Capabilities index
Deny-by-default: declare with require capability("scope"). See Capabilities & intent for the model.
-- Doc example: deny-by-default capabilities + faithful scope.
-- Uses `secret` because it demonstrates the model with no network/disk side effects.
intent: "doc example: capabilities and intent"
require secret("APP_*") -- name-prefix scope: covers APP_KEY, APP_DB, ... only
task read_app_key()
-- APP_KEY is under the declared APP_* scope → allowed (still redacted, as always)
give text(secret("APP_KEY", "demo")) == "secret(APP_KEY)"
task read_unscoped()
-- DB_PASSWORD is NOT under APP_* → denied at the capability check (before any use)
give secret("DB_PASSWORD")
print("APP_KEY is in scope → " + text(read_app_key()))
test "a capability you declared (in scope) is allowed"
assert(read_app_key())
test "anything outside the declared scope is denied (deny-by-default)"
assert_error(read_unscoped)
| Capability | Gates | Scope | Auto-granted in run? |
|---|---|---|---|
| stdout | print / output | — | yes |
| time | now, format_time, sleep | — | yes |
| llm | reason/decide/analyze/generate, llm_step (incl. provider egress) | — | yes |
| random | random, random_int | — | no (tokens/nonces) |
| net | http*, fetch | host: net("api.x"), net(".x"), net("") | no |
| file | read and write | path: file("/data/*") | no |
| file.read / file.write | least-privilege I/O | path glob | no |
| db | sql/mongo_/redis_ | path (SQLite) or canonical URL | no |
| secret | secret(...) | name: secret("APP_*") | no |
| reveal | reveal(...) | name/label (scoped) | no |
| exec | run (shell) | command name | no |
| serve | serve on N | port | no (must be declared) |
| env | env(...) | name / prefix | no |
| stdin | read_line, free-text ask | — | no |
Notes: path scopes are faithful (a path that escapes the declared scope via `..` is denied, not matched on its literal text). `sandbox` strips every capability, declared or not. A per-task `require` narrows that task to what it declares, intersected with what the program declares (a task cannot grant itself more than the program has). Under serve/secure mode, even the auto-granted capabilities (stdout, time, llm) must be declared explicitly.
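The deny-by-default check this index describes (scoped grants, per-task narrowing, secure mode, sandbox), modelled in Python as an added example. This is not the project's own implementation: the page gives the scope syntax, and the matching rules for name, host and path scopes (glob on the name; `.x` as any host under `x`, `""` as any host; glob on the canonicalised path) are this example's assumptions, marked as such in the code.

```python
"""Toy model of the deny-by-default capability check described on this page.

Added example, not the project's implementation.  The page gives the scope
syntax; the matching rules below are this example's assumptions:
  - name scopes (secret, env, reveal, exec): shell-style glob on the name
  - host scopes (net): "api.x" exact host, ".x" any host under x, "" any host
  - path scopes (file, file.read, file.write): glob on the canonicalised
    absolute path, so a ".." escape is judged as the path it really names
"""
from __future__ import annotations

import fnmatch
import posixpath
from dataclasses import dataclass

# Capabilities the table marks "auto-granted in run"; under secure mode they
# must be declared like everything else.
AUTO_GRANTED = frozenset({"stdout", "time", "llm"})
# Capabilities with no scope dimension ("—" in the table).
UNSCOPED = frozenset({"stdout", "time", "llm", "random", "stdin"})
SCOPE_KIND = {
    "secret": "name", "env": "name", "reveal": "name", "exec": "name",
    "net": "host",
    "file": "path", "file.read": "path", "file.write": "path",
}


class CapabilityDenied(PermissionError):
    """Raised when a use is not covered by any declared capability."""


@dataclass(frozen=True)
class Grant:
    """One `require cap("scope")` declaration; scope is "" for unscoped caps."""
    cap: str
    scope: str = ""

    def covers(self, cap: str, target: str) -> bool:
        # `file` covers both least-privilege halves; nothing else implies anything.
        same = cap == self.cap or (self.cap == "file" and cap in ("file.read", "file.write"))
        if not same:
            return False
        if cap in UNSCOPED:
            return True
        kind = SCOPE_KIND[cap]  # KeyError: capability not modelled in this example
        if kind == "name":
            return fnmatch.fnmatchcase(target, self.scope)
        if kind == "host":
            if self.scope == "":
                return True  # assumed: net("") is the any-host scope
            if self.scope.startswith("."):
                return target.endswith(self.scope)  # any host under the domain
            return target == self.scope  # exact host only
        # path: normalise before matching, so "/data/../etc/passwd" is judged
        # as "/etc/passwd" and falls outside file("/data/*").  fnmatch's "*"
        # also matches "/", so the glob covers nested paths under /data.
        return target.startswith("/") and fnmatch.fnmatchcase(posixpath.normpath(target), self.scope)


class Checker:
    """Program-level grants plus run mode.  A use passes only if the program
    covers it (or it is auto-granted and the run is not secure) and, when the
    task declares its own `require`, the task's declaration covers it too."""

    def __init__(self, program: list[Grant], secure: bool = False, sandbox: bool = False):
        self.program = list(program)
        self.secure = secure
        self.sandbox = sandbox

    def _covered(self, grants: list[Grant], cap: str, target: str) -> bool:
        if cap in AUTO_GRANTED and not self.secure:
            return True
        return any(g.covers(cap, target) for g in grants)

    def allowed(self, cap: str, target: str = "", task: list[Grant] | None = None) -> bool:
        if self.sandbox:
            return False  # sandbox strips everything, declared or not
        if not self._covered(self.program, cap, target):
            return False
        return task is None or self._covered(task, cap, target)  # task ∩ program

    def require(self, cap: str, target: str = "", task: list[Grant] | None = None) -> None:
        """The capability check a gated call runs before doing anything."""
        if not self.allowed(cap, target, task):
            raise CapabilityDenied(f"{cap}({target!r}) is outside the declared capabilities")


def is_denied(checker: Checker, cap: str, target: str = "", task: list[Grant] | None = None) -> bool:
    """assert_error analogue: True when require() refuses the use."""
    try:
        checker.require(cap, target, task)
    except CapabilityDenied:
        return True
    return False


def demo() -> dict[str, bool]:
    """The page's APP_* example plus the table's other scope forms (constructed inputs)."""
    program = [Grant("secret", "APP_*"), Grant("net", ".example"), Grant("file.read", "/data/*")]
    run = Checker(program)
    return {
        "APP_KEY in scope": run.allowed("secret", "APP_KEY"),
        "DB_PASSWORD outside scope": run.allowed("secret", "DB_PASSWORD"),
        "stdout auto-granted": run.allowed("stdout"),
        "stdout under secure mode": Checker(program, secure=True).allowed("stdout"),
        "net host under .example": run.allowed("net", "api.example"),
        "net other host": run.allowed("net", "example.net"),
        "file inside /data": run.allowed("file.read", "/data/report.csv"),
        "file .. escape": run.allowed("file.read", "/data/../etc/passwd"),
        "file.write not implied by file.read": run.allowed("file.write", "/data/report.csv"),
        "per-task require narrows": run.allowed("net", "api.example", task=[Grant("secret", "APP_*")]),
        "sandbox strips all": Checker(program, sandbox=True).allowed("stdout"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'allow' if ok else 'DENY '}  {name}")
```

The check runs before the gated call does anything, which is the property the page's `read_unscoped` test relies on: a denied `secret("DB_PASSWORD")` never reaches the secret store. The `..` case is handled by normalising the path before the glob match rather than by rejecting the string `..`, so `/data/../data/x` (which names a path inside the scope) is allowed while `/data/../etc/passwd` is not.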