L1 · the per-session capability profile, the named lattice, `clamp` (gate meet), `validate-profile!`, and `sci-opts` (profile → the map passed to sci/init). Capability is DENIED BY DEFAULT (04): the SCI ctx grants nothing except what the profile explicitly injects/whitelists. Takes the host-fn impls (FINAL/inspect[/lm/rlm]) as DATA, so it never depends on the kernel. Gated IO (slurp/spit/sh/file-seq/io.reader/…) and the engine fns are injected into `clojure.core`, so they are available unqualified AND survive a model `(in-ns …)` (the §7 'gated slurp shadow survives in-ns' guarantee — SCI has no built-in slurp to revert to, and a clojure.core var is referred by every ns).
(clamp a b)

The MEET of two profiles — the more restrictive of each gate (04 §3). `clamp(parent, child)` is the universal inherit-and-clamp for every spawn / per-session override.
The :default catalog grant: clojure.core + the SCI-default text namespaces + the copy-ns'd extras. (string/edn/set/walk are SCI built-ins; pprint/data/ zip/core.protocols are injected via copy-ns, below.)
(default-profile)

The RLM workhorse: reads the work area (the thesis needs easy file reads), gates writes/network/shell. lm/rlm injected (Phase 3 uses them).
Symbols the model may NEVER call (04 §5). `*read-eval*` stays false (SCI default) so `#=` is already blocked — there is no read-string-with-eval symbol to deny, and `binding` is deliberately NOT denied.
(locked-down)

Maximum sandbox: no fs/shell/network, no interop, no lm/rlm egress.
(profile<=? a b)

True iff `a` is at least as restrictive as `b` on EVERY gate (the per-gate restrictiveness lattice, 04 §3) — the predicate that rejects a loosening override.
(resolve-override base override)

Resolve a per-session capability override against the cfg base: REJECT it if it loosens any gate beyond the base, else return clamp(base, override) (04 §3, §4).
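The gate-meet lattice behind `clamp`, `profile<=?` and `resolve-override`, as an added stand-alone illustration (not the library's own code): the gate names, the three levels and their ranking are assumptions, and so is the rule that gates omitted from an override inherit from the base.

```clojure
(ns capability-lattice-demo)

;; Gate names, the three levels and their ranking are assumptions for this
;; illustration; the real profile keys are not shown on the page.
(def gates [:fs-read :fs-write :shell :network])
(def level {:deny 0, :work-area 1, :all 2})   ; lower rank = more restrictive

(def locked-down     (zipmap gates (repeat :deny)))
(def default-profile {:fs-read :work-area, :fs-write :deny, :shell :deny, :network :deny})
(def trusted         {:fs-read :all, :fs-write :work-area, :shell :all, :network :all})

(defn gate-meet
  "The more restrictive of two gate values."
  [x y]
  (if (<= (level x) (level y)) x y))

(defn clamp
  "Per-gate meet: the child can never end up looser than the parent."
  [parent child]
  (into {} (map (fn [g] [g (gate-meet (parent g) (child g))]) gates)))

(defn profile<=?
  "True iff a is at least as restrictive as b on every gate."
  [a b]
  (every? (fn [g] (<= (level (a g)) (level (b g)))) gates))

(defn resolve-override
  "Gates omitted from the override inherit from base (assumption). Any gate the
  override would loosen past the base is reported and the whole override is
  rejected; otherwise the clamped profile is returned."
  [base override]
  (let [wanted   (merge base override)
        loosened (remove #(<= (level (wanted %)) (level (base %))) gates)]
    (if (seq loosened)
      (throw (ex-info "override loosens gates beyond the base" {:loosened (vec loosened)}))
      (clamp base wanted))))

;; Self-checks: clamping trusted by default yields default; locked-down sits
;; below everything; tightening is accepted, loosening is refused.
(assert (= default-profile (clamp trusted default-profile)))
(assert (profile<=? locked-down trusted))
(assert (not (profile<=? trusted default-profile)))
(assert (= :deny (:fs-read (resolve-override default-profile {:fs-read :deny}))))
(assert (= [:shell]
           (try (resolve-override default-profile {:shell :all})
                (catch clojure.lang.ExceptionInfo e (:loosened (ex-data e))))))
```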
(resolve-profile name-or-value)

A keyword → its named profile value; a map → itself.
Genuinely non-exec / non-net / non-write tools (04 §2). Every interpreter and -exec/-write tool is excluded — they would defeat the gate.
(sci-opts profile engine-fn-impls)
(sci-opts profile engine-fn-impls surface-namespaces)

Map a validated profile + engine-fn impls onto the options passed to sci/init (03, 04 §2). Engine fns + gated IO live in clojure.core; the copy-ns'd catalog namespaces are emitted iff granted; classes are an explicit finite whitelist (never :all); the deny set + `*read-eval* false` close the remaining holes.
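An added example of the deny-by-default mapping and of the 'gated slurp shadow survives in-ns' guarantee from the namespace docstring; it is not the project's `sci-opts`. It assumes SCI (`sci.core`) on the classpath, a work-area root of `/tmp/work`, and an illustrative deny set, none of which come from the page.

```clojure
(ns gated-slurp-demo
  (:require [sci.core :as sci]
            [clojure.java.io :as io]))

;; Work-area root is an assumption for this illustration.
(def work-area (.getCanonicalPath (io/file "/tmp/work")))

(defn gated-slurp
  "Host-side fs-read gate: only files under the work area are served.
  Canonicalising first resolves .. segments and symlinks before the check."
  [path]
  (let [canon (.getCanonicalPath (io/file (str path)))]
    (if (.startsWith canon (str work-area java.io.File/separator))
      (slurp canon)
      (throw (ex-info "fs-read denied: outside work area" {:path (str path)})))))

(def ctx
  (sci/init {;; injected into clojure.core: unqualified, and referred by every ns
             :namespaces {'clojure.core {'slurp gated-slurp}}
             ;; explicit finite class whitelist (here: nothing), never :all
             :classes    {}
             ;; illustrative deny set; the page's real list is not shown
             :deny       '[eval load-string]}))

(defn model-slurp
  "Evaluate model code that switches namespace first and then calls slurp
  unqualified. Returns the file text, or the gate's message when refused."
  [path]
  (try
    (sci/eval-string* ctx (str "(in-ns 'scratch) (slurp " (pr-str path) ")"))
    (catch Exception e (ex-message e))))

(comment
  (model-slurp "/tmp/work/notes.txt")   ; file contents, if the file exists
  (model-slurp "/etc/hostname")         ; "fs-read denied: outside work area"
  )
```

Because SCI has no built-in `slurp`, the `(in-ns 'scratch)` has nothing to fall back to: the only `slurp` the new namespace can refer is the gated clojure.core var.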
(trusted)

Broad: fs-read everywhere, writes to the work area, shell + network open.
(validate-profile! profile)

Reject profiles that would breach the sandbox: a dangerous :cap/java-classes entry without an explicit :capability/unsafe co-marker, the unsafe marker on :default/:locked-down, or a non-map class whitelist. Returns the profile.