[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-77514":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":15,"stars30d":15,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":16,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":17,"fork":17,"defaultBranch":18,"hasWiki":19,"hasPages":19,"topics":20,"createdAt":10,"pushedAt":10,"updatedAt":31,"readmeContent":32,"aiSummary":33,"trendingCount":15,"starSnapshotCount":15,"syncStatus":14,"lastSyncTime":34,"discoverSource":35},77514,"ChronicleVM","didikana\u002FChronicleVM","didikana","Sandboxed plugin VM with typed capabilities, deterministic replay, and time-travel debugging — written in Rust.","https:\u002F\u002Fdidikana.github.io\u002FChronicleVM\u002F",null,"Rust",113,6,2,0,39.54,false,"main",true,[21,22,23,24,25,26,27,28,29,30],"bytecode","capability-based-security","capability-security","plugin-system","rust","rust-lang","sandbox","security","vm","wasm-alternative","2026-06-12 04:01:21","# ChronicleVM\n\nChronicleVM is a Rust safe-plugin runtime built around one idea: plugin\nexecution should be bounded, inspectable, and replayable.\n\nIt includes a bytecode VM, high-level `.chr` language, typed capability\nnegotiation, deterministic trace\u002Freplay, time-travel debugging, a browser trace\nviewer, an embeddable Rust host SDK, and security hardening for malformed input\nand runaway plugins.\n\n[![CI](https:\u002F\u002Fgithub.com\u002Fdidikana\u002FChronicleVM\u002Factions\u002Fworkflows\u002Fci.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fdidikana\u002FChronicleVM\u002Factions\u002Fworkflows\u002Fci.yml)\n\n## 90-Second Quickstart\n\n```sh\ngit clone https:\u002F\u002Fgithub.com\u002Fdidikana\u002FChronicleVM && cd ChronicleVM\ncargo run -p chronicle-cli -- trace examples\u002Faudit-plugin.chr \\\n  --policy examples\u002Faudit-policy.toml --out \u002Ftmp\u002Faudit.ctrace\ncargo run -p chronicle-cli -- audit \u002Ftmp\u002Faudit.ctrace\n```\n\n`audit: valid` confirms the trace is checksummed and replayable. Step through\nevery instruction event in the browser:\n\n```sh\npython3 -m http.server 4173 --directory docs\n# Open http:\u002F\u002Flocalhost:4173\u002Ftrace-viewer\u002F and load \u002Ftmp\u002Faudit.ctrace\n```\n\n## Why It Exists\n\nMost plugin systems answer \"did it run?\" ChronicleVM answers more useful\nquestions:\n\n- What host powers did the plugin request?\n- Which powers were granted, mocked, or denied?\n- What exactly happened at each instruction?\n- Can the run be replayed without calling live host capabilities?\n- Can a failure trace be preserved as evidence?\n\nThat makes ChronicleVM a systems\u002Fsecurity project, not just a toy VM.\n\n## Highlights\n\n- **Typed capabilities:** plugins declare versioned host powers such as\n  `clock.now@1`, `random.u64@1`, or app-owned capabilities like `kv.get@1`.\n- **Policy negotiation:** hosts grant, deny, or mock capabilities before any\n  plugin bytecode runs.\n- **Deterministic trace\u002Freplay:** traces record instruction events, register\n  changes, source lines, capability calls, results, errors, and checksums.\n- **Trace audit:** `chronicle audit` validates full traces by replaying them and\n  reports module\u002Fpolicy digests, limits, capability counts, result, or error.\n- **Time-travel debugging:** step forward\u002Fbackward, jump to events, inspect\n  reconstructed state, diff event ranges, and slice traces.\n- **Security hardening:** CLI sandbox limits are enabled by default, malformed\n  binary modules return structured errors, and property tests exercise random\n  and mutated binary inputs.\n- **Embeddable host SDK:** Rust apps can register custom capability handlers and\n  run plugins with `Vm::new_with_host`.\n- **Static trace viewer:** a GitHub Pages-ready viewer loads `.ctrace` files\n  locally in the browser.\n\n## Demo\n\nRun the flagship audit plugin:\n\n```sh\ncargo run -p chronicle-cli -- trace examples\u002Faudit-plugin.chr \\\n  --policy examples\u002Faudit-policy.toml \\\n  --out \u002Ftmp\u002Faudit.ctrace\n\ncargo run -p chronicle-cli -- audit \u002Ftmp\u002Faudit.ctrace\ncargo run -p chronicle-cli -- replay \u002Ftmp\u002Faudit.ctrace\ncargo run -p chronicle-cli -- debug \u002Ftmp\u002Faudit.ctrace \\\n  --commands \"source;next;regs;caps;jump 20;why;quit\"\n```\n\nOpen the trace viewer:\n\n```sh\npython3 -m http.server 4173 --directory docs\n```\n\nThen visit `http:\u002F\u002Flocalhost:4173\u002Ftrace-viewer\u002F` and open\n`\u002Ftmp\u002Faudit.ctrace`.\n\n## What The Demo Shows\n\nThe audit plugin uses mocked time\u002Frandomness, prints audit events, computes a\nrisk score, and returns a deterministic decision. The trace captures:\n\n- source-correlated instruction events,\n- capability calls and returned values,\n- register changes,\n- final result or resource-limit error,\n- replay checksum,\n- provenance metadata with `sha256:` module and policy digests.\n\nReplay validates the trace without invoking live host capabilities.\n\n## CLI\n\n```sh\ncargo run -p chronicle-cli -- verify examples\u002Fplugin.chr\ncargo run -p chronicle-cli -- negotiate examples\u002Fplugin.chr --policy examples\u002Fplugin-mock.toml\ncargo run -p chronicle-cli -- compile examples\u002Fplugin.chr --out \u002Ftmp\u002Fplugin.cmod\ncargo run -p chronicle-cli -- run examples\u002Fplugin.chr --policy examples\u002Fplugin-mock.toml\ncargo run -p chronicle-cli -- trace examples\u002Fplugin.chr --policy examples\u002Fplugin-mock.toml --out \u002Ftmp\u002Fplugin.ctrace\ncargo run -p chronicle-cli -- inspect \u002Ftmp\u002Fplugin.ctrace\ncargo run -p chronicle-cli -- audit \u002Ftmp\u002Fplugin.ctrace --json\ncargo run -p chronicle-cli -- replay \u002Ftmp\u002Fplugin.ctrace\ncargo run -p chronicle-cli -- trace-slice \u002Ftmp\u002Fplugin.ctrace --from 1 --to 3 --out \u002Ftmp\u002Fslice.ctrace\n```\n\nInstall locally:\n\n```sh\ncargo install --path crates\u002Fchronicle-cli\n```\n\n## Safe Defaults\n\n`run` and `trace` use deterministic sandbox limits by default:\n\n- `--max-instructions 100000`\n- `--max-call-depth 64`\n- `--max-registers 1024`\n- `--max-array-items 4096`\n\nOverride limits individually:\n\n```sh\nchronicle run examples\u002Faudit-plugin.chr --policy examples\u002Faudit-policy.toml \\\n  --max-instructions 10000 \\\n  --max-call-depth 32\n```\n\nUse `--unbounded` only when intentionally reproducing older unlimited CLI\nbehavior. It cannot be combined with explicit `--max-*` flags.\n\n## Security Demo\n\n`examples\u002Fmalicious-plugin.chr` intentionally loops forever. ChronicleVM stops\nit with the default instruction budget:\n\n```sh\ncargo run -p chronicle-cli -- run examples\u002Fmalicious-plugin.chr \\\n  --policy examples\u002Fpolicy.toml\n```\n\nExpected result:\n\n```text\nresource limit exceeded: instruction budget exceeded max 100000\n```\n\nYou can also capture a bounded failure trace and audit it:\n\n```sh\ncargo run -p chronicle-cli -- trace examples\u002Faudit-plugin.chr \\\n  --policy examples\u002Faudit-policy.toml \\\n  --max-instructions 1 \\\n  --out \u002Ftmp\u002Flimited.ctrace\n\ncargo run -p chronicle-cli -- audit \u002Ftmp\u002Flimited.ctrace\n```\n\n## Embedding ChronicleVM\n\nRust hosts register app-owned capabilities with typed signatures and construct\nthe VM with `Vm::new_with_host`.\n\n```rust\nuse chronicle_core::{\n    CapabilityDecl, CapabilityDecision, HostPolicy, HostRegistry, Value, ValueType, Vm,\n};\nuse std::collections::BTreeMap;\n\nlet mut host = HostRegistry::with_builtins();\nhost.insert(\n    CapabilityDecl {\n        id: \"audit.emit@1\".into(),\n        params: vec![ValueType::AnyVariadic],\n        return_type: ValueType::Nil,\n        reason: Some(\"emit an app audit event\".into()),\n    },\n    |args| {\n        println!(\"audit event: {args:?}\");\n        Ok(Value::Nil)\n    },\n)?;\n\nlet policy = HostPolicy {\n    decisions: BTreeMap::from([(\"audit.emit@1\".into(), CapabilityDecision::Grant)]),\n};\nlet mut vm = Vm::new_with_host(module, policy, host)?;\nlet trace = vm.run_with_trace(\"main\")?;\n```\n\nRun the embedding demo:\n\n```sh\ncargo run -p chronicle-embed-demo\ncargo run -p chronicle-cli -- audit \u002Ftmp\u002Fembedded-plugin.ctrace\ncargo run -p chronicle-cli -- replay \u002Ftmp\u002Fembedded-plugin.ctrace\n```\n\n## Language Sketch\n\n```text\nmodule safe_plugin\ncap log.print@1(any...) -> nil \"emit audit line\"\ncap clock.now@1() -> i64 \"timestamp plugin execution\"\n\nfn main\n  let timestamp = cap clock.now@1()\n  print(\"plugin started\", timestamp)\n  return [\"ok\", timestamp]\nend\n```\n\nThe high-level language supports functions, parameters, calls, `if`\u002F`else`,\n`while`, arrays, arithmetic, comparisons, boolean operators, capability calls,\nand `print(...)` sugar for `log.print@1`.\n\n## Why Not WASM?\n\nWebAssembly gives you portable sandboxing. ChronicleVM gives you *inspectable*\nsandboxing.\n\n- **Per-instruction event recording** with register snapshots — WASM does not\n  expose this\n- **Typed capability negotiation** before execution begins, not at import time\n- **Replay from a trace** without re-calling live host functions\n- **CLI debugger** that steps backward through recorded events\n- **Pure Rust library** — no JS runtime or browser dependency required\n\n## Why Deterministic Replay?\n\n\"The plugin ran fine in CI\" is not evidence when CI used live clocks and real\nrandomness.\n\n- A production failure can be re-examined without reproducing original conditions\n- `chronicle audit` checksums the trace and re-runs it, verifying the same result\n- Capability values come from the recorded trace — not new calls to live hosts\n- The exact inputs, decisions, and outputs are preserved as auditable evidence\n\n## Architecture\n\n**Execution flow:** `.chr` source → `chronicle-lang` compiler → bytecode\n(`.cmod`) → verifier → VM with capability gate (bounded by sandbox limits) →\n`.ctrace` trace file → `audit` \u002F `replay` \u002F `debug` \u002F browser viewer.\n\n| Crate | Purpose |\n| --- | --- |\n| `chronicle-core` | bytecode model, verifier, VM runtime, capabilities, trace\u002Freplay, host SDK |\n| `chronicle-asm` | `.casm` assembly parser |\n| `chronicle-lang` | high-level `.chr` compiler |\n| `chronicle-cli` | command-line runner, debugger, audit tooling |\n| `chronicle-embed-demo` | Rust embedding example with custom host capabilities |\n\n## Documentation\n\n- [Security model](docs\u002Fsecurity.md)\n- [Trace and replay](docs\u002Ftrace-replay.md)\n- [Capabilities](docs\u002Fcapabilities.md)\n- [Verifier](docs\u002Fverifier.md)\n- [Benchmarks](docs\u002Fbenchmarks.md)\n\n## Verification\n\n```sh\ncargo fmt --check\ncargo clippy --all-targets --all-features -- -D warnings\ncargo test\ncargo bench -p chronicle-cli --no-run\n```\n\nThe test suite covers verifier errors, resource limits, trace replay, host SDK\nbehavior, CLI flows, malformed binary smoke cases, and property-based malformed\ninput checks.\n","ChronicleVM 是一个用 Rust 编写的沙盒插件虚拟机，旨在实现插件执行的边界化、可检查性和可重放性。其核心功能包括字节码虚拟机、高级`.chr`语言、类型化的权限协商、确定性追踪\u002F重放、时间旅行调试等功能，并提供了一个嵌入式的 Rust 主机 SDK 以及针对恶意输入和失控插件的安全强化措施。适合需要对插件行为进行严格控制与审计的应用场景，如企业级软件开发中的扩展系统安全增强、教育领域的代码执行环境等，确保插件在运行时的行为既受控又透明。","2026-06-11 03:55:32","CREATED_QUERY"]