Nix-based executor for synthesized stages.
Runs stage implementations as subprocesses using nix run nixpkgs#<runtime>,
giving a reproducible, Nix-pinned runtime for Python/JavaScript/Bash code
without requiring any ambient language runtime on the host.
This is a reproducibility boundary, not an isolation boundary. Stages run with the privileges of the host user — they can read/write the filesystem, make arbitrary network calls, and read environment variables. Do not execute untrusted stages on a host with credentials you are not willing to risk. See SECURITY.md for the full trust model.
§Execution protocol
- stdin → JSON-encoded input value followed by a newline
- stdout → JSON-encoded output value followed by a newline
- stderr → error message (any content is treated as failure)
- exit 0 → success; exit non-zero → ExecutionError::StageFailed
§Timeout
Every execution is bounded by NixConfig::timeout_secs (default 30 s).
When the child process exceeds the limit it is sent SIGKILL and the call
returns ExecutionError::TimedOut.
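Added example (not the crate's own code): the host side of the protocol and timeout rules above, written in Python around the wrapper text this page shows under "Generated wrapper". `run_stage`, `StageFailed` and `TimedOut` are hypothetical names mirroring the ExecutionError variants, `sys.executable` stands in for `nix run nixpkgs#<runtime>`, and mapping stderr output on exit 0 or unparsable stdout to `StageFailed` is an assumption.

```python
import json
import subprocess
import sys

# Wrapper text as shown on the page, with the user code spliced in.
WRAPPER = """import sys, json as _json
{user_code}
if __name__ == '__main__':
    try:
        _output = execute(_json.loads(sys.stdin.read()))
        print(_json.dumps(_output))
    except Exception as e:
        print(str(e), file=sys.stderr)
        sys.exit(1)
"""

class StageFailed(Exception):
    """Hypothetical stand-in for ExecutionError::StageFailed."""

class TimedOut(Exception):
    """Hypothetical stand-in for ExecutionError::TimedOut."""

def run_stage(user_code, input_value, timeout_secs=30):
    # Assumption: sys.executable replaces `nix run nixpkgs#<runtime>` so this runs offline.
    cmd = [sys.executable, "-c", WRAPPER.format(user_code=user_code)]
    try:
        proc = subprocess.run(cmd, input=json.dumps(input_value) + "\n",
                              capture_output=True, text=True, timeout=timeout_secs)
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child (SIGKILL on POSIX).
        raise TimedOut(f"stage exceeded {timeout_secs} s") from None
    if proc.returncode != 0:
        raise StageFailed(f"exit {proc.returncode}: {proc.stderr.strip()}")
    if proc.stderr:
        # Page rule: any stderr content is a failure, even with exit 0.
        raise StageFailed(f"stderr output: {proc.stderr.strip()}")
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError as err:
        # A stage that prints debug text to stdout corrupts the reply.
        raise StageFailed(f"stdout is not one JSON value: {err}") from None

# Constructed sample stages, one per outcome.
OK_STAGE = "def execute(v):\n    return {'sum': sum(v['xs'])}"
NOISY_STAGE = "def execute(v):\n    print('warn', file=sys.stderr)\n    return v"
CHATTY_STAGE = "def execute(v):\n    print('debug')\n    return v"
SLOW_STAGE = "import time\ndef execute(v):\n    time.sleep(10)\n    return v"
```

The child still runs with the caller's full privileges and environment here, as it does under the Nix executor; the harness enforces the protocol, not isolation.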
§Generated wrapper (Python example)
import sys, json as _json
# ---- user code ----
def execute(input_value):
    ...
# -------------------
if __name__ == '__main__':
    try:
        _output = execute(_json.loads(sys.stdin.read()))
        print(_json.dumps(_output))
    except Exception as e:
        print(str(e), file=sys.stderr)
        sys.exit(1)
§Structs
- NixConfig: Tunable knobs for the NixExecutor.
- NixExecutor: Executor that runs synthesized stages through Nix-managed language runtimes.