The command allow-gates behind the dispatching tools.
ct-test and ct-each can run another program, so each runs only
commands on a fixed, compiled-in list. The lists are intentionally static
and immutable: nothing a caller does at run time can extend them, so an
agent driving these tools cannot grant itself new commands. A command that
is not on the relevant list is refused, and nothing runs. There is no shell
mode anywhere in the suite — every dispatch is a direct argv launch.
The allowlist is platform-aware, so the tools are usable both on Unix /
MSYS2 and on native Windows (no MSYS2 required): CORE is the suite’s own
read-only ct-* tools, present on every OS, and NATIVE adds the host
OS’s stock read-only utilities (coreutils on Unix; findstr/where/… on
Windows). builtin is their union for the current platform. This changes
which names resolve per OS, not the no-shell, direct-argv guarantee.
- ct-test gates on builtin: read-only commands only.
- ct-each gates through is_allowed_for_each: builtin plus ct-test (itself gated, so still read-only), and — only behind an explicit --mutating flag — the suite’s own MUTATING_SUITE tools, which carry their own --expect / --dry-run safety gates.
Gating is by program name (the file-name component of the command, with
a Windows executable suffix like .exe stripped). It is a guard against
unintended side effects, not a sandbox: it does not inspect arguments or
resolve which binary a name ultimately runs.
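The name-based gating described above, as an added example that is not the suite's own code: it shows that any path whose file name is on a list passes, which is why the gate is a guard and not a sandbox. The list contents, the tool name ct-edit, and the function names gate_name, allowed_for_test and allowed_for_each are assumptions made for illustration.

```rust
// Added illustration only: list contents and function names are constructed,
// not the suite's real lists or API.
const CORE: &[&str] = &["ct-search"]; // assumed member
const NATIVE_UNIX: &[&str] = &["ls", "cat", "wc"]; // assumed; `find` deliberately absent
const NATIVE_WINDOWS: &[&str] = &["findstr", "where"];
const MUTATING: &[&str] = &["ct-edit"]; // hypothetical tool name

/// File-name component of `cmd`; on Windows an executable suffix is also stripped.
fn gate_name(cmd: &str, windows: bool) -> String {
    let base = cmd
        .rsplit(|c: char| c == '/' || (windows && c == '\\'))
        .next()
        .unwrap_or(cmd);
    if windows {
        let lower = base.to_ascii_lowercase();
        for ext in [".exe", ".com", ".bat", ".cmd"] {
            if lower.ends_with(ext) {
                return base[..base.len() - ext.len()].to_string();
            }
        }
    }
    base.to_string()
}

fn on(list: &[&str], name: &str) -> bool {
    list.contains(&name)
}

/// Read-only gate: CORE plus the platform's NATIVE list.
fn allowed_for_test(cmd: &str, windows: bool) -> bool {
    let native = if windows { NATIVE_WINDOWS } else { NATIVE_UNIX };
    let name = gate_name(cmd, windows);
    on(CORE, &name) || on(native, &name)
}

/// ct-each gate: the read-only list, ct-test, and (only with `mutating`) MUTATING.
fn allowed_for_each(cmd: &str, windows: bool, mutating: bool) -> bool {
    let name = gate_name(cmd, windows);
    allowed_for_test(cmd, windows) || name == "ct-test" || (mutating && on(MUTATING, &name))
}

fn main() {
    for cmd in ["ls", "/bin/ls", "./ls", "find", "ct-edit"] {
        println!("{}: test={} each={} each+mutating={}", cmd, allowed_for_test(cmd, false),
                 allowed_for_each(cmd, false, false), allowed_for_each(cmd, false, true));
    }
}
```

Because only the file name is compared, the decision is the same for ls, /bin/ls and ./ls; which binary actually runs is decided later by path resolution, outside the gate.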
Constants§
- CORE
- The suite’s own read-only tools — the cross-platform core of the allowlist, present and resolvable on every OS.
- MUTATING_SUITE
- The suite’s mutating tools, runnable by ct-each only behind its explicit --mutating flag. Each carries its own --expect / --dry-run gates, so a dispatched edit still has to assert its own effect before writing.
- NATIVE
- The host OS’s stock read-only utilities, added to CORE. Deliberately small and conservative: names whose ordinary use has no side effects. (find is excluded: -delete / -exec make it not read-only.) There is no run-time mechanism to add to this list.
Functions§
- builtin
- ct-test’s entire read-only allowlist for the current platform: the cross-platform CORE plus the OS’s NATIVE utilities. Returned as an owned list so callers can join/iterate it in messages.
- gated_name
- The program name the gates check for a command: its file-name component, so ls, /bin/ls, and ./ls all gate on ls. On Windows a trailing executable suffix (.exe/.com/.bat/.cmd, case-insensitive) is stripped, so an absolute or sibling path like ...\ct-search.exe gates as ct-search.
- is_allowed
- Whether name is on ct-test’s fixed read-only allowlist for the current platform (CORE plus the OS’s NATIVE utilities).
- is_allowed_for_each
- Whether name is a permitted ct-each dispatch target.