Trait CapabilityGate 

pub trait CapabilityGate: Send + Sync {
    // Required method
    fn check(&self, cap: CapabilityBit) -> Result<(), CapabilityBit>;

    // Provided method
    fn check_gate(&self, gate: &NativeFnGate) -> Result<(), CapabilityBit> { ... }
}

Single source of capability-policy truth for evaluator backends.

Implementations answer “is this capability bit granted for the current evaluation context?”. The default impl on Capabilities reads the per-bit boolean fields; hosts can wrap the default with auditing / trust-level layers by writing their own impl.

The trait is intentionally minimal: one method, immutable receiver, no async, no allocations. Backends must be able to call this on hot paths (every native-fn dispatch for the tree-walker; once per run_main for cranelift) without contention.

Required Methods

fn check(&self, cap: CapabilityBit) -> Result<(), CapabilityBit>

Return Ok(()) if the bit is granted; Err(cap) carrying the denied bit otherwise.

Provided Methods

fn check_gate(&self, gate: &NativeFnGate) -> Result<(), CapabilityBit>

Check every bit set on gate, short-circuit on the first denial. Returns Ok(()) when the gate is fully satisfied — the canonical “may this native fn dispatch” question.

The default impl walks the bits in NativeFnGate::missing_bits order so the failing bit matches the tree-walker’s historical “first-missing” diagnostic shape. Implementations that want a different reporting order should override.

Dyn Compatibility

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors

impl CapabilityGate for Capabilities

Default gate implementation: consult the per-bit booleans on a Capabilities snapshot.

&Capabilities is the natural carrier on the tree-walker path — the Context already owns one. The cranelift backend constructs its CapabilityVtable from this gate as well, so the two paths share the exact same policy.