Synsema docsENES

Capabilities index

Deny-by-default: declare with require capability("scope"). See Capabilities & intent for the model.

capabilities.syn
-- Doc example: deny-by-default capabilities + faithful scope.
-- Uses `secret` because it proves the model with no network/disk side effects.
intent: "doc example: capabilities and intent"
require secret("APP_*")          -- name-prefix scope: covers APP_KEY, APP_DB, ... only

task read_app_key()
    -- APP_KEY is under the declared APP_* scope → allowed (still redacted, as always)
    give text(secret("APP_KEY", "demo")) == "secret(APP_KEY)"

task read_unscoped()
    -- DB_PASSWORD is NOT under APP_* → denied at the capability check (before any use)
    give secret("DB_PASSWORD")

print("APP_KEY is in scope → " + text(read_app_key()))

test "a capability you declared (in scope) is allowed"
    assert(read_app_key())

test "anything outside the declared scope is denied (deny-by-default)"
    assert_error(read_unscoped)
CapabilityGatesScopeAuto-granted in run?
stdoutprint / outputyes
timenow, format_time, sleepyes
llmreason/decide/analyze/generate, llm_step (incl. provider egress)yes
randomrandom, random_intno (tokens/nonces)
nethttp*, fetchhost: net("api.x"), net(".x"), net("")no
fileread and writepath: file("/data/*")no
file.read / file.writeleast-privilege I/Opath globno
dbsql/mongo_/redis_path (SQLite) or canonical URLno
secretsecret(...)name: secret("APP_*")no
revealreveal(...)name/label (scoped)no
execrun (shell)command nameno
serveserve on Nportno (and required)
envenv(...)name / prefixno
stdinread_line, free-text askno

Notes: path scopes are faithful (.. escapes denied). sandbox strips everything. A per-task require narrows a task to only what it declares (∩ the program). Under serve/secure mode, even the auto-granted ones must be declared.