Struct Grant
pub struct Grant {
    pub filesystem: Level,
    pub network: Level,
    pub exec: Level,
}

A capability grant: one Level per Dimension. This is the trust manifest’s core payload. As a product of totally-ordered dimensions it forms a lattice under componentwise ordering, with Grant::bottom (deny everything) and Grant::top (the most dangerous config — sudo + open internet, design doc §3) as the extremes.

Fields

filesystem: Level
network: Level
exec: Level

Implementations

impl Grant

pub fn new(filesystem: Level, network: Level, exec: Level) -> Self

pub fn bottom() -> Self

Deny everything — the lattice bottom. The default starting point for the narrowest-possible grant (design doc §5.1): every ungranted effect is physically absent.

pub fn top() -> Self

Grant everything — the lattice top. sudo + open internet; the single most dangerous config. Never the default.

pub fn level(&self, dim: Dimension) -> Level

pub fn leq(&self, other: &Grant) -> bool

self ≤ other: self grants no more authority than other on any dimension. This is the subtyping relation over the trust lattice — a narrower grant is a subtype of a wider one.

pub fn join(&self, other: &Grant) -> Grant

Componentwise join (least upper bound).

pub fn meet(&self, other: &Grant) -> Grant

Componentwise meet (greatest lower bound).

pub fn narrow(parent: &Grant, child: &Grant) -> Result<Grant, TrustError>

Narrowing-as-subtyping (design doc §7.1, “the narrowing invariant becomes a type property”). A child manifest is only well-formed if it narrows its parent on every dimension; any widening is rejected here — the inheritance equivalent of a type error. On success returns the (validated) child grant.
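The lattice operations and the narrowing check described above, as an added example that is not the crate's own code. The Level variants and their ranks (None < ReadOnly < Full) and the shape of TrustError are assumptions made for this illustration; only the total order on each dimension matters.

```rust
// Added example (not the crate's own code): a model of the Grant lattice
// with leq / join / meet and the narrowing check. The Level variants, their
// ranks and the TrustError shape are assumptions; only the order matters.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Level { None, ReadOnly, Full }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Grant { pub filesystem: Level, pub network: Level, pub exec: Level }

/// Assumed error shape: which dimension widened, and the two levels involved.
#[derive(Debug, PartialEq, Eq)]
pub enum TrustError { Widened { dim: &'static str, parent: Level, child: Level } }

impl Grant {
    pub fn new(filesystem: Level, network: Level, exec: Level) -> Self {
        Grant { filesystem, network, exec }
    }
    pub fn bottom() -> Self { Self::new(Level::None, Level::None, Level::None) }
    pub fn top() -> Self { Self::new(Level::Full, Level::Full, Level::Full) }
    /// Componentwise ordering: self <= other iff no dimension of self exceeds other.
    pub fn leq(&self, other: &Grant) -> bool {
        self.filesystem <= other.filesystem
            && self.network <= other.network
            && self.exec <= other.exec
    }
    /// Least upper bound: the max on every dimension.
    pub fn join(&self, o: &Grant) -> Grant {
        Self::new(self.filesystem.max(o.filesystem), self.network.max(o.network), self.exec.max(o.exec))
    }
    /// Greatest lower bound: the min on every dimension.
    pub fn meet(&self, o: &Grant) -> Grant {
        Self::new(self.filesystem.min(o.filesystem), self.network.min(o.network), self.exec.min(o.exec))
    }
    /// Narrowing-as-subtyping: the child is well-formed only if child <= parent.
    /// The first widened dimension is reported as the error.
    pub fn narrow(parent: &Grant, child: &Grant) -> Result<Grant, TrustError> {
        let dims = [
            ("filesystem", parent.filesystem, child.filesystem),
            ("network", parent.network, child.network),
            ("exec", parent.exec, child.exec),
        ];
        for (dim, p, c) in dims {
            if c > p {
                return Err(TrustError::Widened { dim, parent: p, child: c });
            }
        }
        Ok(*child)
    }
}
```

Two incomparable grants (read-only filesystem vs. network only) show why this is a lattice rather than a single chain: neither narrows the other, but their join and meet are well-defined.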

pub fn permits_effect(&self, effect: &EffectKind) -> bool

Does this grant permit a single effect? Effects are mapped to a dimension and the minimum level they require via effect_requirement; effects outside the trust vocabulary (pure compute, logging, time, rng) are always permitted.

pub fn permits_effects(&self, effects: &EffectSet) -> Result<(), TrustError>

Check every concrete effect in a set against the grant. This is the bridge that makes “code calling a net effect won’t type-check under a network: none grant” true (design doc §7). Returns the first offending effect as a TrustError.

pub fn permits_effects_with_allowlist(&self, effects: &EffectSet, allowlist: &[String]) -> Result<(), TrustError>

Like Self::permits_effects but resolves network egress against an explicit host allowlist (the lex-os manifest’s egress rules — design doc demo grant network: none EXCEPT results.demo.internal). The allowlist is authoritative for network: a host-scoped net("h") effect is permitted iff the grant’s network is Full, or h matches an allowlist entry — regardless of the coarse network level, so an allowlist can carve exceptions into an otherwise-none network. An unscoped [net] is permitted only under Full (it cannot be proven to stay within the allowlist). Non-network effects use the same level check as Self::permits_effects.
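The effect checks of permits_effect and permits_effects_with_allowlist, as an added example that is not the crate's own code. The EffectKind variants, the requirement table, exact host-string matching and EffectSet modelled as a slice are all assumptions; the page gives the rules but not these concrete types.

```rust
// Added example (not the crate's own code): effect checking against a Grant
// with a host allowlist. The EffectKind variants, the requirement table and
// exact host matching are assumptions; EffectSet is modelled as a slice.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Level { None, ReadOnly, Full }
/// Net(Some(host)) is a host-scoped net("h") effect, Net(None) an unscoped
/// [net]; Log stands for effects outside the trust vocabulary.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum EffectKind { FsRead, FsWrite, Net(Option<String>), Exec, Log }
#[derive(Debug, PartialEq, Eq)]
pub enum TrustError { Denied(EffectKind) }
pub struct Grant { pub filesystem: Level, pub network: Level, pub exec: Level }

impl Grant {
    /// Assumed requirement table: (granted level on the effect's dimension,
    /// minimum level required), or None for effects outside the vocabulary.
    fn requirement(&self, effect: &EffectKind) -> Option<(Level, Level)> {
        match effect {
            EffectKind::FsRead => Some((self.filesystem, Level::ReadOnly)),
            EffectKind::FsWrite => Some((self.filesystem, Level::Full)),
            EffectKind::Net(_) => Some((self.network, Level::Full)),
            EffectKind::Exec => Some((self.exec, Level::Full)),
            EffectKind::Log => None,
        }
    }
    /// Coarse level check: the permits_effect rule.
    pub fn permits_effect(&self, effect: &EffectKind) -> bool {
        self.requirement(effect).map_or(true, |(granted, required)| granted >= required)
    }
    /// Network egress is resolved against the allowlist: host-scoped needs Full
    /// network or a listed host; unscoped needs Full (it cannot be proven to stay
    /// within the allowlist). Other effects use the coarse check; first failure wins.
    pub fn permits_effects_with_allowlist(
        &self, effects: &[EffectKind], allowlist: &[String],
    ) -> Result<(), TrustError> {
        for e in effects {
            let ok = match e {
                EffectKind::Net(Some(host)) => {
                    self.network == Level::Full || allowlist.iter().any(|h| h == host)
                }
                EffectKind::Net(None) => self.network == Level::Full,
                other => self.permits_effect(other),
            };
            if !ok { return Err(TrustError::Denied(e.clone())); }
        }
        Ok(())
    }
}
```

Note that under a network: none grant the host-scoped effect fails the coarse permits_effect check but passes the allowlist check when the host is listed, which is exactly the exception-carving behaviour the doc describes.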

pub fn pretty(&self) -> String

Canonical one-line rendering, e.g. fs=read-only net=none exec=none.

pub fn content_id(&self) -> GrantId

Content-addressed identity of the grant. The bytes hashed are a stable canonical form (dimension order is fixed, ranks not enum names), so a GrantId is reproducible across processes and languages — the manifest stays hashable exactly as AgentSpec required (design doc §7.4). Two grants with the same authority hash identically even if spelled with different aliases (Sandboxed vs ReadOnly).

Trait Implementations

impl Clone for Grant

fn clone(&self) -> Grant

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Copy for Grant

impl Debug for Grant

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for Grant

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Display for Grant

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Eq for Grant

impl PartialEq for Grant

fn eq(&self, other: &Grant) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for Grant

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for Grant

Auto Trait Implementations

impl Freeze for Grant

impl RefUnwindSafe for Grant

impl Send for Grant

impl Sync for Grant

impl Unpin for Grant

impl UnsafeUnpin for Grant

impl UnwindSafe for Grant

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest.

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T> ToString for T
where T: Display + ?Sized,

fn to_string(&self) -> String

Converts the given value to a String.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.