Security

Capability Gating

Some built-ins are gated behind explicit capabilities so that risky operations stay opt-in. This keeps execution predictable: the builtin exists in the language, but the capability model decides whether the call is allowed in the current context. Pointers command_exec covers command-building and process-style operations. filesystem covers file reads, writes, and filesystem mutation. network covers sockets, HTTP, and remote access helpers. A missing capability should be treated as a policy decision, not a language parser error.

Source repo
aoiflux/mutant
Source path
builtin/builtin.go
Last reviewed
2026-07-03
Freshness tier
critical

Some built-ins are gated behind explicit capabilities so that risky operations stay opt-in.

This keeps execution predictable: the builtin exists in the language, but the capability model decides whether the call is allowed in the current context.

Pointers

  • command_exec covers command-building and process-style operations.
  • filesystem covers file reads, writes, and filesystem mutation.
  • network covers sockets, HTTP, and remote access helpers.
  • A missing capability should be treated as a policy decision, not a language parser error.

Capability Groups

  • command_exec
  • filesystem
  • network

Model

flowchart TD A[Builtin call] --> B{Capability allowed?} B -->|yes| C[Execute builtin] B -->|no| D[Deny or signal policy]

Canonical Source