Module capability 

Plugin capabilities — declared in manifest, granted at load time.

A Capability is the unit of permission in the plugin framework. Every extension surface (Capability::ScalarFn, Capability::Storage, …) is gated by a capability; every host import that exposes powerful primitives (network, filesystem, secrets, host-side query) is gated by an attenuated capability (Capability::Network { allow }).

Enforcement happens in three layers:

1. Registrar gate — PluginRegistrar::scalar_fn etc. check the effective capability set before accepting a registration.
2. WIT linker — for WASM plugins, host imports for capability-gated functions are linked into the wasmtime Linker only when the corresponding capability is granted. Ungranted host functions are not present in the plugin’s imports table.
3. Runtime pattern checks — capability grants with patterns (Filesystem { read: vec!["/data/**"] }) validate the actual call arguments against the pattern before dispatching.

Structs

CapabilitySet

A set of capabilities — declared by manifest, granted by loader.

ManifestCapability

A capability as it appears in a guest plugin manifest (WASM / Extism) — either a bare capability name ("network", "scalar-fn") or a structured object carrying attenuation patterns ({"kind":"network","allow":["https://api.example/**"]}).

Enums

Capability

A single permission grant.

Determinism

Determinism characterization — drives planner caching and hoisting.

LockGranularity

Granularity of lock-capability grants.

Scope

Lifetime scope of a plugin’s registrations.

SideEffects

Declared side-effects of a plugin.