
Module allowlist


The command allow-gates behind the dispatching tools.

ct-test and ct-each can run another program, so each runs only commands on a fixed, compiled-in list. The lists are intentionally static and immutable: nothing a caller does at run time can extend them, so an agent driving these tools cannot grant itself new commands. A command that is not on the relevant list is refused, and nothing runs. There is no shell mode anywhere in the suite — every dispatch is a direct argv launch.

The allowlist is platform-aware, so the tools are usable both on Unix / MSYS2 and on native Windows (no MSYS2 required): CORE is the suite’s own read-only ct-* tools, present on every OS, and NATIVE adds the host OS’s stock read-only utilities (coreutils on Unix; findstr/where/… on Windows). builtin is their union for the current platform. The platform split changes only which names are on the list; the no-shell, direct-argv guarantee is the same on every OS.

  • ct-test gates on builtin: read-only commands only.
  • ct-each gates through is_allowed_for_each: builtin plus ct-test (itself gated, so still read-only), and — only behind an explicit --mutating flag — the suite’s own MUTATING_SUITE tools, which carry their own --expect/--dry-run safety gates.

Gating is by program name (the file-name component of the command, with a Windows executable suffix like .exe stripped). It is a guard against unintended side effects, not a sandbox: it does not inspect arguments or resolve which binary a name ultimately runs.
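The following is an added, stand-alone illustration of the gating described above and of the gated_name / builtin / is_allowed / is_allowed_for_each items listed below. It is not the suite's own code: the list contents are constructed samples (only ct-search, ls, findstr and where are named on this page; ct-edit is a hypothetical mutating tool), and the platform is passed as a parameter so both OS branches can be exercised in one binary, whereas the real module fixes it at compile time.

```rust
use std::path::Path;

/// Host the lists are evaluated for. The real module picks this at compile
/// time; here it is a parameter so one binary can show both OSes.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Platform {
    Unix,
    Windows,
}

/// Constructed sample lists, not the real ones. Only `ct-search`, `ls`,
/// `findstr` and `where` are named on the documented page.
pub const CORE: &[&str] = &["ct-search"];
/// `find` is deliberately absent: `-delete`/`-exec` make it not read-only.
pub const NATIVE_UNIX: &[&str] = &["ls", "cat", "head", "wc"];
pub const NATIVE_WINDOWS: &[&str] = &["findstr", "where"];
/// Hypothetical name standing in for the real MUTATING_SUITE.
pub const MUTATING_SUITE: &[&str] = &["ct-edit"];

/// File-name component of `command`; on Windows a trailing .exe/.com/.bat/.cmd
/// (any case) is stripped. `ls`, `/bin/ls` and `./ls` all gate as `ls`.
pub fn gated_name(command: &str, platform: Platform) -> String {
    let file_name = match platform {
        // Windows accepts either separator.
        Platform::Windows => command.rsplit(|c| c == '/' || c == '\\').next().unwrap_or(""),
        // On Unix a backslash is an ordinary file-name byte.
        Platform::Unix => Path::new(command).file_name().and_then(|s| s.to_str()).unwrap_or(""),
    };
    let mut name = file_name.to_string();
    if platform == Platform::Windows {
        let lower = name.to_ascii_lowercase();
        for suffix in [".exe", ".com", ".bat", ".cmd"] {
            // Require something before the dot so ".exe" alone is not emptied.
            if lower.len() > suffix.len() && lower.ends_with(suffix) {
                name.truncate(name.len() - suffix.len());
                break;
            }
        }
    }
    name
}

/// ct-test's whole read-only allowlist for `platform`: CORE plus the host's NATIVE list.
pub fn builtin(platform: Platform) -> Vec<&'static str> {
    let native = match platform {
        Platform::Unix => NATIVE_UNIX,
        Platform::Windows => NATIVE_WINDOWS,
    };
    CORE.iter().chain(native.iter()).copied().collect()
}

/// ct-test's gate: read-only builtins only.
pub fn is_allowed(name: &str, platform: Platform) -> bool {
    builtin(platform).contains(&name)
}

/// ct-each's gate: builtins, plus ct-test (itself gated), plus the mutating
/// suite only when the caller passed --mutating.
pub fn is_allowed_for_each(name: &str, platform: Platform, mutating: bool) -> bool {
    is_allowed(name, platform) || name == "ct-test" || (mutating && MUTATING_SUITE.contains(&name))
}

/// What a dispatcher does with an argv: gate argv[0] by name and ignore the
/// rest. Ok carries the gated name to launch directly (no shell); Err carries
/// the refused name, and nothing runs.
pub fn check_each_dispatch(argv: &[&str], platform: Platform, mutating: bool) -> Result<String, String> {
    let program = match argv.first() {
        Some(p) => p,
        None => return Err(String::from("empty argv")),
    };
    let name = gated_name(program, platform);
    if is_allowed_for_each(&name, platform, mutating) {
        Ok(name)
    } else {
        Err(name)
    }
}

fn show(argv: &[&str], platform: Platform, mutating: bool) {
    match check_each_dispatch(argv, platform, mutating) {
        Ok(name) => println!("{argv:?} on {platform:?}: run {name} (direct argv)"),
        Err(name) => println!("{argv:?} on {platform:?}: refused {name}, nothing runs"),
    }
}

fn main() {
    show(&["/bin/ls", "-la"], Platform::Unix, false);
    show(&["./ct-search", "pattern"], Platform::Unix, false);
    show(&["sh", "-c", "ls"], Platform::Unix, false); // refused: there is no shell mode
    show(&["find", ".", "-delete"], Platform::Unix, false); // refused: not read-only
    show(&["ct-edit", "--expect", "x"], Platform::Unix, false); // refused without --mutating
    show(&["ct-edit", "--expect", "x"], Platform::Unix, true); // allowed behind --mutating
    show(&[r"C:\tools\ct-search.EXE", "p"], Platform::Windows, false);
    show(&["findstr.exe", "/i", "p"], Platform::Windows, false);
    show(&["ls"], Platform::Windows, false); // refused: ls is not in the Windows NATIVE list
}
```

Note what the example preserves from the text: arguments are never inspected, so `ls -la` and a hypothetical `ls --something-harmful` gate identically, and `./ls` gates as `ls` even though it names a sibling binary rather than the system one. That is the "guard, not a sandbox" caveat made concrete; a caller wanting stronger guarantees has to resolve the path and constrain arguments on top of this.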

Constants

CORE
The suite’s own read-only tools — the cross-platform core of the allowlist, present and resolvable on every OS.
MUTATING_SUITE
The suite’s mutating tools, runnable by ct-each only behind its explicit --mutating flag. Each carries its own --expect/--dry-run gates, so a dispatched edit still has to assert its own effect before writing.
NATIVE
The host OS’s stock read-only utilities, added to CORE. Deliberately small and conservative: names whose ordinary use has no side effects. (find is excluded: -delete/-exec make it not read-only.) There is no run-time mechanism to add to this list.

Functions

builtin
ct-test’s entire read-only allowlist for the current platform: the cross-platform CORE plus the OS’s NATIVE utilities. Returned as an owned list so callers can join/iterate it in messages.
gated_name
The program name the gates check for a command: its file-name component, so ls, /bin/ls, and ./ls all gate on ls. On Windows a trailing executable suffix (.exe/.com/.bat/.cmd, case-insensitive) is stripped, so an absolute or sibling path like ...\ct-search.exe gates as ct-search.
is_allowed
Whether name is on ct-test’s fixed read-only allowlist for the current platform (CORE plus the OS’s NATIVE utilities).
is_allowed_for_each
Whether name is a permitted ct-each dispatch target.