Module lua 

Sandboxed LuaJIT plugin runtime.

[SEC] Doctrine 4 (“Plugins are sandboxed”) is enforced here, not just aspirationally. The VM is constructed with a filtered stdlib, dangerous os/package entries are neutralised, memory and instruction caps are wired in. Plugins that try os.execute, io.popen, package.loadlib or debug.* get a hard error rather than a foothold to read your SSH keys.

[HAZMAT] If you change setup_safe_stdlib, audit every callable returned to Lua. A single dangling os.exit or io.open defeats the sandbox for the entire VM.

Structs

LuaPlugin

A sandboxed LuaJIT plugin instance.

LuaPluginOptions

Tunable knobs for a LuaPlugin VM.

SoberHost

Host-provided Sober capability handle.

SoberInvocation

Request passed from Lua sober.run(action, opts) to the host.

SoberInvocationResult

Result returned by the host-backed Sober capability.