
Struct Capabilities 

#[non_exhaustive]
pub struct Capabilities {
    pub reads_fs: bool,
    pub writes_fs: bool,
    pub network: bool,
    pub reads_clock: bool,
    pub reads_env: bool,
    pub uses_rng: bool,
    pub max_steps: Option<u64>,
    pub max_value_elements: Option<usize>,
}

Context-wide sandbox policy the host hands the evaluator. The per-bit booleans are the capabilities the host grants; per-function requirements live on NativeFnGate. A call goes through iff every bit declared on the fn’s gate is also set here — there is no per-name allowlist or global short-circuit, so a successful call proves that every bit on its gate was granted.

Beyond the capability bits, this struct also carries the runtime resource budgets (max_steps, max_value_elements) the evaluator enforces. The analyzer’s static reachability check only reads the capability bits and ignores the budgets, but they live on the same struct so the evaluator’s Context keeps a single sandbox-policy carrier (the budgets are Option<_> defaulting to “unbounded”, so a Capabilities built purely for the analyzer is unaffected).

#[non_exhaustive]: future capability bits are added here without a breaking semver bump. External callers should prefer constructing via Capabilities::default / Capabilities::all_granted and mutating fields rather than relying on field-order struct literals.

Fields (Non-exhaustive)

This struct is marked as non-exhaustive
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.
reads_fs: bool

Filesystem reads (host fn that calls std::fs::read*, also the policy bit consulted by FilesystemModuleResolver).

writes_fs: bool

Filesystem writes (host fn that calls std::fs::write* / OpenOptions::write / create_dir* / remove_*).

network: bool

Network access (sockets, HTTP clients, DNS).

reads_clock: bool

Wall / monotonic clock reads (SystemTime::now, Instant::now).

reads_env: bool

Process environment reads (std::env::var, args, etc.).

uses_rng: bool

Random number generation (any non-deterministic source).

max_steps: Option<u64>

Maximum number of AST nodes to process before aborting. None is unbounded. Consulted only by the evaluator; the analyzer ignores it.

max_value_elements: Option<usize>

Maximum number of elements in a single List or Dict. None is unbounded. Consulted only by the evaluator; the analyzer ignores it.

Implementations

impl Capabilities

pub fn all_granted() -> Capabilities

Audit-visible “grant everything” preset: every capability bit set to true, no step / value-size budget. The spec forbids an implicit Context::trusted()-style shortcut; hosts that need a full grant must call this and read the resulting Capabilities as data. See docs/zh/guide/spec.md §4.2.

Note: opening filesystem reads also requires installing a non-rejecting FilesystemModuleResolver. The reads_fs flag is the policy bit; the resolver is the machinery that enforces it.

Trait Implementations

impl CapabilityGate for Capabilities

Default gate implementation: consult the per-bit booleans on a Capabilities snapshot.

&Capabilities is the natural carrier on the tree-walker path — the Context already owns one. The cranelift backend constructs its CapabilityVtable from this gate as well, so the two paths share the exact same policy.

fn check(&self, cap: CapabilityBit) -> Result<(), CapabilityBit>

Return Ok(()) if the bit is granted; Err(cap) carrying the denied bit otherwise.
fn check_gate(&self, gate: &NativeFnGate) -> Result<(), CapabilityBit>

Check every bit set on gate, short-circuit on the first denial. Returns Ok(()) when the gate is fully satisfied — the canonical “may this native fn dispatch” question.
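A stand-alone Rust model of the gating rule described in the struct docs and in check / check_gate above (an added example, not the crate's own code): the CapabilityBit variants, the set-backed NativeFnGate and the fetch_and_cache gate are stand-ins chosen for this example, and it shows that a deny-all default reports the first missing bit, that granting some but not all bits still fails, and that the budgets play no part in gating.

```rust
// Stand-alone model of the gating rule documented above (stand-in types, not the crate's own):
// a native fn dispatches iff every bit on its gate is granted; the first denied bit is reported.
use std::collections::BTreeSet;

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum CapabilityBit { ReadsFs, WritesFs, Network, ReadsClock, ReadsEnv, UsesRng }

/// Host-granted policy: every bit defaults to denied, budgets to unbounded.
#[derive(Clone, Debug, Default)]
pub struct Capabilities {
    pub reads_fs: bool, pub writes_fs: bool, pub network: bool,
    pub reads_clock: bool, pub reads_env: bool, pub uses_rng: bool,
    pub max_steps: Option<u64>, pub max_value_elements: Option<usize>,
}

/// Per-function requirements: the set of bits a native fn needs (iterated in enum order).
pub struct NativeFnGate(pub BTreeSet<CapabilityBit>);

impl Capabilities {
    /// Audit-visible "grant everything" preset: all bits on, no budgets.
    pub fn all_granted() -> Self {
        Capabilities { reads_fs: true, writes_fs: true, network: true, reads_clock: true,
            reads_env: true, uses_rng: true, max_steps: None, max_value_elements: None }
    }
    /// Ok(()) if the single bit is granted, Err(bit) carrying the denied bit otherwise.
    pub fn check(&self, cap: CapabilityBit) -> Result<(), CapabilityBit> {
        let granted = match cap {
            CapabilityBit::ReadsFs => self.reads_fs, CapabilityBit::WritesFs => self.writes_fs,
            CapabilityBit::Network => self.network, CapabilityBit::ReadsClock => self.reads_clock,
            CapabilityBit::ReadsEnv => self.reads_env, CapabilityBit::UsesRng => self.uses_rng,
        };
        if granted { Ok(()) } else { Err(cap) }
    }
    /// Every bit on the gate must pass; short-circuits on the first denial.
    pub fn check_gate(&self, gate: &NativeFnGate) -> Result<(), CapabilityBit> {
        gate.0.iter().try_for_each(|&bit| self.check(bit))
    }
}
/// Gate for a hypothetical `fetch_and_cache` native fn: needs network plus fs writes.
pub fn fetch_gate() -> NativeFnGate {
    NativeFnGate([CapabilityBit::Network, CapabilityBit::WritesFs].iter().copied().collect())
}
fn main() {
    let mut caps = Capabilities::default(); // deny-all: WritesFs (first in enum order) is reported
    assert_eq!(caps.check_gate(&fetch_gate()), Err(CapabilityBit::WritesFs));
    caps.writes_fs = true; // one bit granted is not enough; the remaining denial surfaces
    assert_eq!(caps.check_gate(&fetch_gate()), Err(CapabilityBit::Network));
    caps.network = true; caps.max_steps = Some(10); // budgets never affect gating
    assert_eq!(caps.check_gate(&fetch_gate()), Ok(()));
}
```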
impl Clone for Capabilities

fn clone(&self) -> Capabilities

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Capabilities

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl Default for Capabilities

fn default() -> Capabilities

Returns the “default value” for a type.

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.
impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

This is a nightly-only experimental API (clone_to_uninit).
Performs copy-assignment from self to dest.
impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.
impl<T> Pointable for T

const ALIGN: usize

The alignment of the pointer.

type Init = T

The type for initializers.

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a value with the given initializer.

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer.

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer.

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer.
impl<T> Same for T

type Output = T

Should always be Self.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.