Portal Community
Flow Studio

IGuardRail Interface

IGuardRail is the composite interface for a complete guard rail implementation. It combines executor, validator, and descriptor sub-interfaces into a single contract. All built-in and custom guards implement this composite interface.

Interface Hierarchy

// BizFirst.Ai.GuardRails.Domain.Contracts

// Composite interface — implement this for a complete guard
public interface IGuardRail : IGuardRailExecutor, IGuardRailConfigValidator, IGuardRailDescriptor
{ }

// --- IGuardRailExecutor ---
public interface IGuardRailExecutor
{
    string Name    { get; }  // unique identifier (e.g. "RateLimitingGuard")
    string Version { get; }  // semantic version (e.g. "1.0.0")

    // Which phases this guard participates in
    IReadOnlyList<GuardRailPhase> SupportedPhases { get; }

    // The evaluation method — called once per phase
    Task<GuardRailCheckResult> ExecuteAsync(
        GuardRailExecutionContext context,
        GuardRailPhase phase,
        CancellationToken cancellationToken = default);
}

// --- IGuardRailConfigValidator ---
public interface IGuardRailConfigValidator
{
    // Quick boolean validation
    bool Validate(IDictionary<string, object?> configuration);

    // Detailed validation with errors and warnings
    GuardRailConfigValidationResult ValidateWithDetails(IDictionary<string, object?> configuration);
}

// --- IGuardRailDescriptor ---
public interface IGuardRailDescriptor
{
    string GuardName          { get; }  // display name
    string Description        { get; }  // what the guard does
    string ConfigurationSchema { get; }  // JSON Schema for its config
    IReadOnlyList<GuardRailDependency> Dependencies { get; }
    bool IsSecurityCritical   { get; }  // if true: fail-closed on exception
}

GuardRailPhase Enum

public enum GuardRailPhase
{
    Pre   = 0,   // Before executor — can block execution
    Post  = 1,   // After executor — can override output
    Error = 2    // On error — informational/logging only
}

Key Properties to Implement

PropertyRequiredNotes
NameYesUnique identifier — used as the registry key
SupportedPhasesYesOnly return phases you implement — reduces unnecessary calls
ExecuteAsyncYesCheck phase parameter and return Success() for phases you don't handle
ValidateWithDetailsYesCalled at design time when the Atlas Form saves guard configuration
ConfigurationSchemaYesJSON Schema for the guard's config — drives the Atlas Form field generation
IsSecurityCriticalRecommendedSet to true if a guard exception should block rather than fail-open
Guard Phase Check in ExecuteAsync Always check if (phase != GuardRailPhase.Pre) return GuardRailCheckResult.Success(); at the top of ExecuteAsync for guards that only run in one phase. The engine passes all phases to all guards — it is the guard's responsibility to return Success for phases it does not handle.
← The Guard Pipeline Next: GuardRailCheckResult →