Struct ExtismLoader 

pub struct ExtismLoader { /* private fields */ }

Top-level Extism plugin loader.

Construct one per uni-db instance; the loader owns the HostFnRegistry (capability metadata) and a parallel map of the runtime-callable extism::Functions keyed by host-fn name. The metadata map exists unconditionally so embedders without extism-runtime can still introspect the host-fn surface; the runtime functions only materialize when the SDK feature is on.

Implementations

impl ExtismLoader

pub fn new() -> Self

Construct a fresh loader with an empty host-fn registry.

pub fn host_fns_mut(&mut self) -> &mut HostFnRegistry

Mutable access to the host-fn registry (metadata).

pub fn host_fns(&self) -> &HostFnRegistry

Shared access to the host-fn registry (metadata).

pub fn register_host_function(&mut self, spec: HostFnSpec, function: Function)

Register a host function with both its metadata and its concrete extism::Function implementation.

The function is invocable from any plugin whose effective capability set contains spec.required_capability (or any plugin, if required_capability is None). The capability filter runs at Self::build_plugin time — plugins that don’t pass the filter never see this function in their import table.

pub fn runtime_fn_count(&self) -> usize

Number of registered runtime functions. Diagnostic / test helper.

pub fn with_kms(self, kms: Arc<dyn KmsProvider>) -> Self

Attach a KMS provider backing uni_kms_* (builder style).

Pair with crate::host_svc::register_default_host_svc to register the metadata specs; the concrete functions are built per load with the effective grant set so call-time attenuation is enforced.

pub fn with_secret_store(self, store: Arc<SecretStore>) -> Self

Attach a secret store backing uni_secret_acquire (builder style).

pub fn with_http(self, http: Arc<dyn HttpEgress>) -> Self

Attach an HTTP egress backing uni_http_* (builder style).

pub fn prepare(&self, manifest_json: &[u8], grants: &CapabilitySet) -> Result<PreparedExtismPlugin, ExtismError>

Parse a manifest JSON blob (as the plugin’s manifest export returns) and filter the host-fn registry through the granted capability set.

This is the deterministic, sandbox-free portion of the M6a loader path: it doesn’t instantiate any wasm. The host can use the returned PreparedExtismPlugin to decide whether to proceed with full SDK instantiation, prompt the user for additional capability grants, or reject the load outright.

Errors

pub fn prepare_parsed(&self, manifest: ExtismPluginManifest, grants: &CapabilitySet) -> PreparedExtismPlugin

Intersect declared/granted capabilities for an already-parsed manifest, skipping the JSON round-trip.

Self::load reads the manifest export off a bootstrap plugin (parsed ExtismPluginManifest), then needs the combined cap-intersection and host-fn-allow-list result. The previous implementation re-serialized the parsed struct to JSON and called Self::prepare which deserialized it straight back — a wasteful round-trip whose only purpose was reusing the cap-intersection loop. This entry point preserves the loop and skips the (de)serialization.

pub fn build_plugin(&self, bytes: &[u8], prepared: &PreparedExtismPlugin) -> Result<Plugin, ExtismError>

Build an extism::Plugin from raw wasm bytes against a prepared capability set.

Capability-gated host functions are filtered through prepared.allowed_host_fns — fns whose required_capability is not in the plugin’s effective set are omitted from the plugin’s import table. This is the Extism analogue of Component Model’s linker absence: the plugin literally cannot resolve an unauthorized host fn at link time. Per proposal §5.6.2 this is the structural half of capability enforcement; the call-time pattern attenuation in each host_svc body (kms_allows / secret_allows / network_allows) is the defense-in-depth half.

Resource limits declared in the parsed manifest are applied to the underlying wasmtime config: memory_max_pages (linear memory cap), timeout_ms (per-call wall-clock), fuel_per_call (instruction budget). If a field is None, the host’s default (no cap) applies.

Errors
  • ExtismError::Instantiate if the wasm bytes fail to compile, link, or instantiate (invalid wasm, missing required imports, wasmtime errors).
  • ExtismError::Internal if a runtime function recorded in the registry’s allow-list is somehow absent from runtime_fns (should be unreachable; indicates a registry-state bug).

pub fn load(&self, bytes: &[u8], host_grants: &CapabilitySet, registrar: &mut PluginRegistrar<'_>) -> Result<LoadOutcome, ExtismError>

End-to-end load: read manifest, intersect with host grants, re-instantiate with effective caps, read register export, push adapters into the supplied uni_plugin::PluginRegistrar.

The two-pass dance is the proposal’s §5.6 contract: the host cannot know what capabilities the plugin needs until it reads the manifest export, and reading that export requires a built plugin. The first pass uses an empty grant set — the manifest export must be implementable without any capability-gated host fn, which is trivially true (it just returns JSON). The second pass rebuilds with the intersected grants and the register export is read against that.

The only registration kind currently supported is crate::exports::RegistrationEntry::Scalar; aggregate and procedure adapters land in M6a.2. Entries of unsupported kinds cause ExtismError::OutputDecode — better to fail loudly than silently ignore part of a plugin’s surface.
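The capability intersection, import-table filtering and two-pass load described for prepare, build_plugin and load, as a std-only model added here (not the crate's code, and no wasm is instantiated). ModelLoader, the host-fn names log, uni_http_get and uni_kms_sign, and the capability strings are hypothetical.

```rust
use std::collections::{BTreeMap, BTreeSet};
type Caps = BTreeSet<&'static str>;
type Imports = Vec<&'static str>;

/// Model only: metadata registry plus a parallel set of runtime-callable functions.
#[derive(Default)]
struct ModelLoader {
    specs: BTreeMap<&'static str, Option<&'static str>>, // host fn -> required capability
    runtime_fns: BTreeSet<&'static str>,                 // host fns that have a concrete body
}

impl ModelLoader {
    fn register(&mut self, name: &'static str, required: Option<&'static str>) {
        self.specs.insert(name, required);
        self.runtime_fns.insert(name);
    }
    /// Prepare step: effective = declared ∩ granted, then filter the registry through it.
    fn prepare(&self, declared: &Caps, granted: &Caps) -> Imports {
        let effective: Caps = declared.intersection(granted).copied().collect();
        self.specs.iter()
            .filter(|(_, req)| req.map_or(true, |cap| effective.contains(cap)))
            .map(|(name, _)| *name)
            .collect()
    }
    /// Build step: the import table holds only allowed fns; a missing body is a registry bug.
    fn build(&self, allowed: &[&'static str]) -> Result<Imports, String> {
        allowed.iter()
            .map(|n| self.runtime_fns.get(n).copied().ok_or(format!("internal: no runtime fn for {n}")))
            .collect()
    }
    /// Load: pass 1 links with an empty grant set (manifest read), pass 2 with the intersection.
    fn load(&self, declared: &Caps, host_grants: &Caps) -> Result<(Imports, Imports), String> {
        let pass1 = self.build(&self.prepare(&Caps::new(), &Caps::new()))?;
        let pass2 = self.build(&self.prepare(declared, host_grants))?;
        Ok((pass1, pass2))
    }
}

/// Constructed host-fn names and capability strings, not taken from the crate.
fn demo() -> (Imports, Imports) {
    let mut loader = ModelLoader::default();
    loader.register("log", None); // ungated: visible to every plugin
    loader.register("uni_http_get", Some("network"));
    loader.register("uni_kms_sign", Some("kms"));
    loader.register("uni_secret_acquire", Some("secret"));
    let declared: Caps = ["network", "kms"].into(); // what the manifest asks for
    let granted: Caps = ["network", "secret"].into(); // what the host offers
    loader.load(&declared, &granted).unwrap()
}

fn main() { println!("{:?}", demo()); }
```

In this model, pass 2 omits uni_secret_acquire although the host grants its capability, because the manifest never declared it, and omits uni_kms_sign because the host never granted it.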

Errors

Trait Implementations

impl Debug for ExtismLoader

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for ExtismLoader

fn default() -> ExtismLoader

Returns the “default value” for a type.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<ST, DT> CastableFrom<ST, Initialized, Initialized> for DT
where ST: ?Sized, DT: ?Sized,

impl<ST, DT> CastableFrom<ST, Uninit, Uninit> for DT
where ST: ?Sized, DT: ?Sized,

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> GetSetFdFlags for T

fn get_fd_flags(&self) -> Result<FdFlags, Error>
where T: AsFilelike,

Query the “status” flags for the self file descriptor.

fn new_set_fd_flags(&self, fd_flags: FdFlags) -> Result<SetFdFlags<T>, Error>
where T: AsFilelike,

Create a new SetFdFlags value for use with set_fd_flags.

fn set_fd_flags(&mut self, set_fd_flags: SetFdFlags<T>) -> Result<(), Error>
where T: Sized + AsFilelike,

Set the “status” flags for the self file descriptor.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.

impl<T> PluginState for T
where T: Send + Sync + 'static,

impl<T> Pointable for T

const ALIGN: usize

The alignment of pointer.

type Init = T

The type for initializers.

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer.

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer.

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer.

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer.

impl<T> Pointee for T

type Pointer = u32

fn debug(pointer: <T as Pointee>::Pointer, f: &mut Formatter<'_>) -> Result<(), Error>

impl<T> PolicyExt for T
where T: ?Sized,

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Sized + Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow.

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Sized + Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow.

impl<T> Read<Exclusive, BecauseExclusive> for T
where T: ?Sized,

impl<T> Same for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.