel_key: Ed25519 public key as 64-character lowercase hex (32 bytes). Pattern: ^[0-9a-f]{64}$.
signature: Ed25519 signature as 128-character lowercase hex (64 bytes). Pattern: ^[0-9a-f]{128}$.

HttpReceipt to ChioReceipt Mapping

The to_chio_receipt() conversion maps an HTTP-layer receipt into the core ChioReceipt type for unified storage and cross-surface querying.

Field Mapping

HttpReceipt field	ChioReceipt field	Transformation
`id`	`id`	Copied directly
`timestamp`	`timestamp`	Copied directly
`capability_id`	`capability_id`	Unwrapped; defaults to empty string if `null`
(constant)	`tool_server`	Set to `"http"`
`method` + `route_pattern`	`tool_name`	Formatted as `"{method} {route_pattern}"`
`method, route_pattern, request_id`	`action.parameters`	JSON object
`content_hash`	`action.parameter_hash`	Copied directly
`verdict`	`decision`	Converted via `Verdict.to_decision()`
`content_hash`	`content_hash`	Recomputed as SHA-256 of canonical JSON of `ChioReceiptBody`
`policy_hash`	`policy_hash`	Copied directly
`evidence`	`evidence`	Copied directly
`metadata`	`metadata`	Copied directly
`kernel_key`	`kernel_key`	Copied directly
`signature`	`signature`	Copied directly (see limitation below)

Verdict to Decision Mapping

Verdict variant	Decision variant
`allow`	`allow`
`deny { reason, guard, http_status }`	`deny { reason, guard }` (http_status is dropped)
`cancel { reason }`	`cancelled { reason }`
`incomplete { reason }`	`incomplete { reason }`

Signature Limitation

Converted receipts and signature verification

The signature field is copied directly from the HttpReceipt to the ChioReceipt. It is not re-signed over the ChioReceiptBody. Consumers that verify ChioReceipt signatures from HTTP-origin receipts MUST be aware that standard ChioReceipt signature verification will fail for these converted receipts. The intended use is unified storage and querying.

In production deployments, the kernel SHOULD sign both HttpReceipt and ChioReceipt independently from the same evaluation, rather than relying on the conversion method.

Default Policy Semantics

The HTTP substrate defines default policy behavior based on HTTP method safety:

Safe methods (GET, HEAD, OPTIONS): Session-scoped allow.
Unsafe methods (POST, PUT, PATCH, DELETE): Deny by default. These methods require an explicit capability token presented in the X-Chio-Capability request header or via capability_id in the ChioHttpRequest.

When a route is not matched in the loaded policy, the evaluator MUST fall back to method-based default policy.

Error Handling

Sidecar Error Codes

SDKs MUST use the following error codes when communicating sidecar failures to callers:

Code	Meaning
`chio_access_denied`	The request was denied by policy
`chio_sidecar_unreachable`	The sidecar process is not reachable
`chio_evaluation_failed`	The sidecar returned a non-200 status
`chio_invalid_receipt`	Receipt verification failed
`chio_timeout`	The sidecar did not respond within the timeout

Structured Error Response

When middleware denies a request, the response body SHOULD be a structured JSON object:

Field	Type	Required	Description
`error`	string	MUST	Error code from the table above
`message`	string	MUST	Human-readable error message
`receipt_id`	string or null	MAY	Receipt ID for the denied evaluation
`suggestion`	string or null	MAY	Actionable suggestion for the caller

Schemas and Conformance

Versioned HTTP substrate schemas live under spec/schemas/chio-http/v1/. Schema files in that directory are the machine-readable contract for the HTTP substrate types. Implementations MUST serialize all HTTP substrate types in a form accepted by those schemas. Schema validation SHOULD be exercised against live Rust serialization, not handwritten examples alone.

File	Described type
`http-receipt.schema.json`	`HttpReceipt`
`chio-http-request.schema.json`	`ChioHttpRequest`
`caller-identity.schema.json`	`CallerIdentity` with `AuthMethod`
`verdict.schema.json`	`Verdict`
`evaluate-request.schema.json`	POST `/chio/evaluate` request body
`evaluate-response.schema.json`	POST `/chio/evaluate` response body