checkrd

Hono

Add Checkrd policy enforcement to Hono routes via app.use middleware.

Hono

Checkrd's Hono integration is a standard Hono middleware. Mount it once on the app and every request flows through the policy engine before reaching your handlers.

Install

bash
npm install checkrd hono

Quickstart

typescript
import { Hono } from "hono";
import { checkrdHono } from "checkrd/hono";

const app = new Hono();

app.use(
  "*",
  checkrdHono({
    agentId: "01234567-89ab-cdef-0123-456789abcdef",
    apiKey: process.env.CHECKRD_API_KEY,
  }),
);

app.post("/chat", async (c) => {
  const body = await c.req.json();
  // ... your handler runs only if the policy allowed the call ...
  return c.json({ ok: true });
});

export default app;

Where does the policy come from?

No policy: argument — checkrdHono boots the SDK on first request via initAsync, which fetches your agent's currently-published DSSE-signed bundle from the control plane and installs it before any handler runs. Edit the policy in the dashboard; updates stream to running isolates over SSE in milliseconds.

What gets enforced

The middleware evaluates each request through the policy engine using the request's actual method, URL, headers, and body. Standard URL matchers apply:

yaml
default: deny

rules:
  - name: allow-public-chat
    allow:
      method: [POST]
      url: "**/chat"

  - name: deny-admin-from-public
    deny:
      method: [POST]
      url: "**/admin/**"
      headers:
        - name: x-tenant-tier
          exact: public

Context variables

The middleware sets a checkrdFetch value on the Hono context so downstream handlers can make Checkrd-governed outbound requests:

typescript
app.post("/chat", async (c) => {
  const fetch = c.get("checkrdFetch");
  const upstream = await fetch("https://api.openai.com/v1/chat/completions", {
    method: "POST",
    body: JSON.stringify({ model: "gpt-4o-mini", messages: [/* ... */] }),
  });
  return c.json(await upstream.json());
});

Outbound calls made through checkrdFetch are evaluated by the policy engine before they leave the Worker.

Edge runtimes

Hono runs in Cloudflare Workers, Vercel Edge, Deno, Bun, and Node. The Checkrd middleware is runtime-agnostic; initAsync in the bootstrap loads the WASM via fetch.

Caveats

  • Body is read once. The middleware reads the request body for policy evaluation. Hono caches the body on the request, so handlers can still call c.req.json() / c.req.text() afterward. If your handler uses a streaming reader, plumb it via c.req.raw.body directly.
  • Mount order. Place checkrdHono BEFORE any handlers you want enforced, but AFTER any auth middleware that adds identity headers; those headers feed the policy engine's header matchers.
Next.jsCloudflare Workers