Struct Policy 

pub struct Policy {
    pub denied_paths: BTreeSet<String>,
    pub denied_prefixes: BTreeSet<String>,
    pub deny_unsafe: bool,
}

Purity policy — exact path deny, namespace prefix deny, and an unsafe-block ban. The default deny_compute_impurity policy covers the 4-rule deny scope (Clock + RNG + I/O + FFI).

Known limitation: single-ident suffix-match false-positive

The visitor matches a single-segment path (e.g. thread_rng()) by scanning the deny-list for any entry ending in ::<ident>. This catches the common use-import escape (use rand::thread_rng; thread_rng()) but also collides with user-defined local fn of the same name (e.g. a shell crate defining fn random() -> u32 would have its calls to random() falsely flagged as rand::random).

Mitigation:

• Use full-qualified path in shell code (my_crate::random() instead of random()).
• Or apply Policy::empty() and rely on a downstream lint.
• Long-term — receiver-type aware HIR resolution lands when the crate migrates to the dylint_linting cdylib (documented in the crate-level rustdoc).

Fields

denied_paths: BTreeSet<String>

Fully-qualified path strings that must not appear as call targets or constant accesses. Match heuristics:

• exact full-path equality (e.g. std::time::Instant::now vs the path string of the visited ExprPath),
• use rand::thread_rng; thread_rng() style — the bare ident thread_rng matches the entry rand::thread_rng because the entry’s last segment equals the visited path’s last segment AND the visited path is a single ident.

denied_prefixes: BTreeSet<String>

Namespace prefixes that ban every prefix::* call site in expression position. Use for whole-module bans (std::fs, std::net, libc, …). A bare visited path P matches the prefix P exactly OR P::*. Type-position paths are skipped because the visitor only overrides visit_expr_path.

deny_unsafe: bool

When true, every unsafe { ... } block inside the scanned function triggers a violation. Closes the FFI escape route (raw extern "C" calls always require unsafe) plus transmute / raw-pointer dereferences.

Implementations

impl Policy

pub fn empty() -> Self

Empty policy — accepts every function. Useful for tests.

pub fn deny_compute_impurity() -> Self

Default deny list (4 categories): Clock + RNG + I/O + FFI plus unsafe block ban. Future rounds may add Threading + Sync/atomic

• replay hazards — non-breaking additions.

Trait Implementations

impl Clone for Policy

fn clone(&self) -> Policy

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Policy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for Policy

fn default() -> Self

Returns the “default value” for a type.