The command allow-gates behind the dispatching tools.
ct-test and ct-each can run another program, so each runs only
commands on a fixed, compiled-in list. The lists are intentionally static
and immutable: nothing a caller does at run time can extend them, so an
agent driving these tools cannot grant itself new commands. A command that
is not on the relevant list is refused, and nothing runs. There is no shell
mode anywhere in the suite — every dispatch is a direct argv launch.
- ct-test gates on BUILTIN: read-only commands only.
- ct-each gates through is_allowed_for_each: BUILTIN plus ct-test (itself gated, so still read-only), and — only behind an explicit --mutating flag — the suite’s own MUTATING_SUITE tools, which carry their own --expect/--dry-run safety gates.
Gating is by program name (the file-name component of the command). It is a guard against unintended side effects, not a sandbox: it does not inspect arguments or resolve which binary a name ultimately runs.
Constants
- BUILTIN: Commands trusted as read-only — ct-test’s entire, fixed allowlist.
- MUTATING_SUITE: The suite’s mutating tools, runnable by ct-each only behind its explicit --mutating flag. Each carries its own --expect/--dry-run gates, so a dispatched edit still has to assert its own effect before writing.
Functions
- gated_name: The program name the gates check for a command: its file-name component, so ls, /bin/ls, and ./ls all gate on ls.
- is_allowed: Whether name is on ct-test’s fixed read-only allowlist.
- is_allowed_for_each: Whether name is a permitted ct-each dispatch target.
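
The gate described above, as an added Rust example that is not the crate's own code: the function and constant names come from this page, while the signatures, the boolean mutating parameter, the dispatch_allowed helper and the list contents are assumptions constructed for illustration. It shows that the decision is made on the file-name component alone, so ls, /bin/ls and ./ls are treated identically.

```rust
use std::path::Path;

// Constructed sample lists: the real contents of BUILTIN and MUTATING_SUITE
// are not shown on this page. Both are compile-time constants, so nothing
// at run time can extend them.
const BUILTIN: &[&str] = &["ls", "cat", "grep"];
const MUTATING_SUITE: &[&str] = &["ct-edit-example"]; // hypothetical tool name

/// The name the gates check: the file-name component of the command.
/// Returns None when there is no file name (for example "" or "..").
fn gated_name(command: &str) -> Option<&str> {
    Path::new(command).file_name()?.to_str()
}

/// ct-test gate: the name must be on the read-only list.
fn is_allowed(name: &str) -> bool {
    BUILTIN.contains(&name)
}

/// ct-each gate (assumed signature): BUILTIN plus ct-test, and the mutating
/// suite tools only when the caller passed --mutating.
fn is_allowed_for_each(name: &str, mutating: bool) -> bool {
    is_allowed(name) || name == "ct-test" || (mutating && MUTATING_SUITE.contains(&name))
}

/// Hypothetical helper: the ct-each decision for a command as typed.
/// A command with no file-name component is refused.
fn dispatch_allowed(command: &str, mutating: bool) -> bool {
    gated_name(command).map_or(false, |name| is_allowed_for_each(name, mutating))
}

fn main() {
    // Constructed commands. The gate sees only the name: "./ls" passes like
    // "ls" even though it may resolve to a different binary, and arguments
    // are never inspected.
    let samples = [
        ("ls", false), ("/bin/ls", false), ("./ls", false), ("sh", false),
        ("ct-test", false), ("ct-edit-example", false), ("ct-edit-example", true),
    ];
    for &(cmd, mutating) in &samples {
        let verdict = if dispatch_allowed(cmd, mutating) { "run" } else { "refuse" };
        println!("{:<16} --mutating={:<5} -> {}", cmd, mutating, verdict);
    }
}
```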