HTTP client
Every request (http* and fetch) is gated by net(host): deny-by-default, even under run. HTTPS works out of the box (rustls + the OS root CAs).
-- Doc example: the HTTP client is gated by net(host). A request to an undeclared
-- host is refused at the capability check — before any network call happens.
intent: "doc example: HTTP client capability gating"
require net("api.allowed.com")
task reach_undeclared()
give http_get("https://evil.example.com/data") -- host not declared → denied
test "a request to an undeclared host is blocked (deny-by-default)"
assert_error(reach_undeclared)
Making requests
require net("api.store.com")
let r be http_get("https://api.store.com/products")
let r be http_get(url, {"x-api-key": secret("API_KEY")}, {"page": "1"}) -- headers, query
let r be http_post(url, {"name": "Alice"}, {"Authorization": bearer(secret("API_KEY"))})
let r be http("POST", url, headers, query, body) -- full control
Credentials go in headers (a secret is materialized only at the socket); see Secrets.
The response
A request returns a map:
status of r -- 200
ok of r -- true (200–299)
body of r -- raw text
json of r -- parsed JSON (if the content-type is JSON)
headers of r -- response headers
error of r -- error message if it failed
require net / net("") allow any host; net(".x.com") matches subdomains.
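The gate described on this page, sketched in Python as an added example (not the project's own code): the host is taken from the URL and checked against the declared net(...) patterns before any connection is opened. The names gate, host_of, host_allowed and would_deny are hypothetical, and the matching rules (a leading-dot pattern covers subdomains only, an empty pattern means any host) are assumptions based on the descriptions above.

```python
from urllib.parse import urlsplit


class CapabilityDenied(Exception):
    """Raised by the gate, before any socket is opened."""


def host_of(url):
    """Return the host the connection would actually go to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise CapabilityDenied(f"not an http(s) URL with a host: {url!r}")
    # .hostname drops userinfo and port and lowercases the name;
    # a trailing root dot is stripped so "a.com." and "a.com" compare equal.
    return parts.hostname.rstrip(".")


def host_allowed(host, declared):
    """Deny-by-default match of a host against declared patterns (assumed rules)."""
    for pattern in declared:
        p = pattern.lower()
        if p == "":                      # assumed: net("") allows any host
            return True
        if p.startswith("."):            # assumed: ".x.com" covers subdomains only
            if host.endswith(p) and len(host) > len(p):
                return True
        elif host == p:                  # exact host, never a substring or prefix
            return True
    return False                         # nothing declared matched: denied


def gate(url, declared):
    """Check the capability first; the caller connects only if this returns."""
    host = host_of(url)
    if not host_allowed(host, declared):
        raise CapabilityDenied(f"host {host!r} is not declared with net(...)")
    return host


def would_deny(url, declared):
    """True when the gate refuses the request."""
    try:
        gate(url, declared)
    except CapabilityDenied:
        return True
    return False
```

Matching on the parsed host rather than on the URL string is what keeps a declared name that only appears in the userinfo part, or as a prefix of a longer name, from satisfying the check.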